Reddit NetSec

AlienVault OTX General

CVE Database V5

Reddit InfoSec News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

This comprehensive analysis covers cyber threats targeting financial companies in Korea and globally. It examines malware and phishing cases, top 10 malware strains, and statistics on leaked Korean accounts. The report delves into major financial threats on the dark web, including credit card data breaches, database breaches, and ransomware attacks. A notable case involves the Arkana ransomware group's breach of a global online brokerage firm, In***, resulting in the theft of 50 GB of customer data, including KYC submissions and information of over 163,000 customers. The incident highlights vulnerabilities in trading platforms' identity verification and account protection systems, emphasizing the need for enhanced security measures beyond regulatory compliance.

The May 2025 Security Issues campaign highlights a series of cyber threats targeting financial institutions primarily in South Korea but with global implications. The campaign details multiple attack vectors including malware infections, phishing campaigns, and ransomware attacks, with a focus on the financial sector. Key malware strains are identified among the top 10 most prevalent, contributing to data breaches and account compromises. A significant incident involved the Arkana ransomware group breaching a global online brokerage firm, resulting in the theft of approximately 50 GB of sensitive customer data. This data included Know Your Customer (KYC) submissions and personal information of over 163,000 customers, exposing critical vulnerabilities in identity verification and account protection mechanisms within trading platforms. The campaign also discusses the presence of stolen financial data on the dark web, including credit card and database breaches, which facilitate identity theft and fraud. The threat actors employ a range of tactics, techniques, and procedures (TTPs) such as ransomware deployment (T1486), data destruction (T1489), credential access (T1078), phishing (T1566), and command and control communications (T1071). The campaign underscores that existing regulatory compliance measures are insufficient to mitigate these risks, emphasizing the need for enhanced security controls tailored to the unique challenges of financial services platforms. Indicators of compromise include multiple malware hashes linked to the Arkana group and associated ransomware families like LockBit. Although no known exploits in the wild are reported, the campaign reflects ongoing and evolving threats to financial institutions' confidentiality, integrity, and availability of data and services.

Detailed information about May 2025 Security Issues in Korean & Global Financial Sector. Get real-time updates, technical details, and mitigation strategies.

May 2025 Security Issues in Korean & Global Financial Sector - Live Threat Intelligence - Threat Radar | OffSeq.com

May 2025 Security Issues in Korean & Global Financial Sector

Anubis is a new ransomware-as-a-service (RaaS) group that combines file encryption with file destruction capabilities. Active since December 2024, it features a 'wipe mode' that permanently erases files, making recovery impossible even if ransom is paid. The group operates a flexible affiliate program, offering negotiable revenue splits and supporting additional monetization paths like data extortion and access sales. Anubis has claimed victims in multiple sectors including healthcare and construction, across regions such as Australia, Canada, Peru, and the U.S. The ransomware uses spear-phishing for initial access, employs command-line execution, privilege escalation, and shadow copy deletion. Its encryption algorithm is similar to EvilByte/Prince ransomware, using Elliptic Curve Integrated Encryption Scheme (ECIES).

Anubis is a recently identified ransomware-as-a-service (RaaS) campaign active since December 2024. It distinguishes itself by combining traditional ransomware encryption with a destructive 'wipe mode' that irreversibly deletes files, preventing recovery even if victims pay the ransom. The ransomware employs spear-phishing emails as the primary initial access vector, targeting users with tailored messages to deliver malicious payloads. Once inside a system, Anubis executes commands via command-line interfaces, escalates privileges to gain higher system control, and deletes shadow copies to hinder recovery efforts. Its encryption mechanism uses the Elliptic Curve Integrated Encryption Scheme (ECIES), similar to the EvilByte/Prince ransomware family, providing strong cryptographic protection of victim files. The group operates a flexible affiliate program with negotiable revenue splits and supports multiple monetization strategies, including data extortion and selling access to compromised networks. Anubis has targeted multiple sectors such as healthcare and construction, with known victims primarily in Australia, Canada, Peru, and the United States. The ransomware’s tactics, techniques, and procedures (TTPs) include spear-phishing (T1566), command-line execution (T1059), privilege escalation (T1134.002), shadow copy deletion (T1490), and file encryption (T1486), reflecting a sophisticated and multi-faceted attack chain designed to maximize impact and complicate remediation.

