Storm-1175, a financially motivated cybercrime group, is conducting "high velocity" Medusa ransomware campaigns that move from initial breach to data theft in as little as 24 hours. Microsoft reports the group exploits vulnerabilities in the critical window between disclosure and widespread patching, recently targeting healthcare, education, and finance organizations across Australia, the UK, and the US.
The attackers have weaponized over a dozen known vulnerabilities, including recent flaws in BeyondTrust and CrushFTP software. They've also exploited zero-day vulnerabilities in SmarterMail and GoAnywhere before public disclosure. Storm-1175 disables Microsoft Defender Antivirus by tampering with Windows registry settings, allowing their ransomware to execute undetected. Microsoft urges immediate patching and enabling tamper protection features.
Source: Dark Reading
Cybercriminals are exploiting a critical React2Shell vulnerability (CVE-2025-55182) in Next.js web applications to launch a massive automated credential theft campaign. Cisco Talos researchers discovered the operation, attributed to threat group UAT-10608, has compromised at least 766 hosts across multiple industries and regions.
The attackers use an automated tool called "NEXUS Listener" that harvests credentials, SSH keys, cloud tokens, and environment secrets after exploiting the pre-authentication remote code execution flaw. The framework includes a graphical interface with search capabilities, turning stolen data into a searchable intelligence database.
Defenses include patching the vulnerability, rotating exposed credentials, and monitoring for suspicious processes spawned from /tmp/ directories with randomized names.
Source: Dark Reading
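The monitoring advice above (processes spawned from /tmp/ under randomized names) can be turned into a simple host check. The following is an added example, not code from the Talos report or the Dark Reading article: it parses a constructed `ps -eo pid,user,args` listing (not captured data) and flags command lines that reference a scratch-directory path whose file name looks randomized, using a length, character-class and entropy heuristic.

```python
"""Flag processes executing from /tmp/-style directories under randomized names.

Added example (not from the Talos report). The process listing below is
constructed to mimic `ps -eo pid,user,args` output; it is not captured data.
"""
import math
import re
from dataclasses import dataclass

# Constructed sample: two processes run from /tmp/ under random-looking names,
# one ordinary-looking script also lives in /tmp/, the rest are normal.
SAMPLE_PS_OUTPUT = """\
  PID USER     COMMAND
    1 root     /sbin/init
  812 www-data node /srv/app/node_modules/.bin/next start
 2231 www-data /tmp/x7Kq9zPd2L
 2240 www-data /bin/sh -c /tmp/Q8f3ZxN1vB7s
 2310 www-data /tmp/build-cache/cleanup.sh
 2402 root     /usr/sbin/sshd -D
"""

# World-writable scratch locations commonly used for dropped payloads.
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Proc:
    pid: int
    user: str
    args: str


def parse_ps(output: str) -> list[Proc]:
    """Parse `ps -eo pid,user,args` text (header line first) into Proc records."""
    procs = []
    for line in output.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            procs.append(Proc(int(parts[0]), parts[1], parts[2]))
    return procs


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; high for names built from many distinct symbols."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_randomized(name: str) -> bool:
    """Heuristic: stem of 8+ chars mixing at least two character classes with high entropy."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 8:
        return False
    classes = sum(bool(re.search(p, stem)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))
    return classes >= 2 and shannon_entropy(stem) >= 3.0


def tmp_paths(args: str) -> list[str]:
    """Every command-line token that is a path under one of TMP_DIRS."""
    return [tok for tok in args.split() if tok.startswith(TMP_DIRS)]


def flag_suspicious(procs: list[Proc]) -> list[tuple[int, str]]:
    """Return (pid, path) for processes referencing a randomized file name under a tmp dir."""
    hits = []
    for p in procs:
        for path in tmp_paths(p.args):
            if looks_randomized(path.rsplit("/", 1)[-1]):
                hits.append((p.pid, path))
    return hits


if __name__ == "__main__":
    for pid, path in flag_suspicious(parse_ps(SAMPLE_PS_OUTPUT)):
        print(f"suspicious: pid={pid} path={path}")
```

On the sample, pids 2231 and 2240 are flagged while `/tmp/build-cache/cleanup.sh` is not. The heuristic is deliberately narrow to keep noise down; in practice pair it with a lower-severity alert on any executable under a scratch directory, since a payload dropped under a plausible name would slip past the randomness check.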
Cybercriminals launched a targeted supply chain attack against Guardarian, a cryptocurrency payment gateway, using 36 malicious NPM packages in the Strapi ecosystem. Security firm SafeDep discovered the campaign Friday, revealing attackers deployed multiple payloads capable of Redis code execution, Docker container escapes, and credential theft.
The attack specifically targeted Strapi users through fake plugins that could inject crontab entries, deploy webshells, harvest wallet credentials, and establish persistent access to systems. The attackers showed a clear progression: they started with aggressive tactics such as Redis attacks, then pivoted to reconnaissance and data collection when the initial methods failed.
Users who installed these malicious packages should immediately rotate all credentials, including database passwords, API keys, and JWT secrets stored on their systems.
Source: Security Week
CISA added a dangerous TrueConf software vulnerability (CVE-2026-3502) to its Known Exploited Vulnerabilities catalog after detecting active attacks. The flaw lets hackers hijack software updates by replacing legitimate files with malicious code, potentially giving attackers full system control.
The vulnerability affects TrueConf Client's update process, which fails to verify file authenticity. When users update their software, attackers can substitute malware that executes with full privileges.
Federal agencies must patch by April 16, 2026, under mandatory security directives. CISA recommends immediately applying vendor patches or discontinuing TrueConf if fixes aren't available. Private organizations should also patch urgently, as the flaw creates an easy entry point for ransomware and data theft.
Source: Cybersecurity News
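The TrueConf item describes the vulnerability class rather than the fix, so here is an added example (not TrueConf's code, not from the CISA entry) contrasting an updater that writes whatever the update channel delivers with one that accepts a file only if it is named in a trusted manifest and hashes to the pinned SHA-256 digest. The update files, digests and manifest are constructed; the manifest is assumed to arrive through a trusted, signed path separate from the files themselves.

```python
"""Contrast an updater that trusts whatever arrives with one that verifies it.

Added example, not TrueConf's code. The update files, their digests and the
manifest are constructed; in a real updater the manifest itself must come from
a trusted, signed source, not from the same channel as the files.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed "genuine" update files that the vendor intended to ship.
GENUINE_FILES = {
    "client.bin": b"constructed genuine client binary v2",
    "helper.dll": b"constructed genuine helper library v2",
}

# Pinned digests the client already trusts (e.g. from a signed manifest).
TRUSTED_MANIFEST = {
    name: hashlib.sha256(data).hexdigest() for name, data in GENUINE_FILES.items()
}


def install_unverified(downloaded: dict[str, bytes], dest_dir: str) -> list[str]:
    """The weak pattern: write every delivered file with no authenticity check."""
    for name, data in downloaded.items():
        with open(os.path.join(dest_dir, name), "wb") as fh:
            fh.write(data)
    return sorted(downloaded)


def verify_update(downloaded: dict[str, bytes], manifest: dict[str, str]) -> None:
    """Raise ValueError unless the update set exactly matches the trusted manifest."""
    for name, data in downloaded.items():
        if os.path.basename(name) != name:  # no path components smuggled in a file name
            raise ValueError(f"unsafe file name: {name!r}")
        expected = manifest.get(name)
        if expected is None:  # a file the vendor never listed
            raise ValueError(f"file not in manifest: {name}")
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, expected):  # substituted or tampered content
            raise ValueError(f"digest mismatch for {name}")
    missing = sorted(set(manifest) - set(downloaded))
    if missing:  # a component silently dropped from the set
        raise ValueError(f"update incomplete, missing: {missing}")


def install_verified(downloaded: dict[str, bytes], manifest: dict[str, str], dest_dir: str) -> list[str]:
    """Hardened pattern: verify the whole set first, write nothing on any failure."""
    verify_update(downloaded, manifest)
    return install_unverified(downloaded, dest_dir)  # safe now: every file is pinned


def demo() -> dict[str, str]:
    """Run three constructed update sets through both installers; return outcome per scenario."""
    tampered = dict(GENUINE_FILES, **{"client.bin": b"constructed attacker-substituted payload"})
    extra = dict(GENUINE_FILES, **{"loader.dll": b"constructed attacker-added file"})
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, files in (("genuine", GENUINE_FILES), ("tampered", tampered), ("extra", extra)):
            install_unverified(files, tmp)  # always succeeds: the flaw class the KEV entry describes
            try:
                install_verified(files, TRUSTED_MANIFEST, tmp)
                outcomes[label] = "installed"
            except ValueError as err:
                outcomes[label] = f"rejected: {err}"
    return outcomes


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

Only the genuine set is installed; the substituted binary and the attacker-added file are both rejected before anything is written. Pinned digests protect the files, but they move the trust problem to the manifest: it has to be signed by a key the client already holds (or fetched over an independently authenticated channel), otherwise an attacker who can swap the files can swap the manifest too.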
Hackers stole over 300GB of data from the European Commission's AWS cloud environment after compromising an API key through the Trivy supply chain attack on March 19. The TeamPCP hacking group exploited a vulnerability in Aqua Security's scanner, which the EC unknowingly received through regular software updates.
The breach affected Europa.eu's hosting service, impacting 71 clients including 42 internal EC departments and 29 other EU entities. Stolen data includes personal information like names, email addresses, and usernames from multiple EU websites.
The notorious ShinyHunters group later published the 340GB dataset on their leak site. The EC has revoked compromised credentials and notified data protection authorities, confirming internal systems weren't affected.
Source: Security Week
Apple made an unusual move by patching the dangerous DarkSword exploit for iOS 18 users after initially leaving them vulnerable. The company typically patches its newest OS and older devices that can't upgrade, but skips users who choose to stay on older but upgradeable versions.
DarkSword leaked on GitHub March 22, forcing Apple's hand. The exploit is particularly nasty because it doesn't root devices, making it harder to detect while still accessing critical system processes. Unlike the earlier Coruna exploit kit, DarkSword affects more users since iOS 18 has wider adoption.
Security researchers praise Apple's unprecedented response, including backported patches and threat alerts, showing how seriously they're taking these government-grade hacking tools now circulating among cybercriminals.
Source: Dark Reading
Cybersecurity researchers at Cisco Talos discovered a massive attack by hacker group UAT-10608 that has compromised over 700 Next.js servers using the React2Shell vulnerability (CVE-2025-55182). The attackers exploit this remote code execution flaw to automatically steal credentials without needing passwords or user interaction.
In just 24 hours, their "NEXUS Listener" dashboard recorded 766 compromised hosts. Over 90% had database credentials stolen, nearly 80% lost SSH keys, and hackers also grabbed AWS credentials, Stripe payment keys, and GitHub tokens.
The stolen data gives attackers access to private user information, financial records, and the ability to move across company networks or take over entire cloud environments. Companies using Next.js should immediately update their applications and change all passwords and security tokens.
Source: Cybersecurity News
Toy giant Hasbro confirmed hackers breached its network on March 28, affecting brands like Peppa Pig, Transformers, Monopoly, and Dungeons & Dragons. The company's websites displayed error messages Wednesday afternoon, with Hasbro warning the attack could delay product deliveries for several weeks.
The 103-year-old entertainment company filed notice with the SEC but hasn't revealed whether hackers remain in their systems or if customer data was compromised. Hasbro took swift action by taking some systems offline while keeping business operations running.
This attack follows a wave of recent cyber incidents hitting major retailers including M&S, Co-op, and Jaguar Land Rover in what became the UK's costliest cyber event.
Source: BBC News
Cybersecurity researchers at Cisco Talos discovered a massive attack by hacker group UAT-10608, which has compromised over 700 servers in just 24 hours. The attackers are exploiting React2Shell (CVE-2025-55182), a critical remote code execution flaw in Next.js applications that requires no passwords or user interaction.
The hackers use automated tools to scan for vulnerable servers, then deploy malicious scripts that sweep up every credential they can reach. Their custom "NEXUS Listener" dashboard shows devastating results: 90% of compromised hosts lost database credentials, 80% had SSH keys stolen, and AWS credentials, Stripe payment keys, and GitHub tokens were taken as well.
Companies must immediately update Next.js applications and change all passwords, API keys, and security tokens.
Source: Cybersecurity News
AI recruiting startup Mercor was caught up in a massive supply chain attack that compromised thousands of companies through the popular LiteLLM library. The attack began March 27 when hackers from TeamPCP used stolen credentials to publish malicious versions of LiteLLM on PyPI for 40 minutes.
The Lapsus$ extortion group now claims to have stolen over 4 terabytes of Mercor's data, including candidate profiles, personal information, employer data, video interviews, source code, and VPN credentials. They're reportedly auctioning this information online.
Mercor says it's working with forensics experts to investigate the breach, but hasn't confirmed the extent of the data theft.
Source: Security Week