How the Attacks Unfolded -Zestix Infostealer

Researchers link the activity to a threat actor known as Zestix, also operating under the alias Sentap. The actor accessed cloud storage platforms such as ShareFile, Nextcloud, and OwnCloud, affecting around 50 organizations.

The impacted companies span sectors including aviation, healthcare, finance, defense, and government services. In several cases, attackers were able to access and extract large volumes of sensitive data.

The attacks typically start when employees unknowingly download malicious files that install infostealer malware such as RedLine, Lumma, or Vidar. These programs silently collect saved credentials and browser data from infected systems.

The stolen information is later aggregated into underground databases. The attacker then searches these datasets for corporate cloud credentials and uses them to gain unauthorized access to enterprise environments.

Researchers found that the main weakness was not an advanced exploit, but the lack of multi-factor authentication. Without MFA in place, attackers were able to access systems using only stolen usernames and passwords, some of which had been exposed in infostealer logs for years.

The impact of the breaches is significant. An engineering firm supporting U.S. utilities lost sensitive infrastructure data, while a robotics company exposed defense-related design files.

An airline also saw internal maintenance and safety documents leaked. In another case, health records and personal data tied to Brazilian military personnel were exposed, totaling several terabytes of sensitive information.

How Credentials Are Stolen and Abused

The attacks follow a simple but effective flow that makes them hard to stop if basic controls are missing.

• An employee downloads what looks like a normal file or software update from email or the web.
• An infostealer runs quietly in the background, often blending into legitimate system activity.
• The malware collects saved passwords and session data from browsers, password managers, and apps like email or collaboration tools.
• The stolen data is encrypted and sent to attacker-controlled servers.
• Attackers search through large credential dumps to find logins tied to corporate systems such as cloud storage and business platforms.

This method is dangerous because it is cheap, scalable, and easy to repeat. Access to corporate accounts is then sold on underground forums, allowing multiple attackers to reuse the same stolen credentials.

Many organizations were compromised not due to a lack of training, but because multi-factor authentication was not enforced across critical systems.

The fix is simple but urgent: enable MFA everywhere it matters and actively monitor for exposed credentials before they are used by attackers.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Infostealers Lead to Cloud Account Compromises appeared first on First Hackers News.

The outage began at 11:20 UTC and was caused by an internal configuration mistake—not a cyberattack—showing that even strong cloud systems can fail.

This event follows similar outages at Azure and AWS, raising concerns about how dependent the world has become on large cloud providers.

Cloudflare’s issue started with a routine permissions update in its ClickHouse database cluster. At 11:05 UTC, the change exposed table metadata in the ‘r0’ database. A Bot Management query didn’t handle this correctly, pulling duplicate columns and creating a feature file twice the normal size.

This file, updated every five minutes to support machine-learning bot detection, exceeded the software’s 200-feature limit. That caused failures in Cloudflare’s core proxy system, FL.

At first, engineers suspected a massive DDoS attack, especially since Cloudflare’s status page was also down. The problem was harder to trace because good and bad files appeared in an alternating pattern during the rollout.

When the Bot Management module failed, request scoring stopped completely. In Cloudflare’s newer FL2 proxy, this resulted in 5xx HTTP errors. Older FL versions defaulted bot scores to zero, which could block real users on sites using strict bot rules.

The outage hit key Cloudflare services. Many websites showed error pages, latency increased, and debugging became difficult. Turnstile CAPTCHA stopped working, blocking logins. Workers KV also had higher error rates, affecting dashboard access and Cloudflare Access authentication.

Email Security briefly lost some spam detection, and configuration updates slowed, though no customer data was compromised. Cloudflare restored full service by 17:06 UTC after stopping the bad files, rolling back to a stable version, and restarting proxies.

Cloudflare’s CEO, Matthew Prince, apologized and called this the company’s worst traffic outage since 2019.

This incident also reflects a broader pattern of configuration-related failures across major cloud providers.

On October 29, 2025, Azure went down globally due to a faulty change in its Front Door CDN, disrupting Microsoft 365, Teams, Xbox, and even airline systems.
AWS suffered a 15-hour outage on October 20 in US-East-1 caused by DNS issues in DynamoDB, which affected EC2, S3, Snapchat, and Roblox.
Another AWS issue on November 5 slowed Amazon.com checkouts during holiday preparation.

Experts warn these outages show how dangerous it is to rely heavily on centralized cloud services—one mistake can impact the entire internet.

To avoid future problems, Cloudflare is improving its file ingestion process, adding global kill switches, reducing excessive error logging, and reviewing proxy failure behavior.

