Infosec News

cyclone

Malicious "Solidity" VSCode Extension Steals Over $500K in Crypto

A polished VSCode-compatible extension targeting Cursor AI users named “Solidity Language” sneaked into Open VSX, masquerading as a legit Solidity syntax helper. Instead, it executed a PowerShell payload, installed ScreenConnect for remote access, and rolled out VBScript-based downloaders that deployed Quasar RAT and PureLogs stealer. The result: capture of crypto wallet seed phrases and a $500,000 loss for one Russian Ethereum dev.

Key attack highlights:

Fake vs. real: The malicious plugin (54,000+ downloads) was ranked higher than the official “solidity” (61,000) by gaming Open VSX’s ranking with inflated download counts.
Quick re-upload: Removed on July 2, but republished the next day as “solidity” with around 2 million fake installs, using near-identical naming (“juanbIanco” vs “juanblanco”).
Supply-chain risk hub: This campaign isn’t an isolated case; variants like “solaibot”, “among-eth” and malicious npm package “solsafe” have similarly used Open VSX or VS Code as vectors.

Sources:

cyclone

Abacus Market: Darknet Domination Turns Into Disappearing Act

Abacus Market, once the largest Western darknet marketplace accepting Bitcoin (and Monero), abruptly shut down in early July 2025 in what analysts believe is a classic exit scam, likely funded by hundreds of millions in cryptocurrency.

Launched in September 2021 (originally as Alphabet Market), Abacus surged holding about 70% of the Bitcoin-enabled darknet market in 2024. In June 2025 it peaked at $6.3 million/month in brokered sales, with daily deposits about $230K across 1,400 transactions. Over the 4+ years, Abacus processed around $100 million in Bitcoin, adding Monero brings estimated total sales to $300–$400 million.

The platform went completely offline without any legal takedown notification, pointing to disappearance with funds. TRM Labs and analysts lean toward an exit scam, though a covert law enforcement operation can't be entirely ruled out.

Sources:

freeroute

Cloudflare 1.1.1.1 incident on July 14, 2025
On 14 July 2025, Cloudflare made a change to our service topologies that caused an outage for 1.1.1.1 on the edge, resulting in downtime for 62 minutes for customers using the 1.1.1.1 public DNS Resolver as well as intermittent degradation of service for Gateway DNS.

Cloudflare's 1.1.1.1 Resolver service became unavailable to the Internet starting at 21:52 UTC and ending at 22:54 UTC. The majority of 1.1.1.1 users globally were affected. For many users, not being able to resolve names using the 1.1.1.1 Resolver meant that basically all Internet services were unavailable. This outage can be observed on Cloudflare Radar.

The outage occurred because of a misconfiguration of legacy systems used to maintain the infrastructure that advertises Cloudflare’s IP addresses to the Internet.

This was a global outage. During the outage, Cloudflare's 1.1.1.1 Resolver was unavailable worldwide.

We’re very sorry for this outage. The root cause was an internal configuration error and not the result of an attack or a BGP hijack. In this blog, we’re going to talk about what the failure was, why it occurred, and what we’re doing to make sure this doesn’t happen again.

Source: https://blog.cloudflare.com/cloudflare-1-1-1-1-incident-on-july-14-2025/

cyclone

Salt Typhoon Hackers Breaches U.S. National Guard

Chinese state-sponsored APT Salt Typhoon pulled off a major breach, infiltrating a U.S. Army National Guard network for 9 months throughout 2024. They quietly exfiltrated network configs, admin creds, and inter-state comms data, potentially laying groundwork for lateral movement across other government networks.

Exploited vulnerabilities:
- CVE-2018-0171 – Cisco Smart Install RCE
- CVE-2023-20198 + 20273 – Cisco IOS XE chain
- CVE-2024-3400 – PAN-OS GlobalProtect injection
Stolen data:
- Network diagrams
- Admin credentials
- Interconnected traffic logs with other U.S. states & 4 territories
- PII of service members

Source:

https://www.bleepingcomputer.com/news/security/chinese-hackers-breached-national-guard-to-steal-network-configurations/

cyclone

Global SharePoint Zero-Day Attack Hits Thousands: Microsoft Warns of Ongoing Exploitation

A critical zero-day vulnerability in Microsoft SharePoint Server is being actively exploited by unknown threat actors, prompting urgent alerts from Microsoft, U.S. federal agencies, and international cybersecurity experts. The vulnerability affects only on-premises SharePoint servers. SharePoint Online (cloud) is not impacted.

