Ticker feed
Cybercriminals are targeting developers with fake Claude Code installation sites that spread through Google-sponsored search results. Push Security researchers discovered the "InstallFix" campaign, where attackers create near-perfect clones of Anthropic's legitimate installation pages.
When users copy installation commands from these fake sites, they unknowingly deploy Amatera Stealer malware that can steal credentials and access enterprise development environments. The attack exploits developers' common practice of copy-pasting terminal commands directly from websites.
The malicious ads appear above legitimate search results for terms like "Claude Code install," making them easy to mistake for official pages. Attackers use trusted hosting services like Cloudflare Pages to make their fake domains appear legitimate.
Source: Dark Reading
Over 3.4 million patients had their personal and health insurance information compromised in a cyberattack on TriZetto Provider Solutions, a healthcare IT firm owned by Cognizant Technology Solutions. The company discovered suspicious activity in its web portal on October 2, 2025.
While no financial data was stolen, hackers accessed names, addresses, Social Security numbers, dates of birth, health insurance member numbers, and other medical information. TPS provides billing and claims management software to hospitals, physician practices, and insurers.
The company has implemented additional security measures and is offering credit monitoring to affected patients. Parent company Cognizant has faced previous major breaches, including a 2020 ransomware attack costing $50-70 million.
Source: Infosecurity Magazine
A cybercriminal named Kamirmassabi is selling a zero-day exploit for Windows Remote Desktop Services vulnerability CVE-2026-21533 for $220,000 on a dark web forum. The exploit targets improper privilege management, allowing attackers to gain full administrative control from standard user accounts.
The vulnerability affects Windows 10, Windows 11, and Windows Server editions from 2012 to 2025. With a CVSSv3 score of 7.8, it's classified as high severity and added to CISA's Known Exploited Vulnerabilities catalog.
The steep price suggests the exploit is highly reliable and works across multiple Windows systems. Organizations must immediately apply Microsoft's security patches and consider disabling Remote Desktop Services if not essential.
Source: Cybersecurity News
Security researcher Arkmarta discovered a critical zero-click vulnerability (CVE-2026-29058) in AVideo, a popular open-source video streaming platform. The flaw affects version 6.0 and allows attackers to execute arbitrary commands without authentication through the objects/getImage.php component.
The vulnerability occurs when AVideo processes base64Url parameters in network requests. While the platform attempts basic URL validation, it fails to neutralize dangerous shell characters before executing ffmpeg commands. This oversight lets attackers inject malicious code, steal credentials, and hijack live streams.
Administrators should immediately upgrade to version 7.0, which fixes the issue with proper shell argument escaping. Those unable to upgrade can restrict access to the vulnerable endpoint or deploy WAF rules blocking suspicious Base64 patterns.
Source: Cybersecurity News
Transport for London suffered one of the UK's largest data breaches when hackers from the Scattered Spider crime group stole personal information from around 10 million customers in late 2024. The BBC discovered the true scale after obtaining a copy of the stolen database containing names, addresses, phone numbers, and email addresses.
TfL initially said only "some" customers were affected and has never publicly disclosed the full numbers. The attack disrupted online services and cost £39 million in damages, though London transport itself wasn't impacted. Two British teenagers face trial in June for the hack.
While TfL emailed over 7 million customers, only 58% opened the notifications, leaving millions unaware their data was stolen.
Source: BBC
The FBI is investigating a sophisticated cyber attack on an internal system containing sensitive surveillance information, including pen register data and personal details from investigations. The breach was discovered February 17 when agents noticed abnormal network activity.
Hackers used advanced techniques and exploited a commercial internet provider's infrastructure to penetrate FBI security controls. The compromised system holds law enforcement data like phone surveillance records and personally identifiable information about investigation subjects.
While the FBI confirmed the incident and says it addressed the suspicious activities, officials haven't identified who's responsible or revealed the full scope of the breach.
Source: Security Week
The Iranian hacking group MuddyWater has infiltrated multiple US organizations, including an airport, bank, aerospace defense contractor, and software company with Israeli operations, according to Broadcom's Symantec team. The attacks continued even after recent US and Israeli military strikes on Iran, suggesting ongoing cyber warfare amid regional tensions.
The hackers deployed new backdoors called Dindoor and Fakeset across victim networks, using fake certificates under names like "Amy Cherne" and "Donald Gay." They attempted to steal data from the software company's Israeli branch, highlighting their focus on Israeli-connected targets.
Linked to Iran's Ministry of Intelligence since 2017, MuddyWater has previously supported kinetic attacks by hacking Jerusalem CCTV cameras during missile strikes. While this specific campaign was disrupted, security experts warn other organizations remain vulnerable.
Source: Security Week
Cisco disclosed 48 vulnerabilities across its firewall products, including two critical flaws scoring perfect 10s on the severity scale. The most dangerous bugs affect the Secure Firewall Management Center (FMC), allowing attackers to bypass authentication and gain root access through crafted HTTP requests or malicious Java objects.
The vulnerabilities impact Cisco's ASA firewalls, Secure FTD systems, and FMC management platforms. Nine additional flaws earned "high" severity ratings, mostly denial-of-service bugs plus SQL injection issues.
Experts warn these critical vulnerabilities could give attackers control over network security at a fundamental level, letting them modify firewall rules or disable protections across multiple devices. Nation-state groups have increasingly targeted edge devices as primary attack vectors. Cisco urges immediate updates.
Source: Dark Reading
A Feb. 21 ransomware attack on Change Healthcare has crippled electronic billing systems nationwide, leaving doctors unable to process payments for weeks. The attack on UnitedHealth's subsidiary is being called "the most significant incident of its kind" against U.S. healthcare.
Doctors like Margaret Parsons in Sacramento can't bill electronically, while paper claims take months to process. Miami's Jackson Health System faces $30 million in lost payments if outages continue. Relief efforts have fallen short—one Long Island physician was offered just $540 weekly for a practice earning hundreds of thousands monthly.
Reports suggest hackers received $22 million in bitcoin, potentially encouraging future attacks. UnitedHealth says core systems won't be restored until later this month, highlighting dangerous vulnerabilities in America's healthcare infrastructure.
Source: CBS News
A critical vulnerability in FreeScout help desk software (CVE-2026-28289) lets attackers completely compromise servers without any user interaction. The flaw bypasses a recent security patch using an invisible zero-width space character in filenames, allowing hackers to upload malicious .htaccess files simply by sending an email to any FreeScout mailbox.
Rated 10/10 on the severity scale, this zero-click remote code execution attack affects all FreeScout 1.8.206 installations running on Apache servers. Successful exploitation gives attackers full server control, access to helpdesk tickets and emails, plus potential network access for further attacks. Users should immediately update to version 1.8.207.
Source: Security Week
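The FreeScout bypass above works because a filename blocklist compared names by exact match, so an invisible character inside the name slipped past it. The following added example (not FreeScout's code; the blocklist, the `.ht` prefix rule and the sample names are constructed) contrasts that naive check with one that rejects Unicode format characters outright and normalizes the name before comparing.

```python
import unicodedata

# Constructed sample attachment names: a benign file, the literal blocked
# name, names hiding a zero-width space (U+200B), and one using a
# full-width full stop (U+FF0E) that NFKC folds back to ".".
SAMPLE_NAMES = [
    "invoice.pdf",
    ".htaccess",
    ".ht\u200baccess",
    "\u200b.htaccess",
    "logo.png\u200b",
    "\uff0ehtaccess",
]

# Hypothetical blocklist: the exact names a first-cut patch might deny.
BLOCKED_NAMES = {".htaccess", ".htpasswd"}


def naive_is_blocked(name: str) -> bool:
    """Exact-match blocklist. A zero-width space anywhere in the name makes
    the comparison fail, so the attachment is accepted as written."""
    return name.lower() in BLOCKED_NAMES


def has_invisible(name: str) -> bool:
    """True if any code point is a Unicode format character (category Cf):
    zero-width spaces and joiners, BOMs, directional marks."""
    return any(unicodedata.category(ch) == "Cf" for ch in name)


def canonical_name(name: str) -> str:
    """NFKC-normalize (folds look-alike punctuation such as U+FF0E to ".")
    and drop format characters, giving the name the filesystem would store."""
    nfkc = unicodedata.normalize("NFKC", name)
    return "".join(ch for ch in nfkc if unicodedata.category(ch) != "Cf")


def hardened_is_blocked(name: str) -> bool:
    """Reject any name carrying invisible characters, and compare the
    canonical form; the ".ht" prefix rule mirrors Apache's default
    <FilesMatch "^\\.ht"> deny rule for its per-directory config files."""
    if has_invisible(name):
        return True
    lowered = canonical_name(name).lower()
    return lowered in BLOCKED_NAMES or lowered.startswith(".ht")


def audit(names):
    """Names the naive check accepts but the hardened check refuses."""
    return [n for n in names if not naive_is_blocked(n) and hardened_is_blocked(n)]
```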