Although this incident wasn’t caused by an attack, it highlights the need for stronger operational controls as cloud systems continue to grow.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Cloudflare Reveals Key Technical Causes of Massive Global Outage appeared first on First Hackers News.

According to a new analysis by Palo Alto Networks Unit 42 researchers Stav Setty and Shachar Roitman, the attackers use phishing and smishing campaigns to steal employee credentials from companies that issue or manage gift cards. Once inside, they escalate privileges and issue unauthorized cards for financial gain — often reselling them on gray markets.

Gift cards remain a preferred target for cybercriminals due to their ease of redemption, anonymity, and traceability challenges, making such fraud difficult to investigate.

A Seasonal Threat with Long-Term Persistence

The group’s name, Jingle Thief, stems from its pattern of ramping up fraud campaigns around holiday and festive seasons, when gift card transactions surge. Palo Alto Networks tracks the operation internally under the identifier CL-CRI-1032, with “CL” representing cluster and “CRI” indicating criminal motivation.

Researchers have linked Jingle Thief with moderate confidence to financially motivated actors Atlas Lion and Storm-0539, groups previously associated with operations traced back to Morocco. The threat cluster is believed to have been active since late 2021.

One of the most concerning traits of Jingle Thief is its long-term persistence within compromised environments — in some cases, maintaining access for over a year. During this period, attackers conduct extensive reconnaissance, map cloud infrastructures, move laterally, and implement methods to avoid detection.

Recent Global Campaigns

Unit 42 reported a surge in coordinated Jingle Thief campaigns between April and May 2025, targeting multiple global enterprises. In one notable incident, the attackers compromised 60 user accounts within a single organization and maintained access for approximately 10 months.

By exploiting stolen credentials, Jingle Thief operators impersonate legitimate users to infiltrate Microsoft 365 environments, steal sensitive data, and execute high-value gift card fraud at scale. They also modify log settings and forensic trails to conceal unauthorized issuance activities.

Phishing Tactics and Cloud Abuse

The group employs highly tailored phishing pages mimicking Microsoft 365 login portals, distributed via email or SMS, to harvest credentials. Once credentials are obtained, the attackers perform a second round of reconnaissance inside the organization, focusing on SharePoint, OneDrive, and internal documentation.

Targets include:

• Gift card issuance workflows
• VPN configuration guides
• Access credentials for Citrix or cloud systems
• Financial process documentation

Jingle Thief further leverages compromised accounts to send internal phishing emails, often disguised as IT service notifications or ticketing updates, exploiting the trust of corporate communication systems.

To maintain persistence, the group creates malicious inbox rules to forward emails, deletes sent messages, and even registers rogue authenticator apps to bypass multi-factor authentication (MFA). In some cases, attackers enroll their own devices in Entra ID, ensuring continued access even after password resets.

Unlike many threat actors that deploy custom malware, Jingle Thief relies heavily on identity misuse and cloud-native exploitation techniques. This stealthy approach allows them to blend in with legitimate activity and evade detection tools focused on endpoint-based threats.

The post “Jingle Thief” Cybercrime Group Targets Cloud Gift Card Systems in Retail Sector appeared first on First Hackers News.

Since late 2024, Silk Typhoon has been using stolen API keys and credentials from privilege access management (PAM), cloud app providers, and cloud data companies.

This lets them access customer environments of the compromised companies.

They’ve also gained access through password spray attacks and by finding leaked corporate passwords in public repositories.

Supply Chain Attacks and Credential Abuse

Silk Typhoon targets many industries worldwide, including IT services, healthcare, legal, education, defense, government, NGOs, and energy. Most of their attacks focus on the United States but also happen globally.

They are skilled at working with cloud environments, which helps them move between systems, stay hidden, and steal data quickly.

Since 2020, Silk Typhoon has used different web shells to run commands, stay in networks, and steal data.

Recently, Silk Typhoon used stolen API keys to access downstream customers, gather data, and run recon with admin accounts.

They also reset admin accounts, planted web shells, created new users, and cleared activity logs.

Microsoft notified affected customers to help secure their systems.

Recommended Actions:

• Review Entra Connect server logs for any suspicious activity.
• Check newly created applications to ensure they are legitimate.
• Monitor multi-tenant applications, especially for any unexpected changes.
• Investigate any Microsoft Graph or eDiscovery activity, especially involving SharePoint or email data access — these are common targets for Silk Typhoon.

