Ticker feed

Microsoft disrupted a major ransomware operation by revoking over 200 digital certificates that cybercriminals were using to make malware look legitimate. The Vanilla Tempest group, also known as Vice Society, created fake Microsoft Teams installers that appeared authentic thanks to stolen certificates from Microsoft's own Azure service and other providers like DigiCert and GlobalSign.

The scammers hosted these fake installers on domains like teams-download[.]buzz and used search engine tricks to lure victims. When users downloaded what they thought was Teams, they actually got the "Oyster" backdoor, which later delivered Rhysida ransomware. Vanilla Tempest has previously targeted schools and hospitals, though their latest victims remain unclear.

Source: Dark Reading

Russian cyber-attacks against NATO countries jumped 25% over the past year, with Microsoft's analysis showing nine of the ten most targeted nations are alliance members. The US faced 20% of attacks, followed by the UK at 12% and Ukraine at 11%. Government agencies bore the brunt, accounting for a quarter of all strikes, with research institutions and think tanks also heavily targeted.

Experts warn this reflects Russia's broader "hybrid warfare" strategy using unconventional tactics like drone incursions and sabotage. Recent incidents include 19 Russian drones crossing into Poland and fighter jets violating Estonian airspace. Microsoft noted Russia increasingly leverages its cybercriminal networks as proxies, particularly ransomware groups that have crippled businesses worldwide.

Source: The Guardian

Harvard University confirmed it was breached through a critical zero-day vulnerability in Oracle's E-Business Suite system. The flaw, tracked as CVE-2025-61882, allows attackers to remotely access systems without authentication. The notorious Clop ransomware gang exploited this vulnerability, adding Harvard to their dark web leak site and claiming to have stolen university data.

The attack is part of a broader campaign that began on September 29, though evidence suggests Clop may have been exploiting this vulnerability as early as August 9 - weeks before Oracle released a patch. Harvard says the breach impacted "a limited number of parties associated with a small administrative unit" and they've found no evidence of further system compromise after applying Oracle's patch.

Source: Dark Reading

The Cybersecurity and Infrastructure Security Agency issued an emergency order Wednesday directing all federal agencies to immediately patch F5 technology systems after a foreign nation-state actor gained access to the company's source code. F5 first discovered the breach in August but kept it quiet until now at the Justice Department's request.

The Seattle-based company revealed that hackers maintained "long-term, persistent access" to its development systems, stealing source code and information about unpatched vulnerabilities. CISA warns attackers could exploit these flaws to steal credentials and take control of federal networks.

Federal agencies have until October 22 to apply F5's security updates, with thousands of F5 devices currently in use across government networks. CISA isn't naming the country behind the attack but calls it part of a broader campaign targeting U.S. technology suppliers.

Source: CBS News

F5 disclosed that state-sponsored hackers breached its systems and stole sensitive data, including BIG-IP source code and information on undisclosed vulnerabilities. The attackers maintained persistent access to development systems, though F5 says no critical vulnerabilities or remote code execution flaws were compromised.

The company detected the August 9 attack but delayed disclosure with Justice Department permission. Some customer configuration data from a "small percentage" of clients was also stolen from an engineering platform.

While F5 found no evidence of supply chain tampering or access to financial systems, the attack profile suggests Chinese state-sponsored involvement. Chinese hackers frequently target major software companies hunting for zero-day vulnerabilities.

Source: Security Week

Microsoft just released its biggest Patch Tuesday update ever, fixing a staggering 175 security vulnerabilities in October. This breaks all previous records and pushes 2025's total past 1,021 CVEs—already exceeding all of 2024 with two months remaining.

Two zero-day flaws are being actively exploited by attackers. CVE-2025-59230 affects Windows Remote Access Connection Manager, letting hackers escalate privileges to admin level. CVE-2025-24990 targets a Windows Agere modem driver, which Microsoft is completely removing from Windows.

The update also marks Windows 10's end of life. Organizations still using the OS—which holds 41% of the desktop market—must switch to Extended Security Updates to keep receiving patches.

Source: Dark Reading

Cyber-attacks against the UK jumped 50% in the past year, with security services now handling a nationally significant attack every other day, according to the National Cyber Security Centre. The agency dealt with 429 cyber incidents through September, with 18 classified as "highly significant" - including attacks on Marks & Spencer and Co-op Group.

China, Russia, Iran and North Korea pose the main state-level threats, while ransomware criminals drive much of the increase. GCHQ director Anne Keast-Butler warned businesses: "Don't be an easy target." Government ministers are urging all organizations to make cyber-resilience a board-level priority and prepare contingency plans for complete IT system failures.

Source: The Guardian

Federal authorities seized 127,271 Bitcoin worth $15 billion from Chen Zhi, alleged leader of a massive cybercrime network operating from Cambodia. The 38-year-old UK-Cambodian national built the Prince Group empire since 2015, running scam compounds across 30+ countries that relied on human trafficking and forced labor.

Chen faces up to 40 years in prison but remains at large. His network scammed over 250 people in New York alone out of millions. The U.S. and UK imposed coordinated sanctions on 146 people and organizations linked to Prince Group, while severing Cambodia's Huione Group from the U.S. financial system for laundering $4 billion in illicit proceeds.

Source: CyberScoop

Cybercriminals are targeting macOS users through fake Homebrew package manager websites that look identical to the real thing. The attackers created convincing replicas of brew.sh using domains like homebrewfaq.org and homebrewclubs.org.

When users visit these spoofed sites to install Homebrew, hidden JavaScript code manipulates their clipboard without permission. Instead of copying just the legitimate installation command, the fake "Copy" button secretly adds malicious code that downloads additional payloads from attacker-controlled servers.

The scam is particularly clever because it runs malicious commands in the background while the real Homebrew installation proceeds normally, making detection difficult. This represents a new twist on supply chain attacks by targeting the installation process rather than compromising official repositories.

Source: Cybersecurity News

Hackers calling themselves Scattered Lapsus$ Hunters have leaked personal details of over 5 million Qantas customers on the dark web after the airline refused to pay ransom demands. The stolen data includes names, email addresses, frequent flyer numbers, and in some cases home addresses, phone numbers, and even meal preferences.

The hackers gained access by calling Qantas call centers in June, pretending to be IT support staff and tricking employees into giving them access to customer service systems. Federal politicians were among those whose home addresses were exposed.

While no credit card details or passwords were stolen, authorities warn of increased scam attempts. Customers should hang up on unexpected calls claiming to be from Qantas and verify contact through official channels ending in qantas.com or qantas.com.au.

Source: The Guardian