Powered by Blogger.


ACF Plugin Flaw Exposes 50,000 WordPress Sites to Admin Takeover


A critical vulnerability in the Advanced Custom Fields: Extended (ACF Extended) WordPress plugin has exposed around 50,000 sites to potential hacker takeovers. Tracked as CVE-2025-14533, this flaw affects versions up to 0.9.2.1 and allows unauthenticated attackers to gain administrator privileges through flawed user creation forms. Discovered by researcher Andrea Bocchetti and reported via Wordfence on December 10, 2025, the issue was swiftly patched in version 0.9.2.2 just four days later. Despite the quick fix, download stats show many sites remain unpatched, leaving them vulnerable to remote exploitation.

The vulnerability originates in the plugin's 'Insert User / Update User' form action, where the role restrictions configured in the field settings are not enforced server-side. An attacker can submit a crafted request to the form that sets the role to 'administrator', regardless of which roles the site owner actually allowed in the field settings. Exploitation requires a site to use an ACF Extended form with a 'role' field mapped to custom fields, a common setup for user registration and user management features. Once the request succeeds, the attacker holds a full administrator account without any prior access, enabling data theft, malware injection, backdoor installation, or a pivot to the underlying server.
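The bug class is easiest to see in code. What follows is an added illustration of the pattern described above, not ACF Extended's code: the form field names, the `$allowed_roles` setting, the `demo_*` function names and the nonce action are assumptions, while the WordPress functions it calls (`wp_insert_user`, `wp_update_user`, `wp_verify_nonce`, `wp_roles()->is_role`, `current_user_can`) are real. The vulnerable handler copies the role from the request; the hardened one treats the field-settings allow-list as a server-side policy and refuses privileged roles to anyone who cannot already promote users.

```php
<?php
// Added illustration of the bug class, not the plugin's code. Field names,
// the $allowed_roles setting and the nonce action are assumptions; the
// WordPress API calls are real.

/**
 * Vulnerable pattern: the role is copied from the request body and the
 * allow-list configured in the field settings is only a UI hint.
 * An attacker who never renders the form can simply POST role=administrator.
 */
function demo_insert_user_vulnerable(array $post) {
    return wp_insert_user([
        'user_login' => sanitize_user($post['user_login'] ?? ''),
        'user_email' => sanitize_email($post['user_email'] ?? ''),
        'user_pass'  => $post['user_pass'] ?? '',
        'role'       => $post['role'] ?? 'subscriber', // attacker-controlled
    ]);
}

/**
 * Hardened pattern: every restriction is enforced server-side.
 *
 * @param array $post           Request body ($_POST).
 * @param array $allowed_roles  Roles the site owner enabled in the field
 *                              settings for this form, e.g. ['subscriber'].
 * @param int   $target_user_id 0 to insert a new user, otherwise the ID of
 *                              the user being updated.
 * @return int|WP_Error         New/updated user ID, or an error.
 */
function demo_insert_user_hardened(array $post, array $allowed_roles, $target_user_id = 0) {
    // 1. CSRF: the submission must carry a nonce tied to this form action.
    if (!isset($post['_wpnonce']) || !wp_verify_nonce($post['_wpnonce'], 'demo_user_form')) {
        return new WP_Error('bad_nonce', 'Invalid form submission.');
    }

    // 2. Anonymous account creation only if the site explicitly allows it.
    if ($target_user_id === 0 && !get_option('users_can_register')) {
        return new WP_Error('registration_closed', 'Registration is disabled.');
    }

    // 3. Resolve the role: it must be a real role AND be in the form's
    //    allow-list. Anything else falls back to the site's default role
    //    instead of trusting the request.
    $requested = isset($post['role']) ? sanitize_key($post['role']) : '';
    $role = get_option('default_role', 'subscriber');
    if ($requested !== ''
        && wp_roles()->is_role($requested)
        && in_array($requested, $allowed_roles, true)) {
        $role = $requested;
    }

    // 4. Privileged roles are only granted by someone who can already promote
    //    users, even if an administrator mistakenly put them in the allow-list.
    $privileged = ['administrator', 'editor']; // assumption: site-specific list
    if (in_array($role, $privileged, true) && !current_user_can('promote_users')) {
        return new WP_Error('role_denied', 'Not permitted to assign this role.');
    }

    $userdata = [
        'user_login' => sanitize_user($post['user_login'] ?? '', true),
        'user_email' => sanitize_email($post['user_email'] ?? ''),
        'user_pass'  => $post['user_pass'] ?? '',
        'role'       => $role,
    ];

    if ($target_user_id > 0) {
        // Update path: the caller must be allowed to edit this specific user.
        if (!current_user_can('edit_user', $target_user_id)) {
            return new WP_Error('edit_denied', 'Not permitted to edit this user.');
        }
        // user_login cannot change, and passing user_pass to wp_update_user()
        // would silently reset the password, so drop both.
        unset($userdata['user_login'], $userdata['user_pass']);
        $userdata['ID'] = $target_user_id;
        return wp_update_user($userdata);
    }
    return wp_insert_user($userdata);
}
```

For the audit step, `get_users(['role' => 'administrator', 'orderby' => 'registered', 'order' => 'DESC'])` lists administrator accounts newest first, and `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` does the same from WP-CLI; any administrator you do not recognize should be treated as a compromise indicator, not merely deleted.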

ACF Extended, active on over 100,000 WordPress installations, builds on the popular Advanced Custom Fields plugin to offer developers advanced customization tools. Its widespread use amplifies the risk, as roughly half of users have yet to update since the patch release in mid-December 2025. WordPress sites relying on these plugins for dynamic content often overlook such configurations, inadvertently creating attack vectors.


Threat intelligence from GreyNoise shows aggressive reconnaissance against 706 WordPress plugins, ACF Extended among them, by nearly 1,000 IP addresses across 145 ASNs between late October 2025 and mid-January 2026. No confirmed exploitation of CVE-2025-14533 has surfaced yet, but the pattern mirrors the run-up to attacks on vulnerabilities in Post SMTP and LiteSpeed Cache, where enumeration of installed plugins preceded mass exploitation. This enumeration boom underscores how attackers probe for unpatched plugin versions before launching a campaign.

Site owners should update to ACF Extended 0.9.2.2 or later via the WordPress dashboard and audit every form for role mappings, checking which roles the field settings allow and whether the form is reachable by unauthenticated visitors. Additional steps include disabling public registration where it is not needed, reviewing the user list for unexpected administrator accounts, and deploying a web application firewall such as Wordfence for real-time blocking. In WordPress's vast plugin ecosystem, prompt patching remains the frontline defense against admin takeovers.

Unsecured Database Exposes 149 Million Logins Linked to Infostealer Malware Operations


A large collection of login credentials appeared on the open internet without any access controls. The trove, about 96 gigabytes in size, held close to 150 million distinct credentials gathered from many sources. It was neither password-protected nor encrypted; its contents were fully exposed. The records paired email addresses with usernames, passwords, and the URLs of the login pages they belonged to. Analysis pointed to large-scale credential theft by infostealer malware, software built to harvest private information from infected machines, and the leak illustrates how deeply automated attacks now reach into everyday online activity.

The credentials belonged to people around the world and covered many different websites: major social networks, dating apps, video streaming services, games, and financial services, including logins for cryptocurrency wallets, online banking, and payment-card systems. A mix like that does not point to a single breached company; it is characteristic of infostealer malware, which collects saved passwords from a victim's device regardless of which site they belong to.

Most notable was the presence of credentials tied to government email addresses from various countries. Such accounts do not necessarily grant access to critical infrastructure, but even basic official credentials can be exploited for targeted phishing or impersonation, and attackers can work from a minor foothold deeper into protected environments. The level of risk depends on each individual's privileges; when higher-privilege .gov logins fall into the wrong hands, the consequences can extend well beyond a single agency.

The database was organized much like the logs produced by infostealer operations. Keylogger output sat alongside additional details, including hostnames that had been deliberately reversed, apparently to sort stolen records by target and origin. Each record carried a distinct hash-based ID, likely meant to deduplicate entries while easing bulk sorting. Taken together, the structure looks like a working system for collecting, processing, and passing on login data, consistent with the back end of a credential-trafficking operation.

With no clear owner for the database, the finding was reported directly to the hosting company. Remediation still dragged on: weeks passed, and multiple notifications were needed before access was finally blocked. During that delay, new data kept flowing in, increasing the volume of sensitive records exposed. Who controlled the system, how long it had been reachable online, and whether others harvested its contents remain unanswered.

When attackers hold complete logins together with the URLs they work on, they can run automated credential-stuffing attacks across many accounts at once, raising the odds of identity theft, convincing phishing, repeated fraud, and unauthorized access. The set of platforms a person uses also reveals personal habits and sketches a profile of their online identity, deepening the threat to privacy and future safety.

The incident shows that credential theft now operates at industrial scale, and that weak cloud configurations feed it. Because infostealer malware improves month by month, protection depends on doing the basics well: keeping devices secured, practising careful habits online, using a unique password for every account, and adding multi-factor authentication. The exposure also reveals something odd at first glance: poor configuration does not only undermine legitimate systems, it undermines criminal ones too, and when those collapse, masses of people get caught unaware, with pieces of their private data scattered without ever knowing a breach happened.

China-Linked DKnife Threat Underscores Risks to Network Edge Devices

As adversaries increase their focus on the network edge, recent findings show a sustained and deliberate effort to weaponize routing infrastructure itself for surveillance and malware delivery. By embedding malicious logic directly in the traffic path rather than relying on endpoint compromise, an attacker can observe, modify, and selectively redirect data streams in transit.

This evolution is embodied by the DKnife framework, which turns adversary-in-the-middle (AitM) capability into a modular, long-lived platform designed to be persistent, stealthy, and operationally flexible.

Because the framework operates at the point where legitimate traffic aggregation and inspection already take place, the line between benign network functionality and hostile control is blurred, enabling malware deployment and long-term monitoring across a variety of device classes and user environments for the targeted users.

According to Cisco Talos researchers, DKnife is an adversary-in-the-middle framework that has been operating since at least 2019 on router-centric infrastructure maintained by threat actors linked to China.

Seven Linux-based implants are installed on gateways and edge devices to enable deep packet inspection, selective traffic manipulation, and covert delivery of malicious payloads. Several code artifacts and telemetry indicate a clear focus on Chinese-speaking users: credential-harvesting components tailored to Chinese email services, data-exfiltration modules aimed at popular Chinese mobile applications, and hard-coded references to domestic media domains embedded in the implants.

DKnife's strategic value lies in its position between users and legitimate update and download channels. Because it intercepts binary transfers and mobile application updates in transit, it can deploy and manage established backdoors, including ShadowPad and DarkNimbus, across endpoints ranging from desktop systems to mobile devices and Internet of Things environments.

Cisco Talos associates the activity with a Chinese threat cluster it tracks as Earth Minotaur, previously linked to the MOONSHINE exploit kit and the DarkNimbus backdoor. The reuse of DarkNimbus is noteworthy because the malware has also appeared in operations attributed to another Chinese advanced persistent threat group, TheWizards, suggesting shared tooling or infrastructure between the groups.

Infrastructure analysis also showed that DKnife-associated resources overlapped with those of WizardNet, a Windows implant deployed by TheWizards through an AitM framework called Spellbinder that was publicly documented in 2025.

Cisco cautions that current insight into DKnife's targeting may be incomplete: the configuration data came from a single command-and-control server and points to Chinese-speaking users, but parallel servers may exist to support operations in other regions.

Given TheWizards' history of targeting individuals and gambling-related entities across Southeast Asia, Greater China, and the Middle East, the convergence of infrastructure and tactics is significant, and it highlights DKnife's wider implications as a traffic-hijacking platform with reusable, regionally adaptable features.

Although researchers have not determined the exact vector used to compromise the network equipment, they have established that DKnife serves to deliver and control the ShadowPad and DarkNimbus backdoors, both of which have been used by China-aligned threat actors for years. Technical analysis identified seven discrete modules in the framework.

Each module supports a particular operational role: traffic inspection, traffic manipulation, command-and-control messaging, or origin obfuscation. Alongside the packet inspection and attack logic, the framework includes relay services for communication with remote C2 servers and a customized reverse proxy derived from HAProxy that masks and manages the malicious traffic flows.

DKnife also extends beyond passive monitoring. One module lets the attacker create a virtual Ethernet TAP interface on the compromised router and bridge it directly into the local network, placing the attacker in the data path of internal communications.

Other modules provide peer-to-peer VPN connectivity using modified n2n software, coordinate the download and update of malicious Android applications, and manage the deployment of the DKnife implants themselves.

Together these components support DNS hijacking, interception of legitimate binary and application updates, selective disruption of security-related traffic, and exfiltration of detailed user activity to external command infrastructure. Once active on a device, DKnife intercepts and rewrites packets destined for their original hosts and uses its network-bridging capability to substitute malicious payloads in transit transparently.

Through this technique, weaponized APK files can be delivered to Android devices and trojanized binaries to Windows systems on the affected network. Cisco Talos documented cases in which the framework first installed ShadowPad backdoors for Windows, signed with Chinese certificates, and then installed DarkNimbus backdoors to establish long-term access.

On Android, DarkNimbus was delivered directly through the manipulated update channel rather than via a secondary dropper. Investigators also tied the infrastructure to hosting for the WizardNet backdoor, the Windows implant previously associated with the Spellbinder AitM framework, confirming the link between DKnife and previously documented adversary-in-the-middle activity.

The presence of these tools within one operational environment implies shared development resources or coordinated infrastructure. It also shows threat actors growing more sophisticated in using compromised network devices as covert malware distribution channels rather than spreading malware from endpoint to endpoint.

Cisco Talos further concluded that DKnife intercepts Windows binary downloads as well as mobile ecosystems. The framework was observed manipulating download URLs in transit, either swapping legitimate installers for trojanized counterparts or redirecting users to attacker-controlled distribution points.

Combined with its DNS manipulation and control over application update channels, DKnife provides an extensive traffic-hijacking platform that can silently deliver malware while maintaining the appearance of normal network behavior.

The framework's components work in concert as a continuous attack system at the network gateway. Beyond payload delivery, DKnife offers a broad range of secondary functionality: harvesting credentials from intercepted POP3 and IMAP mail sessions, hosting phishing pages, selectively disrupting antivirus and security-product traffic, and detailed user-activity monitoring.

Researchers observed telemetry collection from several applications and services, including messaging platforms, navigation tools, news consumption, telephony, ridesharing, and online shopping. WeChat received particular attention: the framework tracks voice and video calls, message content, media exchanges, and articles opened in the application. Placement on gateway devices gives DKnife near real-time visibility into user behavior.

Activity events are first processed internally by the framework's modular components, then exfiltrated via structured HTTP POST requests to dedicated API endpoints and forwarded to remote command-and-control infrastructure.

This architecture greatly reduces the need for persistent malware on individual endpoints, since attackers can correlate traffic flows and user actions as packets traverse the network. Researchers note that it reflects a broader trend toward infrastructure-level compromise: the use of routers and edge devices as persistent malware delivery platforms.

According to Cisco Talos, DKnife-associated command-and-control servers remained active as of January 2026, underscoring that the threat is ongoing. The firm has published a set of indicators of compromise to help defenders identify compromised systems, and stresses that network infrastructure deserves increased attention as adversaries continue to exploit its unique position in modern environments.

Spain’s Science Ministry Partially Shuts Online Systems After Suspected Cyber Incident

Spain’s Ministry of Science, Innovation and Universities has temporarily disabled parts of its digital infrastructure following what it described as a technical problem. The disruption has affected several online services used by citizens, universities, researchers, and businesses for official procedures and submissions. These platforms support important administrative functions and process sensitive information, which is why access was restricted as a precaution.

The ministry oversees national science policy, research programs, innovation initiatives, and higher education administration. Its systems handle high-value data, including academic and research records, application materials, and personal information linked to students and professionals. Because of the incident, multiple digital services were made unavailable, and active procedures were placed on hold to limit any potential risk to data or system integrity.

In a public notice on its official website, the ministry stated that the incident is under technical assessment and did not disclose further details at the time. The announcement clarified that the ministry’s online portal is only partially operational and that ongoing administrative processes have been paused to protect the rights and lawful interests of affected users. To reduce the impact of the outage, authorities confirmed that deadlines for affected procedures will be extended in line with Spain’s administrative law provisions, so applicants and institutions are not penalized for delays caused by the shutdown.

Separately, claims surfaced on underground online platforms from an individual alleging unauthorized access to the ministry’s systems. The person shared what they presented as sample data to support the claim and stated that additional information was available for sale. The material reportedly includes personal records, email information, application-related documents, and images of official paperwork. These claims have not been independently verified, and the online space where the samples were shared later became inaccessible.

The same individual alleged that access was gained by exploiting a security weakness that lets users reach restricted resources without proper authorization, a class of access-control flaw that, when present in web applications, can expose internal systems if not properly secured. At this stage, the technical details of the claim remain unconfirmed by authorities.

Spanish media outlets have reported that a ministry spokesperson acknowledged that the service disruption is linked to a cybersecurity incident. However, officials have not confirmed whether any data was accessed or taken, nor have they outlined the scope of any potential compromise. The ministry has indicated that investigations are ongoing to determine what occurred and to restore services safely.

Cybersecurity experts consistently warn that public sector systems are frequent targets because of the volume and sensitivity of data they manage. Strong access controls, continuous monitoring, and timely security updates are critical to reducing exposure to such risks. Further updates from the ministry are expected once technical assessments are completed and the situation is fully clarified.

Infy Hackers Strike Again With New C2 Servers After Iran's Internet Shutdown Ends


Infy group's new attack tactic 

An Iranian hacking group known as Infy (aka Prince of Persia) has refined its tradecraft to hide its operations. The group also built new C2 infrastructure around the nationwide internet shutdown imposed in Iran earlier this year. Experts monitoring Infy observed that the group stopped configuring its C2 servers on January 8.

That is the day Iranian authorities imposed a nationwide internet shutdown in response to the protests, which suggests that even government-affiliated cyber units lost internet access.

About the campaign 

The new activity was spotted on 26 January 2026, as the group set up its new C2 servers, coinciding with the lifting of the Iranian government's internet restrictions. The timing suggests the threat actor is state-sponsored and supported by Iran.

Infy is one of many state-sponsored hacking groups operating out of Iran, a country infamous for sabotage, espionage, and influence campaigns coordinated with Tehran's strategic goals. It also has a reputation as one of the oldest and least-known of these groups, staying under the radar since 2004 through "laser-focused" espionage campaigns aimed at individuals.

Among the new tradecraft that SafeBreach documented in a report released in December 2025 were modified versions of Foudre and Tonnerre, the latter using a Telegram bot, probably for data collection and command issuance. Tornado is the codename for the most recent version of Tonnerre (version 50).

The report also revealed that the threat actors replaced the C2 infrastructure for all Tonnerre and Foudre variants and released Tornado variant 51, which uses both Telegram and HTTP for C2.

Tornado generates C2 domain names using two distinct techniques: a new DGA algorithm first, then fixed names recovered by de-obfuscating data stored on a blockchain. We believe that this novel method offers more flexibility in C2 domain name registration without requiring an upgrade to the Tornado version.

Experts believe that Infy also abused a 1-day vulnerability in WinRAR to extract the Tornado payload on the infected host, increasing the effectiveness of its attacks. The RAR archives were uploaded to VirusTotal from India and Germany in December 2025, which suggests victims in those two countries.



AISURU/Kimwolf Botnet Behind Record 31.4 Tbps DDoS Attack, Cloudflare Reveals


A massive distributed denial-of-service (DDoS) assault reaching an unprecedented peak of 31.4 terabits per second (Tbps) has been attributed to the AISURU/Kimwolf botnet. The attack, which lasted just 35 seconds, is now being described as one of the largest hyper-volumetric DDoS events ever recorded.

Cloudflare said it automatically identified and blocked the activity, noting that the incident was part of a wider surge in hyper-volumetric HTTP DDoS attacks linked to AISURU/Kimwolf during the fourth quarter of 2025. The specific attack occurred in November 2025.

The botnet has also been associated with a separate campaign dubbed The Night Before Christmas, which began on December 19, 2025. According to Cloudflare, attacks observed during this campaign averaged 3 billion packets per second (Bpps), 4 Tbps, and 54 million requests per second (Mrps). At their peak, the attacks escalated to 9 Bpps, 24 Tbps, and 205 Mrps.

"DDoS attacks surged by 121% in 2025, reaching an average of 5,376 attacks automatically mitigated every hour," Cloudflare's Omer Yoachimik and Jorge Pacheco said. "In 2025, the total number of DDoS attacks more than doubled to an incredible 47.1 million."

The web infrastructure firm reported mitigating 34.4 million network-layer DDoS attacks throughout 2025, a sharp increase from 11.4 million in 2024. In the final quarter of 2025 alone, network-layer incidents represented 78% of all DDoS activity. Overall, DDoS attacks climbed 31% quarter-over-quarter and rose 58% compared to the previous year. 

Hyper-volumetric DDoS attacks also saw a significant rise, increasing by 40% in Q4 2025 compared to the previous quarter, jumping from 1,304 to 1,824 incidents. Earlier in the year, Q1 2025 recorded 717 such attacks. Alongside the growing frequency, the scale of these attacks expanded dramatically, with sizes increasing by more than 700% compared to large-scale incidents observed in late 2024.

AISURU/Kimwolf is believed to have compromised over 2 million Android devices, largely unbranded Android TVs, which were absorbed into its botnet. Many of these infections were facilitated through residential proxy networks such as IPIDEA. In response, Google recently disrupted the proxy service and initiated legal action to dismantle dozens of domains used to manage infected devices and route proxy traffic.

Google also collaborated with Cloudflare to interfere with IPIDEA’s domain resolution capabilities, significantly weakening the operators’ command-and-control infrastructure.

“As part of the Google-led disruption effort, Cloudflare participated by suspending access to many accounts and domains that were misusing its infrastructure," Cloudflare told The Hacker News over email. "Threat actors were attempting to distribute malware and provide markets for people seeking access to the network of illicit residential proxies."

Investigations suggest that IPIDEA recruited infected devices using at least 600 malicious Android applications embedded with proxy SDKs, along with more than 3,000 trojanized Windows executables masquerading as OneDriveSync tools or Windows updates. The Beijing-based firm has also promoted VPN and proxy applications that covertly transformed users’ Android devices into proxy exit nodes without their awareness or permission.

Additionally, threat actors have been identified operating more than a dozen residential proxy services posing as legitimate businesses. These offerings, despite appearing separate, are all reportedly connected to a centralized infrastructure controlled by IPIDEA.

Cloudflare highlighted several additional trends observed during Q4 2025. Telecommunications companies, service providers, and carriers were the most targeted industries, followed by IT services, gambling, gaming, and software sectors. The most attacked countries included China, Hong Kong, Germany, Brazil, the United States, the United Kingdom, Vietnam, Azerbaijan, India, and Singapore.

Bangladesh overtook Indonesia as the largest source of DDoS traffic globally, with Ecuador, Indonesia, Argentina, Hong Kong, Ukraine, Vietnam, Taiwan, Singapore, and Peru also ranking among the top origins of attack traffic.

"DDoS attacks are rapidly growing in sophistication and size, surpassing what was previously imaginable," Cloudflare said. "This evolving threat landscape presents a significant challenge for many organizations to keep pace. Organizations currently relying on on-premise mitigation appliances or on-demand scrubbing centers may benefit from re-evaluating their defense strategy."
