Category: Cyber News

The intrusion happened sometime between November 5 and November 11, 2024, when attackers gained unauthorized access to the group’s network and copied files containing patients’ data. Once they detected unusual activity, they launched a full investigation. That process took many months. The detailed review was completed by August 29, 2025, and the breach was publicly reported on September 24, 2025.

Scale

During the investigation they confirmed that both Protected Health Information (PHI) and Personally Identifiable Information (PII) had been compromised. Exposed data includes names, addresses, dates of birth, Social Security numbers, medical records, insurance and billing details, treatment data, and even financial account numbers. Because finance data was part of the leak, affected people face real risk of identity theft or fraud.

In response, the company alerted law enforcement and regulatory bodies, began notifying the individuals whose data was exposed, and said it is reviewing internal security practices and looking into additional cybersecurity tools. They also advised that all impacted individuals monitor their financial statements, medical explanation of benefits, and credit reports for signs of trouble.

My Take:

I think this breach emphasizes a truth: even organizations in critical and highly regulated sectors like healthcare are still failing to keep up with data security. If you ask me, I feel like breaches like this could be prevented with stronger network monitoring and consistent patch management, but too often, security becomes an afterthought until it’s too late.

Zero-day vulnerabilities in Cisco firewalls enable unauthenticated remote code execution and Denial-of-Service attacks. CISA mandates these devices be patched immediately and urges organizations to follow heightened monitoring and mitigation procedures until updates are active.

Details of the Vulnerabilities

The vulnerabilities exist in the firewall management plane and packet-processing modules. In some cases, crafted packets can bypass authentication altogether. Attackers could leverage malformed network traffic to trigger buffer overflows, memory corruption, or logic errors—leading to RCE or DoS against firewall systems. These flaws pose particular risk to perimeter defenses that directly face the internet.

Risk & Urgency

Because these are zero-day vulnerabilities—with publicly known proof-of-concept code or active exploitation—attackers may be able to compromise firewalls before patches are applied. Since firewalls guard critical infrastructure, successful exploits can lead to broad network compromise, traffic interception, or lateral movement.

CISA has added these issues to its Known Exploited Vulnerabilities catalog, putting organizations on notice to treat them as high priority.

Mitigation & Recommended Actions

1. Patch immediately — install Cisco’s security updates for ASA and FTD software as soon as they’re available.
2. Temporarily limit exposure — block management interfaces from untrusted networks and restrict access to trusted IPs.
3. Use access control lists (ACLs) — restrict incoming traffic to firewall control interfaces.
4. Enable logging and alerts — monitor for suspicious connections, anomalous traffic patterns, or unexpected firmware behavior.
5. Employ segmentation — isolate firewall management components where possible and reduce their attack surface.
6. Coordinate with vendors — track Cisco’s advisory, confirm patch applicability to your variants, and validate configuration integrity.

Main Takeaways

• Attackers are misusing Oracle’s internal job scheduling capability to hide payload execution, making their actions look like routine DB tasks.
• By running malicious tasks via the Scheduler, they can survive restarts and stay under the radar of many security controls.
• Defense recommendations include auditing scheduled jobs regularly, restricting who can create new jobs, and enabling alerting when unusual jobs are added.

The Oracle DB Scheduler is a component that allows administrators to schedule jobs (such as PL/SQL scripts or shell commands) to run at defined intervals or triggers. Threat actors with sufficient database privileges are leveraging this component to:

• Insert malicious or unauthorized jobs that execute commands or scripts.
• Operate under the guise of maintenance or backup jobs, blending into typical database activity.
• Ensure persistence even across database restarts or maintenance windows.

Because many monitoring tools look at external services or suspicious processes, a malicious job operating internally within Oracle can slip past detection.

Attack vectors & mechanics

• The attacker must first gain elevated privileges within the Oracle environment (e.g. DBA role or access to scheduler privileges).
• Using the DBMS_SCHEDULER API or SQL packages, they create or modify jobs that invoke shell commands or scripts.
• These jobs can execute on a schedule or in response to specific events/triggers.
• The commands run under the context of the database user, which may have access to file systems or other services.
• Because the job definitions are stored within the Oracle database, they’re harder to spot via OS-level monitoring tools.

