Cyber Security News – Hacker News
https://cybersecuritynews.com/category/hacker-news/
World's #1 Premier Cybersecurity and Hacking News Portal
Feed last built: Thu, 04 Sep 2025 18:54:57 +0000

Chess.com Data Breach – Hackers Breached External System and Gained Internal Access
https://cybersecuritynews.com/chess-com-data-breach/
Thu, 04 Sep 2025 18:49:15 +0000

Online chess giant Chess.com has disclosed a data breach that compromised the personal information of 4,541 individuals, according to a filing with the Maine Attorney General’s Office.

The cyber incident took place on June 5, 2025, and was discovered nearly two weeks later, on June 19, 2025. Chess.com confirmed that the breach was the result of an external hack in which attackers gained unauthorized access to sensitive data.

The company reported that hackers were able to obtain names and personal identifiers, though it did not provide a full breakdown of all the data elements exposed. The breach affected users across multiple regions, including one resident of Maine.

Chess.com Response

Chess.com began notifying impacted individuals on September 3, 2025 through written notices. To help protect its community, the company is offering 12 months of complimentary identity theft protection services.

The notification was formally submitted by Elias Colabelli, Head of the Legal Department and Data Protection Officer at Chess.com, who emphasized that the company is strengthening its systems to prevent similar incidents in the future.

Although the number of affected users may seem low compared to other large-scale data breaches, the incident underscores how even major online platforms remain targets for cybercriminals. With more than 150 million users worldwide, Chess.com holds a vast amount of personal data, making it a lucrative target for hackers.

Cybersecurity experts warn that breaches of this nature can pave the way for identity theft, phishing attempts, and further fraud if stolen data circulates on underground markets.

Chess.com has not yet disclosed whether law enforcement is involved in the investigation. The company says it continues to work on tightening security protocols and monitoring its systems closely.

We have reached out to Chess.com for further details regarding the breach and are awaiting their response. This article will be updated as soon as new information becomes available.

For users, the breach is a reminder to stay vigilant, monitor financial accounts, and be cautious of suspicious emails that could exploit stolen personal details.

How SOCs Triage Incidents in Seconds with Threat Intelligence
https://cybersecuritynews.com/how-socs-triage-incidents-in-seconds/
Tue, 26 Aug 2025 17:38:25 +0000

When every minute counts, it’s important to have access to fresh threat intelligence at the tip of your finger. That’s what all high-performing SOC teams have in common. Learn where to get relevant threat data for free and how to triage incidents in seconds using it.

Getting & Applying Free Threat Intelligence

Enriching your indicators with threat intelligence is a process that shouldn’t be overlooked. It gives SOCs the data and tools to reach the key goals of a security team, such as:

  • Acceleration of alert triage
  • Detection rate growth
  • Reduction of alert fatigue

The first step to take in this direction is to find a reliable source of data on attacks, which can be quickly and effortlessly accessed during triage. For that, you can try Threat Intelligence Lookup, a searchable database of threat intel.

[Image: Main page of ANY.RUN’s TI Lookup]

By accumulating data from public malware investigations done by over 15,000 SOC teams and 500,000 individual researchers, it makes valuable indicators and their context available to you.

This means that in one simple query, you can tap into millions of malware analyses to identify and enrich your indicators, as well as find new ones for updates of proactive defense systems. For instance, during alert triage, you can verify a suspicious domain with a TI Lookup query like this:

domainName:"technologyenterdo.shop"

[Image: TI Lookup’s conclusion on the query and list of analyses for further investigation]

Almost instantly you’ll be given the answer: the indicator is malicious. More info can be found in ANY.RUN Sandbox. That’s where TI Lookup’s data comes from, so each indicator you find there is tied to a corresponding analysis session.

For proactive investigation of current threats in your location, try a compound search like this to collect IOCs and update detection rules in advance:

threatName:"tycoon" AND submissionCountry:"de"

[Image: Search results for Tycoon threats submitted in Germany]

It includes the name of the threat (Tycoon) and the short code of the country it was detected in (de—Germany). Moments after you enter it, TI Lookup returns an overview of matching threats and up to 20 recent analysis sessions done in ANY.RUN’s Interactive Sandbox. Use this information to detect potential threats proactively and to update detection systems.

[Image: TI Lookup shares links to relevant ANY.RUN sandbox sessions like this one]

Other use cases of Threat Intelligence Lookup include checking not only domains but also IPs and file hashes, as well as tracking threats by TTPs via an interactive MITRE ATT&CK matrix. Through them, TI Lookup brings significant improvements to SOC performance rates:

  • Deeper and Faster Threat Investigations: Uncover rich data by linking artifacts to real-world attack patterns and cut MTTR by understanding threat behavior and TTPs.
  • Stronger Proactive Defense: Track relevant threats and stay ahead of them by making smarter detection rules in SIEM, IDS/IPS, and EDR.
  • Better SOC Expertise: Close the knowledge gap in your team—analysts can study malware and adversary TTPs within the interactive sandbox and MITRE ATT&CK matrix.


Premium Access to Threat Intel for Enterprises

The use cases described above are available in the free version of TI Lookup. This can be enough to simplify and accelerate your threat investigation. But in case you’re looking for an enterprise-grade solution with unlimited functionality, consider trying TI Lookup Premium.

It unlocks access to extra query operators and over 40 parameters, all available analysis sessions, private searches and YARA search. With these features, you can create more advanced requests and see all threat data there is. The paid version of TI Lookup can also be integrated using API and SDK for an automated and smooth workflow.

  • Automated, Real-Time Detection: Correlate alerts against extensive IOCs, IOBs, and IOAs, while integrating TI Lookup with SIEM, TIP, or SOAR platforms for continuous monitoring.
  • Precision Hunting & Investigation: Build and search custom YARA rules in ANY.RUN’s database, and refine investigations with 40+ parameters and advanced operators.
  • Proactive Threat Awareness: Automate alerts for specific IOCs or behaviors, and leverage expert TI Reports to stay ahead of evolving malware trends across industries.

CISA Added WinRaR Zero-Day (CVE-2025-8088) Vulnerability That is Actively Exploited In the Wild
https://cybersecuritynews.com/cisa-added-winrar-zero-day-vulnerability/
Wed, 13 Aug 2025 20:30:26 +0000

The U.S. Cybersecurity and Infrastructure Security Agency has added the WinRAR vulnerability CVE-2025-8088 to its Known Exploited Vulnerabilities catalog, with a due date of September 2, 2025, for federal agencies to apply mitigations.

WinRAR has released version 7.13 to address a critical security vulnerability that has been actively exploited by cybercriminals, marking another significant security incident for the popular file compression software.

The vulnerability, designated CVE-2025-8088, allows attackers to execute arbitrary code through maliciously crafted archive files, prompting immediate action from users worldwide.

Critical Security Flaw Exploited by Russian Hackers

The newly discovered vulnerability represents a serious threat to Windows users, with security researchers confirming that it has been exploited in active campaigns.

CVE-2025-8088 is a path traversal vulnerability that affects the Windows versions of WinRAR, UnRAR, and associated components, allowing specially crafted archives to bypass user-specified extraction paths and write files to unintended locations on the file system.

This capability enables attackers to execute arbitrary code on compromised systems, making it a particularly dangerous security flaw.

ESET researchers have linked this vulnerability to exploitation by the Russian RomCom group, which has been targeting companies across Europe and Canada.

The cybersecurity firm’s research team, including Anton Cherepanov, Peter Košinár, and Peter Strýček, discovered the vulnerability and reported it to WinRAR developers.

The vulnerability has been assigned a CVSS score of 8.4, classifying it as HIGH severity, which underscores the critical nature of this security issue.

Technical Details and Affected Systems

The directory traversal vulnerability is distinct from a previously patched security flaw that was addressed in WinRAR version 7.12, indicating that this represents a new attack vector that required separate remediation. The affected systems include:

  • WinRAR for Windows – All desktop installations of the primary software.
  • RAR and UnRAR command-line utilities – Windows versions of these tools.
  • UnRAR.dll and portable UnRAR – Dynamic library and standalone versions.
  • Version range affected – All WinRAR versions from 0 through 7.12.
  • Unaffected platforms – Linux/Unix builds and RAR for Android remain secure.

The vulnerability affects all WinRAR versions from 0 through 7.12, meaning that virtually all existing installations require immediate updating.

The path traversal mechanism allows malicious archives to escape their intended extraction directories, potentially overwriting system files or placing executable code in locations where it can be automatically executed by the operating system.

This type of attack can lead to complete system compromise, data theft, or deployment of additional malware payloads.
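A defensive check for the archive path traversal class described above, as an added example that is not WinRAR's code or ESET's analysis: it uses Python's zipfile as a stand-in for the RAR format and constructed entry names, and shows how an extractor should validate every entry against the chosen destination directory before writing anything.

```python
"""Defensive check for archive path traversal, the bug class behind CVE-2025-8088.

Added example, not WinRAR or ESET code. Python's zipfile stands in for the RAR
format: the validation is the same for any archive whose entry names are
attacker-controlled.
"""
import io
import os
import tempfile
import zipfile


def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """Return True only if entry_name resolves to a path inside dest_dir."""
    # Archives written on Windows may carry backslashes; treat both separators
    # alike so "..\\x" is not mistaken for a plain file name on a POSIX host.
    name = entry_name.replace("\\", "/")
    # Reject absolute paths and drive-letter prefixes (/etc/x, C:/x) outright.
    # The drive check is deliberately conservative: any "X:" prefix is refused.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False
    # Any ".." segment is a traversal attempt; refuse it before touching disk.
    if any(part == ".." for part in name.split("/")):
        return False
    # realpath() resolves symlinks in dest_dir, so a symlinked extraction
    # folder cannot be used to redirect the write elsewhere.
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, target]) == root


def safe_extract(archive_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Extract entries that pass is_safe_entry(); return (written, rejected)."""
    written, rejected = [], []
    os.makedirs(dest_dir, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(dest_dir, info.filename):
                rejected.append(info.filename)
                continue
            out_path = os.path.join(dest_dir, info.filename.replace("\\", "/"))
            if info.is_dir():
                os.makedirs(out_path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with zf.open(info) as src, open(out_path, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def build_demo_archive() -> bytes:
    """Constructed sample archive: one benign entry and two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        # Constructed names shaped like traversal attempts: a relative escape
        # and a Windows-style path aimed above the extraction directory.
        zf.writestr("../../outside.txt", "must never be written")
        zf.writestr("..\\..\\escaped\\payload.bin", "must never be written")
    return buf.getvalue()


def run_demo() -> tuple[list[str], list[str]]:
    """Extract the sample archive into a scratch directory and report the result."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_demo_archive(), os.path.join(tmp, "out"))


if __name__ == "__main__":
    ok, bad = run_demo()
    print("written :", ok)   # ['docs/readme.txt']
    print("rejected:", bad)  # the two traversal entries
```

The same check belongs in any tool that unpacks untrusted archives, whether or not the archive library claims to sanitize names itself.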

Immediate Action Required for Users

WinRAR users must immediately update to version 7.13, which was released on July 30, 2025, with updated release notes published on August 12, 2025.

The update addresses not only the critical security vulnerability but also fixes several bugs from the previous version, including issues with the “Import settings from file” command and recovery size settings for older compression profiles.

The urgency of this update cannot be overstated, particularly given the confirmed exploitation in the wild. Organizations and individual users should prioritize this update across all Windows systems running WinRAR.

Beyond the immediate security fix, WinRAR 7.13 continues to offer advanced NTFS features that distinguish it from other compression tools, including built-in options to preserve symbolic links and archive Alternate Data Streams (ADS).

These capabilities remain valuable for backup, deployment, and forensic environments, but users must ensure they are running the latest secure version to benefit from these features safely.

Users who cannot immediately update should consider discontinuing use of WinRAR until the update can be applied, particularly in environments where untrusted archive files are regularly processed.

Microsoft Patch Tuesday August 2025 Released – 107 Vulnerabilities Fixed Including 36 RCE
https://cybersecuritynews.com/microsoft-patch-tuesday-august/
Tue, 12 Aug 2025 17:32:12 +0000

Microsoft released its August Patch Tuesday security updates, addressing a total of 107 vulnerabilities across its product ecosystem.

The update includes fixes for 90 vulnerabilities, classified as follows: 13 are Critical, 76 are Important, one is Moderate, and one is Low. Notably, none of these vulnerabilities are listed as actively exploited zero-days, which provides some relief for IT administrators.

The vulnerabilities fall into multiple categories, including Remote Code Execution (RCE), Elevation of Privilege (EoP), Information Disclosure, Spoofing, Denial of Service (DoS), and Tampering. Below is a detailed breakdown of the vulnerabilities by category, along with key insights for organizations to prioritize their patching efforts.

| Severity / Impact | Remote Code Execution (RCE) | Elevation of Privilege (EoP) | Information Disclosure | Spoofing | Denial of Service (DoS) | Tampering | Total |
|---|---|---|---|---|---|---|---|
| Critical | 9 | 1 | 2 | 1 | 0 | 0 | 13 |
| Important | 26 | 38 | 14 | 7 | 5 | 1 | 91 |
| Moderate | 0 | 1 | 0 | 1 | 0 | 0 | 2 |
| Low | 0 | 0 | 0 | 1 | 0 | 0 | 1 |
| Total | 35 | 40 | 16 | 10 | 5 | 1 | 107 |

On August 12, 2025, Microsoft released its monthly Patch Tuesday security updates, addressing a significant number of vulnerabilities across its product ecosystem.

Remote Code Execution (RCE) Vulnerabilities: 36 Total

Remote Code Execution vulnerabilities dominate this month’s Patch Tuesday, with 36 vulnerabilities patched, 10 of which are rated Critical. These flaws could allow attackers to execute arbitrary code, potentially compromising entire systems. Key RCE vulnerabilities include:

Windows Graphics Component (CVE-2025-50165, Critical): An untrusted pointer dereference in the Microsoft Graphics Component allows unauthorized attackers to execute code over a network.

DirectX Graphics Kernel (CVE-2025-50176, Critical): A type confusion flaw in the Graphics Kernel enables local code execution by an authorized attacker.

Microsoft Office (CVE-2025-53731, CVE-2025-53740, Critical): Multiple use-after-free vulnerabilities in Microsoft Office allow unauthorized attackers to execute code locally.

Microsoft Word (CVE-2025-53733, CVE-2025-53784, Critical): Flaws in Microsoft Word, including incorrect numeric type conversion and use-after-free issues, permit local code execution.

GDI+ (CVE-2025-53766, Critical): A heap-based buffer overflow in Windows GDI+ allows network-based code execution.

Windows Hyper-V (CVE-2025-48807, Critical): An improper restriction of communication channels in Hyper-V enables local code execution.

Microsoft Message Queuing (MSMQ) (CVE-2025-50177, Critical; CVE-2025-53143, CVE-2025-53144, CVE-2025-53145, Important): Multiple vulnerabilities, including use-after-free and type confusion flaws, affect MSMQ, allowing network-based code execution.

Microsoft Excel (CVE-2025-53741, CVE-2025-53759, CVE-2025-53737, CVE-2025-53739, Important): Heap-based buffer overflows and use-after-free issues in Excel enable local code execution.

Windows Routing and Remote Access Service (RRAS) (CVE-2025-49757, CVE-2025-50160, CVE-2025-50162, CVE-2025-50163, CVE-2025-50164, CVE-2025-53720, Important): Heap-based buffer overflows in RRAS allow network-based code execution.

Microsoft Patch Tuesday August 2025 – Vulnerabilities list

| CVE | Vulnerability Details | Actively Exploited | Type | Severity |
|---|---|---|---|---|
| CVE-2025-53781 | Azure Virtual Machines Information Disclosure Vulnerability | No | Information Disclosure | Critical |
| CVE-2025-50165 | Windows Graphics Component Remote Code Execution Vulnerability | No | Remote Code Execution | Critical |
| CVE-2025-50176 | DirectX Graphics Kernel Remote Code Execution Vulnerability | No | Remote Code Execution | Critical |
| CVE-2025-50177 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | No | Remote Code Execution | Critical |
| CVE-2025-53731 | Microsoft Office Remote Code Execution Vulnerability | No | Remote Code Execution | Critical |
| CVE-2025-53733 | Microsoft Word Remote Code Execution Vulnerability | No | Remote Code Execution | Critical |
| CVE-2025-53740 | Microsoft Office Remote Code Execution Vulnerability | No | Remote Code Execution | Critical |
| CVE-2025-53766 | GDI+ Remote Code Execution Vulnerability | No | Remote Code Execution | Critical |
| CVE-2025-53778 | Windows NTLM Elevation of Privilege Vulnerability | No | Elevation of Privilege | Critical |
| CVE-2025-53784 | Microsoft Word Remote Code Execution Vulnerability | No | Remote Code Execution | Critical |
| CVE-2025-53793 | Azure Stack Hub Information Disclosure Vulnerability | No | Information Disclosure | Critical |
| CVE-2025-48807 | Windows Hyper-V Remote Code Execution Vulnerability | No | Remote Code Execution | Critical |
| CVE-2025-49707 | Azure Virtual Machines Spoofing Vulnerability | No | Spoofing | Critical |
| CVE-2025-53786 | Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-49751 | Windows Hyper-V Denial of Service Vulnerability | No | Denial of Service | Important |
| CVE-2025-49745 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | No | Spoofing | Important |
| CVE-2025-49758 | Microsoft SQL Server Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53727 | Microsoft SQL Server Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53729 | Microsoft Azure File Sync Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-33051 | Microsoft Exchange Server Information Disclosure Vulnerability | No | Information Disclosure | Important |
| CVE-2025-53730 | Microsoft Office Visio Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-53741 | Microsoft Excel Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-53759 | Microsoft Excel Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-53760 | Microsoft SharePoint Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53761 | Microsoft PowerPoint Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-24999 | Microsoft SQL Server Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53772 | Web Deploy Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-53773 | GitHub Copilot and Visual Studio Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-25005 | Microsoft Exchange Server Tampering Vulnerability | No | Tampering | Important |
| CVE-2025-25006 | Microsoft Exchange Server Spoofing Vulnerability | No | Spoofing | Important |
| CVE-2025-25007 | Microsoft Exchange Server Spoofing Vulnerability | No | Spoofing | Important |
| CVE-2025-49743 | Windows Graphics Component Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-49757 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-49759 | Microsoft SQL Server Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-49761 | Windows Kernel Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-49762 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-50153 | Desktop Windows Manager Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-50154 | Microsoft Windows File Explorer Spoofing Vulnerability | No | Spoofing | Important |
| CVE-2025-50156 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | Information Disclosure | Important |
| CVE-2025-50158 | Windows NTFS Information Disclosure Vulnerability | No | Information Disclosure | Important |
| CVE-2025-50159 | Remote Access Point-to-Point Protocol (PPP) EAP-TLS Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-50160 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-50161 | Win32k Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-50162 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-50163 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-50164 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-50166 | Windows Distributed Transaction Coordinator (MSDTC) Information Disclosure Vulnerability | No | Information Disclosure | Important |
| CVE-2025-50167 | Windows Hyper-V Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-50168 | Win32k Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-50169 | Windows SMB Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-50170 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-50171 | Remote Desktop Spoofing Vulnerability | No | Spoofing | Important |
| CVE-2025-50172 | DirectX Graphics Kernel Denial of Service Vulnerability | No | Denial of Service | Important |
| CVE-2025-50173 | Windows Installer Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53131 | Windows Media Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-53132 | Win32k Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53133 | Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53134 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53135 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53136 | NT OS Kernel Information Disclosure Vulnerability | No | Information Disclosure | Important |
| CVE-2025-53137 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53138 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | Information Disclosure | Important |
| CVE-2025-53140 | Windows Kernel Transaction Manager Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53141 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53142 | Microsoft Brokering File System Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53143 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-53144 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-53145 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-53147 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53148 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | Information Disclosure | Important |
| CVE-2025-53149 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53151 | Windows Kernel Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53152 | Desktop Windows Manager Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-53153 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | Information Disclosure | Important |
| CVE-2025-53154 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53155 | Windows Hyper-V Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53156 | Windows Storage Port Driver Information Disclosure Vulnerability | No | Information Disclosure | Important |
| CVE-2025-53716 | Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | No | Denial of Service | Important |
| CVE-2025-53718 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53719 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | Information Disclosure | Important |
| CVE-2025-53720 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-53721 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53722 | Windows Remote Desktop Services Denial of Service Vulnerability | No | Denial of Service | Important |
| CVE-2025-53723 | Windows Hyper-V Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53724 | Windows Push Notifications Apps Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53725 | Windows Push Notifications Apps Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53726 | Windows Push Notifications Apps Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53728 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | No | Information Disclosure | Important |
| CVE-2025-47954 | Microsoft SQL Server Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53732 | Microsoft Office Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-53734 | Microsoft Office Visio Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-53735 | Microsoft Excel Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-53736 | Microsoft Word Information Disclosure Vulnerability | No | Information Disclosure | Important |
| CVE-2025-53737 | Microsoft Excel Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-53738 | Microsoft Word Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-53739 | Microsoft Excel Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-53765 | Azure Stack Hub Information Disclosure Vulnerability | No | Information Disclosure | Important |
| CVE-2025-53769 | Windows Security App Spoofing Vulnerability | No | Spoofing | Important |
| CVE-2025-50157 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | Information Disclosure | Important |
| CVE-2025-50155 | Windows Push Notifications Apps Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53783 | Microsoft Teams Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-53788 | Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-53789 | Windows StateRepository API Server file Elevation of Privilege Vulnerability | No | Elevation of Privilege | Important |
| CVE-2025-49712 | Microsoft SharePoint Remote Code Execution Vulnerability | No | Remote Code Execution | Important |
| CVE-2025-49755 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | No | Spoofing | Low |
| CVE-2025-53779 | Windows Kerberos Elevation of Privilege Vulnerability | No | Elevation of Privilege | Moderate |
| CVE-2025-49736 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | No | Spoofing | Moderate |

Darknet Market Escrow Systems is Vulnerable to Administrator Exit Scams
https://cybersecuritynews.com/darknet-market-escrow-systems-is-vulnerable-to-administrator-exit-scams/
Sat, 09 Aug 2025 19:38:30 +0000

Darknet markets, operating beyond the reach of traditional payment processors and legal systems, rely on escrow systems to secure cryptocurrency transactions between buyers and vendors. 

These systems, using multisignature wallets and automated release mechanisms, aim to ensure transaction security and facilitate dispute resolution.

However, vulnerabilities in centralized dispute processes and the persistent threat of exit scams highlight significant risks, as detailed in a recent analysis of darknet market operations.

Multisig Escrow: Balancing Security and Trust

Modern darknet markets commonly employ multisignature (multisig) escrow systems, typically using a 2-of-3 signature model involving the buyer, vendor, and market administrator. 

When a buyer places an order, funds are locked in a multisig address requiring two signatures to release—usually the buyer and vendor for successful transactions, with the administrator stepping in for disputes. This setup prevents any single party from accessing funds unilaterally, offering stronger security than centralized escrow systems where markets hold funds directly.

According to the Sam Bent report, in a typical transaction the market platform generates the multisig address and distributes private keys to the buyer and vendor, though some markets allow users to supply their own keys for added control. In successful transactions, buyer and vendor sign to release funds to the vendor without administrator involvement.

Crypto Multisignature Wallet (Credits: sambent)

 In disputes, administrators use their key to allocate funds based on evidence like shipping confirmations or product photos. While multisig wallets reduce the risk of funds theft if market servers are compromised, they still rely on trust in administrators for fair dispute resolution and require users to safeguard their private keys.

Automated Timers and Exit Scam Vulnerabilities

To streamline operations, many darknet markets use automated escrow release systems, transferring funds to vendors after 7 to 21 days unless buyers initiate disputes.

These timers, shorter for domestic orders and longer for international shipments, assume buyers will receive goods within the timeframe and only dispute problematic transactions.

Buyers can manually release funds early upon satisfactory delivery, benefiting vendors with faster payouts, while graduated release systems for large orders provide partial payments to vendors while protecting buyers.

However, these automated systems burden buyers with monitoring orders to dispute issues before deadlines, and extended escrow periods can strain vendor liquidity or tempt administrators into exit scams, where they abscond with all escrowed funds. Historical data shows exit scams dominate darknet market closures, often timed during high escrow volumes like holiday seasons. 
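A small model of the 2-of-3 escrow and timer rules described above, added here as an illustration (it is not code from the Sam Bent report or from any market software). Keys and signatures are simulated with HMAC-SHA256 rather than Bitcoin multisig script, and the role names, order ids, amounts and dates are constructed; it also shows the point that a market which generated every key can meet the threshold on its own.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

THRESHOLD = 2                            # 2-of-3, as the article describes
ROLES = ("buyer", "vendor", "admin")

def sign(key: bytes, msg: bytes) -> bytes:
    # Stand-in for a real multisig signature: HMAC-SHA256 under the role's key.
    return hmac.new(key, msg, hashlib.sha256).digest()

@dataclass
class Escrow:
    order_id: str
    amount_sats: int
    placed_at: datetime
    auto_release_days: int               # 7 (domestic) to 21 (international)
    keys: Dict[str, bytes]               # the three keys behind the multisig address
    disputed: bool = False
    released_to: Optional[str] = None

    def payout_msg(self, to: str) -> bytes:
        return f"{self.order_id}:{self.amount_sats}:{to}".encode()

    def release(self, to: str, sigs: Dict[str, bytes]) -> bool:
        """Pay `to` only if THRESHOLD distinct roles produced a valid signature."""
        if self.released_to is not None:
            return False                 # funds already moved
        msg = self.payout_msg(to)
        valid = {role for role, sig in sigs.items() if role in self.keys
                 and hmac.compare_digest(sign(self.keys[role], msg), sig)}
        if len(valid) < THRESHOLD:
            return False
        self.released_to = to
        return True

@dataclass
class Market:
    """Operator: always holds the admin key, plus every key it generated for a user."""
    held: Dict[str, bytes]

    def signatures_for(self, escrow: Escrow, to: str) -> Dict[str, bytes]:
        return {r: sign(k, escrow.payout_msg(to)) for r, k in self.held.items()}

    def can_abscond(self) -> bool:
        # Exit-scam exposure: the operator alone can meet the threshold.
        return len(self.held) >= THRESHOLD

    def auto_release(self, escrow: Escrow, now: datetime,
                     extra_sigs: Optional[Dict[str, bytes]] = None) -> bool:
        """Timer rule: pay the vendor after the window unless the buyer disputed."""
        deadline = escrow.placed_at + timedelta(days=escrow.auto_release_days)
        if escrow.disputed or now < deadline:
            return False
        sigs = dict(extra_sigs or {})    # signatures from users holding their own keys
        sigs.update(self.signatures_for(escrow, "vendor"))
        return escrow.release("vendor", sigs)

def setup_escrow(order_id: str, amount_sats: int, placed_at: datetime,
                 days: int, user_supplied: set):
    """Roles in `user_supplied` make their own key, which the market never sees;
    the market generates and keeps the rest. Returns (escrow, market, user keys)."""
    keys = {r: secrets.token_bytes(32) for r in ROLES}
    market = Market(held={r: k for r, k in keys.items() if r not in user_supplied})
    return Escrow(order_id, amount_sats, placed_at, days, keys), market, \
        {r: keys[r] for r in user_supplied}

def run_demo() -> Dict[str, bool]:
    """Constructed scenarios; order ids, amounts and dates are illustrative."""
    t0 = datetime(2025, 8, 1)
    out: Dict[str, bool] = {}
    # 1. The market generated all three keys (the common setup).
    esc, market, _ = setup_escrow("A1", 250_000, t0, 7, set())
    out["market_keys_can_abscond"] = market.can_abscond()                         # True
    out["auto_release_day3"] = market.auto_release(esc, t0 + timedelta(days=3))   # False
    out["auto_release_day7"] = market.auto_release(esc, t0 + timedelta(days=7))   # True
    # 2. Buyer and vendor supplied their own keys.
    esc, market, users = setup_escrow("B1", 250_000, t0, 21, {"buyer", "vendor"})
    out["own_keys_can_abscond"] = market.can_abscond()                            # False
    out["admin_alone_releases"] = esc.release("vendor", market.signatures_for(esc, "vendor"))  # False
    msg = esc.payout_msg("vendor")
    out["buyer_vendor_release"] = esc.release(                                    # True
        "vendor", {r: sign(users[r], msg) for r in ("buyer", "vendor")})
    # 3. Buyer disputes before the deadline; admin plus buyer sign a refund.
    esc, market, users = setup_escrow("C1", 90_000, t0, 21, {"buyer", "vendor"})
    esc.disputed = True
    vendor_sig = {"vendor": sign(users["vendor"], esc.payout_msg("vendor"))}
    out["disputed_auto_release"] = market.auto_release(esc, t0 + timedelta(days=30), vendor_sig)  # False
    refund = market.signatures_for(esc, "buyer")
    refund["buyer"] = sign(users["buyer"], esc.payout_msg("buyer"))
    out["dispute_refund"] = esc.release("buyer", refund)                          # True
    return out

if __name__ == "__main__":
    print(run_demo())
```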

The centralized dispute resolution process, reliant on administrators reviewing evidence, introduces risks of bias or corruption, as administrators earn fees from transactions and resolutions, potentially skewing decisions to favor market continuity over fairness.

The inherent trust required in administrators, combined with the anonymity of darknet markets, leaves users vulnerable to systematic theft, prompting many to favor direct deals with trusted vendors or limit escrow use to minimize losses. 

As darknet markets navigate the balance between security and operational efficiency, the persistent threat of exit scams underscores the need for decentralized alternatives to reduce reliance on centralized trust models.


Steelmaker Nucor Hacked – Attackers Gained Unauthorized Access to IT Systems
https://cybersecuritynews.com/steelmaker-nucor-hacked/
Mon, 23 Jun 2025 13:34:47 +0000

The post Steelmaker Nucor Hacked – Attackers Gained Unauthorized Access to IT Systems appeared first on Cyber Security News.

Summary
1. A leading U.S. steelmaker suffered a cyberattack in which hackers gained unauthorized access to its computer systems on May 13, 2025.
2. The company proactively shut down production operations at multiple steel manufacturing facilities as a safety measure.
3. The company describes the volume of compromised data as "limited" and is still reviewing what information was stolen.
4. All production facilities have resumed normal operations, and the hackers no longer have access to company systems.

Charlotte-based steel giant Nucor Corporation disclosed a significant cybersecurity incident where threat actors gained unauthorized access to the company’s information technology infrastructure. 

The breach prompted temporary production shutdowns across multiple facilities as the company implemented emergency containment protocols and engaged federal law enforcement authorities to investigate the intrusion.

According to the SEC filing report, Nucor’s cybersecurity team detected unauthorized access to critical IT systems that support operational functions across the company’s steel manufacturing facilities. 

The threat actors successfully penetrated the company’s network perimeter and maintained persistence within the compromised infrastructure, forcing Nucor to activate its formal incident response plan immediately upon discovery.

Steelmaker Nucor Hacked

The company proactively implemented network segmentation procedures and took potentially affected systems offline to prevent lateral movement by the attackers. 

This defensive measure resulted in temporary limitations to information technology applications that support manufacturing operations, compelling management to halt production activities at various locations as a precautionary measure. 

The disruption affected multiple facilities within Nucor’s nationwide network of steel production plants.

Nucor’s comprehensive forensic analysis, conducted in partnership with leading external cybersecurity specialists, confirmed that the threat actors successfully exfiltrated limited datasets from the company’s information technology systems during the breach period. 

The investigation revealed evidence of data extraction activities, though the company characterized the volume of compromised information as “limited” in scope.

The stolen data is currently undergoing detailed review and classification to determine the specific types of information accessed by the attackers. 

Nucor indicated it will provide appropriate notifications to potentially affected parties and regulatory agencies in compliance with applicable data breach notification statutes and industry-specific cybersecurity regulations. 

The company’s investigation team continues analyzing system logs and network traffic patterns to establish a complete timeline of the attackers’ activities within the compromised environment.

Mitigations

Since the initial Form 8-K filing, Nucor has successfully restored all affected production operations and reestablished access to critical information technology applications required for normal business functions. 

The company’s cybersecurity team, working alongside external incident response specialists, implemented additional security controls and network hardening measures to prevent future unauthorized access attempts.

Federal law enforcement authorities remain actively involved in the investigation, with Nucor providing full cooperation to support the criminal inquiry into the cyberattack. 

The company confirmed that threat actors no longer maintain access to its information technology systems following the comprehensive remediation activities.

Despite the operational disruptions and security breach, Nucor’s management assessment indicates the incident has not materially impacted the company’s financial condition or operational capabilities.


Exclusive! Entire Conti Ransomware Gang Including Key Leaders With Photo & Infrastructure Exposed
https://cybersecuritynews.com/conti-ransomware-gang-exposed/
Mon, 02 Jun 2025 04:55:56 +0000

The post Exclusive! Entire Conti Ransomware Gang Including Key Leaders With Photo & Infrastructure Exposed appeared first on Cyber Security News.

In a landmark investigation, the anonymous cybercrime investigator GangExposed has struck a devastating blow against the notorious Conti ransomware group, exposing the real identities, operational strategies, and global movements of its key figures.

Through meticulous analysis of leaked communications, travel records, financial data, and public records, GangExposed has unmasked core leaders including Vladimir Viktorovich Kvitko (“Professor”), the elusive mastermind “Target,” negotiator Arkady Valentinovich Bondarenko, and system administrator Andrey Yuryevich Zhuykov (“Defender”).

This exclusive report delves into the syndicate’s Dubai-based operations, its attacks on hospitals during the COVID-19 pandemic, and the critical infrastructure sustaining its global cybercrime empire, offering law enforcement a rare opportunity to dismantle one of the world’s most dangerous ransomware networks.

The U.S. Department of State’s Rewards for Justice (RFJ) program has announced a reward of up to $10 million for information leading to the identification or location of individuals involved in malicious cyber activities against U.S. critical infrastructure, in violation of the Computer Fraud and Abuse Act (CFAA).

The initiative specifically targets members of the Conti ransomware group, a Russian government-linked ransomware-as-a-service (RaaS) operation known for attacking vital U.S. and Western infrastructure.

Conti Ransomware Group and Key Actors

The RFJ program is seeking information on malicious cyber actors operating under the aliases “Target,” “Reshaev,” “Professor,” “Tramp,” and “Dandis,” believed to be associated with Conti, also known as Wizard Spider.

First detected in 2019, Conti has conducted over 1,000 ransomware operations, targeting critical infrastructure sectors including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities.

Of the more than 400 organizations worldwide victimized by Conti, over 290 are located in the United States.

Unmasking “Professor”: Vladimir Viktorovich Kvitko

GangExposed has conclusively identified “Professor,” a core Conti leader, as Vladimir Viktorovich Kvitko (born October 23, 1984), a Russian national who relocated from Moscow to Dubai in autumn 2020.

Kvitko’s role in Conti involves orchestrating real-world carding schemes, leveraging weak banking systems in countries like India, Cuba, and Iran.

His identity was confirmed through synchronized travel patterns and chat inactivity: Russian records show Kvitko in the Altai Republic from June 15–17, 2021, matching periods when “Professor” was silent in Conti’s Jabber chats, resuming communication upon his return to Moscow on June 18.

FSB border data further document his frequent trips to the UAE, Cuba, Iran, Austria, and Turkey, aligning with Conti’s operations. Since August 2022, Kvitko has remained in Dubai, managing visa extensions via trips to the Netherlands and Austria.

His dossier, including passports, phone numbers, emails, social media profiles, and property records tied to income from RM RAIL Management Company and Rosselkhozbank, is part of GangExposed’s digital archive Mega link.

The Dubai Hub: Conti’s Autumn 2021 Offensive

In autumn 2021, Conti transformed Dubai into a strategic hub for a massive wave of ransomware attacks targeting Western, Middle Eastern, and Chinese companies.

Led by “Target,” a figure with a $10 million FBI bounty, the group operated from physical offices equipped with dedicated attack infrastructure, coordinated by system administrator Andrey Zhuykov and involving negotiator Arkady Bondarenko.

The operation’s timeline reveals meticulous planning:

  • On October 1, 2021, leaked chats reference a “negotiator” described as a “Canadian from a recovery company,” identified as Bondarenko, who flew from Dubai to Moscow that day (flight EK-133), discussing payment issues via the Suex exchange. This coincided with Conti’s attack preparations.
  • By October 2, “Target” coordinated the setup of a Dubai office, ordering equipment and collaborating with deputy Sergey Khitrov.
  • Between October 10–14, key members, including Marat Nurtdinov, Oleg Fakeev, Kvitko, and Elizaveta Suchkova, arrived in Dubai via flights SU-520 and G9-956.
  • From October 17 to November 6, Conti executed peak attacks: 7 on October 17 (e.g., Graff Diamonds, JVCKenwood), 11 on October 23 (e.g., Obeikan Investment Group in the UAE), and 13 on November 6, including ARM China and TRINA SOLAR (UAE).

These attacks exploited the UAE’s lack of extradition agreements and lax cybercrime oversight, targeting not only Western firms but also local and Asian companies, with Bondarenko managing victim negotiations and Zhuykov ensuring the technical infrastructure’s stability.

Target: The $10 Million Predator

“Target,” operating under aliases like “Bloodrush” and “Red,” is Conti’s disciplined and ruthless leader, commanding a near-corporate criminal enterprise with nearly 100 operatives.

Despite a $10 million FBI bounty, he has evaded capture for three years, boasting ties to Russia’s FSB and amassing millions in Bitcoin while paying operatives $200 weekly.

His chilling disregard for human suffering was evident during the COVID-19 pandemic, when he targeted 428 U.S. hospitals in October 2020, gloating in chats: “428 hospitals… I’m satisfied” and “make them die or pay up.”

Target’s offline offices, strict employee oversight, and erasure of digital traces via platforms like Jabber and RocketChat highlight his operational sophistication.

GangExposed recovered deleted messages through metadata and quotes, exposing his schemes, including the Dubai hub’s establishment.

Arkady Bondarenko: The Conti Negotiator

Arkady Valentinovich Bondarenko (born August 2, 1970), a dual Russian-Canadian citizen, is identified as Conti’s key negotiator, managing victim communications and ransom payments.

On October 1, 2021, Conti member “Mango” described him as a “Canadian from a recovery company” in chats, aligning with his departure from Dubai to Moscow (flight EK-133).

His travel frequently overlapped with Kvitko’s, notably on January 17, 2020 (Kvitko on SU-522, Bondarenko on EK-134), May 2022, and February 2019, suggesting in-person coordination while avoiding shared flights.

Bondarenko’s financial profile, with over 107 million RUB from VTB Bank and ownership of luxury Moscow properties, premium vehicles (e.g., Infiniti QX80), and shell companies like LLC “Jewelry House Millennium,” indicates money laundering activities.

His dossier details multiple phones (e.g., +7 926 686-00-00), emails (e.g., arkadiy.bondarenko.70@mail.ru), and bank accounts, confirming his role as a financial intermediary.

Andrey Zhuykov: The Technical Backbone

Andrey Yuryevich Zhuykov (born February 18, 1982), known as “Defender” or “Def,” is Conti’s principal system administrator and DevOps specialist, responsible for the group’s technical infrastructure.

Operating from Russia’s Sverdlovsk Region and Sochi, Zhuykov manages servers, domains, proxies, VPNs, control panels, and backup channels, ensuring the stability and anonymity of Conti’s operations.

His high technical competence and strict management style make him a critical “single point of failure” for the group.

Leaked chats show him coordinating with leadership (e.g., Stern, Buza), suppliers, and coders, handling payments for servers and licenses, and conducting security audits to prevent vulnerabilities.

His dossier includes passports (e.g., 6511090337), phones (e.g., +7 989 165 9356), emails (e.g., megaprof@gmail.com), and social profiles (e.g., Telegram@nohau).

Zhuykov’s financial struggles, with debts exceeding 2 million RUB and enforcement cases for child support, contrast with his critical role in Conti’s multimillion-dollar operations.

Other Key Figures

Additional Conti leaders exposed include:

Vitaly Kovalev (“Stern”), whose leaked Telegram messages (@tguser1) reveal network connections. Despite plastic surgery to alter his appearance, GangExposed exposed his new face and passports.

Mikhail Mikhailovich Tsaryov (“Mango”), born April 20, 1989, a coordinator in the Conti-TrickBot ecosystem who referenced Bondarenko’s negotiator role.

Leaked Data: A Goldmine for Investigators

GangExposed’s unprecedented data release includes Conti Jabber and RocketChat leaks, Black Basta Matrix-Chat leaks, and Telegram messages from Kovalev, available in table and CSV formats.

These datasets detail internal communications, including Bondarenko’s negotiations and Zhuykov’s infrastructure management, enabling investigators to map Conti’s structure, track financial flows, and identify remaining figures. Recovered deleted chats reveal attempts to erase evidence of the Dubai hub, hospital attacks, and financial operations.

When GangExposed leaked Conti’s secrets, the group offered $4 million for a Telegram exploit to retaliate, as reported by Habr. This failed attempt underscores their desperation to silence the investigator, who noted, “I poked the hornet’s nest,” promising further revelations about Target’s identity.

The exposure of Conti’s Dubai hub, coupled with dossiers on Kvitko, Bondarenko, Zhuykov, and others, provides actionable intelligence for UAE authorities to investigate local victims like Obeikan Investment Group and TRINA SOLAR, and for Chinese authorities to probe ARM China’s breach.

Western agencies can leverage the $10 million bounty on Target, while Bondarenko’s dual citizenship and Zhuykov’s financial trails offer avenues for international cooperation to seize illicit funds.

GangExposed’s relentless investigation has shattered Conti’s anonymity, unmasking Kvitko as “Professor,” Bondarenko as the negotiator, Zhuykov as the technical backbone, and detailing Target’s hospital attacks and Dubai operations. With comprehensive dossiers and leaked data, this breakthrough offers law enforcement and victims a historic chance to dismantle a global cybercrime syndicate.


ConnectWise Hacked – Nation State Actors Compromised the Systems to Access Customer Data
https://cybersecuritynews.com/connectwise-hacked/
Fri, 30 May 2025 06:36:06 +0000

The post ConnectWise Hacked – Nation State Actors Compromised the Systems to Access Customer Data appeared first on Cyber Security News.

ConnectWise, a leading provider of software solutions for managed service providers, disclosed today that it detected suspicious activity within its environment, believed to be orchestrated by a sophisticated nation-state actor.

The breach, which impacted a small number of ScreenConnect customers, has prompted an immediate response from the company, including an investigation led by top cybersecurity firm Mandiant.

ConnectWise is a global leader in business automation software for technology service providers, offering solutions like ScreenConnect to streamline remote support and management. The company serves thousands of partners worldwide, delivering tools to enhance operational efficiency and client service.

In a statement released on May 28, ConnectWise confirmed that the incident involved unauthorized access to its internal systems. While the company emphasized that only a limited number of customers were affected, the involvement of a nation-state actor underscores the growing threat of advanced cyberattacks targeting critical software providers.

“ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers,” the Tampa, Fla.-based vendor said in a statement.

“We have launched an investigation with one of the leading forensic experts, Mandiant. We have communicated with all affected customers and are coordinating with law enforcement.”

“As part of our work with Mandiant, we patched ScreenConnect and implemented enhanced monitoring and hardening measures across our environment.”

“We have not observed any further suspicious activity in any customer instances. The security of our services is paramount to us, and we are closely monitoring the situation and will share additional information as we are able.”

“We take the security of our services extremely seriously,” ConnectWise stated. “Upon detecting the suspicious activity, we swiftly engaged Mandiant, one of the leading forensic experts, to investigate the incident. We have also implemented enhanced monitoring and hardening measures across our environment to prevent further incidents.”

ConnectWise has notified all affected customers and is working closely with law enforcement to address the breach.

The company reports that no additional suspicious activity has been observed in customer instances since the initial detection. ConnectWise has committed to providing updates as more information becomes available.

ScreenConnect, a remote access and support tool widely used by IT service providers, could represent a high-value target for attackers seeking to infiltrate multiple organizations through a single point of compromise.

Cyber Security News reached out to ConnectWise to learn how many customers were affected by this incident. The company did not disclose when the breach occurred or the number of affected MSPs or end users, but a source said the vendor had reached out to all those impacted by the breach.

Cybersecurity experts are urging ConnectWise customers to remain vigilant, apply any recommended patches or updates, and monitor their systems for unusual activity.


SonicWall SMA1000 Vulnerability Let Attackers to Exploit Encoded URLs To Gain Internal Systems Access Remotely
https://cybersecuritynews.com/sonicwall-sma1000-vulnerability/
Fri, 16 May 2025 05:39:27 +0000

The post SonicWall SMA1000 Vulnerability Let Attackers to Exploit Encoded URLs To Gain Internal Systems Access Remotely appeared first on Cyber Security News.

SonicWall has issued a high-priority security advisory (SNWLID-2025-0010) revealing a critical Server-Side Request Forgery (SSRF) vulnerability in its SMA1000 Appliance Work Place interface.

Tracked as CVE-2025-40595, the vulnerability carries a CVSS v3 score of 7.2, indicating a high-severity risk.

Discovered by security researcher Ronan Kervella of Bishopfox, the flaw could enable remote, unauthenticated attackers to exploit encoded URLs to trick the appliance into sending unauthorised requests to unintended destinations, potentially compromising system security.

The vulnerability affects SonicWall SMA1000 devices running firmware version 12.4.3-02925 (platform-hotfix) or earlier.

According to SonicWall’s Product Security Incident Response Team (PSIRT), this flaw in the Work Place interface could allow attackers to manipulate the appliance’s behavior, potentially accessing internal systems or external resources not intended to be reachable.

“By using an encoded URL, a remote unauthenticated attacker could potentially cause the appliance to make requests to unintended location,” SonicWall said.

Affected Systems and Urgent Fix

The SMA1000, part of SonicWall’s Secure Mobile Access (SMA) product line, is designed to provide secure remote access for organizations. The vulnerability impacts all SMA1000 devices on the specified firmware versions.

Importantly, SonicWall has confirmed that its Firewall and SMA 100 series products are not affected by this issue.

To address the vulnerability, SonicWall has released a hotfix, version 12.4.3-02963 (platform-hotfix) and higher, which fully resolves the SSRF flaw.

The update is available for download through the MySonicWall portal (mysonicwall.com). SonicWall PSIRT strongly urges all SMA1000 users to apply the hotfix immediately to protect their systems from potential exploitation.

The advisory notes that failing to upgrade could leave organizations vulnerable to attacks that could disrupt operations or expose sensitive data.

No Workaround Available

Unlike some vulnerabilities where temporary mitigations can reduce risk, SonicWall has stated that no workaround is available for this issue.

This underscores the urgency of applying the hotfix, as attackers could potentially exploit the flaw without requiring authentication, increasing the likelihood of targeted attacks.

The CVSS vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) highlights the ease of exploitation, with low attack complexity and no user interaction or privileges required.

For organizations relying on the SMA1000 for secure remote access, this vulnerability represents a significant risk. SSRF attacks can be particularly dangerous, as they may allow attackers to pivot to internal networks, access sensitive resources, or even chain the vulnerability with other exploits.
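As an added illustration of the bug class (generic example code written for this page; it is not SonicWall's code and does not describe the SMA1000 implementation): a destination check for a server-side fetch that parses and canonicalises the URL before deciding, beside the string-matching form that an encoded host gets past. The allowlist, the fake resolver and the sample URLs are constructed.

```python
import ipaddress
from typing import Callable, Dict, Iterable, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Weak form: a string blocklist applied to the raw URL. It never sees the host
# the HTTP client will actually contact, so an encoded form of that host passes.
INTERNAL_LITERALS = ("127.0.0.1", "localhost", "10.", "192.168.", "169.254.")

def naive_blocklist_check(url: str) -> bool:
    """Allow (True) unless an internal literal appears verbatim in the raw URL."""
    return not any(lit in url.lower() for lit in INTERNAL_LITERALS)

def canonical_host(url: str) -> Optional[str]:
    """Parse the URL and return its host in canonical form, or None to reject.
    Rejects non-HTTP schemes, userinfo, and any host that changes under
    percent-decoding (legitimate hostnames are never percent-encoded)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or parts.username or parts.password:
        return None
    host = parts.hostname or ""
    if not host or unquote(host) != host:
        return None
    return host.lower().rstrip(".")

Resolver = Optional[Callable[[str], Optional[str]]]

def address_is_global(host: str, resolve: Resolver) -> bool:
    """Classify the address that would really be contacted: the literal IP, or
    the one `resolve` returns. Loopback, private and link-local ranges fail."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                       # not a literal, so a hostname
        if resolve is None:
            return True                      # no resolver: allowlist alone decides
        try:
            ip = ipaddress.ip_address(resolve(host))
        except (ValueError, OSError):        # unresolvable or malformed answer
            return False
    return ip.is_global

def is_safe_destination(url: str, allowed_hosts: Iterable[str], resolve: Resolver = None) -> bool:
    """Hardened form: parse and canonicalise first, check where the request
    would really go, then apply the allowlist. Pass socket.gethostbyname as
    `resolve` in a real service and pin the resolved address for the request."""
    host = canonical_host(url)
    if host is None or not address_is_global(host, resolve):
        return False
    return host in {h.lower().rstrip(".") for h in allowed_hosts}

# Constructed allowlist and a dict standing in for DNS; addresses are illustrative.
ALLOWED_HOSTS = ("api.example.com", "cdn.example.net")
FAKE_DNS = {"api.example.com": "93.184.216.34", "cdn.example.net": "10.0.0.5"}

def run_demo() -> Dict[str, Tuple[bool, bool]]:
    """Return (naive verdict, hardened verdict) for each constructed URL."""
    urls = [
        "https://api.example.com/v1/status",       # allowlisted, public address
        "https://API.example.com./v1/status",      # same host, case and trailing dot
        "http://127.0.0.1/",                       # loopback literal
        "http://%31%32%37.0.0.1/",                 # loopback, percent-encoded
        "http://%2531%2532%2537.0.0.1/",           # loopback, double-encoded
        "http://[::1]/",                           # IPv6 loopback
        "https://cdn.example.net/asset",           # allowlisted but resolves internally
    ]
    return {u: (naive_blocklist_check(u), is_safe_destination(u, ALLOWED_HOSTS, FAKE_DNS.get))
            for u in urls}

if __name__ == "__main__":
    for url, (naive, hardened) in run_demo().items():
        print(f"naive={'allow' if naive else 'block':5} hardened={'allow' if hardened else 'block':5} {url}")
```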

With remote work and hybrid environments still prevalent, ensuring the security of remote access solutions like the SMA1000 is paramount.

SonicWall’s swift response in releasing a hotfix demonstrates its commitment to addressing security threats, but the onus is now on administrators to act quickly.

Organizations are advised to verify their SMA1000 firmware version, download the latest hotfix, and apply it as soon as possible.

Additionally, monitoring for unusual network activity and reviewing access logs may help detect any prior exploitation attempts.


Windows 11, Red Hat Linux, & Oracle VirtualBox Hacked – Pwn2Own Day 1
https://cybersecuritynews.com/windows-11-red-hat-linux-oracle-virtualbox-hacked-pwn2own-day-1/
Fri, 16 May 2025 04:38:37 +0000

The post Windows 11, Red Hat Linux, & Oracle VirtualBox Hacked – Pwn2Own Day 1 appeared first on Cyber Security News.

The first day of Pwn2Own Berlin 2025 wrapped up with a bang, as hackers showcased 11 exploit attempts, including AI-targeted attacks, and walked away with $260,000 in prizes.

The Pwn2Own competition, known for pushing the boundaries of cybersecurity, saw successful breaches of Windows 11, Red Hat Linux, Oracle VirtualBox, and Docker Desktop, alongside the first-ever AI category win in Pwn2Own history.

STAR Labs surged to an early lead in the race for Master of Pwn, but with more challenges ahead, the title remains up for grabs.

Day 1 Highlights: Major Systems Compromised

By the end of Day 1, several products had been exploited with zero-days, as follows.

Red Hat Linux Falls Twice: Pumpkin (@u1f383) from DEVCORE Research Team exploited an integer overflow to escalate privileges, earning $20,000 and 2 Master of Pwn points.

Meanwhile, Hyunwoo Kim (@V4bel) and Wongi Lee (@_qwerty_po) of Theori used an information leak and a use-after-free (UAF) bug for a root escalation, but a known N-day bug led to a collision, netting them $15,000 and 1.5 Master of Pwn points.

Windows 11 Breached Multiple Times: Chen Le Qi (@cplearns2h4ck) of STAR Labs SG combined a UAF and integer overflow to escalate to SYSTEM, securing $30,000 and 3 Master of Pwn points.

Marcin Wiązowski delivered a flawless out-of-bounds write exploit for another SYSTEM escalation, also earning $30,000 and 3 points. Hyeonjin Choi (@d4m0n_8) of Out Of Bounds capped the Windows 11 attacks with a type confusion bug, winning $15,000 and 3 Master of Pwn points.

Oracle VirtualBox Escape: Team Prison Break (Best of the Best 13th) used an integer overflow to break out of Oracle VirtualBox and execute code on the host OS, pocketing $40,000 and 4 Master of Pwn points.

Docker Desktop Hacked: Billy and Ramdhan of STAR Labs executed a UAF in the Linux kernel to escape Docker Desktop and run code on the underlying OS, earning the day’s biggest prize of $60,000 and 6 Master of Pwn points.

Historic AI Exploit Steals the Show

In a Pwn2Own first, Sina Kheirkhah (@SinSinology) of Summoning Team successfully exploited Chroma in the new AI category, earning $20,000 and 2 Master of Pwn points. This landmark achievement highlights the growing focus on AI system security as artificial intelligence becomes integral to modern technology.

NVIDIA Triton Collisions Spark Discussion

The NVIDIA Triton Inference Server saw multiple exploit attempts, but all resulted in collisions due to known bugs.

Sina Kheirkhah (@SinSinology) of Summoning Team and Viettel Cyber Security (@vcslab) both demonstrated successful exploits, each earning $15,000 and 1.5 Master of Pwn points despite the vendor’s prior knowledge of the vulnerabilities. Wiz Research, however, failed to get their Triton exploit working within the allotted time.

With STAR Labs leading the Master of Pwn leaderboard, anticipation is high for Day 2 as more researchers target Microsoft, AI systems, and other platforms.

The collisions on NVIDIA Triton underscore the challenge of patching known vulnerabilities before they’re exploited, while the AI category’s debut signals a new frontier in cybersecurity.

