In a rare and urgent late-night address, a senior Singapore official confirmed that the country is currently facing a sophisticated and ongoing cyberattack targeting its critical infrastructure. The attack is attributed to UNC3886, a suspected China-nexus advanced persistent threat (APT) actor previously associated with espionage campaigns targeting U.S. and Asian defense and tech sectors.

Coordinating Minister for National Security, K Shanmugam, called the threat “serious and ongoing,” warning that UNC3886 is actively attempting to compromise Singapore’s power, telecommunications, water, and transportation systems. “UNC3886 poses a serious threat to us and has the potential to undermine our national security,” the official said.

“Even as we speak, UNC3886 is attacking our critical infrastructure.” - K Shanmugam

Who Is UNC3886

UNC3886 is a highly advanced, state-sponsored cyber espionage group, strongly suspected to be linked to China. A defining characteristic of UNC3886 is its exceptional ability to discover and exploit zero-day vulnerabilities in network devices and virtualization software. According to multiple threat intelligence reports, the group is also known for using living-off-the-land techniques and for operating in air-gapped or segmented environments to maintain undetected access.

Its operational methods are marked by extreme sophistication and evasiveness. UNC3886 employs a diverse toolkit including custom malware (like VIRTUALSHINE and TINYSHELL-based backdoors), publicly available rootkits, and intricate techniques to disable logging and remove traces of its activity. The group prioritizes maintaining long-term, stealthy access to compromised systems, often through multiple layers of persistence and by abusing legitimate credentials obtained via methods like SSH backdoors or targeting authentication servers.

First identified by Mandiant in 2022, UNC3886 has demonstrated a unique capability to compromise high-value targets by exploiting vulnerabilities in widely used products from vendors such as VMware, Fortinet, and Juniper Networks. Its focus on zero-day exploits, coupled with its highly covert and persistent operational style, positions it as one of the most dangerous and challenging cyber adversaries currently operating on the global stage.

Targeting the Lifelines of the State

Specifics of the current attack were not disclosed due to "national security concerns," but Shanmugam said the targets include high-value national assets.

“The intent of this threat actor is quite clear—it is going after high-value strategic targets: vital infrastructure that delivers essential services.” - K Shanmugam

The gravity of such intrusions is not hypothetical. A successful breach into Singapore’s energy grid, for instance, could cascade into failures across healthcare, water, and transport systems. “Our economy can be substantially impacted,” Shanmugam warned. “Banks, airports, industries would not be able to operate.”

Prepared but Realistic

Singapore's Cyber Security Agency (CSA), in coordination with other national agencies and Critical Information Infrastructure (CII) owners, is actively mitigating the ongoing threat. The speaker reiterated that the country has robust incident response plans but tempered expectations given the sophistication of state-sponsored attackers.

“We are up against very sophisticated actors, some backed by countries with vast resources—unlimited almost—in manpower and technology,” Shanmugam said. “Even countries at the frontier of technology have not been able to prevent APT attacks on their systems.”

Trust and Reputation at Stake

Perhaps the most sobering part of the address was a clear recognition of what’s at stake: trust. “Trust and confidence in Singapore as a whole can be affected,” the official said. “Businesses may shy away if they are unsure about our systems—whether they are clean, resilient, and safe.”

Singapore has long prided itself as a global business hub. But in a landscape where cyber resilience is becoming a key metric of economic stability, its digital infrastructure is now squarely part of its national brand.

The situation remains fluid. Authorities have promised to reassess whether more details can be released publicly. In the meantime, Singapore is rallying its resources and international partners to keep systems secure. The message is clear: the island nation is under digital siege—but it is not standing still.

The ANZ (Australia and New Zealand) region has long been plagued by cyber threats that have targeted the nations for years. From ransomware groups and vulnerability exploitation to new threat actors trying their luck, the Oceanic countries have faced countless cyber incidents from adversaries. According to the Australian Cyber Security Centre, tens of thousands of cyberattacks are reported annually, with the average cost of a data breach in Australia reaching nearly $3 million.

Over the years, there have been several high-profile breaches in both Australia and New Zealand that exposed the personal data of millions. To protect against such breaches and threat actors, both Australia and New Zealand need to adopt the best threat intelligence platforms in ANZ 2025. Thankfully, there have been several top ANZ threat intelligence platforms protecting the regions with advanced cybersecurity solutions.

Here is a list of the top 10 threat intelligence platforms in ANZ (2025). Most of these threat intelligence platforms are listed out of Gartner Peer Insights.

Top 10 Threat Intelligence Platforms in ANZ (2025)

1. Cyble

Cyble is a global cyber threat intelligence company that helps organizations manage cyber risks through AI-powered solutions and actionable insights. Its platforms, including Cyble Vision, Cyble Hawk, Cyble Titan, AmIBreached, and Cyble Odin, offer comprehensive capabilities like threat intelligence, attack surface management, dark web monitoring, and vulnerability management. It has been recognized among the top ANZ threat intelligence platforms for delivering top-notch threat intelligence ANZ security teams can trust.

Cyble consistently ranks among the top 10 threat intelligence platforms in ANZ globally, as well as on Gartner Peer Insights, where it regularly receives the highest user scores. With 73% of users rating it 5 stars, Cyble is highly regarded for its ability to enhance security visibility and resilience, particularly in the ANZ region, where its impact is notably strong. It was also awarded 22 badges in the G2 Summer 2025 Report across categories like threat intelligence, brand intelligence, and dark web monitoring.

2. Recorded Future

Recorded Future is a threat intelligence company known for its powerful threat intelligence platform, which delivers end-to-end insights on adversaries, infrastructure, and potential targets. By indexing a vast array of sources, including the open web, dark web, and technical feeds, the platform offers real-time visibility into the modern-day threat landscape. This enables organizations to reduce risk and operate securely with greater speed and confidence. Headquartered in Boston with a global presence, Recorded Future serves a wide range of businesses and government agencies, providing timely, unbiased, and actionable intelligence.

3. CrowdStrike

CrowdStrike is a cybersecurity company focused on enterprise risk areas such as endpoints, cloud workloads, identity, and data protection. Its Falcon platform, built on the CrowdStrike Security Cloud, uses real-time attack indicators, threat intelligence, and enterprise telemetry to support threat detection, automated response, and vulnerability monitoring. The platform operates through a lightweight cloud-native agent, designed for quick deployment and reduced system complexity. With an emphasis on scalable protection and AI-driven analysis, CrowdStrike offers organizations a practical approach to addressing modern cyber threats.

4. Tesserent

Tesserent is an Australian cybersecurity company providing managed security services, consultancy, and threat intelligence solutions. Originally founded in Melbourne with a focus on managed security and backed primarily by local investors, Tesserent has grown into Australia's leading ASX-listed cybersecurity firm. With offices across Australia and New Zealand, the company supports clients across all sectors, including government and critical infrastructure.

Tesserent delivers tailored cybersecurity services that help organizations prevent, detect, and respond to threats. Its offerings include 24/7 managed services, cloud security, technical assurance, GRC advisory, physical security, and continuous monitoring, serving over 1,200 mid-sized to large enterprises and public sector clients. As part of the top 10 threat intelligence platforms in ANZ, Tesserent’s threat intelligence tools help in ANZ cybersecurity TIP 2025 efforts.

5. Huntsman Security

Huntsman Security is an Australian threat intelligence service provider that started in 1999. It develops advanced cybersecurity software designed to support highly secure environments across intelligence, defense, and criminal justice sectors. The company offers risk management, monitoring, and response solutions by leveraging machine learning and high-speed stream processing to analyze and contextualize security data in real time.

With offices in Australia and the UK, and operations in Japan and the Philippines, Huntsman Security focuses on helping governments and businesses transition to more efficient digital operations while meeting growing regulatory demands. Its technology is built to measure, report, and reduce cyber risk effectively.

6. CTM360

CTM360 is a cybersecurity company specializing in integrated external security. Its platform simplifies cyber defenses by combining multiple capabilities into a single security solution. The platform covers external attack surface management, digital risk protection, cyber threat intelligence, brand protection, deep & dark web monitoring, and takedowns.

With CTM360, all functions are fully managed, requiring no setup, configuration, or constant input from users. The system comes pre-populated with data specific to each organization, providing a turnkey experience that streamlines external threat management and enhances overall security posture.

7. Palo Alto Networks

Palo Alto Networks is a global cybersecurity leader pioneering cloud-centric security solutions through an integrated platform approach. The company leverages innovations in artificial intelligence, analytics, automation, and orchestration to deliver unified protection across cloud environments, networks, and mobile devices. Its strategy emphasizes platformization, bundling multiple security functions into comprehensive, interoperable packages, which simplifies vendor management and enhances operational efficiency.

8. KELA

KELA is a cybercrime threat intelligence firm that delivers proactive, attacker‑informed insights by combining automated technology with expert human analysis. Its platform tracks activity across the deep and dark web, including illicit forums, messaging groups, botnet markets, and stolen data dumps, to detect new threats and compromised credentials. By providing contextualized intelligence from an adversary’s perspective, KELA helps organizations anticipate attacks before they materialize, making it possible to reinforce defenses, close exposure gaps, and reduce risk effectively.

9. Content Security

Content Security is an Australian IT cybersecurity integration and consulting firm with a focus on protecting clients’ brand reputation and financial integrity. They work closely with leading technology partners to deliver practical expertise in secure cloud architecture, strong governance, advanced forensics, and remediation solutions.

Offering a comprehensive portfolio, including penetration testing, red teaming, social engineering assessments, risk advisory (GRC), cloud security, managed services, and around-the-clock threat response, they provide end-to-end cybersecurity tailored to Australian organizations. With over two decades of experience, Content Security delivers a seamless service model, acting as a single point of contact for product selection, deployment, and ongoing management to help businesses maintain compliance and resilience.

10. Airlock Digital

Airlock Digital is an Australian cybersecurity firm specializing in endpoint protection through application allowlisting. Founded in Adelaide by cybersecurity professionals, the company offers a scalable solution that enforces a "Deny by Default" security posture, ensuring only trusted applications are permitted to execute on endpoints. This approach effectively prevents malware, ransomware, and zero-day attacks by blocking unapproved code.

Airlock Digital's platform supports various operating systems, including Windows, macOS, and Linux, and integrates seamlessly with existing IT infrastructures. The company operates globally, with offices in Australia, North America, and the Asia Pacific region, providing tailored security solutions to organizations across diverse industries.

Conclusion

As cyber threats grow across Australia and New Zealand, choosing the right threat intelligence solution is critical. The top 10 threat intelligence platforms in ANZ, including Cyble, offer advanced capabilities to help organizations detect, prevent, and respond to cyber risks with confidence.

Cyble stands out as a unified platform for threat exposure management, combining AI-driven analytics, dark web monitoring, attack surface management, and real-time threat detection. Whether you're defending against ransomware, securing cloud environments, or protecting your brand, Cyble empowers ANZ security teams to stay protected from cyber threats.

Ready to strengthen your defenses? Talk to an Expert or Schedule a Demo to see how Cyble can protect your business.

Frequently Asked Questions (FAQs) about Threat Intelligence Platforms in ANZ

Q1. What are the top 10 threat intelligence platforms in ANZ 2025?
Leading platforms include Cyble, Recorded Future, CrowdStrike, Tesserent, Huntsman Security, SOCRadar, Palo Alto Networks, KELA, Content Security, and Airlock Digital—trusted by ANZ security teams.

Q2. Why is threat intelligence vital for ANZ security teams?
It helps detect cyber threats early, reducing costly breaches and enhancing cybersecurity in Australia and New Zealand.

Q3. What defines the ANZ threat intelligence ranking 2025?
Real-time threat data, dark web monitoring in Australia, AI analytics, and strong vulnerability management capabilities in Australia.

Q4. How do threat intelligence platforms support cloud security in Australia?
They provide continuous monitoring and fast response to threats targeting cloud environments.

Q5. Where can I find the ANZ threat intelligence guide 2025?
Industry reports and cybersecurity firms provide guides on the best TIPs in Australia and New Zealand.

The Thailand Ministry of Labour cyberattack has intensified, with new revelations indicating that a planned data breach impacted the Ministry’s digital infrastructure. What was initially reported as a defacement of the Ministry’s website has now been confirmed as a full-scale cyberattack on Thailand’s Ministry of Labour that compromised internal systems, encrypted critical data, and disrupted government operations.

Boonsong Tapchaiyut, Permanent Secretary of the Ministry of Labour, had confirmed that on the morning of July 17, 2025, hackers had defaced the Ministry’s official website, replacing its homepage with a message announcing their successful attack. Further, Boonsong emphasized that the data breach was limited to visible content and that the internal servers and data repositories remained secure. However, recent developments have painted a very different picture.

Hacker Group 'Devman' Claims Responsibility

A threat actor identifying as Devman had claimed responsibility for the Thailand Ministry of Labour cyberattack through a post on a dark web blog. According to the post, the group had maintained undetected access to the Ministry's network for more than 43 days, infiltrating Active Directory servers and multiple Linux systems during that period.

The group claims to have exfiltrated over 300 GB of sensitive data, encrypted approximately 2,000 laptops, and taken control of 98 Linux servers and over 50 Windows servers. Moreover, they state that they have completely wiped the Active Directory environment and destroyed all tape backups, rendering data recovery almost impossible.

Website Defacement After Thailand Ministry of Labour Cyberattack

The Thailand Ministry of Labour cyberattack became publicly known after the Ministry’s website was defaced with a chilling message: “THIS IS NOT JUST THE WEBSITE. WHAT YOU WITNESS HERE IS PART OF OUR COORDINATED ATTACK, AIMED AT CRIPPLING THIS MINISTRY.”

Although the message was removed shortly afterward and the website was restored using backup files, the deeper implications of the cyberattack are now emerging. Boonsong stated that immediate actions were taken by the Ministry’s Information and Communication Technology Center (ICTC) to shut down the compromised system, remove the malicious files, and restore web functionality using backups. New security measures were also implemented, including closing access points and resetting all usernames and passwords. He further clarified that the circulating claim of a $15 million loss was inaccurate and that damage assessments were still ongoing.

Full System Compromise Confirmed

In an update on the Thailand Ministry of Labour cyberattack issued late July 17, the Ministry acknowledged that its internal systems had been compromised and encrypted, with no recovery possible without the decryption key. An internal error during IT operations has made short-term recovery unlikely, leaving the Ministry’s infrastructure completely down for the time being due to the Thailand Ministry of Labour cyberattack.

“The severity of the situation has elevated. We are treating this matter with utmost urgency and will provide more updates as we work through the crisis,” read the official statement.

[Image: Boonsong Tapchaiyut, Permanent Secretary of the Ministry of Labor (Source: Official Website)]

Legal Action and Cybercrime Report Filed

Boonsong confirmed that the Ministry has filed a report with the Cyber Police, urging legal action against the perpetrators under the Computer Crime Act, citing reputational damage and the entry of false data into a government system.

“I’ve instructed the legal department to examine all possible avenues. This is not just a technical incident — it is a violation of national security and law,” said Boonsong.

What’s Next?

The Ministry of Labour is currently working with external cybersecurity firms, law enforcement, and national cyber defense agencies to determine the full extent of the damage of the Thailand Ministry of Labour cyberattack and prevent future incidents. Recovery efforts are underway, though the destruction of backups and encryption of internal systems present a formidable challenge.

As this story continues to unfold, The Cyber Express will monitor updates on the Thailand Ministry of Labour cyberattack, including any official responses, confirmations, or public statements from affected agencies.

Cyble’s Research and Intelligence Lab (CRIL) has analyzed a new quishing campaign that leverages QR codes embedded in PDF files to deliver malicious payloads. The campaign, dubbed Scanception, bypasses security controls, harvests user credentials, and evades detection by traditional systems.

Unlike conventional phishing attacks, which rely on malicious links within emails or attachments, Scanception leverages user curiosity by embedding QR codes within legitimate-looking PDF documents. Victims are prompted to scan these codes using their mobile devices, a tactic that shifts the attack vector to endpoints that lie outside organizational visibility, such as personal smartphones. This approach allows attackers to bypass security systems like secure email gateways (SEGs) and endpoint detection tools, which often do not scrutinize mobile device traffic.

The attack typically begins with a phishing email that includes a PDF file mimicking official corporate communication. These decoys are crafted to resemble HR notifications, employee handbooks, or onboarding documents, complete with logos, tables of contents, and multiple pages to avoid signature-based detection tools.

Scanception Quishing Campaign: Over 600 Unique Lures in Three Months

[Image: Phishing QR code (Source: Cyble)]

CRIL’s analysis over three months uncovered over 600 distinct phishing PDFs and emails tied to the Scanception campaign. Nearly 80% of these files had zero detections on VirusTotal at the time of their discovery. These documents are not randomly distributed; instead, they are precision-targeted based on industry verticals, geographic location, and user roles.

This quishing campaign had a global reach throughout the tracking period, affecting organizations in over 50 countries, with high activity concentrations in North America, EMEA (Europe, the Middle East, and Africa), and the APAC region. The sectors most impacted include technology, healthcare, manufacturing, and BFSI (banking, financial services, and insurance), industries known for their data sensitivity and high-value targets.

Credential Theft via AITM Phishing Infrastructure

[Image: Office 365 sign-in portal (Source: Cyble)]

The end goal of Scanception is credential harvesting. The embedded QR codes lead to adversary-in-the-middle (AITM) phishing pages, often designed to impersonate Microsoft Office 365 login portals. These pages collect user credentials in real time and use advanced techniques to bypass security measures such as multi-factor authentication (MFA).

Once credentials are entered, the attacker’s infrastructure captures the data using tools like randroute and randexp.min.js, which dynamically generate URLs to evade signature-based detection. The phishing pages also employ browser fingerprinting and detect debugging tools like Selenium and Burp Suite. If such tools are identified, the attack immediately halts by redirecting to a blank or legitimate webpage.

This dynamic infrastructure maintains an open communication channel with the attacker, potentially prompting for secondary authentication details like 2FA codes or one-time passwords (OTPs), enabling full session hijacking and long-term access to compromised accounts.

Abuse of Trusted Platforms and Redirection Techniques

One of Scanception’s most insidious strategies involves the abuse of trusted redirection services and reputable cloud-hosting platforms. The campaign has misused services such as YouTube, Google, Bing, Cisco, Medium, and even email protection vendors to host or relay phishing infrastructure. This tactic not only masks the attack behind seemingly legitimate URLs but also helps in evading content and reputation-based security filters.

Examples include:

- Redirect URLs embedded in Google search links
- Medium articles containing hidden redirect links
- Cisco-secure URLs redirecting to phishing pages
- Email security links that lead victims to fake login portals

By embedding malicious payloads behind such domains, attackers bypass security measures that typically whitelist these platforms.

Evolution of Tactics and Continued Activity

Scanception is not a static operation; it is adapting and changing rapidly. Initial versions of the decoy PDFs were single-page documents. Newer versions now include multiple pages, structured content, and advanced visual designs to enhance credibility. Some phishing pages now feature multi-stage harvesting and dynamic evasion techniques, including right-click disablement and real-time debugging detection.

Scanception is a new and advanced player in phishing, blending social engineering with technical evasion to exploit QR codes, trusted platforms, and unmanaged mobile devices. With over 600 unique lures identified in just 90 days, most undetected by threat engines, it highlights how attackers bypass security and target users beyond traditional perimeters.
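
An added example, not taken from CRIL's report: a triage helper for URLs decoded from QR codes in PDF attachments. It follows the redirection pattern described above, where a trusted first-hop domain carries the real destination in a query parameter, and judges the link by its final host instead. The host lists, keyword list and sample URLs are assumptions constructed for illustration.

```python
"""Triage URLs decoded from QR codes: judge the final destination, not the first hop."""
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: first-hop hosts that URL filters tend to trust. The second entry is a
# hypothetical email-protection link rewriter; the list is illustrative only.
TRUSTED_FIRST_HOPS = {"www.google.com", "links.mailfilter.example"}
# Assumption: hosts where this organisation's users legitimately sign in.
EXPECTED_LOGIN_HOSTS = {"login.microsoftonline.com"}
LOGIN_KEYWORDS = ("login", "signin", "office365", "microsoft")
MAX_HOPS = 5  # bound nesting so crafted input cannot make the unwrapping run away

# Constructed sample URLs, as they might be decoded from QR codes in PDF attachments.
SAMPLES = [
    "https://www.google.com/url?q=https%3A%2F%2Foffice365-signin.example.net%2Fauth&sa=D",
    "https://links.mailfilter.example/v2?u=https%253A%252F%252Fportal.example.org%252Fhr-handbook",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
]


def nested_url(url):
    """Return the first http(s) URL carried in a query parameter, or None."""
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        candidate = value  # parse_qsl has already percent-decoded once
        for _ in range(3):  # tolerate a few extra layers of percent-encoding
            if candidate.lower().startswith(("http://", "https://")):
                return candidate
            decoded = unquote(candidate)
            if decoded == candidate:
                break
            candidate = decoded
    return None


def unwrap(url):
    """Follow embedded destinations offline; return the chain, first hop first."""
    chain = [url]
    while len(chain) <= MAX_HOPS:
        inner = nested_url(chain[-1])
        if inner is None or inner in chain:  # nothing nested, or a loop
            break
        chain.append(inner)
    return chain


def triage(url):
    """Classify one QR-decoded URL by where it finally lands."""
    chain = unwrap(url)
    first = (urlsplit(chain[0]).hostname or "").lower()
    final = (urlsplit(chain[-1]).hostname or "").lower()
    findings = []
    if len(chain) > 1 and first in TRUSTED_FIRST_HOPS:
        findings.append("trusted-redirector")
    if len(chain) > 1 and final != first:
        findings.append("cross-domain-redirect")
    # Sign-in lookalike: the final URL uses login wording but is not an expected host.
    looks_like_login = any(word in chain[-1].lower() for word in LOGIN_KEYWORDS)
    if looks_like_login and final not in EXPECTED_LOGIN_HOSTS:
        findings.append("login-lookalike")
    return {"first_hop": first, "final_host": final, "hops": len(chain), "findings": findings}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

The helper never fetches anything, so it only sees destinations carried in the URL itself; redirects issued server-side by the first hop need a sandboxed fetch to resolve.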

Roblox has announced a new suite of safety and privacy updates aimed at teenagers, including an AI-driven age estimation system, enhanced parental insight tools, and a new “Trusted Connections” feature.

Another update is the video-based age estimation requirement to unlock Trusted Connections. Users aged 13 and above will now need to submit a video selfie to confirm their age, a process powered by a third-party verification provider, Persona.

These updates come at a time of mounting regulatory scrutiny and legal challenges concerning how digital platforms safeguard children and adolescents online.

Age Estimation Technology Raises Privacy and Policy Questions

While Roblox emphasizes that it does not retain raw data and Persona deletes it within 30 days, privacy supporters may question the broader implications of collecting biometric data from minors. Despite assurances of data protection, such systems inevitably introduce a layer of surveillance and dependency on machine learning algorithms, a point that has become contentious in ongoing conversations around digital identity and data governance.

Roblox’s rollout comes shortly after the U.S. Supreme Court allowed age verification laws to stand, and multiple U.S. states followed with similar legislative moves. While such laws are intended to prevent minors from accessing adult content, platforms are now expected to extend these standards to broader areas, including social interaction, as is the case with Roblox.

A Measured Attempt to Contain Off-Platform Risk

The “Trusted Connections” feature allows teens to connect more easily with peers they know in real life. The logic is straightforward: by encouraging users to stay within the platform, Roblox reduces the chances of teens moving conversations to less regulated apps, such as Discord or WhatsApp, where moderation is weaker.

However, critics might argue that such mechanisms can only go so far in mitigating risk. Grooming, manipulation, and other online harms often occur even within "trusted" circles, and while age checks are a step in the right direction, they are far from a silver bullet. It also raises a fundamental question: Should the burden of identifying "safe" interactions fall on AI tools and account-linking features, or is a broader rethinking of digital design needed?

Teen Controls and Parental Visibility

Roblox is also expanding its parental tools and teen privacy settings. New additions include:

- Do Not Disturb mode
- Customizable online status
- Screen time insights and controls

These updates aim to strike a balance between teen autonomy and parental awareness. While the ability to view time spent, friend lists, and experiences may offer parents peace of mind, it also risks pushing some teens toward creating secondary or hidden accounts, a well-documented behavior among youth who feel overly surveilled.

From a policy perspective, this raises questions about how much oversight is appropriate, especially when the child is over 13, which many consider a transitional stage in online independence.

Roblox Faces Legal and Regulatory Pressure

These safety updates arrive amid intensifying pressure. In recent months, Roblox has faced lawsuits from families alleging negligence in addressing grooming and exploitation. A recent lawsuit, for instance, describes a harrowing case of an underage user nearly being assaulted after meeting an adult through the platform.

In response, several states, including Florida, have initiated inquiries into Roblox’s content moderation systems and age verification policies. Notably, Florida Attorney General James Uthmeier issued a subpoena to the company earlier this year, seeking detailed records of its safety practices and communication policies.

The company has consistently maintained that it takes child safety seriously and has invested in moderation, machine learning tools, and advisory councils. Still, these cases reflect broader concerns about whether platform governance is evolving fast enough to keep up with real-world threats.

Industry-Wide Shift or Strategic Optics?

Roblox is not alone in reevaluating its approach to child and teen online safety. Reddit and Google have introduced or adjusted age-verification systems in response to similar pressures. In the UK, the Online Safety Act has begun to influence platform behavior globally.

However, there’s a difference between reactive compliance and proactive safety design. The integration of features like age estimation may help tick regulatory boxes, but the effectiveness of these tools will ultimately be judged by how well they prevent harm, not just how well they document intent.

It remains to be seen whether these updates will meaningfully reduce risk or simply serve as technical safeguards that shift responsibility from platform to user.

Japan’s cyber defenders have raised the red flag, once again, for a set of Ivanti Connect Secure vulnerabilities that continue to be exploited to the present day, although a patch has been available for the last three months.

The latest update comes after the Japanese computer emergency response team, in April, first issued a critical advisory detailing the exploitation of Ivanti Connect Secure bugs, tracked as CVE-2025-0282 and CVE-2025-22457, to deploy DslogdRAT and SPAWNCHIMERA malware variants.

JPCERT/CC said it has continued to track the exploitation of these bugs but has additionally identified new malware variants, including the deployment of a Cobalt Strike beacon with the help of a loader that makes use of DLL side-loading.

[Image: Execution flow of Cobalt Strike through MDifyLoader (Credit: JPCERT/CC)]

The loader is based on the open-source project libPeConv and uses RC4, a stream cipher known for its speed and simplicity, for decrypting data files; its key is derived from the MD5 hash value of executable files. This method requires the executable file, the loader, and the data file for execution, and the attackers likely intended obfuscation using this method.

The other remote access trojan identified was “vshell.” Researchers said that its GitHub repository is no longer publicly available but “attackers have been observed using the Windows executable vshell version 4.6.0.” An interesting feature of this RAT is that it checked the system language and, if it wasn’t Chinese, proceeded with further execution.

The last of the three payloads observed was “Fscan,” an open-source network scanning tool written in the Go language. This tool was again deployed using DLL side-loading.

[Image: The execution flow of Fscan (Credit: JPCERT/CC)]

Post Exploitation of Ivanti Connect, Behavior of Attackers

JPCERT/CC also revealed the attackers' tactics after breaching the internal network, which included using brute-force attacks on AD, FTP, MSSQL, and SSH servers. They then scanned the internal systems and exploited the SMB vulnerability MS17-010. With stolen credentials, they moved laterally via RDP and SMB, deploying malware across systems.

The attackers also created new domain accounts, added them to groups to maintain access, and registered malware as services or scheduled tasks to ensure it ran at startup or on triggers. To evade EDR detection, they used a loader based on FilelessRemotePE to execute malware via legitimate files, bypassing ETW logging in ntdll.dll.

The Japanese cyber defenders have provided more detailed tactics, techniques and procedures in their technical advisory released today.

Ivanti devices are not just used by private-sector entities but are also popular amongst government agencies. However, the popularity has made them a prime target as well. The organizations impacted by previous Ivanti bugs include the US Cybersecurity and Infrastructure Security Agency and several Australian enterprises.

JPCERT/CC said, “These attacks have persisted since December 2024 and are expected to remain active, particularly those aimed at VPN devices like Ivanti Connect Secure.”
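
An added example, not JPCERT/CC's tooling and not the loader's own code, of the three-file dependency described above: the data file only decrypts with an RC4 key derived from the MD5 of the matching executable, so responders need the unmodified executable as well as the loader and data file. It assumes the key is the raw 16-byte MD5 digest of the whole executable and that the plaintext is a PE image starting with "MZ", neither of which the article specifies; all byte strings are constructed.

```python
"""Recover an RC4-encrypted data file by testing MD5-derived keys from collected executables."""
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    state = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream generation, XORed over the input
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out.append(byte ^ state[(state[i] + state[j]) & 0xFF])
    return bytes(out)


def key_from_executable(exe_bytes: bytes) -> bytes:
    # Assumption: the key is the raw MD5 digest of the complete executable file.
    return hashlib.md5(exe_bytes).digest()


def find_matching_executable(data_file: bytes, candidates: dict, magic: bytes = b"MZ"):
    """Try every collected executable; return (name, plaintext) for the first whose
    derived key yields plaintext starting with `magic`, or None if none fits."""
    for name, exe_bytes in candidates.items():
        plaintext = rc4(key_from_executable(exe_bytes), data_file)
        if plaintext.startswith(magic):
            return name, plaintext
    return None


# Constructed stand-ins for evidence collected from one host.
EXE_A = b"constructed legitimate executable A"
EXE_B = b"constructed legitimate executable B"
PAYLOAD = b"MZ constructed payload body"
DATA_FILE = rc4(key_from_executable(EXE_A), PAYLOAD)

if __name__ == "__main__":
    print(find_matching_executable(DATA_FILE, {"b.exe": EXE_B, "a.exe": EXE_A}))
    # A single changed byte in the executable changes the key, so nothing matches.
    print(find_matching_executable(DATA_FILE, {"a_patched.exe": EXE_A + b"\x00"}))
```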
Cisco has issued a new security advisory warning of newly discovered vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), revealing serious security flaws that could allow remote, unauthenticated attackers to execute arbitrary code on targeted systems with root privileges.
The most severe of these vulnerabilities, tracked as CVE-2025-20337, carries the maximum CVSS score of 10.0. This vulnerability is strikingly similar to another critical issue, CVE-2025-20281, which Cisco patched just weeks earlier. “Multiple vulnerabilities in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit these vulnerabilities,” Cisco stated in its revised security advisory, published initially on June 25, 2025, and updated on July 16, 2025.

Cisco Vulnerability CVE-2025-20337

These vulnerabilities affect Cisco ISE and ISE-PIC versions 3.3 and 3.4 regardless of their configuration. Devices running Release 3.2 or earlier are not affected by CVE-2025-20337 or CVE-2025-20281. Meanwhile, a related vulnerability, CVE-2025-20282, impacts only Release 3.4. According to Cisco, no authentication is required to exploit these vulnerabilities. Threat actors could remotely submit crafted API requests or upload malicious files, thereby gaining full control over the operating system. This opens the door to activities like data exfiltration, lateral movement, or further compromise of network infrastructure.

Vulnerabilities Technical Details

The vulnerabilities CVE-2025-20337 and CVE-2025-20281 stem from insufficient validation of user-supplied input in a specific API used by Cisco ISE and ISE-PIC, allowing unauthenticated attackers to send crafted API requests that could result in arbitrary code execution with root privileges. These critical flaws, identified by Bug IDs CSCwo99449 and CSCwp02814, are categorized under CWE-269 (Improper Privilege Management) and CWE-74 (Improper Neutralization of Input), and carry a CVSS v3.1 base score of 10.0 with a vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, highlighting their severe potential impact on affected systems.
The vulnerability CVE-2025-20282 arises from inadequate file validation checks within an internal API of Cisco ISE and ISE-PIC, enabling remote attackers to upload arbitrary files to privileged directories and execute them with elevated privileges. Identified by Bug ID CSCwp02821, this flaw is rated critical with a CVSS v3.1 base score of 10.0 and a vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Patching and Recommendations

Cisco has released software updates to mitigate these vulnerabilities. However, the company emphasized that no workarounds currently exist for these issues. Organizations are strongly advised to upgrade to the recommended fixed releases: If running Cisco ISE 3.4 Patch 2, no further action is needed. For Cisco ISE 3.3 Patch 6, it is essential to upgrade to Patch 7. Users who have applied hot patches such as ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz or ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz should also upgrade, as these patches do not mitigate CVE-2025-20337. The advisory notes that these vulnerabilities are independent of one another, meaning each one could be exploited separately. An affected release may not necessarily be vulnerable to all three CVEs.
Within a single week, the Cambodia cybercrime crackdown arrested over 1,000 suspects linked to operations spanning at least five provinces, including Phnom Penh, Sihanoukville, Poipet, Kratie, and Pursat. The detentions included 85 Cambodians and hundreds of foreigners, from Vietnam, China, Taiwan, Indonesia, Myanmar, Bangladesh, and more. Prime Minister Hun Manet, citing threats to regional security, directed the Cambodia cybercrime crackdown “to maintain and protect security, public order, and social safety.” He issued a stern warning: officials could lose their jobs if they failed to act.

Decoding the Cambodia Cybercrime Crackdown

These operations, widely known for romance scams, investment fraud, and gambling schemes, allegedly generate billions of dollars annually. According to UN estimates, scammers in Southeast Asia have stolen up to $40 billion, acting through compounds often run by organized crime groups. Police also seized hundreds of mobile phones, computers, and other devices used in these scams. Despite the sweeping arrests, critics argue the Cambodia cybercrime crackdown could be little more than “reform theater.” Transnational crime analyst Jacob Sims described the operation as “fully performative,” noting that arrested individuals likely represent well under 1% of Cambodia’s estimated 150,000-strong cybercriminal population. He warned that even thousands of arrests are “a rounding error on the regime’s most profitable industry.” Indeed, such crackdowns mirror previous mass operations in 2022 and 2024, raids that critics say failed to dismantle the underlying infrastructure of cybercrime, reported the Australian Broadcasting Corporation.

State Collusion or Blind Eye?

Human rights organizations have alleged deeper government involvement. In June, Amnesty International released an 18‑month investigation revealing at least 53 scam compounds where trafficked workers, some as young as 13, were held in slave-like conditions, including torture, forced labor, and child exploitation. Amnesty’s Secretary General, Agnès Callamard, asserted: “Deceived, trafficked and enslaved, the survivors of these scamming compounds describe being trapped in a living nightmare … operating with the apparent consent of the Cambodian government”.
Conclusion

Critics argue that the government’s ruling elite benefit from cybercrime revenues. A May 2025 NGO report suggested that influential business groups, allegedly linked to top officials, host scam operations, further pointing to the state. Observers say this complicity helps maintain patronage networks that protect these cybercrime operations. The country faces mounting international scrutiny, not just over illicit cybercrime, but over its systemic tolerance of transnational cybercrime and associated human trafficking. Calls are growing for sustained reforms: closing scam compounds, prosecuting perpetrators (including officials), and protecting victims. Until these steps are taken, many believe the crackdown will remain superficial. As one analyst put it, the goal may be more about managing international perceptions than ending Cambodia’s deeply embedded role in cybercrime operations.
We’ve been seeing attempts at using spear-phishing tricks on a mass scale for quite a while now. These efforts are typically limited to slightly better than usual email styling that mimics a specific company, faking a corporate sender via ghost spoofing, and personalizing the message, which, at best, means addressing the victim by name. However, in March of this year, we began noticing a particularly intriguing campaign in which not only the email body but also the attached document was personalized. The scheme itself was also a bit unusual: it tried to trick victims into entering their corporate email credentials under the pretense of HR policy changes.

A fake request to review new HR guidelines

Here’s how it works. The victim receives an email, seemingly from HR, addressing them by name. The email informs them of changes to HR policy regarding remote work protocols, available benefits, and security standards. Naturally, any employee would be interested in these kinds of changes, so their cursor naturally drifts toward the attached document, which, incidentally, also features the recipient’s name in its title. What’s more, the email has a convincing banner stating that the sender is verified and the message came from a safe-sender list. As experience shows, this is precisely the kind of email that deserves extra scrutiny.

Figure: A phishing email message designed to lure victims with fake HR policy updates

For starters, the entire email content — including the reassuring green banner and the personalized greeting — is an image. You can easily check this by trying to highlight any part of the text with your mouse. A legitimate sender would never send an email this way; it’s simply impractical. Imagine an HR department having to save and send individual images to every single employee for such a widespread announcement! The only reason to embed text as an image is to bypass email antispam or antiphishing filters. There are other, more subtle clues in the email that can give away the attackers. For example, the name and even the format of the attached document don’t match what’s mentioned in the email body. But compared to the picturesque email, these are minor details.

An attachment that imitates HR guidelines

Of course, the attached document doesn’t contain any actual HR guidelines.
What you’ll find is a title page with a small company logo and a prominent “Employee Handbook” header. It also includes a table of contents with items highlighted in red as if to indicate changes, followed by a page with a QR code (as if to access the full document). Finally, there’s a very basic instruction on how to scan QR codes with your phone. The code, of course, leads to a page where the user is asked to enter corporate credentials, which is what the authors of the scheme are after.

Figure: The scammers’ document used as a lure

The document is peppered with phrases designed to convince the victim it’s specifically for them. Even their name is mentioned twice: once in the greeting and again in the line “This letter is intended for…” that precedes the instruction. Oh, and yes, the file name also includes their name. But the first question this document should raise is: what’s the point? Realistically, all this information could have been presented directly in the email without creating a personalized, four-page file. Why would an HR employee go to such lengths and create these seemingly pointless documents for each employee? Honestly, we initially doubted that scammers would bother with such an elaborate setup. But our tools confirm that all the phishing emails in this campaign indeed contain different attachments, each unique to the recipient’s name. We’re likely seeing the work of a new automated mailing mechanism that generates a document and an email image for each recipient… or perhaps just some extremely dedicated phishers.

How to stay safe

A specialized security solution can block most phishing email messages at the corporate mail server. In addition, all devices used by company employees for work, including mobile phones, should also be protected. We also recommend educating employees about modern scam tactics — for example, by sharing resources from our blog — and continually raising their overall cybersecurity awareness.
This can be achieved through platforms like Kaspersky Automated Security Awareness.
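The two traits described in this article, a message body that is nothing but an image and an attachment whose file name carries the recipient's name, can be checked at the mail gateway. The following is an added example, not code from the original article or from any product: the sample messages, the 40-character threshold, the verdict labels and all function names are constructed for illustration.

```python
"""Triage heuristic for the HR-policy lure: image-only body + personalized attachment."""
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser

MIN_TEXT_CHARS = 40  # assumption: fewer visible characters than this means "no real text"


class BodyStats(HTMLParser):
    """Counts <img> tags and visible (non-whitespace) text characters in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = 0
        self.text_chars = 0
        self._skip = 0  # nesting depth inside <style>/<script>, whose text is not visible

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1
        elif tag in ("style", "script"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text_chars += len("".join(data.split()))


def recipient_tokens(msg):
    """Words identifying the recipient: display name plus address local part."""
    display, addr = parseaddr(str(msg["To"] or ""))
    local = addr.split("@")[0]
    parts = re.split(r"[^a-z0-9]+", (display + " " + local).lower())
    return {p for p in parts if len(p) >= 3}


def assess(msg):
    """Return the list of lure traits found in a parsed message."""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        stats = BodyStats()
        stats.feed(body.get_content())
        if stats.images and stats.text_chars < MIN_TEXT_CHARS:
            findings.append("image-only-body")
    names = recipient_tokens(msg)
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if names & set(re.split(r"[^a-z0-9]+", filename)):
            findings.append("personalized-attachment-name")
            break
    return findings


def verdict(findings):
    """Illustrative policy: both traits together are treated as the campaign pattern."""
    return ("deliver", "review", "quarantine")[min(len(findings), 2)]


def build_lure(with_attachment=True):
    """Constructed sample: body is a single inline image, PDF named after the recipient."""
    msg = EmailMessage()
    msg["From"] = "HR <hr@example.com>"
    msg["To"] = "Jane Doe <jane.doe@example.com>"
    msg["Subject"] = "Updated HR policy"
    msg.set_content('<html><body><img src="cid:banner" alt=""></body></html>',
                    subtype="html")
    msg.add_related(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                    maintype="image", subtype="png", cid="<banner>")
    if with_attachment:
        msg.add_attachment(b"%PDF-1.4\n% constructed placeholder\n",
                           maintype="application", subtype="pdf",
                           filename="Employee_Handbook_Jane_Doe.pdf")
    return msg


def build_benign():
    """Constructed sample: real text in the body, a logo image, no attachment."""
    msg = EmailMessage()
    msg["From"] = "HR <hr@example.com>"
    msg["To"] = "Jane Doe <jane.doe@example.com>"
    msg["Subject"] = "Updated HR policy"
    msg.set_content("<html><body><p>Hi all, the updated remote work policy is on "
                    "the intranet under HR &gt; Policies.</p>"
                    '<img src="cid:logo"></body></html>', subtype="html")
    msg.add_related(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                    maintype="image", subtype="png", cid="<logo>")
    return msg


if __name__ == "__main__":
    for label, sample in (("lure", build_lure()), ("benign", build_benign())):
        found = assess(sample)
        print(label, found, verdict(found))
```

Neither trait is conclusive on its own (newsletters are often image-heavy), which is why the sketch only escalates to quarantine when both appear together.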
Security researchers recently revealed that the personal information of millions of people who applied for jobs at McDonald’s was exposed after they guessed the password (“123456”) for the fast food chain’s account at Paradox.ai, a company that makes artificial intelligence based hiring chatbots used by many Fortune 500 firms. Paradox.ai said the security oversight was an isolated incident that did not affect its other customers, but recent security breaches involving its employees in Vietnam tell a more nuanced story.

Figure: A screenshot of the paradox.ai homepage showing its AI hiring chatbot “Olivia” interacting with potential hires.

Earlier this month, security researchers Ian Carroll and Sam Curry wrote about simple methods they found to access the backend of the AI chatbot platform on McHire.com, the McDonald’s website that many of its franchisees use to screen job applicants. As first reported by Wired, the researchers discovered that the weak password used by Paradox exposed 64 million records, including applicants’ names, email addresses and phone numbers. Paradox.ai acknowledged the researchers’ findings but said the company’s other client instances were not affected, and that no sensitive information — such as Social Security numbers — was exposed. “We are confident, based on our records, this test account was not accessed by any third party other than the security researchers,” the company wrote in a July 9 blog post. “It had not been logged into since 2019 and frankly, should have been decommissioned. We want to be very clear that while the researchers may have briefly had access to the system containing all chat interactions (NOT job applications), they only viewed and downloaded five chats in total that had candidate information within. Again, at no point was any data leaked online or made public.” However, a review of stolen password data gathered by multiple breach-tracking services shows that at the end of June 2025, a Paradox.ai administrator in Vietnam suffered a malware compromise on their device that stole usernames and passwords for a variety of internal and third-party online services. The results were not pretty.
The password data from the Paradox.ai developer was stolen by a malware strain known as “Nexus Stealer,” a form grabber and password stealer that is sold on cybercrime forums. The information snarfed by stealers like Nexus is often recovered and indexed by data leak aggregator services like Intelligence X, which reports that the malware on the Paradox.ai developer’s device exposed hundreds of mostly poor and recycled passwords (using the same base password but slightly different characters at the end). Those purloined credentials show the developer in question at one point used the same seven-digit password to log in to Paradox.ai accounts for a number of Fortune 500 firms listed as customers on the company’s website, including Aramark, Lockheed Martin, Lowes, and Pepsi. Seven-character passwords, particularly those consisting entirely of numerals, are highly vulnerable to “brute-force” attacks that can try a large number of possible password combinations in quick succession. According to a much-referenced password strength guide maintained by Hive Systems, modern password-cracking systems can work out a seven number password more or less instantly. Image: hivesystems.com. In response to questions from KrebsOnSecurity, Paradox.ai confirmed that the password data was recently stolen by a malware infection on the personal device of a longtime Paradox developer based in Vietnam, and said the company was made aware of the compromise shortly after it happened. Paradox maintains that few of the exposed passwords were still valid, and that a majority of them were present on the employee’s personal device only because he had migrated the contents of a password manager from an old computer. Paradox also pointed out that it has been requiring single sign-on (SSO) authentication since 2020 that enforces multi-factor authentication for its partners. 
Still, a review of the exposed passwords shows they included the Vietnamese administrator’s credentials to the company’s SSO platform — paradoxai.okta.com. The password for that account ended in 202506 — possibly a reference to the month of June 2025 — and the digital cookie left behind after a successful Okta login with those credentials says it was valid until December 2025. Also exposed were the administrator’s credentials and authentication cookies for an account at Atlassian, a platform made for software development and project management. The expiration date for that authentication token likewise was December 2025. Infostealer infections are among the leading causes of data breaches and ransomware attacks today, and they result in the theft of stored passwords and any credentials the victim types into a browser. Most infostealer malware also will siphon authentication cookies stored on the victim’s device, and depending on how those tokens are configured thieves may be able to use them to bypass login prompts and/or multi-factor authentication. Quite often these infostealer infections will open a backdoor on the victim’s device that allows attackers to access the infected machine remotely. Indeed, it appears that remote access to the Paradox administrator’s compromised device was offered for sale recently. In February 2019, Paradox.ai announced it had successfully completed audits for two fairly comprehensive security standards (ISO 27001 and SOC 2 Type II). Meanwhile, the company’s security disclosure this month says the test account with the atrocious 123456 username and password was last accessed in 2019, but somehow missed in their annual penetration tests. So how did it manage to pass such stringent security audits with these practices in place? Paradox.ai told KrebsOnSecurity that at the time of the 2019 audit, the company’s various contractors were not held to the same security standards the company practices internally. 
Paradox emphasized that this has changed, and that it has updated its security and password requirements multiple times since then. It is unclear how the Paradox developer in Vietnam infected his computer with malware, but a closer review finds a Windows device for another Paradox.ai employee from Vietnam was compromised by similar data-stealing malware at the end of 2024 (that compromise included the victim’s GitHub credentials). In the case of both employees, the stolen credential data includes Web browser logs that indicate the victims repeatedly downloaded pirated movies and television shows, which are often bundled with malware disguised as a video codec needed to view the pirated content.
Four flaws in the basic software for Gigabyte motherboards could allow persistent implants, underscoring problems in the ways firmware is developed and updated.
Researchers discovered a novel phishing attack that serves the victim a QR code as part of supposed multifactor authentication (MFA), in order to get around FIDO-based protections.
Eighteen members of Russia's GRU have been sanctioned by the British government for various operations, including military strikes that killed hundreds of civilians in Ukraine.
A top official did not disclose details of UNC3886’s activity but said “it is serious and it’s ongoing … and we will assess whether it is in our interest to disclose more details later.”
Victims of Phobos ransomware and its 8Base offshoot now have access to a decryptor released by Japanese law enforcement and backed by the FBI and European officials.
Cybersecurity researchers have disclosed a critical container escape vulnerability in the NVIDIA Container Toolkit that could pose a severe threat to managed AI cloud services. The vulnerability, tracked as CVE-2025-23266, carries a CVSS score of 9.0 out of 10.0. It has been codenamed NVIDIAScape by Google-owned cloud security company Wiz. "NVIDIA Container Toolkit for all platforms contains a
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a phishing campaign that's designed to deliver a malware codenamed LAMEHUG. "An obvious feature of LAMEHUG is the use of LLM (large language model), used to generate commands based on their textual representation (description)," CERT-UA said in a Thursday advisory. The activity has been attributed with medium
Google on Thursday revealed it's pursuing legal action in New York federal court against 25 unnamed individuals or entities in China for allegedly operating BADBOX 2.0 botnet and residential proxy infrastructure. "The BADBOX 2.0 botnet compromised over 10 million uncertified devices running Android's open-source software (Android Open Source Project), which lacks Google's security protections,"
With IT outages and disruptions escalating, IT teams are shifting their focus beyond simply backing up data to maintaining operations during an incident. One of the key drivers behind this shift is the growing threat of ransomware, which continues to evolve in both frequency and complexity. Ransomware-as-a-Service (RaaS) platforms have made it possible for even inexperienced threat actors with
Cybersecurity researchers have shed light on a mobile forensics tool called Massistant that's used by law enforcement authorities in China to gather information from seized mobile devices. The hacking tool, believed to be a successor of MFSocket, is developed by a Chinese company named SDIC Intelligence Xiamen Information Co., Ltd., which was formerly known as Meiya Pico. It specializes in the
Multiple sectors in China, Hong Kong, and Pakistan have become the target of a threat activity cluster tracked as UNG0002 (aka Unknown Group 0002) as part of a broader cyber espionage campaign. "This threat entity demonstrates a strong preference for using shortcut files (LNK), VBScript, and post-exploitation tools such as Cobalt Strike and Metasploit, while consistently deploying CV-themed
Cybersecurity researchers have disclosed details of a new malware called MDifyLoader that has been observed in conjunction with cyber attacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances. According to a report published by JPCERT/CC today, the threat actors behind the exploitation of CVE-2025-0282 and CVE-2025-22457 in intrusions observed between December 2024 and July
Source: hackread.com – Author: Waqas. TeleMessage SGNL, a made-in-Israel clone of the Signal app used by US government agencies and regulated businesses, has been found running with an outdated configuration that exposes sensitive internal data to the internet, no login required. The main cause of the problem is how some deployments of TeleMessage SGNL are […] The post New TeleMessage SGNL Flaw Is Actively Being Exploited by Attackers – Source: hackread.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: hackread.com – Author: Waqas. “While scanning the web for exposed databases, cybersecurity researcher Jeremiah Fowler discovered a massive set of unprotected records linked to the Gladney Center for Adoption, left online without a password, without encryption, and accessible to anyone.” The database, containing 2.49 gigabytes and holding more than 1.1 million records, included deeply […] The post Massive Data Leak at Texas Adoption Agency Exposes 1.1 Million Records – Source: hackread.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: hackread.com – Author: Waqas. In a coordinated operation this week, law enforcement from a dozen countries gathered together in an attempt to dismantle the infrastructure of the pro-Russian hacking group known as NoName057(16). The operation, named Eastwood, was led by Europol and Eurojust and included action across Europe and North America. NoName057(16) has been […] The post Police Shut Down 100 Servers Tied to Russian NoName057(16), Arrest 2 – Source: hackread.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: hackread.com – Author: Waqas. A newly identified Malware-as-a-Service (MaaS) operation is using GitHub repositories to spread a mix of infostealer families. This campaign was spotted by cybersecurity researchers at Cisco Talos, who published their findings earlier today, detailing how the threat actors behind this activity are using the Amadey bot to pull malware directly […] The post GitHub Abused to Spread Amadey, Lumma and Redline InfoStealers in Ukraine – Source: hackread.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: hackread.com – Author: Deeba Ahmed. A sophisticated Chinese APT group, Salt Typhoon, successfully infiltrated the US state’s Army National Guard network for nearly a year, from March 2024 to December 2024. This breach, detailed in a Department of Homeland Security (DHS) memo from June, While this raises concerns about the security of the US […] The post Chinese Salt Typhoon Infiltrated US National Guard Network for Months – Source: hackread.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: thehackernews.com – Author: . Threat actors are leveraging public GitHub repositories to host malicious payloads and distribute them via Amadey as part of a campaign observed in April 2025. “The MaaS [malware-as-a-service] operators used fake GitHub accounts to host payloads, tools, and Amadey plug-ins, likely as an attempt to bypass web filtering and for […] The post Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters – Source: thehackernews.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: thehackernews.com – Author: . Cybersecurity researchers have discovered a new campaign that exploits a known security flaw impacting Apache HTTP Server to deliver a cryptocurrency miner called Linuxsys. The vulnerability in question is CVE-2021-41773 (CVSS score: 7.5), a high-severity path traversal vulnerability in Apache HTTP Server version 2.4.49 that could result in remote code […] The post Hackers Exploit Apache HTTP Server Flaw to Deploy Linuxsys Cryptocurrency Miner – Source: thehackernews.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: thehackernews.com – Author: . An international operation coordinated by Europol has disrupted the infrastructure of a pro-Russian hacktivist group known as NoName057(16) that has been linked to a string of distributed denial-of-service (DDoS) attacks against Ukraine and its allies. The actions have led to the dismantling of a major part of the group’s central […] The post Europol Disrupts NoName057(16) Hacktivist Group Linked to DDoS Attacks Against Ukraine – Source: thehackernews.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: thehackernews.com – Author: . The modern-day threat landscape requires enterprise security teams to think and act beyond traditional cybersecurity measures that are purely passive and reactive, and in most cases, ineffective against emerging threats and sophisticated threat actors. Prioritizing cybersecurity means implementing more proactive, adaptive, and actionable measures that can work together to effectively […] The post CTEM vs ASM vs Vulnerability Management: What Security Leaders Need to Know in 2025 – Source: thehackernews.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.lastwatchdog.com – Author: cybernewswire. Palo Alto, Calif., July 17, 2025, CyberNewswire — SquareX announced the official launch of The Browser Security Field Manual at Black Hat USA 2025. In addition to a comprehensive practical guide to the latest TTPs attackers are using to target employees in the browser, this comprehensive manual features industry perspectives […] The post News Alert: SquareX, Fortune 500 CISOs to debut browser security guide at Black Hat USA 2025 – Source: www.lastwatchdog.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: krebsonsecurity.com – Author: BrianKrebs. Security researchers recently revealed that the personal information of millions of people who applied for jobs at McDonald’s was exposed after they guessed the password (“123456”) for the fast food chain’s account at Paradox.ai, a company that makes artificial intelligence based hiring chatbots used by many Fortune 500 firms. Paradox.ai […] The post Poor Passwords Tattle on AI Hiring Bot Maker Paradox.ai – Source: krebsonsecurity.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: grahamcluley.com – Author: Graham Cluley. In episode 426 of the “Smashing Security” podcast, Graham reveals how you can hijack a train’s brakes from 150 miles away using kit cheaper than a second-hand PlayStation. Meanwhile, Carole investigates how Grok went berserk, which didn’t stop the Department of Defense signing a contract with […] The post Smashing Security podcast #426: Choo Choo Choose to ignore the vulnerability – Source: grahamcluley.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: Nate Nelson, Contributing Writer. The post 4 Chinese APTs Attack Taiwan’s Semiconductor Industry – Source: www.darkreading.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: Alexander Culafi. The post Cisco Discloses ’10’ Flaw in ISE, ISE-PIC — Patch Now – Source: www.darkreading.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: Tara Seals. The post Printer Security Gaps: A Broad, Leafy Avenue to Compromise – Source: www.darkreading.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: Kristina Beek. The post Armenian Extradited to US Over Ryuk Ransomware – Source: www.darkreading.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: Chester Moyer. The post Why Cybersecurity Still Matters for America’s Schools – Source: www.darkreading.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: securityboulevard.com – Author: Jeffrey Burt. Threat actors are using anti-box tools, AI, and cloaking-as-a-service tactics to bypass security tools by showing a phishing or other malicious site to targets and harmless ones to detection and blocking tools, techniques that SlashNext researchers say are reshaping how such scams are run. The post Emerging Cloaking-as-a-Service Offerings are Changing Phishing Landscape – Source: securityboulevard.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: securityboulevard.com – Author: Michael Vizard. 1Password this week announced it has added a Model Context Protocol (MCP) server to the Trelica governance platform for software-as-a-service (SaaS) applications it acquired earlier this year. In addition, the MCP Server for Trelica by 1Password is also being made available on the Amazon Web Services (AWS) Marketplace for […] The post 1Password Adds MCP Server to Trelica Governance Platform – Source: securityboulevard.com first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
SWE’s free precollege program includes a host of resources to support students in their exploration of the world of STEM and the opportunities available to them. The post SWENext Empowers and Celebrates the STEM Journey of Precollege Kids first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.
Read about the impactful virtual event hosted by SWE Africa, where dozens of voices collaborated to help increase gender equality. The post SWE Africa’s International Women’s Day Celebration: Accelerate Action first appeared on CISO2CISO.COM & CYBER SECURITY GROUP.