The Breach News

Ukrainian Network FDN3 Conducts Widespread Brute-Force Attacks on SSL VPN and RDP Devices

Date: Sep 02, 2025
Category: Cyber Attack / Botnet

Cybersecurity experts have identified a Ukrainian IP network engaging in extensive brute-force and password spraying campaigns against SSL VPN and RDP devices between June and July 2025. The operations are traced back to the Ukraine-based autonomous system FDN3 (AS211736), according to French cybersecurity firm Intrinsec. “We have high confidence that FDN3 is part of a larger malicious infrastructure that includes two other Ukrainian networks, VAIZ-AS (AS61432) and ERISHENNYA-ASN (AS210950), as well as a Seychelles-based system, TK-NET (AS210848),” the report stated. “All of these were allocated in August 2021 and frequently exchange IPv4 prefixes to bypass blocklisting and sustain their abusive operations.” AS61432 currently announces a single prefix, 185.156.72[.]0/24, while AS210950 has two prefixes: 45.143.201[.]0/24 and 185.193.89[.]0/24. These autonomous systems were allocated in May…

Apple Issues Critical 0-Day Patch for Mac, iPhone, and iPad

On July 27, 2021, Apple released a crucial security update for iOS, iPadOS, and macOS to fix a zero-day vulnerability that may have already been exploited. This marks the thirteenth such vulnerability Apple has addressed this year. The update, which follows the recent launch of iOS 14.7, iPadOS 14.7, and macOS Big Sur 11.5, resolves a memory corruption issue (CVE-2021-30807) in the IOMobileFrameBuffer, a kernel extension responsible for managing the screen framebuffer. This flaw could allow malicious actors to execute arbitrary code with kernel privileges. Apple stated that it has improved memory handling to mitigate this risk and acknowledged reports of potential exploitation. As is standard, specific details about the vulnerability have not been released to prevent further attacks. An anonymous researcher is credited with discovering and reporting the issue.

Chinese Hacker Group ‘Comment Crew’ Remains Active and Operates Stealthily

June 27, 2013

Security experts assert that the Chinese hacker group known as Comment Crew is still active and operating covertly. Rumors within the intelligence community suggest, “The Comment Crew is back again,” with researchers suspecting their involvement in the recent cyber tensions between the U.S. and China.

Looking back, in February the security firm Mandiant published a significant report detailing an extensive computer espionage campaign it called APT1. Mandiant linked APT1, which compromised 141 organizations over seven years, to a Chinese military unit known as “61398.” Notably, the firm identified a consistent pattern in the group’s attacks and established key indicators for recognizing ongoing advanced persistent threat (APT) activity.

Mandiant has monitored the group for years, and it is not the only firm to do so: FireEye has also provided valuable insights into the group’s operations.

Researchers Raise Alarm Over MystRodX Backdoor Utilizing DNS and ICMP Triggers for Covert Control

Sep 02, 2025 – Cyber Espionage / Network Security

Cybersecurity experts have revealed a new stealthy backdoor named MystRodX, designed to capture sensitive information from compromised systems. According to a report from QiAnXin XLab, “MystRodX is a typical backdoor developed in C++, featuring capabilities such as file management, port forwarding, reverse shell, and socket management.” The report highlights that MystRodX distinguishes itself from standard backdoors through its exceptional stealth and versatility. Also referred to as ChronosRAT, this malware was initially documented by Palo Alto Networks Unit 42 last month, linked to a threat activity cluster named CL-STA-0969, which shows connections to a China-based cyber espionage group called Liminal Panda. Its stealthy nature is enhanced by multiple layers of encryption that obscure both the source code and payloads, while its flexibility allows it to dynamically activate different functionalities based on configuration settings, including the choice between TCP or HTTP for network communication.

Security Flaws Discovered in Three Widely Used Open-Source Software Solutions

On July 27, 2021, cybersecurity researchers revealed nine vulnerabilities across three popular open-source projects—EspoCRM, Pimcore, and Akaunting. These platforms are commonly utilized by small to medium businesses, and successful exploitation of these flaws could lead to more advanced cyberattacks. The identified vulnerabilities affect EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0, and Akaunting v2.1.12. Fortunately, all issues were addressed within a day of being disclosed, according to researchers Wiktor Sędkowski from Nokia and Trevor Christiansen from Rapid7. Notably, six of the nine vulnerabilities originated in the Akaunting project. EspoCRM serves as an open-source customer relationship management application, while Pimcore functions as an open-source enterprise platform for managing customer data, digital assets, content, and commerce. Akaunting provides open-source online accounting solutions.

Lazarus Group Enhances Malware Toolkit with PondRAT, ThemeForestRAT, and RemotePE

Sep 02, 2025
Malware / Threat Intelligence

The North Korea-linked threat actor Lazarus Group has been tied to a social engineering campaign that distributes three new cross-platform malware variants: PondRAT, ThemeForestRAT, and RemotePE. The attack, observed by NCC Group’s Fox-IT in 2024, specifically targeted an organization in the decentralized finance (DeFi) sector and resulted in the compromise of an employee’s system.

“As the actor accessed the internal network, they utilized various RATs along with other tools to collect credentials and establish proxy connections,” noted Yun Zheng Hu and Mick Koomen. “Subsequently, the attacker transitioned to a more stealthy RAT, indicating a potential progression in their attack strategy.”

The attack began with the threat actor impersonating a current employee of a trading firm via Telegram and using counterfeit websites resembling Calendly and Picktime to arrange a meeting with the target. Although the initial steps were…

Microsoft Alerts Users to New Unresolved Windows Print Spooler RCE Vulnerability

August 12, 2021

Following the release of its Patch Tuesday updates, Microsoft has revealed yet another remote code execution (RCE) vulnerability in the Windows Print Spooler component. The company is actively working on a fix for this issue, scheduled for an upcoming security update. Identified as CVE-2021-36958 (CVSS score: 7.3), this unaddressed vulnerability adds to the ongoing list of issues collectively referred to as PrintNightmare, which have affected the printing service in recent months. Victor Mata from FusionX, Accenture Security, credited with reporting the flaw, noted that the issue was disclosed to Microsoft back in December 2020. “A remote code execution vulnerability occurs when the Windows Print Spooler service improperly handles privileged file operations,” the company stated in its out-of-band bulletin, while reiterating the details of CVE-2021-34481. “An attacker who successfully exploits this vulnerability could execute arbitrary code with system-level privileges…
