The Breach News

Deceptively Normal Network Traffic: Unmasking Hidden Threats

Jul 02, 2025
Network Security / Threat Detection

With nearly 80% of detected threats now imitating legitimate user activity, how can a Security Operations Center (SOC) separate authentic traffic from hostile activity, and what is left when firewalls and endpoint detection and response (EDR) miss the intrusions that matter? Verizon’s latest Data Breach Investigations Report shows edge devices and VPN gateways accounting for 22% of breaches that began with vulnerability exploitation, up from 3% the year before. EDR is increasingly strained by zero-day exploits, living-off-the-land tactics, and malware-free intrusions: CrowdStrike’s 2025 Global Threat Report found that almost 80% of detections were malware-free, meaning the activity consisted of techniques that closely resemble normal user behavior. Attackers lean on credential theft and DLL hijacking rather than dropping recognizable binaries, so detection keyed to known-bad files and signatures is no longer enough on its own. In response, SOCs are adopting a multi-layered…


Kimsuky Hackers from North Korea Face Data Breach After Insider Leaks Information Online

North Korea’s Kimsuky espionage group has itself suffered a breach: insiders have leaked hundreds of gigabytes of internal files and tooling to the public. The leak, which surfaced in early June 2025, exposes backdoors, phishing infrastructure, and reconnaissance techniques used by the state-sponsored actor, marking an unusual…


Warning: Exposed JDWP Interfaces are Being Exploited for Crypto Mining; Hpingbot Targets SSH for DDoS

July 5, 2025
Vulnerability / Botnet

Threat actors are exploiting exposed Java Debug Wire Protocol (JDWP) interfaces to gain code execution and deploy cryptocurrency miners on compromised systems. According to Wiz researchers Yaara Shriki and Gili Tikochinski, “The attacker utilized a modified version of XMRig with a hard-coded configuration, allowing them to evade detection from suspicious command-line arguments that security measures often flag.” The mining payload also routed through mining proxies, which hides the wallet address and complicates attribution. Wiz, which Google Cloud has agreed to acquire, observed the activity on its honeypot servers running TeamCity, a widely used continuous integration and delivery (CI/CD) server. JDWP is the protocol a Java debugger uses to talk to a JVM running in another process. It carries no authentication or encryption of its own, so a JDWP listener reachable over the network gives anyone who connects the ability to inspect the JVM and run arbitrary code inside it. It exists for development and should never be bound to a non-loopback address on a production host.
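
The handshake that makes an exposed JDWP port so easy to find is two-way echo of a fixed 14-byte string, which is also all a scanner needs to confirm one. The following probe is an added example written for this page, not Wiz’s tooling: it sends the handshake, reports whether the peer echoes it, and separately checks a JVM command line for a `-agentlib:jdwp` or `-Xrunjdwp` option that would listen on every interface. The loopback “stand-in” listeners are constructed so the probe can be run offline; they are not real JVMs.

```python
"""Detect an exposed Java Debug Wire Protocol (JDWP) listener.

Added illustration for this page.  A JVM started with a JDWP server option
accepts a TCP connection, expects the 14 ASCII bytes b"JDWP-Handshake", and
echoes the same 14 bytes back.  There is no authentication step, so anything
that completes the handshake will also accept debugger commands.
"""
import socket
import threading

JDWP_HANDSHAKE = b"JDWP-Handshake"


def probe_jdwp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if host:port completes the JDWP handshake."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(JDWP_HANDSHAKE)
            reply = b""
            # Read exactly 14 bytes or stop when the peer closes the socket.
            while len(reply) < len(JDWP_HANDSHAKE):
                chunk = sock.recv(len(JDWP_HANDSHAKE) - len(reply))
                if not chunk:
                    break
                reply += chunk
            return reply == JDWP_HANDSHAKE
    except OSError:  # refused, reset, timed out: not a reachable JDWP listener
        return False


def jdwp_listener_is_exposed(jvm_cmdline: str) -> bool:
    """Conservatively flag a JDWP server option that listens beyond loopback.

    Handles both spellings: -agentlib:jdwp=... and the legacy -Xrunjdwp:...
    address=*:5005, 0.0.0.0:5005 and [::]:5005 bind every interface.  A bare
    port (address=5005) is loopback-only on JDK 9+ but all-interfaces on
    JDK 8, so it is reported as exposed unless the host part is explicit.
    """
    for arg in jvm_cmdline.split():
        if arg.startswith("-agentlib:jdwp="):
            spec = arg[len("-agentlib:jdwp="):]
        elif arg.startswith("-Xrunjdwp:"):
            spec = arg[len("-Xrunjdwp:"):]
        else:
            continue
        opts = dict(kv.split("=", 1) for kv in spec.split(",") if "=" in kv)
        if opts.get("transport") != "dt_socket" or opts.get("server") != "y":
            return False  # shared-memory transport or client mode: no TCP listener
        address = opts.get("address", "")
        if ":" not in address:
            return True
        host = address.rsplit(":", 1)[0]
        return host in ("*", "0.0.0.0", "::", "[::]")
    return False


def start_stand_in(behaves_like_jvm: bool) -> int:
    """Constructed loopback listener for the demo (not a real JVM); returns its port.

    With behaves_like_jvm=True it echoes the handshake like a JDWP server;
    otherwise it answers like an unrelated service.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            data = conn.recv(64)
            if behaves_like_jvm and data == JDWP_HANDSHAKE:
                conn.sendall(JDWP_HANDSHAKE)
            else:
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo() -> dict:
    """Probe one JDWP-like and one non-JDWP stand-in on loopback."""
    return {
        "jvm_stand_in": probe_jdwp("127.0.0.1", start_stand_in(behaves_like_jvm=True)),
        "http_stand_in": probe_jdwp("127.0.0.1", start_stand_in(behaves_like_jvm=False)),
    }


if __name__ == "__main__":
    print(demo())
    print(jdwp_listener_is_exposed(
        "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar app.jar"))
```

Run the probe from outside the host’s network segment to see what an attacker sees; a positive result means the fix is to restart the JVM without the debug option or with `address=127.0.0.1:5005`, not to firewall the port as an afterthought. The command-line check is the cheaper control: wire it into a CI image scan or a process-listing audit so a debug flag never reaches production in the first place.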


Chinese Hackers Utilize CloudScout Toolset to Harvest Session Cookies from Cloud Services

Oct 28, 2024
Cloud Security / Cyber Attack

A Taiwanese government entity and a religious organization have been compromised by the China-linked threat actor known as Evasive Panda using a previously undocumented post-compromise toolset called CloudScout. According to ESET security researcher Anh Ho, “The CloudScout toolset can extract data from various cloud services by exploiting stolen web session cookies.” Because a cloud service accepts a valid session cookie in place of a password and any second factor, a stolen cookie lets the attacker read the victim’s mailbox and files without ever authenticating. CloudScout is delivered as a plugin for MgBot, Evasive Panda’s primary malware framework. The .NET-based malware was observed between May 2022 and February 2023 and comprises 10 C# modules, three of which are built to steal data from Google Drive, Gmail, and Outlook; the purpose of the remaining modules is still unknown. Evasive Panda, also tracked as Bronze Highland, Daggerfly, and StormBamboo, is a cyber espionage group with a long history of targeting organizations of this kind.
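
A stolen session cookie is indistinguishable from the real one at the point of use, so the service side can only catch its reuse by remembering what the session looked like when it was first seen and alerting when that changes. The detector below is an added example for this page, not ESET’s or any vendor’s code; the access-log excerpt and its field layout (timestamp, user, then `key=value` pairs) are constructed for the illustration.

```python
"""Flag a web session cookie that is replayed from a different client.

Added example.  Each session id is bound to the user, client network and
user agent seen on its first request; later requests that drift from that
baseline are reported.  A /24 (IPv6 /64) tolerance absorbs address churn
behind one gateway while still catching a cookie used from another network.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed log lines (not real traffic).  Field order is an assumption.
SAMPLE_LOG = """\
2024-10-28T08:01:12Z alice sess=8f3a1c ip=203.0.113.20 ua=Chrome/129 path=/mail/inbox
2024-10-28T08:04:55Z alice sess=8f3a1c ip=203.0.113.20 ua=Chrome/129 path=/drive/list
2024-10-28T08:06:03Z bob sess=2e9d77 ip=203.0.113.44 ua=Firefox/131 path=/mail/inbox
2024-10-28T08:09:41Z bob sess=2e9d77 ip=203.0.113.71 ua=Firefox/131 path=/mail/search
2024-10-28T11:42:09Z alice sess=8f3a1c ip=198.51.100.7 ua=Firefox/131 path=/mail/export
2024-10-28T11:42:30Z alice sess=8f3a1c ip=198.51.100.7 ua=Firefox/131 path=/drive/download
"""


@dataclass
class SessionAlert:
    user: str
    session: str
    first_seen: str
    observed: str
    path: str
    reason: str


def same_network(ip_a: str, ip_b: str) -> bool:
    """True if both addresses fall in the same /24 (IPv4) or /64 (IPv6)."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    if a.version != b.version:
        return False
    prefix = 24 if a.version == 4 else 64
    net_a = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{prefix}", strict=False)
    return net_a == net_b


def parse_line(line: str) -> tuple[str, str, dict[str, str]]:
    """Split one log line into timestamp, user and its key=value fields."""
    ts, user, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest if "=" in kv)
    return ts, user, fields


def detect_session_reuse(log_text: str) -> list[SessionAlert]:
    """Bind each session id to the client seen at first use; alert on drift."""
    baseline: dict[str, tuple[str, str, str, str]] = {}  # sess -> (user, ts, ip, ua)
    alerts: list[SessionAlert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, f = parse_line(line)
        sess, ip, ua = f["sess"], f["ip"], f["ua"]
        if sess not in baseline:
            baseline[sess] = (user, ts, ip, ua)
            continue
        b_user, b_ts, b_ip, b_ua = baseline[sess]
        reasons = []
        if user != b_user:
            reasons.append(f"user {b_user}->{user}")
        if not same_network(b_ip, ip):
            reasons.append(f"network {b_ip}->{ip}")
        if ua != b_ua:
            reasons.append(f"user-agent {b_ua}->{ua}")
        if reasons:
            alerts.append(SessionAlert(user, sess, b_ts, ts, f.get("path", ""), "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_LOG):
        print(alert)
```

On the sample, bob’s move within 203.0.113.0/24 produces nothing, while alice’s cookie reappearing from another network with a different browser fires twice, and the paths it hits (`/mail/export`, `/drive/download`) are exactly the bulk-collection pattern the toolset described above performs. In production, pair the alert with an automatic session revocation rather than a ticket: a cookie that has been replayed is already in the attacker’s hands.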


Unsolved Crime Wave Hits National Guard Equipment Locations

A series of previously unreported break-ins at Tennessee National Guard armories last fall highlights escalating security vulnerabilities across U.S. military facilities, igniting serious concerns over the susceptibility of these sites to theft and unauthorized access. Confidential information obtained from the Tennessee Fusion Center reveals that four break-ins occurred at various…


Pediatric Practice and IT Vendor Reach $5.15M Settlement in Breach Lawsuit

Data Privacy, Data Security, Fraud Management & Cybercrime
More Than 918,000 Individuals Impacted by 2024 BianLian Data Theft Incident
Marianne Kolbasuk McGee (HealthInfoSec) • August 11, 2025

Boston Children’s Health Physicians and its vendor ATSG have reached a settlement in a class action lawsuit linked to a data breach in…


Rethinking Manufacturing Security: The Case Against Default Passwords

July 7, 2025
IoT Security / Cyber Resilience

The breach of a U.S. water utility by Iranian hackers is a stark reminder of how weak the foundations of our systems can be. The intruders reached only a single pressure station serving about 7,000 residents, but their method was alarmingly simple: the controller still carried its factory-set password, “1111”. The incident illustrates a point the Cybersecurity and Infrastructure Security Agency (CISA) has pressed repeatedly in its Secure by Design guidance: manufacturers must eliminate default credentials, which have proven time and again to be one of the most reliable paths to compromise.

Until manufacturers ship devices that way, the work falls to IT and OT teams. Whether the network is critical infrastructure or an ordinary business environment, a device left on its default password is an open invitation, and attackers scan for exactly that. This article looks at why default passwords persist, what they cost in business and technical terms, and what manufacturers must change.
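
What “eliminating default credentials” means in firmware is concrete: the shipped password may serve one purpose only, setting a real one, and the device must refuse to do anything else until that has happened. The gate below is an added example for this page, not code from any vendor or from the article. The device, its factory default, and the list of known defaults are hypothetical; the audit function at the end is the check an operator can run against any device’s login interface to confirm the default is gone.

```python
"""Forced first-login password change for a hypothetical network device.

Added example.  Rules enforced:
  * the factory default authenticates only to "password_change_required";
  * the replacement may not be a known default, the current value, or short;
  * credentials are stored as salted PBKDF2-HMAC-SHA256, never in the clear;
  * an external audit can confirm no factory default is still accepted.
"""
import hashlib
import hmac
import os

# Constructed list of factory defaults for the illustration; a real gate would
# carry the product's actual shipped values plus a common-password blocklist.
FACTORY_DEFAULTS = {"1111", "admin", "password", "123456", "default"}
PBKDF2_ITERATIONS = 600_000  # OWASP's current minimum for PBKDF2-HMAC-SHA256
MIN_LENGTH = 12


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class DeviceLogin:
    """Password gate for a device that ships with a factory default.

    Until set_password() succeeds, login() with the correct default returns
    "password_change_required"; the caller must expose no other function in
    that state.  After the change, the default is simply a wrong password.
    """

    def __init__(self, factory_password: str = "1111"):
        self._salt = os.urandom(16)
        self._hash = _derive(factory_password, self._salt)
        self.must_change = True

    def _verify(self, password: str) -> bool:
        # Constant-time compare so a wrong guess does not leak how wrong it was.
        return hmac.compare_digest(_derive(password, self._salt), self._hash)

    def login(self, password: str) -> str:
        if not self._verify(password):
            return "denied"
        return "password_change_required" if self.must_change else "ok"

    def set_password(self, current: str, new: str) -> str:
        if not self._verify(current):
            return "denied"
        if new.lower() in FACTORY_DEFAULTS or new == current:
            return "rejected_default"
        if len(new) < MIN_LENGTH:
            return "rejected_short"
        self._salt = os.urandom(16)  # fresh salt on every change
        self._hash = _derive(new, self._salt)
        self.must_change = False
        return "ok"


def still_on_factory_default(login) -> bool:
    """Operator-side audit: does this login interface still accept any known default?

    Takes the device's login callable so it works against anything that
    exposes the same interface; "denied" for every default means clean.
    """
    return any(login(candidate) != "denied" for candidate in FACTORY_DEFAULTS)


if __name__ == "__main__":
    device = DeviceLogin()
    print(device.login("1111"))                                   # password_change_required
    print(device.set_password("1111", "correct horse battery staple"))  # ok
    print(device.login("1111"))                                   # denied
    print(still_on_factory_default(device.login))                 # False
```

Two design choices matter beyond the code. First, the change-password path for a device still on its default should be reachable only locally (console, USB, or a link-local setup network), so the one-shot default is never exposed to the internet during commissioning. Second, a per-device unique secret printed on the unit is better than a shared default, but it does not remove the need for the forced change: labels are photographed and manuals are scanned.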


How to Claim Your Share of the $177 Million AT&T Data Breach Settlement – PCMag

Navigating the AT&T Data Breach Settlement: What Business Owners Need to Know

AT&T has reached a $177 million settlement over a data breach that exposed sensitive customer information. The breach, which primarily affected customers who had entrusted their data to AT&T, underscores…


CISA Adds Four High-Risk Vulnerabilities to KEV Catalog Amid Ongoing Exploitation

July 8, 2025
Cyber Attacks / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on the basis of evidence of active exploitation. None of them is new: the identifiers date from 2014 to 2019, which is the practical lesson, since attackers need no zero-day while unpatched instances remain reachable. The entries are:

  • CVE-2014-3931 (CVSS score: 9.8): A buffer overflow flaw in Multi-Router Looking Glass (MRLG) that allows remote attackers to perform arbitrary memory writes and cause memory corruption.
  • CVE-2016-10033 (CVSS score: 9.8): An argument injection flaw in PHPMailer’s use of PHP’s mail() function that allows attackers to execute arbitrary code in the context of the application or cause a denial-of-service (DoS) condition.
  • CVE-2019-5418 (CVSS score: 7.5): A path traversal vulnerability in Ruby on Rails’ Action View that can disclose the contents of arbitrary files on the target system’s filesystem.
  • CVE-2019-9621 (CVSS score: 7.5): A Server-Side Request Forgery (SSRF) vulnerability in the Zimbra Collaboration Suite that could…
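
A KEV addition is only useful if it is joined to what you actually run, and under Binding Operational Directive 22-01 each entry carries a due date that turns the join into a work queue. The triage routine below is an added example written for this page, not CISA tooling. The feed excerpt is constructed in the shape of CISA’s JSON feed (the real one is https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) using the four CVE IDs above; the vendor and product strings, due dates, scanner findings, and host names are hypothetical placeholders, not values taken from CISA or any scanner.

```python
"""Join scanner findings to the KEV catalog and order the patch queue.

Added example.  KEV hits come first, most overdue first; findings whose CVE
is not in the catalog are kept at the end (kev=False) rather than dropped.
"""
from __future__ import annotations

import json
from datetime import date

# Constructed in the shape of CISA's KEV JSON feed.  CVE IDs are the four from
# the article; vendorProject, product and dueDate are hypothetical placeholders.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2014-3931", "vendorProject": "Multi-Router Looking Glass",
     "product": "MRLG", "dateAdded": "2025-07-07", "dueDate": "2025-07-28"},
    {"cveID": "CVE-2016-10033", "vendorProject": "PHPMailer",
     "product": "PHPMailer", "dateAdded": "2025-07-07", "dueDate": "2025-07-28"},
    {"cveID": "CVE-2019-5418", "vendorProject": "Rails",
     "product": "Ruby on Rails", "dateAdded": "2025-07-07", "dueDate": "2025-07-28"},
    {"cveID": "CVE-2019-9621", "vendorProject": "Synacor",
     "product": "Zimbra Collaboration Suite", "dateAdded": "2025-07-07", "dueDate": "2025-07-28"},
]})

# Hypothetical scanner output: which CVE was observed on which host.
# "CVE-0000-0000" is a deliberate placeholder for a finding outside the catalog.
SCAN_FINDINGS = [
    {"host": "mail-01", "cve": "CVE-2019-9621"},
    {"host": "web-03", "cve": "CVE-2019-5418"},
    {"host": "web-03", "cve": "CVE-2016-10033"},
    {"host": "web-03", "cve": "CVE-0000-0000"},
    {"host": "lg-01", "cve": "CVE-2014-3931"},
]


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index the feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(feed_json: str, findings: list[dict], today: date) -> list[dict]:
    """Return one row per finding, KEV hits first, ordered by urgency."""
    kev = load_kev(feed_json)
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            rows.append({"host": f["host"], "cve": f["cve"], "kev": False, "product": None,
                         "due": None, "days_left": None, "overdue": False})
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        rows.append({"host": f["host"], "cve": f["cve"], "kev": True,
                     "product": f"{entry['vendorProject']} {entry['product']}",
                     "due": due, "days_left": days_left, "overdue": days_left < 0})
    # KEV first, then fewest days left, then host/CVE for a stable listing.
    rows.sort(key=lambda r: (not r["kev"], r["days_left"] if r["kev"] else 0, r["host"], r["cve"]))
    return rows


def hosts_past_due(rows: list[dict]) -> set[str]:
    """Hosts with at least one KEV item past its remediation due date."""
    return {r["host"] for r in rows if r["overdue"]}


if __name__ == "__main__":
    for row in triage(KEV_FEED, SCAN_FINDINGS, today=date(2025, 7, 20)):
        print(row)
```

Use the real feed in place of `KEV_FEED` and your scanner’s export in place of `SCAN_FINDINGS`; the catalog is a single JSON document, so refreshing it daily is cheap, and the due date, not the CVSS score, is the field to sort on. Note that both 7.5-scored entries here sit in the same queue as the 9.8s: KEV membership means exploitation is confirmed, which outranks severity estimates.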
