CySecurity News - Latest Information Security and Hacking Incidents: cyber threat

Cybbersecurity Cyber Crime cyber threat CyberCrime Identity Theft Postal Service SMS Phishing SMS Spoofing USPS

Identity Theft Concerns Rise as USPS Flags Suspicious Package Deliveries

Recently, the United States Postal Service (USPS) issued an advisory in which it advised citizens to be more vigilant in light of an increase in sophisticated mail fraud schemes. In addition to the deceptive activities that have notably increased across the country, particularly during the recent holiday season, consumers' financial and personal security have been threatened significantly as a result of these deceptive activities. In addition to traditional phishing emails and fraudulent text messages, the USPS reports that these scams are now taking a more sophisticated form.

As the number of unsolicited packages delivered is on the rise, criminals are using increasingly inventive methods to deceive the recipients of their mail to exploit them. This makes it more difficult to tell a genuine email from a fraudulent email. There has been an increase in the number of individuals who are being affected, and as a result, the USPS has intensified its anti-fraud initiatives, reinforcing its commitment to maintaining the integrity of the national postal system in the long run.

A collaboration between the agency and law enforcement agencies, and consumer protection agencies is being undertaken to track these schemes as well as educate the public about identifying and reporting suspicious activity. There has been a noticeable rise in text message fraud scams impersonating the United States Postal Service (USPS), posing an urgent threat to public data security. In these fraudulent communications, the recipient often receives an alleged pending package and is requested to take additional action to make sure that it is delivered by taking steps to ensure its delivery.

Even though the message appears authentic, there is a malicious intent behind it, designed to deceive individuals into disclosing sensitive financial and personal information. The most alarming aspect of these scams is their sophisticated presentation. In most cases, the messages are designed to evoke a sense of urgency and legitimacy by using language that sounds official and even replicating USPS logos and branding.

The victim is usually directed to click on links in the emails, which lead to fake websites that harvest personal information such as banking credentials, ID numbers, and other private data, utilising embedded links. To avoid falling victim to these unscrupulous tactics, it is important to recognise and resist them. In an era of increasingly advanced cyber threats, individuals are advised to maintain vigilance to protect themselves against identity theft and financial exploitation.

As a result of this, individuals should scrutinise unexpected delivery notifications, refrain from engaging with suspicious links, and report any suspicious messages to the appropriate authorities. During the past few years, cybercriminals have become increasingly sophisticated with regards to the USPS-related text message scams, posing as automated postal service notifications. Under the pretence of facilitating package redelivery, these deceptive messages are designed to convince recipients that they have missed a delivery, causing them to confirm their personal information or click on embedded links.

While these texts may seem innocuous at first glance, they are a deliberate attempt to compromise the privacy and security of individuals, as well as their financial security. Social engineering plays a significant role in the strategy behind these scams. In a first method, known as pretexting, a plausible narrative, usually a delayed or incomplete delivery, is used to trick the recipient into providing sensitive information in exchange for a fee.

The second method of attack, SMS spoofing, allows attackers to conceal their true identity by modifying the sender's information to disguise the fraudulent message's origin, thereby appearing as though it has been sent by an official United States Postal Service. In general, these schemes are referred to as smishing, a type of phishing that involves sending text messages in exchange for a reward. Typically, the victims are directed to counterfeit websites that look remarkably similar to official USPS interfaces.

When users get there, they will be prompted to provide personally identifiable information (PII) as well as their contact information, under the false assumption that this information is necessary to redeliver or verify their package. Many malicious websites out there are not only designed to gather sensitive information, but also to use fraudulent payment services to charge a small transaction fee. Often, the stolen data can be sold on illegal marketplaces or used directly to commit identity theft and financial fraud.

Individuals must be aware of the threats that continue to evolve regarding delivery-related messages and verify any requests that they make through official USPS channels to avoid harm. It has become increasingly apparent that crime has become increasingly sophisticated and frequent in the country's postal infrastructure, as the number and nature of criminal activity have increased. In response to this crime wave, the United States Postal Service (USPS) has intensified its efforts to improve its operations to combat these crimes.

To implement this initiative, the Government of the United States has decided to implement a comprehensive 10-year strategy, Delivering for America, a $40 billion investment which is intended to transform the postal system into a secure, efficient, and financially sustainable institution that will meet the needs of future generations, thereby transforming the entire postal system. Project Safe Delivery was initiated as part of this larger strategy by USPS, in partnership with the US Postal Inspection Service, as a targeted enforcement campaign to combat crimes aimed at ensuring the safety of mail services and ensuring their integrity.

