Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

California Privacy Regulator Fines Datamasters for Selling Sensitive Consumer Data Without Registration

  The California Privacy Protection Agency (CalPrivacy) has taken enforcement action against Datamasters, a marketing firm operated by Ricke...

All the recent news you need to know
Linux Servers
Botnet Brute Force Attacks Cyber Attacks GoBruteforcer Linux Servers

GoBruteforcer Botnet Targets Linux Servers with Brute-Force Attacks

 

A dangerous botnet called GoBruteforcer is ramping up brute-force attacks on internet-exposed Linux servers, focusing on services like FTP, MySQL, PostgreSQL, and phpMyAdmin. Check Point Research (CPR) warns that over 50,000 servers remain vulnerable due to weak credentials and poor configurations, turning them into new attack nodes after compromise. This surge exploits common defaults from tutorials and legacy stacks like XAMPP, amplifying risks for organizations worldwide.

The botnet, first spotted in 2023, evolved into a more sophisticated Go-written variant by mid-2025, featuring advanced obfuscation, persistence mechanisms, and process-hiding tricks like renaming to "init". Infected servers scan random IPs and test credential lists with usernames such as "admin," "appuser," or crypto-themed ones like "cryptouser," rotating campaigns weekly for efficiency. Low success rates still pay off given millions of exposed databases and FTP ports.

Financial motives drive some operations, with attackers deploying Go tools to scan TRON balances and sweep tokens from Binance Smart Chain on compromised hosts. CPR found 23,000 TRON addresses on one server, and on-chain data confirmed small thefts, highlighting resale potential for stolen access or data. Targeted attacks hit WordPress-linked phpMyAdmin panels and blockchain databases.

CPR links this threat to AI-generated deployment guides that propagate insecure defaults, predicting worse risks as server setups become easier. Legacy web environments and credential reuse from leaked databases fuel the botnet's spread, with C2 servers distributing modular components like IRC bots and bruteforcers.

Mitigation demands strong passwords, MFA, service lockdowns, and exposure monitoring beyond takedowns. Disabling unnecessary ports and auditing configs counters brute-force economics, while tools block known IOCs like C2 domains (e.g., fi.warmachine.su) and SHA-256 hashes for IRC bots. Proactive hygiene remains key against persistent threats like GoBruteforce.
Read more »
ShinyHunters
BreachForums BreachForums user database Data Breach Extortion Gang hacking forum leak ShinyHunters

BreachForums Database Breach Exposes Details of Over 324K User Accounts

 

The newest version of the infamous BreachForums cybercrime marketplace has reportedly experienced another security lapse, with its user database table appearing online.

BreachForums refers to a succession of underground hacking forums commonly used for buying, selling, and leaking stolen data, as well as offering access to compromised corporate networks and other illicit cyber services. The platform emerged after RaidForums was taken down by law enforcement and its alleged operator, known as “Omnipotent,” was arrested.

Despite facing previous data breaches and repeated law enforcement interventions, BreachForums has consistently resurfaced under new domains. This pattern has led some observers to speculate that the forum may now be operating as a law-enforcement honeypot.

Recently, a website bearing the name of the ShinyHunters extortion group published a 7Zip archive titled breachedforum.7z. The archive includes three files:
  • shinyhunte.rs-the-story-of-james.txt
  • databoose.sql
  • breachedforum-pgp-key.txt.asc
A spokesperson for the ShinyHunters extortion group told BleepingComputer that they are not connected to the site hosting the archive.

The file breachedforum-pgp-key.txt.asc contains a private PGP key created on July 25, 2023, which BreachForums administrators previously used to sign official communications. Although the key has been exposed, it is protected by a passphrase, preventing misuse without the correct password.

Meanwhile, the databoose.sql file is reportedly a MyBB users table (mybb_users) holding details of 323,988 accounts. The leaked data includes usernames, registration timestamps, IP addresses, and other internal forum information.

