The Breach News

Tonto Team Exploits Anti-Malware File to Attack South Korean Institutions

April 28, 2023
Malware / Cyber Threat

Recent attacks by the China-aligned threat actor known as Tonto Team have targeted South Korean education, construction, diplomatic, and political institutions. The AhnLab Security Emergency Response Center (ASEC) reported that the group is abusing a file associated with anti-malware products to carry out its activity. Active since at least 2009, Tonto Team has a history of attacks across various sectors in Asia and Eastern Europe. Earlier in 2023, it was linked to an unsuccessful phishing attempt against the cybersecurity firm Group-IB. According to ASEC, the attack begins with a Microsoft Compiled HTML Help (.CHM) file that runs a binary which side-loads a malicious DLL (slc.dll) and deploys the ReVBShell backdoor, an open-source VBScript tool also used by another Chinese threat actor, Tick.

Emerging Cyber Attacks: Tonto Team Targets South Korean Institutions with Unusual Tactics

April 28, 2023

In a notable escalation of cyber threats, South Korean institutions across several critical sectors, namely education, construction, diplomacy, and politics, are facing fresh attacks attributed to a China-aligned threat group known as the Tonto Team. A report…

From Ladders to Lattices: Rethinking Career Advancement

Recruitment & Reskilling Strategy, Training & Security Leadership

Workers Opt for Flexible and Purpose-Driven Career Paths Over Conventional Advancement

Brandy Harris • August 20, 2025

The conventional approach to career success, characterized by upward mobility through promotions and prestigious titles, is undergoing a significant transformation. In 2025, an increasing number…

How Vulnerabilities Lead to Breaches: Analyzing 5 Real-World Examples

📅 April 28, 2025
Cloud Security / Vulnerability

Not all security vulnerabilities pose a high risk on their own, but in the hands of skilled attackers, even minor weaknesses can escalate into significant breaches. This article highlights five real vulnerabilities identified by Intruder’s bug-hunting team, illustrating how attackers exploit overlooked flaws to create serious security incidents.

  1. Compromising AWS Credentials via Redirects
    Server-Side Request Forgery (SSRF) is a prevalent vulnerability that can have severe consequences, particularly in cloud environments. If a web application retrieves resources from user-provided URLs, it is crucial to prevent attackers from steering those requests at resources the application was never meant to reach. During our evaluation of a home-moving application hosted on AWS, our team tried common SSRF bypass techniques. The attack unfolded as follows: the application sent a webhook request to the attacker's server, which responded with a 302 redirect to the AWS instance metadata service (IMDS, 169.254.169.254). The application followed the redirect and logged the response, inadvertently exposing sensitive metadata…
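The redirect trick works because the application validated (at most) the URL it was given, not the URL it ended up fetching. The following is an added example, not Intruder's code or the application from the write-up: a naive webhook client that follows redirects blindly, next to a hardened one that disables automatic redirects and validates every hop, resolving the host and rejecting any answer that is not a globally routable address. The webhook host name `webhook.attacker.example`, its address, the fake transport and resolver, and the role name returned are constructed so the chain runs offline; the IMDS address is the real one.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

MAX_HOPS = 5
REDIRECTS = {301, 302, 303, 307, 308}


def is_public_ip(addr: str) -> bool:
    """Globally routable only: rejects loopback, link-local (where
    169.254.169.254 lives), RFC 1918, ULA, reserved and multicast."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not (ip.is_multicast or ip.is_reserved)


def dns_resolve(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer (IP literals pass straight through)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def check_target(url: str, resolver: Callable[[str], List[str]]) -> str:
    """Validate one hop of the fetch; returns the address to connect to."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    addrs = resolver(parts.hostname)
    if not addrs:
        raise ValueError(f"cannot resolve {parts.hostname}")
    for a in addrs:  # every answer must be public, not just the first one
        if not is_public_ip(a):
            raise ValueError(f"{parts.hostname} -> {a} is not a public address")
    return addrs[0]


# transport(url) -> (status, headers, body); injectable so the demo runs offline
Transport = Callable[[str], Tuple[int, Dict[str, str], bytes]]


def naive_fetch(url: str, transport: Transport) -> bytes:
    """Vulnerable pattern: follows redirects without re-checking the target,
    which is what most HTTP client libraries do by default."""
    for _ in range(MAX_HOPS):
        status, headers, body = transport(url)
        if status in REDIRECTS:
            url = headers["Location"]
            continue
        return body
    raise ValueError("too many redirects")


def safe_fetch(url: str, transport: Transport,
               resolver: Callable[[str], List[str]] = dns_resolve) -> bytes:
    """Hardened: automatic redirects off, every hop validated before it is fetched."""
    for _ in range(MAX_HOPS):
        check_target(url, resolver)
        status, headers, body = transport(url)
        if status in REDIRECTS:
            url = headers["Location"]  # re-validated at the top of the next loop
            continue
        return body
    raise ValueError("too many redirects")


# Constructed simulation of the chain in the write-up. The webhook host and its
# address are hypothetical; 169.254.169.254 is the real IMDS address.
ATTACKER_HOOK = "http://webhook.attacker.example/hook"
IMDS_CREDS = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
FAKE_DNS = {"webhook.attacker.example": ["198.100.1.2"],
            "169.254.169.254": ["169.254.169.254"]}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def fake_transport(url: str) -> Tuple[int, Dict[str, str], bytes]:
    if url == ATTACKER_HOOK:
        return 302, {"Location": IMDS_CREDS}, b""
    if url == IMDS_CREDS:
        return 200, {}, b"webapp-instance-role\n"  # constructed role name
    return 404, {}, b""


def demo() -> Tuple[bytes, bool]:
    """Returns (what the naive client leaked, whether the safe client blocked it)."""
    leaked = naive_fetch(ATTACKER_HOOK, fake_transport)
    try:
        safe_fetch(ATTACKER_HOOK, fake_transport, fake_resolver)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

Two caveats for a production client: connect to the address `check_target` returned rather than letting the HTTP library resolve the name a second time (otherwise a DNS-rebinding host can pass the check and then resolve to 169.254.169.254), and on AWS require IMDSv2, whose session token must be sent in a header that a redirect-following client will not add.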

Understanding the Genesis of Breaches: Analyzing Five Real Vulnerabilities

April 28, 2025

In the realm of cybersecurity, not every vulnerability is inherently catastrophic. However, when exploited by skilled attackers, even minor weaknesses can culminate in significant breaches. Recent findings from Intruder's dedicated bug-hunting team illustrate the alarming potential of overlooked…

Higher Education Needs to Improve Its Understanding of Data Breaches

Columbia University Data Breach: A Stark Wake-Up Call for Educational Institutions

Columbia University recently announced a significant data breach that occurred in May and was uncovered in June, but the details were not made public until August 7th. Public filings reveal that this breach affected 868,969 individuals, compromising sensitive personal…

Critical 10-Year Vulnerability in Roundcube Webmail Allows Code Execution by Authenticated Users

On June 3, 2025, cybersecurity researchers disclosed a significant security flaw in the Roundcube webmail software, present in the code for a decade, that allows authenticated users to execute malicious code on vulnerable systems. Tracked as CVE-2025-49113, the vulnerability has a CVSS score of 9.9 out of 10. It is a post-authentication remote code execution bug reached through PHP object deserialization. According to the National Vulnerability Database (NVD), "Roundcube Webmail versions before 1.5.10 and 1.6.x prior to 1.6.11 allow authenticated users to execute remote code due to the lack of validation for the _from parameter in the URL in program/actions/settings/upload.php." In other words, every 1.6.x release up to and including 1.6.10 and every release before 1.5.10 is affected; the fix shipped in 1.6.11 and 1.5.10 LTS. The vulnerability was discovered and reported by Kirill Firsov, founder and CEO of FearsOff.
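Because the affected set is two version ranges rather than a single number, a quick "is this install affected?" check is worth writing down. The following is an added example, not Roundcube's or FearsOff's code: it pulls the version string out of a Roundcube install and tests it against the ranges the NVD entry names. It assumes that Roundcube defines `RCMAIL_VERSION` in `program/include/iniset.php`; the sample file excerpt is constructed.

```python
import re
from typing import Optional, Tuple

# Assumption: Roundcube records its version as RCMAIL_VERSION in
# program/include/iniset.php. This excerpt is constructed sample input.
SAMPLE_INISET = """<?php
// constructed excerpt of program/include/iniset.php
define('RCMAIL_VERSION', '1.6.10');
define('RCMAIL_START', microtime(true));
"""

VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def extract_version(iniset_source: str) -> Optional[str]:
    """Return the RCMAIL_VERSION string from iniset.php source, or None."""
    m = VERSION_RE.search(iniset_source)
    return m.group(1) if m else None


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.6.10' -> (1, 6, 10). A trailing pre-release tag such as '-rc' is dropped."""
    core = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in core.group(0).split("."))


def affected_by_cve_2025_49113(version: str) -> bool:
    """Ranges from the NVD text: before 1.5.10, and 1.6.x before 1.6.11.

    Tuple comparison handles short strings too: '1.6' < (1, 6, 11) is True,
    so a bare branch number is treated as unpatched.
    """
    v = parse_version(version)
    if v < (1, 5, 10):                     # all of 1.4 and older, 1.5.0-1.5.9
        return True
    if v[:2] == (1, 6) and v < (1, 6, 11):  # 1.6.0-1.6.10
        return True
    return False  # 1.5.10+, 1.6.11+, and branches the advisory does not list


def assess(iniset_source: str) -> Tuple[Optional[str], Optional[bool]]:
    """(version, affected) for an install; (None, None) if no version was found."""
    version = extract_version(iniset_source)
    if version is None:
        return None, None
    return version, affected_by_cve_2025_49113(version)


if __name__ == "__main__":
    print(assess(SAMPLE_INISET))
```

A version outside the two named branches (for example a future 1.7 release) returns False only because the advisory does not list it, so treat that result as "not covered by this check" rather than "safe".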

Critical Vulnerability in Roundcube Webmail Exposes Systems to Remote Code Execution

On June 3, 2025, cybersecurity researchers revealed a significant security vulnerability in the Roundcube webmail software, a flaw that has remained undetected for a decade. This vulnerability has the potential to be exploited by authenticated users, compromising affected systems…

Meta Exposes Extensive Cyber Espionage Campaigns on Social Media in South Asia

May 04, 2023
Social Media / Cyber Risk

Three distinct threat actors used a large number of elaborate fake profiles on Facebook and Instagram to conduct targeted attacks against individuals in South Asia. "These advanced persistent threats (APTs) relied heavily on social engineering tactics to deceive users into clicking malicious links, downloading malware, or sharing sensitive information online," stated Guy Rosen, Meta's chief information security officer. "This focus on social engineering reduced their need to invest heavily in malware development." The counterfeit accounts relied on familiar personas, posing as romantic interests, recruiters, journalists, or military personnel. Notably, two of the cyber espionage operations used low-sophistication malware, likely in an attempt to slip past the app verification checks of Apple and Google. Meta's findings revealed…

Meta Uncovers Extensive Cyber Espionage Campaigns Targeting South Asia

On May 4, 2023, Meta revealed the discovery of a significant cyber espionage operation involving multiple threat actors utilizing a network of fraudulent identities on Facebook and Instagram. These campaigns aimed at individuals across South Asia, deploying a variety of deceptive…

CISA Adds Critical Broadcom and Commvault Vulnerabilities to KEV Database

April 29, 2025
Vulnerability / Web Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced on Monday that two serious security vulnerabilities affecting Broadcom's Brocade Fabric OS and Commvault's Web Server have been added to its Known Exploited Vulnerabilities (KEV) catalog, following evidence of active exploitation. The vulnerabilities are:

  • CVE-2025-1976 (CVSS score: 8.6) – A code injection vulnerability in Broadcom Brocade Fabric OS that allows a local user with administrative rights to execute arbitrary code with full root privileges.
  • CVE-2025-3928 (CVSS score: 8.7) – An unspecified flaw in the Commvault Web Server that allows a remote, authenticated attacker to create and execute web shells. Commvault's advisory from February 2025 noted, "Exploiting this vulnerability requires the attacker to have authenticated user credentials within the Commvault Software environment. Unauthenticated access is not exploitable. For software customers, this means your organization must …"

CISA Integrates Broadcom and Commvault Vulnerabilities into KEV Database

On April 29, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was reported to have added two critical security flaws affecting Broadcom's Brocade Fabric OS and Commvault Web Server to its Known Exploited Vulnerabilities (KEV) catalog. This addition follows confirmed instances of active…

STC to Introduce Cybersecurity Clinic Aimed at Assisting Valley Businesses in Preventing Data Breaches

South Texas College to Launch Innovative Cybersecurity Clinic Aimed at Local Businesses

South Texas College (STC) is set to introduce a pioneering cybersecurity clinic, designed to extend its services beyond student involvement. This initiative underscores the institution's commitment to address real-world security challenges faced by local enterprises. A stark illustration…
