US Cyber Agency Issues Emergency Directive Amid Major Hacking Campaign Targeting Cisco

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive asking federal agencies to take immediate action to identify and mitigate system vulnerabilities to protect their devices from a major hacking campaign, the agency said in a Sept. 25 statement.

“This widespread campaign poses a significant risk to victims’ networks by exploiting zero-day vulnerabilities that persist through reboots and system upgrades,” CISA said.

Zero-day vulnerabilities are security flaws in computer hardware, firmware, or software that are unknown to the vendor, or still unpatched, at the time attackers begin exploiting them. They are called “zero-day” because the vendor has had zero days to fix the flaw: no patch exists yet, so attackers can exploit it immediately and defenders have nothing to apply.

According to the directive, Cisco has assessed that the hacking campaign is linked to the threat actor ArcaneDoor.

A May 2024 post by computer and network security company Censys said an investigation of IPs controlled by ArcaneDoor suggested “the potential involvement of an actor based in China, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software.”

Four out of five IP hosts analyzed by Censys were found to be in China, with some linked to Chinese conglomerate Tencent and Chinese telecom company ChinaNet.

“Networks like Tencent and ChinaNet have extensive reach and resources, so they would make sense as an infrastructure choice for a sophisticated global operation like this one,” Censys said in its post.

In a Sept. 25 statement, Cisco said it had been engaged by multiple government agencies in May to provide support to an investigation into attacks targeting the company’s ASA devices.

The company said it has “high confidence” that the hacking activity was related to ArcaneDoor.

“Cisco assesses with high confidence that upgrading to a fixed software release will break the threat actor’s attack chain and strongly recommends that all customers upgrade to fixed software releases,” the company said.

Keep reading

John Bolton’s personal email account was hacked by foreign entity, FBI docs reveal

Former National Security Adviser John Bolton allegedly used a private email account that was at one point hacked by a “foreign entity,” an FBI search warrant affidavit released Friday revealed. 

The 41-page document –  used by federal investigators to justify the raid of Bolton’s Maryland home last month – suggests the hacking incident gave the FBI reason to believe the former Trump administration official mishandled classified records. 

The Post previously reported that Bolton allegedly used his personal email account to send “highly sensitive” documents to his family while working in the White House.

“Hack of Bolton AOL Account by Foreign Entity,” reads a section of the affidavit, where investigators explained the probable cause for the searches. 

The roughly 10 pages detailing the hacking incident are completely redacted. It’s unclear which foreign nation may have been responsible. 

Keep reading

U.S. places $11 million bounty on Ukrainian ransomware mastermind — Tymoshchuk allegedly stole $18 billion from large companies over 3 years

The United States has placed an $11 million bounty on Volodymyr Tymoshchuk, a Ukrainian man wanted for his involvement in a string of ransomware cybercrimes. Tymoshchuk faces serious federal charges for his part in reportedly masterminding the theft of a combined $18 billion over a three-year period.

Tymoshchuk is accused of being the kingpin behind the MegaCortex, LockerGoga, and Nefilim attacks, a string of attacks that were active from Dec. 2018 to Oct. 2021. The MegaCortex attack, which we covered in 2019, changes the Windows passwords and encrypts the files of a host computer, threatening to make sensitive files public if the ransom went unpaid.

“Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms,” said U.S. Attorney Joseph Nocella Jr. in a statement from the Justice Department. One of the highest-profile attacks linked to Tymoshchuk and LockerGoga was the one on Norsk Hydro, a renewable energy company based in Norway. The attack on Norsk Hydro caused a reported $81 million in damages, as all of its 170 sites were affected to some degree.

Nocella continued, “For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. Today’s charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous.”

Tymoshchuk is alleged to have run the LockerGoga and MegaCortex operations from July 2019 to June 2020, at which point the two ransomware families went largely dark. From then on, Tymoshchuk is accused of having helped to engineer and administer the Nefilim ransomware strain, selling access to it to affiliates in exchange for 20% of the ransom collected from each successful attack.

An unsealed indictment, archived by The Register, lists a number of unnamed victim companies from across the United States and Europe. Tymoshchuk is on the hook for seven total charges relating to intentional damage to a private computer and threatening to disclose private information. If found guilty Tymoshchuk faces a maximum sentence of life in prison.

Keep reading

Malware found hidden in image files, can dodge antivirus detection entirely — VirusTotal discovers undetected SVG phishing campaign

Scalable vector graphics (.svg) files are lightweight, XML-based images that render at any resolution. They’re usually harmless, but they can also contain active code, and hackers appear to be relying on them more often as a means to stealthily deliver malware.

A new report from VirusTotal shows just how far that tactic has evolved, unearthing a campaign that used weaponized SVGs to drop malware, spoof a government agency, and dodge antivirus detection entirely.

44 previously undetected phishing SVGs

In its report published September 4, the Google-owned scanning platform said its Code Insight system had flagged an SVG file masquerading as a legal notification from Colombia’s judicial system.

When opened, the file rendered a realistic-looking web portal in-browser, complete with a fake progress bar and download button. That button then delivered a malicious ZIP archive containing a legitimately signed Comodo Dragon browser executable alongside a malicious .dll file; running the .exe sideloads the DLL, which then installs more malware on the system.

The attack relied on a known but often overlooked feature: SVGs can embed HTML (via foreignObject) and JavaScript (via script elements and event-handler attributes such as onload). This means they can behave like mini web pages, or, as in this case, full phishing kits, even when attached to an email or hosted on cloud storage. VirusTotal’s retrospective scan tied 523 SVG files to the same campaign, with 44 completely undetected by any antivirus engine at the time of submission.
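The check a practitioner would want at a mail gateway or in a triage script is a structural one: flag any SVG that carries script elements, foreignObject (embedded HTML), event-handler attributes, javascript:/data: links, or a suspiciously long base64 blob. The scanner below is an added example written for this page, not VirusTotal’s Code Insight or any code from the campaign; the two SVG samples are constructed for illustration and are not the Colombian judicial lure.

```python
import re
import xml.etree.ElementTree as ET

# Elements that turn an "image" into executable or HTML content.
ACTIVE_TAGS = {"script", "foreignobject"}
# Long base64 runs usually carry an embedded payload or a second-stage page.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing active was found.

    xml.etree is not hardened against entity-expansion tricks, so on untrusted
    input in production parse with defusedxml instead (same API).
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Malformed XML is itself a signal: browsers are lenient, scanners are not.
        return [f"unparseable XML ({exc})"]

    for el in root.iter():
        tag = _local(el.tag)
        if tag.lower() in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            v = value.strip().lower()
            if name.startswith("on"):
                findings.append(f"{name} event handler on <{tag}>")
            elif name == "href" and v.startswith("javascript:"):
                findings.append(f"javascript: URI on <{tag}>")
            elif name == "href" and v.startswith("data:text/html"):
                findings.append(f"data:text/html URI on <{tag}>")

    if BASE64_BLOB.search(svg_text):
        findings.append("long base64 blob (possible embedded payload)")
    return findings


def is_suspicious(svg_text: str) -> bool:
    return bool(find_active_content(svg_text))


# Constructed samples (not files from the reported campaign).
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="red"/>
</svg>"""

MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <rect width="100" height="100" fill="#fff"/>
  <foreignObject width="100%" height="100%">
    <div xmlns="http://www.w3.org/1999/xhtml"><a href="javascript:go()">Descargar</a></div>
  </foreignObject>
  <script type="text/javascript">function init(){}</script>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, find_active_content(sample))
```

A hit here is not proof of malice (some design tools emit scripted SVGs), but an SVG arriving by email that needs script or foreignObject to render has no legitimate reason to, and quarantining on that rule alone would have caught the files this campaign relied on regardless of any signature.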

Keep reading

Mystery Hacker Used AI To Automate ‘Unprecedented’ Cybercrime Rampage

A hacker allegedly abused Claude, the popular chatbot built by fast-growing AI startup Anthropic, to orchestrate what the company describes as an “unprecedented” cybercrime campaign targeting nearly 20 companies, according to a report released this week.

The report, published by Anthropic and obtained by NBC News, details how the hacker manipulated Claude to pinpoint companies vulnerable to cyberattacks. Claude then generated malicious code to pilfer sensitive data and cataloged information that could be used for extortion, even drafting the threatening communications sent to the targeted firms.

NBC News reports:

The stolen data included Social Security numbers, bank details and patients’ sensitive medical information. The hacker also took files related to sensitive defense information regulated by the U.S. State Department, known as International Traffic in Arms Regulations.

It’s not clear how many of the companies paid or how much money the hacker made, but the extortion demands ranged from around $75,000 to more than $500,000, the report said.

Jacob Klein, head of threat intelligence for Anthropic, said the campaign appeared to be the work of a hacker operating outside the U.S., but did not provide any additional details about the culprit.

“We have robust safeguards and multiple layers of defense for detecting this kind of misuse, but determined actors sometimes attempt to evade our systems through sophisticated techniques,” Klein said.

Anthropic’s findings come as an increasing number of malicious actors are leveraging AI to craft fraud that is more persuasive, scalable, and elusive than ever. A SoSafe Cybercrime Trends report reveals that 87% of global organizations encountered an AI-driven cyberattack over the past year, with the threat gaining momentum.

“AI is dramatically scaling the sophistication and personalization of cyberattacks,” said Andrew Rose, Chief Security Officer at SoSafe. “While organizations seem to be aware of the threat, our data shows businesses are not confident in their ability to detect and react to these attacks.”

Artificial intelligence is not only a tool for cybercriminals – it is also broadening the vulnerabilities within organizations. As companies rush to adopt AI-driven tools, they may inadvertently expose themselves to new risks.

“Even the benevolent AI that organisations adopt for their own benefit can be abused by attackers to locate valuable information, key assets or bypass other controls,” Rose continued.

Keep reading

Victim Loses $91M in Bitcoin in Social Engineering Scam: ZachXBT

A fraudster posing as a hardware wallet support agent tricked the target into handing over wallet credentials.

What to know:

  • A victim lost 783 BTC in a social engineering scam after an attacker impersonated hardware wallet support.
  • The stolen funds were funneled through multiple deposits into Wasabi Wallet, a privacy tool used to mask transaction trails.
  • The hack came exactly one year after the $243M Genesis creditor theft, underscoring ongoing vulnerabilities in crypto security.

Blockchain sleuth ZachXBT uncovered a high-profile social engineering attack on Thursday, with the victim losing 783 BTC worth around $91.4 million.

The scam occurred on Aug. 19 and involved the attacker posing as a support agent for a hardware wallet before duping the victim into handing over wallet credentials.

The attack mirrors a string of social engineering attacks over the past year and contributes to an already woeful year in terms of hacks and scams, with crypto investors losing $3.1 billion in the first half of 2025.

Once the malicious transfer was made, the funds began their journey through a typical laundering process, with multiple deposits made into Wasabi Wallet, a privacy tool commonly used to obfuscate the trail.

The hack occurred exactly one year after the $243 million Genesis creditor theft, a landmark event that sent ripples across the industry and led to the arrest of 12 people in California in May.

Keep reading

1.7 Mln Losses Exposed After Russian Hackers Crack Ukrainian General Staff Database

The KillNet group hacked the Ukrainian general staff’s database containing information on 1.7 million killed and missing Ukrainian servicemen.

“We can confirm, of course,” a KillNet representative told Sputnik when asked if they indeed have proof of such losses.

The hackers also shared a number of photos of deceased Ukrainian soldiers, their passports and military IDs, death certificates, and tags.

Keep reading

Vulnerabilities exposed: Israeli company reveals how users can hack ChatGPT accounts remotely

Israeli cybersecurity company Zenity revealed what it defines as the first-ever “Zero Click” vulnerability in OpenAI’s ChatGPT service, showing how one could take control of a ChatGPT account and extract sensitive information without the user clicking a link, opening a file, or performing any deliberate action.

The demonstration was conducted by Mikhail Bergori, co-founder and CTO of Zenity, during the Black Hat 2025 conference held this week in Las Vegas, in the US.

He showed how a hacker could exploit the system using only the user’s email address to gain full control over the user’s chat, including access to both past and future conversations, altering the conversation’s goals, and guiding the chat to act on behalf of the hacker.


During the talk, it was demonstrated how the compromised ChatGPT became a malicious agent operating covertly against the user. The researchers showed how the attacker could prompt the chatbot to suggest that the user download malware, recommend bad business advice, or even access files stored on Google Drive, as long as that account was connected to the chat.

All of this could be done without the user ever realizing that something had gone wrong. The vulnerability was fully patched only after Zenity reported it to OpenAI.

Keep reading

From helpdesk to havoc: Why Clorox is suing Indian company for $380 million

In a San Francisco courtroom, the Clorox Company recently dropped a legal bombshell – a $380 million lawsuit against Indian-American information technology company Cognizant, alleging gross negligence in a 2023 cyberattack.

In the complaint dated July 22, 2025, Clorox contends a hacker simply called Cognizant’s helpdesk, lied about being an employee and was handed network credentials – no identity verification, no oversight, just a password transfer. The resulting cyberattack ended up paralyzing Clorox’s operations, costing upwards of $49 million in remediation and much more in lost business.

Offshoring ecosystem under the microscope

Cognizant, though officially headquartered in New Jersey, was founded in Chennai, India in 1994, and now employs over 250,000 people across India, providing everything from software development to helpdesk services for global corporations. Industry analysts have warned that shifting U.S. companies’ sensitive customer data offshore exposes Americans to significant privacy risks. India lacks comprehensive data privacy laws or an enforcement body like the Federal Trade Commission.

While offshoring offers cheap labor and scalability, it also creates layers of separation between U.S.-based clients and the employees handling their data. Those layers can conceal critical weaknesses.

Clorox case: A failed firewall

In Clorox’s telling, the hacker didn’t crack advanced encryption or “spear-phish” executives. He just called Cognizant on the phone and lied about who and what he was. That was enough. Cognizant agents reset the account, handed over passwords and reopened Clorox’s VPN access without a single identity check. Agents reportedly said phrases like: “Here’s the password … Welcome …”

Cognizant disputes the claim, saying its contract with Clorox, dating back to 2013, covered only helpdesk tasks, not broader cybersecurity responsibilities. Cognizant characterized Clorox’s own defenses as “inept,” calling the attack partly Clorox’s fault.

Keep reading

In search of riches, hackers plant 4G-enabled Raspberry Pi in bank network

Hackers planted a Raspberry Pi equipped with a 4G modem in the network of an unnamed bank in an attempt to siphon money out of the financial institution’s ATM system, researchers reported Wednesday.

The researchers with security firm Group-IB said the “unprecedented tactic allowed the attackers to bypass perimeter defenses entirely.” The hackers combined the physical intrusion with remote access malware that used another novel technique to conceal itself, even from sophisticated forensic tools. The technique, a Linux bind mount, is an ordinary system administration feature but had not previously been seen used by threat actors. It let the malware hide much as a rootkit does, concealing its presence from the operating system’s own process and file listings.
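The reason a bind mount defeats ordinary forensics is that tools such as ps and top simply walk /proc; if an empty directory is bind-mounted over /proc/<pid>, the process’s entry vanishes from every tool that reads it, while the process keeps running. The mount itself, however, still appears in /proc/self/mountinfo. The parser below is an added example written for this page, not Group-IB’s tooling, and it assumes the usual form of the trick (mounting over a /proc/<pid> directory); the mountinfo lines are constructed for illustration rather than taken from the incident.

```python
import re
from dataclasses import dataclass


@dataclass
class MountEntry:
    mount_id: int
    parent_id: int
    root: str         # path inside the source filesystem that is mounted
    mount_point: str  # where it appears in this mount namespace
    fstype: str
    source: str


def _unescape(field: str) -> str:
    # mountinfo encodes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> list[MountEntry]:
    """Parse the /proc/<pid>/mountinfo format (see proc(5))."""
    entries: list[MountEntry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Optional fields (shared:N, master:N, ...) are variable-length and end
        # at the lone "-" separator, so split there first.
        pre, sep, post = line.partition(" - ")
        if not sep:
            continue
        pf = pre.split()
        pp = post.split()
        entries.append(MountEntry(
            mount_id=int(pf[0]), parent_id=int(pf[1]),
            root=_unescape(pf[3]), mount_point=_unescape(pf[4]),
            fstype=pp[0], source=_unescape(pp[1]),
        ))
    return entries


# /proc itself plus what a stock system normally mounts beneath it.
PROC_MOUNT_ALLOWLIST = {"/proc", "/proc/sys/fs/binfmt_misc"}
PID_DIR = re.compile(r"^/proc/\d+(/|$)")


def find_proc_overlays(entries: list[MountEntry]) -> list[MountEntry]:
    """Mounts covering a /proc/<pid> directory: the process-hiding bind-mount pattern."""
    return [e for e in entries if PID_DIR.match(e.mount_point)]


def find_unexpected_proc_mounts(entries: list[MountEntry]) -> list[MountEntry]:
    """Broader sweep: anything under /proc/ that is not on the allowlist."""
    return [e for e in entries
            if e.mount_point.startswith("/proc/") and e.mount_point not in PROC_MOUNT_ALLOWLIST]


# Constructed sample: three normal entries and one directory bind-mounted over PID 4242.
SAMPLE_MOUNTINFO = """\
30 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
24 30 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw
40 24 0:37 / /proc/sys/fs/binfmt_misc rw,relatime shared:25 - autofs systemd-1 rw,fd=29,pgrp=1
120 24 8:1 /var/tmp/.x /proc/4242 rw,relatime shared:1 - ext4 /dev/sda1 rw
"""

if __name__ == "__main__":
    # On a live Linux host, read the real table instead of the sample.
    with open("/proc/self/mountinfo") as fh:
        for e in find_proc_overlays(parse_mountinfo(fh.read())):
            print(f"/proc overlay: {e.mount_point} <- {e.source}:{e.root} ({e.fstype})")
```

Two caveats for incident responders: read mountinfo from a mount namespace the attacker does not control (for example via nsenter from the host, or from a forensic image), since malware with root can equally hide mounts from a compromised shell; and cross-check by probing PIDs directly (kill -0 or stat on /proc/<pid> for PIDs absent from the listing), which still works for a process whose directory has been covered.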

End goal: Backdooring the ATM switching network

The Raspberry Pi was connected to the same network switch used by the bank’s ATM system, a position that effectively put it inside the bank’s internal network. The goal was to compromise the ATM switching server and use that control to manipulate the bank’s hardware security module, a tamper-resistant physical device that stores cryptographic keys and performs encryption, decryption and signing operations on behalf of the systems that depend on it.

The group behind the attack is tracked in the industry under the name UNC2891. The financially motivated threat group has been active since at least 2017 in targeting bank infrastructure. It has earned a well-deserved reputation for proficiency in its use of custom malware in attacks targeting Linux, Unix, and Oracle Solaris systems.

In 2022, Google’s Mandiant division said it had observed UNC2891 spending years inside a targeted network, during which time the intrusion went largely unnoticed. Mandiant researchers went on to identify CakeTap, a custom rootkit for Solaris systems. Among other things, CakeTap manipulated messages passing through an infected ATM switching network, most likely for use in unauthorized cash withdrawals using fraudulent bank cards. Mandiant documented two other custom pieces of malware, which the company named SlapStick and TinyShell.

Group-IB’s report on Wednesday shows that UNC2891 is still active and finding new and advanced ways to burrow into bank networks without detection.

“One of the most unusual elements of this case was the attacker’s use of physical access to install a Raspberry Pi device,” Group-IB Senior Digital Forensics and Incident Response Specialist Nam Le Phuong wrote. “This device was connected directly to the same network switch as the ATM, effectively placing it inside the bank’s internal network. The Raspberry Pi was equipped with a 4G modem, allowing remote access over mobile data.”

To maintain persistence, UNC2891 also compromised a mail server because it had constant Internet connectivity. The Raspberry Pi and the mail server backdoor would then communicate by using the bank’s monitoring server as an intermediary. The monitoring server was chosen because it had access to almost every server within the data center.

Keep reading