Risks & impacts

• Persistence: Even after system reboots or routine cleanups, the scheduled jobs can re-run malicious code.
• Stealth: Activity appears as a legitimate database operation rather than an external attacker process.
• Privilege escalation / lateral movement: Malware or commands launched via these jobs can attempt privilege escalation, data exfiltration, or further infrastructure compromises.

Mitigation & defense strategies

• Audit scheduler jobs: Regularly review all jobs in the Oracle database and compare them against known baselines.
• Restrict scheduler permissions: Limit who can create, alter, or drop jobs via DBMS_SCHEDULER to a small set of trusted admins.
• Alert on anomalies: Trigger alerts if new or modified jobs are created, especially those invoking external scripts or shell commands.
• Harden database access: Enforce least privilege, role separation, and monitor for suspicious privilege assignments.
• Use forensic logging: Enable audit logs for scheduler activity and track job execution history.
• Isolate sensitive environments: Where possible, separate mission-critical DB servers from environments where attacker access is more probable.

Main Takeaways

• The flaw is due to incorrect permissions on configuration directories and files, allowing privileged users to tamper with rules, logging, or settings.
• The vulnerability’s CVSS 3.1 base score is 2.3, reflecting a low-severity rating—because it requires local privileged access.
• IBM has released UP13 IF02 to fix the permissions issue; administrators should also limit who holds local admin rights and monitor the QRadar config folder.

This vulnerability stems from a CWE-732: Incorrect Permission Assignment for Critical Resource. In the affected QRadar versions, configuration files under /opt/qradar/conf and associated folders are writable by privileged users beyond the intended service account.

With local privileged access (e.g. a sysadmin or support engineer), an attacker—or a misbehaving insider—can alter logging rules, disable detection mechanisms, or otherwise manipulate QRadar’s behavior. These changes could persist until manually discovered and reversed and might skew audit trails or hide malicious activity.

Risk & Impact

• Who’s vulnerable: QRadar SIEM installations running 7.5 through 7.5.0 UP13 IF01.
• What is possible: Unauthorized modifications to configuration files, disabling detection or logging rules, or otherwise undermining the system’s integrity.
• Exploit prerequisites: The attacker must already have privileged local access. Remote exploitation is not in scope.
• Severity rating: CVSS 3.1 score of 2.3 (low) — the limited impact is due to the required level of access.

Mitigations & Recommendations

• Patch: Upgrade to QRadar 7.5.0 UP13 IF02, which corrects the permissions so only the QRadar service account can write the configuration files.
• Restrict admin privileges: Only allow trusted personnel to hold local administrator or system-level access on QRadar hosts.
• Monitor config folder: Set up alerts to detect changes in /opt/qradar/conf (or equivalent paths) and review file modifications regularly.
• Harden host security: Use file integrity monitoring, limit shell access, and enforce separation of duties to reduce the chance a privileged account is misused.
• Audit user roles: Regularly review who holds local privilege, especially on security monitoring systems, and ensure least privilege principles.

Main Takeaways

• Threat actors are using Amazon SES accounts (often via compromised/abused credentials or misconfigured tenant accounts) to send high-volume phishing and credential-harvesting emails.
• The campaign can push 50k+ malicious emails per day, increasing reach while blending into legitimate bulk-mail traffic.
• Attack messages are high-quality, personalized, and frequently use dynamic landing pages or reply-forward chains that evade common filters.

What happened (high level)

Attackers leveraged Amazon SES — a trusted mail-sending service — to distribute large-scale phishing messages. Because SES is a legitimate infrastructure used by many organizations, emails routed through it can bypass reputation-based blocks and achieve higher inbox placement. The campaign’s combination of volume, personalization, and valid sending infrastructure makes it especially effective for credential theft and fraud.

How the campaign works

• Account abuse & access: Adversaries are obtaining SES sending ability via stolen AWS credentials, abused trial/tenant setups, or by compromising third-party vendors that have SES configured. Once they control an SES identity, they can send from verified domains or subdomains that look legitimate.
• High-volume, trusted senders: Using SES’s scalability, the attackers can deliver tens of thousands of messages per day without the typical spammer infrastructure fingerprints. This raises the delivery rate and reduces bounce/blacklist signals.
• Sophisticated lures: Emails use tailored templates, dynamic content, and short-lived landing pages (or disposable hosting) for credential harvesting. Some messages use reply chains or invoice/receipt formats to trick recipients into interacting.
• Filter evasion: Because messages originate from a reputable mail service and often pass DKIM/SPF checks when attackers control the sending identity, many automated filters and basic heuristics are less effective.

