This week in cybersecurity, researchers exposed hidden alliances between ransomware groups, the rise of AI-powered phishing platforms, and large-scale vulnerabilities affecting telecom and enterprise systems. <\/p>\n
Major data breaches at financial services and luxury brands highlighted insider threats and supply chain risks, while arrests of Scattered Spider hackers signaled rare law enforcement wins. <\/p>\n
From botnets hijacking VPS servers to disinformation networks expanding globally, the threat landscape shows how cybercrime, espionage, and propaganda increasingly intersect, demanding stronger defenses and smarter detection strategies.<\/p>\n
Stay updated with the latest critical vulnerabilities, exploits, and supply chain threats impacting software, infrastructure, and end-users.<\/p>\n
Vulnerabilities<\/strong><\/h2>\nJenkins Security Updates Patch Multiple Flaws<\/strong><\/h3>\nJenkins has released urgent patches for four vulnerabilities affecting its weekly releases up to 2.527 and LTS up to 2.516.2. The most severe,\u00a0CVE-2025-5115<\/strong>, is an HTTP\/2 denial-of-service issue in the bundled Jetty component, rated\u00a0high severity<\/em>. Additional flaws include permission-check omissions and a log message injection bug.<\/p>\nAdministrators are strongly advised to upgrade to\u00a0weekly 2.528 or LTS 2.516.3<\/strong>\u00a0or disable HTTP\/2 where immediate upgrades aren\u2019t feasible. Read More<\/a><\/p>\nPixie Dust Wi-Fi Attack Targets WPS<\/strong><\/h3>\nThe\u00a0Pixie Dust<\/strong>\u00a0attack re-emerges as a significant threat to Wi-Fi security, exploiting weak randomization in the\u00a0WPS (Wi-Fi Protected Setup)<\/strong>\u00a0protocol. Attackers can recover router WPS PINs offline, bypass WPA2 safeguards, and obtain the network\u2019s pre-shared key without brute forcing.<\/p>\nResearchers emphasize disabling WPS or updating firmware as the only reliable defense. Organizations should audit wireless infrastructure immediately. Read More<\/a><\/p>\nGreenshot Vulnerability Exposes Sensitive Data<\/strong><\/h3>\nResearchers discovered a flaw in\u00a0Greenshot<\/strong>, the popular screenshot tool, that could expose sensitive information. The vulnerability stems from unsafe file handling and could allow attackers to access or leak captured screenshots. A patch has been released, and users are urged to upgrade promptly. Read More<\/a><\/p>\nChaos Mesh Vulnerabilities Impact Kubernetes Workloads<\/strong><\/h3>\nMultiple vulnerabilities have been identified in\u00a0Chaos Mesh<\/strong>, the chaos engineering tool for Kubernetes testing. Flaws could allow attackers to escalate privileges, inject malicious configurations, or disrupt cluster stability. Organizations using Chaos Mesh must apply the latest security updates.<\/p>\n![\"\ud83d\udd17\"](\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/16.0.1\/72x72\/1f517.png?ssl=1\")
\u00a0Read More<\/a><\/p>\nKubernetes C Client Vulnerability Exposes Clusters<\/strong><\/h3>\nThe Kubernetes\u00a0C Client library<\/strong>\u00a0vulnerability exposes clusters to potential privilege escalation and unauthorized API access. Attackers could exploit misconfigurations or API flaws to gain deeper control over workloads. Upgrading to patched versions and tightening API access controls is advised. Read More<\/a><\/p>\nLinux Kernel KSMBD Subsystem Vulnerability<\/strong><\/h3>\nA critical flaw in the\u00a0KSMBD subsystem<\/strong>\u00a0of the Linux kernel allows attackers to execute code remotely in certain configurations. This vulnerability poses a high risk for file-sharing services relying on SMB. Admins should apply kernel patches as soon as possible. Read More<\/a><\/p>\nShai Halud Supply Chain Attack Uncovered<\/strong><\/h3>\nA new\u00a0software supply-chain attack<\/strong>\u00a0named\u00a0Shai Halud<\/em>\u00a0has been observed abusing CI\/CD pipelines and developer tools. Malicious dependencies were injected into trusted builds, potentially impacting downstream software users. Organizations are urged to implement strict code-signing and package validation practices. Read More<\/a><\/p>\n0-Click Linux Kernel KSMBD RCE Exploit<\/strong><\/h3>\nResearchers have demonstrated a\u00a00-click RCE exploit<\/strong>\u00a0in the Linux kernel\u2019s\u00a0KSMBD subsystem<\/strong>, allowing remote code execution without user interaction. This development raises the severity of ongoing kernel threats, highlighting the urgency of patching affected systems immediately. Read More<\/a><\/p>\nSpring Framework and Microsoft 900+ XSS Vulnerabilities<\/strong><\/h3>\nTwo major updates reveal widespread exposure:<\/p>\n