According to BleepingComputer’s review, most IP addresses in the dataset resolve to a loopback address (127.0.0.9), limiting their investigative value. However, around 70,296 records do not use this local IP and instead resolve to public addresses. These entries could pose operational security risks to affected users and may be useful to law enforcement or cybersecurity analysts.

The most recent registration date in the leaked database is August 11, 2025—the same day the previous BreachForums instance at breachforums[.]hn was taken offline following arrests linked to its alleged operators. On that day, a ShinyHunters member posted in the “Scattered Lapsus$ Hunters” Telegram channel, alleging that BreachForums was a law-enforcement trap, a claim later denied by forum administrators.

In October 2025, the breachforums[.]hn domain was formally seized after being repurposed for extortion campaigns tied to large-scale Salesforce data thefts attributed to the ShinyHunters group.

The current BreachForums administrator, operating under the alias “N/A,” has confirmed the latest incident. According to the administrator, a backup of the MyBB users table was briefly left in an unsecured directory and downloaded only once.

“We want to address recent discussions regarding an alleged database leak and clearly explain what happened,” N/A wrote on BreachForums.

“First of all, this is not a recent incident. The data in question originates from an old users-table leak dating back to August 2025, during the period when BreachForums was being restored/recovered from the .hn domain.”

“During the restoration process, the users table and the forum PGP key were temporarily stored in an unsecured folder for a very short period of time. Our investigation shows that the folder was downloaded only once during that window.”

While N/A advised members to rely on disposable email addresses and emphasized that most IPs were local, the exposed data could still attract interest from investigators.

Following publication of the article, cybersecurity firm Resecurity informed BleepingComputer that the website hosting the archive has now been updated to include the passphrase for BreachForums’ private PGP key. Another independent security researcher confirmed that the disclosed password successfully unlocks the key.

Read more »
Spain
Black Axe Gang Cyber Crime Europe Europol Germany Spain

Europol Cracks Down Gang Responsible for Cyber Crime Worth Billions


Europol’s joint operation to crackdown international gang

Europol recently arrested 34 people in Spain who are alleged to have a role in a global criminal gang called Black Axe. The operation was conducted by Spanish National Police and Bavarian State Criminal Police Office and Europol. 

Twenty eight individuals were arrested in Seville, three in Madrid and two in Malaga, and the last one in Barcelona. Among the 34 suspects, 10 individuals are from Nigeria. 

“The action resulted in 34 arrests and significant disruptions to the group's activities. Black Axe is a highly structured, hierarchical group with its origins in Nigeria and a global presence in dozens of countries,” Europol said in a press release on its website. 

About Black Axe 

Black Axe is infamous for its role in various cyber crimes like frauds, human trafficking, prostitution, drug trafficking, armed robbery, kidnapping, and malicious spiritual activities. The gang annually earns roughly billions of euros via these operations that have a massive impact. 

Officials suspect that Black Axe is responsible for fraud worth over 5.94 million euros. During the operation, the investigating agencies froze 119352 euros in bank accounts and seized 66403 euros in cash during home searches. 

The crackdown 

Germany and Spain's cross-border cooperation includes the deployment of two German officers on the scene on the day of action, the exchange of intelligence, and the provision of analytical support to Spanish investigators. 

The core group of the organized crime network, which recruits money mules in underprivileged communities with high unemployment rates, was the objective of the operation. The majority of these susceptible people are of Spanish nationality and are used to support the illegal activities of the network.

Europol's key role

Europol provided a variety of services to help this operation, such as intelligence analysis, a data sprint in Madrid, and on-the-spot assistance. Mapping the organization's structure across nations, centralizing data, exchanging important intelligence packages, and assisting with coordinated national investigations have all been made possible by Europol. 

In order to solve the problems caused by the group's scattered little cases, cross-border activities, and the blurring of crimes into "ordinary" local offenses, this strategy seeks to disrupt the group's operations and recover assets.



