Oktacron logo
Cyber security aggregate rss news

Cyber security aggregator - feeds history
image for LockBit Ransomware G ...

 Cyber News

The LockBit ransomware group is making a comeback, with a new data leak site and 21 new victims. LockBit was once the most feared ransomware group, and it still vastly outnumbers other ransomware groups with more than 2,700 claimed victims over its six-year-history, but a series of international law enforcement   show more ...

actions that began in February 2024 severely disrupted the group, and it has struggled to mount a sustained comeback since. LockBit 4.0, released in early 2025, failed to gain much traction and was never completely rolled out, and rivals like Qilin have done well attracting ransomware affiliates with favorable terms like profit sharing and enhanced features. But LockBit 5.0, announced on the underground forum RAMP in September, may be helping the group gain some traction, as it has since launched a new dark web data leak site and claimed new victims, Cyble reported in recent notes to clients. Dec. 8 update: LockBit claimed an additional 14 victims over the weekend since this article was published, raising the group's total to 21 for the month, behind only Qilin and Akira. LockBit 'Fully Reactivated' Despite a nearly two-year struggle to regain its footing, LockBit remains by far the most active ransomware group over its six-year history, its 2,757 victims more than double that of its nearest rivals, including Qilin, Akira, Play and CL0P (chart below from Cyble). [caption id="attachment_107448" align="aligncenter" width="1200"] LockBit remains the most dominant ransomware group of all time by a significant margin (Cyble)[/caption] Despite its history and name, LockBit’s comeback route has been a steep one, as arrests, leaked source code and operational leaks have repeatedly hampered comeback attempts and given rivals an advantage. But Cyble reported to clients on Dec. 5 that LockBit has “fully reactivated its public ransomware operations.” The new data leak site launched on November 5 and currently lists 21 new victims, plus several that had been previously claimed by the group. The new LockBit 5.0 variant, internally codenamed “ChuongDong,” has been driving the group’s reemergence. The new ransomware variant includes a complete redevelopment of the ransomware panel and lockers, and the new malware is more modular and offers faster encryption and better evasion of security defenses. Obfuscation is a key feature of the new ransomware version, which targets Linux, Windows and VMware ESXi environments. LockBit Victims, Sectors and Targeted Countries One notable new victim claimed by LockBit is an Asian airline providing regional passenger transport and charter services. Another new listing is a major Caribbean real estate company. Looking at the 42 victims claimed by LockBit in 2025 through Dec. 5, what stands out are the sectors and countries targeted, which differ from other leading ransomware groups. LockBit has had surprising success targeting financial services organizations. The group has claimed more victims in the Banking, Financial Services and Insurance (BFSI) sector in 2025 than in other industries (chart below). Overall, financial services isn’t among the top 10 sectors attacked by all ransomware groups, as the BFSI sector typically has stronger cybersecurity controls than other sectors. [caption id="attachment_107450" align="aligncenter" width="1200"] LockBit has had significant success targeting financial services companies (Cyble)[/caption] Also interesting is LockBit’s success targeting organizations in South America (chart below), which differs significantly from other ransomware groups, whose attacks are largely focused on the U.S., Canada and Europe. [caption id="attachment_107452" align="aligncenter" width="1200"] LockBit has had more success in South America than other ransomware groups (Cyble)[/caption] It remains to be seen if LockBit can mount a sustained comeback this time, but the group has a uniquely interesting base to build on. Ransomware affiliates are opportunistic, however, and they tend to gravitate toward the ransomware groups that offer the best chance at profitability and success. LockBit's comeback will depend on its ability to convince affiliates that it deserves to be back among the leaders. Article published on Dec. 5 and updated on Dec. 8 to reflect an increase in recent victims claimed by LockBit from seven to 21.

image for Active Exploitation ...

 Cyber News

The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has confirmed that a command injection vulnerability affecting Array Networks AG Series secure access gateways has been actively exploited in Japan since August 2025. The advisory, updated on December 5, 2025, states that attackers   show more ...