\n- \nSpring Framework<\/strong>\u00a0patches multiple flaws, including input validation weaknesses that could lead to system compromise.<\/li>\n
- \nMicrosoft confirms over 900 XSS vulnerabilities<\/strong>\u00a0across its ecosystem, stressing the scale of insecure coding practices.<\/li>\n<\/ul>\n
Both cases underscore the growing challenge of secure software development at scale. Read More<\/a><\/p>\nTheats<\/strong><\/h2>\nHidden Connections Between Ransomware Groups<\/strong><\/h3>\nRecent research shows that ransomware operations like Conti, LockBit, and Evil Corp are no longer isolated competitors but participants in a flexible underground marketplace. After the Conti takedown, affiliates regrouped under new banners, leading to overlaps in infrastructure and code reuse. Analysts identified shared SSL certificates, passive DNS footprints, and identical encryption routines across Black Basta and QakBot, showing how code and infrastructure circulate freely. This evolution means defenders must focus less on brand names and more on shared TTPs and hidden infrastructure patterns. Read More<\/a><\/p>\nAI-Powered Phishing Platforms on the Rise<\/strong><\/h3>\nPhishing has entered a new era with the adoption of AI-driven platforms capable of generating convincing lures at scale. Attackers increasingly automate email writing, domain registration, and credential phishing kits, making campaigns harder to detect. These platforms drastically lower the barrier for novice cybercriminals while amplifying the reach of veteran actors. Security teams are now challenged to identify behavioral anomalies rather than relying on syntactic cues. Read More<\/a><\/p>\nRussian Groups Gamaredon and Turla Join Forces<\/strong><\/h3>\nTwo of Russia\u2019s most notorious cyber-espionage groups, Gamaredon and Turla, have shown signs of collaboration. While Gamaredon specializes in initial compromise across Ukrainian targets, Turla is known for stealthy persistence and espionage capabilities. By combining tools and infrastructure, these groups present a growing strategic risk for governmental and defense organizations. Read More<\/a><\/p>\nHackers Exploiting Ivanti Endpoint Manager Mobile<\/strong><\/h3>\nThreat actors are abusing multiple vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), targeting enterprise networks with remote exploitation. These flaws allow attackers to gain initial footholds into corporate infrastructure, often chaining with other exploits for lateral movement. Nation-state groups and ransomware affiliates have already begun weaponizing these vulnerabilities in the wild. Read More<\/a><\/p>\nWeaponized ScreenConnect App<\/strong><\/h3>\nIn another software abuse trend, attackers are turning legitimate tools like ConnectWise\u2019s ScreenConnect app into weapons. By deploying trojanized installers, hackers establish remote access footholds disguised as IT management activity. This \u201cliving-off-the-land\u201d technique allows evasion of traditional defenses and grants persistent control of victim networks. Read More<\/a><\/p>\nBelsen Malware Campaign Linked<\/strong><\/h3>\nResearchers uncovered connections between a new malware strain dubbed\u00a0Belsen<\/em>\u00a0and previously active intrusion sets. Analysis indicates shared C2 infrastructure and loader techniques overlapping with known financially motivated threat groups. This discovery highlights the trend of rebranded payloads leveraging old foundations for renewed attacks. Read More<\/a><\/p>\nSystemBC Botnet Hits 1,500 VPS Servers<\/strong><\/h3>\nThe notorious SystemBC botnet continues to expand its footprint, recently compromising over 1,500 VPS servers. Known for serving as a proxy for ransomware affiliates, SystemBC enhances anonymity by tunneling malicious traffic. The surge shows ongoing demand for infrastructure capable of concealing command-and-control operations behind layers of obfuscation. Read More<\/a><\/p>\nNew Malware Loader \u201cCountLoader\u201d<\/strong><\/h3>\nA fresh loader called\u00a0CountLoader<\/em>\u00a0has surfaced in underground markets, featuring modular design and advanced evasion tactics. Its ability to deliver diverse payloads\u2014ranging from banking trojans to ransomware\u2014makes it a high-value tool for cybercriminal groups. Analysts note that its dynamic configuration updates make blocking efforts difficult.
