
Blacksuit

Conti

CDK


From Royal to BlackSuit: How Rebranded Ransomware Crippled CDK Global

With over 350 attacks and $275M in ransom demands, the notorious BlackSuit ransomware, a rebrand of the Royal operation, has set its sights on CDK Global.

24-Jun-2024
4 min read


Related Articles


Scattered Spider

M&S cyberattack by Scattered Spider exposes customer data; triggers 15% stock cr...

A ruthless [cyberattack](https://www.secureblink.com/cyber-security-news/marks-and-spencer-hit-by-major-cyberattack-click-and-collect-services-disrupted) has ignited chaos at British retail titan Marks & Spencer (M&S), as the 140-year-old institution faces its most crippling crisis in decades. The Scattered Spider syndicate—a global hacking collective linked to audacious strikes on Caesars Entertainment and MGM Resorts—has infiltrated M&S’s defenses, plundering vast troves of customer data and triggering a 15% stock market freefall that has left investors reeling. For over three weeks, the retailer’s £1.4 billion online empire has been paralyzed, its reputation hanging by a thread, while executives wage a desperate battle to stem the bleeding.

### **How the Attack Unfolded**

The nightmare began on **April 25**, when M&S abruptly halted all online orders without explanation, leaving millions of customers in the dark. Behind the scenes, cyber mercenaries linked to Scattered Spider — a shadowy syndicate of English-speaking hackers — infiltrated M&S’s systems in what insiders describe as a “surgical strike” targeting personal customer data. While M&S claims payment details and passwords were *not* compromised (as card data is outsourced to third parties), hackers accessed **names, addresses, contact information, and purchase histories** — a goldmine for identity theft and phishing schemes. The breach forced M&S to freeze its £1.4 billion e-commerce platform for over 21 days, triggering a **15% stock plunge** and wiping hundreds of millions off its market value.

_“This wasn’t just a hack — it was a *financial hemorrhage*,”_ declared a City of London analyst. _“M&S’s reputation is bleeding out.”_

### **Scattered Spider’s Global Reign of Terror**

The attack has been pinned on **Scattered Spider**, a cybercrime cabal also known as **Octo Tempest** and **Muddled Libra**, whose members operate from the UK, U.S., and beyond. The group gained global notoriety in 2023 for crippling Las Vegas titans **Caesars Entertainment** and **MGM Resorts**, extracting a staggering **$15 million ransom** from Caesars in a single stroke. Sources reveal Scattered Spider’s UK wing is allegedly led by **Tyler Buchanan**, a 23-year-old tech savant from Dundee, Scotland, who operated under the alias *“Tylerb”* on encrypted platforms. Buchanan was reportedly arrested in Spain last summer and extradited to California in **April 2025** to face charges — though his alleged associates continue their rampage. Meanwhile, U.S. operations are spearheaded by **Noah Urban**, aka *“King Bob”*, a hacker linked to high-profile ransomware schemes. The group’s signature blend of **social engineering, phishing, and ransomware** has made them one of the most feared entities in cybercrime.

### **Inside the Fallout: Panic, Profits, and a Retail Giant Under Siege**

As M&S races to restore systems with help from cybersecurity firm **DarkTrace**, law enforcement, and the UK’s National Cyber Security Centre (NCSC), questions mount over how hackers bypassed defenses at a company serving **30 million loyal customers**.

**Key Revelations:**

- **Customer Trust Erodes:** Despite M&S’s assurances, experts warn stolen personal data could fuel *targeted scams*. “Imagine getting a fake ‘M&S voucher’ email — that’s just the start,” said cybersecurity expert Dr. Elena Voss.
- **Physical Stores Survive, But Stock Market Carnage Continues:** While M&S’s 1,000 UK stores remain open, investors are fleeing. Shares have cratered to a 12-month low, with analysts predicting long-term brand damage.
- **The 2025 Extradition Twist:** Tyler Buchanan’s reported extradition timeline raises eyebrows. Legal experts question how a 2025 date aligns with his 2023 arrest — suggesting either a typo or a prolonged legal saga.

### **We Will Not Be Broken**

In a fiery statement, M&S CEO Stuart Machin vowed: _“We are working tirelessly to protect our customers and emerge stronger. This attack will *not* define us.”_ The retailer has launched a 24/7 helpline for affected shoppers and pledged free credit monitoring. Yet critics accuse M&S of downplaying risks. _“Calling this ‘sophisticated’ is corporate jargon for *‘we were outsmarted’*,”_ snapped retail analyst Priya Kapoor.

