Cyber security aggregate rss news

Cyber security aggregator - feeds history

U.S. Announces Five ...

Cyber News

The Justice Department has announced major developments in its ongoing efforts to disrupt illicit financing operations linked to North Korea. Five defendants have pleaded guilty in a wide-ranging scheme involving identity fraud, remote IT employment, and large-scale virtual currency theft. The department has also initiated civil forfeiture actions totaling more than $15 million. These actions target financial networks supporting the DPRK government’s weapons program. The case highlights growing concerns surrounding virtual currency heists, identity theft, and the exploitation of U.S. companies through fraudulent remote employment schemes.

North Korean IT Employment Schemes Exposed

According to court documents, U.S. and Ukrainian facilitators helped North Korean IT workers obtain remote jobs with American companies. By providing stolen or falsified identities, hosting employer-issued laptops in the United States, and installing remote-access tools, the defendants created the false impression that the workers were operating domestically. Investigators say the scheme affected more than 136 U.S. companies, generated over $2.2 million in revenue for the DPRK regime, and compromised the identities of at least 18 American citizens. These tactics align with methods highlighted in federal advisories regarding identity misuse, proxy networks, and false documentation used by foreign threat actors, including those involved in virtual currency theft and broader revenue-generation operations.

$15 Million in Virtual Currency Seized

In a parallel action, two civil forfeiture complaints detail how the North Korean hacking group APT38 targeted four overseas virtual currency platforms in 2023. These virtual currency heists resulted in hundreds of millions of dollars being stolen from payment processors and exchanges in Estonia, Panama, and Seychelles. While DPRK-linked actors attempted to launder the stolen funds through mixers, bridges, and over-the-counter traders, U.S. authorities successfully froze and seized more than $15 million worth of USDT stablecoins. Federal officials intend to forfeit the assets so they can eventually be returned to victims.

Virtual Currency Theft: Three Guilty Pleas in Georgia

In the Southern District of Georgia, U.S. nationals Audricus Phagnasay, Jason Salazar, and Alexander Paul Travis pleaded guilty to wire fraud conspiracy. From 2019 to 2022, the trio knowingly supplied their personal identities to overseas IT workers and assisted them in bypassing employer screening procedures. Travis, who served in the U.S. Army during the scheme, received over $51,000 for his involvement. Prosecutors emphasized that the fraudulent operation resulted in more than $1.28 million in salaries being paid out by victim companies, with most of the funds transferred to workers operating outside the United States.

Ukrainian Identity Broker Admits Role

On Nov. 10, Ukrainian national Oleksandr Didenko pleaded guilty in the District of Columbia to wire fraud conspiracy and aggravated identity theft. Didenko sold stolen identities to foreign IT workers, including those linked to North Korea, helping them secure jobs at more than 40 U.S. companies. He agreed to forfeit more than $1.4 million in fiat and digital currency.

Florida Defendant Pleads Guilty in Related Case

In the Southern District of Florida, U.S. citizen Erick Ntekereze Prince admitted to wire fraud conspiracy connected to fraudulent staffing operations. Prince supplied U.S. companies with remote IT workers who were, in fact, based overseas and using stolen identities. His participation earned him more than $89,000. Two co-defendants are still awaiting trial or extradition.

Senior DOJ and FBI officials said the coordinated actions reflect a comprehensive federal strategy to counter North Korea’s illicit revenue-generation networks. They warned that DPRK-linked cyber operations, including identity fraud and virtual currency theft, remain a persistent threat to national and economic security. Authorities urged U.S. companies to strengthen vetting processes for remote workers and remain alert to identity anomalies, unauthorized access tools, and other indicators of foreign fraud.

Logitech Confirms Da ...

Cyber News

Logitech International S.A. has confirmed that it was hit by a data breach, the company said in an SEC filing late last week. Logitech’s 8-K filing released on Nov. 14 was short on details, but the company was named as a victim by the CL0P ransomware group earlier this month as part of the threat group’s campaign targeting Oracle E-Business Suite vulnerabilities. Of roughly 45 organizations claimed as victims by CL0P, only five have confirmed an attack to date: The Washington Post, Harvard University, American Airlines’ Envoy Air, and Hitachi’s GlobalLogic. The CL0P campaign is believed to have targeted Oracle E-Business Suite vulnerability CVE-2025-61884, contrary to initial reports that the Oracle EBS vulnerability targeted was CVE-2025-61882.

Logitech Data Breach Confirmed

Logitech said in its SEC filing that the company “recently experienced a cybersecurity incident relating to the exfiltration of data.” The computer peripherals and software maker said the incident did not impact its products, business operations or manufacturing. After detecting the incident, Logitech said it investigated and responded to the incident with help from unnamed external cybersecurity firms. Logitech said the company “believes that the unauthorized third party used a zero-day vulnerability in a third-party software platform and copied certain data from the internal IT system. ... The data likely included limited information about employees and consumers and data relating to customers and suppliers. Logitech does not believe any sensitive personal information, such as national ID numbers or credit card information, was housed in the impacted IT system.” Logitech said it patched the third-party vulnerability “following its release by the software platform vendor.”

