The Breach News

Microsoft Enhances MSA Signing Security with Azure Confidential VMs Post-Storm-0558 Breach

Apr 22, 2025
Identity Management / Cloud Security

Microsoft announced on Monday the migration of its Microsoft Account (MSA) signing service to Azure confidential virtual machines (VMs) and is currently in the process of transitioning the Entra ID signing service. This move follows updates made about seven months ago to Microsoft Entra ID and MS for both public and U.S. government clouds, enabling the generation, storage, and automatic rotation of access token signing keys using the Azure Managed Hardware Security Module (HSM) service. “These enhancements aim to mitigate the vulnerabilities we believe were exploited in the 2023 Storm-0558 attack,” stated Charlie Bell, Executive Vice President for Microsoft Security, in a pre-publication post shared with The Hacker News. Microsoft also highlighted that 90% of identity tokens from Microsoft Entra ID for its applications are validated by a robust identity Software Development Kit (SDK), with 92% of employee…

Microsoft Enhances MSA Signing Security with Azure Confidential VMs Post Storm-0558 Breach On April 22, 2025, Microsoft announced a significant upgrade to its Microsoft Account (MSA) signing service, relocating it to Azure confidential virtual machines (VMs). This move comes as part of a broader effort to enhance security measures following…

Read More

Microsoft Enhances MSA Signing Security with Azure Confidential VMs Post-Storm-0558 Breach

Apr 22, 2025
Identity Management / Cloud Security

Microsoft announced on Monday the migration of its Microsoft Account (MSA) signing service to Azure confidential virtual machines (VMs) and is currently in the process of transitioning the Entra ID signing service. This move follows updates made about seven months ago to Microsoft Entra ID and MS for both public and U.S. government clouds, enabling the generation, storage, and automatic rotation of access token signing keys using the Azure Managed Hardware Security Module (HSM) service. “These enhancements aim to mitigate the vulnerabilities we believe were exploited in the 2023 Storm-0558 attack,” stated Charlie Bell, Executive Vice President for Microsoft Security, in a pre-publication post shared with The Hacker News. Microsoft also highlighted that 90% of identity tokens from Microsoft Entra ID for its applications are validated by a robust identity Software Development Kit (SDK), with 92% of employee…

Five Strategies for Teams to Address Recent SharePoint Attacks – SC Media

Teams Urged to Strengthen Defenses Following Recent SharePoint Attacks In recent weeks, organizations utilizing Microsoft SharePoint have experienced a series of coordinated cyber attacks that have raised significant alarm within the cybersecurity community. These incidents primarily target businesses leveraging SharePoint for document management and collaboration, making it evident that adversaries…

Read MoreFive Strategies for Teams to Address Recent SharePoint Attacks – SC Media

251 Amazon-Hosted IP Addresses Target ColdFusion, Struts, and Elasticsearch in Exploit Scanning Campaign

May 28, 2025
Network Security / Vulnerability

Cybersecurity researchers have revealed coordinated cloud-based scanning activities that targeted 75 unique “exposure points” earlier this month. Observed by GreyNoise on May 8, 2025, this activity involved up to 251 malicious IP addresses geolocated in Japan and hosted by Amazon. The threat intelligence firm reported that these IPs exhibited 75 distinct behaviors, including CVE exploits, misconfiguration probes, and reconnaissance activities. Notably, the IPs remained inactive before and after this surge, suggesting they were temporarily rented for a single operation. The scanning efforts targeted various technologies, including Adobe ColdFusion, Apache Struts, Apache Tomcat, Drupal, Elasticsearch, and Oracle WebLogic. This opportunistic operation included attempts to exploit known CVEs and probes for misconfigurations, highlighting the threat actors’ intent to identify weaknesses in web infrastructure.

Coordinated Scanning Activity Targeting ColdFusion, Struts, and Elasticsearch Uncovered May 28, 2025 | Network Security / Vulnerability Recent investigations by cybersecurity experts revealed a coordinated scanning initiative that exploited vulnerabilities across a range of platforms. On May 8, 2025, GreyNoise observed suspicious activity from approximately 251 malicious IP addresses, all…

Read More

251 Amazon-Hosted IP Addresses Target ColdFusion, Struts, and Elasticsearch in Exploit Scanning Campaign

May 28, 2025
Network Security / Vulnerability

Cybersecurity researchers have revealed coordinated cloud-based scanning activities that targeted 75 unique “exposure points” earlier this month. Observed by GreyNoise on May 8, 2025, this activity involved up to 251 malicious IP addresses geolocated in Japan and hosted by Amazon. The threat intelligence firm reported that these IPs exhibited 75 distinct behaviors, including CVE exploits, misconfiguration probes, and reconnaissance activities. Notably, the IPs remained inactive before and after this surge, suggesting they were temporarily rented for a single operation. The scanning efforts targeted various technologies, including Adobe ColdFusion, Apache Struts, Apache Tomcat, Drupal, Elasticsearch, and Oracle WebLogic. This opportunistic operation included attempts to exploit known CVEs and probes for misconfigurations, highlighting the threat actors’ intent to identify weaknesses in web infrastructure.

