VulnHub

A significant credential harvesting campaign has been detected, utilizing the React2Shell vulnerability (CVE-2025-55182) to gain access to sensitive data from 766 Next.js hosts. Attackers are stealing various credentials, including database logins, SSH private keys, AWS secrets, Stripe API keys, and GitHub tokens. This operation has been linked to a threat group that Cisco Talos is monitoring. The widespread nature of this breach is concerning, as it affects a range of developers and companies using Next.js, potentially compromising their applications and user data. Companies need to be vigilant and take immediate steps to secure their systems against this threat.

The latest ThreatsDay Bulletin highlights a range of pressing cybersecurity threats impacting various systems. Researchers are reporting on the alarming trend of chaining together minor vulnerabilities to create significant backdoors, which could allow attackers to gain unauthorized access. Additionally, there are ongoing concerns about Android rootkits and methods for evading AWS CloudTrail logging, raising red flags for cloud security. These developments underscore the need for organizations to stay vigilant and proactive in patching software and monitoring their systems for unusual activity. With cyber threats evolving quickly, it’s crucial for companies to keep their defenses updated and educate their teams on the latest risks.

Amazon Threat Intelligence has issued a warning regarding an active ransomware campaign known as Interlock, which is exploiting a significant vulnerability in Cisco's Secure Firewall Management Center (FMC) Software. This vulnerability, identified as CVE-2026-20131, has a maximum severity score of 10.0 and stems from an insecure deserialization of user-supplied Java byte streams. This flaw could allow attackers to gain root access without authentication, posing a serious risk to organizations using affected Cisco products. The exploitation of this vulnerability is concerning as it enables unauthorized access, potentially leading to data breaches and system compromises. Companies using Cisco FMC Software must take immediate action to protect their systems from this ongoing threat.

Cofense researchers have identified a new phishing scam where attackers use LiveChat to impersonate customer service agents from Amazon and PayPal. This tactic enables them to interact with victims in real-time, making the scam appear more convincing. The goal is to extract sensitive information such as credit card details and multi-factor authentication (MFA) codes. This type of scam poses a significant risk to users who may inadvertently share their financial information with these impersonators. As online shopping and payment services continue to grow, consumers need to be more vigilant about verifying the identity of customer service representatives to avoid falling victim to such schemes.

A recent social engineering campaign is targeting individuals by impersonating well-known companies like PayPal and Amazon. Attackers are using customer support interactions through LiveChat to trick users into revealing sensitive information, including credit card details and personal data. This type of phishing attack takes advantage of the trust that users place in these popular services, making it easier for the criminals to manipulate their victims. It's crucial for users to stay vigilant and verify the authenticity of any communication claiming to be from these companies, especially when asked for personal information. As these tactics become more sophisticated, both consumers and companies must be cautious about sharing sensitive data online.

A recent security flaw in the AWS Bedrock Code Interpreter has raised concerns among cloud users. This vulnerability involves a DNS-based attack that allows AI sandboxes to exfiltrate sensitive data from cloud environments. The issue affects AWS Bedrock's AgentCore, which is crucial for running AI applications in a secure environment. Companies using AWS Bedrock services need to be aware of this vulnerability as it could potentially expose their data to unauthorized access. This incident underscores the need for enhanced security measures in cloud-based AI applications.

TA584, a known threat actor, is currently using compromised email accounts to distribute malicious content through services like SendGrid and Amazon SES. Their attack method incorporates tools such as Tsundere Bot and XWorm, which are designed to gain unauthorized access to networks. This tactic raises concerns for organizations that rely on these email services, as attackers can exploit trusted channels to deliver malware. The use of legitimate platforms for malicious purposes complicates detection and prevention efforts. Companies need to be vigilant and enhance their security measures to protect against such sophisticated email-based attacks.

Recent data from Chainalysis reveals that North Korea has stolen approximately $2 billion in cryptocurrency through cyber operations. This surge in digital theft is part of a broader strategy to fund the country's activities, including its weapons programs. Concurrently, Amazon has identified and blocked around 1,800 fake IT workers believed to be linked to North Korean cybercriminals. These workers were likely part of a scheme to infiltrate legitimate companies and potentially facilitate further cyber thefts. The implications of these actions are significant, as they show the ongoing threat posed by state-sponsored hacking groups and the need for companies to enhance their security measures against such attacks.