Logitech Says Cyber Insurance Will Cover Incident

The company said it doesn’t believe the incident will have a “material adverse effect” on its financial condition, in part because it holds “a comprehensive cybersecurity insurance policy, which we expect will, subject to policy limits and deductibles, cover costs associated with incident response and forensic investigations, as well as business interruptions, legal actions and regulatory fines, if any.” While only five victims have confirmed they were hit in the Oracle cyberattack campaign, the Cl0p ransomware group has claimed about 45 victims to date from the campaign on its dark web data leak site. Alleged victims claimed by CL0P have spanned a wide range of industries and organizations, including major electronics companies, energy and utility organizations, technology companies, manufacturers, medical technology companies, healthcare providers, major colleges and universities, insurers, security companies, banks, construction and engineering firms, mining companies and communications companies, among other sectors. CL0P has tended to cluster victims in campaigns targeting specific zero-day vulnerabilities throughout its six-year history, including 267 claimed victims in February 2025 that drove ransomware attacks to record highs that month.

IBM AIX Hit by Three ...

Cyber News

Vulnerabilities in the IBM AIX operating system for Power servers could allow remote attackers to execute arbitrary commands, obtain Network Installation Manager (NIM) private keys, or traverse directories. IBM flagged the vulnerabilities - three critical and one high-severity - in a new security bulletin, and security firm Mondoo also urged AIX users to mitigate the flaws in a blog post. While there has been no evidence of exploitation as of yet, Mondoo warns the vulnerabilities could be chained together to compromise the critical environments that typically rely on IBM Power systems, like financial services and healthcare. “These four vulnerabilities together present a very serious threat, especially in environments where the NIM infrastructure is exposed,” Mondoo said.

IBM AIX Vulnerability CVE-2025-36250 Rated 10.0

The highest-rated vulnerability is CVE-2025-36250, which scored a perfect 10.0. In IBM AIX 7.2 and 7.3 and IBM VIOS (Virtual I/O Server) 3.1 and 4.1, the NIM server (formerly known as NIM master) service (nimesis) could allow a remote attacker to execute arbitrary commands due to improper process controls. The fix issued by IBM “addresses additional attack vectors for a vulnerability that was previously addressed” as CVE-2024-56346, which was also rated 10.0. CVE-2025-36251, rated 9.6, also affects IBM AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1. IBM notes that the nimsh service SSL/TLS implementations could allow a remote attacker to execute arbitrary commands due to improper process controls. The fix also addresses additional attack vectors for a previous vulnerability, CVE-2024-56347, which was also rated 9.6. CVE-2025-36096, rated 9.0, notes that AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1 store NIM private keys used in NIM environments “in an insecure way which is susceptible to unauthorized access by an attacker using man in the middle techniques.” CVE-2025-36236, rated 8.2, also affects AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1. The NIM server service could allow a remote attacker to traverse system directories or send a specially crafted URL request to write arbitrary files on the system. IBM credited Jan Alsenz of Oneconsult AG for the discoveries.

IBM AIX Vulnerabilities Could Allow System ‘Hijack’

In a statement shared with The Cyber Express, Mondoo CSO Patrick Münch said the four vulnerabilities “present a very serious threat because they allow a remote attacker with no privileges to perform arbitrary commands on an IBM Network Installation Manager (NIM) that’s exposed to the internet (which NIM servers typically are). This means that they could 'hijack' unattended operating system installations and updates to deploy malicious payloads onto AIX hosts, move laterally, and persist in the broader environment.” Münch noted that because of their critical nature, “Patch cycles are often delayed on IBM AIX because uptime is so critical for these enterprises. We haven’t seen any reports of active exploitation yet, but due to the high risk of these vulnerabilities, we strongly advise organizations to patch immediately.” IBM provided lengthy mitigation instructions, and Mondoo said affected organizations should configure NIM in SSL/TLS Secure mode (nimconfig -c) and apply the fixes, which can be downloaded over HTTPS from https://aix.software.ibm.com/aix/efixes/security/nim_fix2.tar, a tar file that contains the advisory, fix packages, and OpenSSL signatures for each package.

Eurofiber France Con ...

Cyber News

A cybersecurity incident at Eurofiber France was officially confirmed after the company identified unauthorized activity on November 13, 2025. The incident involved a software vulnerability that allowed a malicious actor to access data from Eurofiber France’s ticket management platform and the ATE customer portal. According to the company, the situation is now under control, with systems secured and additional protective measures implemented.