It has been more than two years since this joint operation was launched, but since then, it has been able to achieve tangible results, such as more than 2,400 arrests and a significant decrease in mail carrier robberies by more than 27%. This program has been proving to be an effective tool for deterring and prosecuting postal crime, with over 1,200 people apprehended in 2024 alone for mail-related theft, thus demonstrating the program's effectiveness in deterring and prosecuting it. USPS has taken extensive measures to further enhance the security of its delivery network.

In addition, over 49,000 high-security mailboxes have been installed across the country, designed to prevent tampering and unauthorised entry. Also, advanced electronic locking mechanisms are being installed in the mail carriers' offices to replace the traditional mechanical locks they were using in the past. These upgrades are essential for preventing the widespread theft of carrier keys, which have become frequent targets of criminal activity. It is also vital for the USPS's security framework to emphasise the importance of encouraging public cooperation.

A substantial monetary reward program has been instituted, and individuals providing credible information that leads to arrests in postal robberies can now receive up to $150,000 for providing credible information. It is also possible for the agency to pay up to $100,000 for actionable tips that lead to the arrests of mail thieves, a practice that reinforces the agency's commitment to protecting both mail workers and the American public. According to Secretary of State Sherry Patterson, the United States Postal Service (USPS) is committed to confronting and dismantling any schemes that attempt to exploit the postal system to maximise revenue.

USPS has released a set of precautionary guidelines for individuals to follow when receiving suspicious or unsolicited package deliveries, an increasingly common tactic used by identity thieves and fraudsters, as part of its public safety outreach program. When an unrequested parcel is received by a recipient, it is strongly recommended that the recipient refrain from engaging with any embedded links, QR codes, or digital prompts that may accompany the delivery or related notification.

There is a high probability that these elements will act as a gateway to malicious websites that will be used to harvest personal information or to install malware, so it is recommended that users report questionable mail or packages directly to the USPS using their official website. Also, recipients need to maintain ongoing vigilance, monitoring their financial accounts for any anomalies or unauthorised transactions that may suggest fraudulent activity.

In addition to taking care of users' credit profiles as a precautionary measure, it is also advised that they review them periodically and consider freezing their credit profiles temporarily as an added measure of security. The proactive approach taken by the Post Office is one of the most effective methods of preventing unauthorised credit activity since it can help prevent a crime from potentially occurring, especially in the aftermath of an identity theft. Together, these measures form one of the most effective lines of defence against postal-related scams.

Cybercrime in 2025: AI-Powered Attacks, Identity Exploits, and the Rise of Nation-State Threats



 

Hacking

AI technology AI Threat CrowdStrike Cyber Security cyber threat CyberCrime cybercriminals Hacking

Cybercrime in 2025: AI-Powered Attacks, Identity Exploits, and the Rise of Nation-State Threats

Cybercrime has evolved beyond traditional hacking, transforming into a highly organized and sophisticated industry. In 2025, cyber adversaries — ranging from financially motivated criminals to nation-state actors—are leveraging AI, identity-based attacks, and cloud exploitation to breach even the most secure organizations. The 2025 CrowdStrike Global Threat Report highlights how cybercriminals now operate like businesses.

One of the fastest-growing trends is Access-as-a-Service, where initial access brokers infiltrate networks and sell entry points to ransomware groups and other malicious actors. The shift from traditional malware to identity-based attacks is accelerating, with 79% of observed breaches relying on valid credentials and remote administration tools instead of malicious software. Attackers are also moving faster than ever. Breakout times—the speed at which cybercriminals move laterally within a network after breaching it—have hit a record low of just 48 minutes, with the fastest observed attack spreading in just 51 seconds.

This efficiency is fueled by AI-driven automation, making intrusions more effective and harder to detect. AI has also revolutionized social engineering. AI-generated phishing emails now have a 54% click-through rate, compared to just 12% for human-written ones. Deepfake technology is being used to execute business email compromise scams, such as a $25.6 million fraud involving an AI-generated video. In a more alarming development, North Korean hackers have used AI to create fake LinkedIn profiles and manipulate job interviews, gaining insider access to corporate networks.

The rise of AI in cybercrime is mirrored by the increasing sophistication of nation-state cyber operations. China, in particular, has expanded its offensive capabilities, with a 150% increase in cyber activity targeting finance, manufacturing, and media sectors. Groups like Vanguard Panda are embedding themselves within critical infrastructure networks, potentially preparing for geopolitical conflicts.

As traditional perimeter security becomes obsolete, organizations must shift to identity-focused protection strategies. Cybercriminals are exploiting cloud vulnerabilities, leading to a 35% rise in cloud intrusions, while access broker activity has surged by 50%, demonstrating the growing value of stolen credentials.

To combat these evolving threats, enterprises must adopt new security measures. Continuous identity monitoring, AI-driven threat detection, and cross-domain visibility are now critical. As cyber adversaries continue to innovate, businesses must stay ahead—or risk becoming the next target in this rapidly evolving digital battlefield.