The M&S debacle underscores a chilling reality: no company, however venerable, is safe from Scattered Spider’s evolving tactics. With ties to Russia’s ALPHV/BlackCat ransomware group, the gang epitomizes the borderless, mercenary nature of modern cyberwarfare.

14-May-2025
4 min read

NPM

RAT

Researchers uncover a sophisticated npm supply chain attack targeting the deprec...

On May 5, 2025, security firm Aikido [detected](https://www.aikido.dev/blog/catching-a-rat-remote-access-trojian-rand-user-agent-supply-chain-compromise) unauthorized malicious versions of the **`rand-user-agent`** npm package, a once-popular library (45k weekly downloads) used to generate randomized user-agent strings for web scraping and testing. Threat actors exploited its semi-abandoned status to inject a **Remote Access Trojan (RAT)** via versions `1.0.110`, `2.0.83`, and `2.0.84`, bypassing GitHub's source code repository and targeting npm artifacts directly.

### **Technical Anatomy of the Attack**

#### **1. Malicious Code Injection**

- **File**: Obfuscated payload hidden in `dist/index.js`, visible only via horizontal scrolling on npm’s UI.
- **Obfuscation Layers**:
  - **String Shuffling**: A custom `pHg` function rearranged characters to evade static analysis.
  - **Multi-Stage Execution**: Decrypted malicious payloads via nested functions (`zlJ`, `fqw`).
  - **Dynamic Imports**: Used `global["r"] = require` to bypass dependency checks.

#### **2. Payload Execution**

- **Persistence Mechanism**:
  - Created `~/.node_modules` in the user’s home directory.
  - Modified `module.paths` to prioritize this directory, enabling sideloading of malicious dependencies (`axios`, `socket.io-client`).
- **C2 Infrastructure**:
  - **Socket.IO Server**: `http://85.239.62[.]36:3306` (command delivery).
  - **File Exfiltration**: `http://85.239.62[.]36:27017/u/f` (HTTP POST).
- **Data Harvesting**: Transmitted system fingerprints:

```plaintext
Hostname: [Victim Hostname]
Username: [Current User]
OS Type: [Windows/Linux/macOS]
UUID: [Generated via crypto.randomBytes]
```

#### **3. RAT Capabilities**

| **Command** | **Function** |
|---|---|
| `cd <path>` | Change working directory. |
| `ss_dir` | Reset directory to the script’s original path. |
| `ss_fcd:<path>` | Force-change directory (bypass permissions). |
| `ss_upf:f,d` | Upload file `f` to destination `d` (e.g., `ss_upf:passwords.txt,/exfil`). |
| `ss_upd:d,dest` | Upload all files in directory `d` to `dest`. |
| `ss_stop` | Halt ongoing file transfers. |
| **Any shell cmd** | Execute arbitrary commands via `child_process.exec()`. |

- **Windows-Specific Hijacking**: Prepended `%LOCALAPPDATA%\Programs\Python\Python3127` to `PATH`, enabling execution of malicious binaries masquerading as Python tools.

### **Attack Vector: How the Package Was Compromised**

- **Compromised npm Token**: Attackers used an **outdated automation token** from a maintainer, lacking 2FA, to publish malicious versions directly to npm.
- **Version Spoofing**: Incremented version numbers (`2.0.82` → `2.0.83/2.0.84`) to mimic legitimacy.
- **GitHub Decoupling**: Malicious code existed **only in npm artifacts**; the GitHub repo remained untouched, delaying detection.

### **Indicators of Compromise (IoCs)**

- **Malicious Versions**: `1.0.110`, `2.0.83`, `2.0.84`.
- **Network Activity**:
  - `85.239.62.36:3306` (TCP, C2 socket).
  - `85.239.62.36:27017/u/f` (HTTP POST, file uploads).
- **File System Artifacts**:
  - `~/.node_modules` (hidden directory).
  - `node_modules/rand-user-agent/dist/index.js` (obfuscated payload).
- **Processes**: Unusual `child_process.exec()` activity or Python3127-related paths in `PATH`.

