
Zero-Day

Vulnerability


80,000 Devices Vulnerable to QNAP Zero-Day Vulnerability

80,000 QNAP devices worldwide are vulnerable due to zero-day vulnerabilities, impacting performance and security. Read for details and urgent fix updates...

08-Apr-2023
3 min read

No content available.

Related Articles


NPM

RAT

Researchers uncover a sophisticated npm supply chain attack targeting the deprec...

On May 5, 2025, security firm Aikido [detected](https://www.aikido.dev/blog/catching-a-rat-remote-access-trojian-rand-user-agent-supply-chain-compromise) unauthorized malicious versions of the **`rand-user-agent`** npm package, a once-popular library (45k weekly downloads) used to generate randomized user-agent strings for web scraping and testing. Threat actors exploited its semi-abandoned status to inject a **Remote Access Trojan (RAT)** via versions `1.0.110`, `2.0.83`, and `2.0.84`, bypassing GitHub's source code repository and targeting npm artifacts directly.

### **Technical Anatomy of the Attack**

#### **1. Malicious Code Injection**

- **File**: Obfuscated payload hidden in `dist/index.js`, visible only via horizontal scrolling on npm’s UI.
- **Obfuscation Layers**:
  - **String Shuffling**: A custom `pHg` function rearranged characters to evade static analysis.
  - **Multi-Stage Execution**: Decrypted malicious payloads via nested functions (`zlJ`, `fqw`).
  - **Dynamic Imports**: Used `global["r"] = require` to bypass dependency checks.

#### **2. Payload Execution**

- **Persistence Mechanism**:
  - Created `~/.node_modules` in the user’s home directory.
  - Modified `module.paths` to prioritize this directory, enabling sideloading of malicious dependencies (`axios`, `socket.io-client`).
- **C2 Infrastructure**:
  - **Socket.IO Server**: `http://85.239.62[.]36:3306` (command delivery).
  - **File Exfiltration**: `http://85.239.62[.]36:27017/u/f` (HTTP POST).
- **Data Harvesting**: Transmitted system fingerprints:

```plaintext
Hostname: [Victim Hostname]
Username: [Current User]
OS Type: [Windows/Linux/macOS]
UUID: [Generated via crypto.randomBytes]
```

#### **3. RAT Capabilities**

| **Command** | **Function** |
|---|---|
| `cd <path>` | Change working directory. |
| `ss_dir` | Reset directory to the script’s original path. |
| `ss_fcd:<path>` | Force-change directory (bypass permissions). |
| `ss_upf:f,d` | Upload file `f` to destination `d` (e.g., `ss_upf:passwords.txt,/exfil`). |
| `ss_upd:d,dest` | Upload all files in directory `d` to `dest`. |
| `ss_stop` | Halt ongoing file transfers. |
| **Any shell cmd** | Execute arbitrary commands via `child_process.exec()`. |

- **Windows-Specific Hijacking**: Prepended `%LOCALAPPDATA%\Programs\Python\Python3127` to `PATH`, enabling execution of malicious binaries masquerading as Python tools.

### **Attack Vector: How the Package Was Compromised**

- **Compromised npm Token**: Attackers used an **outdated automation token** from a maintainer, lacking 2FA, to publish malicious versions directly to npm.
- **Version Spoofing**: Incremented version numbers (`2.0.82` → `2.0.83/2.0.84`) to mimic legitimacy.
- **GitHub Decoupling**: Malicious code existed **only in npm artifacts**; the GitHub repo remained untouched, delaying detection.

### **Indicators of Compromise (IoCs)**

- **Malicious Versions**: `1.0.110`, `2.0.83`, `2.0.84`.
- **Network Activity**:
  - `85.239.62.36:3306` (TCP, C2 socket).
  - `85.239.62.36:27017/u/f` (HTTP POST, file uploads).
- **File System Artifacts**:
  - `~/.node_modules` (hidden directory).
  - `node_modules/rand-user-agent/dist/index.js` (obfuscated payload).
- **Processes**: Unusual `child_process.exec()` activity or Python3127-related paths in `PATH`.

### **Mitigation & Remediation: Immediate Actions**

#### **1. For Affected Systems**

- **Step 1**: Identify installed versions:

  ```bash
  npm list rand-user-agent
  ```

  If versions `1.0.110`, `2.0.83`, or `2.0.84` are present:

- **Step 2**: Uninstall the package:

  ```bash
  npm uninstall rand-user-agent
  ```

- **Step 3**: Audit the system for:
  - Files under `~/.node_modules`.
  - Unauthorized connections to `85.239.62.36`.
  - Unusual processes spawned from `node` or `python`.