Read more »
Russian sponsored Hackers
Advanced Persistent Threats APT28 Cyber Espionage Cyber Attacks Fancy Bear Attacks Geopolitical Cyber Risk GRU Cyber Operations Phishing Infrastructure Abuse Russian sponsored Hackers

APT28 Intensifies Cyber Espionage Targeting Energy Infrastructure and Policy Groups


 

One of Russia's most prolific cyber espionage groups has operated largely in the shadows for more than two decades, quietly shaping the global threat landscape by carrying out persistent and highly targeted digital intrusions using techniques that have been used for many years. 

In the community of cybersecurity, the group is referred to as APT28 and is believed to be linked to the 85th Main Special Service Center of the GRU, a Russian military intelligence agency. This group has operated continuously since at least 2004, utilizing aliases such as Fancy Bear, Sofacy, Sednit, STRONTIUM, and Pawn Storm in addition to the alias above. 

There has been a marked evolution in APT28's operational playbook over the last few months, and the threat intelligence reports point to refinements in tactics, techniques, and procedures that have enhanced stealth and impact, complicating detection and response efforts in detecting and responding to APT28. 

Among the most pressing concerns is the expansion of strategic targeting beyond traditional government and defense organizations to include critical infrastructure and private companies. As a result, national security, economic stability, and institutional resilience are all at increased risk. 

This activity reflects a wider alignment with the Russian Cyber Warfare doctrine, which includes espionage-driven operations that are intended not only to gather sensitive intelligence but also to undermine adversaries' capabilities, reinforcing cyber operations as a tool for geopolitical influence and escalation, and reinforcing their significance for geopolitical influence. 

Known to most people as Fancy Bear, and officially tracked as APT28, the group of threat actors that are connected to the Russian Federation's Main Directorate of the General Staff, has long been viewed as one of the most consequential advanced persistent threats that emerged in the middle of the 2010s. 

There were a number of operations that took place during that period, ranging from sustained cyber warfare against Ukraine to high-profile interference in American and European elections, as well as disruptive activities tied to international sporting events. These operations had an impact on public and policy discourse around cybersecurity, and state-sponsored cyber operations. 

In the midst of these headline-grabbing incidents, APT28’s parallel campaigns against Western media outlets and government institutions often receded from attention, but as a whole, they cemented APT28’s position as a defining force in the development of modern cyber espionage. It would be fair to say that the group's recent activity has been somewhat less dramatic, but equally deliberate. 

Currently, most operations are conducted by using spear phishing techniques aimed at governments and strategic companies, reflecting a shift away from louder, more traditional intrusion tactics in favor of quieter ones. 

A study by Recorded Future suggests that BlueDelta was conducting targeted credential harvesting campaigns against a selected group of organizations across multiple regions during February - September 2025. It was primarily a combination of convincingly crafted phishing pages and readily accessible infrastructure, rather than custom tools, that was used in these targeted credential harvesting campaigns. 

As the cybersecurity firm determined based on their analysis, the campaigns observed between February and September 2025 were targeted to a relatively small number of victims but had clearly defined targets and were built around carefully crafted phishing infrastructures that resembled widely used enterprise services to the greatest extent possible.

A counterfeit login page modeled after Microsoft Outlook Web Access, Google account portals and Sophos VPN interfaces was deployed by the attackers, with a method of redirection that forwarded victims directly to legitimate sites after credentials had been submitted. The intentional handoffs reduced the probability of users suspecting the activity and made it more likely to blend in with their regular browsing habits. 

As part of its phishing operations, a wide variety of readily available third-party services, including Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, were used to spread spoofed pages, collect stolen credentials, and redirect traffic to servers that were possessed by the hackers. 

Furthermore, the threat actors used genuine PDF documents to embed their lures into their messages. These included a publication from the Gulf Research Center on the Iran-Israel conflict released in June 2025, as well as a policy briefing released by the climate think tank ECCO in July 2025 concerning a Mediterranean pact. 

As the infection chain is outlined above, several instances have occurred in which phishing emails contained shortened links that briefly displayed legitimate documents before redirecting users to a fake Microsoft OWA login page, where hidden HTML elements and JavaScript functions transmitted credentials to attacker-controlled endpoints, before redirecting the users back to the original PDF document. 