Stronger Defenses:

• Make sure all public-facing devices are fully patched to prevent known exploits.
• Apply strict controls and monitoring on all important accounts, especially privileged accounts.
• Focus on credential hygiene, such as removing unused accounts, enforcing strong passwords, and applying least privilege access to limit damage if an account is compromised.
• Set up Conditional Access policies to enforce Zero Trust principles — requiring users to verify their identity before accessing critical systems.
• Enable risk-based sign-in protection, so suspicious logins (like from unusual locations or devices) trigger extra security checks.

The post Microsoft Warns Silk Typhoon Hackers Target IT Supply Chain via Cloud appeared first on First Hackers News.

Modern cloud environments and evolving security threats create major challenges for organizations. Security teams struggle to manage the high volume of events, making it harder to detect and respond to threats quickly.

The complexity is increased because many attacks unfold in multiple stages, making it critical for security solutions to identify these stages as part of a larger attack pattern. To address this, Amazon has upgraded GuardDuty with advanced AI and machine learning features.

These enhancements allow GuardDuty to detect not only known attack types but also new, previously unseen attack sequences. By recognizing related activities across time, security teams can quickly identify potential threats and prevent larger attacks before they can cause significant damage to systems and data.

GuardDuty’s enhanced threat detection uses advanced AI/ML models to identify complex attack sequences in AWS. These sequences may include actions like privilege discovery, API manipulation, and data exfiltration.

The update introduces a new high-severity finding level for more urgent threats and improves existing detections, making them easier to act on.

The system now offers composite detections that cover multiple data sources, timeframes, and resources in an account, giving a better view of complex cloud attacks and improving response efforts. GuardDuty’s enhanced capabilities work smoothly with existing security workflows.

Users can access these new AI/ML features through the Amazon GuardDuty console, where additional widgets appear on the Summary page.

The widgets show an overview of detected attack sequences and allow users to sort findings by severity for easier threat investigation.

Each finding includes a summary of the threat, linked to tactics from the MITRE ATT&CK® framework, and provides remediation recommendations based on AWS best practices. The enhanced detection is enabled by default, with no extra cost beyond the standard GuardDuty fees.

The new features integrate with Amazon GuardDuty workflows, including AWS Security Hub and third-party systems. It recommends activating S3 Protection to detect data risks with S3 buckets.

With AI/ML-driven detection, GuardDuty improves cloud security by providing deeper, actionable insights and automating the detection of complex threats, helping organizations strengthen their security.

The post Amazon GuardDuty Gains AI/ML Threat Detection for Cloud Security appeared first on First Hackers News.

Lazarus Group Targets Log4Shell

As of today, a recent advisory released by security researchers at Cisco Talos reveals that the attacks exploited the Log4Shell vulnerability in VMWare Horizon servers exposed to the public, gaining initial access.

The advisory states, “This campaign involves persistent opportunistic targeting of global enterprises that openly host and expose susceptible infrastructure to n-day vulnerability exploitation, such as CVE-2021-44228.”

The advisory further notes, “Lazarus has been observed focusing on companies within the manufacturing, agricultural, and physical security sectors.”

After successfully exploiting the system, Lazarus carried out thorough reconnaissance by executing various commands to collect system information, query event logs, and perform OS credential dumping.

The attackers utilized a specially crafted implant called HazyLoad, serving as a proxy tool to establish direct access to the compromised system.

Remarkably, Lazarus departed from its previous tactics by generating a local user account with administrative privileges, deviating from the use of unauthorized domain-level accounts.

In a noteworthy development, the threat actors altered their tactics during the hands-on-keyboard phase by downloading and employing credential dumping utilities, which included ProcDump and MimiKatz.

During the second phase of the operation, the deployment of a previously unknown Remote Access Trojan (RAT) named “NineRAT” was uncovered. Of significance is the RAT’s use of a Telegram-based Command and Control (C2) channel to receive initial commands for fingerprinting infected systems.

Moreover, the research identified a shift in Lazarus’ tactics, as NineRAT is coded in DLang, signaling a departure from conventional frameworks.

The company also highlighted, “NineRAT possesses the capability to uninstall itself from the system using a BAT file.”

According to Cisco Talos, the information gathered by Lazarus through NineRAT might be shared with distinct Advanced Persistent Threat (APT) groups, stored in a separate repository distinct from the initial access and implant deployment data.