New QBot Banking Trojan Campaign Exploits Business Emails to Distribute Malware

April 17, 2023
Financial Security / Malware

Recent findings by Kaspersky reveal a fresh QBot malware campaign that uses compromised business correspondence to deceive victims into installing the malicious software. This ongoing operation, which began on April 4, 2023, is primarily targeting users in Germany, Argentina, Italy, Algeria, Spain, the U.S., Russia, France, the U.K., and Morocco.

QBot, also known as Qakbot or Pinkslipbot, has been active since at least 2007. It not only steals passwords and cookies from web browsers but also acts as a backdoor for delivering next-stage payloads like Cobalt Strike or ransomware. Distributed through phishing campaigns, QBot has undergone continuous updates to incorporate techniques that evade detection, such as anti-VM, anti-debugging, and anti-sandbox measures. Notably, it emerged as the most prevalent malware in March 2023, according to Check Point. In its early distribution, it relied on infected websites and other methods.

New QBot Banking Trojan Campaign Exploits Business Emails to Distribute Malware April 17, 2023 Financial Security / Malware Recent research from Kaspersky has unveiled a new initiative utilizing the QBot banking Trojan to compromise business email communications as a method to disseminate malware. This latest campaign began on April 4,…

Read More

New QBot Banking Trojan Campaign Exploits Business Emails to Distribute Malware

April 17, 2023
Financial Security / Malware

Recent findings by Kaspersky reveal a fresh QBot malware campaign that uses compromised business correspondence to deceive victims into installing the malicious software. This ongoing operation, which began on April 4, 2023, is primarily targeting users in Germany, Argentina, Italy, Algeria, Spain, the U.S., Russia, France, the U.K., and Morocco.

QBot, also known as Qakbot or Pinkslipbot, has been active since at least 2007. It not only steals passwords and cookies from web browsers but also acts as a backdoor for delivering next-stage payloads like Cobalt Strike or ransomware. Distributed through phishing campaigns, QBot has undergone continuous updates to incorporate techniques that evade detection, such as anti-VM, anti-debugging, and anti-sandbox measures. Notably, it emerged as the most prevalent malware in March 2023, according to Check Point. In its early distribution, it relied on infected websites and other methods.

Major Supply Chain Compromise: Backdoor Found in Ripple’s xrpl.js npm Package Targeting Private Keys

April 23, 2025
Blockchain / Cryptocurrency

The JavaScript library xrpl.js, associated with Ripple cryptocurrency, has been compromised in a supply chain attack by unidentified threat actors, aimed at stealing users’ private keys. This vulnerability impacts several versions of the package: 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2. Versions 4.2.5 and 2.14.3 have since addressed the issue. xrpl.js serves as a widely-used API for interacting with the XRP Ledger blockchain, developed by Ripple Labs since 2012, and has garnered over 2.9 million downloads along with more than 135,000 weekly downloads. “The official xrpl (Ripple) NPM package was compromised by sophisticated attackers who embedded a backdoor specifically designed to steal cryptocurrency private keys and access wallets,” stated Charlie Eriksen of Aikido Security. The malicious code modifications are believed to have been introduced by a…

Ripple’s xrpl.js npm Package Compromised in Significant Supply Chain Attack April 23, 2025 Blockchain / Cryptocurrency In a concerning development within the cryptocurrency sector, the npm JavaScript library for Ripple, known as xrpl.js, has fallen victim to unknown adversaries in a software supply chain attack aimed at capturing users’ private…

Read More

Major Supply Chain Compromise: Backdoor Found in Ripple’s xrpl.js npm Package Targeting Private Keys

April 23, 2025
Blockchain / Cryptocurrency

The JavaScript library xrpl.js, associated with Ripple cryptocurrency, has been compromised in a supply chain attack by unidentified threat actors, aimed at stealing users’ private keys. This vulnerability impacts several versions of the package: 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2. Versions 4.2.5 and 2.14.3 have since addressed the issue. xrpl.js serves as a widely-used API for interacting with the XRP Ledger blockchain, developed by Ripple Labs since 2012, and has garnered over 2.9 million downloads along with more than 135,000 weekly downloads. “The official xrpl (Ripple) NPM package was compromised by sophisticated attackers who embedded a backdoor specifically designed to steal cryptocurrency private keys and access wallets,” stated Charlie Eriksen of Aikido Security. The malicious code modifications are believed to have been introduced by a…

