Cyber security aggregate rss news

Cyber security aggregator - feeds history


 Cyber News

California Attorney General Rob Bonta has announced a $530,000 Sling TV privacy fine against Sling TV LLC and Dish Media Sales LLC, marking the first enforcement action from the California Department of Justice's (DOJ) 2024 sweep of streaming services for compliance with the California Consumer Privacy Act (CCPA). The fine resolves allegations that the U.S.-based streaming service failed to make it easy for users to opt out of the sale of their personal data and did not provide adequate privacy protections for children. The company is also required to implement significant changes to how it handles user data and privacy requests.

Privacy Rights and Enforcement

The CCPA grants Californians several privacy rights, including the right to know what data companies collect, to request deletion of personal information, and to opt out of the sale of their data. According to Attorney General Bonta, Sling TV violated these rights by creating confusing and burdensome procedures for consumers attempting to exercise their opt-out options. "Californians have critical privacy rights," said Attorney General Bonta. "We take privacy rights seriously, and Sling TV was not providing consumers an easy way to opt out of the sale of their personal data as required. My office is committed to the continued enforcement of the CCPA — every Californian has the right to their online privacy, especially in the comfort of their living room."

How Sling TV Fell Short

Sling TV operates as an internet-based live TV service offering both paid and ad-supported options. Unlike traditional broadcasting, Sling uses viewer data such as age, gender, location, and income to deliver targeted advertisements. The DOJ's investigation found that the platform's privacy settings and opt-out mechanisms were difficult to navigate and ineffective. Consumers seeking to opt out of data sales were directed to cookie preference settings, which did not actually prevent their information from being sold or shared. Even logged-in users, whose details were already known to Sling TV, had to complete lengthy web forms to process their requests. The company also lacked built-in opt-out options in the streaming apps used on living room devices such as smart TVs.

Additionally, Sling TV failed to provide appropriate protections for minors. It did not offer dedicated kids' profiles that would limit targeted advertising, nor did it require parental consent when users under 16 were likely watching.

Terms of the Sling TV Privacy Fine Settlement

Under the settlement, which is subject to court approval, Sling TV must make several key changes:
- Simplify the opt-out process: consumers can no longer be directed to cookie settings when attempting to exercise CCPA rights.
- Reduce redundant steps: logged-in users will not be required to provide information already available to the company.
- Expand accessibility: the opt-out feature must be available directly through Sling TV's app across different devices.
- Enhance child protections: parents will be able to set up "kid's profiles" that automatically block targeted advertising and data sales.
- Improve disclosures: the company must give parents clear information and tools to safeguard their children's privacy.

Broader CCPA Enforcement Efforts

The Sling TV privacy fine marks the fifth major settlement under California's privacy law since it took effect. Earlier cases include Healthline Media ($1.55 million), Tilting Point Media ($500,000), DoorDash, and Sephora — all for violations related to consumer data and opt-out requirements. Attorney General Bonta's office has conducted multiple investigations across mobile apps, data brokers, and streaming platforms to ensure compliance with the state's privacy law. The Attorney General emphasized that enforcing privacy rights remains a priority as Californians increasingly rely on connected devices and streaming services.


 Cyber News

The Philippine National Police (PNP) stated on Monday that it is actively monitoring its online platforms and reinforcing defenses against potential cyberattacks. The announcement follows a warning from the Department of Information and Communications Technology (DICT) regarding possible Distributed Denial of Service (DDoS) attacks planned for November 5 and targeting various websites and networks.

A DDoS attack occurs when malicious actors flood a website with traffic, causing it to slow, stagger, or crash. The DICT's advisory is part of its efforts to urge government agencies and the public alike to remain vigilant. According to the DICT, the impending threat is not a data breach, meaning no financial accounts or personal data are expected to be stolen, but the disruption from an attack could still hamper online services.

PNP Secures Critical Digital Systems

PNP acting chief Jose Melencio Nartatez Jr. confirmed that the police force's various units are collaborating with the DICT to bolster firewall defenses and check the integrity of both hardware and software systems. "We have different systems and in fact, we've been victims of that cyberattack, our data was compromised, especially in logistics, the firearms, and others. And we are continuously protecting that," Nartatez told reporters during a press briefing held at Camp Crame in Quezon City. He added: "To protect our system we carry out various activities, like ensuring the firewall, ensuring the integrity of hardware, and even software."

He further emphasized that the PNP is not only protecting technological infrastructure but also ensuring that the personnel who manage sensitive data are held to high standards of integrity. "Even our people who use these systems, whether they are the administrator or recipient of this data. So, there has to be integrity there," he said.

Among the digital systems under intense protection is the PNP's e-Warrant platform, a nationwide database of arrest warrants that allows officers to verify and act on cases in real time. Nartatez also mentioned the protection of the Situation Report and Incident Recording System (SIRAS), as well as the databases on firearms, explosives, and internal disciplinary cases under the Internal Disciplinary Mechanism Information System (INVIS). He stressed that these interconnected systems "hold critical and sensitive data essential to police operations."

Public and Agencies Urged to Stay Vigilant

The DICT's warning, issued in advance of November 5, highlighted the date's significance for cyber actors. According to Cybercrime Investigation and Coordinating Center (CICC) Acting Executive Director Renato Paraiso, November 5 is a global protest day widely used by hacktivists. "It's a very significant date, especially when it comes to the hacking community. It's the fifth of November, which is a global symbol for protest, global day of protest," Paraiso said. He explained that many hackers adopt a cause for their activism each year; this time, the controversy surrounding flood control may be the trigger for potential website defacements or DDoS attacks.

Paraiso urged all government agencies to prepare for possible digital breaches and encouraged the public to report any suspicious online activity, particularly service slowdowns or malfunctioning websites. "If they see or sense that something is not right or not working in a government service on the digital side or on their websites, they should report it to the DICT and the CICC hotline 1326," he advised.

For its part, the PNP remains on high alert. Bernard R. Yang, Acting Director of the PNP Anti-Cybercrime Group (PNP-ACG), confirmed the organization's readiness: "The PNP is in fact prepared for any possible cyberattack. We keep on reminding our units and personnel to always secure the different systems of the PNP," Yang said.

Meanwhile, Nartatez reaffirmed that, even absent a specific DICT warning, the PNP maintains constant vigilance in protecting its digital infrastructure.


 Cyber News

Hacktivist attacks on critical infrastructure doubled over the course of the third quarter, according to a new Cyble report. Hacktivist attacks on industrial control systems (ICS) grew throughout the quarter and made up 25% of all hacktivist attacks by September, Cyble wrote in a blog post. "If that trend continues, it would represent a near-doubling of attacks on industrial control systems (ICS) from the second quarter of 2025," Cyble said. The report follows a Canadian Centre for Cyber Security warning last week that hacktivists are targeting critical infrastructure in that country.

Hacktivist Attacks on Critical Infrastructure Led by Russia-linked Groups

Cyble said DDoS attacks and website defacements still account for most hacktivist activity, but the ideologically motivated threat groups are increasingly turning their focus toward ICS attacks, data breaches, unauthorized access, and ransomware. Z-Pentest has been the leading hacktivist group targeting ICS infrastructure, but it has been joined by Dark Engine (also known as the Infrastructure Destruction Squad), Golden Falcon Team, INTEID, S4uD1Pwnz, and Sector 16. "Russia-aligned hacktivist groups INTEID, Dark Engine, Sector 16, and Z-Pentest were responsible for the majority of recent ICS attacks, primarily targeting Energy & Utilities, Manufacturing, and Agriculture sectors across Europe," Cyble said. "Their campaigns focused on disrupting industrial and critical infrastructure in Ukraine, EU and NATO member states."

Among Z-Pentest's targets in the third quarter were a water utility HMI system in the U.S. and an agricultural biotechnology SCADA system in Taiwan. The group frequently posts videos of its members tampering with ICS controls, and may have been one of the groups the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was referring to in a warning about critical infrastructure tampering attacks earlier this year.

Most Active Hacktivist Groups

NoName057(16) remains the most active hacktivist group despite attempts by law enforcement to disrupt its operations, Cyble said. Z-Pentest and Hezi Rash increased their share of attacks in the third quarter, the threat intelligence company said. Special Forces of the Electronic Army, Jokeir_07x and BL4CK CYB3R all lost ground in the quarter, while newcomers such as Red Wolf Cyber Team and INTEID increased their share of hacktivist activity.

One of the more noteworthy incidents in the quarter involved the Belarusian group Cyber Partisans BY, which joined with Silent Crow to claim a cyberattack on Russian state airline Aeroflot. The attackers disrupted key systems, exfiltrated more than 22 TB of data, and claimed to have destroyed about 7,000 servers, Cyble said. In another noteworthy hacktivist attack, the Ukrainian Cyber Alliance and BO Team claimed a breach of a Russian manufacturer involved in military drone production, stealing engineering blueprints, VMware snapshots, storage mappings, and CCTV footage from UAV assembly facilities. The groups said they wiped servers, backups, and cloud environments after exfiltrating the data.

Hacktivism and Geopolitical Conflict

Geopolitical conflict "remains a primary motive in hacktivist campaigns," Cyble said. The Thailand–Cambodia border conflict, the India–Pakistan and India–Bangladesh rivalries, Middle East conflicts (including the Israel–Hamas war and the Israel–Iran and Houthi–Saudi Arabian conflicts), the Russia–Ukraine war and domestic unrest in the Philippines were some of the major conflicts driving hacktivism across the globe. Ukraine was the leading target of hacktivist campaigns in the third quarter, Cyble said (chart below).

Figure: Most attacked countries by hacktivist groups (Cyble)

"The growing sophistication of the leading hacktivist groups is by now an established trend and will likely continue to spread to other groups over time," Cyble said. "That means that exposed environments in critical sectors can expect further compromise by hacktivist groups, advanced persistent threats (APTs), and others known to target critical infrastructure."


 Firewall Daily

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a serious warning after confirming that a critical flaw in the Linux kernel, tracked as CVE-2024-1086, is being actively exploited in ongoing ransomware attacks targeting Linux systems worldwide.

CVE-2024-1086 is a use-after-free vulnerability in the Linux kernel's netfilter nf_tables component. The nft_verdict_init() function allows positive values to be used as the drop error inside a hook verdict, so when NF_DROP is issued with a drop error that resembles NF_ACCEPT, nf_hook_slow() can free the same packet buffer twice (a double free). Although the faulty code originated in a commit from February 2014, the vulnerability was not publicly disclosed until January 31, 2024; the fixing patch was submitted the same month.

Scope and Impact of CVE-2024-1086

The flaw affects upstream kernel versions from 3.15 up to 6.8-rc1, so a wide range of major Linux distributions shipped vulnerable kernels. Impacted builds listed include:
- Ubuntu: 18.04, 20.04, 22.04, and 23.10
- Red Hat Enterprise Linux (RHEL): RHEL 7 kernel 3.10.0-1062.4.1.el7, RHEL 8 kernel 4.18.0-147.el8, RHEL 9 kernel 5.14.0-362.24.2.el9_3
- Debian: kernel version 6.1.76-1

Exploitation allows an attacker who already has local access to escalate privileges to root, granting full control of the compromised system. With root access, threat actors can disable security protections, install malware, move laterally within the network, steal data, and deploy ransomware payloads.

Ransomware Connection and Agency Action

CISA has now confirmed that CVE-2024-1086 is being used in ransomware attacks. The vulnerability was added to the agency's Known Exploited Vulnerabilities (KEV) catalog on May 30, 2024, with federal agencies ordered to apply patches or mitigations no later than June 20, 2024. In its statement, CISA described the flaw as a "frequent attack vector for malicious cyber actors," emphasizing the risk it poses to government and enterprise networks alike. Agencies and organizations are instructed to follow vendor guidance for patching, or to discontinue use of affected products if no fixes are available.

Exploit Availability and Threat Landscape

In late March 2024, a security researcher using the alias Notselwyn released a detailed write-up and a proof-of-concept (PoC) exploit for CVE-2024-1086. The PoC demonstrated local privilege escalation on kernel versions from 5.14 to 6.6. According to security researchers, the exploit has proven highly reliable, with success rates exceeding 99% in some tests. Public exploit code, combined with confirmed use in ransomware operations, significantly increases the risk of widespread attacks.

Mitigation and Recommended Actions

System administrators are advised to verify immediately whether their Linux installations are affected. Running uname -r reveals the kernel version in use; if it falls between 3.15 and 6.8-rc1, the system may be vulnerable. Note that distribution kernels carry backported fixes without changing the upstream version string, so the version alone neither confirms nor rules out exposure: check the vendor advisory or the installed kernel package's changelog for the CVE-2024-1086 fix.

To protect against exploitation:
- Update to Linux kernel 6.8-rc2 or later, or apply vendor-provided patches.
- Blocklist the nf_tables module if it is not required.
- Restrict access to user namespaces to minimize the attack surface.
- Consider loading the Linux Kernel Runtime Guard (LKRG) module to add runtime protection, bearing in mind that it may affect system stability.
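The manual check above (run uname -r, compare against 3.15 to 6.8-rc1) is easy to get wrong on distribution kernels, whose version strings do not move when a fix is backported. The script below is an added example, not code from the CISA advisory, the article or any vendor. It encodes the affected range the article gives, handles the -rc suffix so that 6.8-rc1 counts as affected and 6.8-rc2 does not, and, when run on a Linux host, reads /proc/modules and the two user-namespace sysctls to report whether the recommended attack-surface reductions are in place. The sysctl names (user.max_user_namespaces upstream, kernel.unprivileged_userns_clone on Debian/Ubuntu) and the modprobe "install" idiom are standard; the check structure is my assumption about how to automate the article's advice.

```python
"""Triage helper for CVE-2024-1086 (Linux nf_tables use-after-free).

Added example, not part of the article or of any vendor tooling. It
encodes the affected range the article gives (3.15 up to 6.8-rc1, fixed
in 6.8-rc2), checks whether nf_tables is loaded and whether unprivileged
user namespaces are restricted, and lists recommended actions.
Assumptions: the sysctl names (user.max_user_namespaces upstream,
kernel.unprivileged_userns_clone on Debian/Ubuntu) and the modprobe
'install' idiom for blocking a module.
"""
import os
import re

FIRST_AFFECTED = (3, 15)   # nf_tables gained the buggy verdict code in 2014
FIXED_RELEASE = (6, 8)     # 6.8-rc2 carries the fix ...
FIXED_RC = 2               # ... 6.8-rc1 does not

_REL_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_uname_r(release):
    """(major, minor, rc) from a uname -r string such as '6.5.0-41-generic',
    '5.14.0-362.24.2.el9_3.x86_64' or '6.8.0-rc1'; rc is None for finals."""
    m = _REL_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor, _patch, rc = m.groups()
    return int(major), int(minor), (int(rc) if rc else None)


def upstream_version_affected(release):
    """Upstream-range check only. Distributions backport fixes without
    changing the version string (and RHEL 7's 3.10 kernel is listed above
    although 3.10 predates the bug upstream), so True means 'consult the
    vendor advisory or package changelog', not 'confirmed vulnerable'."""
    major, minor, rc = parse_uname_r(release)
    ver = (major, minor)
    if ver < FIRST_AFFECTED:
        return False
    if ver < FIXED_RELEASE:
        return True
    return ver == FIXED_RELEASE and rc is not None and rc < FIXED_RC


def nf_tables_loaded(proc_modules_text):
    """True if nf_tables appears in /proc/modules (module name is column 1).
    A kernel with nf_tables built in (=y) will not show it here, and a
    modprobe blocklist cannot remove built-in code."""
    return any(line.split(" ", 1)[0] == "nf_tables"
               for line in proc_modules_text.splitlines())


def unprivileged_userns_restricted(max_user_ns, userns_clone):
    """Either knob at 0 removes the unprivileged user-namespace route the
    public exploit relies on. Arguments are raw sysctl file contents;
    None means the knob does not exist on this kernel."""
    def is_zero(value):
        return value is not None and value.strip() == "0"
    return is_zero(max_user_ns) or is_zero(userns_clone)


def assess(release, proc_modules_text, max_user_ns, userns_clone):
    """Combine the checks into a result dict with recommended actions."""
    affected = upstream_version_affected(release)
    loaded = nf_tables_loaded(proc_modules_text)
    restricted = unprivileged_userns_restricted(max_user_ns, userns_clone)
    actions = []
    if affected:
        actions.append("apply the vendor kernel update (or 6.8-rc2+); confirm "
                       "the fix via the package changelog, not uname -r")
        if loaded:
            actions.append("if nf_tables is unused: add 'install nf_tables "
                           "/bin/false' under /etc/modprobe.d and reboot")
        if not restricted:
            actions.append("set user.max_user_namespaces=0 (breaks rootless "
                           "containers and Flatpak; weigh that cost)")
    return {"release": release, "upstream_affected": affected,
            "nf_tables_loaded": loaded, "userns_restricted": restricted,
            "actions": actions}


def _read(path):
    """Contents of a /proc or /proc/sys file, or None when it is absent."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    release = os.uname().release if hasattr(os, "uname") else "0.0.0"
    result = assess(release, _read("/proc/modules") or "",
                    _read("/proc/sys/user/max_user_namespaces"),
                    _read("/proc/sys/kernel/unprivileged_userns_clone"))
    for key, value in result.items():
        print("%-18s %s" % (key + ":", value))
```

Run it as root or as an ordinary user; the /proc reads need no privilege. Treat "upstream_affected: True" as a prompt to check the vendor advisory, and remember that disabling user namespaces system-wide is a blunt instrument that breaks anything relying on rootless sandboxing.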


 Firewall Daily

Cyble Research and Intelligence Labs (CRIL) has uncovered a cyber-espionage operation that used a weaponized ZIP archive to infiltrate defense-sector systems. The malicious file, disguised as a Belarusian military document titled "ТЛГ на убытие на переподготовку.pdf" ("TLG for departure for retraining.pdf"), delivered an advanced backdoor capable of establishing covert access through SSH and Tor.

The campaign leveraged the Belarusian military theme to deceive personnel linked to Special Operations Command and those specializing in UAV or drone operations. CRIL's findings suggest the attack aimed to gather intelligence about the region's unmanned aerial capabilities, or possibly to mask the attacker's true identity through a false-flag narrative.

This operation builds on methods first observed in the December 2024 "Army+" campaign, previously attributed to the Sandworm group (APT44/UAC-0125). The October 2025 version shows notable technical evolution, employing improved obfuscation, operational security, and anonymization measures.

Infection Chain and Anti-Detection Measures

The malicious ZIP archive was constructed to evade both human suspicion and automated detection. Inside it, the victim would find an LNK shortcut masquerading as a PDF file and a hidden folder named "FOUND.000" containing another compressed file, persistentHandlerHashingEncodingScalable.zip. When executed, the LNK shortcut launched an obfuscated PowerShell script instead of opening a legitimate document.

The PowerShell payload extracted files to the %APPDATA%\logicpro directory and ran additional code that maintained stealth through obfuscation and environmental awareness. Before executing, it checked that the infected system contained at least ten recent shortcut files and fifty or more running processes, conditions typical of real user environments but not of sandboxes. If these checks failed, the script terminated, bypassing automated malware analysis systems. While the decoy PDF was opened to distract the victim, the malware silently installed persistent services in the background.

Scheduled Tasks, Persistence, and Backdoor Setup

Persistence was achieved through scheduled tasks created from XML templates extracted from the ZIP archive. Two tasks were registered: one to deploy OpenSSH for Windows (renamed githubdesktop.exe) and another to run a modified Tor client (renamed pinterest.exe).

The OpenSSH binary established a local SSH service on port 20321 using only RSA key-based authentication, with password authentication disabled entirely. The authorized keys and configuration files were stored in hidden directories under AppData\Roaming\logicpro. In parallel, the Tor service created a hidden .onion address and forwarded several critical ports:
- SSH: 20322 → 127.0.0.1:20321
- SMB: 11435 → 127.0.0.1:445
- RDP: 13893 → 127.0.0.1:3389

To conceal traffic, the malware used the obfs4 pluggable transport, which makes Tor traffic harder to fingerprint on the wire. Two bridge relays, 77.20.116.133:8080 and 156.67.24.239:33333, served as entry points into the Tor network.

Once connected, the malware generated a unique .onion hostname and sent it to the attacker's command-and-control server via a curl command routed through the Tor SOCKS5 proxy. The command used 1,000 retries with three-second intervals to ensure delivery. This gave the attacker continuous, anonymous access to the compromised host.

Attribution, Impact, and Defensive Measures

CRIL's analysis confirmed that the backdoor allowed full remote access through SSH, RDP, SFTP, and SMB channels, all tunneled through Tor for anonymity. Analysts verified the backdoor's functionality by establishing a controlled SSH session using the embedded RSA keys and proxy configuration. No secondary payloads or lateral movement were detected, suggesting the attackers were in the reconnaissance phase.

The October 2025 sample closely resembles techniques used in the December 2024 Army+ campaign attributed to Sandworm (APT44). The overlap includes double-extension lures, scheduled-task persistence, and the combination of OpenSSH and Tor for covert tunneling. Sandworm, associated with Russia's GRU Unit 74455, has a long history of targeting Ukraine's infrastructure, including the BlackEnergy attacks in 2015, the NotPetya outbreak in 2017, and a 2023 breach of Kyivstar.

Despite these similarities, CRIL maintains only moderate confidence in linking this operation directly to Sandworm. The Belarusian military focus could reflect either an intelligence-gathering mission or a deliberate misdirection tactic.

To mitigate such threats, CRIL recommends that defense organizations:
- Strengthen email filtering to detect nested or double-extension ZIP archives.
- Train personnel to verify document authenticity through secondary channels.
- Deploy behavioral endpoint detection capable of flagging suspicious PowerShell activity and unauthorized scheduled tasks.
- Block or monitor Tor and obfs4 traffic at the network level.
- Audit SSH key usage and identify any OpenSSH instances running on non-standard ports.
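The persistence chain described above (scheduled tasks launching a renamed sshd and a renamed Tor client from the user's AppData tree, sshd on a non-standard port with key-only authentication, and a hidden service forwarding SSH, SMB and RDP through obfs4 bridges) and the last three recommendations both come down to the same question for a responder: given the artifacts pulled off a suspect host, which ones are worth an alert? The script below is an added example, not code from the Cyble report or from any vendor. It parses three such artifacts, an exported Scheduled Task XML, an sshd_config and a torrc, and returns structured findings. The sample artifacts are constructed from the indicators the report states; the task name, the file paths, the bridge fingerprints and the assumption that the Tor client was configured through a plain torrc are mine, not recovered files.

```python
"""Artifact triage for the OpenSSH-over-Tor backdoor pattern described above.

Added example, not code from the Cyble report or from any vendor. It parses
an exported Scheduled Task XML, an sshd_config and a torrc and returns
findings matching the recommendations above. The samples are constructed
from the indicators the report states; task name, paths, fingerprints and
the plain-torrc layout are assumptions, not recovered files.
"""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SENSITIVE_LOCAL_PORTS = {22: "ssh", 445: "smb", 3389: "rdp"}

# ---- constructed samples (assumed layout, not recovered files) ----------
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\logicpro\sync</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\u\AppData\Roaming\logicpro\githubdesktop.exe</Command>
    <Arguments>-f C:\Users\u\AppData\Roaming\logicpro\sshd_config</Arguments>
  </Exec></Actions>
</Task>"""
SAMPLE_SSHD_CONFIG = r"""Port 20321
PasswordAuthentication no
AuthorizedKeysFile C:\Users\u\AppData\Roaming\logicpro\authorized_keys
"""
SAMPLE_TORRC = r"""UseBridges 1
Bridge obfs4 77.20.116.133:8080 0000000000000000000000000000000000000000 cert=AAAA iat-mode=0
Bridge obfs4 156.67.24.239:33333 0000000000000000000000000000000000000000 cert=BBBB iat-mode=0
HiddenServiceDir C:\Users\u\AppData\Roaming\logicpro\hs
HiddenServicePort 20322 127.0.0.1:20321
HiddenServicePort 11435 127.0.0.1:445
HiddenServicePort 13893 127.0.0.1:3389
"""

_BRIDGE_RE = re.compile(r"^Bridge\s+(?:(\S+)\s+)?(\d{1,3}(?:\.\d{1,3}){3}:\d+)", re.I)
_HSPORT_RE = re.compile(r"^HiddenServicePort\s+(\d+)(?:\s+([^\s:]+):(\d+))?", re.I)


def _user_writable(path):
    """Heuristic: the binary lives in a per-user AppData tree, where no
    legitimate service binary belongs."""
    p = path.lower()
    return "\\appdata\\" in p or "%appdata%" in p or "%localappdata%" in p


def task_findings(task_xml):
    """Flag Exec actions whose binary sits in a user-writable location.
    Real exports are UTF-16 files: read them as bytes and pass the bytes
    to ET.fromstring so the XML declaration is honoured."""
    root = ET.fromstring(task_xml)
    uri = root.findtext(NS + "RegistrationInfo/" + NS + "URI") or "<unknown>"
    out = []
    for ex in root.iter(NS + "Exec"):
        cmd = (ex.findtext(NS + "Command") or "").strip()
        if _user_writable(cmd):
            out.append({"type": "task_exec_in_appdata", "task": uri, "command": cmd,
                        "arguments": (ex.findtext(NS + "Arguments") or "").strip()})
    return out


def parse_sshd_config(text):
    """Keyword -> first value (sshd honours the first occurrence); '=' or
    whitespace separators; comments dropped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        cfg.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return cfg


def sshd_findings(text):
    """Non-standard port, and authorized_keys outside the two Win32-OpenSSH
    defaults (%USERPROFILE%\\.ssh\\authorized_keys and
    __PROGRAMDATA__/ssh/administrators_authorized_keys)."""
    cfg = parse_sshd_config(text)
    out = []
    port = int(cfg.get("port", "22"))
    if port != 22:
        out.append({"type": "sshd_nonstandard_port", "port": port})
    akf = cfg.get("authorizedkeysfile", "")
    norm = akf.replace("/", "\\").lower()
    if akf and not norm.endswith(("\\.ssh\\authorized_keys",
                                  "\\ssh\\administrators_authorized_keys")):
        out.append({"type": "sshd_custom_authorized_keys", "path": akf})
    return out


def torrc_findings(text, sshd_port=None):
    """Bridge endpoints (to block at the perimeter) and hidden-service forwards
    (what the .onion exposes). A forward onto the sshd port found in
    sshd_config is labelled ssh even though it is not 22."""
    out = []
    for line in text.splitlines():
        m = _BRIDGE_RE.match(line.strip())
        if m:
            out.append({"type": "tor_bridge", "transport": m.group(1) or "vanilla",
                        "endpoint": m.group(2)})
            continue
        m = _HSPORT_RE.match(line.strip())
        if m:
            virt = int(m.group(1))
            host = m.group(2) or "127.0.0.1"
            target = int(m.group(3)) if m.group(3) else virt
            exposes = SENSITIVE_LOCAL_PORTS.get(target)
            if exposes is None and target == sshd_port:
                exposes = "ssh"
            out.append({"type": "tor_hidden_service_forward", "virtual_port": virt,
                        "target": "%s:%d" % (host, target), "exposes": exposes})
    return out


def hunt(task_xml, sshd_config, torrc):
    """Correlate the three artifacts into one list of findings."""
    findings = task_findings(task_xml) + sshd_findings(sshd_config)
    sshd_port = next((f["port"] for f in findings
                      if f["type"] == "sshd_nonstandard_port"), 22)
    return findings + torrc_findings(torrc, sshd_port=sshd_port)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_TASK_XML, SAMPLE_SSHD_CONFIG, SAMPLE_TORRC):
        print(finding)
```

The file name in the task action (githubdesktop.exe) proves nothing on its own; the signal is a service binary under AppData, started with a private sshd_config, so follow up by checking the file's version resource and signature rather than trusting the name. The bridge endpoints the torrc parser returns are what the "block or monitor Tor and obfs4 traffic" recommendation needs at the perimeter.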


 Products

Great news for all Linux users: our product line for home users now includes Kaspersky for Linux. Our cybersecurity solution with the highest number of global accolades now delivers maximum protection for home users across all their devices running Windows, Linux, macOS, Android, and iOS, all with just one Kaspersky for Linux subscription.

If you thought Linux was immune to cyberthreats, it's time to rethink that view. The number of malicious programs targeting this OS has increased 20-fold over the past five years. These threats include miners, ransomware, and even malware embedded in the source code of popular applications. For instance, last year's attack involving a backdoor in the XZ Utils compression tools, which ship with many popular Linux distributions, could have become the most widespread attack on the Linux ecosystem in its entire history. Beyond malware, Linux users face threats common to all platforms: phishing and malicious websites, as well as theft of passwords and banking and personal data. As interest in Linux-powered devices grows year after year, we want to ensure our users have 100% protection across every operating system. To achieve this, we've adapted our business security solution, which has been used worldwide for years, to meet the needs of home users.

What can Kaspersky for Linux do?

The key features of Kaspersky for Linux include:
- Monitoring the system, devices, and individual files to detect and eliminate malware
- Scanning removable media connected to the PC, including USB drives and hard drives, for threats
- Detecting malware through behavior analysis on the device, providing proactive defense
- Protecting against malware on the internet
- Alerting users when they attempt to follow a phishing link

AI-powered antivirus scans and blocks infected files, folders, and applications upon detecting viruses, ransomware, Trojans, password stealers, and other malware, preventing infection of your PC, other devices, and your entire network. Anti-phishing warns you about phishing links in emails and on websites to protect your login credentials and banking data from theft. Online payment protection verifies the security of bank websites and online stores before you execute any financial transactions. Anti-cryptojacking prevents unauthorized crypto mining on your device to ensure cybercriminals can't drain its performance. Scanning of removable media, such as USB drives and external hard drives, upon connection to your computer uses the tried and true method of defending against the spread of viruses.

What are the technical requirements for Kaspersky for Linux?

Kaspersky for Linux supports major 64-bit Linux distributions, including Ubuntu, ALT Linux, Uncom, and RED OS. To install the software, your PC must meet the following minimum specifications: at least a Core 2 Duo 1.86 GHz CPU, 2 GB of RAM, at least 1 GB of swap space, and 4 GB of free disk space. Check the full system requirements before installing.

How to install Kaspersky for Linux?

First, sign in to your My Kaspersky account. If you don't have one, it'll be created automatically when you purchase a subscription or install the free trial version. Next, download the installation files compatible with your flavor of Linux: Kaspersky for Linux is distributed in DEB and RPM package formats. Before you run the installer, double-check all requirements regarding your computer's configuration, OS settings, and any installed software. Follow the detailed step-by-step guide to install and set up the application. If you have any questions during setup or while using the application, you can consult the extensive Kaspersky for Linux help documentation.

Which Kaspersky subscription should Linux users choose?

Currently, the set of features available to users of Kaspersky for Linux doesn't depend on your subscription, be it Kaspersky Standard, Kaspersky Plus, or Kaspersky Premium. This allows you to choose the most cost-effective option: for example, if you only need to protect a single PC running Linux, Kaspersky Standard is sufficient. However, if you have a multi-device home ecosystem with computers, laptops, smartphones, and tablets running various operating systems, consider Kaspersky Premium. With this plan, you can protect up to 10 devices for all your family members. In addition to the top-tier security for Windows, Linux, macOS, Android, and iOS, you get a password manager, a fast and unlimited VPN, and a Kaspersky Safe Kids app for child protection and parental control (the last three are for Windows, macOS, Android, and iOS only). You can explore everything Kaspersky for Linux can do with a free 30-day trial.

NB: Kaspersky for Linux isn't GDPR-ready just yet.

 Industry

The U.K.'s water suppliers have reported five cyberattacks since January 2024, according to information reviewed by Recorded Future News. The incidents did not affect the safety of water supplies, but they highlight an increasing threat.

 Feed

The North Korea-linked threat actor known as Kimsuky has distributed a previously undocumented backdoor codenamed HttpTroy as part of a likely spear-phishing attack targeting a single victim in South Korea. Gen Digital, which disclosed details of the activity, did not reveal any details on when the incident occurred, but noted that the phishing email contained a ZIP file ("250908_A_HK이노션

 Feed

Bad actors are increasingly training their sights on trucking and logistics companies with an aim to infect them with remote monitoring and management (RMM) software for financial gain and ultimately steal cargo freight. The threat cluster, believed to be active since at least June 2025 according to Proofpoint, is said to be collaborating with organized crime groups to break into entities in the

 Feed

Cyberattacks are getting smarter and harder to stop. This week, hackers used sneaky tools, tricked trusted systems, and quickly took advantage of new security problems—some just hours after being found. No system was fully safe. From spying and fake job scams to strong ransomware and tricky phishing, the attacks came from all sides. Even encrypted backups and secure areas were put to the test.

 Feed

Security Operations Centers (SOC) today are overwhelmed. Analysts handle thousands of alerts every day, spending much time chasing false positives and adjusting detection rules reactively. SOCs often lack the environmental context and relevant threat intelligence needed to quickly verify which alerts are truly malicious. As a result, analysts spend excessive time manually triaging alerts, the

 Feed

Cybersecurity researchers have shed light on two different Android trojans called BankBot-YNRK and DeliveryRAT that are capable of harvesting sensitive data from compromised devices. According to CYFIRMA, which analyzed three different samples of BankBot-YNRK, the malware incorporates features to sidestep analysis efforts by first checking its running within a virtualized or emulated environment

 Feed

Cybersecurity researchers have flagged a new malicious extension in the Open VSX registry that harbors a remote access trojan called SleepyDuck. According to Secure Annex's John Tuckner, the extension in question, juan-bianco.solidity-vlang (version 0.0.7), was first published on October 31, 2025, as a completely benign library that was subsequently updated to version 0.0.8 on November 1 to

Aggregator history: Monday, November 03, 2025