IOCs

HazyLoad

000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee

NineRAT

534f5612954db99c86baa67ef51a3ad88bc21735bce7bb591afa8a4317c35433

ba8cd92cc059232203bcadee260ddbae273fc4c89b18424974955607476982c4

47e017b40d418374c0889e4d22aa48633b1d41b16b61b1f2897a39112a435d30

f91188d23b14526676706a5c9ead05c1a91ea0b9d6ac902623bc565e1c200a59

5b02fc3cfb5d74c09cab724b5b54c53a7c07e5766bffe5b1adf782c9e86a8541

82d4a0fef550af4f01a07041c16d851f262d859a3352475c62630e2c16a21def

BottomLoader

0e416e3cc1673d8fc3e7b2469e491c005152b9328515ea9bbd7cf96f1d23a99f

DLRAT

e615ea30dd37644526060689544c1a1d263b6bb77fe3084aa7883669c1fde12f

9a48357c06758217b3a99cdf4ab83263c04bdea98c347dd14b254cab6c81b13a

Network IOCs

tech[.]micrsofts[.]com

tech[.]micrsofts[.]tech

27[.]102[.]113[.]93

185[.]29[.]8[.]53

155[.]94[.]208[.]209

162[.]19[.]71[.]175

201[.]77[.]179[.]66

hxxp://27[.]102[.]113[.]93/inet[.]txt

hxxp[://]162[.]19[.]71[.]175:7443/sonic/bottom[.]gif

hxxp[://]201[.]77[.]179[.]66:8082/img/lndex[.]php

hxxp[://]201[.]77[.]179[.]66:8082/img/images/header/B691646991EBAEEC[.]gif

hxxp[://]201[.]77[.]179[.]66:8082/img/images/header/7AEBC320998FD5E5[.]gif

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Lazarus Group Targets Log4Shell Flaw Via Telegram Bots appeared first on First Hackers News.

what is Gafgyt?

Gafgyt is a type of malware that targets and takes control of vulnerable Internet-connected devices to launch cyber attacks, often participating in DDoS attacks.

Gafgyt targets the CVE-2017-18368, a command injection vulnerability of critical severity (CVSS v3: 9.8) in the forwarding mode of remote device logging systems. This vulnerability was patched by Zyxel in 2017.

Zyxel warned about the new Gafgyt variant in 2019, advising firmware updates. Yet, Fortinet still sees 7,100 daily attacks since July 2023, with ongoing high attack numbers.

“Until August 7, 2023, FortiGuard Labs has observed ongoing attack attempts on the 2017 vulnerability. In the last month alone, they’ve thwarted attacks on over a thousand distinct IPS devices,” states a recent Fortinet alert.

It is not clear which part of the attack attempts resulted in successful infections. Nevertheless, activity has remained flat since July.

The CISA he warned this week to actively exploit CVE-2017-18368 in this case, adding the vulnerability to the list of known vulnerabilities under attack. The cybersecurity agency now requires federal services to patch the Zyxel vulnerability by August 28, 2023.

In response to the growing exploit, Zyxel has updated its security advisory. They’ve informed customers that CVE-2017-18363 impacts only Appliances using firmware versions 7.3.15.0 v001/3.40(ULM.0)b31 or earlier.

Zyxel P660HN-T1A routers with the latest 2017 firmware (version 3.40(BYF.11)) remain unaffected by these attacks. However, the device has reached the end of its life cycle and is no longer supported. Therefore, it’s recommended to think about upgrading to a newer model.

Indicators of router botnet infections often involve connection issues, device overheating, settings changes, unresponsiveness, odd network activity, new ports opening, and unexpected reboots.

If you suspect a botnet attack, consider doing a factory reset, updating firmware, and changing admin user credentials.

Recommendation

Zyxel advises users to frequently update device firmware and consider replacing older devices with newer models for optimal data and network security.

The post Gafgyt: Exploits five year old flaw in EoL Zyxel appeared first on First Hackers News.

The Lapsus$ team

The group uses simple but effective hacking techniques. They might lack advanced skills, but their persistence and creativity make up for it. For instance, they found a way to bypass strong security measures like MFA in well-protected organizations.

Instead of hacking into the MFA infrastructure like more advanced teams, a Lapsus$ leader used a different tactic. He said, “Call the employee multiple times at 1 a.m. when they’re sleeping. They’ll probably answer. Then, you can access the MFA portal and add another device.”

Recently, the Department of Homeland Security’s Cybersecurity Review Board issued a report. It shared effective Lapsus$ tactics and advised organizations to create defenses against them.

The Lapsus$ team, even though they’ve been around for only a little over a year and are mostly motivated by fame, has managed to breach a surprisingly long list of targets.

They successfully conducted a phishing attack on MFA provider Twilio, hacked into Nvidia’s corporate network to steal a huge amount of data, sent out confidential data from Microsoft and Okta, breached Globant IT’s network, and executed multiple attacks on T-Mobile using SIM swapping.

