• Envoy Air, a wholly owned subsidiary of American Airlines, has confirmed it fell victim to a hacking campaign exploiting vulnerabilities in Oracle’s E-Business Suite (EBS).

    The breach, first highlighted by the notorious Clop ransomware group, underscores the growing risks facing enterprise software in the aviation sector.

    Clop, known for high-profile extortion schemes like the MOVEit Transfer attacks, claimed responsibility last week, listing American Airlines among over 60 organizations hit through unpatched flaws in Oracle EBS.

    The group, which operates out of Russia-linked networks, has demanded ransoms in cryptocurrency, threatening to leak stolen data on its dark web site if unpaid.

    While Clop didn’t specify the exact vulnerabilities, security researchers point to known issues in Oracle’s WebLogic Server and EBS modules, such as CVE-2023-21931, which allow remote code execution if not properly secured.

    Envoy’s admission came swiftly after the claims surfaced, aiming to reassure stakeholders amid rising concerns over aviation data security.

    Envoy Compromised

    “We are aware of the incident involving Envoy’s Oracle E-Business Suite application,” an Envoy spokesperson told Cybersecurity News. “Upon learning of the matter, we immediately began an investigation and law enforcement was contacted.”

    “We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised.”

    The spokesperson emphasized that passenger records, flight operations, and personally identifiable information remained untouched, mitigating immediate risks to travelers.

    However, the exposure of internal business data could still pose challenges, including potential phishing vectors or competitive intelligence leaks for the regional carrier, which operates over 150 aircraft and serves millions of passengers annually under the American Airlines banner.

    Experts warn that this incident highlights systemic vulnerabilities in legacy enterprise systems. Oracle EBS, widely used for HR, finance, and supply chain management, has faced criticism for slow patching cycles.

    Cybersecurity firm Mandiant noted in a recent report that Clop’s tactics often target third-party software to amplify reach, affecting not just direct victims but entire ecosystems.

    As investigations continue with federal authorities, including the FBI’s cyber division, Envoy stated it has implemented enhanced monitoring and updated its Oracle systems. American Airlines, while not directly named in data leaks, has bolstered its subsidiary’s defenses in response.

    This breach arrives amid a wave of aviation cyberattacks, from ransomware hitting airports to state-sponsored espionage. Industry leaders are urging faster adoption of zero-trust architectures to safeguard critical infrastructure.

    For now, Envoy passengers can fly with relative peace of mind, but the event serves as a stark reminder: in cybersecurity, one weak link can ground an entire operation.

    Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

    The post American Airlines Subsidiary Envoy Compromised in Oracle Hacking Campaign appeared first on Cyber Security News.


  • Threat actors are leveraging Microsoft Azure Blob Storage to craft highly convincing phishing sites that mimic legitimate Office 365 login portals, putting Microsoft 365 users at severe risk of credential theft.

    This method exploits trusted Microsoft infrastructure, making the attacks harder to spot as the fraudulent pages appear secured by official SSL certificates issued by Microsoft itself.

    ALI TAJRAN recently highlighted a surge in these campaigns, with alerts circulating widely on October 17, 2025, urging immediate vigilance among enterprises and individuals.

    How the Attack Leverages Azure Blob

    The phishing scheme typically begins with deceptive emails that include links disguised as routine Microsoft Forms surveys or document shares, often starting with URLs like forms.office[.]com followed by a unique identifier.

    Victims who click these links are redirected to what seems like a harmless PDF download prompt, but this quickly escalates to a demand for Microsoft 365 credentials on a fake login page.

    The malicious URL terminates in windows.net, specifically utilizing subdomains under blob.core.windows.net, which hosts the phishing form as a simple HTML file stored in Azure’s blob storage service.

    This storage solution, designed for unstructured data like images or documents, inadvertently provides phishers with a veil of legitimacy since browsers and endpoint protection tools inherently trust Azure endpoints.

    Once users enter their email and password, the credentials are captured and sent to attacker-controlled servers, potentially granting access to sensitive email, files, and tenant resources.

    Attackers may then escalate privileges to intercept authentication tokens or infiltrate the entire organization. Historical reports from 2018 noted similar lures using themed PDF attachments pretending to be legal documents, a tactic that persists today with more sophisticated social engineering.

    To counter this threat, security experts recommend blocking all traffic to *.blob.core.windows.net endpoints in firewalls or web proxies, while whitelisting only specific, trusted storage accounts like <your-storage-account>.blob.core.windows.net.

    This granular approach prevents broad access without disrupting legitimate Azure operations. Additionally, enabling multi-factor authentication (MFA) and monitoring for anomalous logins via Microsoft Entra ID can detect breaches early.

    A proactive step involves customizing company branding in your Microsoft 365 tenant, displaying your organization’s logo, colors, and name on official sign-in pages to help users distinguish genuine portals from impostors.

    Without branding, a generic Microsoft login might blend seamlessly with phishing mimics, eroding user trust at critical moments. Resources from Microsoft guide administrators on implementing these customizations swiftly.

    This phishing variant underscores the dual-edged nature of cloud services: while Azure Blob Storage offers scalability and security for legitimate use, it becomes a weapon when abused by threat actors.

    Organizations should prioritize user education on scrutinizing URLs: legitimate Office 365 logins always direct to login.microsoftonline.com, not to blob storage paths.
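    As an added illustration (not code from the article or from Microsoft), the two defensive rules above, an allowlist of trusted storage accounts under blob.core.windows.net and a check that sign-in pages really sit on the Microsoft login domain, can be run over URLs pulled from proxy or mail logs. The storage-account names, the log format and every URL below are constructed placeholders; as an assumption that widens the article's single-host rule, any subdomain of microsoftonline.com is treated as genuine, and a hostname placed before an @ sign is resolved to the real host.

```python
"""Allowlist check for Azure Blob Storage and Microsoft sign-in URLs.

Added illustration, not code from the article: applies the article's two
rules (block *.blob.core.windows.net except named storage accounts; genuine
Office 365 sign-in lives on login.microsoftonline.com) to URLs found in
constructed proxy log lines.
"""
import re
from urllib.parse import urlsplit

BLOB_SUFFIX = ".blob.core.windows.net"
# Hypothetical allowlist of the organisation's own storage accounts.
TRUSTED_STORAGE_ACCOUNTS = {"contoso-docs", "contoso-backups"}
# Assumption: the real sign-in host and any subdomain of microsoftonline.com
# are genuine; the article itself names only login.microsoftonline.com.
GENUINE_LOGIN_DOMAIN = "microsoftonline.com"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def hostname_of(url):
    """Lowercased host with userinfo and port stripped, or None if unparsable."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def classify_url(url):
    """Verdicts: 'trusted-blob', 'untrusted-blob', 'lookalike-login',
    'unparsable' or 'ok' (neither rule applies)."""
    host = hostname_of(url)
    if not host:
        return "unparsable"
    if host.endswith(BLOB_SUFFIX):
        account = host[: -len(BLOB_SUFFIX)]
        return "trusted-blob" if account in TRUSTED_STORAGE_ACCOUNTS else "untrusted-blob"
    if host == GENUINE_LOGIN_DOMAIN or host.endswith("." + GENUINE_LOGIN_DOMAIN):
        return "ok"
    # Brand string present but not under the real domain, e.g.
    # login.microsoftonline.com.evil.example
    if "microsoftonline" in host:
        return "lookalike-login"
    return "ok"


def scan_log_lines(lines):
    """Extract every URL from each line and return [(url, verdict), ...]."""
    results = []
    for line in lines:
        for url in URL_RE.findall(line):
            results.append((url, classify_url(url)))
    return results


# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    'ts=2025-10-17T09:12:01Z user=alice url="https://contoso-docs.blob.core.windows.net/reports/q3.pdf"',
    'ts=2025-10-17T09:13:44Z user=bob url="https://x7k2qm.blob.core.windows.net/$web/index.html"',
    'ts=2025-10-17T09:14:02Z user=bob url="https://login.microsoftonline.com/common/oauth2/v2.0/authorize"',
    'ts=2025-10-17T09:15:30Z user=carol url="https://login.microsoftonline.com.evil.example/login"',
    # Real hostname placed in the userinfo part; the actual host is the blob account.
    'ts=2025-10-17T09:16:11Z user=dave url="https://login.microsoftonline.com@x7k2qm.blob.core.windows.net/index.html"',
]

if __name__ == "__main__":
    for url, verdict in scan_log_lines(SAMPLE_LOG):
        if verdict != "ok":
            print(f"{verdict:16} {url}")
```

    The verdicts map directly onto the article's advice: an `untrusted-blob` hit is what a proxy rule denying `*.blob.core.windows.net` outside the allowlist would block, and a `lookalike-login` hit is the URL-scrutiny lesson users are meant to learn. Using `urlsplit(...).hostname` rather than a substring search is what defeats the userinfo trick in the last sample line.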


    The post New Phishing Attack Leverages Azure Blob Storage to Impersonate Microsoft appeared first on Cyber Security News.


  • Law enforcement authorities across Europe have dismantled a sophisticated cybercrime-as-a-service operation that enabled criminals to commit widespread fraud and other serious offenses across the continent. The coordinated action, codenamed ‘SIMCARTEL’, resulted in seven arrests, the seizure of over 40,000 active SIM cards, and the takedown of infrastructure that facilitated crimes causing millions of euros in […]

    The post Authorities Shut Down Cybercrime-as-a-Service, Seize 40,000 SIM Cards appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Cybersecurity researchers have shed light on a new campaign that has likely targeted the Russian automobile and e-commerce sectors with a previously undocumented .NET malware dubbed CAPI Backdoor. According to Seqrite Labs, the attack chain involves distributing phishing emails containing a ZIP archive as a way to trigger the infection. The cybersecurity company’s analysis is based on the ZIP


    Zimbra has released an emergency security patch to address a critical Server-Side Request Forgery (SSRF) vulnerability that could allow attackers to access sensitive data through the platform’s chat proxy configuration. The flaw, classified as high severity, affects Zimbra versions 10.1.5 through 10.1.11, prompting the company to urge immediate action from users and administrators. Understanding the […]

    The post Critical Zimbra SSRF Flaw Exposes Sensitive Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Microsoft’s October 2025 Windows 11 update has introduced an unexpected connectivity issue affecting developers and IT professionals worldwide. The security patch KB5066835, released on October 14, 2025, for OS Builds 26200.6899 and 26100.6899, has disrupted localhost connections, preventing applications from accessing services running on the loopback address 127.0.0.1. The update, which primarily addressed security vulnerabilities […]

    The post Microsoft Windows 11 October Update Disrupts Localhost (127.0.0.1) Connectivity appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


    A proof-of-concept exploit has been released for two critical vulnerabilities in the popular file archiver 7-Zip, potentially allowing attackers to execute arbitrary code remotely through malicious ZIP files.

    The flaws, tracked as CVE-2025-11001 and CVE-2025-11002, were disclosed by the Zero Day Initiative (ZDI) on October 7, 2025, and stem from improper handling of symbolic links during ZIP extraction on Windows systems.

    Both carry a CVSS v3.0 score of 7.0, highlighting their potential for serious impact despite initial perceptions of lower risk.

    These issues affect 7-Zip versions from 21.02 up to 24.09, where flaws in the symlink conversion process enable path traversal attacks. Discovered by Ryota Shiga of GMO Flatt Security Inc., the vulnerabilities exploit how 7-Zip processes Linux-style symlinks, converting them to Windows equivalents without adequate safeguards.

    In a detailed analysis shared by security expert pacbypass, the bugs arise in the ArchiveExtractCallback.cpp module, particularly in functions like IsSafePath and CLinkLevelsInfo::Parse.

    The core problem lies in 7-Zip’s extraction logic, which fails to properly validate symlink targets. When extracting a ZIP containing a Linux symlink pointing to a Windows absolute path like C:\Users, the software misclassifies it as relative due to a flawed absolute path check tailored for Linux or WSL environments.

    This bypasses safety checks in IsSafePath, allowing the symlink to resolve outside the extraction directory.

    Further, during symlink creation in SetFromLinkPath, 7-Zip prepends the extraction folder path to the target, crafting a seemingly safe relative path that evades validation.

    A subsequent check in CloseReparseAndFile skips directory-specific scrutiny for non-directories, enabling the symlink to point arbitrarily. Patches in version 25.00 introduce a new IsSafePath overload with an isWSL flag and refined parsing to detect absolute paths correctly, closing these gaps.

    The analysis draws from diffs between versions 24.09 and 25.00 on GitHub, revealing a rework of symlink support. While one CVE likely targets direct path traversal, the other involves UNC path symlinks, amplifying risks in networked scenarios.

    Exploiting these flaws requires crafting a ZIP where a symlink extracts first, redirecting subsequent files to sensitive locations like the Desktop or system directories.

    For instance, a malicious archive could create a symlink named “link” pointing to C:\Users\[Username]\Desktop, followed by a payload like calc.exe. Upon extraction, 7-Zip follows the link, writing the executable to the target, potentially leading to code execution if the user runs it.

    The PoC, available on pacbypass’s GitHub repository, demonstrates this by unpacking a directory structure that dereferences the symlink, enabling arbitrary file writes.

    However, exploitation demands elevated privileges, developer mode, or an elevated service context, limiting it to targeted attacks rather than broad phishing. It works solely on Windows, ignoring Linux or macOS.
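    As an added example (not 7-Zip's code and not pacbypass's PoC), the checks a defender would want to run over an archive listing before extracting it on Windows can be written in a few dozen lines. The `Entry` type, the entry names and the sample listing are constructed; the audit rejects drive-letter, UNC and rooted symlink targets (the cases the article says older versions misread as relative), relative targets that resolve outside the extraction root, and any later entry whose path passes through an earlier symlink, which is the file-write redirection the article describes.

```python
"""Pre-extraction audit of symlink entries in an archive listing.

Added illustration, not 7-Zip's code and not the published PoC: checks a
constructed archive listing for the symlink conditions the article describes
(Windows absolute or UNC targets misread as relative, later entries written
through the link) before anything is extracted on Windows.
"""
import posixpath
import re
from dataclasses import dataclass

DRIVE_RE = re.compile(r"^[A-Za-z]:")   # C:\..., C:/..., and drive-relative C:foo


@dataclass
class Entry:
    """One archive entry as a listing tool would report it (constructed type)."""
    name: str              # path inside the archive, as stored
    is_symlink: bool
    target: str = ""       # link target, for symlink entries only


def normalize(path):
    """Treat '\\' and '/' alike and collapse '.' and '..' lexically."""
    return posixpath.normpath(path.replace("\\", "/"))


def is_absolute_target(path):
    """True if the path is absolute under Windows OR POSIX conventions.

    A check that only knows the POSIX root '/' would call 'C:\\Users'
    relative, which is the misclassification the article describes.
    A leading '/' also covers UNC paths once '\\' is mapped to '/'.
    """
    p = path.replace("\\", "/")
    return bool(DRIVE_RE.match(p)) or p.startswith("/")


def escapes_root(entry_dir, target):
    """True if a relative target, resolved from the entry's directory,
    leaves the extraction root (represented by '.')."""
    joined = normalize(posixpath.join(entry_dir, target))
    return joined == ".." or joined.startswith("../")


def audit(entries):
    """Return [(entry name, reason), ...] for entries that must not be extracted.

    Entries are examined in archive order because, as the article notes, a
    symlink extracted first redirects the files that follow it.
    """
    findings = []
    symlink_names = []          # normalized names of symlinks seen so far
    for e in entries:
        name = normalize(e.name)
        reason = None
        if name == ".." or name.startswith("../") or is_absolute_target(e.name):
            reason = "entry path escapes extraction root"
        else:
            through = next((s for s in symlink_names
                            if name == s or name.startswith(s + "/")), None)
            if through is not None:
                reason = f"path passes through earlier symlink '{through}'"
            elif e.is_symlink:
                if is_absolute_target(e.target):
                    reason = "absolute, drive or UNC symlink target"
                elif escapes_root(posixpath.dirname(name), e.target):
                    reason = "symlink target escapes extraction root"
        if e.is_symlink:
            symlink_names.append(name)   # remember it even when already flagged
        if reason:
            findings.append((e.name, reason))
    return findings


# Constructed archive listing (not a real sample); mirrors the article's
# "link" -> Desktop scenario plus a few other shapes.
SAMPLE_ARCHIVE = [
    Entry("docs/readme.txt", False),
    Entry("docs/notes", True, "readme.txt"),                # benign in-tree link
    Entry("link", True, "C:\\Users\\[Username]\\Desktop"),  # drive-letter target
    Entry("link/payload.bin", False),                       # written through 'link'
    Entry("share", True, "\\\\fileserver\\public"),         # UNC target
    Entry("up", True, "..\\..\\outside"),                   # relative escape
    Entry("../sneaky.txt", False),                          # classic zip-slip name
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_ARCHIVE):
        print(f"REJECT {name!r}: {reason}")
```

    The audit is purely lexical, so it can run on any platform over a listing produced by the archiver before extraction; a symlink is recorded even after it has been flagged so that every file routed through it is reported too, which is the signal to look for when monitoring bulk extraction workflows for anomalous writes.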

    Mitigations

    Users should update to 7-Zip 25.00 immediately, as it addresses these issues comprehensively. Disabling symlink support during extraction or scanning archives with antivirus tools can reduce exposure. These vulnerabilities underscore ongoing risks in archive handlers, echoing past 7-Zip flaws like directory traversals.

    With the PoC public, attackers may weaponize these for initial access in phishing campaigns. Organizations relying on 7-Zip for bulk extractions should audit workflows and monitor for anomalous file writes.


      The post PoC Exploit Released for 7-Zip Vulnerabilities that Let Attackers Execute Arbitrary Code Remotely appeared first on Cyber Security News.


    1. The threat actors behind a malware family known as Winos 4.0 (aka ValleyRAT) have expanded their targeting footprint from China and Taiwan to target Japan and Malaysia with another remote access trojan (RAT) tracked as HoldingHands RAT (aka Gh0stBins). “The campaign relied on phishing emails with PDFs that contained embedded malicious links,” Pei Han Liao, researcher with Fortinet’s FortiGuard


    2. An international law enforcement operation has dismantled a large-scale cybercrime-as-a-service network responsible for fueling thousands of online fraud cases across Europe.

      The operation, known as SIMCARTEL, took place on 10 October 2025 in Latvia and resulted in five arrests, the seizure of key infrastructure, and the disruption of a sophisticated online criminal marketplace.

      During coordinated raids, authorities executed 26 searches across multiple sites, arresting five Latvian nationals suspected of operating the illegal platform.

      Investigators seized five servers, 1,200 SIM-box devices, and more than 40,000 active SIM cards used to power the fraudulent service. Two linked websites, gogetsms[.]com and apisim[.]com, were taken over by law enforcement and replaced with “splash pages” announcing their seizure.

      The seized operation had enabled more than 49 million fake online accounts and was tied to over 3,200 known cyber fraud cases across Austria and Latvia alone.

      Financial losses from these crimes exceeded EUR 4.5 million in Austria and an additional EUR 420,000 in Latvia. Authorities also froze EUR 431,000 in bank assets, USD 333,000 in cryptocurrency, and confiscated four luxury vehicles belonging to suspects.

      Cybercrime-as-a-Service Platform Dismantled

      The dismantled service sold access to phone numbers registered in more than 80 countries, allowing clients to mask their identities while committing crimes ranging from phishing and smishing to large-scale fraud, extortion, and child exploitation.

      The platform allowed criminals to create fake social media, banking, and e-commerce accounts that appeared legitimate but were used to defraud unsuspecting victims.

      The network’s offerings supported several widespread scams, including fraudulent second-hand marketplace listings, “daughter–son” WhatsApp scams, investment fraud schemes, fake bank websites, and impersonations of police officers targeting Russian-speaking victims. Each of these crimes relied on the anonymity provided by the rented SIM-based numbers.

      The operation was coordinated by Europol and Eurojust, working in close collaboration with law enforcement agencies from Austria, Latvia, Estonia, and Finland.

      Technical support from the Shadowserver Foundation helped dismantle the network’s infrastructure and secure digital evidence. Europol analysts conducted OSINT mapping of the platform’s online footprint and facilitated international data exchange to track financial and digital assets.

      The joint action marks a major success in Europe’s fight against crime-as-a-service networks, striking at the infrastructure that enabled cybercriminals to hide behind false identities and target victims worldwide.


      The post Authorities Dismantle Cybercrime-as-a-Service Platform, Seize 40,000 Active SIM Cards appeared first on Cyber Security News.


    3. A newly disclosed Server-Side Request Forgery (SSRF) flaw in Zimbra Collaboration Suite has raised major security concerns, prompting administrators to patch systems immediately.

      The issue, identified in the chat proxy configuration component, could allow attackers to gain unauthorized access to internal resources and sensitive user data.

      According to Zimbra’s latest advisory, this critical SSRF vulnerability affects Zimbra versions 10.1.5 through 10.1.11. Malicious actors could exploit the issue by manipulating URL requests to make the server perform unintended actions, such as accessing restricted endpoints or internal systems.

      Although the deployment risk is categorized as low, the security severity is classified as high due to the potential data exposure and privilege abuse.

      The vulnerability stems from improper validation in the chat proxy configuration module, which could enable crafted requests to route through Zimbra’s internal network.

      This vector might allow attackers to retrieve configuration files, tokens, or other sensitive data stored in connected services, posing a significant privacy risk for enterprise users who rely on Zimbra for email and collaboration.

      Mitigations

      Zimbra has released version 10.1.12, which patches the SSRF flaw and introduces several performance and stability updates. Administrators are strongly advised to review the Zimbra 10.1.12 Release Notes and deploy the newest update as soon as possible to prevent exploitation.

      Security teams should also verify system integrity following patch installation and monitor access logs for any suspicious or unauthorized internal requests that might indicate prior compromise.

      Applying the latest update not only mitigates this SSRF threat but also enhances Zimbra’s overall resilience and performance.

      Regular patch maintenance, combined with proper configuration hardening, remains the best defense against evolving threat vectors targeting enterprise collaboration platforms.


      The post Critical Zimbra SSRF Vulnerability Let Attackers Access Sensitive Data appeared first on Cyber Security News.
