Operation PowerOFF identifies and warns 75K users of DDoS-for-hire services, nets 4 arrests, and seizes 53 domains in a Europol-led crackdown.
Security & IT News
Grinex, a Kyrgyzstan-incorporated cryptocurrency exchange sanctioned by the U.K. and the U.S. last year, said it's suspending operations after it blamed Western intelligence agencies for a $13.74 million hack. The exchange said it fell victim to what it described as a large-scale cyber attack that bore hallmarks of foreign intelligence agency involvement. This attack led to the theft of over 1
Nicholas Moore hacked into three U.S. government networks using stolen credentials, and then bragged about it and posted victims' personal data on Instagram under the handle @ihackedthegovernment.
Founders can access liquidity without exiting by selling shares via secondary deals, reducing financial pressure while staying focused on long-term growth.
A security researcher published details of three security vulnerabilities in Windows Defender, and the code used to exploit them. Now, hackers are taking advantage of the vulnerabilities in real-life attacks, according to a cybersecurity firm.
The race to quantum-proof the internet is underway as experts warn of “harvest now, decrypt later” risks and slow migration to post-quantum security.
Kyrgyzstan-based cryptocurrency exchange Grinex has suspended its operations after suffering a $13.7 million hack attributed to Western intelligence agencies. [...]
In cybercrime markets, trust isn't assumed, it's verified. Flare reveals how underground guides teach actors to evaluate carding shops based on data quality, reputation, and survivability. [...]
Cybersecurity researchers at Fortinet have discovered Nexcorium, a new Mirai-based malware targeting TBK DVR systems to turn them into a botnet for DDoS attacks.
Some lawmakers are calling for widespread reforms following years of surveillance scandals and abuses across successive U.S. administrations. But even if the spy law known as Section 702 expires in April, the government's spy powers will not automatically lapse.
Bluesky has been experiencing ongoing service disruptions since just before 3 a.m. ET on April 15.
23-year-old Kamerin Stokes of Memphis, Tennessee, was sentenced to 30 months in prison for selling access to tens of thousands of hacked DraftKings accounts. [...]
Threat actors are exploiting three recently disclosed Windows security vulnerabilities in attacks aimed at gaining SYSTEM or elevated administrator permissions. [...]
Europol coordinated an operation against for-hire distributed denial-of-service (DDoS) services, including the arrest of four people and the takedown of 53 domains.
Bluesky has been experiencing ongoing service disruptions since just before 3 a.m. ET.
The U.S. Department of Justice announced that two Americans were sentenced to years in prison for helping the North Korean government place fake IT workers in U.S. companies.
Retail giant Express was publicly spilling customer information to the open web. The bug is now fixed after TechCrunch alerted Express, but the company would not say if it plans to notify customers.
Virtual assistants boost productivity but add cybersecurity risks. Poor access control, weak devices, and credential sharing can expose sensitive business data.
The ShinyHunters extortion group has leaked data from 13.5 million McGraw Hill user accounts, stolen after breaching the company's Salesforce environment earlier this month. [...]
[This is a Guest Diary by Alec Jaffe, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].]
Security cameras are great at monitoring physical doors, but terrible at locking their own digital ones. Across the internet, thousands of unpatched DVRs sit publicly exposed, many guarded only by the default vendor passwords they shipped with. For threat actors, these are low-hanging fruit. This write-up details a recent two-second Telnet capture, providing a mechanical breakdown of how quickly an exposed camera system goes from online to fully compromised by bad actors.
An attack from IP address 46.6.14.135 was detected for 1.934 seconds, successfully connecting and authenticating to TCP 23 (Telnet) for the aforementioned time period. This initial access vector (utilizing username root and password root) maps to MITRE ATT&CK techniques T1110.001 (Password Guessing) [2] and T1078 (Valid Accounts) [3]. The execution of ten sequential commands within a ~2-second session is inconsistent with manual interaction, meaning the attack is most likely automated.
Figure 1: Summary of attack from output of cowrieprocessor [4].
Further investigation of the IP address using Shodan [5] reveals that the offending device is an Airspace Digital Video Recorder (DVR) exposing an 8-channel CCTV system in Spain. Note that the OEM of Airspace is Dahua, a Chinese manufacturer of surveillance cameras and related equipment.
Figure 2: General information exposed services of offending device, retrieved from Shodan [5], as of 2026-04-01.
Figure 3: More exposed services of the offending DVR device, retrieved from Shodan [5], as of 2026-04-01.
Note that the cameras are exposed through the web service. It's highly likely that an unsophisticated threat actor could gain direct access to the camera video feeds relatively easily through this by leveraging common Dahua default credentials (e.g. admin/admin or 666666/666666), which are explicitly documented in the vendor's own user manuals for legacy systems [6][7]. Additionally, note that the device's firmware hasn't been updated since at latest August of 2014, indicated by the Last-Modified value.
Figure 4: AbuseIPDB results [8], as of 2026-04-01.
Figure 5: First attack reported on AbuseIPDB [8], indicating the device has been compromised since 2025-11-28.
Noticing similar attacks in my honeypot logs, I prototyped a PowerShell script (assisted by Gemini Pro) to estimate the global footprint of these compromised DVRs. For reference, the script is available on my GitHub [9]. It pulls IPs from Shodan matching the offending device's RTSP server hash [10], then cross-references them against AbuseIPDB to check for malicious activity reported within the last 90 days, utilizing the APIs of both services.
Figure 6: sample of PowerShell script [8] output.
Due to AbuseIPDB's free-tier API limits, I could only scan the first 1,000 of the 5,313 matching IPs identified on Shodan