U.S. Soldier Who Hacked AT&T and Verizon Sought to Sell Stolen Data to Foreign Intelligence, Prosecutors Say



 

Data Theft

Cyber Security cyber threat Data Security Breach Data Theft

U.S. Soldier Who Hacked AT&T and Verizon Sought to Sell Stolen Data to Foreign Intelligence, Prosecutors Say

A U.S. soldier who pleaded guilty to hacking AT&T and Verizon attempted to sell stolen data to what he believed was a foreign military intelligence service, according to newly filed court records reviewed by Media.

The documents also reveal that the soldier, Cameron John Wagenius, searched online for “U.S. military personnel defecting to Russia” and “can hacking be treason.” Wagenius, who operated under the online aliases “kiberphant0m” and “cyb3rph4nt0m,” unlawfully obtained and transferred confidential phone records, including those of high-ranking public officials.

Prosecutors allege that he posted these records for sale in November 2024 and demanded $500,000 from AT&T in exchange for deleting the stolen information, all while on active duty at Fort Cavazos. His activities were part of a larger cyberattack against multiple Snowflake customers during the summer of 2024, impacting at least ten organizations, including Live Nation Entertainment Inc. and Advance Auto Parts Inc.

Court documents state that hackers linked to the AT&T breach targeted records associated with prominent figures, including former First Lady Melania Trump, Ivanka Trump, Vice President Kamala Harris, and the wife of Senator Marco Rubio. However, it remains unclear what specific data Wagenius attempted to sell to the foreign intelligence service.

Prosecutors have described the extortion attempt as “only a small part of Wagenius’ malicious activity.” According to a government memorandum filed Wednesday, Wagenius allegedly communicated with an email address he believed was linked to a foreign intelligence agency and, days later, searched for information about countries that do not extradite to the U.S.

The memorandum states, “Wagenius conducted online searches about how to defect to countries that do not extradite to the United States and that he previously attempted to sell hacked information to at least one foreign intelligence service.” Authorities have also uncovered thousands of stolen identification documents, including passports and driver’s licenses, on Wagenius’ devices, along with access to large amounts of cryptocurrency.

Additionally, he researched the Russian embassy in Washington, D.C., raising further concerns about his intentions. Wagenius’ co-conspirator, Connor Moucka, a Canadian citizen, is set to face an extradition hearing in Canada on charges of stealing AT&T and Snowflake customer data. Another alleged accomplice, John Binns, an American living in Turkey, was reportedly fearful of being tracked by U.S. intelligence agencies.

The extensive hacking operation, which prosecutors say resulted in millions of dollars in ransom payments, has prompted warnings from the FBI about potential risks to national security. The agency has cautioned that the breach could compromise communications between FBI agents and confidential sources.

TRAI Enforces Stricter Regulations to Combat Telemarketing Spam Calls



 

TRAI

COAI Cybeattacks Cyber Crime cyber threat CyberCrime Cyberhackers Cyberscam Cybersecurity TCCCPR Telecom TRAI

TRAI Enforces Stricter Regulations to Combat Telemarketing Spam Calls

There has been a significant shift in the Telecom Regulatory Authority of India (TRAI)'s efforts to curb spam calls and unsolicited commercial communications (UCC) as part of its effort to improve consumer protection, as TRAI has introduced stringent regulations. These amendments will take effect on February 12, 2025, and prohibit the use of 10-digit mobile numbers for telemarketing purposes, addressing the growing concern that mobile users have with fraudulent and intrusive messages.

To ensure greater transparency in telemarketing practices, the Telecom Regulatory Authority of India (TRAI) has enforced several measures that aim to ensure communication integrity while increasing the intelligence of telemarketers. A comprehensive consultation process was undertaken by the Telecom Regulatory Authority of India (TRAI), which involved a comprehensive stakeholder consultation process for the approval of changes to the Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018, as a result of which significant changes have been made. This revision is intended to protect consumers against unsolicited commercial communications (UCCs) as well as to enhance compliance requirements for the providers of telecom services.

Cellular Operators Association of India (COAI,) however, has expressed its concern over the updated regulation, especially about the penalties imposed on service providers as a result of it. The second amendment to the TCCCPR allows consumers to lodge complaints up to seven days after receiving the call or message, allowing them greater flexibility in reporting spam calls and messages for the second amendment. Furthermore, because of the new regulations, individuals are now able to lodge complaints without the need to first register their preferences for communication.

Additionally, telecom operators are required to respond to complaints within five business days, a substantial reduction from the previous deadline of 30 days. A new set of stricter enforcement measures imposed by the law mandates that senders who receive five complaints within ten days must be held accountable for the complaint. To further safeguard consumer interests, telecom service providers will now be required to provide users with the option of opting out of all promotional emails.

