Texas State Bar warns of data breach after INC ransomware claims attack www.bleepingcomputer.com/news/secu…

The State Bar of Texas is warning it suffered a data breach after the INC ransomware gang claimed to have breached the organization and began leaking samples of stolen data. The State Bar of Texas is the second-largest bar association in the United States, with over 100,000 licensed attorneys. It regulates the legal profession in Texas by overseeing licensing, continuing legal education, ethical compliance, and disciplinary actions.

In a notification letter sent to affected members, the organization states that it suffered a security breach between January 28 and February 9, 2025, but it was only discovered on February 12. The threat actors were able to steal information from the network, including full names and other data that is redacted in the public data breach notifications filed with Attorney Generals' offices.

“Through the investigation, we determined that there was unauthorized access to our network between January 28, 2025 and February 9, 2025,” reads the notice.

Hackers hit Ukrainian state agencies, critical infrastructure with new ‘Wrecksteel’ malware therecord.media/hackers-u…

Ukraine recorded at least three cyberattacks in March targeting government agencies and critical infrastructure with new spying malware. The attacks were carried out using previously unknown malware — dubbed Wrecksteel — deployed through phishing emails, according to a report released on Thursday by Ukraine’s computer emergency response team (CERT-UA).

The hackers used compromised accounts to send messages containing links to public file-sharing services such as DropMeFiles and Google Drive. When opened, the links executed a PowerShell script, enabling attackers to extract text documents, PDFs, images, and presentations, as well as take screenshots of infected devices.

CERT-UA, which named the hacking group UAC-0219, said the cyberespionage campaign has been active since at least the fall of 2024. In one incident, attackers sent phishing emails falsely claiming that a Ukrainian government agency planned to cut salaries. The email contained a malicious link purportedly leading to a list of affected employees.

Israel Enters ‘Stage 3’ of Cyber Wars With Iran Proxies www.darkreading.com/threat-in…

Reported cybersecurity incidents in Israel rose 24% in 2024, largely thanks to Iran and its proxy militias. But the trajectory of this cyber conflict has not followed a straight path, as recent signals suggest it might be slowing and evolving.

Any simple comparison of cyber threat data before and after Oct. 7, 2023, tells a seemingly straightforward story. In 2023, the Israel National Cyber Directorate (INCD) released 367 alerts about vulnerabilities, attacks, and threats. In 2024, that number doubled to 736, with 518 of them being “red alerts” directed to specific organizations. Calls to Israel’s 119 cyberattack hotline rose 24% year-over-year, with 17,078 reports in only 365 days.

In a closed door briefing at INCD headquarters last week, government representatives reported even more significant figures. In the wake of the Oct. 7 attacks, calls and alerts to Israel’s national security operations center (SoC) multiplied 10 times over — from an average of 50 per day to 500-plus. The number of known APTs targeting the country has reportedly doubled as well, though Dark Reading hasn’t received specific figures to confirm this.

Threat actors leverage tax season to deploy tax-themed phishing campaigns www.microsoft.com/en-us/sec…

As Tax Day approaches in the United States on April 15, Microsoft has observed several phishing campaigns using tax-related themes for social engineering to steal credentials and deploy malware. These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection. These campaigns lead to phishing pages delivered via the RaccoonO365 phishing-as-a-service (PhaaS) platform, remote access trojans (RATs) like Remcos, and other malware like Latrodectus, BruteRatel C4 (BRc4), AHKBot, and GuLoader.

Every year, threat actors use various social engineering techniques during tax season to steal personal and financial information, which can result in identity theft and monetary loss. These threat actors craft campaigns that mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads. Although these are well-known, longstanding techniques, they could still be highly effective if users and organizations don’t use advanced anti-phishing solutions and conduct user awareness and training.