Read More<\/a><\/p>\nPhishing Attack Targets Facebook Users<\/strong><\/h3>\nSocial media users face renewed phishing threats as adversaries launch campaigns to steal Facebook login credentials. The attacks employ deceptive login pages and multi-step phishing kits designed to evade detection. Given the centrality of social media accounts for identity theft, the scale of these attacks poses a broad consumer security challenge. Read More<\/a><\/p>\nRussian Disinformation Network Expands<\/strong><\/h3>\nBeyond malware, Russia-linked\u00a0CopyCop<\/em>\u00a0has expanded its fake news infrastructure by adding 200 new websites. The campaign seeks to amplify disinformation globally, blurring the lines between targeted psychological operations and cyber-enabled propaganda. Coordinated amplification on these sites makes detection and takedown a persistent challenge for defenders. Read More<\/a><\/p>\nData Breaches<\/strong><\/h2>\nFinWise Insider Breach Exposes 689K Records<\/strong><\/h3>\nAmerican First Finance confirmed a major insider incident after a terminated employee exploited residual access to its production database. The breach compromised nearly 700,000 sensitive records, including Social Security numbers and financial data, which were exfiltrated using direct SQL queries and SSH tunnels. Investigators found the attacker took advantage of an archived service account with lingering privileges, bypassing standard RBAC and MFA safeguards. The company has since moved toward just-in-time access and user behavior analytics, alongside offering affected customers 24 months of identity protection. Read More<\/a><\/p>\nTiffany & Co. Confirms Data Breach<\/strong><\/h3>\nLuxury jeweler Tiffany & Co. disclosed a data breach that exposed sensitive employee and customer information following unauthorized access to internal systems. Although the company did not release specifics on the volume, the breach has raised concerns over the protection of VIP clientele data. The incident adds to a growing list of attacks aimed at brands handling high-net-worth individuals. Read More<\/a><\/p>\nGucci, Balenciaga, and Alexander McQueen Leak Linked to BMW Breach<\/strong><\/h3>\nA massive breach has reportedly tied together data leaks affecting iconic fashion houses Gucci, Balenciaga, and Alexander McQueen, allegedly connected to a wider compromise involving BMW\u2019s systems. The intrusion exposed internal documents, customer records, and operational data, raising alarms about cross-industry supply chain vulnerabilities. The fashion and automotive sectors, both attractive to cybercriminals, now appear increasingly linked through shared risk factors. Read More<\/a><\/p>\nUK Arrests Two Scattered Spider Hackers<\/strong><\/h3>\nBritish law enforcement arrested two alleged members of the Scattered Spider group, which has been tied to high-profile intrusions, including MGM Resorts. The arrests mark a significant disruption to the group\u2019s operations, known for SIM swap attacks, phishing campaigns, and corporate intrusions. While arrests disrupt some activity, experts note that the group\u2019s wide affiliate network means residual risk is expected to continue. Read More<\/a><\/p>\nGreat Firewall of China Data Leak<\/strong><\/h3>\nAn unprecedented leak exposed sensitive datasets tied to China\u2019s Great Firewall infrastructure, revealing operational insights into surveillance operations and censorship controls. The compromised data, reportedly accessible on cybercriminal forums, included internal schema, employee records, and technical configurations. This incident underscores the rising risks posed when state or nation-level security tools themselves become the targets of hackers. Read More<\/a><\/p>\nFollow Us on Google News<\/a>,\u00a0LinkedIn<\/a>, X<\/a>\u00a0to Get Daily Cyber Security Updates and Contact Us<\/a> to Feature Your Stories.<\/strong><\/code><\/p>\nThe post Cybersecurity Newsletter Weekly \u2013 Shai Halud Attack, Ivanti Exploits, FinWise, BMW Data Leak, and More<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