TRAI has also mandated a standard messaging format, which requires message headers to contain specific codes that indicate that they are promotional, service-related, transactional, or government-related. This structured labelling system aims to enhance transparency and help users distinguish between different types of communication by adding a structured llabellingsystem to their communication systems.

As a part of the regulatory framework implemented by the Telecom Regulatory Authority of India (TRAI) to improve transparency and curb unsolicited commercial communications (UCCs), 10-digit mobile numbers will no longer be allowed to be used for commercial purposes. A telemarketer is required to use a series of designated numbers for promotional and service calls, ensuring that the two are clearly distinguished.

It is expected that the existing ‘140’ series will remain available for promotional purposes while the newly launched ‘1600’ series will be used for transactional and service-related communications. TRAI has also removed the requirement for the consumer to pre-register their communication preferences in advance of lodging a complaint against spam messages and unwanted phone calls from unregistered senders as part of its anti-spam practices.

In addition to simplifying the complaint process, TRAI has also expanded the reporting period from three days to seven days to improve user convenience in reporting violations, providing consumers with more flexibility in reporting complaints with essential details. To further strengthen consumer protection, TRAI has extended the complaint reporting window from three days to seven days, thus creating an environment of greater flexibility for users.

There has been a significant reduction in the timeframe for telecom operators to respond to UCC complaints, which was previously 30 days, down to five days now. Further, the threshold for penalizing senders has been lowered as well, with only five complaints within ten days instead of the earlier benchmark of ten complaints within seven days, requiring penalties to be imposed. To improve accessibility and foster consumer engagement, the government is now requiring that mobile applications and official websites of telecom service providers prominently display complaint registration options as a means of promoting consumer engagement.

Several regulatory initiatives have been taken to improve the accountability, transparency, and consumer-friendly nature of the telecommunications sector while also making sure the anti-spam directives are strictly followed. A stringent series of measures has been introduced by the Telecom Regulatory Authority of India (TRAI) to counter the rising threat of spam calls and to prevent malicious entities from misusing SMS headers and content templates to forward fraudulent or deceptive messages to subscribers.

Several initiatives are being implemented by the TRAI that will ensure that consumer interests are protected and a safer and more transparent messaging environment is established. To ensure compliance with telemarketing regulations, TRAI has mandated strict penalties for entities making unauthorized promotional calls that violate telemarketing regulations. A violation of these terms can result in severe consequences such as the disconnection of all telecommunications resources for a period of up to two years, a blacklisting for up to two years, and a prohibition on acquiring any new telecommunications resources during the period of blacklisting.

More than 800 entities and individuals have been blacklisted as a result of these measures, and over 1.8 million SIP DIDs, mobile numbers, and other telecommunications resources have been deactivated as a consequence. As a consequence, fraudulent commercial communications have been eliminated in large part. TRAI's directives call for access providers to list URLs, APKs, and links to OTTs within SMS content, and we have implemented this requirement with effect from October 1, 2024, to further enhance consumers' protection.

In an attempt to ensure consumer safety, a regulation moving forward will limit the use of links in text messages that have been verified and authorized by the user, thereby reducing the risk of consumers being exposed to harmful websites, fraudulent software, and other online risks. The '140xx' numbering series is further enhanced by migrating all telemarketing calls that originate from this series of numbers to the Distributed Ledger Platform (Blockchain) platform. In this way, the surveillance and control of telemarketing activities can be improved.

There have also been advances in technical solutions being deployed by access providers to improve traceability to ensure that every entity involved in the message transmission, from the initial sender through to the final recipient, is accounted for within the chain of communication. Any traffic containing messages that omit a clearly defined chain of telemarketers and can be vverifiedor deviate from the pre-registered framework will be automatically rejected as of December 1, 2024. Several significant advancements are being made in regulatory oversight in the telecom sector as a result of these measures. Consumer protection is reinforced,d and accountability is enhanced within the industry as a result of these measures.

To ensure that consumers have an easier and more convenient way to report unsolicited commercial communications violations, telecom service providers are required to prominently display complaint registration options on their official websites and mobile applications, making the complaint system more user-friendly and accessible for them. As part of this initiative, consumers will have the opportunity to easily flag non-compliant telemarketing practices, allowing the complaint process to be streamlined. Furthermore, service providers must provide consumers with a mandatory ‘opt-out’ option within all promotional messages to give them greater control over how they want to communicate.