Detailed information about Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper. Get real-time updates, technical details, and mitigation strateg

Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper - Live Threat Intelligence - Threat Radar | OffSeq.com

Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper

XWiki is a generic wiki platform. When a user without script right creates a document with an `XWiki.Notifications.Code.NotificationEmailRendererClass` object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No malicious code can be executed, though, as while these templates allow Velocity code, the existing generic analyzer already warns admins before editing Velocity code. The main impact would thus be to send spam, e.g., with phishing links to other users or to hide notifications about other attacks. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties.

CVE-2025-49583 is a medium-severity vulnerability affecting the XWiki platform, a widely used generic wiki software. The issue stems from a privilege context switching error (CWE-270) related to the handling of notification email templates. Specifically, when a user without script rights creates a document containing an object of the class `XWiki.Notifications.Code.NotificationEmailRendererClass`, the email templates embedded in this object are later used for notifications when an administrator edits and saves that document. Although these templates support Velocity scripting code, the platform's existing generic analyzer warns administrators before they edit any Velocity code, preventing direct execution of malicious scripts. The primary risk is that attackers could abuse this mechanism to send spam emails, potentially containing phishing links, or to conceal notifications about other attacks by manipulating notification content. This could facilitate social engineering attacks or reduce the visibility of ongoing compromises. The vulnerability affects XWiki versions prior to 15.10.16, versions between 16.0.0-rc-1 and 16.4.7, and versions between 16.5.0-rc-1 and 16.10.2. The issue was addressed in versions 15.10.16, 16.4.7, and 16.10.2 by implementing enhanced analysis of the relevant XClass properties to detect and block dangerous templates. Notably, warning prompts before editing documents with dangerous properties were introduced only in version 15.9; earlier versions lacked such safeguards, increasing risk. The CVSS 4.0 base score is 5.1 (medium), reflecting network exploitability without authentication but requiring some privilege (limited user rights) and user interaction (admin editing). No known exploits are reported in the wild as of publication. Overall, the vulnerability allows limited privilege escalation in the context of notification emails, primarily enabling spam or phishing campaigns rather than direct code execution or system compromise.

Detailed information about CVE-2025-49583: CWE-270: Privilege Context Switching Error in xwiki xwiki-platform affecting xwiki xwiki-platform. Get real-time upda

CVE-2025-49583: CWE-270: Privilege Context Switching Error in xwiki xwiki-platform - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-49583: CWE-270: Privilege Context Switching Error in xwiki xwiki-platform

In Tenable Agent versions prior to 10.8.5 on a Windows host, it was found that a non-administrative user could arbitrarily delete local system files with SYSTEM privilege, potentially leading to local privilege escalation.

CVE-2025-36633 is a high-severity vulnerability affecting Tenable Agent versions prior to 10.8.5 on Windows hosts. The root cause is improper privilege management (CWE-269), where a non-administrative user can delete local system files with SYSTEM-level privileges. This vulnerability arises because the Tenable Agent improperly exposes privileged file deletion capabilities to users without administrative rights. Exploiting this flaw allows an attacker with limited local access to escalate their privileges to SYSTEM, the highest level on Windows, enabling full control over the affected machine. The vulnerability has a CVSS 3.1 base score of 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required. The scope is changed, meaning the vulnerability affects resources beyond the initially compromised component. Although no known exploits are currently reported in the wild, the ease of exploitation and severity make this a critical concern for organizations using Tenable Agent on Windows endpoints. The vulnerability can lead to unauthorized deletion of critical system files, potentially causing system instability, denial of service, or enabling further malicious activities such as persistence, data theft, or lateral movement within a network.