Impact & scale

Researchers observed that the operation can exceed 50,000 malicious emails per day, allowing attackers to massively scale credential-harvesting campaigns and payment-fraud schemes. The use of legitimate cloud email infrastructure complicates takedown and detection efforts.

Detection & mitigation

• Monitor SES usage: Alert on unusual SES activity (spikes in send volume, new verified identities, new sending regions, or unexpected DKIM/SPF changes). Require multi-factor authentication and restrict IAM permissions for sending.
• Harden cloud credentials: Enforce least privilege for AWS/IAM roles, rotate keys, enable MFA for console access, and use AWS CloudTrail and AWS Config to detect anomalies.
• Inspect content & URLs: Use URL reputation and runtime detonation for landing pages; flag short-lived domains and newly minted TLS certs used in credential harvesters.
• Improve recipient defenses: Train users to verify unexpected requests, enable strong anti-phishing controls (BIMI, DMARC with quarantine/enforce where possible), and deploy advanced mail-scanning that looks beyond SPF/DKIM to behavioral indicators.
• Coordinate takedown: If you identify abusive SES identities or hosting, report to AWS abuse with detailed logs (headers, sending identity, timestamps) to speed remediation.

Final note

This campaign underscores a growing trend: attackers prefer abusing trusted cloud platforms to improve delivery and evade traditional defenses. Defenders should shift from solely relying on sender reputation to combining infrastructure monitoring, cloud security hygiene, and content-aware detection.

Main Takeaways

• Researchers found hundreds of suspicious domains (many using “fifa”, “worldcup”, or host-city names) that mimic legitimate services to trick fans into visiting and transacting. Cyber Security News
• The malicious sites can deliver staged JavaScript that fetches in-memory payloads, avoids disk artifacts, and injects code into legitimate processes. Cyber Security News
• Campaigns rely on aged or low-friction domains across major registrars and cheap TLDs (.online, .shop) to gain credibility and resist takedown.

What researchers observed

Hundreds of domains registered with names referencing FIFA, World Cup, and host cities, with a registration surge in August 2025. Threat actors intentionally register domains well in advance (up to 18 months) so the sites look established when fan interest peaks.

These fraudulent pages are crafted to lure visitors into interacting with content (ticket lookups, schedule pages, streaming links). Once a visitor lands on an infected page, obfuscated JavaScript performs environment checks and, if conditions match, pulls a second-stage payload from a dynamically computed CDN hostname. The loader then unpacks encrypted modules in memory and injects them into legitimate processes (for example, svchost.exe), minimizing forensic traces.

Why this matters

By exploiting fan interest and high transaction volumes, attackers can scale credential-harvesting and financial fraud. Using aged domains and polymorphic loaders makes detection, attribution, and takedown harder — a problem that will grow as the tournament approaches and related domains proliferate.

Recommended actions

• Proactively monitor and blacklist suspicious domains and newly created domains that contain tournament-related keywords.
• Harden web filtering and block known low-reputation TLDs where appropriate (.online, .shop) and enforce allowlists for corporate ticketing or streaming vendors.
• Inspect web pages for injected JavaScript and deploy runtime protection that detects in-memory unpacking and reflective injection.
• Educate users to buy tickets only from official FIFA channels or trusted vendors and verify URLs before entering payment or personal information.

How it infects and stays resident

The campaign relies on social engineering and sideloading (users manually installing the APK) rather than exploiting software flaws. After installation the app registers background services and an Accessibility Service in its manifest—this grants powerful capabilities such as keystroke and in-app data interception. The malware runs continuous health checks and automatically restarts its services so it survives reboots and force-stops.

What the spyware can do

When active, operators can:

• Harvest call logs, SMS, and contact lists.
• Track device geolocation.
• Stream microphone audio, capture camera video, and take screen snapshots.
• Access stored images and execute arbitrary shell commands.
• Use the Accessibility API to block removal attempts by overlaying fake system dialogs or disabling uninstall options.