The new Consumer Rights Rule establishes a mandatory 90-day waiting period before marketers can re-engage users who have previously opted out of receiving marketing communication from a brand before re-initiating a consent request for them. By implementing this regulatory measure, the telecom industry will be able to protect consumers, eliminate aggressive advertising tactics, and develop a more consumer-centric approach to commercial messaging within its infrastructure.

It was announced yesterday that the Telecom Regulatory Authority of India (TRAI) has introduced stringent compliance requirements for access providers to make sure unsolicited commercial communications (UCC) are curbed more effectively. This new set of guidelines requires telecom companies to comply with stricter reporting standards, with financial penalties imposed on those companies that fail to accurately report UCC violations.

According to the punishment structure, the initial fine of 2 lakh rupees for a first offence is followed by a fine of 5 lakhs for the second offence and a fine of 10 lakhs for subsequent violations. There has been a move by access providers to further enhance the level of regulatory compliance by mandating that telemarketers place security deposits that will be forfeited if any violation of telemarketing regulations occurs. A telecom operator may also be required by law to enter into legally binding agreements with telemarketers and commercial enterprises, which will explicitly define and specify their compliance obligations, as well as enumerating the repercussions of non-compliance.

This means that reducing spam levels will be a major benefit for businesses while ensuring that they can communicate through authorized, transparent, and compliant channels, leading to a significant reduction in spam levels. TRAI aims to increase the consumer safety and security of the telecommunications ecosystem by enforcing these stringent requirements while simultaneously balancing regulatory oversight with legitimate business needs to engage with customers by the means approved by TRAI.

Ransomware Tactics Evolve as Hackers Shift Focus to Data Theft



 

Ransomwares

Cyber Security cyber threat Data Hackers Data Theft Huntress SMB Report Ransomware threats Ransomwares

Ransomware Tactics Evolve as Hackers Shift Focus to Data Theft

Ransomware groups are adapting their strategies to outsmart stronger cybersecurity defenses and increasing law enforcement pressure, according to the Huntress 2025 Cyber Threat Report. The findings reveal that attackers are moving beyond traditional encryption-based ransomware, instead focusing on data theft and extortion to bypass modern protections.

In 2024, 75% of ransomware cases Huntress investigated involved remote access Trojans (RATs), allowing hackers to infiltrate systems discreetly. Additionally, 17.3% of incidents featured the misuse of legitimate remote management tools such as ConnectWise ScreenConnect, TeamViewer, and LogMeIn. This shift reflects a growing reliance on “living off the land” techniques, where attackers use trusted administrative tools to avoid detection.

A significant trend noted in the report is that sophisticated tactics once reserved for targeting large enterprises are now common across businesses of all sizes. Huntress observed that cybercriminals are increasingly disabling or tampering with security software to maintain access and avoid detection, effectively closing the gap between attacks on major corporations and smaller organizations.

Huntress’ analysis of over 3 million endpoints also revealed that nearly 24% of ransomware incidents in 2024 involved infostealer malware, while malicious scripts designed to automate attacks and evade security tools appeared in 22% of cases. Greg Linares, principal threat intelligence analyst at Huntress, states that ransomware groups must constantly evolve to survive in the competitive cybercrime landscape.

“If malware isn’t staying ahead of detection techniques, it becomes obsolete fast,” Linares explained. Another key insight from the report was the speed of modern ransomware campaigns. On average, the time from initial access to the delivery of a ransom demand — known as time-to-ransom (TTR) — was just 17 hours. Some groups, including Play, Akira, and Dharma/Crysis, were even faster, with TTRs averaging around six hours.

Interestingly, Huntress noted a clear shift in ransomware tactics: rather than encrypting data, many attackers now opt to exfiltrate sensitive information and threaten to leak it unless a ransom is paid. This change is seen as a direct response to stronger ransomware defenses and increased law enforcement efforts, which led to the takedown of major groups like Lockbit.

However, this shift presents new challenges for companies. While endpoint detection and ransomware protections have improved, the report points out that data loss prevention (DLP) measures remain underdeveloped. Linares noted that DLP solutions are often overlooked, especially in organizations with remote work and bring-your-own-device (BYOD) policies. These environments, he said, often lack the comprehensive monitoring and control needed to prevent data exfiltration.

To stay ahead of these evolving threats, Huntress recommends that businesses not only strengthen their ransomware defenses but also implement more robust DLP strategies to protect sensitive data. As ransomware gangs continue to adapt, companies must be proactive in addressing both encryption and data theft risks.

Urgent Patch Needed for SonicWall Firewall Exploit Enabling VPN Hijacking



 

VPN

Bishop Fox cyber threat Cyberattacks Cybersecurity firewall exploits Hijacking SonicWall VPN

Urgent Patch Needed for SonicWall Firewall Exploit Enabling VPN Hijacking

Bishop Fox cybersecurity researchers have discovered a critical security flaw in approximately 4,500 SonicWall firewalls that are exposed to the Internet as a result of a critical security breach. The flaw, CVE-2024-53704, is a high-severity authentication bypass vulnerability within SonicOS SSLVPN. Threat actors could exploit this flaw to gain unauthorized access to your VPN sessions, compromising the privacy of your sensitive data and the security of your network.

