Arda Büyükkaya

This has been confirmed today: operation-endgame.com

Europol took down servers for the Rhadamanthys infostealer, the VenomRAT, and the Elysium botnet

FIRST — Forum of Incident Response and Security Teams

Que "The Final Countdown" by Europe 🎶 and lock in 💻-- it's time for final submissions for #FIRSTCTI26 #lastcall #timesup 🔗 go.first.org/EHUnv

ShinyHunters Calling: Financially Motivated Data Extortion Group Targeting Enterprise Cloud Applications EclecticIQ analysts assess with high confidence that ShinyHunters is expanding its operations by combining AI-enabled voice phishing, supply chain compromises, and leveraging malicious insiders.

🚨 New research: ShinyHunters teamed up with Scattered Spider for vishing attacks on cloud application users, bribed employees for insider access, and targeted engineering users to compromise CI/CD tools. blog.eclecticiq.com/shinyhunters...

@likethecoins.bsky.social @campuscodi.risky.biz
#CTI

Yep, I've been pwned. 2FA reset email, looked very legitimate.

Only NPM affected. I've sent an email off to @npmjs.bsky.social to see if I can get access again.

Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up.

Hackers stole Social Security numbers during Allianz Life cyberattack | TechCrunch The U.S. insurance giant tells state regulators that Social Security numbers were among the personal information stolen in its mid-July cyberattack.

New, by me: The hackers who breached Allianz Life earlier this month and stole the personal information belonging to the "majority" of its 1.4 million customers, also took Social Security numbers during the breach, per new filings with U.S. states.

LOL... someone scrapped celebrity Spotify accounts/playlists and leaked their music preferences

The *chef's kiss* here is the name of the site: Panama Playlists 😆

panamaplaylists.com

Screenshot of text that reads: "Mandatory reporting is also being developed, which would equip law enforcement with essential intelligence to hunt down perpetrators and disrupt their activities, allowing for better support for victims. Consultation responses showed strong support for a new mandatory reporting regime to better protect British organisations and industry."

This is by far the coolest part in the UK's proposed ransomware ban and mandatory reporting proposal

www.gov.uk/government/n...

"This report presents the first detailed study of China’s cyber militia system since 2015. It draws from an analysis of 136 individual militia units, as well as authoritative Chinese-language military writings and mobilization documents."

margin.re/mobilizing-c...

FBI: Play ransomware gang has attacked 600 organizations since 2023 Law enforcement officials said initial access brokers with ties to Play ransomware operators continue to exploit multiple vulnerabilities in remote monitoring and management tool SimpleHelp.

Ohhh…I smell a takedown coming!

Via @jgreig.bsky.social & @therecordmedia.bsky.social

GreyNoise observed a major spike in scanning against Ivanti products weeks before two zero-days were disclosed in Ivanti EPMM. Full update: www.greynoise.io/blog/surge-i...
#Ivanti #GreyNoise #Cybersecurity #ZeroDays

Victoria’s Secret website down as company investigates security incident The retailer's domain now features a brief message to customers explaining that it has “identified and are taking steps to address a security incident.”

Victoria’s Secret website down as company investigates security incident

via @jgreig.bsky.social & @therecordmedia.bsky.social

New Russia-affiliated actor Void Blizzard targets critical sectors for espionage | Microsoft Security Blog Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to Russia, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America.

Microsoft has discovered a cluster of worldwide cloud abuse activity by new Russia-affiliated threat actor Void Blizzard (LAUNDRY BEAR), whose cyberespionage activity targets gov't, defense, transportation, media, NGO, and healthcare in Europe and North America. https://msft.it/63324S9Jkp

Dutch intelligence discover a new Russian APT—LAUNDRY BEAR

www.aivd.nl/documenten/p...

Microsoft calls it Void Blizzard. Their report is here: www.microsoft.com/en-us/securi...

Ivanti patches two zero-days under active attack as intel agency warns customers Vendor says vulns are linked with 2 mystery open source libraries integrated into EPMM product Australia's intelligence agency is warning organizations about several new Ivanti zero-days chained for remote code execution (RCE) attacks. The vendor itself has said the vulns are linked to two mystery open source libraries which it declined to name.…

Ivanti patches two zero-days under active attack as intel agency warns customers

Russia's APT28 accused of infiltrating Western logistics, technology firms Int'l partners destroy Lumma Stealer infrastructure, IT contractor breach led to M&S attack, Interlock stole data from West Lothian, 70K Coinbase customers exposed, EU sanctions GRU for disinformation...

