Infostealer infections compounded by a lack of multi-factor authentication (MFA) have resulted in dozens of breaches at major global companies and calls for greater MFA use. The issue came to light in a Hudson Rock post that detailed the activity of a threat actor operating under the aliases “Zestix” and “Sentap.” The threat actor has auctioned data stolen from the corporate file-sharing portals of roughly 50 major global enterprises, targeting ShareFile, ownCloud, and Nextcloud instances “belonging to critical entities across the aviation, robotics, housing, and government infrastructure sectors,” the report said, taking pains to note that lack of MFA was the primary cause.

“... these catastrophic security failures were not the result of zero-day exploits in the platform architecture, but rather the downstream effect of malware infections on employee devices combined with a critical failure to enforce Multi-Factor Authentication (MFA),” the report said.

Cyble’s threat intelligence database contains 56 dark web reports and client advisories on Zestix and Sentap going back to mid-2024, and the threat actor appears to be connected to a significantly older X/Twitter account, according to a May 2025 Cyble profile. DarkSignal recently published an extensive profile of the threat actor.

Infostealers and No MFA Make Attacks Easy

The Hudson Rock report looked at 15 data breaches claimed by Zestix/Sentap and noted a common attack flow:

Infection: “An employee inadvertently downloads a malicious file. The infostealer executes and harvests all saved credentials and browser history.”

Aggregation: “These logs are aggregated in massive databases on the dark web. Zestix parses these logs specifically looking for corporate cloud URLs (ShareFile, Nextcloud).”

Access: “Zestix simply uses the valid username and password extracted from the logs. Because the organizations listed below did not enforce MFA, the attacker walks right in through the front door. No exploits, no cookies – just a password.”

“The era where brute-force attacks reigned supreme is waning,” the report said. “In its place, the Infostealer ecosystem has risen to become the primary engine of modern cybercrime.
“Contrary to attacks involving sophisticated cookie hijacking or session bypasses, the Zestix campaign highlights a far more pedestrian – yet equally devastating – oversight: The absence of Multi-Factor Authentication (2FA).”

Zestix relies on infostealer malware such as RedLine, Lumma, or Vidar to infect personal or professional devices, and sometimes the gap between malware infection and exploitation is a long one, as old infostealer logs have led to new cyberattacks in some cases.

“A critical finding in this investigation is the latency of the threat,” Hudson Rock said. “While some credentials were harvested from recently infected machines, others had been sitting in logs for years, waiting for an actor like Zestix to exploit them. This highlights a pervasive failure in credential hygiene; passwords were not rotated, and sessions were never invalidated, turning a years-old infection into a present-day catastrophe.”

ownCloud Calls for Greater MFA Use

ownCloud responded to the report with a call for greater MFA use by clients. In a security advisory, the company said, “The ownCloud platform was not hacked or breached. The Hudson Rock report explicitly confirms that no zero-day exploits or platform vulnerabilities were involved.” Stolen credentials from infostealer logs were “used to log in to ownCloud accounts that did not have Multi-Factor Authentication (MFA) enabled. As the report notes: ‘No exploits, no cookies—just a password.’”

ownCloud said clients should immediately enable MFA on their ownCloud instances if they haven’t done so already. “MFA adds a critical second layer of verification that prevents unauthorized access even when credentials are compromised,” the company said.
Recommended steps include:

- Enabling MFA on all user accounts using ownCloud’s two-factor authentication apps
- Resetting passwords for all users and requiring “strong, unique credentials”
- Reviewing access logs for suspicious activity
- Invalidating active sessions to force re-authentication with MFA
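A defender-side triage of the infection/aggregation/access flow Hudson Rock describes, which also covers the stale-credential latency the report highlights, as an added example that is not code from Hudson Rock, ownCloud, or any stealer-log vendor. It parses a constructed sample in the common stealer-log layout (URL/USER/PASS triples behind an infection-time header; the header format is an assumption), keeps only logins that target the organization's own file-sharing portals (hypothetical hostnames), and maps each hit onto the controls in the list above: reset the password, invalidate sessions, look back through access logs when the log is old, and flag the same password unlocking more than one portal.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample in the layout stealer families such as RedLine, Lumma
# and Vidar use when dumping saved browser logins: URL/USER/PASS triples,
# preceded here by a header with the infection time (assumed format).
SAMPLE_LOG = """\
# infected: 2022-03-14T09:12:00Z  machine: DESKTOP-7H2K
URL: https://files.example-air.com/index.php/login
USER: j.doe@example-air.com
PASS: Summer2022!
URL: https://www.facebook.com/login
USER: jdoe77
PASS: hunter2
URL: https://example-air.sharefile.com/Authentication/Login
USER: j.doe@example-air.com
PASS: Summer2022!
URL: https://cloud.example-robotics.net/owncloud/login
USER: m.smith
PASS: Welcome1
"""

# Hypothetical inventory of the organization's own file-sharing portals;
# a stolen login for any other site is not this organization's exposure.
CORP_PORTALS = {
    "files.example-air.com",        # Nextcloud
    "example-air.sharefile.com",    # ShareFile
    "cloud.example-robotics.net",   # ownCloud
}

# A log older than this is treated as dormant: the "years-old infection"
# case in the report, where the password may have circulated for a long time.
STALE_AFTER_DAYS = 365

RECORD = re.compile(r"URL:\s*(\S+)\s*\nUSER:\s*(\S+)\s*\nPASS:\s*(.*)")
INFECTED = re.compile(r"^# infected:\s*(\S+)", re.M)


@dataclass
class Hit:
    host: str
    user: str
    age_days: int      # days between infection and triage time (-1: unknown)
    stale: bool        # infection older than STALE_AFTER_DAYS
    reused: bool       # same user/password seen on more than one portal


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def triage(text, portals=CORP_PORTALS, now=None):
    """Return one Hit per stolen login that targets a corporate portal.

    `now` is an ISO-8601 string (for reproducible runs) or None for the clock.
    """
    now_dt = _ts(now) if now else datetime.now(timezone.utc)
    m = INFECTED.search(text)
    age = (now_dt - _ts(m.group(1))).days if m else -1

    seen = defaultdict(set)   # (user, password) -> portals it unlocks
    matched = []
    for url, user, pwd in RECORD.findall(text):
        host = urlparse(url).hostname or ""
        if host in portals:
            seen[(user, pwd.strip())].add(host)
            matched.append((host, user, pwd.strip()))

    return [
        Hit(host, user, age, age >= STALE_AFTER_DAYS, len(seen[(user, pwd)]) > 1)
        for host, user, pwd in matched
    ]


def response_actions(hits):
    """Map each hit onto the controls ownCloud's advisory recommends."""
    actions = []
    for h in hits:
        actions.append((h.user, h.host, "reset_password"))
        actions.append((h.user, h.host, "invalidate_sessions"))
        if h.stale:
            # The login may have been used long before today: look back.
            actions.append((h.user, h.host, "review_access_logs_since_infection"))
        if h.reused:
            actions.append((h.user, h.host, "password_reused_across_portals"))
    return actions


if __name__ == "__main__":
    for action in response_actions(triage(SAMPLE_LOG)):
        print(*action)
```

The facebook.com entry is dropped on purpose: the same stealer log mixes personal and corporate logins, and the only lines that matter to the portal owner are the ones whose hostname is in its own inventory. Enabling MFA is the control that makes the remaining hits harmless, but it does not retroactively close sessions opened before it was turned on, which is why the advisory lists session invalidation separately.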
A serious and unpatched security flaw has been disclosed in the TOTOLINK EX200 wireless range extender. The vulnerability, tracked as CVE-2025-65606, allows a remote authenticated attacker to gain full system control by abusing a flaw in the device’s firmware-upload mechanism. The issue was publicly disclosed by the CERT Coordination Center (CERT/CC) on January 6, 2026, and currently has no available fix.

According to CERT/CC, CVE-2025-65606 is rooted in improper error handling within the firmware-upload logic of the TOTOLINK EX200. When the extender processes certain malformed firmware files, the upload handler can enter what CERT/CC described as an “abnormal error state.” This condition causes the device to start a telnet service running with root privileges.

Firmware Upload Error Triggers Root-Level Telnet Access

What makes this behavior especially dangerous is that the telnet service launched under these circumstances does not require authentication. The interface, which is normally disabled and not intended to be exposed, becomes an unintended remote administration channel. CERT/CC summarized the issue clearly, stating: “An authenticated attacker can trigger an error condition in the firmware-upload handler that causes the device to start an unauthenticated root telnet service, granting full system access.”

The vulnerability was discovered and responsibly reported by security researcher Leandro Kogan, who was credited by CERT/CC for identifying the flaw. The advisory was authored by Timur Snoke and published as Vulnerability Note VU#295169, with both the original release date and last revision listed as January 6, 2026.

Exploitation Requirements and Potential Impact of CVE-2025-65606

While exploitation of CVE-2025-65606 does require the attacker to already be authenticated to the web management interface of the TOTOLINK EX200, the resulting impact is severe. Access to the firmware-upload functionality is enough to trigger the vulnerability. Once the malformed firmware file is processed and the device enters the abnormal error state, the unauthenticated root-level telnet service becomes available. From that point forward, an attacker gains unrestricted control of the device.
CERT/CC warned that successful exploitation could lead to configuration manipulation, arbitrary command execution, or the establishment of persistent access on the network. Because the TOTOLINK EX200 functions as a network extender, compromise of the device may also enable lateral movement or broader network attacks. CERT/CC emphasized that the unintended telnet interface increases the attack surface of the device. The advisory notes that this behavior could be leveraged to hijack susceptible devices, allowing attackers to maintain long-term control without relying on the original web authentication mechanism.

No Patch Available as Device Reaches End of Life

One of the most concerning aspects of CVE-2025-65606 is the absence of a vendor-provided fix. CERT/CC confirmed that TOTOLINK has not released any updates addressing the vulnerability, and the TOTOLINK EX200 is no longer actively maintained. Vendor status information was listed as “Unknown,” and the product has reached end-of-life. Publicly available information shows that the last firmware update for the TOTOLINK EX200 was released in February 2023, nearly three years before the vulnerability was disclosed. As a result, users cannot rely on an official patch to remediate the issue.

In the absence of a fix, CERT/CC recommends several mitigation steps. These include restricting administrative access to trusted networks, preventing unauthorized users from accessing the management interface, and actively monitoring for unexpected telnet activity. However, the advisory makes it clear that these measures are temporary protection rather than permanent solutions. CERT/CC ultimately advises users to plan for replacing the TOTOLINK EX200 with a supported and actively maintained model. Given the severity of CVE-2025-65606 and the lack of ongoing vendor support, continued use of the device poses a sustained security risk.
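A minimal implementation of the monitoring step CERT/CC recommends, as an added example that is not part of the advisory and is not TOTOLINK code: it probes the extender's management address for a listener on TCP/23 and classifies the reply as telnet when the peer opens with option negotiation (the 0xFF IAC byte) or shows a login prompt. Because the EX200 should never answer on that port, any open socket is the finding; the address, port and the local stand-in service used to exercise the probe are assumptions.

```python
import socket
import threading

IAC = 0xFF  # telnet "Interpret As Command": first byte of option negotiation


def classify_banner(data):
    """'telnet' when the peer negotiates options or prompts for a login."""
    if data[:1] == bytes([IAC]) or b"login:" in data.lower():
        return "telnet"
    return "unknown"


def probe_telnet(host, port=23, timeout=2.0):
    """Return (is_open, kind). kind is 'telnet', 'unknown', or None if closed.

    A device in the abnormal error state accepts the connection and starts
    negotiating; a healthy EX200 refuses or times out.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)
            except socket.timeout:
                banner = b""   # something listens but stays silent
    except OSError:
        return False, None
    return True, classify_banner(banner)


def telnet_findings(host, port=23, timeout=2.0):
    """One finding line per extender that exposes telnet; empty when clean."""
    is_open, kind = probe_telnet(host, port, timeout)
    if not is_open:
        return []
    return [f"{host}: TCP/{port} open ({kind}); the EX200 should never expose telnet"]


def fake_telnet_service(payload, host="127.0.0.1"):
    """Constructed stand-in for a device in the abnormal state: answers one
    connection with `payload` and returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(payload)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Assumed extender address on the management VLAN; run from a trusted host.
    for line in telnet_findings("192.168.0.254"):
        print(line)
    # Demonstration against the local stand-in (telnet option negotiation).
    demo = fake_telnet_service(b"\xff\xfd\x18\xff\xfd\x20login: ")
    print(telnet_findings("127.0.0.1", demo))
```

Schedule this from the same network segment that is allowed to reach the management interface, since the advisory's first mitigation is to keep everything else away from the device. A silent listener ("unknown") still deserves a look: the condition CERT/CC describes is a root shell, and a banner is not guaranteed.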
Additional metadata associated with CVE-2025-65606 shows that the CVE was made public on January 6, 2026, with the first publication and last update occurring the same day at 14:49 UTC. The document revision is listed as version 1.
The telecommunications sector, a cornerstone of national infrastructure, remained squarely in the sights of both ransomware and nation-state actors in 2025, revealed Cyble’s Telecommunications Sector Threat Landscape Report 2025. The convergence of high-value subscriber data, geopolitical relevance, and complex digital ecosystems made the industry a persistent focal point for a wide spectrum of threat actors, including ideologically driven hacktivist groups.

“Telecommunications networks sit at the intersection of digital trust, national security, and everyday life. As threat actors continue to become more coordinated and persistent, telecom providers are no longer just service operators—they need to become frontline defenders of critical infrastructure,” said Mandar Patil, Founding Member & SVP at Cyble.

Why the Telecommunication Sector Remains a Prime Target

Telecom organizations were consistently targeted for their extensive repositories of Personally Identifiable Information (PII), including call records, billing details, and customer credentials. This data carries high resale value in underground markets, where compromised network access and customer databases are traded as commodities. The strategic importance of telecommunication networks in geopolitical conflicts further increased their attractiveness, as disruptions can have far-reaching economic and societal consequences.

Exposure through internet-facing infrastructure and reliance on third-party service providers amplified risk across the sector. These factors allowed threat actors to exploit vulnerabilities at multiple points, enabling both immediate financial exploitation and long-term network persistence.

Ransomware Activity and Dominant Threat Groups

Cyble documented 444 security incidents affecting the global telecommunication sector in 2025, including 90 confirmed ransomware attacks. Ransomware activity has increased fourfold since 2021. A total of 34 ransomware groups were identified, though the majority of attacks were driven by a small number of highly active actors. The most prolific groups, Qilin, Akira, and Play, accounted for nearly 39% of all observed incidents.
Qilin led with 16 attacks, primarily targeting organizations in the United States while expanding its operations into Europe and Asia.

Supply Chain Impact and Regional Trends

The impact of cyberattacks extended across the entire telecommunication ecosystem. While major carriers such as AT&T and Orange were among the most visible victims, threat actors also targeted internet infrastructure providers and manufacturers of communications equipment. This approach disrupted operations across interconnected systems, increasing the overall impact of ransomware campaigns.

Regionally, the Americas experienced the highest number of incidents, with the United States accounting for 47 attacks. Several telecom companies, including Verizon, AT&T, and Lumen Technologies, had reported breaches ahead of the U.S. elections in late 2024. In 2025, opportunistic actors continued to monetize data believed to have been exfiltrated during those earlier intrusions, particularly large volumes of customer PII.

Nation-State Espionage and Hacktivist Disruption

Beyond financially motivated crime, nation-state actors played a critical role in shaping the threat landscape. The China-linked Salt Typhoon campaign demonstrated sustained espionage efforts against global telecommunication providers by exploiting vulnerabilities in network-edge devices from vendors such as Cisco and Fortinet. These intrusions focused on long-term surveillance and the theft of sensitive call records, compromising hundreds of organizations.

Geopolitically motivated hacktivism further contributed to disruption across the sector. Pro-Russian groups claimed intrusions into Ukrainian telecommunication infrastructure, using Distributed Denial-of-Service (DDoS) attacks, website defacements, and data leaks as part of broader ideological campaigns.

Persistent Pressure and Emerging Patterns

A defining trend in 2025 was the sustained, year-long activity of dominant ransomware groups. Qilin, in particular, maintained a consistent attack tempo throughout the year. One notable incident involved a U.S.-based telecom company appearing on the leak sites of both INC Ransom and Qilin within the same month. Additionally, isolated late-year activity linked to LockBit suggested residual operations by affiliates despite earlier law enforcement disruptions.

Overall, the telecommunication sector in 2025 faced a highly hostile environment marked by ransomware concentration, nation-state espionage, and an active underground economy trading stolen data and access.

“What we are witnessing is not a series of isolated attacks, but a sustained campaign against the telecom ecosystem. Organizations that fail to prioritize visibility, resilience, and supply-chain security will continue to face compounded risk in an increasingly contested cyber landscape,” Patil concluded.

For deeper insights into ransomware activity, nation-state threats, and telecom security risks, check out Cyble's Telecommunications Sector Threat Landscape Report 2025.
The hacking group Crimson Collective claims to have access to Brightspeed’s infrastructure and is disconnecting users from the company’s home internet services. The group made its latest claims in a post on Telegram yesterday. “Hey BrightSpeed, we disconnected a lot of your users home internet.. they might be complaining you should check,” the Telegram post says.

Asked by The Cyber Express how the group was able to do this, a Crimson Collective spokesperson replied, “we were able to do this with the access we had on their infrastructure,” suggesting that the extent of the claimed breach may go beyond customer data access.

The Cyber Express reached out to Brightspeed to see if the company could confirm or deny Crimson Collective’s claims and will update this article with any response. So far the company has said only that it is “investigating reports of a cybersecurity event,” so any claims by the hacker group remain unconfirmed.

Crimson Collective’s Brightspeed Claims and Customer Risk

In a January 4 Telegram post, Crimson Collective claimed that the group had breached Brightspeed and obtained the personal data of more than a million residential customers of the U.S. fiber broadband provider. A day later, the threat group released a data sample to back up those claims. The group is also trying to sell the data, suggesting that any negotiations that may have taken place with Brightspeed had failed to progress.

Crimson Collective claims to possess a wide range of data on Brightspeed customers, including names, email addresses, phone numbers, billing and service addresses, account status, network type, service instances, network assignments, IP addresses, latitude and longitude coordinates, payment history, payment card types and masked card numbers (last 4 digits), expiry dates, bank identification numbers (BINs), appointment and order records, and more.
The data doesn’t include passwords or full credit card numbers that could put users at imminent risk of account takeover or fraud, but the hacker group told The Cyber Express that “Every PII is important, with all this data people can easily start big sophisticated phishing campaigns or even get access to specific people's infrastructure.”

Noelle Murata, Senior Security Engineer at Xcape, agreed that the data holds potential value for cybercriminals. “The stolen data reportedly includes payment card details and account histories that create opportunities for identity theft and sophisticated social engineering scams and are particularly dangerous when targeting a demographic that may be less digitally savvy,” Murata said in a statement shared with The Cyber Express.

Crimson Collective: An Emerging Threat

Crimson Collective first emerged last year with a Red Hat GitLab breach that exposed client Customer Engagement Reports (CERs) and other potentially sensitive data about client infrastructure. Murata said the Brightspeed attack “aligns with the Crimson Collective's pattern of exploiting cloud misconfigurations and leaked AWS credentials to bypass security measures.” The timing of the attack, coming just after the New Year holiday, is a possible example of “holiday hunting,” where cybercriminals exploit reduced IT staffing over holidays, Murata said.

“Service providers in rural and suburban areas often operate with limited security resources but face the same threats as larger urban carriers,” Murata said. “Transparency, prompt customer notification, and immediate containment will be crucial in the coming days.”
An emerging threat actor that goes by "Zestix" used an assortment of infostealers to obtain credentials and breach file-sharing instances of approximately 50 enterprises.
Cyber's role in the US raid on Venezuela remains a question, though President Trump alluded to "certain expertise" in shutting down the power grid in Caracas.
Pro-Russian group NoName057(16) uses a custom denial-of-service tool to mobilize volunteers and disrupt government, media, and institutional sites tied to Ukraine and the West.
Chen Zhi’s arrest is the latest chapter in the remarkable downfall of one of the country’s most prominent businesses, with holdings in the real estate, banking, entertainment and airline industries.
A spokesperson said the information relates to an incident that came to light in November, when a threat actor demanded $150,000 for allegedly stolen data.
The Illinois Department of Human Services exposed personal information belonging to more than 700,000 state residents after inadvertently posting the data on the open internet where it remained for as long as four years before being taken down in September.
The owner of a Michigan-based stalkerware company pleaded guilty to federal charges for selling a product designed to spy on people without their consent.
A newly discovered critical security flaw in legacy D-Link DSL gateway routers has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0625 (CVSS score: 9.3), concerns a case of command injection in the "dnscfg.cgi" endpoint that arises as a result of improper sanitization of user-supplied DNS configuration parameters. "An unauthenticated remote attacker can inject
Threat actors engaging in phishing attacks are exploiting routing scenarios and misconfigured spoof protections to impersonate organizations' domains and distribute emails that appear as if they have been sent internally. "Threat actors have leveraged this vector to deliver a wide variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms such as Tycoon 2FA," the
Security teams are still catching malware. The problem is what they're not catching. More attacks today don't arrive as files. They don't drop binaries. They don't trigger classic alerts. Instead, they run quietly through tools that already exist inside the environment — scripts, remote access, browsers, and developer workflows. That shift is creating a blind spot. Join us for a deep-dive
Open-source workflow automation platform n8n has warned of a maximum-severity security flaw that, if successfully exploited, could result in authenticated remote code execution (RCE). The vulnerability, which has been assigned the CVE identifier CVE-2026-21877, is rated 10.0 on the CVSS scoring system. "Under certain conditions, an authenticated user may be able to cause untrusted code to be
Non-human employees are becoming the future of cybersecurity, and enterprises need to prepare accordingly. As organizations scale Artificial Intelligence (AI) and cloud automation, there is exponential growth in Non-Human Identities (NHIs), including bots, AI agents, service accounts and automation scripts. In fact, 51% of respondents in ConductorOne’s 2025 Future of Identity Security Report
Veeam has released security updates to address multiple flaws in its Backup & Replication software, including a "critical" issue that could result in remote code execution (RCE). The vulnerability, tracked as CVE-2025-59470, carries a CVSS score of 9.0. "This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as the postgres user by sending a malicious
A cybercrime gang known as Black Cat has been attributed to a search engine optimization (SEO) poisoning campaign that employs fraudulent sites advertising popular software to trick users into downloading a backdoor capable of stealing sensitive data. According to a report published by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) and
Cybersecurity researchers have disclosed details of yet another maximum-severity security flaw in n8n, a popular workflow automation platform, that allows an unauthenticated remote attacker to gain complete control over susceptible instances. The vulnerability, tracked as CVE-2026-21858 (CVSS score: 10.0), has been codenamed Ni8mare by Cyera Research Labs. Security researcher Dor Attias has been