
Weekly News Digest 27 Jan – 2 Feb

North Korean threat actors use Windows RID hijacking to create hidden admin accounts

The North Korean state-backed espionage group Stonefly (aka Andariel, Onyx Sleet) is using a technique known as RID hijacking to trick Windows into treating low-privileged accounts as those with administrator permissions.

The Relative Identifier (RID) in Windows is part of the Security Identifier (SID) system, which assigns a unique tag to every user account to distinguish between them. RID can take values that indicate the account’s level of access. RID hijacking involves attackers modifying the RID of a low-privilege account to match the value of an administrator account.

RID hijacking, however, requires write access to the SAM registry hive, so an attacker would first need to breach the system and gain SYSTEM privileges. According to AhnLab ASEC researchers, a recent Stonefly attack campaign saw the actors use PsExec to execute a malicious file through a remote command. The malicious file operated with SYSTEM privileges.

SYSTEM access does not allow remote access, cannot interact with GUI apps, is very noisy and likely to be detected, and cannot persist between system reboots. To address this, the attackers created a hidden, low-privilege local user with the “net user” command, appending the ‘$’ character to the account name. This ensured that the account was not listed by the “net user” command and could be identified only in the SAM registry. They then used RID hijacking to raise the account’s permissions to administrator level.

To mitigate the risk of RID hijacking, system admins should use the Local Security Authority Subsystem Service (LSASS) to monitor logon attempts and password changes, and should prevent unauthorized access to, and changes of, the SAM registry hive.
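The two artefacts described above (a local account whose name ends in ‘$’ and a user key in the SAM hive whose stored RID no longer matches the key it lives under) can both be checked from the host itself. The following script is an added example written for this digest; it is not code from AhnLab or from the attack itself. It assumes it is run as SYSTEM (for instance via a scheduled task or `PsExec -s`), because the SAM hive is not readable by ordinary administrators, and it assumes the documented layout of the user F value, in which the account’s RID is stored as a little-endian DWORD at offset 0x30. Validate the offset against a known-good host before relying on it.

```powershell
# Added example, not part of the original digest. Run as SYSTEM on the host being checked.
# Detects (1) local accounts hidden from 'net user' by a trailing '$', and
# (2) SAM user keys whose F value carries a RID that differs from the RID in the key name,
#     which is the tampering RID hijacking leaves behind (a stored value of 500 / 0x1F4
#     means the account is being treated as the built-in Administrator).

$samUsers = 'HKLM:\SAM\SAM\Domains\Account\Users'   # assumed path; standard on Windows

# Check 1: Get-LocalUser still lists '$'-suffixed accounts even though 'net user' omits them.
$hidden = Get-LocalUser | Where-Object { $_.Name.EndsWith('$') }
foreach ($acct in $hidden) {
    Write-Warning ("Local account hidden from 'net user': {0} (SID {1}, enabled={2})" -f
        $acct.Name, $acct.SID, $acct.Enabled)
}

# Check 2: compare the key name (real RID, 8 hex digits) with the RID stored in the F value.
$mismatches = @()
Get-ChildItem -Path $samUsers -ErrorAction Stop |
    Where-Object { $_.PSChildName -match '^[0-9A-F]{8}$' } |   # skip the 'Names' subkey
    ForEach-Object {
        $keyRid    = [Convert]::ToUInt32($_.PSChildName, 16)
        $fValue    = (Get-ItemProperty -Path $_.PSPath -Name F).F   # byte[]
        $storedRid = [BitConverter]::ToUInt32($fValue, 0x30)         # assumed F layout
        if ($storedRid -ne $keyRid) {
            $mismatches += [pscustomobject]@{ Key = $_.PSChildName; KeyRid = $keyRid; StoredRid = $storedRid }
            Write-Warning ("RID mismatch in SAM: key {0} (RID {1}) stores RID {2}" -f
                $_.PSChildName, $keyRid, $storedRid)
        }
    }

if (-not $hidden -and -not $mismatches) {
    Write-Output 'No hidden-style accounts and no RID mismatches found.'
}
```

A mismatch is worth treating as an incident rather than a misconfiguration, since nothing in normal Windows administration rewrites that field. To cover the registry-protection part of the mitigation, pair this check with object-access auditing (a SACL on the SAM user keys) so that writes to the F value generate a log event, and alert on account-creation events whose account name ends in ‘$’.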

American National breach may be linked to MOVEit zero-day

Customer data belonging to U.S. insurance company American National Insurance has been discovered circulating online.

The breach was uncovered by SafetyDetectives, who said that it consisted of a 90 MB CSV file containing over 279,000 lines of customer data including account IDs, status, email addresses, names, dates of birth, age, occupation, phone, address, and insurance premiums. Some employee data such as the insurance agent’s name was also present.

The breach may be related to the 2023 MOVEit zero-day attack since the company was listed as one of the users of the software. At the time of the attack, American National was listed as a victim by the attackers — the Snakefly cybercrime group. American National said that it was investigating the validity of the claims.

New TorNet backdoor exploits TOR network in advanced phishing attack

An advanced phishing campaign uncovered by Cisco Talos delivers a newly identified TorNet backdoor via .tgz attachments.

First uncovered in July 2024, the campaign targets users primarily in Poland and Germany with emails impersonating financial institutions and businesses. The emails are written in Polish and German and contain TGZ compressed archive files.

Opening one of the attachments results in a .NET executable appearing, which downloads the PureCrypter malware from a remote server or extracts it from within the loader itself (decrypted using the AES algorithm and loaded into the targeted device’s memory).

PureCrypter is an obfuscated Windows DLL that contains encrypted binaries of legitimate DLLs, including Protobuf-net and Microsoft task scheduler DLL, and the TorNet backdoor.

TorNet is a .NET backdoor used to connect to a command-and-control (C&C) server over the TOR network for stealthy communication. After establishing a connection, the malware sends identifying information and allows attackers to carry out remote code execution by sending arbitrary .NET assemblies to the C&C server, expanding the attack surface.

Russian TAG-110 threat group expands operations outside Central Asia

Researchers have observed new activity which they have attributed to the Russia-linked TAG-110 (aka UAC-0063) threat actor. The new activity seen in European countries such as Germany, the UK, the Netherlands, Romania, and Georgia suggests that the group has now expanded the range of its intelligence-gathering operations beyond Central Asia, where it previously focused on targeting government-related organizations in countries such as Kazakhstan.

Previous attacks saw the group steal official government documents, which it has used in recent campaigns against new targets by planting the HATVIBE malware inside them. Emails containing links to these booby-trapped documents are then sent to targets, in the expectation that they will download the file and begin the infection process.

Once the document is opened, scripts within it prepare the environment by lowering security settings, install the HATVIBE malware, and establish persistence for it. HATVIBE then communicates with a remote command-and-control (C&C) server to send data and provide remote access for the attackers. It may download a plethora of other components, many of which are implemented in Python. These include DownExPyer (aka CherrySpy) for infostealing and backdoor functionality, PyPlunderPlug for collecting and exfiltrating files, and LOGPIE for keylogging.

DeepSeek’s open approach accidentally extended to its backend database too

DeepSeek recently made a big splash by offering a new low-cost but high-performance AI service to the public, which despite its origins, promptly caught on with many users worldwide.

The attention generated by DeepSeek not only attracted users but also made curious security researchers pay attention. Researchers at Wiz probed the new DeepSeek AI service for potential security holes and quickly found that the backend ClickHouse database used to store user conversations and other sensitive data was left wide open.

The researchers discovered that an unauthenticated user could access the web endpoint of the database to run arbitrary SQL queries. This could be used to modify the database or harvest large amounts of sensitive data from millions of user conversations, as well as any secrets or keys that may be held in the database.

Despite the permissive and open approach to its work, DeepSeek clearly didn’t intend to offer free and open access to its backend database. Luckily for the DeepSeek team, the researchers warned them of this major security lapse, and the issue was promptly fixed. However, the easily avoidable security oversight could have brought the high-flying service back down to earth with a crash.

New Mirai variant enslaving Mitel phones for DDoS attacks

A new Mirai variant called Aquabot is exploiting a vulnerability in Mitel phones in order to ensnare them into a network capable of mounting distributed denial-of-service (DDoS) attacks.

The vulnerability (CVE-2024-41710 – CVSS score: 6.8) is a command injection flaw in the boot process that could allow an attacker to execute arbitrary commands within the context of the phone. It affects Mitel 6800 Series, 6900 Series, 6900w Series SIP Phones, and Mitel 6970 Conference Unit. Mitel addressed the vulnerability in mid-July 2024. A proof-of-concept (PoC) exploit for the flaw became publicly available in August.

According to Akamai researchers, active exploitation attempts against CVE-2024-41710 began in early January 2025, with the attacks mirroring a “payload almost identical to the PoC” to deploy Aquabot.

The researchers believe that the threat actors behind Aquabot are offering the network of compromised hosts as a DDoS service on Telegram.

Operation Talent: FBI seizes major cybercrime platforms

The Federal Bureau of Investigation (FBI), in coordination with several other international law enforcement departments, has seized control of several major cybercrime platforms in a sweeping takedown operation.

Dubbed Operation Talent, the law enforcement action resulted in seizure banners being added to the websites of cracked[.]io, nulled[.]to, starkrdp[.]io, mysellix[.]io, and sellix[.]io. The Cracked and Nulled forums were known hubs for password theft, software piracy, and credential-stuffing attacks. SellIX enabled users to create storefronts for illicit goods and StarkRDP was a Windows remote desktop hosting service allegedly leveraged by threat actors to anonymize attacks.

“This website, as well as the information on the customers and victims of the website, has been seized by international law enforcement partners,” the banners read.

Operation Talent included authorities from the U.S., Italy, Spain, Europe, France, Greece, Australia, and Romania.

UK engineering firm notifies London Stock Exchange of cybersecurity incident

Smiths Group PLC, a major UK-based engineering firm operating in over 50 countries with over 15,000 employees, has filed a cybersecurity incident report with the London Stock Exchange to notify the exchange that it has become aware of an incident of “unauthorised access to the Company’s systems.”

Little information has been disclosed, either in the filing or to the media, except to say that once the company became aware of the unauthorized activity, it promptly “isolated affected systems and activated business continuity plans,” wording that hints at a possible ransomware attack.

The company is said to be working with cybersecurity experts brought in to help with the cleanup and investigation. Further updates are expected as the investigation and recovery progress.