US, Australia, Canada warn of ‘fast flux’ scheme used by ransomware gangs therecord.media/us-austra…

Ransomware gangs and Russian government hackers are increasingly turning to an old tactic called “fast flux” to hide the location of infrastructure used in cyberattacks. Cybercriminals and nation-state actors use the fast flux technique to rapidly change the Domain Name System (DNS) records associated with a single domain name — hiding the locations of malicious servers, according to an advisory published on Thursday by cybersecurity agencies in the U.S., Australia, Canada and New Zealand.

Officials explained that malicious actors hack into devices and networks using malware that needs to “call home” to threat actors and send status updates or receive further instructions.

“To decrease the risk of detection by network defenders, malicious cyber actors use dynamic resolution techniques, such as fast flux, so their communications are less likely to be detected as malicious and blocked,” the agencies said.

HellCat Ransomware: What You Need To Know www.tripwire.com/state-of-…

What is HellCat?

HellCat is the name of a relatively new ransomware-as-a-service (RaaS) group that first came to prominence in the second half of 2024. Like many other ransomware operations, HellCat breaks into organisations, steals sensitive files, and encrypts computer systems - demanding a ransom payment for a decryption key and to prevent the leaking of stolen files.

So it’s your typical “double extortion” threat?

Yes, although HellCat has been known to take a rather unusual twist on things when it comes to plying on the pressure.

Millions of free VPN users have inadvertently sent their data to China | TechRadar

The article describes how millions of free VPN users have inadvertently sent their data to China without realizing it. At least five VPNs are linked to Qihoo 360, a Shanghai-based firm with alleged ties to the Chinese military. The article also highlights the risks associated with free VPNs and suggests using premium VPN services for enhanced privacy and security.

Hunters International Ransomware Gang Rebranding, Shifting Focus - SecurityWeek

The notorious cybercrime group Hunters International, known for ransomware attacks, is rebranding and shifting its focus to data theft and extortion. Evidence suggests Hunters is a rebrand of the Hive ransomware gang, utilizing similar tools and techniques. The group plans to move away from file-encrypting ransomware, opting instead for exfiltration-only attacks through a new project called World Leaks.

Attackers are leveraging Cisco Smart Licensing Utility static admin credentials (CVE-2024-20439) - Help Net Security

Attackers are exploiting CVE-2024-20439, a static credential vulnerability in Cisco Smart Licensing Utility, allowing unauthenticated remote access. Cisco released a fix in September 2024, but exploitation attempts were only detected in March 2025. CISA urges US federal agencies to apply mitigations or discontinue use by April 21, 2025.

HellCat Ransomware: What You Need To Know | Tripwire

HellCat is a ransomware-as-a-service group that emerged in 2024, employing a “double extortion” tactic by stealing sensitive data and encrypting systems. The group gained attention for demanding part of a ransom from Schneider Electric in baguettes, though the company did not disclose payment. HellCat has targeted organizations like Israel’s parliament and Jordan’s Ministry of Education, and there is currently no public decryption tool for their ransomware.

EvilCorp join with RansomHub to launch global cyber attacks - Cybersecurity Insiders

EvilCorp, a notorious cybercriminal group led by Maksim Yakubets, has partnered with RansomHub, a ransomware-as-a-service provider. This alliance poses a significant threat to global industries and law enforcement agencies, as it combines EvilCorp’s expertise in financial crimes with RansomHub’s ability to launch sophisticated ransomware attacks. The collaboration, which aims to bolster EvilCorp’s financial capabilities, highlights the evolving cyber threat landscape and the need for enhanced cybersecurity measures.

Hackers Exploit Stripe API for Web Skimming Card Theft on Online Stores

Hackers are using a sophisticated web-skimming campaign targeting online retailers, utilizing a deprecated Stripe API to validate stolen credit card details in real-time. The attack involves injecting malicious JavaScript code into checkout pages, obfuscating crucial URLs, and using Stripe’s API to validate card details before transmitting them to malicious servers. Researchers have identified around 49 affected merchants and recommend implementing real-time webpage monitoring solutions to detect unauthorized script injections.