Detailed information about CVE-2025-36633: CWE-269 Improper Privilege Management in Tenable Agent affecting Tenable Agent. Get real-time updates, technical deta

CVE-2025-36633: CWE-269 Improper Privilege Management in Tenable Agent - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-36633: CWE-269 Improper Privilege Management in Tenable Agent

Apple confirmed that Messages app flaw was actively exploited in the wild

Source: https://securityaffairs.com/178962/mobile-2/apple-confirmed-messages-app-flaw-actively-exploited.html

Apple has confirmed that a vulnerability in its Messages app has been actively exploited in the wild. Although specific technical details about the flaw are not provided in the available information, the exploitation of a messaging app vulnerability typically implies that attackers could leverage this flaw to execute unauthorized code, intercept or manipulate messages, or compromise device integrity. The Messages app is a core communication tool on Apple devices, including iPhones, iPads, and Macs, which makes any security flaw in it particularly critical. Active exploitation indicates that threat actors have already developed and deployed attack vectors targeting this vulnerability, potentially affecting users who have not yet applied any available patches or mitigations. The lack of detailed technical data, such as the nature of the vulnerability (e.g., buffer overflow, logic flaw), affected versions, or patch availability, limits the ability to fully characterize the exploit. However, given the medium severity rating and the fact that exploitation is confirmed, it is reasonable to infer that the flaw could allow attackers to compromise confidentiality and integrity of communications, and possibly device availability if the exploit leads to denial-of-service conditions. The absence of known exploits in the wild according to the provided data conflicts with the statement of active exploitation, suggesting either limited or targeted attacks rather than widespread campaigns. The vulnerability's presence in a widely used app on Apple devices means that a large user base is potentially at risk, especially if the flaw can be exploited remotely without user interaction or authentication. However, the minimal discussion level and low Reddit score indicate that the cybersecurity community has limited public information or analysis on this issue at this time.

Detailed information about Apple confirmed that Messages app flaw was actively exploited in the wild. Get real-time updates, technical details, and mitigation s

Apple confirmed that Messages app flaw was actively exploited in the wild - Live Threat Intelligence - Threat Radar | OffSeq.com

Apple confirmed that Messages app flaw was actively exploited in the wild

Reddit Discussion: Apple confirmed that Messages app flaw was actively exploited in the wild

Trend Micro fixes critical bugs in Apex Central and TMEE PolicyServer

Source: https://securityaffairs.com/178952/security/trend-micro-fixes-critical-bugs-in-apex-central-and-tmee-policyserver.html

Trend Micro has released patches addressing critical vulnerabilities in two of its key security management products: Apex Central and TMEE PolicyServer. Apex Central is a centralized management console used to administer Trend Micro security products across an enterprise, while TMEE PolicyServer manages policies for Trend Micro Endpoint Encryption. The critical bugs fixed in these products could potentially allow attackers to execute unauthorized actions, including remote code execution, privilege escalation, or unauthorized access to sensitive security configurations. Although specific technical details about the vulnerabilities have not been disclosed publicly, the critical severity rating implies that these flaws could be exploited without requiring complex conditions such as authentication or user interaction. The lack of known exploits in the wild suggests that these vulnerabilities were responsibly disclosed and patched before widespread exploitation. However, given the central role of these products in managing endpoint security and encryption policies, successful exploitation could compromise the confidentiality, integrity, and availability of enterprise security infrastructure. This could lead to unauthorized decryption of sensitive data, disabling of security controls, or lateral movement within affected networks. Organizations relying on Trend Micro Apex Central and TMEE PolicyServer should prioritize applying the available patches to mitigate these risks. Monitoring for unusual activity around these management consoles is also advised until all systems are updated.

