cybersecurity


An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

In short:

Australian internet provider iiNet has compromised the email addresses or phone numbers of hundreds of thousands of customers.

A third party gained access to its system after stealing account credentials from an employee, early investigations suggest.

What's next?

The telco has hired external IT and cybersecurity experts to assist its response.

cross-posted from: https://lemmy.sdf.org/post/40704783

Archived

In a concerning development on the cyber-espionage front, China-linked threat actor APT41 has been attributed to a new targeted campaign that infiltrates government IT infrastructure across Africa. The attackers used advanced techniques including command execution, credential harvesting, DLL side-loading, and covert command-and-control (C2) communication through internal systems like SharePoint servers.

While APT41 has a long-standing history of cyberattacks against global organizations across sectors such as energy, healthcare, telecom, and education, this is one of the few known large-scale campaigns that focuses on African targets—an area traditionally considered outside their operational focus.

[...]

This espionage campaign [...] represents a sophisticated intrusion that combines both custom-built and publicly available tools. It involves multiple attack stages: from initial access using Impacket modules, to privilege escalation via credential theft, to command execution using a compromised internal SharePoint server.

APT41’s strategy showcases a blend of traditional malware deployment and living-off-the-land (LotL) techniques, where trusted system tools and internal services are repurposed for malicious activities—making detection far more difficult.

The attackers demonstrated advanced knowledge of the victim’s infrastructure by embedding hardcoded IP addresses, internal service names, and proxy servers within their malware. The use of SharePoint as a C2 server is particularly unique, allowing the attackers to remain under the radar within internal network traffic.

[...]

A real estate developer fell victim to a cruise line scam after calling a phone number provided by Google's AI Overview feature. The scammer, impersonating Royal Caribbean customer service, obtained his credit card details by demonstrating knowledge of shuttle costs and pickup locations in Venice[^1].

The Washington Post found the same fraudulent number appearing across multiple cruise lines including Disney and Carnival's Princess line. "Bad guys write on online review sites, message boards and other websites claiming that a number they control belongs to a company's customer service center," the Post reports[^1].

Google and OpenAI's ChatGPT have become new vectors for this classic impostor scam. When these AI systems scan the web for information, they may surface fraudulent numbers that scammers have planted across multiple sites[^1].

"I've seen so many versions of similar trickery targeting Google users that I largely blame the company for not doing enough to safeguard its essential gateway to information," said the Post's reporter[^1].

Google stated they had "taken action" on several impostor numbers and were working on "broader improvements." OpenAI noted that many webpages referencing the bogus cruise number were removed, though their systems take time to update[^1].

[^1]: Slashdot - Google's 'AI Overview' Pointed Him to a Customer Service Number. It Was a Scam

MadeYouReset: A New HTTP/2 Vulnerability

Security researchers from Tel Aviv University have discovered a critical vulnerability in HTTP/2 implementations that allows attackers to trigger denial-of-service conditions by making servers reset their own connections[^1].

Unlike the 2023 HTTP/2 Rapid Reset attack that relied on clients spamming RST_STREAM frames, MadeYouReset tricks servers into performing the resets themselves through carefully crafted protocol-compliant frames[^1]. The attack exploits four key mechanisms:

  • Window-Overflow: Sending WINDOW_UPDATE frames that exceed protocol limits
  • Zero-Increment: Using invalid zero-value WINDOW_UPDATE frames
  • Half-Closed Stream Abuse: Sending illegal frames on half-closed streams
  • Priority-Length Mismatch: Creating malformed PRIORITY frames

The vulnerability (CVE-2025-8671) affects major HTTP/2 implementations including Netty, Jetty, Apache Tomcat, IBM WebSphere, and BIG-IP[^1]. Over 100 vendors required notification during the coordinated disclosure process[^8].

"Most servers are susceptible to a complete DoS, with a significant number also susceptible to an out-of-memory crash," said researcher Gal Bar Nahum[^8].

Recommended mitigations include:

  • Stricter protocol validation
  • Enhanced stream state tracking
  • Connection-level rate controls
  • Behavioral monitoring for protocol violations[^1]

[^1]: Imperva - MadeYouReset: Turning HTTP/2 Server Against Itself
[^8]: The Register - 'MadeYouReset' HTTP/2 flaw lets attackers DoS servers

cross-posted from: https://scribe.disroot.org/post/4016991

Archived

...

Confidential documents ... reveal that Serbia is procuring equipment to expand China's eLTE network system, increasing the capacity of the "Safe City" by another 3.500 cameras, despite domestic public opposition and criticism from the EU.

...

[New] documents contain details of the purchase of components to expand the protected eLTE network, which is based on Chinese Huawei technology and connects video surveillance cameras, police terminals and command centers of the Ministry of Internal Affairs (MUP).

It is the first written clue about the development of the network on which the "Safe City" project relies, a program that was launched back in 2017, when the Ministry of Interior of Serbia and the Chinese company Huawei signed the "Strategic Partnership Agreement for the introduction of eLTE technologies and solutions for the Safe City in the field of public security".

While the core of the Safe City project is the introduction of an intelligent video surveillance system, the eLTE network represents a platform for protected communication and data transfer within such a system.