There have been a number of additional campaigns identified during the same timeframe, including a fake Sophos VPN password reset page used to target a think tank of the European Union in June 2025, a wave of attacks that were carried out in September 2025 and which exploited false password expiration alerts to compromise military and technology organizations in North Macedonia and Uzbekistan, and a similar attack in April 2025 in which the credentials were exfiltrated using a fake Google password reset page. 

Fancy Bear has recently been associated with methodical phishing-driven intrusions, in which emails have been tailored to specific targets and written in the native language of the target to increase credibility and engagement. In documented cases, the recipients were initially directed to genuine PDF documents sourced from reputable organizations, which were carefully chosen based on their alignment with the intended victims' professional interests. 

The attacker used a genuine climate policy publication from a Middle Eastern think tank to trick renewable energy researchers in Türkiye into logging in using fake login pages resembling services like Sophos VPN, Google, and Microsoft Outlook.

Upon entering credentials, users were automatically redirected to the legitimate service's real login page, so a second authentication attempt was often prompted, which in this situation can easily be brushed aside as just a routine technical error. 

The operators did not rely on custom malware or proprietary infrastructure to keep track of or detect the attacks, but rather, they relied on commonly available hosting and networking services, which reduced overhead, but also complicated the process of attribution and detection.

With the credentials obtained as a result of these campaigns, access to email platforms and virtual private networks would have provided a foothold to collect intelligence, move laterally, and perform subsequent operations against targets with higher value. 

Although the techniques used in such a state-backed advanced persistent threat are not technically innovative, analysts note that the simplicity appears to be intentional on the part of the perpetrators. 

A calculated shift towards persistent, scalability, and operational deniability over overt technical sophistication, which was achieved through the use of disposable infrastructure, commercial VPN services, and widely available platforms, minimized forensic traces and shortened the life cycle of their attack infrastructure, as well as the shift toward scalability and operational deniability. 

Considering the findings of the latest research as a whole, it seems to be confirming an underlying shift in how state-backed threat actors are pursuing long-term intelligence objectives in a world that is becoming more and more crowded and very well protected. 

In addition to multi-faceted tactics, such as those associated with APT28 emphasize the enduring value of social engineering, trusted content, and low-cost infrastructure as ways to exploit a network as long as they are applied with precision and patience, rather than focusing on technical novelty or destructive effects. 

It should be noted that this activity serves as a reminder to government agencies, policy institutions, and organizations working in sensitive sectors that the first point of exposure to cyber-attacks is not traditionally advanced malware, but rather common daily tasks like email usage and remote authentication.

In order to strengthen security defenses, it is essential to bear in mind that credentials must be maintained correctly, multifactor authentication should be implemented, login activity should be continuously monitored and regular security awareness training needs to be tailored to regional and linguistic conditions. 

The persistence of these operations at a strategic level illustrates how cyber espionage can be viewed as a normalized tool by governments. It is one that is based on endurance and plausible deniability rather than visibility. 

With geopolitical tensions continuing to shape the threat landscape, it is becoming increasingly important to close the subtle gaps that quietly enable the use of spectacular attacks in order to remain resilient to them.
Read more »
Sensitive data
AI Agent ai application Cyber Security LangChain Sensitive data

LangChain Security Issue Puts AI Application Data at Risk

 



A critical security vulnerability has been identified in LangChain’s core library that could allow attackers to extract sensitive system data from artificial intelligence applications. The flaw, tracked as CVE-2025-68664, affects how the framework processes and reconstructs internal data, creating serious risks for organizations relying on AI-driven workflows.

LangChain is a widely adopted framework used to build applications powered by large language models, including chatbots, automation tools, and AI agents. Due to its extensive use across the AI ecosystem, security weaknesses within its core components can have widespread consequences.

The issue stems from how LangChain handles serialization and deserialization. These processes convert data into a transferable format and then rebuild it for use by the application. In this case, two core functions failed to properly safeguard user-controlled data that included a reserved internal marker used by LangChain to identify trusted objects. As a result, untrusted input could be mistakenly treated as legitimate system data.