have leveraged the flaw to implant web shells and gain unauthorized access to internal networks.  According to JPCERT, the vulnerability originates in the DesktopDirect feature of the AG Series, Array Networks’ remote desktop access capability designed to help users connect securely to office resources. Although the issue was quietly resolved by the vendor on May 11, 2025, the lack of a public CVE identifier and the continued presence of unpatched devices have left a notable attack surface exposed.  “Exploitation of this vulnerability could allow attackers to execute arbitrary commands,” the advisory states. JPCERT added that systems running DesktopDirect are specifically at risk, emphasizing that the feature enablement is a prerequisite for successful exploitation.  Ongoing Attacks Traced to a Single IP Address  JPCERT reports that organizations in Japan have experienced intrusions tied to this security gap beginning in August 2025. In these incidents, attackers attempted to plant PHP-based web shells in paths containing “/webapp/,” a technique that would provide persistent remote access.   The agency noted that malicious traffic has consistently originated from the IP address 194.233.100[.]138, though the identity and motivations of the threat actors remain unclear. Details regarding the scope of the campaign, the tools deployed beyond web shells, or whether the attackers represent a known threat group have not yet been released.  No Evidence Linking to Past Exploits of CVE-2023-28461  The newly exposed vulnerability exists alongside another previously exploited flaw in the same product line, CVE-2023-28461, a high-severity authentication bypass rated CVSS 9.8. That earlier issue was abused in 2024 by a China-linked espionage group known as MirrorFace, which has targeted Japanese institutions since at least 2019.  Despite the overlap in affected systems, JPCERT emphasized that there is no current evidence connecting the recent command injection attacks with MirrorFace or with prior activity related to CVE-2023-28461.  Affected Versions and Required Updates  The vulnerability impacts ArrayOS AG 9.4.5.8 and earlier versions, all of which support the DesktopDirect functionality. Array Networks issued a fixed release, ArrayOS 9.4.5.9, to address the flaw. The company has advised users to test and deploy the updated firmware as soon as possible.  JPCERT cautioned administrators that rebooting devices after applying the patch may lead to log loss. Because log files are crucial to intrusion investigations, the agency recommends preserving these records before performing any update or system reboot.  Workarounds  For organizations unable to immediately apply the firmware update, Array Networks has provided temporary mitigation steps:  Disable all DesktopDirect services if the feature is not actively in use.  Implement URL filtering to block requests containing semicolons (“;”), a common vector used for command injection payloads.  These measures aim to reduce exposure until patching becomes feasible.  In its advisory, JPCERT urged all users of affected products to examine their systems for signs of compromise. Reported malicious activity includes the installation of web shells, the creation of unauthorized user accounts, and subsequent internal intrusions launched through the compromised AG gateways.

image for SMS Phishers Pivot t ...

 A Little Sunshine

China-based phishing groups blamed for non-stop scam SMS messages about a supposed wayward package or unpaid toll fee are promoting a new offering, just in time for the holiday shopping season: Phishing kits for mass-creating fake but convincing e-commerce websites that convert customer payment card data into mobile   show more ...

wallets from Apple and Google. Experts say these same phishing groups also are now using SMS lures that promise unclaimed tax refunds and mobile rewards points. Over the past week, thousands of domain names were registered for scam websites that purport to offer T-Mobile customers the opportunity to claim a large number of rewards points. The phishing domains are being promoted by scam messages sent via Apple’s iMessage service or the functionally equivalent RCS messaging service built into Google phones. An instant message spoofing T-Mobile says the recipient is eligible to claim thousands of rewards points. The website scanning service urlscan.io shows thousands of these phishing domains have been deployed in just the past few days alone. The phishing websites will only load if the recipient visits with a mobile device, and they ask for the visitor’s name, address, phone number and payment card data to claim the points. A phishing website registered this week that spoofs T-Mobile. If card data is submitted, the site will then prompt the user to share a one-time code sent via SMS by their financial institution. In reality, the bank is sending the code because the fraudsters have just attempted to enroll the victim’s phished card details in a mobile wallet from Apple or Google. If the victim also provides that one-time code, the phishers can then link the victim’s card to a mobile device that they physically control. Pivoting off these T-Mobile phishing domains in urlscan.io reveals a similar scam targeting AT&T customers: An SMS phishing or “smishing” website targeting AT&T users. Ford Merrill works in security research at SecAlliance, a CSIS Security Group company. Merrill said multiple China-based cybercriminal groups that sell phishing-as-a-service platforms have been using the mobile points lure for some time, but the scam has only recently been pointed at consumers in the United States. “These points redemption schemes have not been very popular in the U.S., but have been in other geographies like EU and Asia for a while now,” Merrill said. A review of other domains flagged by urlscan.io as tied to this Chinese SMS phishing syndicate shows they are also spoofing U.S. state tax authorities, telling recipients they have an unclaimed tax refund. Again, the goal is to phish the user’s payment card information and one-time code. A text message that spoofs the District of Columbia’s Office of Tax and Revenue. CAVEAT EMPTOR Many SMS phishing or “smishing” domains are quickly flagged by browser makers as malicious. But Merrill said one burgeoning area of growth for these phishing kits — fake e-commerce shops — can be far harder to spot because they do not call attention to themselves by spamming the entire world. Merrill said the same Chinese phishing kits used to blast out package redelivery message scams are equipped with modules that make it simple to quickly deploy a fleet of fake but convincing e-commerce storefronts. Those phony stores are typically advertised on Google and Facebook, and consumers usually end up at them by searching online for deals on specific products. A machine-translated screenshot of an ad from a China-based phishing group promoting their fake e-commerce shop templates. With these fake e-commerce stores, the customer is supplying their payment card and personal information as part of the normal check-out process, which is then punctuated by a request for a one-time code sent by your financial institution. The fake shopping site claims the code is required by the user’s bank to verify the transaction, but it is sent to the user because the scammers immediately attempt to enroll the supplied card data in a mobile wallet. According to Merrill, it is only during the check-out process that these fake shops will fetch the malicious code that gives them away as fraudulent, which tends to make it difficult to locate these stores simply by mass-scanning the web. Also, most customers who pay for products through these sites don’t realize they’ve been snookered until weeks later when the purchased item fails to arrive. “The fake e-commerce sites are tough because a lot of them can fly under the radar,” Merrill said. “They can go months without being shut down, they’re hard to discover, and they generally don’t get flagged by safe browsing tools.” Happily, reporting these SMS phishing lures and websites is one of the fastest ways to get them properly identified and shut down. Raymond Dijkxhoorn is the CEO and a founding member of SURBL, a widely-used blocklist that flags domains and IP addresses known to be used in unsolicited messages, phishing and malware distribution. SURBL has created a website called smishreport.com that asks users to forward a screenshot of any smishing message(s) received. “If [a domain is] unlisted, we can find and add the new pattern and kill the rest” of the matching domains, Dijkxhoorn said. “Just make a screenshot and upload. The tool does the rest.” The SMS phishing reporting site smishreport.com. Merrill said the last few weeks of the calendar year typically see a big uptick in smishing — particularly package redelivery schemes that spoof the U.S. Postal Service or commercial shipping companies. “Every holiday season there is an explosion in smishing activity,” he said. “Everyone is in a bigger hurry, frantically shopping online, paying less attention than they should, and they’re just in a better mindset to get phished.” SHOP ONLINE LIKE A SECURITY PRO As we can see, adopting a shopping strategy of simply buying from the online merchant with the lowest advertised prices can be a bit like playing Russian Roulette with your wallet. Even people who shop mainly at big-name online stores can get scammed if they’re not wary of too-good-to-be-true offers (think third-party sellers on these platforms). If you don’t know much about the online merchant that has the item you wish to buy, take a few minutes to investigate its reputation. If you’re buying from an online store that is brand new, the risk that you will get scammed increases significantly. How do you know the lifespan of a site selling that must-have gadget at the lowest price? One easy way to get a quick idea is to run a basic WHOIS search on the site’s domain name. The more recent the site’s “created” date, the more likely it is a phantom store. If you receive a message warning about a problem with an order or shipment, visit the e-commerce or shipping site directly, and avoid clicking on links or attachments — particularly missives that warn of some dire consequences unless you act quickly. Phishers and malware purveyors typically seize upon some kind of emergency to create a false alarm that often causes recipients to temporarily let their guard down. But it’s not just outright scammers who can trip up your holiday shopping: Often times, items that are advertised at steeper discounts than other online stores make up for it by charging way more than normal for shipping and handling. So be careful what you agree to: Check to make sure you know how long the item will take to be shipped, and that you understand the store’s return policies. Also, keep an eye out for hidden surcharges, and be wary of blithely clicking “ok” during the checkout process. Most importantly, keep a close eye on your monthly statements. If I were a fraudster, I’d most definitely wait until the holidays to cram through a bunch of unauthorized charges on stolen cards, so that the bogus purchases would get buried amid a flurry of other legitimate transactions. That’s why it’s key to closely review your credit card bill and to quickly dispute any charges you didn’t authorize.