Detailed information about Trend Micro fixes critical bugs in Apex Central and TMEE PolicyServer. Get real-time updates, technical details, and mitigation strat

Trend Micro fixes critical bugs in Apex Central and TMEE PolicyServer - Live Threat Intelligence - Threat Radar | OffSeq.com

Trend Micro fixes critical bugs in Apex Central and TMEE PolicyServer

Reddit Discussion: Trend Micro fixes critical bugs in Apex Central and TMEE PolicyServer

An investigation into VexTrio, a malicious traffic distribution system (TDS), revealed surprising connections between WordPress hackers and adtech companies. When VexTrio's operations were disrupted, multiple malware actors migrated to a new TDS that was discovered to be related to VexTrio. Several commercial TDSs were found to share software elements with VexTrio and benefit from its relationship with website malware actors. The investigation uncovered a complex network of adtech firms, including Partners House, BroPush, and RichAds, that use similar technologies and tactics to distribute malicious content. These firms have information about the identities of malware actors, which could potentially lead to their disruption.

The threat revolves around VexTrio, a malicious Traffic Distribution System (TDS) that operates by redirecting web traffic to deliver malware and other malicious payloads. VexTrio has been linked to a network of WordPress hackers who compromise websites to inject malicious code, which then funnels visitors through the TDS infrastructure. When VexTrio's operations were disrupted, malware actors migrated to a successor TDS sharing code and operational tactics with VexTrio, indicating a resilient and adaptive threat ecosystem. The investigation uncovered that several commercial adtech firms, including Partners House, BroPush, and RichAds, share software components and methodologies with VexTrio, blurring the lines between legitimate advertising technology and malicious activity. These adtech companies leverage push notifications, DNS manipulation, and affiliate networks to distribute malicious content, exploiting the trust and reach of advertising platforms. The relationship between these adtech firms and malware actors is complex, with the adtech companies possessing detailed information about the identities of malware operators, potentially enabling law enforcement or security researchers to disrupt these networks. The threat employs multiple tactics and techniques as categorized by MITRE ATT&CK, including command and control over web protocols (T1071), exploitation of public-facing applications (T1190), use of affiliate networks (T1608), and social engineering via push notifications (T1204). The lack of known exploits in the wild suggests that the threat is more focused on distribution and persistence rather than zero-day exploitation. Overall, this threat represents a sophisticated convergence of cybercrime and adtech ecosystems, leveraging compromised WordPress sites and advertising infrastructure to propagate malware at scale.

Detailed information about What is the Real Relationship between WordPress Hackers and Malicious Adtech?. Get real-time updates, technical details, and mitigati

What is the Real Relationship between WordPress Hackers and Malicious Adtech? - Live Threat Intelligence - Threat Radar | OffSeq.com

What is the Real Relationship between WordPress Hackers and Malicious Adtech?

An information disclosure vulnerability in the SD-WAN feature of Palo Alto Networks PAN-OS® software enables an unauthorized user to view unencrypted data sent from the firewall through the SD-WAN interface. This requires the user to be able to intercept packets sent from the firewall.

Cloud NGFW and Prisma® Access are not affected by this vulnerability.

CVE-2025-4229 is an information disclosure vulnerability identified in the SD-WAN feature of Palo Alto Networks PAN-OS software, specifically impacting the Cloud NGFW product. The vulnerability allows an unauthorized attacker to intercept and view unencrypted data transmitted from the firewall via the SD-WAN interface. Exploitation requires the attacker to have the capability to intercept network packets sent from the affected firewall, which implies a need for network-level access or the ability to perform man-in-the-middle attacks on the SD-WAN traffic. Notably, this vulnerability does not affect Palo Alto Networks' Cloud NGFW and Prisma Access cloud services, limiting the scope to on-premises or hybrid deployments of PAN-OS with SD-WAN enabled. The CVSS 4.0 base score is 6.0, indicating a medium severity level, with the vector highlighting network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and user interaction required (UI:P). The vulnerability impacts confidentiality (data exposure) but does not affect integrity or availability. There are no known exploits in the wild at the time of publication, and no patches or mitigations have been explicitly linked yet. The CWE classification is CWE-497, which relates to exposure of sensitive system information to unauthorized entities. This vulnerability underscores the risk of transmitting sensitive data in unencrypted form over SD-WAN interfaces, which can be intercepted by attackers with network access, potentially leading to leakage of sensitive operational or configuration data from the firewall environment.

