Cyber News 🛡 - Erez Dasa – Telegram
@CyberSecurityIL - translated to English with the help of AI
An attacker is offering for sale information from dozens of companies after gaining access with credentials stolen by infostealers.

The attacker, Zestix, is selling information that includes confidential documents, customer data, engineering plans, and sensitive information from various sectors.

The full research is available on the Hudson Rock website.

Among the affected companies:
- Pickett & Associates
- Intecro Robotics
- Maida Health
- Burris & Macomber
- Iberia Airlines
- CRRC MA
- K3G Solutions
- IFLUSAC
- GreenBills
- CiberC
- Sekisui House
- Hydratec Inc.
- Total ETO
- Degewo AG
- ThermoEx
- Voltras
- Aion Law Partners LLP
- NMCV Business LLC
- PT Pasifik Satelit Nusantara (PSN)
- VYTL-SFT (Verahealth)
- Navee Teknoloji
- La Esperanza Fuel
- Esenboğa Airport
- Injaro Investments
- Industrial CMMS
- UrbanX.io
- Bradley R Tyer
- Lex Logos Romania
- Australian NBN
- Hutchinson Builders
- imss-consultores
- GTD System
- Clevertech S.p.A.…
Higham Lane School, a secondary school in England, has suspended classes due to a cyber attack.

As a result of the attack, telephone services, email, servers, and other systems were disabled, and about 1,500 students were asked to stay home and not to connect to systems remotely.

The school states that they hope to return to normalcy later in the week.

https://news.1rj.ru/str/CyberSecurityIL/8337

@CyberSecurityIL
The crypto wallet company Ledger informs its customers that, due to a breach by a third party (Global-e), customer information has been leaked.

This is not the first time Ledger customer data has been leaked; last time it led to a widespread and sophisticated scam attempt.

https://news.1rj.ru/str/CyberSecurityIL/8338

@CyberSecurityIL
At the beginning of the week, I received reports of a cyberattack on an Israeli company that provides cloud services, integration, and information security.

The attackers, a terror-supporting group likely associated with Iran, sent print jobs with messages in Arabic to printers, deleted data from servers, and more.

At this stage, there is no known information that has leaked out, and the attackers have not (yet) published anything.

Another event that again sharpens the focus on supply chain security and reminds you to make sure you know who all your suppliers are, what their security level is, what you do in the event of a cyber incident at a third party, and how it affects you and the information that third party manages on your behalf or has access to.

https://news.1rj.ru/str/CyberSecurityIL/8340

@CyberSecurityIL
The treasure revealed in the leaks of Naftali Bennett, Tzachi Braverman, and Ayelet Shaked

The leak of thousands of contact details of Naftali Bennett, Tzachi Braverman, and Ayelet Shaked constitutes a serious information security issue, as revealed by an investigation by "Haaretz." Many of them, senior officials and people who currently hold or have previously held sensitive positions, are now at risk of becoming targets of espionage by foreign entities. Officials previously responsible for the matter say this is a severe failure. The "Haaretz" investigation found that the hacking group that leaked the numbers has already begun cross-referencing and enriching the new information against large databases that leaked from Israel in the past.

The severity of the leak lies in the fact that whoever identifies the sensitive officials in the leaked contact list, together with their personal mobile numbers, can now use this information to locate them in Israel and abroad, find their online accounts linked to the number, and track them using various advanced means.

For now, it is unclear whether the hackers actually managed to breach the devices of Bennett, Braverman, and Shaked, or only the online backups of their WhatsApp and Telegram accounts, which include contacts, messages, and videos.

The "Haaretz" investigation shows that Israelis whose numbers were exposed in the contact leak have received SMS messages in recent weeks from a foreign entity pretending to be Iranian intelligence. "Iranian intelligence is ready for your cooperation - you are invited to contact one of our embassies online," read the first message. "The doors of the Iranian embassy are open to you," stated the second. The third message included a threat: "This is your last opportunity to save yourself and your family. Our embassies are open. We know everything about you."

Each message included a link that carried the ID number of the target's children, used for tracking, with an invitation to "see the information we have." Anyone who clicked on the link was shocked to discover an extensive family tree that included the names and ID numbers of their parents, children, uncles, cousins, and more. The investigation revealed that the foreign server hosts family trees of many Israelis, all of them contacts whose numbers were exposed in the leaks of Bennett, Braverman, and Shaked.

The full article is available in Haaretz.

Just a reminder that in previous cyber events, attackers gathered information from various sources and sent documents detailing their connections, etc. I previously wrote about this here on the channel (the leak of information from the Air Force).

https://news.1rj.ru/str/CyberSecurityIL/8341

@CyberSecurityIL
🌍Some cyber updates from around the world:

- A hacker has published about 150 databases allegedly belonging to the Dutch chip company ASML. Note that this is the same hacker (1011) who recently published a data leak from NordVPN; in that case the company stated that the information was insignificant and came from a testing environment.

- Veeam has released a patch for vulnerabilities that allow remote code execution on backup servers.

- Sedgwick reports a data leak from its subsidiary Sedgwick Government Solutions, which provides services to government agencies in the U.S.

- Communications company Brightspeed reports that it is investigating a possible data leak after the attack group Crimson Collective claimed to have stolen information from the company's network.

https://news.1rj.ru/str/CyberSecurityIL/8344

@CyberSecurityIL
Following the above, a terror-supporting attack group, likely affiliated with Iran, claims responsibility for the attack against Skynet Computers. They also assert that they attacked two additional organizations (Dpaz, a company providing electrical services, and the travel agency "Cardinal").

This group calls itself "Children of Gaza" and has been operating against entities in Israel since the beginning of the war in October 2023. The group primarily focuses on vandalism and data theft.

https://news.1rj.ru/str/CyberSecurityIL/8345

@CyberSecurityIL
The group Anonymous For Justice (remember?) is publishing information allegedly belonging to Elbit and related to the development of drones.

This information is largely old (2002-2019) and appears to have been obtained from a single computer.

The data includes several documents and images allegedly related to Elbit, as well as personal information unrelated to Elbit that seems to belong to the employee from whom the information was obtained.

https://news.1rj.ru/str/CyberSecurityIL/8346

@CyberSecurityIL
Earlier today, Walla! News published an article stating that the website of the Shorok Desalination Institute redirects to a Persian advertisement.

Website takeover? Cyberattack, defacement? Not really...

1. The institute doesn't have an official website at all.
2. It seems someone used Google's "Suggest a Website" feature for a business by entering a Persian website address for the desalination institute's "business."
3. Google likely didn't check too thoroughly and actually linked the website to the desalination institute's "business" for a certain period.

From here, Walla! News deleted the article, and Google removed the website association.

Now we are left to wonder, who are those users (many...) who attempted to access the non-existent website of the Shorok Desalination Institute, saw a message in Persian, and took the trouble to report it to Walla! News 🙃

https://news.1rj.ru/str/CyberSecurityIL/8347

@CyberSecurityIL
The Handele Group published a trailer and claimed that it would reveal information that would shake the market in state institutions... Meanwhile, they have released several videos that presumably came from informants, claiming to expose a Mossad agent. I don't know, so far it doesn't seem like a major cyber event 🤷‍♂️

The interesting part, however, comes from another area in Iran, where NetBlocks claims that the internet in Tehran and other parts of the country is down. This is likely an attempt to reduce exposure to the riots there.

It's unclear how Handele will be able to continue their publications without a network connection 😄

https://news.1rj.ru/str/CyberSecurityIL/8349

@CyberSecurityIL
The Battle for the Internet: Shutdown in Iran, Starlink, and Cyber

The regime in Iran has shut down the internet in the country for over 48 hours, aiming to minimize exposure to the riots occurring within the nation.

Following this move (and some say after a request from Israeli officials), Elon Musk activated Starlink technology over Iran at no cost, allowing anyone with the appropriate equipment to now access the internet from Elon’s satellites.

What is Starlink and how does it work:

Starlink is a project aimed at providing high-speed internet to every point on Earth, with a focus on remote areas. Unlike traditional communication satellites, which orbit far from Earth (about 36,000 km), Starlink satellites orbit in low Earth orbit at only around 550 km, which allows for low latency.

To use the network, the user installs a small "dish" that communicates with the satellite passing overhead, and the satellite transmits information to a ground station…
Note another critical vulnerability in the n8n service.

CVE-2026-21858 allows remote code execution and affects versions from 1.121.0 onwards (this version was released about a month ago and is relevant to those using the self-hosted service).

Please note that according to the Shadowserver website, there are over 60 n8n servers in Israel that are exposed to the vulnerability and publicly accessible from the internet.

https://news.1rj.ru/str/CyberSecurityIL/8352

@CyberSecurityIL
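As an added example (not from the channel and not from the n8n project), the following script triages a self-hosted n8n inventory the way the post suggests: hosts running a version from 1.121.0 onwards are in the range the post names, and those of them that are reachable from the internet go first. The only fact taken from the post is the 1.121.0 floor; the patched release is not stated on the page, so the script flags hosts as "in the affected range" and leaves confirming the fix to the vendor advisory. The inventory is constructed sample data.

```python
"""Triage self-hosted n8n instances against the version range named in the post.

Added example; not the channel's or the n8n project's code. Only the floor of
the affected range (1.121.0) comes from the post. The patched version is not on
the page, so hosts are flagged as "in the affected range", not as "fixed".
"""
import re
from dataclasses import dataclass

# From the post: "affects versions from 1.121.0 onwards".
AFFECTED_FROM = (1, 121, 0)

# Accepts "1.121.0", "v1.121.0", and "1.121.0-beta"/"1.121.0+build" suffixes.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) as ints; raise on strings we cannot read."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch))


def in_affected_range(version: str) -> bool:
    """True when the version is 1.121.0 or later (the range the post names)."""
    return parse_version(version) >= AFFECTED_FROM


@dataclass
class Host:
    name: str               # constructed sample names below
    version: str            # n8n version as reported by the instance
    internet_exposed: bool  # reachable from the public internet (as in the Shadowserver count)


def triage(hosts) -> list:
    """Return (priority, host name, reason) tuples, most urgent first.

    Priority 1: affected range and internet-exposed (the Shadowserver case).
    Priority 2: affected range but internal only.
    Priority 3: below 1.121.0, outside the range the post names.
    """
    rows = []
    for h in hosts:
        affected = in_affected_range(h.version)
        if affected and h.internet_exposed:
            rows.append((1, h.name, "affected range, reachable from the internet: patch first"))
        elif affected:
            rows.append((2, h.name, "affected range, internal only: patch"))
        else:
            rows.append((3, h.name, "below 1.121.0: outside the range named in the post"))
    return sorted(rows)


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    Host("automation-prod", "1.123.1", internet_exposed=True),
    Host("dev-box", "v1.121.0", internet_exposed=False),
    Host("legacy", "1.119.4", internet_exposed=True),
]


if __name__ == "__main__":
    for priority, name, reason in triage(SAMPLE_INVENTORY):
        print(f"P{priority}  {name:<16} {reason}")
```

Feed `triage()` your own inventory (name, version, whether the instance is reachable from the internet); the internet-exposed hosts in the affected range are the ones that would appear in a Shadowserver-style count and should be patched first.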
The user database of the BreachForums forum was leaked online.

The BreachForums site is used by various hackers for posting, buying, and selling stolen information from different attacks, etc.

The database, which contains information about approximately 324,000 forum users, was distributed under a domain named ShinyHunters, but the ShinyHunters group claimed they had no connection to the leak.

The current administrator of BreachForums confirmed the breach and stated that the database had been exposed for a short period without appropriate protections.

https://news.1rj.ru/str/CyberSecurityIL/8353

@CyberSecurityIL
Last week, a hacker published a database of about 17 million Instagram users after exploiting an API...

The hacker claims that the database was collected in 2024 and contains names, phone numbers, email addresses, and more.

I did a quick check, and it seems that the example information the hacker published was already posted in another forum in 2023... so I'm not clear on how it was collected in 2024 if it was already published in 2023... 😕

In any case, some news sites are making a big deal out of this, and there are likely attackers exploiting the database to send phishing attempts. Please be careful.

https://news.1rj.ru/str/CyberSecurityIL/8354

@CyberSecurityIL
2,590 documents containing the names of pilots and sensitive information were exposed online. The IDF took six days to close the breach (an article by Ran Bar-Zik in TheMarker).

Full names of pilots who participated in the strike in Jenin, a detailed map of a military detention facility, and information about the cyber system against Iran — all these and more were revealed in military documents that were stored insecurely in a public folder of the IDF Spokesperson, which could be found with a simple Google search. The military censor characterized this information as "life-threatening" — but the documents were removed from the internet only six days after TheMarker alerted the IDF about the leak.

Some of the documents were stored in an open folder on the internet without the need for identification. Google was also able to access some of them, and any user with minimal knowledge could easily access them. The server contained 2,590 PDF documents, some of which…
Instagram reports that the glitch/issue that allowed sending password reset emails to various users has been fixed.

It is unclear whether there is a connection to the database that was recently published again or to a separate incident.

https://news.1rj.ru/str/CyberSecurityIL/8356

@CyberSecurityIL
🔔 Here are some important reminders:

📰 The channel has an X (Twitter) account, available here.
🗯 The channel has an RSS feed, available here.
🧠 I operate a feed system with unique cybersecurity information 24/7, available here.

https://news.1rj.ru/str/CyberSecurityIL/8357

@CyberSecurityIL
I received a report from one of you that ClickFix-type malware has been planted on the website of Melam, leading to the download of a stealer.

If there is an official response from Melam, I will publish it here.

https://news.1rj.ru/str/CyberSecurityIL/8359

@CyberSecurityIL
Dear Customers,

Following your inquiry to us, we would like to update you that the information security incident that occurred with our website hosting provider has been addressed; no breach of the company's systems has been found, no malicious access was made, and no customer information has been exposed.

The incident is not related to our operational systems but to the marketing website that describes our products and services, and the matter is under full monitoring and management with the provider.

Due to this incident, your monitoring systems have apparently blocked legitimate emails that came from the payroll domain. The emails will likely be released during the night and tomorrow.

For any further questions, we are happy to assist you.

https://news.1rj.ru/str/CyberSecurityIL/8360

@CyberSecurityIL