In addition, the Brazilian Ministry of Health was breached, leading to the deletion of more than 50 terabytes of data. Various other organizations were also targeted, including Vodafone Portugal, Impresa, Confina, Samsung, and Localiza.

The group employed straightforward methods, such as purchasing authentication cookies and credentials through initial access brokers.

The report has suggestions. One main idea is to switch to passwordless systems, called passkeys, using FIDO2. Passkeys are secure against credential phishing because they need devices to be nearby.

Another tip is for the Federal Communications Commission and Federal Trade Commission to make rules stronger for transferring phone numbers between SIM cards to prevent SIM swapping.

• Organizations need to take immediate action to safeguard themselves, as outlined by the Council’s suggestions in collaboration with the US government and expert companies.
• The authors of the report emphasized that many of the Council’s recommendations align with the “security by design” approach, in line with broader industry discussions, including efforts by CISA for “Secure by Design.”

The post Lapsus$: How They Hacked Some of the Biggest Targets appeared first on First Hackers News.

The findings come as a follow-up to Team Cymru’s previous malware infrastructure analysis, emerging just over two months after Lumen Black Lotus Labs disclosed that 25% of its C2 servers remain active for only a single day.

QakBot Malware

QakBot, also known as QBot, is a sophisticated banking Trojan malware that targets financial institutions and their customers. It steals sensitive information, creates botnets, and establishes a command-and-control network to control infected computers remotely.

The cybersecurity firm reported that QakBot has a consistent pattern of going on an extended break each summer and then resurfacing sometime in September. This year, its spamming activities halted around 22 June 2023.

QakBot’s C2 network has a tiered architecture similar to Emotet and IcedID. The C2 nodes communicate with Tier 2 (T2) C2 nodes hosted on VPS providers in Russia.

Most of the bot C2 servers, which communicate with victim hosts, are in India and the U.S. The outbound T2 connections lead to IP addresses primarily based in the U.S., India, Mexico, and Venezuela.

Additionally, there is a BackConnect (BC) server alongside the C2s and Tier 2 C2s, which turns the infected bots into proxies for other malicious activities.

Team Cymru’s latest research shows a significant decrease in the number of C2s communicating with the T2 layer, leaving only eight remaining. This reduction was partly due to Black Lotus Labs’ null-routing of the higher-tier infrastructure in May 2023.

An analysis of NetFlow data reveals a pattern where increased outbound T2 connections often follow spikes in inbound bot C2 connections. Conversely, spikes in outbound T2 connections coincide with a decline in bot C2 activity.

Team Cymru explained that QakBot’s strategy of using victims as C2 infrastructure with T2 communication results in double harm to users – first in the initial compromise and then in the risk of being publicly identified as malicious.

Indicators of Compromise

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post QakBot Malware Operators Ramp Up C2 Network with 15 New Servers appeared first on First Hackers News.

With this key, the hackers gained access to breached accounts on Exchange Online and Outlook.com, as previously acknowledged by the company.

The cloud-based email service, Exchange Online, has gained widespread adoption among small, medium, and large businesses. Offering enhanced security, reliability, and scalability, it has become a preferred choice for many organizations.

Microsoft: Stolen key

In essence, Microsoft initially stated that only Outlook.com and Exchange Online were affected by the token forging technique. However, Wiz Research uncovered that the compromised signing key was more powerful than initially believed and wasn’t limited to just those two services.

According to their security researchers, the compromised MSA key could have allowed the threat actor to forge access tokens for various types of Azure Active Directory applications.

After revoking the stolen signing key, Microsoft did not recover from any other unauthorized access to its customers’ accounts using the same technique.

Microsoft reports that it has noticed a change in Storm-0558’s tactics, and this suggests that the malicious agents they no longer have access to any signing keys.

The company has recently made an announcement stating that they are yet to determine how Chinese hackers were able to steal the signature key used by Microsoft consumers.

However, in response to pressure from CISA, they have now agreed to provide free extended access to cloud log data. This decision aims to assist defenders in recognizing and thwarting similar breach attempts in the future.

How to Detect the Compromised Key in Your Environment?

• Monitor key activity and access regularly.
• Utilize robust key management solutions with logging capabilities.
• Analyze log data for unusual patterns or anomalies.
• Implement IDS and IPS to identify suspicious activities.
• Monitor user and system behavior related to key access.
• Conduct regular security audits to identify vulnerabilities.
• Stay updated with threat intelligence to be aware of potential attacks.
• Use multi-factor authentication for key access.
• Engage in red teaming or penetration testing to identify weaknesses.
• Have an incident response plan to respond quickly to suspected compromises.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Microsoft: Stolen key gave access to cloud services appeared first on First Hackers News.