Localhost dangers: CORS and DNS rebinding - The GitHub Blog

Cross-Origin Resource Sharing (CORS) allows websites to communicate with each other, but improperly configured CORS policies can lead to vulnerabilities. Developers often use broad or faulty CORS rules, allowing attackers to bypass authentication and execute remote code. Real-world examples demonstrate how these misconfigurations can result in significant security risks, including remote code execution and unauthorized access to sensitive data.

Ivanti security advisory (AV25-184) - Canadian Centre for Cyber Security

Ivanti published a security advisory on April 3, 2025, addressing a vulnerability in multiple products. A critical update is available for Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways.

Chinese APT Pounces on Misdiagnosed RCE in Ivanti VPN Appliances  - SecurityWeek

Ivanti recently discovered a critical vulnerability in its Connect Secure VPN appliances, CVE-2025-22457, which was originally patched in February but misdiagnosed as a denial-of-service issue. Chinese hackers, tracked as UNC5221, are actively exploiting this vulnerability to deploy backdoors. Ivanti urges customers to update to the latest version and migrate away from unsupported appliances.

New advanced FIN7’s Anubis backdoor allows to gain full system control on Windows

Russian cybercrime group FIN7 (also known as Savage Ladybug or Carbanak) has developed a new Python-based backdoor called Anubis that provides complete remote control over infected Windows systems. This sophisticated malware is distributed as a ZIP package containing Python scripts and executables, using AES-CBC encryption with base64 encoding to obscure its activities. According to cybersecurity firm PRODAFT, Anubis employs obfuscation techniques to evade detection by most antivirus solutions and is primarily delivered through phishing campaigns using compromised SharePoint sites. The backdoor communicates via TCP sockets and supports numerous malicious capabilities including executing shell commands, keylogging, file transfers, registry modifications, and loading DLLs into memory. This threat represents a significant security risk to enterprise environments, particularly targeting restaurants, gambling, and hospitality industries in the United States.​​​​​​​​​​​​​​​​

79 Arrested as Dark Web’s Largest Child Abuse Network ‘Kidflix’ Busted

In a sweeping global operation, authorities have dismantled “Kidflix,” the dark web’s largest child sexual abuse material network with over 1.8 million registered users and more than 91,000 unique videos. The platform, which operated from 2021 until its seizure on 11 March 2025, incentivized abuse through a cryptocurrency token system rewarding uploads and engagement. Operation Stream, involving law enforcement from 35+ countries, has resulted in 79 arrests thus far, the identification of nearly 1,400 suspects, the seizure of 3,000+ electronic devices, and the rescue of 39 children from abusive situations. Europol Executive Director Catherine De Bolle emphasized that “behind every video is a child who has experienced real abuse,” highlighting the urgent need to stop such exploitation at its source.​​​​​​​​​​​​​​​​

Andy Yen gegen Revisionsplan des Bundesrats: «Mit dieser aggressiven Überwachung müsste Proton die Schweiz verlassen» | Der Bund

Andy Yen, CEO of Swiss tech company Proton, warns that proposed revisions to Switzerland’s surveillance law could force secure communications providers like ProtonMail and Threema to hand over user data—something they currently are not required to do without a court order. Yen argues the revision represents an “aggressive expansion of the surveillance state” and directly threatens both the privacy of users and the business viability of companies like his.

Yen, whose company employs 500 people globally (150 in Switzerland), stated that if the changes are implemented, Proton would be compelled to relocate. He emphasized that the proposed law would make Swiss surveillance stricter than that in the United States or the European Union, thereby harming Switzerland’s reputation for security, privacy, and trust.

A previous attempt to broaden surveillance powers in 2018 was blocked by the Swiss Federal Court in 2021. Yen claims the new proposal effectively circumvents that ruling.

