The Breach News

Google Reports APT41’s Exploitation of Open Source GC2 Tool to Target Media and Job Websites

April 17, 2023
Cyber Threat / Cloud Security

A Chinese nation-state group has reportedly targeted an unnamed Taiwanese media outlet using an open-source red teaming tool called Google Command and Control (GC2). This activity is part of a larger trend of utilizing Google’s infrastructure for malicious purposes. Google’s Threat Analysis Group (TAG) attributes the operation to a threat actor known as HOODOO, also identified as APT41, Barium, Bronze Atlas, Wicked Panda, and Winnti. The attack begins with a phishing email that includes links to a password-protected file on Google Drive. This file contains the Go-based GC2 tool, which retrieves commands from Google Sheets and exfiltrates data via the cloud storage service. “Once installed on the victim’s machine, the malware queries Google Sheets for attacker commands,” stated Google’s cloud division in its latest Threat Horizons Report.

APT41 Exploits Open Source Tool to Target Taiwanese Media Outlets In a recently uncovered cyber operation, Google’s Threat Analysis Group (TAG) reported that a Chinese state-sponsored threat actor known as APT41 has aimed its sights on a Taiwanese media organization. This campaign involved the use of a red teaming tool…

Read More

Google Reports APT41’s Exploitation of Open Source GC2 Tool to Target Media and Job Websites

April 17, 2023
Cyber Threat / Cloud Security

A Chinese nation-state group has reportedly targeted an unnamed Taiwanese media outlet using an open-source red teaming tool called Google Command and Control (GC2). This activity is part of a larger trend of utilizing Google’s infrastructure for malicious purposes. Google’s Threat Analysis Group (TAG) attributes the operation to a threat actor known as HOODOO, also identified as APT41, Barium, Bronze Atlas, Wicked Panda, and Winnti. The attack begins with a phishing email that includes links to a password-protected file on Google Drive. This file contains the Go-based GC2 tool, which retrieves commands from Google Sheets and exfiltrates data via the cloud storage service. “Once installed on the victim’s machine, the malware queries Google Sheets for attacker commands,” stated Google’s cloud division in its latest Threat Horizons Report.

How ACI Worldwide Intends to Tackle APP Scams Head-On

Fraud Management & Cybercrime, Fraud Risk Management, Mobile Payments Fraud ACI Worldwide’s New Signals Network Intelligence Technology Aims to Combat APP Scams Brian Pereira (creed_digital) • August 26, 2025 Image: Shutterstock Real-time payments (RTP) and other cashless transaction methods allow for instant money transfers, greatly benefiting both individuals and businesses.…

Read MoreHow ACI Worldwide Intends to Tackle APP Scams Head-On

Microsoft Enhances MSA Signing Security with Azure Confidential VMs Post-Storm-0558 Breach

Apr 22, 2025
Identity Management / Cloud Security

Microsoft announced on Monday the migration of its Microsoft Account (MSA) signing service to Azure confidential virtual machines (VMs) and is currently in the process of transitioning the Entra ID signing service. This move follows updates made about seven months ago to Microsoft Entra ID and MS for both public and U.S. government clouds, enabling the generation, storage, and automatic rotation of access token signing keys using the Azure Managed Hardware Security Module (HSM) service. “These enhancements aim to mitigate the vulnerabilities we believe were exploited in the 2023 Storm-0558 attack,” stated Charlie Bell, Executive Vice President for Microsoft Security, in a pre-publication post shared with The Hacker News. Microsoft also highlighted that 90% of identity tokens from Microsoft Entra ID for its applications are validated by a robust identity Software Development Kit (SDK), with 92% of employee…

Microsoft Enhances MSA Signing Security with Azure Confidential VMs Post Storm-0558 Breach On April 22, 2025, Microsoft announced a significant upgrade to its Microsoft Account (MSA) signing service, relocating it to Azure confidential virtual machines (VMs). This move comes as part of a broader effort to enhance security measures following…

Read More

Microsoft Enhances MSA Signing Security with Azure Confidential VMs Post-Storm-0558 Breach