image for How Agentic AI Can B ...

 Feed

Transurban head of cyber defense Muhammad Ali Paracha shares how his team is automating the triaging and scoring of security threats as part of the Black Hat Middle East conference.

 Feed

A command injection vulnerability in Array Networks AG Series secure access gateways has been exploited in the wild since August 2025, according to an alert issued by JPCERT/CC this week. The vulnerability, which does not have a CVE identifier, was addressed by the company on May 11, 2025. It's rooted in Array's DesktopDirect, a remote desktop access solution that allows users to securely access

 Feed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of a backdoor named BRICKSTORM that has been put to use by state-sponsored threat actors from the People's Republic of China (PRC) to maintain long-term persistence on compromised systems. "BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments," the agency said. "

 Feed

A human rights lawyer from Pakistan's Balochistan province received a suspicious link on WhatsApp from an unknown number, marking the first time a civil society member in the country was targeted by Intellexa's Predator spyware, Amnesty International said in a report. The link, the non-profit organization said, is a "Predator attack attempt based on the technical behaviour of the infection

 Feed

Most MSPs and MSSPs know how to deliver effective security. The challenge is helping prospects understand why it matters in business terms. Too often, sales conversations stall because prospects are overwhelmed, skeptical, or tired of fear-based messaging. That’s why we created ”Getting to Yes”: An Anti-Sales Guide for MSPs. This guide helps service providers transform resistance into trust and

 Feed

A new agentic browser attack targeting Perplexity's Comet browser that's capable of turning a seemingly innocuous email into a destructive action that wipes a user's entire Google Drive contents, findings from Straiker STAR Labs show. The zero-click Google Drive Wiper technique hinges on connecting the browser to services like Gmail and Google Drive to automate routine tasks by granting them

 Feed

A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack. The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity. "Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an

 Feed

Two hacking groups with ties to China have been observed weaponizing the newly disclosed security flaw in React Server Components (RSC) within hours of it becoming public knowledge. The vulnerability in question is CVE-2025-55182 (CVSS score: 10.0), aka React2Shell, which allows unauthenticated remote code execution. It has been addressed in React versions 19.0.1, 19.1.2, and 19.2.1. According

2025-12
Aggregator history
Friday, December 05
MON
TUE
WED
THU
FRI
SAT
SUN
DecemberJanuaryFebruary