SonicWall has issued a patch to address this issue, but unpatched systems remain at immediate risk. Due to this discovery, it is imperative that organizations relying on SonicWall firewalls immediately update those firewalls to mitigate the threat of cyberattacks leveraging this exploit and mitigate the amount of damage they will incur.

In its security bulletin dated January 7, 2025, SonicWall issued a warning about the high likelihood of an exploit resulting from a recently identified authentication bypass vulnerability within its SonicOS SSLVPN application that has been released to alert customers. There was a strong recommendation the company sent out to administrators to upgrade their SonicOS firewall firmware immediately so that they could mitigate the risk of unauthorized access and potentially dangerous cyberattacks.

The SonicWall security company sent an email notification to all its customers about this critical vulnerability. In the email warning, SonicWall reiterated that the vulnerability poses an immediate threat to organizations that have SSL VPNs or SSH management enabled in their systems. This vendor stressed the importance of immediately updating firmware to protect networks and prevent malicious actors from exploiting them.

In the latest research, SonicWall's SonicOS SSLVPN application was discovered to have an authentication bypass vulnerability, which has been rated at high risk with a CVSS score of 8.2. In this particular case, the problem affects several versions of SonicOS, specifically versions 7.1.x (all versions up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035, which are widely utilized across both Generation 6 and Generation 7 SonicWall firewalls.

Bishop Fox's cybersecurity team performed a thorough analysis of the vulnerability and successfully demonstrated exploitation scenarios to demonstrate the possibility of unauthenticated, remote attackers bypassing security mechanisms and hijacking active VPN sessions if they can bypass authentication mechanisms. To exploit this vulnerability, a specially crafted session cookie is sent to the SSL VPN endpoint's endpoint (/cgi-bin/sslvpnclient) that contains a base64-encoded string of null bytes.

The misuse of this method can allow threat actors to gain access to authenticated VPN sessions without requiring valid credentials from the users, which poses a significant risk to organizations that use SonicWall firewall products as part of their security measures. The Cyber Security Research Lab has determined that as of February 7, 2025, approximately 4,500 SonicWall SSL VPN servers that connect to the internet remain unpatched and are vulnerable to exploitation by hackers.

Initially, SonicWall published a security advisory on January 7, 2025, urging organizations to immediately update their firewall firmware to mitigate the risks associated with this high-severity vulnerability that allows authentication bypass. Several SonicOS firewall applications, which are affected by this flaw, have had firmware patches issued to address the problem. These include SonicOS 6.5.5.1-6n or later for Gen 6 firewalls, SonicOS 7.1.3-7015 or later for Gen 7 firewalls, and SonicOS 8.0.0-8037 or later for TZ80 firewalls, which have all been updated with these firmware patches.

To mitigate the risks associated with these updates, organizations unable to implement these updates are strongly recommended to temporarily disable SSL VPN access or to restrict it only to trusted IP addresses. Despite the simplicity of the exploit, the risk it poses to corporate networks is significant; this is because it opens the door for widespread abuse from threat actors seeking to gain access to corporate networks to espionage, data exfiltration, or ransomware attacks.

As soon as an adversary is inside a compromised environment, they will be able to escalate privileges, perform lateral movements, and further infiltrate critical systems. To combat these threats, administrators must immediately implement several key security measures that can help prevent these threats from happening.

Too achieve this, all affected devices need to be updated with the latest firmware, SSL VPN and SSH management access should be restricted to trusted IP ranges, firewall logs should be monitored for anomalies, such as repeat session terminations or unauthorized login attempts, and multi-factor authentication (MFA) should be implemented on all devices.

MFA, while ineffective in combating this specific exploit, remains a critical security measure that can be used against other types of cyberattacks as well. Since the risks associated with active exploitation are high, organizations should prioritize the security of their SonicWall firewalls to prevent unauthorized access to their networks, possible data breaches, and long-term network compromises.

Ransomware Gangs Targeting CEOs with Stolen Data



 

Ransomware Gangs

Corporate Cyber Security cyber threat data security Ransomware Ransomware Gangs

Ransomware Gangs Targeting CEOs with Stolen Data

Ransomware gangs are now employing a terrifying tactic—using stolen data to coerce and threaten CEOs.

