A cybersecurity researcher has discovered an unprotected online database exposing over 184 million unique login credentials tied to major platforms including Google, Meta (Facebook, Instagram), Apple, Microsoft, Snapchat, Roblox, and more.
Jeremiah Fowler, the researcher behind the discovery, reported that the 47.42GB database contained sensitive details like emails, usernames, passwords, and direct login URLs. The data appears to have been harvested through infostealer malware, often embedded in phishing emails, malicious sites, or pirated software.
The exposed credentials also included access to banking services, health platforms, and even government portals—putting users at serious risk of identity theft, fraud, and further cyberattacks.
While the origin of the database remains unclear, its IP address was linked to two domain names—one inactive and the other unregistered. Most filenames used the Portuguese word “senha” (password), hinting at a possible region of origin.
Fowler validated several records by contacting affected individuals, confirming their email-password combinations were accurate and currently in use. He notified the hosting provider, which has since removed the database, but did not disclose who owned it.
Security experts, including AppOmni’s Chief Security Officer Cory Michal, stress that while leaked credentials are often traded on dark web forums, the scale and freshness of this breach make it particularly dangerous. Michal noted that identity providers tied to SaaS and cloud services are prime targets, heightening the potential for downstream account takeovers.
Fowler urges users to change their passwords immediately and avoid storing sensitive files—like medical documents or tax records—in their email. Instead, he recommends using encrypted cloud services for secure data sharing.
This breach underscores the growing threat of credential theft and highlights the urgent need for better personal cybersecurity practices and data protection awareness.
Stay ahead of emerging cybersecurity threats. For the latest insights and updates on cloud security, follow SOC News.
News Source: ITPro.com
In a landmark cybersecurity breakthrough this February, researchers uncovered a new and highly sophisticated malware strain—BypassERWDirectSyscallShellcodeLoader—marking the first documented instance of generative AI being used to both create and analyze malicious code.
This advanced malware, generated using large language models like ChatGPT and DeepSeek, showcases a turning point in cyber warfare. No longer confined to manually written code, cybercriminals are now leveraging AI to produce complex, stealthy threats at scale, posing a fresh challenge for traditional defense systems.
The malicious code came to light through Deep Instinct’s proprietary DIANNA (Deep Instinct Artificial Neural Network Assistant)—an AI-powered detection tool that successfully explained and categorized this AI-born threat. The analysis revealed the malware’s capacity to evade detection while deploying multiple payloads through direct system calls, bypassing standard API monitoring tools.
What sets this malware apart is its modular framework, which allows attackers to tailor payloads for specific objectives. It also employs advanced evasion techniques, including anti-debugging, anti-sandboxing, and Bypass-ETW (Event Tracing for Windows). These features enable it to operate silently, deceiving security tools while maintaining its functionality in infected systems.
Remarkably, DIANNA identified and blocked the malware hours before it surfaced on VirusTotal, where only six security vendors initially flagged it as malicious. This detection gap underscores the limitations of signature-based methods and emphasizes the growing necessity for next-generation AI-driven cybersecurity solutions.
The emergence of BypassERWDirectSyscallShellcodeLoader is a wake-up call: as cybercriminals adopt AI to innovate attacks, defenders must evolve equally fast. AI-assisted tools like DIANNA are no longer just an option—they’re a critical frontline in the escalating battle against intelligent cyber threats.
News Source: CyberSecurityNews.com
Ohio-based healthcare provider Kettering Health cancelled patient procedures and appointments following a cyberattack that crippled its systems. The non-profit, which operates 14 hospitals and over 100 outpatient facilities across the state, confirmed the incident on Tuesday, May 20.
The cyberattack significantly impacted Kettering Health’s call centers and patient care systems, prompting the cancellation of both elective inpatient and outpatient procedures. The organization assured patients that affected appointments would be rescheduled and updates would follow.
“Our call center is also down and may be unreachable at this time,” the organization stated, urging patients to remain alert to phishing scams. Kettering Health warned that scammers might attempt to exploit the situation and emphasized that it would temporarily suspend phone-based payment requests as a precaution.
According to CNN, the ransomware group Interlock has claimed responsibility for the attack. The group threatened to leak sensitive data unless a ransom is paid, stating, “Your network was compromised, and we have secured your most vital files.”
Interlock, an emerging ransomware gang active since late 2024, has gained notoriety with a string of attacks—16 confirmed and 17 unverified, according to Rebecca Moody, head of data research at Comparitech. The group previously breached DaVita, a national kidney care provider, and recently targeted a school network in West Lothian, Scotland, leaking 3.3 million files online.
Kettering Health continues to assess the damage and work toward restoring systems while cooperating with authorities.
News Source: ITPro.com
In a major international crackdown, law enforcement agencies have disrupted several major ransomware operations by dismantling their infrastructure and issuing multiple indictments.
Led by Europol and Eurojust, Operation Endgame took down 300 servers and neutralized 650 domains tied to ransomware and malware activity. The coordinated effort also resulted in 20 international arrest warrants and the seizure of over €3.5 million in cryptocurrency, bringing the total haul from the operation to more than €21.2 million.
The campaign targeted malware strains used for initial access, including Bumblebee, Latrodectus, Qakbot, Hijackloader, DanaBot, Trickbot, and Warmcookie. These tools serve as entry points for ransomware attacks, enabling cybercriminals to infiltrate networks before deploying ransomware payloads.
“This operation shows law enforcement’s ability to strike back, even as cybercriminals evolve,” said Europol’s executive director, Catherine De Bolle. “By disrupting their support services, we’re cutting the ransomware chain at its origin.”
Authorities have also appealed for public assistance in identifying additional suspects tied to the disrupted infrastructure.
As part of the ongoing operation, the U.S. Department of Justice charged Russian national Rustam Rafailevich Gallyamov, 48, for leading a group that used Qakbot malware to infect thousands of systems globally. He allegedly provided access to co-conspirators who deployed high-profile ransomware strains including REvil, Conti, and Black Basta, and profited from ransom payments.
In a parallel development, 16 individuals have been indicted for developing and spreading DanaBot malware, which infected over 300,000 systems and caused an estimated $50 million in damages.
Kenneth DeChellis, special agent in charge at the Department of Defense’s Cyber Field Office, emphasized the threat DanaBot posed. “These actions disrupted a group that endangered sensitive networks and profited from stolen data,” he said. “We remain committed to defending our digital infrastructure.”
Operation Endgame marks one of the most significant global strikes against ransomware infrastructure to date, showcasing the growing capability and cooperation of international cybercrime enforcement.
News Source: ITPro.com
A major data breach has pulled back the curtain on LockBit, one of the world’s most aggressive ransomware syndicates, revealing deep insights into its affiliate operations and victim engagement methods.
On May 7, 2025, cybercriminals hijacked LockBit’s own leak site and published sensitive data, uncovering extensive details about its “Lite” Ransomware-as-a-Service (RaaS) offering. The compromised files include chat logs between affiliates and victims, covering a critical period from December 19, 2024, to April 29, 2025.
The breach provides cybersecurity experts and law enforcement agencies with rare access to the inner dynamics of ransomware negotiations and operational procedures.
Researchers at SearchLight Cyber confirmed that the leaked data pertains specifically to LockBit’s “Lite” program—a lower-tier entry point designed to lower participation barriers. Unlike the full affiliate model, which requires a Bitcoin deposit and stringent vetting, Lite affiliates could join for just $777 USD with minimal checks.
This streamlined model was crafted to attract less-experienced cybercriminals while limiting their access. Notably, these Lite users didn’t receive encryption keys directly and often had to rely on LockBit’s central team—referred to as “bosses” or “tech support”—to conduct successful ransom negotiations.
Despite these limitations, the Lite initiative helped LockBit broaden its reach. The leak identified five key actors among the most active Lite affiliates: Christopher led with 44 victim negotiations, followed by jhon0722 (42), PiotrBond (19), and both JamesCraig and Swan with 17 each.
Analysts believe the Lite program likely launched in December 2024, aligning with the earliest registration timestamps in the leaked data.
The fallout from this breach equips cybersecurity teams with vital intelligence to strengthen defenses against a ransomware landscape that continues to evolve rapidly.
News Source: CyberSecurityNews.com
Hackers are now exploiting the viral nature of TikTok videos to distribute Vidar and StealC malware, targeting unsuspecting users through deceptive tutorial content. According to Trend Micro researchers, threat actors are leveraging popular TikTok trends by posting faceless, AI-generated videos that mimic legitimate tech guides. These clips instruct viewers to run harmful PowerShell commands, posing as software activation hacks for tools like Windows OS, CapCut, Spotify, and Microsoft Office.
Unlike typical phishing tactics, these attackers rely entirely on video content to mislead users—no malicious links or code are hosted directly on TikTok. The content appears convincing and garners high engagement. One video alone amassed half a million views, 20,000 likes, and over 100 comments, demonstrating the potential reach of this campaign.
Several TikTok accounts involved have been flagged, including @gitallowed, @zane.houghton, @allaivo2, @sysglow.wow, @alexfixpc, and @digitaldreams771. Once users execute the suggested PowerShell command, the script silently creates hidden folders, modifies Windows Defender settings, and downloads the payloads—Vidar and StealC.
These infostealers are capable of extracting saved passwords, authentication cookies, and crypto wallet data. Once installed, they connect to command-and-control servers—some masked via Telegram channels and Steam profiles—to send back stolen data. Vidar, in particular, uses these as Dead Drop Resolvers to obscure its infrastructure.
By disguising malicious intent within helpful-looking tech tutorials, the campaign reflects a dangerous evolution in social engineering attacks. It underscores the urgent need for digital literacy and caution, especially regarding unsolicited tech advice on social platforms.
Cybersecurity experts urge users to remain skeptical of online videos offering software shortcuts, especially those that involve system-level commands like PowerShell. This emerging threat highlights how social media can be weaponized to bypass conventional security filters and compromise both individual and organizational data.
News Source: CyberSecurityNews.com
Dell Technologies has introduced new AI-powered cybersecurity enhancements across its PowerStore, PowerScale, and PowerProtect Data Domain product lines, aiming to strengthen data protection and cyber resilience for enterprise environments.
Speaking at the Day 2 keynote of Dell Technologies World, Chief Operating Officer Jeff Clarke spotlighted how the company is expanding its private cloud and data center offerings with security as a core pillar.
PowerStore, Dell’s storage platform launched in 2020, now includes built-in ransomware defense powered by AI. The system analyzes data snapshots directly on the array, allowing early detection of threats and rapid identification of the last clean copy for recovery.
“This helps customers recover faster and minimize the impact of cyberattacks,” said Varun Chhabra, SVP of Infrastructure and Telecom Marketing at Dell. The AI engine tracks suspicious behavior—such as sudden deletions or encryption—not just known malware signatures. It also delivers post-attack forensic insights for streamlined recovery.
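The behaviour described above (scoring snapshots for mass deletion or encryption-like changes rather than signatures, then naming the last clean copy) can be illustrated with a small stand-alone heuristic. The code below is an added example and is not Dell's PowerStore engine or any Dell code; the entropy and change-ratio thresholds, the file names and the snapshot contents are all constructed assumptions chosen so the flow can be run offline.

```python
"""Added example (not Dell PowerStore code): a simplified snapshot-based
ransomware heuristic. Each snapshot is scored against its predecessor on
two signals, mass deletion and files whose content changed from low to
near-random high entropy (the shape encryption leaves behind). The last
snapshot before the first anomalous transition is the recovery candidate.
"""
import math
import random
from collections import Counter
from typing import Dict, List, Optional

Snapshot = Dict[str, bytes]          # path -> file contents at snapshot time

ENTROPY_THRESHOLD = 7.0   # bits/byte; assumed cut-off for "looks encrypted"
CHANGE_RATIO_LIMIT = 0.30 # assumed: >30% of files deleted or newly high-entropy


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_transition(prev: Snapshot, curr: Snapshot) -> dict:
    """Compare two consecutive snapshots and flag anomalous change."""
    prev_files = set(prev)
    deleted = prev_files - set(curr)
    # Only files that *became* high-entropy count: archives or media that were
    # already high-entropy in the previous snapshot are not treated as encrypted.
    newly_encrypted = [
        f for f in prev_files & set(curr)
        if curr[f] != prev[f]
        and shannon_entropy(prev[f]) < ENTROPY_THRESHOLD
        and shannon_entropy(curr[f]) >= ENTROPY_THRESHOLD
    ]
    total = max(len(prev_files), 1)
    deleted_ratio = len(deleted) / total
    encrypted_ratio = len(newly_encrypted) / total
    return {
        "deleted_ratio": deleted_ratio,
        "encrypted_ratio": encrypted_ratio,
        "anomalous": deleted_ratio > CHANGE_RATIO_LIMIT
        or encrypted_ratio > CHANGE_RATIO_LIMIT,
    }


def last_clean_snapshot(snapshots: List[Snapshot]) -> Optional[int]:
    """Index of the last snapshot before the first anomalous transition.

    Returns None for an empty list and the final index if nothing is anomalous.
    """
    for i in range(1, len(snapshots)):
        if score_transition(snapshots[i - 1], snapshots[i])["anomalous"]:
            return i - 1
    return len(snapshots) - 1 if snapshots else None


def build_demo_snapshots(n_files: int = 20, seed: int = 1234) -> List[Snapshot]:
    """Constructed sample data: three healthy snapshots, then one in which
    80% of the documents are overwritten with random bytes, then mass deletion."""
    rng = random.Random(seed)
    plain = {
        f"docs/report_{i:02d}.txt": f"Quarterly report {i}: figures and notes.\n".encode() * 40
        for i in range(n_files)
    }
    snap0 = dict(plain)
    snap1 = dict(plain)
    snap1["docs/report_00.txt"] += b"Addendum: revised figures.\n"   # an ordinary edit
    snap2 = dict(snap1)
    snap2["docs/report_new.txt"] = b"New document, nothing unusual.\n" * 30
    snap3 = dict(snap2)
    for name in list(snap3)[: int(n_files * 0.8)]:                 # encryption-like overwrite
        snap3[name] = bytes(rng.getrandbits(8) for _ in range(2048))
    snap4 = {k: v for k, v in snap3.items() if k.endswith("report_new.txt")}  # mass deletion
    return [snap0, snap1, snap2, snap3, snap4]


if __name__ == "__main__":
    snaps = build_demo_snapshots()
    for i in range(1, len(snaps)):
        print(i, score_transition(snaps[i - 1], snaps[i]))
    print("last clean snapshot:", last_clean_snapshot(snaps))
```

On the constructed data the first anomalous transition is snapshot 2 to 3, so snapshot 2 is reported as the last clean copy; the deletion wave in snapshot 4 never has to be examined. The "newly high-entropy" condition is what keeps compressed or already-encrypted files from being counted as fresh encryption, which is the main false-positive source for a plain entropy check.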
PowerScale has also received a security boost with the launch of the PowerScale Cybersecurity Suite. It actively monitors for anomalies and can instantly block malicious activity to prevent large-scale data loss. It features an air-gapped vault for critical backups and supports disaster recovery. The suite integrates with existing incident response tools like ServiceNow, enabling seamless operation within traditional ITSM workflows.
Dell also introduced PowerProtect Data Domain All-Flash appliances, promising significantly faster performance with enhanced cyber resilience. According to Chhabra, the new appliance offers up to 4x faster data storage, 100% faster replication, and 2.8x faster analytics for data integrity checks—while using 40% less rack space and consuming up to 80% less power compared to traditional HDD systems.
These announcements follow Dell’s Day 1 focus on its “AI Factories” initiative, made in collaboration with Nvidia, AMD, and Intel.
News Source: ITPro.com
As the auto transport sector embraces smarter, more connected technology, cybersecurity risks have grown in both scale and complexity. Vehicles now communicate with traffic systems, mobile devices, and other cars, creating seamless experiences—but also expanding the attack surface for hackers.
With digital transformation accelerating across the automotive landscape, manufacturers, transport companies, and drivers must confront a critical truth: technological convenience comes with cyber vulnerability.
Digital Integration Exposes Vehicles to New Risks
Modern vehicles rely heavily on digital infrastructure, including tools like BATS CRM and integrated IoT devices. While these systems streamline operations, they also increase the risk of data breaches, user errors, and unauthorized access.
A recent surge in cyber incidents—up 125% over two years—shows that bad actors are actively exploiting the growing interconnectivity. These cyberattacks don’t just threaten data; they pose a direct risk to vehicle safety and passenger wellbeing.
Connected Cars and Critical Entry Points for Hackers
With vehicle-to-everything (V2X) communication becoming the norm, weak encryption and authentication protocols have opened the door to potential attacks. Hackers can manipulate incoming data, interfere with OTA updates, and even seize control of vehicle functions.
The European Union Agency for Cybersecurity (ENISA) reports that 60% of automotive cyberattacks target infotainment systems and communication protocols—vulnerable areas that must be fortified.
Passenger Safety at Risk as Systems Become Targeted
As vehicles grow more autonomous, the consequences of cybersecurity failures become more severe. A breach could compromise steering, braking, or navigation, endangering lives. The infamous Jeep Cherokee hack of 2022, where attackers remotely controlled key functions, remains a chilling reminder of what’s at stake.
Beyond safety, personal data is also at risk. PwC data reveals that more than 5 million vehicle owners faced data breaches in 2024 alone, leaving sensitive details such as driving patterns and financial information exposed.
Proactive Strategies to Strengthen Defenses
Addressing these threats requires a layered defense strategy. Manufacturers are now urged to implement regular system audits, advanced authentication, and continuous software updates. Multi-factor authentication (MFA), for example, adds crucial protection by requiring additional verification—like biometrics—before granting access to vehicle systems.
Setting Industry Standards to Keep Up with Innovation
Organizations and regulators are working to create strong cybersecurity frameworks tailored for the automotive industry. The National Institute of Standards and Technology (NIST) offers a structured guide to help companies identify and manage risk while fostering a culture of cybersecurity awareness.
Looking Ahead: The Road to Safer Auto Transport
To future-proof vehicles, industry leaders must invest in R&D, tighten API security, and prioritize training. The fast pace of innovation often outpaces existing laws, highlighting the need for ongoing collaboration between manufacturers and policymakers.
With the right investments and a shared commitment to resilience, the auto transport industry can strengthen its cyber defenses—ensuring both data protection and road safety in an increasingly digital world.
News Source: CyberSecurityNews.com
NHS England has introduced a new cybersecurity charter, urging its suppliers to commit to stronger security measures amid a surge in ransomware attacks.
In a letter addressed to its vendors, NHS England warned of the rising severity and frequency of cyber incidents across its network. The charter outlines eight core security commitments that suppliers must adopt to better safeguard healthcare services.
Mike Fell, NHS England’s Director of Cyber, emphasized the urgency of collaborative action in a LinkedIn post, stating, “The complexity of cybersecurity and our supply chain, combined with the UK’s persistent cyber threats, means we must work together to protect care delivery.”
Suppliers signing the charter are expected to keep their systems up to date with the latest patches and achieve at least ‘Standards Met’ on the Data Security and Protection Toolkit (DSPT). They must also implement multi-factor authentication (MFA) and ensure MFA features are available in their own products.
The initiative also stresses infrastructure security, calling for round-the-clock cyber monitoring and detailed logging of critical IT systems. Suppliers are encouraged to maintain immutable backups of vital data, plan for rapid recovery, and conduct board-level response drills to enhance incident preparedness.
In the event of a breach, suppliers must report swiftly, coordinate with NHS England, and comply with all regulatory obligations. Additionally, software providers are required to align with the DSIT and NCSC’s software code of practice, covering secure design, development, deployment, and customer communication.
NHS England is supporting compliance by creating tools to help identify critical suppliers, drafting national requirements for supplier management, and refining its contractual frameworks to include specific security clauses. A self-assessment form will be introduced later this year, with webinars and a cybersecurity forum planned for autumn.
This move follows several major supply chain cyber attacks, including last year’s ransomware incident targeting Synnovis, which severely disrupted services at NHS King’s College and Guy’s and St Thomas’.
The launch of this charter also sets the stage for the upcoming Cyber Security and Resilience Bill, which aims to strengthen digital and infrastructure security across essential UK services.
News Source: ITPro.com
In the evolving world of cybersecurity, raw data without context often leaves Security Operations Center (SOC) teams with more questions than answers. Indicators of Compromise (IOCs) can flood systems, but without understanding the story behind them, they rarely translate into meaningful action.
Threat intelligence bridges this gap, helping teams interpret attacker behaviors, tactics, and real-world campaigns. ANY.RUN’s Threat Intelligence (TI) Lookup offers SOC teams a powerful way to enrich IOCs with real-time insights derived from a global malware analysis community and a vast malware database used by over 15,000 teams worldwide.
Here are five practical ways TI Lookup helps SOC analysts connect IOCs to real-world threats:
- Leverage Mutexes for Initial Investigation: While a mutex alone doesn’t confirm a threat, it serves as a starting point when data is limited. For example, a mutex tied to Nitrogen ransomware can be searched in TI Lookup to access sandbox analysis, offering fresh insights into this emerging threat and enriching EDR systems.
- Validate Domains Through Network Indicators: Suspicious domains—like “eczamedikal.org”—can be investigated via TI Lookup to confirm malicious activity. The tool reveals connections to Lumma stealer infrastructure and uncovers related malware samples, offering a deeper look into ongoing campaigns.
- Trace Command Lines to Malware Behavior: Unfamiliar command strings, such as PowerShell fragments, can reveal stealer activity. TI Lookup traces these commands back to malware like AsyncRat, showing the full attack chain and providing clarity on how the breach occurred.
- Check File Hashes to Identify Known Threats: Hash-based searches (SHA256, SHA1, MD5) allow analysts to determine if a file is part of a malware campaign. A sample hash, for instance, may reveal ties to the Xworm remote access trojan, helping teams detect known malicious documents.
- Discover Related Samples with Filename Patterns: Campaign-related files often share naming patterns. Using wildcards in TI Lookup enables teams to find files linked to campaigns like WannaCry. This expands IOC collections and helps refine detection rules.
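The five lookups above share one mechanic: classify the indicator by its shape (hash, domain, mutex, command fragment, filename pattern), then match it against a threat-intelligence store and return the families and samples it ties to. The code below is an added example that implements that mechanic locally; it is not ANY.RUN's TI Lookup, its API or its data. The record set is constructed (the only page-supplied value is the eczamedikal.org domain; family names, sample ids, the mutex, the filenames, the command fragment and the hash of a constructed byte string are all assumptions).

```python
"""Added example (not ANY.RUN code): a minimal local IOC-enrichment lookup.
Classifies an indicator from its shape, then matches it against a small
constructed threat-intel store, including wildcard filename patterns and
subdomain matching, and returns the families and sample ids it ties to.
"""
import hashlib
import re
from typing import Optional

# Constructed records. Families and sample ids are hypothetical; the hash is
# computed from a constructed byte string so the lookup is reproducible.
SAMPLE_BYTES = b"constructed sample file contents"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()
RECORDS = [
    {"type": "mutex", "value": "Global\\ExampleMutex_A1", "family": "FamilyA", "sample": "smp-0001"},
    {"type": "domain", "value": "eczamedikal.org", "family": "Lumma", "sample": "smp-0002"},
    {"type": "domain", "value": "eczamedikal.org", "family": "Lumma", "sample": "smp-0003"},
    {"type": "sha256", "value": SAMPLE_SHA256, "family": "FamilyB", "sample": "smp-0004"},
    {"type": "filename", "value": "invoice_2024_q3.docm", "family": "FamilyC", "sample": "smp-0005"},
    {"type": "filename", "value": "invoice_2024_q4.docm", "family": "FamilyC", "sample": "smp-0006"},
    {"type": "command", "value": "-ExecutionPolicy Bypass -File update.ps1", "family": "FamilyD", "sample": "smp-0007"},
]

HEX = re.compile(r"^[0-9a-fA-F]+$")
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def classify_ioc(value: str) -> str:
    """Guess the indicator type from its shape. A bare 'name.exe' is ambiguous
    between domain and filename and resolves as domain; pass ioc_type explicitly
    to lookup() when the source of the indicator is known."""
    v = value.strip()
    if "*" in v or "?" in v:
        return "filename"                      # wildcard pattern
    if HEX.match(v) and len(v) in HASH_LENGTHS:
        return HASH_LENGTHS[len(v)]
    if v.startswith(("Global\\", "Local\\")):
        return "mutex"
    if any(ch.isspace() for ch in v):
        return "command"                       # observed command line
    if DOMAIN.match(v):
        return "domain"
    if re.search(r"\.[A-Za-z0-9]{1,5}$", v):
        return "filename"
    return "unknown"


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Translate a TI-style wildcard pattern (* and ?) into an anchored regex."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.I)


def _matches(rec_value: str, ioc_type: str, query: str) -> bool:
    q = query.strip()
    if ioc_type in HASH_LENGTHS.values():
        return rec_value.lower() == q.lower()
    if ioc_type == "domain":
        q, r = q.lower().rstrip("."), rec_value.lower()
        return q == r or q.endswith("." + r)   # subdomain of a known bad domain
    if ioc_type == "filename":
        return wildcard_to_regex(q).match(rec_value) is not None
    if ioc_type == "command":
        return rec_value.lower() in q.lower()   # known fragment inside the observed line
    if ioc_type == "mutex":
        return rec_value == q
    return False


def lookup(value: str, ioc_type: Optional[str] = None) -> dict:
    """Enrich one indicator with the families and sample ids it is tied to."""
    ioc_type = ioc_type or classify_ioc(value)
    hits = [r for r in RECORDS if r["type"] == ioc_type and _matches(r["value"], ioc_type, value)]
    return {
        "ioc": value,
        "type": ioc_type,
        "families": sorted({r["family"] for r in hits}),
        "samples": sorted(r["sample"] for r in hits),
        "verdict": "known-malicious" if hits else "no-match",
    }


if __name__ == "__main__":
    for ioc in ["eczamedikal.org", "cdn.eczamedikal.org", "invoice_*.docm", SAMPLE_SHA256]:
        print(lookup(ioc))
```

The wildcard search is the piece that turns one filename into a campaign-wide set of samples, and the subdomain rule is what lets a single domain record catch traffic to hosts under it; both widen an IOC collection in the way the filename-pattern item describes. Hash matching is deliberately case-insensitive because hashes arrive from EDR, mail gateways and sandboxes in mixed case.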
Special Offer Until May 31
SOC teams can take advantage of a limited-time offer: ANY.RUN is doubling TI Lookup search quotas and offering extra Interactive Sandbox licenses. This means faster alert triaging, improved threat visibility, and more efficient incident response.
Conclusion
By enriching IOCs with threat context, TI Lookup empowers SOC teams to respond with clarity and speed. It’s not just about improving detection—it’s about aligning cybersecurity with real business priorities and responding to the threats that matter most.
News Source: CyberSecurityNews.com