How NHIs Provide Value in Data Security – Security Boulevard

Value Delivery in Data Security by NHIs In a rapidly evolving digital landscape, healthcare organizations are increasingly turning to Network Health Information Exchanges (NHIs) to bolster their data security frameworks. Recent discussions have highlighted the critical role NHIs play in enhancing data security, particularly as cyber threats grow more sophisticated.…

Read MoreHow NHIs Provide Value in Data Security – Security Boulevard

Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptocurrency Miners and Proxyware

Date: May 28, 2025
Categories: Cryptojacking / Vulnerability

A financially motivated threat actor has been observed exploiting a recently disclosed remote code execution vulnerability in the Craft Content Management System (CMS). This flaw has been leveraged to deploy multiple payloads, including a cryptocurrency miner, a loader known as Mimo Loader, and residential proxyware. The vulnerability, identified as CVE-2025-32432, is a high-severity issue in Craft CMS that was patched in versions 3.9.15, 4.14.15, and 5.6.17. The security defect was first revealed in April 2025 by Orange Cyberdefense SensePost after it was linked to attacks that occurred earlier in February. According to a recent report from Sekoia, the attackers have weaponized CVE-2025-32432 to gain unauthorized access to targeted systems and deploy a web shell for persistent remote control. This web shell is utilized to download and execute a shell script (“4l4md4r.sh”) from a remote server using tools such as curl, wget, or the Python library urllib2.

Mimo Hackers Target Craft CMS Flaw to Deploy Cryptomining and Proxy Services On May 28, 2025, cybersecurity analysts reported an alarming trend in which financially motivated hackers have been exploiting a serious vulnerability in the Craft Content Management System (CMS)—designated as CVE-2025-32432. This flaw, which allows for remote code execution,…

Read More

Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptocurrency Miners and Proxyware

Date: May 28, 2025
Categories: Cryptojacking / Vulnerability

A financially motivated threat actor has been observed exploiting a recently disclosed remote code execution vulnerability in the Craft Content Management System (CMS). This flaw has been leveraged to deploy multiple payloads, including a cryptocurrency miner, a loader known as Mimo Loader, and residential proxyware. The vulnerability, identified as CVE-2025-32432, is a high-severity issue in Craft CMS that was patched in versions 3.9.15, 4.14.15, and 5.6.17. The security defect was first revealed in April 2025 by Orange Cyberdefense SensePost after it was linked to attacks that occurred earlier in February. According to a recent report from Sekoia, the attackers have weaponized CVE-2025-32432 to gain unauthorized access to targeted systems and deploy a web shell for persistent remote control. This web shell is utilized to download and execute a shell script (“4l4md4r.sh”) from a remote server using tools such as curl, wget, or the Python library urllib2.

Iranian State-Sponsored Hackers Target U.S. Energy and Transportation Infrastructure

April 19, 2023
Cyber Threat / SCADA

A subgroup of Iranian state-backed hackers, identified as Mint Sandstorm, has been implicated in a series of attacks against critical U.S. infrastructure from late 2021 to mid-2022. According to Microsoft’s Threat Intelligence team, this group demonstrates a high level of technical expertise, with the ability to create custom tools and rapidly exploit known vulnerabilities. Their operational focus aligns closely with Iran’s national interests, targeting seaports, energy firms, transit systems, and a major U.S. utility and gas company. These cyber activities are believed to be retaliatory, stemming from prior attacks on Iran’s maritime, railway, and gas station payment systems between May 2020 and late 2021. Iran has alleged that these earlier attacks were orchestrated by Israel and the U.S. to incite domestic unrest.

Iranian State-Sponsored Hackers Target U.S. Energy and Transportation Sectors April 19, 2023 Recent investigations have revealed a troubling pattern of cyberattacks linked to an Iranian government-backed group known as Mint Sandstorm. These attacks, which occurred intermittently from late 2021 to mid-2022, have specifically targeted critical infrastructure within the United States,…

Read More

Iranian State-Sponsored Hackers Target U.S. Energy and Transportation Infrastructure

April 19, 2023
Cyber Threat / SCADA

A subgroup of Iranian state-backed hackers, identified as Mint Sandstorm, has been implicated in a series of attacks against critical U.S. infrastructure from late 2021 to mid-2022. According to Microsoft’s Threat Intelligence team, this group demonstrates a high level of technical expertise, with the ability to create custom tools and rapidly exploit known vulnerabilities. Their operational focus aligns closely with Iran’s national interests, targeting seaports, energy firms, transit systems, and a major U.S. utility and gas company. These cyber activities are believed to be retaliatory, stemming from prior attacks on Iran’s maritime, railway, and gas station payment systems between May 2020 and late 2021. Iran has alleged that these earlier attacks were orchestrated by Israel and the U.S. to incite domestic unrest.