Jenkins has released urgent patches for four vulnerabilities affecting its weekly releases up to 2.527 and LTS up to 2.516.2. The most severe,\u00a0CVE-2025-5115<\/strong>, is an HTTP\/2 denial-of-service issue in the bundled Jetty component, rated\u00a0high severity<\/em>. Additional flaws include permission-check omissions and a log message injection bug.<\/p>\n Administrators are strongly advised to upgrade to\u00a0weekly 2.528 or LTS 2.516.3<\/strong>\u00a0or disable HTTP\/2 where immediate upgrades aren\u2019t feasible. Read More<\/a><\/p>\n The\u00a0Pixie Dust<\/strong>\u00a0attack re-emerges as a significant threat to Wi-Fi security, exploiting weak randomization in the\u00a0WPS (Wi-Fi Protected Setup)<\/strong>\u00a0protocol. Attackers can recover router WPS PINs offline, bypass WPA2 safeguards, and obtain the network\u2019s pre-shared key without brute forcing.<\/p>\n Researchers emphasize disabling WPS or updating firmware as the only reliable defense. Organizations should audit wireless infrastructure immediately. Read More<\/a><\/p>\n Researchers discovered a flaw in\u00a0Greenshot<\/strong>, the popular screenshot tool, that could expose sensitive information. The vulnerability stems from unsafe file handling and could allow attackers to access or leak captured screenshots. A patch has been released, and users are urged to upgrade promptly. Read More<\/a><\/p>\n Multiple vulnerabilities have been identified in\u00a0Chaos Mesh<\/strong>, the chaos engineering tool for Kubernetes testing. Flaws could allow attackers to escalate privileges, inject malicious configurations, or disrupt cluster stability. Organizations using Chaos Mesh must apply the latest security updates.<\/p>\n The Kubernetes\u00a0C Client library<\/strong>\u00a0vulnerability exposes clusters to potential privilege escalation and unauthorized API access. Attackers could exploit misconfigurations or API flaws to gain deeper control over workloads. Upgrading to patched versions and tightening API access controls is advised. Read More<\/a><\/p>\n A critical flaw in the\u00a0KSMBD subsystem<\/strong>\u00a0of the Linux kernel allows attackers to execute code remotely in certain configurations. This vulnerability poses a high risk for file-sharing services relying on SMB. Admins should apply kernel patches as soon as possible. Read More<\/a><\/p>\n A new\u00a0software supply-chain attack<\/strong>\u00a0named\u00a0Shai Halud<\/em>\u00a0has been observed abusing CI\/CD pipelines and developer tools. Malicious dependencies were injected into trusted builds, potentially impacting downstream software users. Organizations are urged to implement strict code-signing and package validation practices. Read More<\/a><\/p>\n Researchers have demonstrated a\u00a00-click RCE exploit<\/strong>\u00a0in the Linux kernel\u2019s\u00a0KSMBD subsystem<\/strong>, allowing remote code execution without user interaction. This development raises the severity of ongoing kernel threats, highlighting the urgency of patching affected systems immediately. Read More<\/a><\/p>\n Two major updates reveal widespread exposure:<\/p>\n Both cases underscore the growing challenge of secure software development at scale. Read More<\/a><\/p>\n Recent research shows that ransomware operations like Conti, LockBit, and Evil Corp are no longer isolated competitors but participants in a flexible underground marketplace. After the Conti takedown, affiliates regrouped under new banners, leading to overlaps in infrastructure and code reuse. Analysts identified shared SSL certificates, passive DNS footprints, and identical encryption routines across Black Basta and QakBot, showing how code and infrastructure circulate freely. This evolution means defenders must focus less on brand names and more on shared TTPs and hidden infrastructure patterns. Read More<\/a><\/p>\n Phishing has entered a new era