The malware’s configuration is flexible: it can use up to fifteen hosting providers and shifts between active C2 servers to resist takedowns. Domain registrar actions have disabled some infrastructure, but the campaign remains resilient.

Detection & mitigation

Dr.Web’s Android product detects and removes known variants of this backdoor. However, because the attacks are customized and highly targeted, organizations—especially those with high-value personnel—should exercise extra caution:

• Avoid installing APKs from untrusted sources or links received over private messaging.
• Disable sideloading on corporate devices where possible.
• Turn off Accessibility permissions for apps that do not explicitly need them.
• Monitor for unusual permission requests, rapid background services, or repeated C2 connections.
• Use reputable mobile-security solutions and keep threat intelligence feeds updated.

Highlights of the Week

• Microsoft released its August “Patch Tuesday” on August 12, fixing over 90 security flaws. Among these were multiple zero-day vulnerabilities in Windows and Office suites that could permit remote code execution.
• Cisco issued emergency advisories for vulnerabilities in IOS and NX-OS, some of which could allow denial-of-service attacks on networking infrastructure. The company also flagged growing supply chain threats, especially after a breach attempt targeting telecom firms using compromised Cisco equipment.
• Fortinet pushed updates to its FortiGate firewalls to address critical buffer overflow issues—mitigating potential ransomware risks.
• Noteworthy attacks this week included a major DDoS assault on European financial institutions, likely state-sponsored, which disrupted services across the region.
• New ransomware variants, such as LockBit, exploited unpatched systems, particularly in health care.
• Security experts issued warnings about AI-assisted attacks, urging organizations to double down on patching, threat intelligence, and proactive defense.

Cyber Attacks

• ClickFix Trick Exploits Windows
  Threat actors are using a technique dubbed “ClickFix,” luring users via phishing or fake error alerts to run malicious PowerShell commands. This can drop malware like Havoc, which maintains persistence and exfiltrates data through cloud services. Organizations should scrutinize PowerShell logs and educate users to avoid suspicious prompts.
• DarkBit Hits VMware ESXi Hosts
• The DarkBit group is targeting VMware ESXi servers with custom ransomware that encrypts VM disk files using AES-128-CBC and RSA-2048. Some decryptors were later released, but victims are urged to patch systems and monitor abnormal encryption activity.
• Attack on Canada’s House of Commons
• On August 9, attackers leveraged a Microsoft vulnerability to infiltrate Canada’s House of Commons infrastructure, exfiltrating employee names, roles, and email addresses. The Canadian Centre for Cyber Security is investigating; attribution has not been confirmed.
• New FireWood Backdoor Targets Linux
• A variant of FireWood, associated with the Gelsemium APT, is attacking Linux servers via web shells, enabling command execution and data theft. Administrators should scan for web shell artifacts and reinforce shell access controls.
• PhantomCard Android Malware Uses NFC for Theft
• PhantomCard, a Brazilian cybercrime tool, abuses NFC to steal card information in real time. Delivered through fake security apps, it masquerades as a payment terminal. Users should only install verified apps and disable NFC when idle.
• Phishing via Microsoft Teams Remote Control
• Malicious actors are exploiting Teams’ remote-control feature during meetings, tricking victims into granting system access. To counter this, organizations should disable remote control or verify access requests thoroughly.
• Gmail Phishing Evades Filters
• A sophisticated Gmail phishing campaign now bypasses defenses by spoofing Google alerts, passing DKIM checks, and hosting credential-harvesting pages on sites.google.com. Recipients receive fake subpoenas or security notices. Users should inspect sender details and avoid clicking on unsolicited links.

Vulnerabilities Disclosed

• Ivanti Connect Secure / Policy Secure / ZTA
  Four issues were patched, including two high-severity buffer overflow vulnerabilities (CVE-2025-5456, CVE-2025-5462). Other fixes addressed XML external entity injection and symbolic link mishandling. Cloud users benefit from auto-updates; on-premises users must patch manually.

• SAP August Security Release
  SAP addressed 15 vulnerabilities—three were critical code injection flaws (CVEs 2025-42957, 2025-42950, 2025-27429) in S/4HANA and Landscape Transformation. Other issues included authorization bypass, XSS, and path traversal in NetWeaver and Business One. Update priorities should target high-risk enterprise systems first.