Never a dull day in cybersecurity. Check out today's Metacurity for the critical infosec developments you need to know.
www.metacurity.com/russias-apt2...

"A global law enforcement operation coordinated by Europol has struck a major blow to the criminal underground, with 270 arrests of dark web vendors and buyers across ten countries"

www.europol.europa.eu/media-press/...

China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability On Thursday, May 15, 2025, Ivanti disclosed two critical vulnerabilities - CVE-2025-4427 and CVE-2025-4428 - affecting Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier.

A Chinese APT (UNC5221) is behind recent attacks exploiting an Ivanti zero-day (CVE-2025-4427)

This is a known Chinese APT group that seems to be specialized in Ivanti and other Western enterprise products... they have a long list of past zero-days in their name

blog.eclecticiq.com/china-nexus-...

cc @likethecoins.bsky.social

🇨🇳 UNC5221 China-Nexus Threat Actor Actively Exploiting Ivanti EPMM (CVE-2025-4428).Targets critical networks like US airports and Telecommunications companies in EU. Exfiltrating sensitive data from managed mobile devices. #cyber

Here is the full report:

blog.eclecticiq.com/china-nexus-...

-Ransomware IAB spreads trojanized KeePass installer
-APT28 targets email servers with XSS attacks
-Good report on DPRK cyber and IT worker schemes
-Russia uses USAID shutdown in info-op targeting Moldova
-RU disinfo group Storm-1516 is behind the Macron coke memes

Storm-1516 Deploys AI-Generated Media to Spread Disinformation: Targets European Leaders and Influences Istanbul Peace Talks EclecticIQ analysts assess with high confidence that on May 11, 2025, pro-Kremlin disinformation group Storm-1516 amplified a fabricated story on X, falsely claiming European leaders used drugs while ...

Storm-1516, a pro-Kremlin 🇷🇺 disinformation group, launched an AI-driven influence operation to discredit European leaders. 🇪🇺 blog.eclecticiq.com/storm-1516-d...
@hatr.bsky.social

🎉 Happy to share that my talk has been accepted at Virus Bulletin! I’ll be presenting in 🇩🇪 Berlin on Friday, September 26 at VB2025:

Details: www.virusbulletin.com/conference/v...

See you there! #vbconference #VB2025

FBI awaits signal that Salt Typhoon is fully excised from telecom firms, official says FBI Deputy Director for Cyber Operations Brett Leatherman said that "there’s a lot of work focused on containment" when it comes to the Salt Typhoon hacks.

The FBI is awaiting signals from telecom victims that Salt Typhoon is fully excised from their systems. My Q&A with Deputy Assistant Director for Cyber Operations Brett Leatherman about Salt Typhoon and other topics at #RSAC2025 below:
www.nextgov.com/cybersecurit...

Microsoft Teams appears to have been used as part of the cyber kill chain in the Co-Op hack. I've recently seen similar tactics, where threat actors employed voice phishing via Teams calls. It’s a threat worth watching.

Podcast: risky.biz/RBNEWS418/
Newsletter: news.risky.biz/risky-bullet...

-French government grows a spine and calls out Russia's hacks
-Marks & Spencer sends staff home after ransomware attack
-China accuses US of hacking cryptography provider
-AirBorne vulnerabilities impact Apple's AirPlay

France accuses Russia's APT28 of a string of serious cyberattacks going back to 2021 Kristi Noem urges "back-to-basics" for CISA, WhatsApp to roll out private processing for new AI features, Indian court blocks Proton Mail, Nova Scotia Power copes with a cyber breach, Israeli hacker-f...

As RSA 2025 gets into full swing, stay ahead of the curve by checking out today's Metacurity for the most critical infosec developments you should know.
www.metacurity.com/france-accus...

🚨 Erlang SSH RCE (CVE-2025-32433) is a significant supply chain risks to ICS and OT devices, particularly critical networking equipment like routers, switches, and smart sensors. The public availability of a POC makes this vulnerability especially concerning, as it is straightforward to exploit.

Since April 15, 2025, BreachForums 2 was offline. Admin “Normal” confirmed its return at breached[.]fi, with no prior data restored. The new site faces skepticism, with some calling it a potential honeypot, likely pushing threat actors toward other platforms.

BreachForums has reportedly resumed operations under a new domain, breached[.]fi

Sri Lanka’s Foreign Ministry hit by phishing email posing as peacekeeper notice sent from Pakistan’s Naval Uni (likely breached) “pro-rector.admin@bahria.edu.pk.” Malicious link led to fake Gmail login via Railway-hosted page "gs23-production.up.railway[.]app", stealing user credentials and OTPs.