#### **2. Long-Term Security Enhancements**

- **Enforce 2FA for npm**:

  ```bash
  npm profile enable-2fa auth-and-writes
  ```

- **Scope Automation Tokens**: Limit tokens to specific packages/IP ranges.
- **Adopt Forked Alternatives**: Switch to actively maintained forks like `random-user-agent-generator`.

### **Developer Statement: Lessons from the Breach**

In a comment, the maintainers clarified:

> *“The attacker exploited an outdated token without 2FA. We’ve since invalidated all legacy tokens, enforced 2FA, and will implement automated npm-GitHub version parity checks.”*

12-May-2025
3 min read

Hospital

Ascension Health’s latest data breach exposes 437,000 patients’ data via a third...

Ascension, one of the largest private healthcare systems in the U.S., has disclosed a massive [data breach](https://www.secureblink.com/cyber-security-news/5-6-million-patient-data-exposed-in-black-basta-ransomware-breach) impacting **437,329 patients**, with sensitive personal and medical information stolen through a former business partner’s compromised systems. The breach, linked to a third-party software vulnerability, marks the second major cybersecurity incident for the healthcare giant in less than a year.

### **Details of Exposed Information**

According to breach notifications sent to affected patients in April 2025, hackers accessed:

- **Personal Data**: Names, addresses, phone numbers, email addresses, dates of birth, race, gender, and Social Security numbers (SSNs).
- **Health Information**: Physician names, admission/discharge dates, diagnosis codes, medical record numbers, insurance details, and billing codes.

The stolen data could enable identity theft, insurance fraud, or targeted phishing attacks, underscoring risks for impacted individuals.

### **Timeline and Investigation**

- **December 5, 2024**: Ascension first learned of a “potential security incident” involving a former business partner.
- **January 21, 2025**: Investigation confirmed patient data was “inadvertently disclosed” to the partner and later stolen due to a vulnerability in their third-party file transfer software.

While Ascension did not name the partner, cybersecurity experts suspect links to **[Clop ransomware](https://www.secureblink.com/threat-research/clop-ransomware)’s widespread attacks** in late 2024, which exploited a zero-day flaw in Cleo file transfer tools.

### **State-Specific Impacts**

- **Texas**: 114,692 residents affected.
- **Massachusetts**: 96 individuals had medical records and SSNs exposed.
- **Nationwide**: The U.S. Department of Health & Human Services (HHS) filing revealed the total impacted individuals on April 28, 2025.

### **Ascension’s Response & Remediation**

The healthcare provider is offering impacted patients:

- **Two years of free identity monitoring** (credit monitoring, fraud consultation, identity theft restoration).
- A dedicated call center for breach-related inquiries.

In a statement, Ascension emphasized it _“immediately initiated an investigation”_ upon discovering the incident and has since _“strengthened third-party vendor oversight.”_

### **Repeat Cybersecurity Challenges**

This breach follows a **May 2024 Black Basta ransomware attack** that exposed data of 5.6 million patients and employees. That incident, caused by an employee downloading a malicious file, forced Ascension hospitals to:

- Switch to paper records temporarily.
- Redirect emergency services and postpone non-urgent procedures.

The repeat breaches highlight systemic vulnerabilities in healthcare cybersecurity, particularly risks posed by third-party vendors.

### **Broader Implications for Healthcare Security**

With Ascension operating **142 hospitals and 40 senior facilities** across North America and reporting **$28.3 billion in 2023 revenue**, the breach underscores critical challenges:

1. **Third-Party Risks**: Vendors remain a weak link in data protection.
2. **Ransomware Targeting**: Healthcare systems are prime targets due to sensitive data.
3. **Regulatory Scrutiny**: HHS is likely to intensify oversight under HIPAA regulations.

The advice that follows is clear: “Healthcare organizations must adopt zero-trust frameworks and rigorously audit vendors.”

10-May-2025
3 min read

5Socks

Anyproxy

FBI dismantles 20-year Anyproxy botnet behind $46M cybercrime empire. Learn risk...