Apr 22, 2025
Identity Management / Cloud Security

Microsoft announced on Monday the migration of its Microsoft Account (MSA) signing service to Azure confidential virtual machines (VMs) and is currently in the process of transitioning the Entra ID signing service. This move follows updates made about seven months ago to Microsoft Entra ID and MS for both public and U.S. government clouds, enabling the generation, storage, and automatic rotation of access token signing keys using the Azure Managed Hardware Security Module (HSM) service. “These enhancements aim to mitigate the vulnerabilities we believe were exploited in the 2023 Storm-0558 attack,” stated Charlie Bell, Executive Vice President for Microsoft Security, in a pre-publication post shared with The Hacker News. Microsoft also highlighted that 90% of identity tokens from Microsoft Entra ID for its applications are validated by a robust identity Software Development Kit (SDK), with 92% of employee…

Five Strategies for Teams to Address Recent SharePoint Attacks – SC Media

Teams Urged to Strengthen Defenses Following Recent SharePoint Attacks In recent weeks, organizations utilizing Microsoft SharePoint have experienced a series of coordinated cyber attacks that have raised significant alarm within the cybersecurity community. These incidents primarily target businesses leveraging SharePoint for document management and collaboration, making it evident that adversaries…

Read MoreFive Strategies for Teams to Address Recent SharePoint Attacks – SC Media

251 Amazon-Hosted IP Addresses Target ColdFusion, Struts, and Elasticsearch in Exploit Scanning Campaign

May 28, 2025
Network Security / Vulnerability

Cybersecurity researchers have revealed coordinated cloud-based scanning activities that targeted 75 unique “exposure points” earlier this month. Observed by GreyNoise on May 8, 2025, this activity involved up to 251 malicious IP addresses geolocated in Japan and hosted by Amazon. The threat intelligence firm reported that these IPs exhibited 75 distinct behaviors, including CVE exploits, misconfiguration probes, and reconnaissance activities. Notably, the IPs remained inactive before and after this surge, suggesting they were temporarily rented for a single operation. The scanning efforts targeted various technologies, including Adobe ColdFusion, Apache Struts, Apache Tomcat, Drupal, Elasticsearch, and Oracle WebLogic. This opportunistic operation included attempts to exploit known CVEs and probes for misconfigurations, highlighting the threat actors’ intent to identify weaknesses in web infrastructure.

Coordinated Scanning Activity Targeting ColdFusion, Struts, and Elasticsearch Uncovered May 28, 2025 | Network Security / Vulnerability Recent investigations by cybersecurity experts revealed a coordinated scanning initiative that exploited vulnerabilities across a range of platforms. On May 8, 2025, GreyNoise observed suspicious activity from approximately 251 malicious IP addresses, all…

Read More

251 Amazon-Hosted IP Addresses Target ColdFusion, Struts, and Elasticsearch in Exploit Scanning Campaign

May 28, 2025
Network Security / Vulnerability

Cybersecurity researchers have revealed coordinated cloud-based scanning activities that targeted 75 unique “exposure points” earlier this month. Observed by GreyNoise on May 8, 2025, this activity involved up to 251 malicious IP addresses geolocated in Japan and hosted by Amazon. The threat intelligence firm reported that these IPs exhibited 75 distinct behaviors, including CVE exploits, misconfiguration probes, and reconnaissance activities. Notably, the IPs remained inactive before and after this surge, suggesting they were temporarily rented for a single operation. The scanning efforts targeted various technologies, including Adobe ColdFusion, Apache Struts, Apache Tomcat, Drupal, Elasticsearch, and Oracle WebLogic. This opportunistic operation included attempts to exploit known CVEs and probes for misconfigurations, highlighting the threat actors’ intent to identify weaknesses in web infrastructure.

New QBot Banking Trojan Campaign Exploits Business Emails to Distribute Malware

April 17, 2023
Financial Security / Malware

Recent findings by Kaspersky reveal a fresh QBot malware campaign that uses compromised business correspondence to deceive victims into installing the malicious software. This ongoing operation, which began on April 4, 2023, is primarily targeting users in Germany, Argentina, Italy, Algeria, Spain, the U.S., Russia, France, the U.K., and Morocco.