This is one of the most significant post-SolarWinds-era attacks on enterprise infrastructure. Analysts warn that patching alone may not fully secure already compromised environments. Forensic investigation and credential auditing are essential.

Details:

Exploit Type: Zero-day vulnerability allowing spoofing and remote exploitation.
Affected Systems: Only on-prem SharePoint 2016/2019 installations; Microsoft 365 SharePoint Online is unaffected.
Threat Actor: Likely a single coordinated actor, based on identical payloads and attack patterns across victims.
Initial Exploits Detected: July 19–20, 2025, rapidly expanding globally.
Targets: U.S. federal and state agencies, banks, energy companies, telecom, and universities. Over 8,000 vulnerable servers detected online (via Shodan).

Response:

Microsoft released emergency security updates.
FBI and CISA are involved in mitigation and investigation.
Customers are urged to patch immediately or disconnect unpatched servers from the internet.
Experts recommend an “assume breach” posture and full incident response.

Sources:

cyclone

Starlink Suffers Global Outage on July 24, 2025

On July 24, 2025, at approximately 19:13 UTC, SpaceX’s Starlink network experienced a worldwide outage, resulting in a complete service blackout for thousands of users. By 20:54 UTC, platforms like Downdetector recorded 36k+ incident reports.

The outage extended across every major region including the US, Europe, Asia, Africa, and Australia, and severely impacted critical users, such as Ukrainian military terminals and T-Mobile’s newly launched satellite messaging service.

Starlink acknowledged the disruption via a website banner and posts on X, stating they were “actively implementing a solution”. CEO Elon Musk apologized, promising to rectify the underlying issue and restore service “shortly”.

Sources:

cyclone

Announced on 8/1/2025 by jsteube:

hashcat v7.0.0

Repository: hashcat/hashcat · Tag: v7.0.0 · Commit: 483efe2 · Released by: jsteube

Welcome to hashcat v7.0.0!

We're proud to announce the release of hashcat v7.0.0, the result of over two years of development, hundreds of features and fixes, and a complete refactor of several key components. This version also includes all accumulated changes from the v6.2.x minor releases.

This release is huge. The full write-up is nearly 10 000 words, which exceeds what MyBB supports in a single post.

If you have 30 minutes, here's the write-up (PDF):
https://github.com/hashcat/hashcat/blob/master/docs/release_notes_v7.0.0.pdf

Quick summary

Over 900 000 lines of code changed
Contributions from 105 developers, including 74 first-time contributors
Merged and documented all previously unannounced 6.2.x features

This release has 2 assets:

Source code (zip)
Source code (tar.gz)

Visit the release page to download them.

cyclone

WinRAR Zero-Day Exploit (CVE-2025-8088)

A critical zero‑day vulnerability, CVE‑2025‑8088, affecting Windows versions of WinRAR (and related tools such as UnRAR.dll and portable UnRAR) has been actively exploited in targeted spear‑phishing attacks by the Russian‑linked threat group RomCom (also known as Storm‑0978, Tropical Scorpius, UNC2596).

A path traversal flaw using alternate data streams (ADSes) allows attackers to embed malicious files in RAR archives, which WinRAR may extract to sensitive system locations such as the Startup folder, enabling automatic code execution on system boot.

Between July 18–21, 2025, spear‑phishing emails carrying booby‑trapped RAR attachments disguised as job applications or CVs were sent to financial, manufacturing, defense, and logistics organizations across Europe and Canada. The payloads included stealth delivery of backdoors such as Mythic Agent, SnipBot, and RustyClaw.

BI.ZONE reports that another group, Paper Werewolf, also exploited this same vulnerability in separate phishing campaigns targeting Russian organizations. Evidence suggests the exploit may have been sold on dark‑web forums for approximately $80,000.

WinRAR acknowledged the vulnerability following ESET’s disclosure on July 24, 2025, releasing a patched version (7.13) by July 30, 2025. Users must manually update, as WinRAR lacks an auto‑update feature.

Sources:

cyclone

OpenAI GPT-5 - Mixed User Reception

GPT-5 is now the default in ChatGPT with selectable “thinking” modes and an auto-router. After user backlash, OpenAI restored legacy 4 models behind a toggle and promised better deprecation hygiene. “Thinking” usage now has a 3,000 per week cap for paid Plus users.

Early writeups and reporting show jailbreakability remains (narrative/multi-turn attacks still work).

Backlash on removals/personality: Users complained about 4o being pulled and GPT-5 feeling “colder.” OpenAI rolled 4o back (opt-in) and pledged advance notice before removing models next time; personality tweaks inbound.