Understanding Ransomware Attacks

Ransomware is a type of malicious software that encrypts the victim's data, rendering it inaccessible until a ransom is paid. Over the years, ransomware tactics have evolved, becoming more sophisticated and damaging. Originally, ransomware attacks were more indiscriminate, targeting individuals and organizations alike. However, cybercriminals have become more strategic, now focusing on high-value targets.

The Rise of CEO Extortion

Ransomware gangs have discovered that targeting CEOs can yield higher returns. By threatening to release sensitive data, they put immense pressure on CEOs to comply with their demands. This method of extortion not only threatens the individual's reputation but also jeopardizes the entire organization's security and financial stability.

Why They Rarely Get Caught

Anonymity: Cybercriminals use encryption and the dark web to hide their identities, making it challenging for law enforcement agencies to trace them.

Jurisdictional Challenges: Ransomware attacks are often transnational, complicating legal processes. Different countries have varying laws and levels of cooperation with international authorities.

Sophisticated Techniques: These criminals are adept at covering their tracks, using advanced encryption, and frequently changing their digital footprints to evade detection.

Resource Limitations: Law enforcement agencies often lack the resources and specialized knowledge required to effectively tackle these sophisticated cybercrimes.

The consequences of a ransomware attack can be devastating. For CEOs, the personal and professional stakes are incredibly high. They face potential damage to their reputation, legal ramifications, and significant financial loss. For the organization, it can result in operational disruption, loss of sensitive data, and a breach of trust with customers and stakeholders.

Combating the Threat

Regularly update software, use advanced firewalls, and employ comprehensive security solutions to protect against ransomware attacks.
Conduct regular cybersecurity training for employees to recognize phishing attempts and other common tactics used by cybercriminals.
Ensure that all critical data is backed up regularly and stored securely. This can help recover data without paying the ransom.
Have a well-defined plan in place for responding to ransomware attacks, including steps to isolate affected systems and communicate with stakeholders.
Report ransomware incidents to law enforcement agencies to help track and apprehend cybercriminals.

Ransomware Attack on the Washington Times Leads to a Dark Web Data Auction



 

Ransomware attack

CMIT Cyber Crime cyber threat CyberCrime Cybersecurity Dark Web Data Ransomware attack

Ransomware Attack on the Washington Times Leads to a Dark Web Data Auction

In a countdown clock that showed that the auction would begin in seven days, the Rhysida cartel promoted an online auction that promised to sell Washington Times' unique data. The auction was set to start within seven days of the date of the notice. As a result of observing an unidentified criminal group deploying a new utility designed to terminate endpoint detection and response (EDR) tools, it appears that it is part of an attempt by the group to attack an organization with ransomware, RansomHub.

As a result of this news, many security professionals began to express concern because RansomHub is used in many prominent hacks, including those against Change Healthcare, Frontier Communications, and Christie's auction house. The hacker group who attacked Columbus last week dumped over three terabytes of stolen data, including files belonging to employees, on the dark web early Thursday morning after their efforts to auction off the data failed to attract or satisfy buyers.

A few hours after a lengthy auction ended on the dark web, the Rhysida ransomware group started leaking the data after it had disappeared from the encryption site, according to Ohio State assistant professor Carter Yagemann, CMIT Solutions' Daniel Maldet, and other cybersecurity experts who have observed the onion site. As much as the hackers claimed that they had 6.5 terabytes of data at their disposal, only a portion of that data has been uploaded online, including databases that are backed up for dozens of city employees, and SQL backup files for entire databases that contain personal information.

Since the files are so large, it is difficult to make out what exactly has been contained in them due to the size of the files. It is what NBC4 found, however, that Rhysida's leak not only included a list of employees' names from a company database but also a list of contractors and former employees who left the company in 2021, making it clear that the leak did not just cover current employees.

In a bid to sell off the massive amount of data it allegedly stole as a result of a city ransomware attack, a group claiming to have carried out the hack claims responsibility for several bank accounts being hacked by the thieves. According to the hacking gang Rhysida, who originally hacked into the City of Columbus servers to steal sensitive information, they have managed to steal 6.5 terabytes' worth of data. It was reported by multiple cybersecurity watchdogs, including Dark Web Intelligence and Ransom Look, that Rhysida is offering a service which can only be accessed using the specialized internet browser Tor, which has become synonymous with the dark web.

The fine details about this treasure trove of compromised data have emerged after Columbus Mayor Andrew Ginther announced some of the city's online services had been shut down due to a ransomware attack that occurred on July 18. It is fair to say that the mayor has given credit to the city's IT department for cutting off access before any data from the city was encrypted by the hackers. However, he added that they are investigating how much of the data was stolen.