QBot, also known as Qakbot or Pinkslipbot, has been active since at least 2007. It not only steals passwords and cookies from web browsers but also acts as a backdoor for delivering next-stage payloads like Cobalt Strike or ransomware. Distributed through phishing campaigns, QBot has undergone continuous updates to incorporate techniques that evade detection, such as anti-VM, anti-debugging, and anti-sandbox measures. Notably, it emerged as the most prevalent malware in March 2023, according to Check Point. In its early distribution, it relied on infected websites and other methods.

New QBot Banking Trojan Campaign Exploits Business Emails to Distribute Malware April 17, 2023 Financial Security / Malware Recent research from Kaspersky has unveiled a new initiative utilizing the QBot banking Trojan to compromise business email communications as a method to disseminate malware. This latest campaign began on April 4,…

Read More

New QBot Banking Trojan Campaign Exploits Business Emails to Distribute Malware

April 17, 2023
Financial Security / Malware

Recent findings by Kaspersky reveal a fresh QBot malware campaign that uses compromised business correspondence to deceive victims into installing the malicious software. This ongoing operation, which began on April 4, 2023, is primarily targeting users in Germany, Argentina, Italy, Algeria, Spain, the U.S., Russia, France, the U.K., and Morocco.

QBot, also known as Qakbot or Pinkslipbot, has been active since at least 2007. It not only steals passwords and cookies from web browsers but also acts as a backdoor for delivering next-stage payloads like Cobalt Strike or ransomware. Distributed through phishing campaigns, QBot has undergone continuous updates to incorporate techniques that evade detection, such as anti-VM, anti-debugging, and anti-sandbox measures. Notably, it emerged as the most prevalent malware in March 2023, according to Check Point. In its early distribution, it relied on infected websites and other methods.

Major Supply Chain Compromise: Backdoor Found in Ripple’s xrpl.js npm Package Targeting Private Keys

April 23, 2025
Blockchain / Cryptocurrency

The JavaScript library xrpl.js, associated with Ripple cryptocurrency, has been compromised in a supply chain attack by unidentified threat actors, aimed at stealing users’ private keys. This vulnerability impacts several versions of the package: 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2. Versions 4.2.5 and 2.14.3 have since addressed the issue. xrpl.js serves as a widely-used API for interacting with the XRP Ledger blockchain, developed by Ripple Labs since 2012, and has garnered over 2.9 million downloads along with more than 135,000 weekly downloads. “The official xrpl (Ripple) NPM package was compromised by sophisticated attackers who embedded a backdoor specifically designed to steal cryptocurrency private keys and access wallets,” stated Charlie Eriksen of Aikido Security. The malicious code modifications are believed to have been introduced by a…

Ripple’s xrpl.js npm Package Compromised in Significant Supply Chain Attack April 23, 2025 Blockchain / Cryptocurrency In a concerning development within the cryptocurrency sector, the npm JavaScript library for Ripple, known as xrpl.js, has fallen victim to unknown adversaries in a software supply chain attack aimed at capturing users’ private…

Read More

Major Supply Chain Compromise: Backdoor Found in Ripple’s xrpl.js npm Package Targeting Private Keys

April 23, 2025
Blockchain / Cryptocurrency

The JavaScript library xrpl.js, associated with Ripple cryptocurrency, has been compromised in a supply chain attack by unidentified threat actors, aimed at stealing users’ private keys. This vulnerability impacts several versions of the package: 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2. Versions 4.2.5 and 2.14.3 have since addressed the issue. xrpl.js serves as a widely-used API for interacting with the XRP Ledger blockchain, developed by Ripple Labs since 2012, and has garnered over 2.9 million downloads along with more than 135,000 weekly downloads. “The official xrpl (Ripple) NPM package was compromised by sophisticated attackers who embedded a backdoor specifically designed to steal cryptocurrency private keys and access wallets,” stated Charlie Eriksen of Aikido Security. The malicious code modifications are believed to have been introduced by a…

How NHIs Provide Value in Data Security – Security Boulevard

Value Delivery in Data Security by NHIs In a rapidly evolving digital landscape, healthcare organizations are increasingly turning to Network Health Information Exchanges (NHIs) to bolster their data security frameworks. Recent discussions have highlighted the critical role NHIs play in enhancing data security, particularly as cyber threats grow more sophisticated.…

Read MoreHow NHIs Provide Value in Data Security – Security Boulevard