The procurement of equipment, software and services for the expansion of the eLTE communication network was carried out in March 2024, marked as confidential.

Among the order items is a significant increase in the dispatch system using the eLTE network, including GIS software for resource access that expands the ability to view footage from cameras at specific locations.

...

cross-posted from: https://lemmy.sdf.org/post/40359316

Archived

Taiwan’s approach is also notable for its emphasis on transparency and civil society involvement.

[...]

Rather than adopting censorship-heavy models, Taiwan relies on openness, public trust and participatory defences to combat cognitive warfare.

[...]

China’s cyber activities against Taiwan are extensive and strategically coordinated. Prominent Chinese intruder groups capable of lurking in networks have conducted long-term cyber operations against Taiwanese government agencies, critical infrastructure and private sector entities. These campaigns are not solely intelligence-gathering exercises; many implant malware and establish persistent access that could be exploited in the event of a military contingency.

Taiwan’s National Security Bureau reported more than 2.4 million intrusion attempts per day targeting government networks in 2024—more than double the previous year. Many of these are attributed to Chinese actors seeking to exfiltrate sensitive data and prepare for potential sabotage of communications, energy systems and military infrastructure. US officials have described this activity as the ‘preparation of the battlefield’, whereby China positions itself to disrupt Taiwan’s command-and-control, logistics and public services at the outset of any conflict.

[...]

The XZ-Utils backdoor, first discovered in March 2024, is still present in at least 35 Linux images on Docker Hub, potentially putting users, organizations, and their data at risk.

[...]

Many CI/CD pipelines, developers, and production systems pull images directly from Docker Hub as base layers for their own containers, and if those images are compromised, the new build inherits the flaw or malicious code.

A new malware campaign discovered in August 2025 uses adult websites to spread a clickjack Trojan that secretly makes users "Like" Facebook posts without their knowledge[^1]. The scheme works by having users download what appears to be an SVG image file while browsing adult content sites, but the file contains malicious JavaScript code that executes a "LikeJack Trojan"[^1].

The campaign specifically targets users seeking adult content, taking advantage of increased restrictions around age verification on legitimate adult websites. When users click through links on these malicious sites, some visitors receive a downloaded SVG file that opens an empty Edge browser tab titled "Process Monitor"[^1].

The SVG file uses an obfuscation technique called "hybrid JSFuck" to hide its true purpose - downloading additional malicious code from crhammerstein[.]de that automatically clicks Facebook Like buttons on adult content posts. This artificially inflates the Like counts, helping the posts appear more prominently in Facebook feeds[^1].

Malwarebytes researchers found "a huge amount" of blogspot[.]com pages participating in this campaign. The criminals appear to be exploiting recent government age verification requirements that are pushing users away from legitimate adult sites toward shadier alternatives[^1].

[^1]: Malwarebytes - Adult sites trick users into Liking Facebook posts using a clickjack Trojan

Just heard about this on a podcast, and I've often looked for ways to put my skills to use on a volunteer basis. This would probably also be an excellent resume builder for students / aspiring cybersecurity professionals.

In his groundbreaking new research, HTTP/1.1 Must Die: The Desync Endgame, Kettle challenges the security community to completely rethink its approach to request smuggling. He argues that, in practical terms, it's nigh on impossible to consistently and reliably determine the boundaries between HTTP/1.1 requests, especially when implemented across the chains of interconnected systems that comprise modern web architectures. Mistakes such as parsing discrepancies are inevitable, and when using upstream HTTP/1.1, even the tiniest of bugs often have critical security impact, including complete site takeover.

This research demonstrates unequivocally that patching individual implementations will never be enough to eliminate the threat of request smuggling. Using upstream HTTP/2 offers a robust solution.

I just read this article in a marketing blog from PortSwigger, the maker of the penetration testing tool Burp Suite.

Can someone with more insight explain what we're supposed to do? Completely disabling HTTP/1.1 is probably not doable for many organisations.

Security researchers at Cisco Talos discovered critical vulnerabilities in Dell's ControlVault3 hardware security module that affect over 100 Dell laptop models[^1]. Called "ReVault," these five vulnerabilities allow attackers to compromise the system in two main ways:

  1. Post-compromise persistence: A non-administrative user can exploit the Windows APIs to execute arbitrary code on the ControlVault firmware, steal security keys, and modify the firmware to maintain access even after Windows reinstallation[^1].

  2. Physical attack: An attacker with physical access can directly connect to the Unified Security Hub board via USB, bypass login credentials and disk encryption, and even trick the fingerprint reader into accepting any fingerprint[^1].

The affected ControlVault3 and ControlVault3+ modules are primarily found in Dell Latitude and Precision business laptops used in cybersecurity, government, and other security-sensitive environments[^1].

Key mitigations include:

  • Installing the latest firmware updates
  • Disabling unused security peripherals
  • Enabling chassis intrusion detection
  • Using Windows Enhanced Sign-in Security (ESS)
  • Monitoring for suspicious crashes in Windows Biometric Service[^1]

[^1]: Cisco Talos - ReVault! When your SoC turns against you…

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!