In addition to not naming Rhysida or any other suspected hacking group on Monday, Corbett said the attack had been carried out by an "established and sophisticated threat actor working from overseas." It is stated on the group's website that the price for the data is 5 bitcoins, which are currently worth $295,198.50 at the time of this writing. This group does not specify what the data supposedly consists of in the post, but a screenshot that is attached to the post appears to show many scans of official documents, including an identification card and a Texas driver's license.

Previously, cybersecurity analyst Dominic Alvier told a story on the Daily Dot that based on the screenshot, it didn't appear that the hackers had accessed any critical information other than your personal information, which could be linked to someone in your organization. The Daily Dot contacted Rhysida for information regarding the alleged breach but has not received a response to the inquiry. In addition, it remains unclear if there have been any negotiations between the hacking group and the outlet itself. As of Wednesday afternoon, the Washington Times had not made any public statements regarding the alleged cyberattack that targeted its systems.

Despite attempts to seek clarification, the publication did not respond to an email inquiry from the Daily Dot at the time of their report. The incident drew attention to the Rhysida ransomware group, which has been recognized by U.S. government advisories as a significant cyber threat. Rhysida operates under a subscription-based model known as Ransomware as a Service (RaaS), where it leases its ransomware tools to cybercriminals. This model has facilitated attacks across various sectors, including education, healthcare, manufacturing, information technology, and government, since Rhysida's emergence in May 2023.

Earlier this month, Rhysida gained widespread attention after successfully hacking a law enforcement agency in a Florida county. The group threatened to expose sensitive data, including scanned driver’s licenses and fingerprints, highlighting the severity of the breach. Cybersecurity experts have noted that while the identities of those behind Rhysida remain unknown, the group's operational patterns are reminiscent of cybercriminals based in Russia, Belarus, and Kazakhstan.

Rafe Pilling, Director of Threat Research at Secureworks, has emphasized that Rhysida exhibits behaviours common to criminal organizations in these regions. Since its inception, the Rhysida group has claimed responsibility for 114 cyberattacks, a fact evidenced by the list of victims published on its dark web blog. This list underscores the group's approach of targeting "targets of opportunity," as it has infiltrated multiple sectors, including education, healthcare, manufacturing, and local government entities.

An updated profile by the U.S. Defense Department in November 2023 corroborates these findings. Rhysida's operations are further characterized by their use of double extortion tactics. In this approach, even after victims have paid the initial ransom to receive a decryption key, the group threatens to leak the stolen data unless a second payment is made. This strategy adds another layer of pressure on the victims, exacerbating the impact of the attacks. This year, Rhysida took responsibility for breaches at the British Library, the world’s largest repository of historical knowledge, and the Anne & Robert H. Lurie Children’s Hospital in Chicago.

These incidents further demonstrate the group’s willingness to target prestigious and vulnerable institutions. The growing list of Rhysida’s victims serves as a stark reminder of the pervasive and escalating nature of ransomware threats in today’s digital landscape. The recent incident involving The Washington Times is yet another example of the significant damage cyberattacks can inflict, particularly when they target well-known organizations.

The audacity of Rhysida’s operations underscores the critical need for organizations to prioritize robust cyber defence mechanisms. Protecting sensitive data has become increasingly important as cyber threats continue to evolve and grow more sophisticated. Security analysts consistently recommend the adoption of strong data protection policies to effectively combat ransomware. As The Washington Times and other organizations navigate these complex threats, they must remain acutely aware of the high stakes involved, not only in their operations but also in their readership and the broader media environment.

In summary, the ongoing activities of the Rhysida group illustrate the serious challenges posed by ransomware in the current cybersecurity climate. Each incident involving Rhysida offers invaluable lessons for organizations striving to develop effective strategies to counter and prevent future attacks.

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

Report Abuse

About Me

Showing result(s) for

Popular Posts

Pages

Identity Theft Concerns Rise as USPS Flags Suspicious Package Deliveries

Cybercrime in 2025: AI-Powered Attacks, Identity Exploits, and the Rise of Nation-State Threats

U.S. Soldier Who Hacked AT&T and Verizon Sought to Sell Stolen Data to Foreign Intelligence, Prosecutors Say

TRAI Enforces Stricter Regulations to Combat Telemarketing Spam Calls

Ransomware Tactics Evolve as Hackers Shift Focus to Data Theft

Urgent Patch Needed for SonicWall Firewall Exploit Enabling VPN Hijacking

Ransomware Gangs Targeting CEOs with Stolen Data

Understanding Ransomware Attacks

The Rise of CEO Extortion

Why They Rarely Get Caught

Combating the Threat

Ransomware Attack on the Washington Times Leads to a Dark Web Data Auction

Footer About

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

About Me

Showing result(s) for

Popular Posts

Pages

Menu Item

Understanding Ransomware Attacks

The Rise of CEO Extortion

Why They Rarely Get Caught

Combating the Threat