Cybersecurity Incident Impacted Ticketing Platform and ATE Portal

Eurofiber France stated that the cybersecurity incident affected its central ticket management platform used by regional brands Eurafibre, FullSave, Netiwan, and Avelia. It also impacted the ATE portal, part of Eurofiber France’s cloud services operating under the Eurofiber Cloud Infra France brand. The company confirmed that the attacker exploited a software vulnerability in this shared environment, leading to the exfiltration of customer-related data. The company emphasized that the incident is limited to customers in France using the affected platforms. Customers using Eurofiber services in Belgium, Germany, or the Netherlands, including Eurofiber Cloud Infra in the Netherlands, were not impacted. Eurofiber also noted that the effect on indirect sales and wholesale partners within France remains minimal, as most partners operate on separate systems.

Immediate Response and Containment Measures

Within hours of detecting the breach, Eurofiber France placed both the ticketing platform and the ATE portal under reinforced security. The vulnerability was patched, and additional layers of protection were deployed. The company said its internal teams, working alongside external cybersecurity experts, are now focused on assisting customers in assessing and managing the impact. Eurofiber clarified that no sensitive financial information, such as bank details or regulated critical data stored in other systems, was compromised. All services remained fully operational during the attack, and there was no disruption to customer connectivity or service availability. Customers were notified immediately after the breach was detected. Eurofiber stated it would continue to update affected organizations transparently as the investigation progresses.

Regulatory Notifications and Ongoing Investigation

In line with European regulatory requirements, Eurofiber France has notified the CNIL (France’s Data Protection Authority under GDPR) and reported the incident to ANSSI (the French National Cybersecurity Agency). A police complaint has also been filed in connection with an extortion attempt linked to the attack. The company reaffirmed its commitment to transparency, data protection, and cybersecurity throughout the remediation process.

External Research Points to Larger Data Exposure

International Cyber Digest, a third-party cybersecurity research group, reported that the breach may have exposed information belonging to approximately 3,600 customers. According to their analysis, the threat actor, who identifies as “ByteToBreach”, gained full access to Eurofiber’s GLPI database, including client data, support tickets, internal messages, passwords, and API keys. Researchers noted that Eurofiber’s GLPI installation may have been operating on versions 10.0.7–10.0.14, potentially outdated and vulnerable. The attacker, in comments shared with the researchers, claimed to have executed a slow, time-based SQL injection attack and extracted nearly 10,000 password hashes over a period of 10 days. They reportedly used administrator-level API keys to download internal documents and customer PII. ByteToBreach also claimed to have contacted both GLPI’s developer, Teclib, and Eurofiber to negotiate ransom demands. According to the research group, those attempts received no response. Eurofiber France operates over 76,000 kilometers of fiber network and 11 data centers, serving between 9,000 and 12,000 business and government customers. The company’s French clientele includes several major public institutions and private-sector organizations. Eurofiber France reiterated that all systems have now been secured and that enhanced monitoring and preventive measures are in place. The company said its teams remain fully mobilized until the cybersecurity incident is completely resolved.

Feed

Google has disclosed that the company's continued adoption of the Rust programming language in Android has resulted in the number of memory safety vulnerabilities falling below 20% for the first time. "We adopted Rust for its security and are seeing a 1000x reduction in memory safety vulnerability density compared to Android’s C and C++ code. But the biggest surprise was Rust's impact on

Feed

This week showed just how fast things can go wrong when no one’s watching. Some attacks were silent and sneaky. Others used tools we trust every day — like AI, VPNs, or app stores — to cause damage without setting off alarms. It’s not just about hacking anymore. Criminals are building systems to make money, spy, or spread malware like it’s a business. And in some cases, they’re using the same

Feed

Phishing attacks are no longer confined to the email inbox, with 1 in 3 phishing attacks now taking place over non-email channels like social media, search engines, and messaging apps. LinkedIn in particular has become a hotbed for phishing attacks, and for good reason. Attackers are running sophisticated spear-phishing attacks against company executives, with recent campaigns seen targeting

Feed

The threat actor known as Dragon Breath has been observed making use of a multi-stage loader codenamed RONINGLOADER to deliver a modified variant of a remote access trojan called Gh0st RAT. The campaign, which is primarily aimed at Chinese-speaking users, employs trojanized NSIS installers masquerading as legitimate like Google Chrome and Microsoft Teams, according to Elastic Security Labs. "The

Feed

Cybersecurity researchers have discovered malware campaigns using the now-prevalent ClickFix social engineering tactic to deploy Amatera Stealer and NetSupport RAT. The activity, observed this month, is being tracked by eSentire under the moniker EVALUSION. First spotted in June 2025, Amatera is assessed to be an evolution of ACR (short for "AcridRain") Stealer, which was available under the

Aggregator history: Monday, November 17, 2025