with the adoption of AI-driven platforms capable of generating convincing lures at scale. Attackers increasingly automate email writing, domain registration, and credential phishing kits, making campaigns harder to detect. These platforms drastically lower the barrier for novice cybercriminals while amplifying the reach of veteran actors. Security teams are now challenged to identify behavioral anomalies rather than relying on syntactic cues. Read More<\/a><\/p>\n Two of Russia\u2019s most notorious cyber-espionage groups, Gamaredon and Turla, have shown signs of collaboration. While Gamaredon specializes in initial compromise across Ukrainian targets, Turla is known for stealthy persistence and espionage capabilities. By combining tools and infrastructure, these groups present a growing strategic risk for governmental and defense organizations. Read More<\/a><\/p>\n Threat actors are abusing multiple vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), targeting enterprise networks with remote exploitation. These flaws allow attackers to gain initial footholds into corporate infrastructure, often chaining with other exploits for lateral movement. Nation-state groups and ransomware affiliates have already begun weaponizing these vulnerabilities in the wild. Read More<\/a><\/p>\n In another software abuse trend, attackers are turning legitimate tools like ConnectWise\u2019s ScreenConnect app into weapons. By deploying trojanized installers, hackers establish remote access footholds disguised as IT management activity. This \u201cliving-off-the-land\u201d technique allows evasion of traditional defenses and grants persistent control of victim networks. Read More<\/a><\/p>\n Researchers uncovered connections between a new malware strain dubbed\u00a0Belsen<\/em>\u00a0and previously active intrusion sets. Analysis indicates shared C2 infrastructure and loader techniques overlapping with known financially motivated threat groups. This discovery highlights the trend of rebranded payloads leveraging old foundations for renewed attacks. Read More<\/a><\/p>\n The notorious SystemBC botnet continues to expand its footprint, recently compromising over 1,500 VPS servers. Known for serving as a proxy for ransomware affiliates, SystemBC enhances anonymity by tunneling malicious traffic. The surge shows ongoing demand for infrastructure capable of concealing command-and-control operations behind layers of obfuscation. Read More<\/a><\/p>\n A fresh loader called\u00a0CountLoader<\/em>\u00a0has surfaced in underground markets, featuring modular design and advanced evasion tactics. Its ability to deliver diverse payloads\u2014ranging from banking trojans to ransomware\u2014makes it a high-value tool for cybercriminal groups. Analysts note that its dynamic configuration updates make blocking efforts difficult. Social media users face renewed phishing threats as adversaries launch campaigns to steal Facebook login credentials. The attacks employ deceptive login pages and multi-step phishing kits designed to evade detection. Given the centrality of social media accounts for identity theft, the scale of these attacks poses a broad consumer security challenge. Read More<\/a><\/p>\n Beyond malware, Russia-linked\u00a0CopyCop<\/em>\u00a0has expanded its fake news infrastructure by adding 200 new websites. The campaign seeks to amplify disinformation globally, blurring the lines between targeted psychological operations and cyber-enabled propaganda. Coordinated amplification on these sites makes detection and takedown a persistent challenge for defenders. Read More<\/a><\/p>\n American First Finance confirmed a major insider incident after a terminated employee exploited residual access to its production database. The breach compromised nearly 700,000 sensitive records, including Social Security numbers and financial data, which were exfiltrated using direct SQL queries and SSH tunnels. Investigators found the attacker took advantage of an archived