University College London Hospitals (UCLH) NHS Foundation Trust and University Hospital Southampton NHS Foundation Trust have been hit by cyber attacks that compromised staff information. The breach stemmed from a vulnerability in Ivanti Endpoint Manager Mobile (EPMM)—a tool used to manage employee mobile devices. Ivanti patched the flaw on May 15, shortly after its discovery.
UCLH, with assistance from NHS England cybersecurity experts, confirmed no evidence of patient data exposure. The compromised system reportedly contained details like mobile numbers and IMEI codes, but no passwords or clinical records.
Sky News, which broke the story, cited security analysts at EclecticIQ, who uncovered additional global victims spanning the UK, Scandinavia, the US, Germany, Ireland, South Korea, and Japan. The attacks originated from a China-based IP address, though official attribution remains unclear.
This incident adds to a growing list of NHS-related breaches. In June 2024, a ransomware attack on Synnovis, a blood testing provider, disrupted thousands of procedures across London hospitals. Just months earlier, in November, Wirral University Teaching Hospital Trust also faced a major cybersecurity event.
Cybersecurity experts, including Dray Agha from Huntress, stressed the urgent need for stronger vendor risk management. “This breach, linked to third-party software, underscores the importance of securing the entire healthcare supply chain,” Agha noted. He emphasized the need for constant patching, vendor coordination, and rapid response strategies.
In response to escalating threats, the NHS recently introduced a cybersecurity charter that sets stricter requirements for suppliers. These include using multi-factor authentication, maintaining immutable backups, applying timely patches, and 24/7 threat monitoring—steps aimed at reinforcing digital resilience across all NHS-connected vendors.
Stay ahead of emerging cybersecurity threats. For the latest insights and updates on cloud security, follow SOC News.
News Source: ITPro.com
Cybersecurity experts have uncovered an alarming trend among ransomware groups and advanced threat actors exploiting Cloudflare’s tunneling tool, Cloudflared, to quietly infiltrate and persist within compromised networks.
By leveraging this legitimate service, attackers create encrypted tunnels that appear as normal network traffic, effectively bypassing conventional security measures. The encrypted Cloudflared tunnels allow for continuous remote access that blends into authorized traffic, making detection extremely difficult.
Groups like BlackSuit, Royal, Akira, Scattered Spider, and Medusa have widely adopted this method. After gaining initial access—often through VPN or RDP vulnerabilities—they install Cloudflared to deploy tunnels, extract tokens, and move laterally across networks.
Researchers from Sudo rem have mapped this into a full “Cloudflared Abuse Lifecycle,” noting how attackers maintain long-term access by embedding tunnels as startup services. These tunnels often survive reboots and network resets, ensuring persistent control.
The attackers also manipulate Cloudflared tunnel tokens, which are Base64-encoded JSON files containing identifiers that, if tracked, can indicate compromise. However, adversaries have responded with clever obfuscation tactics. For instance, Medusa renames the tunnel executable to mimic system files like svchost.exe, while BlackSuit disguises it as software updaters such as AdobeUpdater.exe or LogMeInUpdater.exe—a tactic that tricks many security systems.
Security teams are now facing the challenge of distinguishing between legitimate admin usage of Cloudflared and its malicious abuse. Though intelligence on some actors like Hunters International remains scarce, the broad adoption of this technique signals a growing trend in the weaponization of enterprise tools.
Cyber defenders are urged to tighten monitoring around tunneling activities, scrutinize unusual service names, and investigate persistent account identifiers to stay ahead of these stealthy intrusions.
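The two detection leads the article gives, renamed Cloudflared binaries and the identifiers inside tunnel tokens, can be turned into a small triage routine. The following is an added example for this page, not code from the article or from Cloudflare or the researchers it cites. It works over constructed process-creation events (invented hosts, paths and command lines) and assumes the token is Base64 over a JSON object whose fields "a", "t" and "s" hold the account tag, tunnel ID and secret; that layout is an assumption of the example, not something stated on the page.

```python
import base64
import json
import re
from collections import defaultdict

# Constructed tunnel token: Base64 over a JSON object. The field names assumed
# here (a = account tag, t = tunnel ID, s = secret) are an assumption of this
# example, not taken from the article.
SAMPLE_TOKEN = base64.b64encode(json.dumps(
    {"a": "acct-CONSTRUCTED", "t": "tunnel-CONSTRUCTED", "s": "secret-CONSTRUCTED"}
).encode()).decode()
# A Base64 blob that decodes to JSON but is not a tunnel token.
NOT_A_TUNNEL_TOKEN = base64.b64encode(b'{"note": "constructed"}').decode()

# Constructed process-creation events in the shape an EDR or Sysmon feed provides:
# image path on disk, the PE version-resource OriginalFileName, and the command line.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
     "original_filename": "cloudflared.exe",
     "cmdline": f"cloudflared.exe tunnel run --token {SAMPLE_TOKEN}"},
    {"host": "ws-02", "image": r"C:\Users\Public\svchost.exe",
     "original_filename": "cloudflared.exe",
     "cmdline": f"svchost.exe tunnel run --token {SAMPLE_TOKEN}"},
    {"host": "ws-03", "image": r"C:\ProgramData\AdobeUpdater.exe",
     "original_filename": "cloudflared.exe",
     "cmdline": f"AdobeUpdater.exe service install {NOT_A_TUNNEL_TOKEN}"},
    {"host": "ws-04", "image": r"C:\Windows\System32\svchost.exe",
     "original_filename": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
]

TOKEN_RE = re.compile(r"(?:--token|service\s+install)\s+([A-Za-z0-9+/=_-]{16,})")
CLI_RE = re.compile(r"\btunnel\s+run\b|\bservice\s+install\b")


def decode_tunnel_token(token):
    """Return the non-secret identifiers from a tunnel token, or None if the
    blob does not decode to an object carrying them. The secret is never returned."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4))
        data = json.loads(raw)
    except ValueError:  # covers binascii.Error, JSONDecodeError and bad UTF-8
        return None
    if not isinstance(data, dict) or "a" not in data or "t" not in data:
        return None
    return {"account_tag": data["a"], "tunnel_id": data["t"]}


def assess_event(event):
    """Findings for one process event: Cloudflared running under another name,
    and the account/tunnel identifiers carried on its command line."""
    findings = []
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    is_cloudflared = (event.get("original_filename", "").lower() == "cloudflared.exe"
                      or CLI_RE.search(event["cmdline"]) is not None)
    if not is_cloudflared:
        return {"host": event["host"], "findings": findings, "ids": None}
    if image_name != "cloudflared.exe":
        findings.append(f"cloudflared running under the name {image_name}")
    m = TOKEN_RE.search(event["cmdline"])
    ids = decode_tunnel_token(m.group(1)) if m else None
    if ids:
        findings.append(f"tunnel for account {ids['account_tag']} (tunnel {ids['tunnel_id']})")
    elif m:
        findings.append("token argument is not a recognisable tunnel token")
    return {"host": event["host"], "findings": findings, "ids": ids}


def hosts_by_account(events):
    """Map each account tag seen in tokens to the hosts that used it. An account
    tag that is not the organisation's own, or one appearing on hosts that should
    never run a tunnel, is the persistent identifier the article says to track."""
    seen = defaultdict(set)
    for ev in events:
        ids = assess_event(ev)["ids"]
        if ids:
            seen[ids["account_tag"]].add(ev["host"])
    return {tag: sorted(hosts) for tag, hosts in seen.items()}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], assess_event(ev)["findings"])
    print(hosts_by_account(SAMPLE_EVENTS))
```

The OriginalFileName comparison is what survives the renaming to svchost.exe or AdobeUpdater.exe described above, since the version resource travels with the binary; the account-tag index is what lets a SOC compare every tunnel seen on the estate against the one account it actually licenses.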
News Source: CybersecurityNews.com
GoTo has formed a strategic alliance with cybersecurity firm Acronis, introducing the new LogMeIn Data Protection Suite powered by Acronis. This collaboration aims to simplify endpoint management and improve data security for managed service providers (MSPs) and small-to-medium-sized enterprises (SMEs).
The suite merges GoTo’s LogMeIn Resolve unified endpoint management (UEM) with Acronis’ business continuity and disaster recovery (BCDR) solutions, enabling IT teams to centralize operations across increasingly complex environments.
Joseph George, General Manager of GoTo’s IT Solutions Group, highlighted that siloed systems often hinder IT teams, resulting in missed backups, policy inconsistencies, and delayed disaster recovery. “Our partnership with Acronis directly addresses these gaps by offering a connected and scalable data protection experience,” he said.
Key features of the new suite include streamlined enrollment, customizable scheduling, and broad compatibility with cloud platforms like Google Workspace and Microsoft 365. MSPs will also benefit from rapid one-click recovery and multi-tenancy tools, helping reduce downtime and scale operations seamlessly.
Acronis BCDR customers will now be able to integrate with LogMeIn Resolve, simplifying backup workflows by enabling direct agent enrollment and schedule configuration from within the platform.
Fernanda Silva, Senior Alliances Manager at Acronis, emphasized the value of this collaboration. “This is not just a technical integration; it’s a solution to real-world problems MSPs face daily,” she said. “We’ve combined endpoint security, backup, and disaster recovery into a unified experience.”
This marks the initial phase of the GoTo–Acronis partnership, with more integrations and upgrades expected in the near future.
News Source: ITPro.com
Threat actors are increasingly leveraging a variety of top-level domains (TLDs) to carry out phishing campaigns, with the .li extension emerging as the most malicious. A recent analysis reveals that 57.22% of all observed .li domains are flagged as harmful, making it the highest-risk TLD currently in circulation.
According to cybersecurity firm ANY.RUN, domains like .es, .sbs, .dev, .cfd, and .ru frequently appear in phishing attacks, often mimicking login portals or delivering fake documents to steal user credentials. These domains are central to evolving phishing methods that bypass traditional detection systems, prompting a renewed call for tighter domain monitoring within Security Operations Centers (SOCs).
.li Domains Act as Redirectors, Not Just Payload Hosts
While .li domains rank highest in terms of malicious activity, researchers emphasize that many don’t host malware directly. Instead, they serve as redirectors—guiding victims through multi-step attack chains to final phishing or malware destinations. Techniques such as PHP header() calls, JavaScript’s location.replace(), and HTML meta-refresh tags are commonly used to execute seamless redirections while masking the threat.
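An analyst looking at one of these chains needs to recognise all three redirect mechanisms the paragraph names (an HTTP Location header as produced by PHP header(), a meta-refresh tag, and a JavaScript location.replace() or location.href assignment) and record the TLD at each hop. The following is an added example written for this page, not code from ANY.RUN or the article. It runs offline over a constructed set of responses with invented domains; the fetch callable is the only thing a sandbox would need to swap in.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed responses keyed by URL, standing in for what a sandbox would
# fetch. All domains are invented for this example.
SAMPLE_RESPONSES = {
    "https://notice-login.li/doc": {
        "status": 302, "headers": {"Location": "/view?id=7"}, "body": ""},
    "https://notice-login.li/view?id=7": {
        "status": 200, "headers": {"Content-Type": "text/html"},
        "body": '<html><head><meta http-equiv="refresh" '
                'content="0; url=https://files-share.sbs/open"></head></html>'},
    "https://files-share.sbs/open": {
        "status": 200, "headers": {"Content-Type": "text/html"},
        "body": '<script>location.replace("https://account-verify.cfd/login");</script>'},
    "https://account-verify.cfd/login": {
        "status": 200, "headers": {"Content-Type": "text/html"},
        "body": "<form method=post><input name=user><input name=pass type=password></form>"},
}

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.I)
REFRESH_URL_RE = re.compile(
    r"content\s*=\s*[\"']?\s*\d+\s*;\s*url\s*=\s*[\"']?([^\"'>\s]+)", re.I)
# Covers location.replace(...), location.assign(...), location = ..., location.href = ...
JS_LOCATION_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*"
    r"(?:=|\.replace\(|\.assign\()\s*[\"']([^\"']+)[\"']", re.I)


def next_hop(url, response):
    """Return the URL this response sends the browser to, or None for a final page."""
    status = response.get("status", 200)
    headers = {k.lower(): v for k, v in response.get("headers", {}).items()}
    # 1. Server-side redirect (what PHP header('Location: ...') produces).
    if 300 <= status < 400 and "location" in headers:
        return urljoin(url, headers["location"])
    body = response.get("body", "")
    # 2. HTML meta-refresh; attribute order inside the tag does not matter.
    for tag in META_TAG_RE.finditer(body):
        if re.search(r"http-equiv\s*=\s*[\"']?refresh", tag.group(0), re.I):
            m = REFRESH_URL_RE.search(tag.group(0))
            if m:
                return urljoin(url, m.group(1))
    # 3. Client-side JavaScript navigation with a literal target.
    m = JS_LOCATION_RE.search(body)
    if m:
        return urljoin(url, m.group(1))
    return None


def follow_chain(start, fetch, max_hops=10):
    """Walk the redirect chain from start using fetch(url) -> response or None.
    Stops on a final page, an unknown URL, a loop, or the hop limit."""
    chain = [start]
    while len(chain) <= max_hops:
        response = fetch(chain[-1])
        if response is None:
            break
        nxt = next_hop(chain[-1], response)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def tld(url):
    """Last DNS label of the URL's host, lower-cased."""
    host = urlsplit(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower()


def chain_report(chain):
    """(TLD, URL) per hop, the view a SOC would use for per-TLD monitoring."""
    return [(tld(u), u) for u in chain]


if __name__ == "__main__":
    for hop_tld, hop in chain_report(follow_chain("https://notice-login.li/doc",
                                                  SAMPLE_RESPONSES.get)):
        print(f"{hop_tld:5} {hop}")
```

On the constructed chain the .li domain never serves the credential form itself; it appears twice as a redirector before the .sbs and .cfd hops, which is the pattern the researchers describe. Obfuscated JavaScript that builds the target string at runtime will defeat the literal-string regex, which is why the article pairs domain monitoring with interactive sandbox analysis.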
Cheap Domains Fuel Mass-Scale Phishing
Low-cost TLDs like .sbs, .cfd, and .icu are driving large-scale phishing operations. With domain registration costs as low as $1.54, attackers can easily purchase vast numbers of throwaway domains. Historical data from the Cybercrime Information Center shows 11,224 phishing domains registered under .sbs and 5,558 under .cfd. The .icu extension, promoted as “I see you,” also remains a preferred vector, linked to 3,171 malicious sites.
Cloudflare Services Targeted by Sophisticated Phishing Kits
Legitimate hosting services, including Cloudflare’s Pages.dev and Workers.dev, are being misused to host phishing pages that exploit the provider’s trusted reputation. Phishing incidents on Pages.dev surged by 198% between 2023 and 2024, jumping from 460 to 1,370 reported cases.
Among the most notable threats is the Tycoon 2FA phishing kit. This tool uses advanced evasion methods such as browser fingerprinting, CAPTCHA hurdles, and control server domain triangulation across TLDs like .ru, .es, .su, .com, .net, and .org. Many attacks begin with hijacked Amazon SES accounts and evolve through intricate redirect chains before capturing user credentials.
Call for Enhanced Monitoring and Sandbox Analysis
Experts stress the importance of real-time domain analysis using interactive sandbox environments to uncover indicators of compromise (IOCs). Implementing robust TLD monitoring protocols will help organizations strengthen their defenses and stay ahead of these increasingly sophisticated phishing operations.
News Source: CybersecurityNews.com
As cyber threats grow more advanced and budgets remain tight, Chief Information Security Officers (CISOs) are doubling down on AI-driven solutions to strengthen cybersecurity operations while managing rising costs, according to Wipro’s 2025 State of Cybersecurity Report.
The report shows a shift in spending behavior, with only 20% of global security leaders now allocating over 10% of their annual IT budgets to cybersecurity—a 12% drop from 2023. Yet, nearly 30% of respondents said AI automation is their top investment priority, especially to reduce operational costs and improve security response.
CISOs are increasingly leveraging AI to boost threat detection and enhance incident response, with 25% using it specifically for better incident handling. However, widespread adoption faces significant obstacles. A majority (84%) cited data privacy and quality issues as leading challenges, while around 75% struggle with internal skill shortages, pushing them toward costly external support or upskilling efforts.
Integration with outdated systems and budget constraints also continue to hinder progress, with 70% of leaders naming legacy systems and hardware investments as significant roadblocks.
To cut costs further, CISOs are turning to tools rationalization—analyzing and consolidating redundant tools to improve efficiency. Just over a quarter of respondents identified this as a key cost-optimization strategy. Tool sprawl, long a concern for security teams, is driving frustration across organizations.
Additionally, 23% are refining security processes, while 20% aim to simplify operational models.
Wipro’s study highlights a more strategic posture in cybersecurity planning. Nearly all respondents (97%) are investing in Zero Trust frameworks, while 82% are prioritizing IoT security. Around 78% are backing Secure Access Service Edge (SASE) solutions to address the demands of cloud growth and remote work.
As AI tools multiply, 55% of CISOs are now placing emphasis on implementing guardrails for Large Language Models (LLMs), ensuring secure and responsible usage across enterprise systems.
“In the face of complex technologies, shifting regulations, and persistent threats, security leaders must evolve from reactive roles to strategic risk advisors,” said Tony Buffomante, SVP and Global Head of Cybersecurity & Risk Services at Wipro. “AI empowers CISOs to deliver risk-adjusted outcomes while enhancing resilience.”
News Source: ITPro.com
A major vulnerability in the widely used TI WooCommerce Wishlist plugin has exposed over 100,000 WordPress websites to cyber threats, prompting serious concerns among security experts.
Tracked as CVE-2025-47577, the flaw carries a maximum CVSS score of 10.0, allowing unauthenticated attackers to upload arbitrary files to vulnerable sites. This could potentially give hackers full control over affected servers.
The plugin, known for adding wishlist features to WooCommerce stores, now poses a serious risk to global e-commerce platforms. Versions 2.9.2 and earlier remain unpatched, leaving users defenseless as developers have yet to release a fix.
Patchstack security analysts discovered the flaw during routine assessments and first reached out to the plugin vendor on March 26, 2025. After receiving no response for nearly two months, they published the vulnerability details in their database on May 16, followed by a public advisory on May 27.
Due to the developer’s silence, experts recommend that site administrators remove the plugin entirely until a secure version is released.
How the Exploit Works:
The issue lies in the plugin’s tinvwl_upload_file_wc_fields_factory function. It utilizes WordPress’s wp_handle_upload system but disables essential security checks through the 'test_type' => false parameter. This omission allows attackers to upload and execute malicious PHP files directly on the server.
Importantly, the exploit only becomes active if the WC Fields Factory plugin is also installed and active, narrowing the threat to a specific segment of users—but one still large enough to warrant immediate action.
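To make concrete what the disabled type test was supposed to do, here is an added example, written in Python rather than PHP and not taken from the plugin, WordPress or Patchstack. The check_upload function applies the class of check that a file-type test performs (extension allowlist, magic bytes for the extension, and a scan for server-side script markers), and its test_type=False path reproduces the effect of switching that test off: the client-supplied name alone decides, so a .php upload goes through. The allowlist and the constructed inputs are assumptions of the example.

```python
import re
import secrets

# Constructed allowlist: extension -> magic bytes the content must start with.
# An empty tuple marks a text type without magic bytes. WordPress keeps its own
# MIME/extension tables (wp_check_filetype_and_ext); this mapping is an
# assumption of the example, not the plugin's or WordPress's data.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
    "csv": (),
}
# Markers that have no business inside an image or document upload.
SERVER_SCRIPT_RE = re.compile(rb"<\?(?:php|=)|<script\b", re.I)


def check_upload(filename, content, test_type=True):
    """Return (accepted, reason).

    test_type=False mirrors the effect of disabling the type check: the
    file name alone decides, so a .php upload is accepted. With the check
    on, the extension must be allowlisted, the content must carry that
    type's magic bytes, and no server-side script marker may be present."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if not test_type:
        return True, f"accepted .{ext} without a type check"
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} is not allowed"
    magic = ALLOWED_TYPES[ext]
    if magic and not any(content.startswith(m) for m in magic):
        return False, f"content does not look like .{ext}"
    if SERVER_SCRIPT_RE.search(content):
        return False, "content carries a server-side script marker"
    return True, "accepted"


def stored_name(filename):
    """Name to store an accepted file under. A random stem keeps the client's
    filename (and any extra dots in it, e.g. pic.php.jpg) out of the path, and
    the allowlisted extension is the only one the file ever gets on disk."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    # Constructed inputs; the PHP content is a harmless marker, not a payload.
    cases = [
        ("photo.jpg", b"\xff\xd8\xff\xe0constructed-jpeg-bytes", True),
        ("script.php", b"<?php echo 'constructed'; ?>", True),
        ("script.php", b"<?php echo 'constructed'; ?>", False),   # the vulnerable path
        ("photo.jpg", b"<?php echo 'constructed'; ?>", True),     # wrong content for .jpg
    ]
    for fname, data, strict in cases:
        print(fname, "strict" if strict else "lax", check_upload(fname, data, strict))
```

The second and third cases are the whole story of the bug: the same .php upload is refused when the type check runs and accepted when it does not. The fix on the application side is to leave the type test enabled; the defensive additions shown here (content sniffing, a marker scan and a server-chosen filename) reduce the blast radius if a check is ever disabled again.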
Security professionals continue to urge administrators to act quickly, warning that the risk of exploitation remains extremely high.
News Source: CybersecurityNews.com
A cybersecurity researcher has discovered an unprotected online database exposing over 184 million unique login credentials tied to major platforms including Google, Meta (Facebook, Instagram), Apple, Microsoft, Snapchat, Roblox, and more.
Jeremiah Fowler, the researcher behind the discovery, reported that the 47.42GB database contained sensitive details like emails, usernames, passwords, and direct login URLs. The data appears to have been harvested through infostealer malware, often embedded in phishing emails, malicious sites, or pirated software.
The exposed credentials also included access to banking services, health platforms, and even government portals—putting users at serious risk of identity theft, fraud, and further cyberattacks.
While the origin of the database remains unclear, its IP address was linked to two domain names—one inactive and the other unregistered. Most filenames used the Portuguese word “senha” (password), hinting at a possible region of origin.
Fowler validated several records by contacting affected individuals, confirming their email-password combinations were accurate and currently in use. He notified the hosting provider, which has since removed the database, but did not disclose who owned it.
Security experts, including AppOmni’s Chief Security Officer Cory Michal, stress that while leaked credentials are often traded on dark web forums, the scale and freshness of this breach make it particularly dangerous. Michal noted that identity providers tied to SaaS and cloud services are prime targets, heightening the potential for downstream account takeovers.
Fowler urges users to change their passwords immediately and avoid storing sensitive files—like medical documents or tax records—in their email. Instead, he recommends using encrypted cloud services for secure data sharing.
This breach underscores the growing threat of credential theft and highlights the urgent need for better personal cybersecurity practices and data protection awareness.
News Source: ITPro.com
In a landmark cybersecurity breakthrough this February, researchers uncovered a new and highly sophisticated malware strain—BypassERWDirectSyscallShellcodeLoader—marking the first documented instance of generative AI being used to both create and analyze malicious code.
This advanced malware, generated using large language models like ChatGPT and DeepSeek, showcases a turning point in cyber warfare. No longer confined to manually written code, cybercriminals are now leveraging AI to produce complex, stealthy threats at scale, posing a fresh challenge for traditional defense systems.
The malicious code came to light through Deep Instinct’s proprietary DIANNA (Deep Instinct Artificial Neural Network Assistant)—an AI-powered detection tool that successfully explained and categorized this AI-born threat. The analysis revealed the malware’s capacity to evade detection while deploying multiple payloads through direct system calls, bypassing standard API monitoring tools.
What sets this malware apart is its modular framework, which allows attackers to tailor payloads for specific objectives. It also employs advanced evasion techniques, including anti-debugging, anti-sandboxing, and Bypass-ETW (Event Tracing for Windows). These features enable it to operate silently, deceiving security tools while maintaining its functionality in infected systems.
Remarkably, DIANNA identified and blocked the malware hours before it surfaced on VirusTotal, where only six security vendors initially flagged it as malicious. This detection gap underscores the limitations of signature-based methods and emphasizes the growing necessity for next-generation AI-driven cybersecurity solutions.
The emergence of BypassERWDirectSyscallShellcodeLoader is a wake-up call: as cybercriminals adopt AI to innovate attacks, defenders must evolve equally fast. AI-assisted tools like DIANNA are no longer just an option—they’re a critical frontline in the escalating battle against intelligent cyber threats.
News Source: CyberSecurityNews.com
Ohio-based healthcare provider Kettering Health cancelled patient procedures and appointments following a cyberattack that crippled its systems. The non-profit, which operates 14 hospitals and over 100 outpatient facilities across the state, confirmed the incident on Tuesday, May 20.
The cyberattack significantly impacted Kettering Health’s call centers and patient care systems, prompting the cancellation of both elective inpatient and outpatient procedures. The organization assured patients that affected appointments would be rescheduled and updates would follow.
“Our call center is also down and may be unreachable at this time,” the company stated, urging patients to remain alert to phishing scams. Kettering Health warned that scammers might attempt to exploit the situation and emphasized that it would temporarily suspend phone-based payment requests as a precaution.
According to CNN, the ransomware group Interlock has claimed responsibility for the attack. The group threatened to leak sensitive data unless a ransom is paid, stating, “Your network was compromised, and we have secured your most vital files.”
Interlock, an emerging ransomware gang active since late 2024, has gained notoriety with a string of attacks—16 confirmed and 17 unverified, according to Rebecca Moody, head of data research at Comparitech. The group previously breached DaVita, a national kidney care provider, and recently targeted a school network in West Lothian, Scotland, leaking 3.3 million files online.
Kettering Health continues to assess the damage and work toward restoring systems while cooperating with authorities.
News Source: ITPro.com
In a major international crackdown, law enforcement agencies have disrupted several major ransomware operations by dismantling their infrastructure and issuing multiple indictments.
Led by Europol and Eurojust, Operation Endgame took down 300 servers and neutralized 650 domains tied to ransomware and malware activity. The coordinated effort also resulted in 20 international arrest warrants and the seizure of over €3.5 million in cryptocurrency, bringing the total haul from the operation to more than €21.2 million.
The campaign targeted malware strains used for initial access, including Bumblebee, Latrodectus, Qakbot, Hijackloader, DanaBot, Trickbot, and Warmcookie. These tools serve as entry points for ransomware attacks, enabling cybercriminals to infiltrate networks before deploying ransomware payloads.
“This operation shows law enforcement’s ability to strike back, even as cybercriminals evolve,” said Europol’s executive director, Catherine De Bolle. “By disrupting their support services, we’re cutting the ransomware chain at its origin.”
Authorities have also appealed for public assistance in identifying additional suspects tied to the disrupted infrastructure.
As part of the ongoing operation, the U.S. Department of Justice charged Russian national Rustam Rafailevich Gallyamov, 48, for leading a group that used Qakbot malware to infect thousands of systems globally. He allegedly provided access to co-conspirators who deployed high-profile ransomware strains including REvil, Conti, and Black Basta, and profited from ransom payments.
In a parallel development, 16 individuals have been indicted for developing and spreading DanaBot malware, which infected over 300,000 systems and caused an estimated $50 million in damages.
Kenneth DeChellis, special agent in charge at the Department of Defense’s Cyber Field Office, emphasized the threat DanaBot posed. “These actions disrupted a group that endangered sensitive networks and profited from stolen data,” he said. “We remain committed to defending our digital infrastructure.”
Operation Endgame marks one of the most significant global strikes against ransomware infrastructure to date, showcasing the growing capability and cooperation of international cybercrime enforcement.
News Source: ITPro.com