Detailed information about CVE-2025-4229: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere in Palo Alto Networks Cloud NGFW af

CVE-2025-4229: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere in Palo Alto Networks Cloud NGFW - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-4229: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere in Palo Alto Networks Cloud NGFW

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts.

CVE-2025-5282 is a high-severity vulnerability affecting the WP Travel Engine – Tour Booking Plugin, a WordPress plugin widely used for tour operator software and booking management. The vulnerability arises from a missing authorization check in the delete_package() function across all versions up to and including 6.5.1. Specifically, the plugin fails to verify whether the user has the necessary capabilities to delete tour packages, allowing unauthenticated attackers to invoke this function remotely. This lack of access control means that an attacker can delete arbitrary posts representing tour packages without any authentication or user interaction. The vulnerability is classified under CWE-862 (Missing Authorization), indicating a failure to enforce proper permission checks before performing sensitive operations. The CVSS 3.1 base score is 7.5 (high), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, meaning the attack can be launched remotely over the network with low attack complexity, requires no privileges or user interaction, and results in a high impact on integrity (data modification) but no impact on confidentiality or availability. Although no known exploits have been reported in the wild yet, the ease of exploitation and the critical nature of the affected function make this a significant threat. The plugin is commonly deployed on WordPress sites operated by tour operators, travel agencies, and related businesses to manage tour packages and bookings, making the integrity of their data crucial for business operations and customer trust. The vulnerability could be exploited to maliciously delete tour package data, disrupting business operations and potentially causing financial and reputational damage.

Detailed information about CVE-2025-5282: CWE-862 Missing Authorization in wptravelengine WP Travel Engine – Tour Booking Plugin – Tour Operator Software affect

CVE-2025-5282: CWE-862 Missing Authorization in wptravelengine WP Travel Engine – Tour Booking Plugin – Tour Operator Software - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-5282: CWE-862 Missing Authorization in wptravelengine WP Travel Engine – Tour Booking Plugin – Tour Operator Software

An improper neutralization of wildcards vulnerability in the log collection feature of Palo Alto Networks GlobalProtect™ app on macOS allows a non administrative user to escalate their privileges to root.

CVE-2025-4232 is a high-severity vulnerability identified in the Palo Alto Networks GlobalProtect application for macOS, specifically affecting versions 6.0.0 through 6.3. The flaw stems from improper neutralization of wildcards or matching symbols (CWE-155) in the log collection feature of the app. This vulnerability allows a non-administrative user on a macOS system to escalate their privileges to root level. The root cause is that the application does not correctly sanitize or handle wildcard characters in log collection operations, which can be exploited to execute unauthorized commands or access restricted resources. Given that GlobalProtect is widely used as a VPN client to secure remote access, this vulnerability undermines the security boundary by enabling local privilege escalation without requiring user interaction or authentication beyond local access. The CVSS 4.0 base score of 8.5 reflects the high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required. Although no known exploits are currently reported in the wild, the vulnerability’s presence in a security-critical application and its ability to grant root privileges make it a significant threat. The vulnerability affects only macOS versions of the GlobalProtect app, which narrows the scope but still impacts organizations relying on macOS endpoints for secure VPN access.

Detailed information about CVE-2025-4232: CWE-155: Improper Neutralization of Wildcards or Matching Symbols in Palo Alto Networks GlobalProtect App affecting Pa

CVE-2025-4232: CWE-155: Improper Neutralization of Wildcards or Matching Symbols in Palo Alto Networks GlobalProtect App - Live Threat Intelligence - Threat Radar | OffSeq.com

Title	Severity	Type	Source	Date

Threats Affecting Switzerland

Filter Threats

Threats Affecting Switzerland