Cybersafe Cyber Security News

 The “Korean Leaks” campaign has rapidly become one of the most significant and sophisticated supply chain attacks to hit South Korea’s financial sector in recent years. This operation combined the efforts of the Qilin Ransomware-as-a-Service (RaaS) group with suspected support from North Korea–aligned threat actors known as Moonstone Sleet. By compromising a Managed Service Provider (MSP), the attackers gained a single, powerful entry point into multiple financial organizations. In September 2025, South Korea rose to the second most-targeted nation for ransomware attacks, with Qilin claiming 25 victims in just one month. The group heavily focused on financial services, especially asset The post Qilin Ransomware hits Korean MSP, leaks 2 TB data first appeared on Cybersafe News.

Iberia has notified customers of a data breach caused by unauthorized access to a third-party supplier’s systems. The airline confirmed that customer names, email addresses, and Iberia Club loyalty IDs were exposed, but emphasized that no passwords, account access, or financial data were compromised. In its notification, Iberia said it immediately activated security protocols, strengthened system monitoring, and coordinated with the affected supplier and relevant regulators. The company says it has no evidence of fraudulent use of the leaked data but urges customers to remain vigilant for suspicious messages. The disclosure comes as a threat actor claims to be selling The post Iberia confirms data breach via supplier hack first appeared on Cybersafe News.

CrowdStrike has confirmed that internal screenshots shared by a now-terminated employee made their way to hackers, after being published on Telegram by the Scattered Lapsus$ Hunters cybercrime collective. The company emphasized that no breach of its systems occurred and that no customer data was exposed. According to a CrowdStrike spokesperson, their systems were never compromised and customers remained protected throughout. They have turned the case over to relevant law enforcement agencies. CrowdStrike did not name the insider or the threat group involved, but the statement followed inquiries about screenshots leaked by members of ShinyHunters, Scattered Spider, and Lapsus$. ShinyHunters said The post CrowdStrike Insider leak exposed, No breach reported first appeared on Cybersafe News.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is urging government agencies to immediately patch a critical Oracle Identity Manager flaw, tracked as CVE-2025-61757, which is actively exploited as a zero-day. The vulnerability, discovered by Searchlight Cyber analysts Adam Kues and Shubham Shah, is a pre-authentication remote code execution (RCE) flaw caused by an authentication bypass in Oracle Identity Manager’s REST APIs. Attackers can trick the security filter into treating protected endpoints as public by adding parameters like ?WSDL or ;.wadl to URL paths. Once inside, attackers can access a Groovy script compilation endpoint that normally doesn’t execute code—but can The post Oracle Identity Manager Zero-Day exploited first appeared on Cybersafe News.

Dutch authorities have seized around 250 physical servers running a bulletproof hosting service used exclusively by cybercriminals to maintain anonymity and evade law enforcement. The Dutch police (Politie) did not disclose the name of the service but said it had supported illegal activity since 2022 and had appeared in over 80 cybercrime investigations worldwide. Bulletproof hosting providers offer infrastructure that ignores abuse reports, resists takedown requests, and avoids Know Your Customer (KYC) checks. These services are typically used by ransomware gangs, malware operators, phishing groups, spammers, and even money-laundering operations. Clients often pay in cryptocurrency to stay anonymous. Thousands of The post Dutch Police seize 250 servers used for Bulletproof Hosting first appeared on Cybersafe News.

A threat actor known as “888” has reportedly leaked sensitive data belonging to LG Electronics, triggering serious cybersecurity concerns. The breach, which was first highlighted on November 16, 2025, allegedly includes source code repositories, configuration files, SQL databases, and hardcoded credentials and SMTP server details that could expose LG’s internal communications and development systems. The leak appeared on ThreatMon, where “888” shared sample files to demonstrate authenticity. The data is said to originate from a contractor access point, suggesting a supply-chain weakness rather than a direct corporate intrusion. Cybersecurity experts warn that hardcoded credentials within code can allow attackers to The post LG Source Code and Credentials allegedly leaked by hacker first appeared on Cybersafe News.

China’s Ministry of State Security (MSS) says it has uncovered “irrefutable evidence” that the U.S. National Security Agency (NSA) carried out a series of cyberattacks against its National Time Service Center (NTSC) — the institution responsible for maintaining the country’s official time standard. According to reports from Bloomberg, the MSS claims the NSA exploited vulnerabilities in the mobile phones of NTSC employees beginning in March 2022, allowing it to steal sensitive data and monitor communications. The NTSC, part of the Chinese Academy of Sciences (CAS), provides precise time services critical to sectors such as telecommunications, finance, energy, transportation, defense, and The post China accuses U.S. NSA of hacking National Time Center first appeared on Cybersafe News.

A major Amazon Web Services (AWS) outage has disrupted millions of websites and apps worldwide, taking down platforms like Amazon.com, Prime Video, Perplexity AI, Canva, and more. The outage that began today is impacting users across multiple regions, including the United States and Europe. According to the AWS Health Dashboard, Amazon has acknowledged a significant disruption affecting multiple services. AWS noted that they can confirm increased error rates and latencies for multiple AWS Services in the US-EAST-1 Region. This issue may also be affecting Case Creation through the AWS Support Center or the Support API. They are actively engaged and The post Massive AWS Outage crashes major sites offline first appeared on Cybersafe News.

LastPass has issued a warning about an active, large-scale campaign that uses fake GitHub repositories to deliver an information-stealing malware family called Atomic to macOS users. The repositories pose as trusted utilities, tricking victims into downloading malware-laced installers that masquerade as legitimate apps. Researchers Alex Cox, Mike Kosak, and Stephanie Schneider of the LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team explained that the fraudulent repositories often redirect users to a secondary repo that installs the Atomic infostealer.  Attackers impersonate many well-known tools—examples observed include 1Password, Basecamp, Dropbox, Gemini, Hootsuite, Notion, Obsidian, Robinhood, Salesloft, SentinelOne, Shopify, Thunderbird, and TweetDeck—specifically targeting The post LastPass warns of macOS Atomic Infostealer via Fake GitHub Repos first appeared on Cybersafe News.

The ShinyHunters extortion group says it has stolen over 1.5 billion Salesforce records from 760 companies by exploiting compromised Drift OAuth tokens linked to Salesloft. For the past year, attackers have used social engineering and malicious OAuth apps to infiltrate Salesforce environments, exfiltrating data and extorting victims with ransom demands to prevent leaks. The campaigns are tied to groups operating under the names ShinyHunters, Scattered Spider, and Lapsus$, now calling themselves “Scattered Lapsus$ Hunters.” Google tracks them as UNC6040 and UNC6395. In March, one actor reportedly breached Salesloft’s GitHub repo, locating secrets—including OAuth tokens for Drift and Drift Email—using the The post ShinyHunters steal 1.5B salesforce records via Drift OAuth Breach first appeared on Cybersafe News.