
Latest News

Eurail Breach Exposes Data of Over 300,000 U.S. Users

  Eurail B.V. has confirmed a data breach affecting 308,777 individuals in the United States. Among them are 242 people from New Hampshire. ...

All the recent news you need to know

Ransomware Attack Disrupts Dutch Healthcare Software Provider ChipSoft, Raising Sector-Wide Concerns

 

A Netherlands-based healthcare software company, ChipSoft, has been forced offline after falling victim to a ransomware attack, according to officials.

The company’s website has been inaccessible since April 7 and remained down at the time of writing. ChipSoft supplies electronic patient record systems to hospitals; roughly 80 percent of healthcare facilities in the country run its software.

Confirmation of the ransomware attack came through an advisory issued by Z-CERT, the cybersecurity response team for the Dutch healthcare sector, and was also referenced in a statement released on Wednesday.

"On April 7, 2026, Z-CERT received notification that ChipSoft has fallen victim to a ransomware attack," it said. "Z-CERT is in contact with ChipSoft, healthcare institutions, and our partners. We are working hard to assess the impact of the incident."

The identity of the attackers remains unknown. Despite the outage affecting ChipSoft’s public-facing systems, most hospitals using its software continue to operate their patient portals without interruption.

Usage of ChipSoft’s systems differs among hospitals, with some institutions relying on it more heavily than others. Reports from NOS indicate that 11 hospitals have temporarily taken their systems offline, including nine that depend extensively on the platform.

Z-CERT has advised healthcare providers working with ChipSoft to review their systems for any unusual activity and report suspicious findings through official channels.

In its annual threat assessment, Z-CERT highlighted ransomware and extortion as the most significant cybersecurity risks facing Dutch healthcare organizations—issues that have persisted over recent years. In 2025, one of the country’s most serious breaches occurred during a Nova ransomware attack on Eurofins subsidiary Clinical Diagnostics, a laboratory specializing in cancer screening.

That incident resulted in the theft of data belonging to nearly one million patients, including personal details and highly sensitive medical records such as Pap smear results and other diagnostic test data.

Z-CERT also referenced a more recent ransomware attack in January targeting the Belgian hospital network AZ Monica. The cyberattack caused extended disruptions at facilities in Antwerp and Deurne, forcing hospitals to divert ambulances and transfer critical patients elsewhere.

"Digital outage is not an abstract IT problem. It concerns people who need care," said Wim Hafkamp, emphasizing the need for robust contingency planning in healthcare.

"In Belgium, in January 2026, we saw how a cyberattack on a hospital led to prolonged system downtime and postponed operations. That directly affects patients and healthcare providers. Good preparation ensures that care can continue safely and carefully even then."

Hackers Steal $3.665 Million in Bitcoin from Crypto ATM Giant Bitcoin Depot

 

Bitcoin Depot, a major operator of Bitcoin ATMs worldwide, has disclosed that hackers stole around 50.9 Bitcoin—valued at roughly 3.665 million dollars—from its corporate wallets after breaching its IT systems in March 2026. The company, which runs more than 25,000 crypto ATMs and BDCheckout locations, first detected suspicious activity on March 23 and later confirmed that attackers had accessed internal infrastructure and exfiltrated digital‑asset credentials. 

Modus operandi 

Investigators believe the attackers compromised Bitcoin Depot’s corporate environment and obtained login details for the firm’s digital‑asset settlement accounts. Using these stolen credentials, the hackers transferred about 50.9 Bitcoin from company‑controlled wallets to an attacker‑controlled address before Bitcoin Depot managed to cut off access. The theft was identified shortly after the illicit transfers, prompting the company to activate its incident‑response playbook and engage third‑party cybersecurity experts. 

Bitcoin Depot emphasized that the incident was limited to its corporate systems and did not reach its customer platforms, transaction environments, or user data. In an SEC filing, the firm stated that customer accounts, transaction data, and ATM networks remained unaffected, though the breach could still generate reputational and legal fallout. The company has also notified law enforcement and regulators; the investigation is ongoing and the full consequences are not yet known.

Financial and operational implications 

The loss of roughly 3.665 million dollars represents a direct hit to Bitcoin Depot’s corporate holdings, though the company does carry cyber‑attack insurance that may offset some of the damages. Despite the theft, Bitcoin Depot underlined that its ATM operations continue normally and that no customer funds stored in personal wallets were touched. Nonetheless, the episode comes as a reminder that even large crypto‑infrastructure players remain attractive targets for well‑funded cybercriminals. 

The incident shows how stolen credentials for settlement wallets can translate into multi-million-dollar losses in short order, even when customer-facing platforms are never touched. For crypto service providers, it underscores the need for strong identity and access controls, multi-factor authentication on treasury systems, and alerting on transfers from settlement wallets that fall outside the expected pattern of destinations, amounts, and approvers. For users, the takeaway is that individual wallets may stay safe while the broader ecosystem still depends on how well companies like Bitcoin Depot protect their own infrastructure.
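One concrete form these controls take is a withdrawal policy that a single operator credential cannot satisfy on its own. The Python below is an added example, not Bitcoin Depot's code and not a description of its actual controls; the destination addresses, limits and operator names are hypothetical. It allowlists destinations, enforces a per-transaction cap and a rolling 24-hour cap, and requires approvals from people other than the initiator before a transfer is released.

```python
from collections import deque
from dataclasses import dataclass, field

# Hypothetical policy values for illustration; a real deployment would tune these.
ALLOWED_DESTINATIONS = {"bc1q-settlement-exchange-a", "bc1q-cold-storage-1"}  # assumed addresses
PER_TX_LIMIT_BTC = 5.0
WINDOW_SECONDS = 24 * 3600
WINDOW_LIMIT_BTC = 20.0
REQUIRED_APPROVERS = 2  # distinct approvers, not counting whoever submitted the request


@dataclass
class Transfer:
    ts: int                 # unix seconds
    amount_btc: float
    destination: str
    initiator: str          # operator whose credentials submitted the request
    approvers: set = field(default_factory=set)


@dataclass
class TreasuryPolicy:
    """Layered controls on outbound transfers from a settlement wallet.

    The point of layering is that one stolen credential is not enough: a transfer
    needs an allowlisted destination, must fit the per-transaction and rolling-window
    limits, and must carry approvals from people other than the initiator.
    """
    _recent: deque = field(default_factory=deque)   # (ts, amount) pairs inside the window

    def _window_total(self, now):
        """Drop entries older than the window and return the BTC sent inside it."""
        while self._recent and now - self._recent[0][0] > WINDOW_SECONDS:
            self._recent.popleft()
        return sum(amount for _, amount in self._recent)

    def evaluate(self, t: Transfer):
        """Return every policy violation for t; an empty list means it may proceed."""
        reasons = []
        if t.destination not in ALLOWED_DESTINATIONS:
            reasons.append("destination not on allowlist")
        if t.amount_btc > PER_TX_LIMIT_BTC:
            reasons.append("exceeds per-transaction limit")
        if self._window_total(t.ts) + t.amount_btc > WINDOW_LIMIT_BTC:
            reasons.append("exceeds rolling 24h limit")
        independent = t.approvers - {t.initiator}   # self-approval does not count
        if len(independent) < REQUIRED_APPROVERS:
            reasons.append("insufficient independent approvals")
        return reasons

    def submit(self, t: Transfer):
        """Apply the policy; record the transfer against the window only if allowed."""
        reasons = self.evaluate(t)
        if not reasons:
            self._recent.append((t.ts, t.amount_btc))
        return reasons


if __name__ == "__main__":
    policy = TreasuryPolicy()
    # A transfer shaped like the one in the report, submitted with a stolen operator login.
    stolen = Transfer(ts=0, amount_btc=50.9, destination="bc1q-unknown", initiator="ops-1")
    print(policy.submit(stolen))
    legit = Transfer(ts=60, amount_btc=4.0, destination="bc1q-settlement-exchange-a",
                     initiator="ops-1", approvers={"treasurer", "cfo"})
    print(policy.submit(legit))
```

The first submission fails on all four checks at once, which is the behaviour you want from a treasury system when an attacker turns up with nothing but a valid login. The approval check deliberately ignores the initiator's own approval, so compromising one account never yields a quorum.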

Adobe Reader Zero-Day PDF Exploit Actively Used in Attacks to Steal Data

 

A previously unknown flaw in Adobe Reader is being exploited in the wild through crafted PDF files. The activity was traced by researcher Haifei Li, who found that attacks have been running continuously since December.

What stands out is the method: the exploit profiles the victim system and works against fully patched installations, so opening a single malicious PDF is enough. It spreads quietly because it relies on Reader's normal behaviour rather than on recognisable malware.

Rather than a complex setup, it calls built-in Acrobat JavaScript functions such as util.readFileIntoStream and RSS.addFeed, APIs intended for routine tasks. Because these calls look ordinary, alerts rarely fire, and data leaves the machine before anyone notices. The risk is not limited to data theft: Li notes the flaw might be chained further, for example to remote code execution or a sandbox escape, which would hand the attacker full control of the device.

Looking further, threat analyst Gi7w0rm observed that the malicious PDFs in these operations frequently use lure documents written in Russian, with themes tied to current developments in the oil and gas industry. The subject matter appears chosen to look credible to specific professionals and mirrors real-world events closely.

Li reported the flaw to Adobe before publishing, but no fix was available when details emerged. Until an update ships, anyone opening PDFs from outside sources remains at risk, and specialists urge caution with PDFs, particularly those arriving by email or from unknown senders.

Watch network activity closely: unexpected HTTP or HTTPS requests from the Reader process may indicate the flaw is being exploited, and unusual user-agent strings in those requests can mean a compromise has already occurred. Since the chain runs through Reader's JavaScript APIs, disabling Acrobat JavaScript in the application preferences and keeping Protected View enabled for files from untrusted locations are two standard hardening settings that reduce exposure while no patch exists. This zero-day is one more example of attackers leaning on familiar file types and common programs to slip past defences.

While the flaw stays open, attentive monitoring and careful handling of files are the main protections available; cautious behaviour offers at least some shield until a fix arrives.
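Because the chain runs through Acrobat JavaScript, mail gateways and analysts can at least triage attachments for script that names the APIs above. The Python below is an added example, not Li's tooling and not from the original report: it pulls stream bodies out of a PDF, inflates FlateDecode streams where it can, and reports whether the file carries JavaScript and which of the named APIs appear. The PDF fixtures are constructed inline. The check is a triage aid only; an attacker can defeat it with hex-escaped names or string concatenation, so treat a hit as a reason to look closer rather than a verdict either way.

```python
import re
import zlib

# Acrobat JavaScript APIs named in the report. Their presence is not proof of
# exploitation, but they are rare in ordinary documents and justify a closer look.
SUSPICIOUS_APIS = ("util.readFileIntoStream", "RSS.addFeed")

# \b keeps the "stream" inside "endstream" from being taken as a stream start.
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\nendstream", re.DOTALL)
# /JS and /JavaScript are the dictionary keys that attach script to an action.
JS_KEY_RE = re.compile(rb"/(?:JS|JavaScript)\b")


def _inflate(body):
    """Inflate a FlateDecode body; tolerate a trailing CR from CRLF-terminated files."""
    for candidate in (body, body.rstrip(b"\r")):
        try:
            return zlib.decompress(candidate)
        except zlib.error:
            continue
    return None  # not deflate-compressed, or truncated


def _stream_bodies(pdf_bytes):
    """Yield each stream body raw and, where it inflates, decompressed as well."""
    for m in STREAM_RE.finditer(pdf_bytes):
        body = m.group(1)
        yield body
        inflated = _inflate(body)
        if inflated is not None:
            yield inflated


def triage_pdf(pdf_bytes):
    """Static triage: does the file carry JavaScript, and does it name the APIs above?"""
    hits = set()
    for blob in (pdf_bytes, *_stream_bodies(pdf_bytes)):
        for api in SUSPICIOUS_APIS:
            if api.encode() in blob:
                hits.add(api)
    return {
        "has_javascript": JS_KEY_RE.search(pdf_bytes) is not None,
        "suspicious_apis": sorted(hits),
    }


def build_fixture(js_source=None):
    """Construct a minimal PDF for testing (constructed data, not a real document).

    With js_source, the catalog's /OpenAction runs it from a FlateDecode stream, so the
    API names are only visible after inflation. Without it, the file is a plain page.
    """
    if js_source is None:
        content = b"BT /F1 12 Tf (Hello) Tj ET"
        objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
                b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
                b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>",
                b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream"]
    else:
        packed = zlib.compress(js_source.encode())
        objs = [b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
                b"<< /Type /Pages /Kids [] /Count 0 >>",
                b"<< /S /JavaScript /JS 4 0 R >>",
                b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
                + packed + b"\nendstream"]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.7\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    # The script body here only references the API names; it is a fixture, not an exploit.
    print(triage_pdf(build_fixture("var f = util.readFileIntoStream; var r = RSS.addFeed;")))
    print(triage_pdf(build_fixture()))
```

The decompression step matters: in the suspicious fixture the API names live only inside the FlateDecode stream, so a grep over the raw file would miss them. Object streams and other filters (LZW, ASCIIHex) would need the same treatment, which is the point where a full PDF parser earns its keep.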

Industrial Cybersecurity Under Strain as Iran-Linked Actors Breach U.S. Systems


In a joint interagency alert, United States authorities describe a sustained and deliberate intrusion campaign against operational technology (OT) environments across multiple critical sectors.

The activity extends beyond isolated incidents to government-linked facilities, municipal systems, and utilities including water, wastewater, and electricity. The campaign concentrates on industrial control layers rather than conventional IT networks, a shift toward systems that directly drive physical processes and keep services running.

Targeting Industrial Control Systems 

The technical analysis shows the threat actors prioritising internet-exposed programmable logic controllers (PLCs), notably Rockwell Automation's Allen-Bradley line, while not excluding devices from other vendors.

Across the intrusion set, the actors gained unauthorised access to device interfaces and interacted with configuration-level project files, demonstrating working knowledge of supervisory control and data acquisition (SCADA) architectures. With that access, controller logic can be altered, automated processes disrupted, and operational integrity compromised without immediate notice.

In the agencies' assessment, the activity represents an increase in both intent and capability, and it aligns with broader geopolitical tensions that have been building since direct hostilities involving Iran began in late February. The timing also coincides with increased diplomatic rhetoric from Washington, pointing to a convergence of cyber operations and strategic signalling in an increasingly volatile environment.

Attack Methodology and Execution 

Operationally, the campaign is defined less by advanced zero-day exploitation than by systematic discovery of reachable control environments. Researchers report that the actors scan for internet-accessible programmable logic controllers, including the widely used CompactLogix and Micro850 families, and obtain initial access using legitimate engineering tools such as Studio 5000 Logix Designer.

Because the activity uses trusted tools and protocols, it blends in with normal engineering work and proceeds as a structured intrusion sequence with little to trigger detection. Once access is obtained, activity shifts to controlled manipulation: extracting configuration and project files, modifying control logic, and establishing persistence.

In several documented instances, the remote access utility Dropbear SSH was deployed on the standard port 22 to maintain connectivity. Malicious traffic also blends into normal OT communications over well-known industrial ports: 44818 (EtherNet/IP explicit messaging), 2222 (EtherNet/IP implicit I/O), 102 (ISO-TSAP, used by Siemens S7) and 502 (Modbus/TCP), which complicates network-level visibility. These intrusion patterns are not isolated; they closely match previously documented campaigns, supporting attribution and showing continuity of method and intent.
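The port list above suggests a simple network-level check that does not depend on any vendor signature. The Python below is an added example, not from the advisory and not any agency's tooling: it classifies flow records against an assumed site layout in which controllers sit in 10.50.0.0/16, engineering workstations in 10.20.5.0/24, and everything else in 10.0.0.0/8 is internal but has no business talking to PLCs. The subnets, addresses and sample records are hypothetical and constructed for the demonstration.

```python
import ipaddress
from collections import Counter

# Ports named in the advisory, with the protocol each normally carries. SSH is
# included because Dropbear was dropped on port 22 for persistence.
OT_PORTS = {
    44818: "EtherNet/IP explicit messaging",
    2222: "EtherNet/IP implicit I/O",
    102: "ISO-TSAP (Siemens S7comm)",
    502: "Modbus/TCP",
    22: "SSH",
}

# Assumed (hypothetical) site layout.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PLC_NET = ipaddress.ip_network("10.50.0.0/16")
ENGINEERING_NET = ipaddress.ip_network("10.20.5.0/24")


def parse_conn(line):
    """Parse one whitespace-separated flow record: ts src sport dst dport proto."""
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": int(ts), "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}


def classify(conn):
    """Label a flow that breaks the expected OT traffic pattern, or return None."""
    if conn["dst"] not in PLC_NET or conn["dport"] not in OT_PORTS:
        return None
    src = conn["src"]
    if not any(src in net for net in INTERNAL_NETS):
        return "external-to-PLC"          # a controller should never be reachable from outside
    if conn["dport"] == 22:
        return "ssh-to-PLC"               # controllers do not normally run an SSH service
    if src in PLC_NET:
        return None                       # controller-to-controller messaging is expected
    if src not in ENGINEERING_NET:
        return "non-engineering-to-PLC"   # only engineering workstations should program PLCs
    return None


def scan(log_text):
    """Classify every record; return (flagged records, count by label)."""
    findings = []
    for line in log_text.strip().splitlines():
        conn = parse_conn(line)
        label = classify(conn)
        if label:
            findings.append((conn["ts"], str(conn["src"]), str(conn["dst"]),
                             conn["dport"], OT_PORTS[conn["dport"]], label))
    return findings, Counter(label for *_, label in findings)


# Constructed sample flow records (not real telemetry).
SAMPLE_LOG = """\
1712476800 198.51.100.7 51234 10.50.1.10 44818 tcp
1712476801 10.20.5.12 49200 10.50.1.10 44818 tcp
1712476803 10.20.7.33 50011 10.50.1.11 502 tcp
1712476805 198.51.100.7 51240 10.50.1.10 22 tcp
1712476810 10.20.5.12 49300 10.10.0.5 443 tcp
1712476812 10.50.1.10 40000 10.50.1.11 2222 udp
1712476815 10.20.5.12 49400 10.50.1.10 22 tcp
"""

if __name__ == "__main__":
    hits, summary = scan(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print(dict(summary))
```

The useful signals are any external source reaching a controller port at all, SSH to a device that should not be running an SSH service (the Dropbear case above), and EtherNet/IP, S7 or Modbus sessions from a host outside the engineering subnet. The same rules map directly onto Zeek conn.log fields or a firewall's flow export; the hard part in practice is maintaining an accurate inventory of which hosts are controllers and which are engineering workstations.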

Attribution and Operational Patterns

Attribution patterns link this campaign to the Iran-linked group CyberAv3ngers, historically associated with the Islamic Revolutionary Guard Corps. The group follows a consistent operational approach of reconnaissance, exploitation, and post-compromise control, and shows a high level of technical discipline.

Prior incidents included symbolic elements inside compromised environments: attackers altered the interface displays and system identifiers of Unitronics devices in targeted operations to project political messages and group insignia. Subsequent forensic analyses by industrial cybersecurity firms such as Dragos and Claroty established that these visible changes were accompanied by deeper manipulation of the devices.

Water utility networks in several regions, including parts of the United States, Israel, and Ireland, experienced operational interruptions after attacker modifications disrupted control logic. Pairing surface-level signalling with underlying system interference reflects a deliberate effort to combine visibility with functional impact.

Defensive Measures and Risk Mitigation 

In response, federal agencies continue to stress a security posture that assumes compromise: audit externally exposed assets, enforce stricter controls on remote engineering access, and monitor continuously across the operational technology environment.

Strengthening these areas is considered essential to reduce the likelihood that adversaries exploit existing weaknesses in critical infrastructure systems. Beyond the technical exposure, the broader strategic context in which these operations take place adds to the defensive urgency.

Geopolitical Context and Strategic Implications

As part of the mitigation effort, federal authorities have raised the threat posture and issued an urgent warning to critical infrastructure operators, since the campaign appears intended to cause disruptive outcomes rather than espionage alone.

Adversaries are increasingly using asymmetric cyber operations to offset conventional military limitations, targeting digitally reachable industrial environments that can produce real-world consequences.

Alongside rapidly changing geopolitical signals, U.S. leadership has announced a temporary de-escalation window to address the threat. This underscores how closely cyber operations are now tied to strategic messaging and conflict dynamics.

Systemic Vulnerabilities in OT Environments 

The investigation points to a structural weakness that adversaries keep exploiting in OT environments: accessibility. Despite years of guidance, internet-facing programmable logic controllers remain exposed without adequate isolation or hardening.

Beyond disrupting immediate services, such access introduces the risk of deeper manipulation, altering operational parameters in ways that cause instability with downstream effects on safety and performance, according to security analysts.

Compared with earlier campaigns, the scope has widened and the operational impact has become more focused. Parallel activity attributed to Tehran-linked actors, ranging from targeted data leaks to disruptions of private sector businesses, reinforces this trajectory. Beyond technical compromise, the actors also rely on psychological signalling through selective disclosure and amplification of perceived impact.

Together, the pattern reflects a carefully calibrated blend of technical intrusion and influence operations, aimed at projecting reach and exploiting both the cyber and cognitive dimensions of modern conflict. With geopolitical tensions converging and targeted OT intrusions advancing, the present campaign places infrastructure security at a critical crossroads.

According to experts, resilience does not rest on perimeter defences alone: OT environments must be segmented, remote engineering access tightly controlled, and system integrity continuously verified at the controller level.

Organisations that treat exposure as a practical rather than a theoretical risk are better able to cope with disruption. Proactive visibility, rapid anomaly detection, and coordinated incident response are no longer best practices in this environment; they are operational requirements.

NSA Urges Americans to Reboot Routers as Russian Hackers Exploit Vulnerable Home Networks

 

The National Security Agency (NSA) is once again advising internet users in the United States to restart their routers, warning that attackers are actively targeting home networks to reach sensitive personal data. The guidance comes from a 2023 advisory the agency has pointed citizens to again this month, and its message is blunt: "Don't be a victim!" the advisory says. "Malicious cyber actors may leverage your home network to gain access to personal, private, and confidential information."

The NSA’s alert aligns with a warning from the Federal Bureau of Investigation (FBI), which has revealed that Russia’s military intelligence unit, the GRU, is exploiting insecure routers worldwide. According to officials, these attacks aim to intercept and steal highly sensitive data linked to military, government, and critical infrastructure systems.

Authorities have identified the hacking group APT28, also known as Fancy Bear, as a key actor in these operations. The group has reportedly been targeting vulnerable devices, including routers from brands like TP-Link, by exploiting known flaws such as CVE-2023-50224. Investigators say the attackers are harvesting credentials and compromising devices on a global scale.

The core advice from cybersecurity agencies is straightforward: replace outdated routers that no longer receive support and ensure active devices are regularly updated. However, many users neglect basic security steps—such as changing default passwords, installing firmware updates, or setting up separate guest networks—leaving their systems exposed.

Reinforcing its guidance, the NSA highlights essential practices for securing home networks: “changing default usernames and passwords, disabling remote management interfaces from the Internet, updating to latest firmware versions, and upgrading end-of-support devices.” These measures underscore the importance of not overlooking the router, often quietly running in homes yet posing a significant security risk if ignored.

Additionally, the agency recommends routine device restarts as a simple but effective safeguard. “at a minimum, you should schedule weekly reboots of your routing device, smartphones, and computers. Regular reboots help to remove implants and ensure security.” In practical terms, this means powering devices off and back on regularly—something most users only do when troubleshooting connectivity issues.

While not everyone may be directly targeted by state-sponsored actors like Russia’s military, everyday users remain at risk from the broader surge in cyberattacks, increasingly fueled by advancements in AI technologies. Maintaining good digital hygiene—such as frequent password changes, timely updates, and weekly reboots—can significantly reduce exposure.

Meanwhile, a report from Federal Communications Commission (FCC), highlighted by tech publication PCMag, suggests that new restrictions on foreign-made routers could impact several popular brands. Using data from Ookla’s Speedtest platform, the report identifies which manufacturers dominate the U.S. market and may be affected.

Industry insights from WiFi Now note that most consumer-grade routers available in the U.S. are produced in countries like China, Taiwan, and Vietnam. Major brands include NETGEAR, Google Nest, Eero, and Ubiquiti. Currently, there is little to no domestic manufacturing of such devices in the U.S.

Experts advise users to check the model details to verify whether a router still receives firmware updates. Regardless of brand, keeping the device patched and restarting it regularly remain crucial steps against evolving threats. Note the limits of a reboot: it clears implants that live only in memory but does nothing to close a known flaw in the firmware, so updating, or replacing an unsupported device, is what actually removes the exposure.

Mirai Malware Spreads Through Vulnerable TBK DVR Devices

 
Threat actors are actively taking advantage of security weaknesses in TBK digital video recorders and outdated TP-Link Wi-Fi routers to install variants of the Mirai botnet on compromised systems. This activity has been documented by researchers at Fortinet FortiGuard Labs and Palo Alto Networks Unit 42.

One of the primary attack vectors involves the exploitation of CVE-2024-3721, a command injection vulnerability with a CVSS score of 6.3, classified as medium severity. This flaw affects TBK DVR-4104 and DVR-4216 devices and is being used to deliver a Mirai-based malware strain identified as Nexcorium.

Security researchers note that IoT devices continue to be heavily targeted because they are widely deployed, frequently lack timely security updates, and are often configured with weak protections. These conditions allow attackers to exploit known vulnerabilities to gain initial access, deploy malicious code, maintain persistence, and ultimately use infected devices to conduct distributed denial-of-service attacks.

This vulnerability has already been observed in previous attack campaigns. Over the past year, it has been used not only to deploy Mirai variants but also a newer botnet known as RondoDox. In addition, earlier reporting highlighted large-scale botnet operations distributing multiple malware families, including Mirai, RondoDox, and Morte, by exploiting weak credentials and outdated vulnerabilities across routers, IoT devices, and enterprise systems.

In the current attack chain described by Fortinet, exploitation of CVE-2024-3721 allows attackers to download a script onto the target device. This script then determines the system’s Linux architecture and retrieves a compatible botnet payload. Once executed, the malware displays a message indicating that the system has been taken over.

Technical analysis shows that Nexcorium follows a structure similar to traditional Mirai variants. It includes encoded configuration tables, a watchdog mechanism to keep the malware active, and dedicated modules for launching DDoS attacks.

The malware also integrates an exploit for CVE-2017-17215, enabling it to target Huawei HG532 devices within the same network. Additionally, it uses a hard-coded list of usernames and passwords to attempt brute-force logins on other systems via Telnet connections.

If these login attempts succeed, the malware gains shell access, establishes persistence using scheduled tasks and system services, and connects to an external command-and-control server. From there, it waits for instructions to launch attacks using protocols such as UDP, TCP, and SMTP. After securing persistence, it deletes the original binary file to reduce the likelihood of detection and analysis.

Researchers describe Nexcorium as representative of modern IoT botnets, combining multiple techniques such as vulnerability exploitation, multi-architecture support, and persistence mechanisms to maintain long-term control over infected devices. Its use of both older vulnerabilities and brute-force tactics highlights its ability to adapt and expand its reach.
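When a dropper like the one described above is recovered, a first triage step is to sort its downloaded payloads by target architecture so each can be run in the right emulator or matched against the right signatures. The Python below is an added example, not from Fortinet's or Unit 42's analysis: it reads only the ELF header fields that identify class, byte order and machine type, which is all the dropper itself needs to pick a compatible binary. The sample payloads are constructed header stubs, not real binaries, and the file names are hypothetical.

```python
import struct

# e_machine values from the ELF specification for the architectures Mirai-family
# droppers commonly ship; anything else is reported by its raw value.
E_MACHINE = {
    0x03: "x86", 0x08: "mips", 0x14: "ppc", 0x28: "arm", 0x2A: "superh",
    0x2B: "sparc-v9", 0x3E: "x86-64", 0xB7: "aarch64", 0xF3: "riscv",
}
EI_CLASS = {1: "ELF32", 2: "ELF64"}
EI_DATA = {1: "little-endian", 2: "big-endian"}


def elf_arch(blob):
    """Describe an ELF payload's target from its header, or return None if not ELF.

    Only the first 20 bytes matter: the 16-byte e_ident, then e_type and e_machine,
    whose byte order is itself given by e_ident[EI_DATA] at offset 5.
    """
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    cls, data = EI_CLASS.get(blob[4]), EI_DATA.get(blob[5])
    if cls is None or data is None:
        return None
    fmt = "<H" if blob[5] == 1 else ">H"
    machine = struct.unpack_from(fmt, blob, 18)[0]
    return f"{cls}/{data}/{E_MACHINE.get(machine, f'unknown(0x{machine:02x})')}"


def classify_payloads(payloads):
    """Map each payload name to its architecture string, or 'not-elf'."""
    return {name: elf_arch(blob) or "not-elf" for name, blob in payloads.items()}


def fake_elf_header(ei_class, ei_data, e_machine):
    """Construct a 20-byte ELF header stub for testing (not an executable binary)."""
    fmt = "<H" if ei_data == 1 else ">H"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9   # EI_VERSION=1, rest padding
    return ident + struct.pack(fmt, 2) + struct.pack(fmt, e_machine)   # e_type=ET_EXEC


# Constructed sample set in the shape of a multi-architecture dropper's downloads.
SAMPLE_PAYLOADS = {
    "bot.mips": fake_elf_header(1, 2, 0x08),     # big-endian MIPS, typical of older routers
    "bot.mpsl": fake_elf_header(1, 1, 0x08),     # little-endian MIPS
    "bot.arm7": fake_elf_header(1, 1, 0x28),
    "bot.x86_64": fake_elf_header(2, 1, 0x3E),
    "dropper.sh": b"#!/bin/sh\n# constructed placeholder, not a real dropper\n",
}

if __name__ == "__main__":
    for name, arch in classify_payloads(SAMPLE_PAYLOADS).items():
        print(f"{name:12} {arch}")
```

The class and byte-order fields are read before e_machine because e_machine itself is stored in the file's own endianness; a parser that assumes little-endian will misreport every big-endian MIPS build, which is exactly the variant most common on the routers and DVRs these botnets target.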

Separately, Unit 42 identified automated scanning activity attempting to exploit another vulnerability, CVE-2023-33538, which carries a higher CVSS score of 8.8. This flaw affects several end-of-life TP-Link routers, including TL-WR940N (v2 and v4), TL-WR740N (v1 and v2), and TL-WR841N (v8 and v10). While the observed attempts were malformed and did not succeed, the vulnerability itself remains exploitable.

This vulnerability was added to the Known Exploited Vulnerabilities catalog maintained by the Cybersecurity and Infrastructure Security Agency in June 2025, reflecting its relevance in real-world threat activity. Researchers emphasize that successful exploitation requires authenticated access to the router’s web interface, which can often be achieved if default credentials are still in use.

The attacks linked to this vulnerability are designed to deploy Mirai-like malware containing references to “Condi” within its source code. This malware is capable of updating itself to newer versions and can also operate as a web server, allowing it to spread to additional devices that connect to the infected system.

Because the affected TP-Link routers are no longer supported by the manufacturer, users are advised to replace them with newer devices. Security experts also stress the importance of changing default login credentials, as these remain a major weakness that attackers continue to exploit.

Researchers warn that the continued use of default credentials in IoT environments will remain a persistent security risk. Even vulnerabilities that require authentication can become critical entry points if weak or unchanged credentials are present, enabling attackers to compromise devices and expand botnet networks with relative ease.