In a landmark global operation, U.S. and international authorities have dismantled one of the longest-running cybercrime networks in history. Dubbed **Operation Moonlander**, the takedown targeted the **Anyproxy** and **5socks** botnets, which infected thousands of ageing routers over two decades to fuel a $46 million illicit proxy service empire. The U.S. Department of Justice (DOJ) unsealed indictments against **four individuals**—three Russians and one Kazakhstani—exposing their roles in operating malware-laden networks that enabled cyberattacks, ad fraud, and cryptocurrency theft worldwide.

### **Rise and Fall of Anyproxy & 5socks**

**A 20-Year Cybercrime Legacy**

Court documents reveal the botnet began infecting routers as early as **2004**, exploiting devices from brands like **Linksys** and **Cisco** to create sprawling proxy networks. These proxies, marketed on **Anyproxy.net** and **5socks.net**, were sold to cybercriminals for $9.95 to $110 monthly, offering anonymity for illegal activities ranging from **DDoS attacks** to **credential brute-forcing**.

**How the Botnet Operated**

- **Targeting Vulnerable Hardware**: The hackers exploited **end-of-life (EoL) routers**—devices no longer receiving security updates—using a variant of **TheMoon malware**.
- **Proxy Networks for Hire**: Compromised routers were repurposed into “residential proxies,” masking malicious traffic as legitimate user activity.
- **Evading Detection**: Only **10% of infected IPs** triggered alerts on platforms like VirusTotal, making the networks ideal for high-risk criminal operations.

### **International Collaboration: A Global Takedown**

Operation Moonlander united the **U.S. DOJ**, **Dutch National Police**, **Royal Thai Police**, and analysts from **Lumen Technologies’ Black Lotus Labs**. Key actions included:

1. **Seizing Domains**: Anyproxy.net and 5socks.net now display law enforcement seizure banners.
2. **Charging Suspects**:
   - **Alexey Chertkov**, **Kirill Morozov**, and **Aleksandr Shishkin** (Russian nationals)
   - **Dmitriy Rubtsov** (Kazakhstani national)

The group faces charges of **conspiracy**, **damaging protected computers**, and **domain fraud**.

### **Infrastructure Insights**

- Servers hosted in **Russia** (via JCS Fedora Communications), the **Netherlands**, and **Türkiye** supported the botnet.
- Payments were processed in **cryptocurrency**, complicating financial tracking.

### **TheMoon Malware: A Silent Router Killer**

The FBI’s latest advisory warns that the botnet relied on a **new variant of TheMoon malware**, which:

- Exploited routers with **remote administration features enabled**.
- Installed covert proxies to facilitate **cybercrime-for-hire services**.

**Affected Devices**

| **Brand** | **Models** |
|---|---|
| Linksys | E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550, WRT320N, WRT310N |
| Cisco | M10, Cradlepoint E100 |

### **Why Residential Proxies Are a Cybercrime Goldmine**

Residential IPs are prized for their ability to mimic legitimate traffic. According to **Black Lotus Labs**:

> *“Proxies like Anyproxy help criminals bypass fraud detection systems, making ad scams, credential stuffing, and data theft harder to trace.”*

**Documented Misuses**

- **Ad Fraud**: Generating fake clicks to siphon advertising revenue.
- **DDoS Attacks**: Masking the origin of disruptive traffic floods.
- **Data Exploitation**: Harvesting sensitive information from compromised networks.

### **FBI Warning: Secure Your Routers Now**

The FBI’s **public service announcement** urges users and businesses to:

1. **Replace EoL Routers**: Upgrade devices no longer supported by manufacturers.
2. **Disable Remote Administration**: Limit exposure to malware like TheMoon.
3. **Monitor Network Traffic**: Use tools to detect unusual proxy activity.

**Quote from the DOJ**:

> *“This operation disrupts a critical tool for cybercriminals. Residential proxies are not just a privacy threat—they're a gateway to global harm.”*

### **Broader Implications and Lessons Learned**

- **The Cost of Outdated Tech**: The botnet thrived on neglected hardware, underscoring risks of using unsupported devices.
- **Global Jurisdiction Challenges**: Prosecuting foreign nationals (e.g., Russian suspects) highlights legal hurdles in cybercrime enforcement.
- **Public-Private Partnerships**: Collaboration with firms like **Lumen** proved vital in mapping the botnet’s infrastructure.

While Operation Moonlander marks a victory, experts warn botnets will adapt. **Black Lotus Labs** notes:

> *“Threat actors increasingly target IoT devices. Vigilance and firmware updates are non-negotiable.”*

09-May-2025
4 min read