Media/dev takes: Coverage spans “smarter coding/agents, messier lineup.” BleepingComputer called the new menu “a mess (again)” after OpenAI added options while saying GPT-5 would simplify things.

OpenAI’s claims: Fewer hallucinations, better instruction-following, less sycophancy; strongest coding model to date.

Sources:

cyclone

Storm0501 Ransomware Gang Wipes Data and Backups in Azure

A financially motivated threat group known as Storm0501 has executed one of the most destructive cloud ransomware attacks seen to date. According to Microsoft Threat Intelligence, the group infiltrated a large enterprise operating multiple subsidiaries and successfully pivoted from on premises systems into Microsoft Azure.

Once inside, Storm0501 exfiltrated large volumes of data using the AzCopy CLI tool before deleting backups and encrypting what remained. The attackers exploited weaknesses in Microsoft Entra ID by compromising synchronization servers and abusing a non human global administrator account that lacked multifactor authentication. With full global admin access, the group granted itself ownership of Azure subscriptions, stole storage account keys, and ultimately wiped or encrypted critical resources.

This tactic prevented the victim from restoring operations, forcing them into a difficult recovery scenario. The incident shows how ransomware actors are evolving beyond traditional malware and now weaponizing cloud features to maximize damage.

Microsoft has warned that other threat groups are likely to adopt these same methods and recommends several defensive measures. Organizations should enforce least privilege across Azure environments, enable blob and VM backups, log activity in Key Vault, and harden hybrid cloud attack paths.

Storm0501 has previously targeted schools and healthcare organizations, and with this latest pivot to cloud only operations the group has raised the stakes for enterprises everywhere.

Sources:

cyclone

RAID Failure Causes Matrix.org Outage - Sep 2–3, 2025

What happened: On Sep 2, a RAID failure took out Matrix.org’s DB secondary (11:17 UTC), and later the primary failed (17:26 UTC). Engineers abandoned an unsafe filesystem recovery and instead restored a full 55 TB PostgreSQL snapshot from the previous night, rebuilt the DB, and replayed queued traffic. The homeserver came back online around 17:00 UTC on Sep 3 and was then monitored as it caught up.

Who was affected: Users on the matrix.org homeserver (e.g., @user:matrix.org) lost service during the restore/catch-up window. Folks running their own homeservers were not impacted.

Timeline (UTC):

Sep 2, 11:17 — DB secondary lost its filesystem due to a RAID failure.
Sep 2, 17:26 — DB primary failed.
Sep 2, 17:39 — Incident acknowledged on the status page (“identified an issue with the matrix.org database”).
Sep 2, 19:02 — Public post confirms RAID failure + plan (point-in-time restore).
Sep 2, 19:42 — Begin restoring from backup; matrix.org homeserver kept offline.
Sep 2, 21:41 — “Bad news”: switching to full 55 TB snapshot restore.
Sep 3, 07:13 — Progress: 47 TB/55 TB restored; still need DB rebuild + ~17 h traffic replay.
Sep 3, 08:49 — Status page: restoration ongoing; live-updates link shared.
Sep 3, 10:56 — “Snapshot + incrementals restored; about to replay remaining traffic” (ETA 3–4 h if all goes well).
Sep 3, 17:00 — matrix.org back online (reported).
Sep 3, 17:03 — Status: “Database restored; verification complete; Synapse started” — monitoring.
Sep 3, 17:37 — Continued monitoring.

Sources:

Incident history timestamps: https://status.matrix.org/incidents/mm9hdm78svgv
Matrix.org Mastodon updates (Sep 2–3, 2025):
- https://mastodon.matrix.org/@matrix/115136866878237078
- https://mastodon.matrix.org/@matrix
Live update link shared by Matrix.org: https://bsky.app/profile/matrix.org/post/3lxuslbzjuc2t

cyclone

Plex Breached... Again - Reset Your Passwords Now

Plex breached again, change your password and sign out everywhere.

Plex says an attacker got into one of its databases and pulled a limited set of user data, email, username, hashed passwords, authentication data. No payment info was stored. Plex is telling all users to reset their password, tick “Sign out connected devices” during the reset, then re-enable 2FA. If you use SSO, sign out of all devices from your account security page. Expect phishing around this, Plex won’t ask for your password or card details by email.

This mirrors the 2022 incident, so treat it seriously.

Sources:

hashpwn

Infosec News

hashcat v7.0.0

Quick summary

Who's Online [Full List]

Board Statistics