Several months after this thread, Conduent have finally filed an 8-K for a cyber incident.

They don’t say it, but it was ransomware. Ransomware group was Safepay. This is their second big ransomware incident.

The Fediverse had the thread first.

https://www.sec.gov/ix?doc=/Archives/edgar/data/1677703/000167770325000067/cndt-20250409.htm

Healthcare provider DaVita Inc have filed an 8-K with the SEC for an ongoing ransomware incident.

https://www.sec.gov/Archives/edgar/data/927066/000119312525079593/d948299d8k.htm

Sensata Technologies Holding plc filed an 8-K with the SEC for a ransomware attack which is remarkably honest, and pretty much the textbook example of how to do it well. https://www.sec.gov/ix?doc=/Archives/edgar/data/1477294/000147729425000047/st-20250406.htm

LFTD Partners Inc. filed an 8-K with the SEC for a cyber incident.

They purchased $350k in cryptocurrency... and immediately had it stolen.

“On April 1, 2025, the Company converted $350,000 of its cash into USD Coin (USDC), a digital stablecoin pegged to the U.S. dollar. Shortly thereafter, the digital wallet containing the USDC was compromised by an unauthorized and unknown third party, resulting in the theft of the full amount.”

https://www.sec.gov/ix?doc=/Archives/edgar/data/1391135/000109690625000425/lsfp-20250401.htm

The Oracle cloud threat actor has told the BBC they plan to release European region Oracle Cloud Classic data this weekend.

(sophos.com) Evilginx: How Attackers Bypass MFA Through Adversary-in-the-Middle Attacks https://news.sophos.com/en-us/2025/03/28/stealing-user-credentials-with-evilginx/

A short descriptive article about Evilginx and how stealing credentials work, a few suggested ways of detecting etc.

Summary:
This article examines Evilginx, a tool that leverages the legitimate nginx web server to conduct Adversary-in-the-Middle (AitM) attacks that can bypass multifactor authentication (MFA). The tool works by proxying web traffic through malicious sites that mimic legitimate services like Microsoft 365, capturing not only usernames and passwords but also session tokens. The article demonstrates how Evilginx operates, showing how attackers can gain full access to a user's account even when protected by MFA. It provides detection methods through Azure/Microsoft 365 logs and suggests both preemptive and reactive mitigations, emphasizing the need to move toward phishing-resistant FIDO2-based authentication methods.

Update: security vendor Resecurity hacked Blacklock and published their shell history, accounts etc.

https://www.resecurity.com/blog/article/blacklock-ransomware-a-late-holiday-gift-with-intrusion-into-the-threat-actors-infrastructure

Somebody is claiming to have exfiltrated 6 million lines of data with Oracle Cloud’s SSO and LDAP that includes JKS files, encrypted SSO passwords, key files and enterprise manager JPS keys from servers on login.*.oraclecloud.com

The poster has no prior reputation, it is unclear if they're LARPing. Some of the sample data does align with prior infostealer logs, I'm told. https://breachforums.st/Thread-SELLING-Oracle-cloud-traditional-hacked-login-X-oraclecloud-com

Black Basta ransomware group is indeed dead, post hack and dump of their chats.

Blacklock ransomware group aka El Dorado aka Dragon Force appear to have been hacked. Or should I say free pentest.

The free service from portmap.io is being abused to support malware C2 communications. If you don’t use it, I suggest blocking *.portmap.io via DNS, NGFW and/or web proxy.

#cybersecurity #threatintel

From: @ScumBots

#StagedC2 config observed at Sat Mar 15 18:09:04 2025 UTC, located at hXXps://pastebin[.]com/raw/a0epCKQK C2: xdeadlylez-30616[.]portmap[.]io:30616 (IP: 193.161.193.99)

These have all been shut down.
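As an added example that is not part of the original post, here is a small POSIX shell check a defender could run over resolver query logs to see which internal hosts are looking up portmap.io names, the kind of beaconing the post describes. The log lines are constructed to resemble BIND-style query logging (client IPs and the www/mail hostnames are made up; the portmap.io hostname is the one from the @ScumBots indicator above); adjust the field positions for your own resolver's format.

```shell
#!/bin/sh
# Added example, not the poster's own tooling: flag DNS lookups of portmap.io
# or any of its subdomains in resolver query logs.

# Constructed sample log lines (hypothetical client IPs, BIND-style layout).
SAMPLE_DNS_LOG='client 10.0.0.21#51234: query: www.example.com IN A + (10.0.0.1)
client 10.0.0.44#40210: query: xdeadlylez-30616.portmap.io IN A + (10.0.0.1)
client 10.0.0.9#60001: query: mail.example.org IN MX + (10.0.0.1)
client 10.0.0.44#40211: query: portmap.io IN A + (10.0.0.1)
client 10.0.0.17#33333: query: notportmap.io IN A + (10.0.0.1)'

# Print "client_ip queried_name" for each query that is portmap.io itself or a
# subdomain of it. The anchored suffix match avoids look-alikes such as
# notportmap.io, which a plain substring grep would also catch.
portmap_queries() {
    printf '%s\n' "$SAMPLE_DNS_LOG" \
      | awk '/ query: / {
            client = $2; sub(/#.*/, "", client)   # strip the source port
            name = $4
            if (name == "portmap.io" || name ~ /\.portmap\.io$/) print client, name
        }'
}

# Count matching queries per client so a host repeatedly resolving a portmap.io
# tunnel name stands out at the top of the list.
portmap_clients() {
    portmap_queries | awk '{print $1}' | sort | uniq -c | sort -rn
}

# If you go on to block the zone on a dnsmasq resolver, one setting covers the
# domain and all subdomains:
#   address=/portmap.io/0.0.0.0

portmap_queries
portmap_clients
```

Feed real logs in by replacing the `printf` of the sample with `cat /var/log/named/queries.log` (or your resolver's equivalent); the awk field numbers are the only part tied to the constructed format.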

NoName’s main Russian Telegram channel has been shut down this evening.

If anybody from NCA/NCSC etc that are dealing with Telegram follow me, get them to nuke:

https://t.me/noname05716engver
https://t.me/CyberArmyofRussiaReborn
https://t.me/+LpLxgU4upoYxMzQ8
https://t.me/+c6nkFWrv5XA3OTU0
https://t.me/Not_Realy_DDoSia_Bot
https://t.me/c/2013394917/1/4069

Email account:
noname057_16_official@proton.me

This is 100% of their messaging infrastructure.

#NoName #threatintel

About this X DDoS campaign: I've seen reports of attribution to Ukraine, and at least based on attack data at network level — I just don't see it. (And I should note: attribution is hard, so I am generally skeptical.)

Top contributors are 🇺🇸🇲🇽🇪🇸🇮🇹🇧🇷, and as with most botnets: very geographically distributed.

Most of the source IPs intersect with #Eleven11bot as we started seeing them on 26 February.

OK, now back to regularly scheduled skiing.

🚨 patch your Cisco AnyConnect boxes 🚨

For a 2020 vulnerability. Really.

Lots of ransomware cases coming in for Cisco AnyConnect/ASA recently and finally we know how - CVE-2020-3259

It was a vuln which allowed a CitrixBleed style memory dump, found by a Russian research org now under US sanctions. Ransomware operators have an exploit.

Sadly it looks like many orgs never patched.

https://www.truesec.com/hub/blog/akira-ransomware-and-exploitation-of-cisco-anyconnect-vulnerability-cve-2020-3259

National Presto Industries has filed an 8-K with the SEC for probably ransomware. Apparently they didn’t like including their company name in the text. https://www.sec.gov/ix?doc=/Archives/edgar/data/80172/000143774925006475/npk20250306_8k.htm

I wrote up everything I know about #ESXicape https://doublepulsar.com/use-one-virtual-machine-to-own-them-all-active-exploitation-of-esxicape-0091ccc5bdfc

Handala have been fully kicked off Telegram, including their backup channel.

Achievement unlocked as I can't remember a group ever getting fully booted.

Not sure if anybody else caught this, but CISA added CVE-2024-49035 to KEV a week ago - that vuln is about partner.microsoft.com being owned.

Partner.microsoft.com is a portal which allows orgs to grant access to Microsoft 365 tenants, ie read data of downstream customers.

3 different VMware zero days, under active exploitation by a ransomware group

CVE-2025-22224, CVE-2025-22225, CVE-2025-22226

VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion
VMware Cloud Foundation
VMware Telco Cloud Platform

(Exploitation actually ESXi)

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

MOD Police’s website is back online today, almost 3 months after NoName DDoS’d it. https://www.mod.police.uk/

I’ve been seeing an increase in the number of malicious emails using infogram[.]com in the lure url.

Apparently infogram[.]com is trusted by over 10M+ users worldwide. I wonder if they include malicious threat actors in that count?

Infogram[.]com says you can use their service for charts, maps, Infographics, Reports, and More. I guess phishing is “more”. Since the service has a free tier that lets you publish online, you can see why it’s perfect for your budding threat actor.

Recently I’ve seen a number of good looking malicious emails pretending to be from various orgs, all with included company logos.

Looking over the HTML of the emails I noticed an image URL common to all of them, logo.clearbit[.]com. It was in the image tag for the logo.

It’s a company logo API that uses logo.clearbit[.]com/“domain.whatever” for logo creation.

Might be a domain you want to start filtering for, as the API is clearly being abused thanks to it being absolutely free.

For some reason people are sharing llm garbage instead of the real chat logs for black basta. Here are the real logs and the telegram channel they're being shared in: https://t[.]me/shopotbasta/21

CTI is a team sport. Not a secret boys club. Sharing is caring.

@GossiTheDog The MEGA site is down, but the Telegram channel where this is being discussed provides a direct download of the chat contents via a ~50MB JSON file. Grepping for ZoomInfo URLs and using cut/sort/uniq can get folks a quick and dirty list of potentially targeted companies. Some of the company names I saw are listed on their ransom site, but some are attributed to other ransomware gangs. Some of the messages also have Forti/Cisco/Citrix as well as the $$$ amount after the ZoomInfo link for the company. Gonna guess this is likely the pwned appliance vendor and ransom amount for the company. One can likely walk back the vendor name to a critical RCE vulnerability which they exploited.

Grepping for CVEs, there's tons of chatter about various RCE vulnerabilities, mitigations, and PoC exploits. Same as Conti Leaks. I’m sure we’ll see a bunch of vendor write-ups in the coming days with Black Basta CTI analysis of the data.
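The grep/cut/sort/uniq triage the reply above describes, written out as an added POSIX shell example that is not the poster's own commands. The chat-export JSON below is a constructed stand-in for the ~50MB file the reply mentions (the company slugs, numbers and the `messages`/`text` field names are all assumptions); the goal is the defender's one, a deduplicated list of organisations named in the logs that may need notifying.

```shell
#!/bin/sh
# Added example, not the poster's own commands: pull ZoomInfo company URLs out
# of a chat-export JSON and turn them into a deduplicated list with counts.

# Constructed sample export. Real messages are far longer; only the pattern
# "zoominfo link, vendor keyword, number" from the reply above is reproduced.
SAMPLE_CHAT_JSON='{"messages":[
 {"id":1,"text":"https://www.zoominfo.com/c/example-corp/123456 forti 2000000"},
 {"id":2,"text":"check https://www.zoominfo.com/c/acme-widgets-inc/7891011 citrix 500000"},
 {"id":3,"text":"again https://www.zoominfo.com/c/example-corp/123456"},
 {"id":4,"text":"https://www.zoominfo.com/c/globex-llc/4455 cisco 1250000"},
 {"id":5,"text":"no link here"}
]}'

# Every ZoomInfo company URL (the /c/<slug>/<id> form), one per line. grep -o
# prints only the match, so surrounding JSON syntax never leaks into the list.
zoominfo_urls() {
    printf '%s\n' "$SAMPLE_CHAT_JSON" \
      | grep -oE 'https?://www\.zoominfo\.com/c/[A-Za-z0-9._-]+/[0-9]+'
}

# Company slug per URL with a mention count. Splitting on "/" puts the slug in
# field 5: https://www.zoominfo.com/c/example-corp/123456 -> example-corp
zoominfo_companies() {
    zoominfo_urls | cut -d/ -f5 | sort | uniq -c | sort -rn
}

# Messages that carry a vendor keyword and a number right after the link, the
# layout the reply guesses is "compromised appliance vendor, ransom amount".
# Output: "<slug> <vendor> <number>". The layout itself is a heuristic.
zoominfo_with_vendor() {
    printf '%s\n' "$SAMPLE_CHAT_JSON" \
      | grep -oiE 'zoominfo\.com/c/[A-Za-z0-9._-]+/[0-9]+ +(forti|cisco|citrix)[a-z]* +[0-9]+' \
      | awk -F'[/ ]+' '{print $3, $5, $6}'
}

zoominfo_companies
zoominfo_with_vendor
```

On the real export, replace the `printf` of the sample with `cat export.json`; because the extraction is regex-based it does not care about the JSON structure, which is exactly why it copes with a 50MB file that a JSON parser might choke on if the export is malformed.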

Netskope https://www.netskope.com/blog/telegram-abused-as-c2-channel-for-new-golang-backdoor

Backdoor written in Golang using Telegram for C2 communication. Perhaps most interestingly the referenced GitHub repository with IoCs is not there anymore? Or will be published soon perhaps?