China’s FamousSparrow APT Hits Americas with SparrowDoor Malware

A recent ESET investigation reveals that China-linked APT group FamousSparrow (also known as Salt Typhoon) has launched a new cyberespionage campaign targeting organizations in the Americas with upgraded versions of its SparrowDoor malware. The campaign, detected in July 2024, compromised a U.S. financial trade group, a Mexican research institute, and a Honduran government institution. Notably, this marks the first documented case of FamousSparrow using ShadowPad, a backdoor exclusively provided to China-aligned threat actors. The attack chain began with webshell deployment on IIS servers, likely exploiting vulnerabilities in outdated Windows Server and Microsoft Exchange systems, followed by privilege escalation and the implementation of a sophisticated “trident loading scheme” to execute SparrowDoor. Though ESET researchers maintain that FamousSparrow is distinct from GhostEmperor and Earth Estries groups, they acknowledge code overlaps that might indicate a shared third-party supplier of digital tools.​​​​​​​​​​​​​​​​

Google Calendar leading to Phishing Scams and Data Thefts - Cybersecurity Insiders

Cybercriminals are increasingly exploiting Google Calendar by sending deceptive event invitations, meetings, or payment reminders that appear to come from trusted sources. These invitations contain links to fraudulent websites where victims are tricked into entering sensitive credentials. Once hackers obtain these details, they often immediately change passwords to lock out legitimate users. This threat is particularly concerning with the rise of single sign-on systems, where compromising one account could grant access to multiple platforms. To protect yourself, enable Multi-Factor Authentication on all accounts, create complex passwords of at least 14-18 characters combining uppercase and lowercase letters, numbers, and special characters, verify sender legitimacy before clicking links, and keep your devices updated with the latest security patches.​​​​​​​​​​​​​​​​

T-Mobile Shows Users the Names, Pictures, and Exact Locations of Random Children

On Tuesday, T-Mobile experienced a significant privacy breach with its SyncUP tracking devices, whereby parents lost the ability to monitor their own children’s locations and instead were shown the precise whereabouts of random children across the country. A parent identified as Jenna logged into the app to check if her young children had left school, only to discover the real-time locations, names, and profile pictures of eight different children elsewhere in the United States. Similar complaints emerged on social media platforms, with users reporting they could see strangers' children or vehicles rather than their own. T-Mobile acknowledged the issue, stating that a “temporary system issue” resulting from a “planned technology update” had been “fully resolved” by the following day, though they were still assessing potential impacts to what they described as “a small number of customers.“​​​​​​​​​​​​​​​​

Cisco security advisory (AV25-182) - Canadian Centre for Cyber Security

Jenkins security advisory (AV25-183) - Canadian Centre for Cyber Security

China Regulator Proposes Amendments to Cybersecurity Law – DataBreaches.Net

The Cyberspace Administration of China recently released draft amendments to China’s Cybersecurity Law for public consultation until April 27, 2025. These amendments aim to align the law with newer legislation including the Personal Information Protection Law, Data Security Law, and Law of Administrative Penalties. Key changes focus on liability provisions, introducing stricter penalties for major data breaches and critical infrastructure failures, imposing liability for selling uncertified cybersecurity equipment, and clarifying penalties for critical information infrastructure operators using unapproved network products or services.​​​​​​​​​​​​​​​​

UK sets out new cyber reporting requirements for critical infrastructure therecord.media/uk-sets-o…

In a policy statement published Tuesday, the British government set out what its forthcoming Cyber Security and Resilience Bill will include when it is introduced to parliament later this year. The belated reworking of the country’s cybersecurity regulations comes three years after the previous government had prematurely described those laws as “updated” while failing to actually introduce the legislation.

“For too long, successive governments have failed to properly address the growing risk posed by cyber criminals and hostile states. Our people have paid the price,” said Peter Kyle, the Secretary of State, in a foreword to the policy document.

Britain’s cybersecurity laws were passed in 2018 and are based on the European Union’s Network and Information Systems (NIS) Directive. They were not reworked following the United Kingdom’s withdrawal from the European Union in 2020, even though the EU itself did so through the NIS2 update in 2022.