• Microsoft August Patch – 107 Fixes
  Microsoft’s update fixes 107 vulnerabilities, including 36 remote-code execution flaws (10 critical) across components like Windows Graphics, Office, Excel, and Hyper-V. Elevation-of-privilege issues (40 total) also feature prominently, along with spoofing, denial-of-service, and information disclosure flaws. No zero-days were disclosed this cycle, but quick patching is highly recommended.

• FortiSIEM OS Command-Injection (CVE-2025-25256)
  A serious flaw in Fortinet’s FortiSIEM permits remote command execution without authentication. Affected versions include 5.4–7.3. Proof-of-concept exploits are already circulating. Users are advised to upgrade or restrict port 7900 access immediately.

• Rooted Android Full Control Vulnerability
  A newly revealed vulnerability affects rooted Android devices, potentially giving attackers full control and exposing data. Devices globally could be at risk. Users should reassess rooting and bolster defenses.

• Cisco Secure Client / Secure Firewall DLL Hijacking
  In versions up to 5.1.7.80, a local attacker with authentication may hijack DLLs via weak IPC validation, executing arbitrary code with SYSTEM privileges. The fix is available starting with version 5.1.8.1.

• Snort 3 Detection Weakness
  Vulnerabilities in Snort 3 may allow attackers to elude detection and escalate privileges. Patches targeting relevant Linux kernels and toolsets are essential.

• Elastic EDR Zero Day
  A zero-day in Elastic EDR bypasses endpoint defenses, enabling malware execution and leading to system crashes (BSOD). The flaw was disclosed August 17, 2025—urgent updates are required for protection.

How the Attack works

1. Deception: Users navigating to a compromised website (often impersonating popular trading platforms) are presented with a fake CAPTCHA or “human verification” page that mimics a legitimate Cloudflare security check.
2. OS-Specific Attack: The attacker customizes the instructions based on the victim’s operating system:

• Windows users receive innocuous (harmless) PowerShell instructions.
• macOS users are instructed to open Terminal, paste a seemingly benign, base64-encoded command, and press Enter.

3. Payload Execution: When the macOS command is run, it decodes and executes a script that fetches a highly obfuscated AppleScript payload from a remote server.
4. Data Theft and Exfiltration: The AppleScript performs the core data harvesting activities:

• It prompts the user for their password to escalate privileges.
• It scans the Desktop, Documents, and Library folders for sensitive files (e.g., .pdf, .docx, Keychain databases, and Safari artifacts).
• It enumerates and copies saved credentials, cookies, form history, and encrypted files from major browsers, including MetaMask and Exodus crypto wallet files.
• The collected data is archived into a .zip file and exfiltrated to the attacker’s command-and-control server.

5. Evasion: By relying on the victim to manually execute a one-line Terminal command rather than dropping a traditional malware binary, the “ClickFix” method effectively bypasses signature-based antivirus solutions.

This campaign, linked to the “Odyssey stealer,” underscores the need for users to be highly skeptical of any website instructing them to copy and paste code into their operating system’s command line.

Details of the Vulnerability

• Flaw: The vulnerability exploits Cursor’s Model Context Protocol (MCP) auto-start feature, which automatically executes new entries added to the ~/.cursor/mcp.json configuration file.
• Attack Vector: When a developer connects Cursor to external services (like Slack or GitHub) via an MCP server and then uses the AI agent to process untrusted external data (such as summarizing messages), a sophisticated prompt injection attack can occur.
• Execution: The malicious prompt tricks the AI agent into directly modifying the mcp.json file. Crucially, Cursor IDE writes these suggested edits to the disk and the MCP auto-start feature executes the embedded command immediately, achieving RCE before the user can review or reject the AI’s suggestion.
• Impact: Successful exploitation grants attackers developer-level privileges, enabling potential data theft, ransomware deployment, or complete system compromise.

Mitigation

The vulnerability affects all Cursor IDE versions prior to 1.3. Developers are strongly advised to:

1. Update Immediately to Cursor IDE version 1.3 or later, which contains the fix.
2. Review MCP Configurations to minimize exposure to untrusted external data sources.

This incident highlights a growing security challenge for AI development tools that integrate local systems with external, untrusted content sources.