service account with lingering privileges, bypassing standard RBAC and MFA safeguards. The company has since moved toward just-in-time access and user behavior analytics, alongside offering affected customers 24 months of identity protection. Read More<\/a><\/p>\n Luxury jeweler Tiffany & Co. disclosed a data breach that exposed sensitive employee and customer information following unauthorized access to internal systems. Although the company did not release specifics on the volume, the breach has raised concerns over the protection of VIP clientele data. The incident adds to a growing list of attacks aimed at brands handling high-net-worth individuals. Read More<\/a><\/p>\n A massive breach has reportedly tied together data leaks affecting iconic fashion houses Gucci, Balenciaga, and Alexander McQueen, allegedly connected to a wider compromise involving BMW\u2019s systems. The intrusion exposed internal documents, customer records, and operational data, raising alarms about cross-industry supply chain vulnerabilities. The fashion and automotive sectors, both attractive to cybercriminals, now appear increasingly linked through shared risk factors. Read More<\/a><\/p>\n British law enforcement arrested two alleged members of the Scattered Spider group, which has been tied to high-profile intrusions, including MGM Resorts. The arrests mark a significant disruption to the group\u2019s operations, known for SIM swap attacks, phishing campaigns, and corporate intrusions. While arrests disrupt some activity, experts note that the group\u2019s wide affiliate network means residual risk is expected to continue. Read More<\/a><\/p>\n An unprecedented leak exposed sensitive datasets tied to China\u2019s Great Firewall infrastructure, revealing operational insights into surveillance operations and censorship controls. The compromised data, reportedly accessible on cybercriminal forums, included internal schema, employee records, and technical configurations. This incident underscores the rising risks posed when state or nation-level security tools themselves become the targets of hackers. Read More<\/a><\/p>\n The post Cybersecurity Newsletter Weekly \u2013 Shai Halud Attack, Ivanti Exploits, FinWise, BMW Data Leak, and More<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nPixie Dust Wi-Fi Attack Targets WPS<\/strong><\/h3>\n
Greenshot Vulnerability Exposes Sensitive Data<\/strong><\/h3>\n
Chaos Mesh Vulnerabilities Impact Kubernetes Workloads<\/strong><\/h3>\n
\u00a0Read More<\/a><\/p>\nKubernetes C Client Vulnerability Exposes Clusters<\/strong><\/h3>\n
Linux Kernel KSMBD Subsystem Vulnerability<\/strong><\/h3>\n
Shai Halud Supply Chain Attack Uncovered<\/strong><\/h3>\n
0-Click Linux Kernel KSMBD RCE Exploit<\/strong><\/h3>\n
Spring Framework and Microsoft 900+ XSS Vulnerabilities<\/strong><\/h3>\n
\n
Theats<\/strong><\/h2>\n
Hidden Connections Between Ransomware Groups<\/strong><\/h3>\n
AI-Powered Phishing Platforms on the Rise<\/strong><\/h3>\n
Russian Groups Gamaredon and Turla Join Forces<\/strong><\/h3>\n
Hackers Exploiting Ivanti Endpoint Manager Mobile<\/strong><\/h3>\n
Weaponized ScreenConnect App<\/strong><\/h3>\n
Belsen Malware Campaign Linked<\/strong><\/h3>\n
SystemBC Botnet Hits 1,500 VPS Servers<\/strong><\/h3>\n
New Malware Loader \u201cCountLoader\u201d<\/strong><\/h3>\n
Read More<\/a><\/p>\nPhishing Attack Targets Facebook Users<\/strong><\/h3>\n
Russian Disinformation Network Expands<\/strong><\/h3>\n
Data Breaches<\/strong><\/h2>\n
FinWise Insider Breach Exposes 689K Records<\/strong><\/h3>\n
Tiffany & Co. Confirms Data Breach<\/strong><\/h3>\n
Gucci, Balenciaga, and Alexander McQueen Leak Linked to BMW Breach<\/strong><\/h3>\n
UK Arrests Two Scattered Spider Hackers<\/strong><\/h3>\n
Great Firewall of China Data Leak<\/strong><\/h3>\n
Follow Us on Google News<\/a>,\u00a0LinkedIn<\/a>, X<\/a>\u00a0to Get Daily Cyber Security Updates and Contact Us<\/a> to Feature Your Stories.<\/strong><\/code><\/p>\n