### **Mitigation & Remediation: Immediate Actions**

#### **1. For Affected Systems**

- **Step 1**: Identify installed versions:

```bash
npm list rand-user-agent
```

If versions `1.0.110`, `2.0.83`, or `2.0.84` are present:

- **Step 2**: Uninstall the package:

```bash
npm uninstall rand-user-agent
```

- **Step 3**: Audit the system for:
  - Files under `~/.node_modules`.
  - Unauthorized connections to `85.239.62.36`.
  - Unusual processes spawned from `node` or `python`.

#### **2. Long-Term Security Enhancements**

- **Enforce 2FA for npm**:

```bash
npm profile enable-2fa auth-and-writes
```

- **Scope Automation Tokens**: Limit tokens to specific packages/IP ranges.
- **Adopt Forked Alternatives**: Switch to actively maintained forks like `random-user-agent-generator`.

### **Developer Statement: Lessons from the Breach**

In a comment, the maintainers clarified:

> *“The attacker exploited an outdated token without 2FA. We’ve since invalidated all legacy tokens, enforced 2FA, and will implement automated npm-GitHub version parity checks.”*

12-May-2025
3 min read

Hospital

Ascension Health’s latest data breach exposes 437,000 patients’ data via a third...

Ascension, one of the largest private healthcare systems in the U.S., has disclosed a massive [data breach](https://www.secureblink.com/cyber-security-news/5-6-million-patient-data-exposed-in-black-basta-ransomware-breach) impacting **437,329 patients**, with sensitive personal and medical information stolen through a former business partner’s compromised systems. The breach, linked to a third-party software vulnerability, marks the second major cybersecurity incident for the healthcare giant in less than a year.

### **Details of Exposed Information**

According to breach notifications sent to affected patients in April 2025, hackers accessed:

- **Personal Data**: Names, addresses, phone numbers, email addresses, dates of birth, race, gender, and Social Security numbers (SSNs).
- **Health Information**: Physician names, admission/discharge dates, diagnosis codes, medical record numbers, insurance details, and billing codes.

The stolen data could enable identity theft, insurance fraud, or targeted phishing attacks, underscoring risks for impacted individuals.

### **Timeline and Investigation**

- **December 5, 2024**: Ascension first learned of a “potential security incident” involving a former business partner.
- **January 21, 2025**: Investigation confirmed patient data was “inadvertently disclosed” to the partner and later stolen due to a vulnerability in their third-party file transfer software.

While Ascension did not name the partner, cybersecurity experts suspect links to **[Clop ransomware](https://www.secureblink.com/threat-research/clop-ransomware)’s widespread attacks** in late 2024, which exploited a zero-day flaw in Cleo file transfer tools.

### **State-Specific Impacts**

- **Texas**: 114,692 residents affected.
- **Massachusetts**: 96 individuals had medical records and SSNs exposed.
- **Nationwide**: The U.S. Department of Health & Human Services (HHS) filing revealed the total impacted individuals on April 28, 2025.

### **Ascension’s Response & Remediation**

The healthcare provider is offering impacted patients:

- **Two years of free identity monitoring** (credit monitoring, fraud consultation, identity theft restoration).
- A dedicated call center for breach-related inquiries.

In a statement, Ascension emphasized it _“immediately initiated an investigation”_ upon discovering the incident and has since _“strengthened third-party vendor oversight.”_

### **Repeat Cybersecurity Challenges**

This breach follows a **May 2024 Black Basta ransomware attack** that exposed data of 5.6 million patients and employees. That incident, caused by an employee downloading a malicious file, forced Ascension hospitals to:

- Switch to paper records temporarily.
- Redirect emergency services and postpone non-urgent procedures.

The repeat breaches highlight systemic vulnerabilities in healthcare cybersecurity, particularly risks posed by third-party vendors.

### **Broader Implications for Healthcare Security**

With Ascension operating **142 hospitals and 40 senior facilities** across North America and reporting **$28.3 billion in 2023 revenue**, the breach underscores critical challenges:

1. **Third-Party Risks**: Vendors remain a weak link in data protection.
2. **Ransomware Targeting**: Healthcare systems are prime targets due to sensitive data.
3. **Regulatory Scrutiny**: HHS is likely to intensify oversight under HIPAA regulations.

“Healthcare organizations must adopt zero-trust frameworks and rigorously audit vendors,” as advised.

10-May-2025
3 min read