This weakness becomes particularly dangerous when AI-generated outputs or manipulated prompts influence metadata fields used during logging, event streaming, or caching. When such data passes through repeated serialization and deserialization cycles, the system may unknowingly reconstruct malicious objects. This behavior falls under a known security category involving unsafe deserialization and has been rated critical, with a severity score of 9.3.

In practical terms, attackers could craft inputs that cause AI agents to leak environment variables, which often store highly sensitive information such as access tokens, API keys, and internal configuration secrets. In more advanced scenarios, specific approved components could be abused to transmit this data outward, including through unauthorized network requests. Certain templating features may further increase risk if invoked after unsafe deserialization, potentially opening paths toward code execution.

The vulnerability was discovered during security reviews focused on AI trust boundaries, where the researcher traced how untrusted data moved through internal processing paths. After responsible disclosure in early December 2025, the LangChain team acknowledged the issue and released security updates later that month.

The patched versions introduce stricter handling of internal object markers and disable automatic resolution of environment secrets by default, a feature that was previously enabled and contributed to the exposure risk. Developers are strongly advised to upgrade immediately and review related dependencies that interact with LangChain-core.

Security experts stress that AI outputs should always be treated as untrusted input. Organizations are urged to audit logging, streaming, and caching mechanisms, limit deserialization wherever possible, and avoid exposing secrets unless inputs are fully validated. A similar vulnerability identified in LangChain’s JavaScript ecosystem accentuates broader security challenges as AI frameworks become more interconnected.

As AI adoption accelerates, maintaining strict data boundaries and secure design practices is essential to protecting both systems and users from newly developing threats.

Read more »
User Privacy
Chinese hacking group Data Breach Email Breach Privacy Salt Typhoon U.S. U.S. House committees cyberattack User Data User Privacy

Chinese Hacking Group Breaches Email Systems Used by Key U.S. House Committees: Report

 

A cyber espionage group believed to be based in China has reportedly gained unauthorized access to email accounts used by staff working for influential committees in the U.S. House of Representatives, according to a report by the Financial Times published on Wednesday. The information was shared by sources familiar with the investigation.

The group, known as Salt Typhoon, is said to have infiltrated email systems used by personnel associated with the House China committee, along with aides serving on committees overseeing foreign affairs, intelligence, and armed services. The report did not specify the identities of the staff members affected.

Reuters said it was unable to independently confirm the details of the report. Responding to the allegations, Chinese Embassy spokesperson Liu Pengyu criticized what he described as “unfounded speculation and accusations.” The Federal Bureau of Investigation declined to comment, while the White House and the offices of the four reportedly targeted committees did not immediately respond to media inquiries.

According to one source cited by the Financial Times, it remains uncertain whether the attackers managed to access the personal email accounts of lawmakers themselves. The suspected intrusions were reportedly discovered in December.

Members of Congress and their staff, particularly those involved in overseeing the U.S. military and intelligence apparatus, have historically been frequent targets of cyber surveillance. Over the years, multiple incidents involving hacking or attempted breaches of congressional systems have been reported.

In November, the Senate Sergeant at Arms alerted several congressional offices to a “cyber incident” in which hackers may have accessed communications between the nonpartisan Congressional Budget Office and certain Senate offices. Separately, a 2023 report by the Washington Post revealed that two senior U.S. lawmakers were targeted in a hacking campaign linked to Vietnam.

Salt Typhoon has been a persistent concern for the U.S. intelligence community. The group, which U.S. officials allege is connected to Chinese intelligence services, has been accused of collecting large volumes of data from Americans’ telephone communications and intercepting conversations, including those involving senior U.S. politicians and government officials.

China has repeatedly rejected accusations of involvement in such cyber spying activities. Early last year, the United States imposed sanctions on alleged hacker Yin Kecheng and the cybersecurity firm Sichuan Juxinhe Network Technology, accusing both of playing a role in Salt Typhoon’s operations.
Read more »
Subscribe to: Comments (Atom)

Featured