Patch Tuesday, October 2025 ‘End of 10’ Edition

Microsoft today released software updates to plug a whopping 172 security holes in its Windows operating systems, including at least two vulnerabilities that are already being actively exploited. October’s Patch Tuesday also marks the final month that Microsoft will ship security updates for Windows 10 systems. If you’re running a Windows 10 PC and you’re unable or unwilling to migrate to Windows 11, read on for other options.

The first zero-day bug addressed this month (CVE-2025-24990) involves a third-party modem driver called Agere Modem that’s been bundled with Windows for the past two decades. Microsoft responded to active attacks on this flaw by completely removing the vulnerable driver from Windows.

The other zero-day is CVE-2025-59230, an elevation of privilege vulnerability in Windows Remote Access Connection Manager (also known as RasMan), a service used to manage remote network connections through virtual private networks (VPNs) and dial-up networks.

“While RasMan is a frequent flyer on Patch Tuesday, appearing more than 20 times since January 2022, this is the first time we’ve seen it exploited in the wild as a zero day,” said Satnam Narang, senior staff research engineer at Tenable.

Narang notes that Microsoft Office users should also take note of CVE-2025-59227 and CVE-2025-59234, a pair of remote code execution bugs that take advantage of “Preview Pane,” meaning that the target doesn’t even need to open the file for exploitation to occur. To execute these flaws, an attacker would social engineer a target into previewing an email with a malicious Microsoft Office document.

Speaking of Office, Microsoft quietly announced this week that Microsoft Word will now automatically save documents to OneDrive, Microsoft’s cloud platform. Users who are uncomfortable saving all of their documents to Microsoft’s cloud can change this in Word’s settings; ZDNet has a useful how-to on disabling this feature.

Kev Breen, senior director of threat research at Immersive, called attention to CVE-2025-59287, a critical remote code execution bug in Windows Server Update Services (WSUS) — the very same Windows service responsible for downloading security patches for Windows Server versions. Microsoft says there are no signs this weakness is being exploited yet. But with a threat score of 9.8 out of a possible 10 and marked “exploitation more likely,” CVE-2025-59287 can be exploited without authentication and is an easy “patch now” candidate.

“Microsoft provides limited information, stating that an unauthenticated attacker with network access can send untrusted data to the WSUS server, resulting in deserialization and code execution,” Breen wrote. “As WSUS is a trusted Windows service that is designed to update privileged files across the file system, an attacker would have free rein over the operating system and could potentially bypass some EDR detections that ignore or exclude the WSUS service.”

For more on other fixes from Redmond today, check out the SANS Internet Storm Center monthly roundup, which indexes all of the updates by severity and urgency.

Windows 10 isn’t the only Microsoft OS that is reaching end-of-life today; Exchange Server 2016, Exchange Server 2019, Skype for Business 2016, Windows 11 IoT Enterprise Version 22H2, and Outlook 2016 are some of the other products that Microsoft is sunsetting today.

If you’re running any Windows 10 systems, you’ve probably already determined whether your PC meets the technical hardware specs recommended for the Windows 11 OS. If you’re reluctant or unable to migrate a Windows 10 system to Windows 11, there are alternatives to simply continuing to use Windows 10 without ongoing security updates.

One option is to pay for another year’s worth of security updates through Microsoft’s Extended Security Updates (ESU) program. The cost is just $30 if you don’t have a Microsoft account, and apparently free if you register the PC to a Microsoft account. This video breakdown from Ask Your Computer Guy does a good job of walking Windows 10 users through this process. Microsoft emphasizes that ESU enrollment does not provide other types of fixes, feature improvements or product enhancements. It also does not come with technical support.

If your Windows 10 system is associated with a Microsoft account and signed in when you visit Windows Update, you should see an option to enroll in extended updates. Image: https://www.youtube.com/watch?v=SZH7MlvOoPM

Windows 10 users also have the option of installing some flavor of Linux instead. Anyone seriously considering this option should check out the website endof10.org, which includes a plethora of tips and a DIY installation guide.

Linux Mint is a great option for Linux newbies. Like most modern Linux versions, Mint will run on anything with a 64-bit CPU that has at least 2GB of memory, although 4GB is recommended. In other words, it will run on almost any computer produced in the last decade.

Linux Mint is also likely to be the most intuitive interface for regular Windows users, and it is largely configurable without any fuss at the text-only command-line prompt. Mint and other flavors of Linux come with LibreOffice, an open source suite of tools that includes applications similar to Microsoft Office and can open, edit and save documents as Microsoft Office files.

If you’d prefer to give Linux a test drive before installing it on a Windows PC, you can always just download it to a removable USB drive. From there, reboot the computer (with the removable drive plugged in) and select the option at startup to run the operating system from the external USB drive. If you don’t see an option for that after restarting, try restarting again and hitting the F8 button, which should open a list of bootable drives. Here’s a fairly thorough tutorial that walks through exactly how to do all this.

And if this is your first time trying out Linux, relax and have fun: The nice thing about a “live” version of Linux (as it’s called when the operating system is run from a removable drive such as a CD or a USB stick) is that none of your changes persist after a reboot. Even if you somehow manage to break something, a restart will return the system back to its original state.

As ever, if you experience any difficulties during or after applying this month’s batch of patches, please leave a note about it in the comments below.

Fortra cops to exploitation of GoAnywhere file-transfer service defect

Fortra, in its most forceful admission yet, confirmed a maximum-severity defect it disclosed in GoAnywhere MFT has been actively exploited in attacks, yet researchers are still pressing the vendor to be more forthcoming about how attackers obtained a private key required to achieve exploitation.

The vendor published a summary of its investigation into CVE-2025-10035 Thursday, three weeks after it publicly addressed the vulnerability in its file-transfer service for the first time. “At this time, we have a limited number of reports of unauthorized activity related to CVE-2025-10035,” the company said. 

“It is positive to see Fortra increase their transparency surrounding the CVE-2025-10035 saga,” Ben Harris, founder and CEO at watchTowr, told CyberScoop. “However, the mystery remains — watchTowr researchers and others are still unclear how this vulnerability could be exploited without access to a private key that only Fortra is believed to have access to.”

Researchers at watchTowr, Rapid7 and VulnCheck last month rang alarm bells about the private key after they independently confirmed the steps attackers would have to take to achieve exploitation. 

“The fact that Fortra has now opted to confirm ‘unauthorized activity related to CVE-2025-10035,’ confirms yet again that the vulnerability was not theoretical, and that the attacker has somehow circumvented, or satisfied, the cryptographic requirements needed to exploit this vulnerability,” Harris said.

The scope of compromise has continued to grow during the past month as Fortra and researchers continue hunting for evidence of active exploitation. Fortra also shared more details about the timeline and actions it took behind the scenes prior to publicly disclosing and addressing the vulnerability. 

Security staff at Fortra began investigating a potential vulnerability after a customer reported suspicious activity Sept. 11. After inspecting customer logs, the company started notifying potentially impacted customers and reported the malicious activity to law enforcement that same day. 

The vendor also said it found three instances in its cloud-based GoAnywhere MFT environment “with potentially suspicious activity related to the vulnerability.” Fortra said it isolated those instances for further investigation and alerted customers using those managed services of potential exposure. 

The company deployed the patch to cloud-based services it hosts for customers Sept. 17, but it has not described the extent to which the vulnerability has been exploited in on-premises customer environments and Fortra-hosted services. The vendor said it updated all company-hosted instances of GoAnywhere MFT, including infrastructure rebuilds.

Fortra did not answer questions submitted by CyberScoop on Monday.

The Cybersecurity and Infrastructure Security Agency added CVE-2025-10035 to its known exploited vulnerabilities catalog Sept. 29, noting the defect has been used in ransomware campaigns. Microsoft Threat Intelligence followed up on that last week, noting that a cybercriminal group it tracks as Storm-1175 has exploited CVE-2025-10035 to initiate multi-stage attacks including ransomware. 

Fortra repeatedly declined to confirm it was aware of active exploitation in the wake of those reports. The company previously added indicators of compromise to its security advisory, but didn’t say it was aware of reports of unauthorized activity related to the defect until Thursday.

The post Fortra cops to exploitation of GoAnywhere file-transfer service defect appeared first on CyberScoop.

DDoS Botnet Aisuru Blankets US ISPs in Record DDoS

The world’s largest and most disruptive botnet is now drawing a majority of its firepower from compromised Internet-of-Things (IoT) devices hosted on U.S. Internet providers like AT&T, Comcast and Verizon, new evidence suggests. Experts say the heavy concentration of infected devices at U.S. providers is complicating efforts to limit collateral damage from the botnet’s attacks, which shattered previous records this week with a brief traffic flood that clocked in at nearly 30 trillion bits of data per second.

Since its debut more than a year ago, the Aisuru botnet has steadily outcompeted virtually all other IoT-based botnets in the wild, with recent attacks siphoning Internet bandwidth from an estimated 300,000 compromised hosts worldwide.

The hacked systems that get subsumed into the botnet are mostly consumer-grade routers, security cameras, digital video recorders and other devices operating with insecure and outdated firmware, and/or factory-default settings. Aisuru’s owners are continuously scanning the Internet for these vulnerable devices and enslaving them for use in distributed denial-of-service (DDoS) attacks that can overwhelm targeted servers with crippling amounts of junk traffic.

As Aisuru’s size has mushroomed, so has its punch. In May 2025, KrebsOnSecurity was hit with a near-record 6.35 terabits per second (Tbps) attack from Aisuru, which was then the largest assault that Google’s DDoS protection service Project Shield had ever mitigated. Days later, Aisuru shattered that record with a data blast in excess of 11 Tbps.

By late September, Aisuru was publicly flexing DDoS capabilities topping 22 Tbps. Then on October 6, its operators heaved a whopping 29.6 terabits of junk data packets each second at a targeted host. Hardly anyone noticed because it appears to have been a brief test or demonstration of Aisuru’s capabilities: The traffic flood lasted only a few seconds and was pointed at an Internet server that was specifically designed to measure large-scale DDoS attacks.

A measurement of an Oct. 6 DDoS believed to have been launched through multiple botnets operated by the owners of the Aisuru botnet. Image: DDoS Analyzer Community on Telegram.

Aisuru’s overlords aren’t just showing off. Their botnet is being blamed for a series of increasingly massive and disruptive attacks. Although recent assaults from Aisuru have targeted mostly ISPs that serve online gaming communities like Minecraft, those digital sieges often result in widespread collateral Internet disruption.

For the past several weeks, ISPs hosting some of the Internet’s top gaming destinations have been hit with a relentless volley of gargantuan attacks that experts say are well beyond the DDoS mitigation capabilities of most organizations connected to the Internet today.

Steven Ferguson is principal security engineer at Global Secure Layer (GSL), an ISP in Brisbane, Australia. GSL hosts TCPShield, which offers free or low-cost DDoS protection to more than 50,000 Minecraft servers worldwide. Ferguson told KrebsOnSecurity that on October 8, TCPShield was walloped with a blitz from Aisuru that flooded its network with more than 15 terabits of junk data per second.

Ferguson said that after the attack subsided, TCPShield was told by its upstream provider OVH that they were no longer welcome as a customer.

“This was causing serious congestion on their Miami external ports for several weeks, shown publicly via their weather map,” he said, explaining that TCPShield is now solely protected by GSL.

Traces from the recent spate of crippling Aisuru attacks on gaming servers can be still seen at the website blockgametracker.gg, which indexes the uptime and downtime of the top Minecraft hosts. In the following example from a series of data deluges on the evening of September 28, we can see an Aisuru botnet campaign briefly knocked TCPShield offline.

An Aisuru botnet attack on TCPShield (AS64199) on Sept. 28  can be seen in the giant downward spike in the middle of this uptime graphic. Image: grafana.blockgametracker.gg.

Paging through the same uptime graphs for other network operators listed shows almost all of them suffered brief but repeated outages around the same time. Here is the same uptime tracking for Minecraft servers on the network provider Cosmic (AS30456), and it shows multiple large dips that correspond to game server outages caused by Aisuru.

Multiple DDoS attacks from Aisuru can be seen against the Minecraft host Cosmic on Sept. 28. The sharp downward spikes correspond to brief but enormous attacks from Aisuru. Image: grafana.blockgametracker.gg.

BOTNETS R US

Ferguson said he’s been tracking Aisuru for about three months, and recently he noticed the botnet’s composition shifted heavily toward infected systems at ISPs in the United States. Ferguson shared logs from an attack on October 8 that indexed traffic by the total volume sent through each network provider, and the logs showed that 11 of the top 20 traffic sources were U.S.-based ISPs.

AT&T customers were by far the biggest U.S. contributors to that attack, followed by botted systems on Charter Communications, Comcast, T-Mobile and Verizon, Ferguson found. He said the volume of data packets per second coming from infected IoT hosts on these ISPs is often so high that it has started to affect the quality of service that ISPs are able to provide to adjacent (non-botted) customers.

“The impact extends beyond victim networks,” Ferguson said. “For instance we have seen 500 gigabits of traffic via Comcast’s network alone. This amount of egress leaving their network, especially being so US-East concentrated, will result in congestion towards other services or content trying to be reached while an attack is ongoing.”

Roland Dobbins is principal engineer at Netscout. Dobbins said Ferguson is spot on, noting that while most ISPs have effective mitigations in place to handle large incoming DDoS attacks, many are far less prepared to manage the inevitable service degradation caused by large numbers of their customers suddenly using some or all available bandwidth to attack others.

“The outbound and cross-bound DDoS attacks can be just as disruptive as the inbound stuff,” Dobbins said. “We’re now in a situation where ISPs are routinely seeing terabit-per-second plus outbound attacks from their networks that can cause operational problems.”

“The crying need for effective and universal outbound DDoS attack suppression is something that is really being highlighted by these recent attacks,” Dobbins continued. “A lot of network operators are learning that lesson now, and there’s going to be a period ahead where there’s some scrambling and potential disruption going on.”
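As an added illustration of the outbound-suppression gap Ferguson and Dobbins describe (example code written for this page, not from Netscout, GSL or the article), the script below aggregates constructed flow records per one-second window and flags two things: a single customer host whose egress alone is abnormal, and a destination receiving a combined flood from many customer IPs, where each device stays well under any per-host limit. The record format, thresholds and addresses are assumptions.

```python
"""Egress flood detection over constructed flow records (added example).

Flags the outbound DDoS pattern described in the article: many botted
customer devices each sending modest traffic that adds up to a flood
toward one destination. Record format, thresholds and IPs are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # export timestamp, seconds since epoch
    src: str       # customer-side source IP
    dst: str       # destination IP
    dport: int     # destination port
    nbytes: int    # bytes in this flow record
    packets: int   # packets in this flow record


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'ts,src,dst,dport,bytes,packets' record."""
    ts, src, dst, dport, nbytes, pkts = line.strip().split(",")
    return Flow(int(ts), src, dst, int(dport), int(nbytes), int(pkts))


def window_of(ts: int, window: int) -> int:
    """Align a timestamp to the start of its aggregation window."""
    return ts - ts % window


def detect_outbound_floods(flows, window=1, src_mbps_limit=500.0,
                           dst_gbps_limit=1.0, min_sources=50):
    """Return (hot_sources, coordinated_targets).

    hot_sources: {(window, src): Mbps} for hosts whose own egress exceeds
        src_mbps_limit, i.e. one device blasting on its own.
    coordinated_targets: {(window, dst): (Gbps, distinct_sources)} for
        destinations receiving at least dst_gbps_limit from at least
        min_sources customer IPs. This is the case a per-host threshold
        misses: each bot is small, the sum is not.
    """
    src_bits = defaultdict(int)
    dst_bits = defaultdict(int)
    dst_srcs = defaultdict(set)
    for f in flows:
        w = window_of(f.ts, window)
        src_bits[(w, f.src)] += f.nbytes * 8
        dst_bits[(w, f.dst)] += f.nbytes * 8
        dst_srcs[(w, f.dst)].add(f.src)

    hot_sources = {}
    for key, bits in src_bits.items():
        mbps = bits / window / 1e6
        if mbps >= src_mbps_limit:
            hot_sources[key] = mbps

    coordinated = {}
    for key, bits in dst_bits.items():
        gbps = bits / window / 1e9
        if gbps >= dst_gbps_limit and len(dst_srcs[key]) >= min_sources:
            coordinated[key] = (round(gbps, 3), len(dst_srcs[key]))
    return hot_sources, coordinated


def constructed_sample():
    """Constructed flow records for one second of egress from an ISP edge."""
    lines = []
    # 120 botted CPE devices, each pushing 10 Mbit toward one game host port.
    for i in range(120):
        lines.append(f"1759900000,10.0.0.{i + 1},203.0.113.10,25565,1250000,1100")
    # Background: three customers streaming video at about 25 Mbit each.
    for i in range(3):
        lines.append(f"1759900000,10.9.0.{i + 1},198.51.100.{i + 1},443,3125000,2300")
    # One misbehaving host on its own at 600 Mbit toward an unrelated target.
    lines.append("1759900000,10.5.5.5,192.0.2.77,80,75000000,60000")
    return lines


def run_demo():
    """Parse the constructed sample and return both alert dictionaries."""
    flows = [parse_flow(line) for line in constructed_sample()]
    return detect_outbound_floods(flows)


if __name__ == "__main__":
    hot, coordinated = run_demo()
    for (w, src), mbps in hot.items():
        print(f"{w} single-host egress {src}: {mbps:.0f} Mbps")
    for (w, dst), (gbps, n) in coordinated.items():
        print(f"{w} coordinated flood toward {dst}: {gbps} Gbps from {n} customer IPs")
```

Only the lone 600 Mbps host trips the per-source check; the 1.2 Gbps toward the game host is caught solely by the per-destination aggregate, since every one of its 120 sources is a 10 Mbps device.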

KrebsOnSecurity sought comment from the ISPs named in Ferguson’s report. Charter Communications pointed to a recent blog post on protecting its network, stating that Charter actively monitors for both inbound and outbound attacks, and that it takes proactive action wherever possible.

“In addition to our own extensive network security, we also aim to reduce the risk of customer connected devices contributing to attacks through our Advanced WiFi solution that includes Security Shield, and we make Security Suite available to our Internet customers,” Charter wrote in an emailed response to questions. “With the ever-growing number of devices connecting to networks, we encourage customers to purchase trusted devices with secure development and manufacturing practices, use anti-virus and security tools on their connected devices, and regularly download security patches.”

A spokesperson for Comcast responded, “Currently our network is not experiencing impacts and we are able to handle the traffic.”

9 YEARS OF MIRAI

Aisuru is built on the bones of malicious code that was leaked in 2016 by the original creators of the Mirai IoT botnet. Like Aisuru, Mirai quickly outcompeted all other DDoS botnets in its heyday, and obliterated previous DDoS attack records with a 620 gigabit-per-second siege that sidelined this website for nearly four days in 2016.

The Mirai botmasters likewise used their crime machine to attack mostly Minecraft servers, but with the goal of forcing Minecraft server owners to purchase a DDoS protection service that they controlled. In addition, they rented out slices of the Mirai botnet to paying customers, some of whom used it to mask the sources of other types of cybercrime, such as click fraud.

A depiction of the outages caused by the Mirai botnet attacks against the internet infrastructure firm Dyn on October 21, 2016. Source: Downdetector.com.

Dobbins said Aisuru’s owners also appear to be renting out their botnet as a distributed proxy network that cybercriminal customers anywhere in the world can use to anonymize their malicious traffic and make it appear to be coming from regular residential users in the U.S.

“The people who operate this botnet are also selling (it as) residential proxies,” he said. “And that’s being used to reflect application layer attacks through the proxies on the bots as well.”

The Aisuru botnet harkens back to its predecessor Mirai in another intriguing way. One of its owners is using the Telegram handle “9gigsofram,” which corresponds to the nickname used by the co-owner of a Minecraft server protection service called Proxypipe that was heavily targeted in 2016 by the original Mirai botmasters.

Robert Coelho co-ran Proxypipe back then along with his business partner Erik “9gigsofram” Buckingham, and has spent the past nine years fine-tuning various DDoS mitigation companies that cater to Minecraft server operators and other gaming enthusiasts. Coelho said he has no idea why one of Aisuru’s botmasters chose Buckingham’s nickname, but added that it might say something about how long this person has been involved in the DDoS-for-hire industry.

“The Aisuru attacks on the gaming networks these past seven days have been absolutely huge, and you can see tons of providers going down multiple times a day,” Coelho said.

Coelho said the 15 Tbps attack this week against TCPShield was likely only a portion of the total attack volume hurled by Aisuru at the time, because much of it would have been shoved through networks that simply couldn’t process that volume of traffic all at once. Such outsized attacks, he said, are becoming increasingly difficult and expensive to mitigate.

“It’s definitely at the point now where you need to be spending at least a million dollars a month just to have the network capacity to be able to deal with these attacks,” he said.

RAPID SPREAD

Aisuru has long been rumored to use multiple zero-day vulnerabilities in IoT devices to aid its rapid growth over the past year. XLab, the Chinese security company that was the first to profile Aisuru’s rise in 2024, warned last month that one of the Aisuru botmasters had compromised the firmware distribution website for Totolink, a maker of low-cost routers and other networking gear.

“Multiple sources indicate the group allegedly compromised a router firmware update server in April and distributed malicious scripts to expand the botnet,” XLab wrote on September 15. “The node count is currently reported to be around 300,000.”

A malicious script implanted into a Totolink update server in April 2025. Image: XLab.

Aisuru’s operators received an unexpected boost to their crime machine in August when the U.S. Department of Justice charged the alleged proprietor of Rapper Bot, a DDoS-for-hire botnet that competed directly with Aisuru for control over the global pool of vulnerable IoT systems.

Once Rapper Bot was dismantled, Aisuru’s curators moved quickly to commandeer vulnerable IoT devices that were suddenly set adrift by the government’s takedown, Dobbins said.

“Folks were arrested and Rapper Bot control servers were seized and that’s great, but unfortunately the botnet’s attack assets were then pieced out by the remaining botnets,” he said. “The problem is, even if those infected IoT devices are rebooted and cleaned up, they will still get re-compromised by something else generally within minutes of being plugged back in.”

A screenshot shared by XLab showing the Aisuru botmasters recently celebrating a record-breaking 7.7 Tbps DDoS. The user at the top has adopted the name “Ethan J. Foltz” in a mocking tribute to the alleged Rapper Bot operator who was arrested and charged in August 2025.

BOTMASTERS AT LARGE

XLab’s September blog post cited multiple unnamed sources saying Aisuru is operated by three cybercriminals: “Snow,” who’s responsible for botnet development; “Tom,” tasked with finding new vulnerabilities; and “Forky,” responsible for botnet sales.

KrebsOnSecurity interviewed Forky in our May 2025 story about the record 6.3 Tbps attack from Aisuru. That story identified Forky as a 21-year-old man from Sao Paulo, Brazil who has been extremely active in the DDoS-for-hire scene since at least 2022. The FBI has seized Forky’s DDoS-for-hire domains several times over the years.

Like the original Mirai botmasters, Forky also operates a DDoS mitigation service called Botshield. Forky declined to discuss the makeup of his ISP’s clientele, or to clarify whether Botshield was more of a hosting provider or a DDoS mitigation firm. However, Forky has posted on Telegram about Botshield successfully mitigating large DDoS attacks launched against other DDoS-for-hire services.

In our previous interview, Forky acknowledged being involved in the development and marketing of Aisuru, but denied participating in attacks launched by the botnet.

Reached for comment earlier this month, Forky continued to maintain his innocence, claiming that he also is still trying to figure out who the current Aisuru botnet operators are in real life (Forky said the same thing in our May interview).

But after a week of promising juicy details, Forky came up empty-handed once again. Suspecting that Forky was merely being coy, I asked him how someone so connected to the DDoS-for-hire world could still be mystified on this point, and suggested that his inability or unwillingness to blame anyone else for Aisuru would not exactly help his case.

At this, Forky verbally bristled at being pressed for more details, and abruptly terminated our interview.

“I’m not here to be threatened with ignorance because you are stressed,” Forky replied. “They’re blaming me for those new attacks. Pretty much the whole world (is) due to your blog.”

Voting groups ask court for immediate halt to Trump admin’s SAVE database overhaul

Voting rights groups are asking a court to block an ongoing Trump administration effort to merge disparate federal and state voter data into a massive citizenship and voter fraud database.

Last week, the League of Women Voters, the Electronic Privacy Information Center (EPIC) and five individuals sued the federal government in D.C. District Court, saying it was ignoring decades of federal privacy law to create enormous “national data banks” of personal information on Americans.

On Tuesday, the coalition, represented by Democracy Forward Foundation, Citizens for Responsibility and Ethics in Washington (CREW), and Fair Elections Center, asked the court for an emergency injunction to halt the Trump administration’s efforts to transform the Systematic Alien Verification for Entitlements into an immense technological tool to track potential noncitizens registered to vote. Until this year, SAVE was an incomplete and limited federal database meant to track immigrants seeking federal benefits.

“This administration’s attempt to manipulate federal data systems to unlawfully target its own citizens and purge voters is one of the most serious threats to free and fair elections in decades,” Celina Stewart, CEO of the League of Women Voters, said in a statement. “The League is asking the court to act swiftly to stop this abuse of power before it disenfranchises lawful voters. Every citizen deserves privacy, fairness, and the freedom to vote without fear of government interference.”

In an Oct. 7 court filing, the groups said an immediate injunction was needed to prevent permanent privacy harms due to the “illegal and secretive consolidation of millions of Americans’ sensitive personal data across government agencies into centralized data systems” through SAVE.

“While Plaintiffs’ Complaint challenges a broader set of Defendants’ unlawful data consolidation, Plaintiffs here seek emergency relief concerning one particularly harmful and urgent facet of Defendants’ conduct: their overhaul of the Systematic Alien Verification for Entitlements (“SAVE”) system,” the groups wrote.

In addition to SAVE, the lawsuit also claims the existence of “at least one other Interagency Data System that consolidates other data sources from around the government that might have information concerning immigrants into a centralized ‘data lake’ housed at” U.S. Citizenship and Immigration Services.

Federal agencies collect massive amounts of data on Americans as part of their work, but the groups argue the 1974 Privacy Act and other privacy laws were explicitly designed to prevent the kind of large, centralized federal datasets on Americans the administration is putting together. Subsequent legislative updates in 1988 amended the Privacy Act to specifically prohibit the use of “computer matching programs” that compare data across different agencies without informing Congress or publicizing the written agreements between agencies.

“For decades, these protections have guarded against improper data pooling across federal agencies, preventing the government from building a potentially dangerous tool for surveilling and investigating Americans without guardrails,” the voting groups wrote. “Until now.”

As CyberScoop reported earlier this year, USCIS, along with the Department of Government Efficiency (DOGE), began merging SAVE data with other major federal data streams — including federal Social Security data — while removing fees and building in the technical capacity for states to conduct easier, bulk searches of voters against the database. The Department of Justice has sought voter data from all 50 states, with some cooperating and others refusing. Last month, the administration sued six states to force them to hand over voter data that would be used in SAVE.

Less than a week before the suit was filed, the Social Security Administration released a redacted copy of its information-sharing agreement with the Department of Homeland Security, which claims that “personnel have been directed to comply, to the maximum extent possible and permissible under law … taking into account federal statutory requirements, including the Privacy Act of 1974 … as well as other laws, rules, regulations, policies, and requirements regarding verification, information sharing, and confidentiality.”

Administration officials say the overhaul is needed to crack down on instances of noncitizen voting and other forms of voter fraud, but such fraud is exceedingly rare outside a handful of isolated cases, as numerous academic studies and post-election audits have proven.

DOGE officials were singled out in the lawsuit for particularly egregious violations, accused of embarking on a “months-long campaign to access, collect and consolidate vast troves of personal data about millions of U.S. citizens and residents stored at multiple federal agencies.”

An executive order from the Trump administration earlier this year sought to explicitly empower the DOGE administrator, along with DHS, to “review” state voter registration lists and other records to identify noncitizen voters. That order is still the subject of ongoing lawsuits challenging its legality.

In this case, the plaintiffs claim the need for emergency relief is urgent as the Trump administration is simultaneously challenging the accuracy of state voter rolls in courts across the country, while “encouraging and enabling states to use unreliable [Social Security Administration] citizenship data pooled in the overhauled SAVE system to begin purging voter rolls ahead of fast-approaching November elections and to open criminal investigations of alleged non-citizen voting.”

“Both the ongoing misuse of Plaintiffs’ sensitive SSA data through the overhauled SAVE system, and the increased risk of cybertheft and additional misuse, qualify as irreparable injuries,” the filing states.

The post Voting groups ask court for immediate halt to Trump admin’s SAVE database overhaul appeared first on CyberScoop.

Microsoft pins GoAnywhere zero-day attacks to ransomware affiliate Storm-1175

Microsoft Threat Intelligence said a cybercriminal group it tracks as Storm-1175 has exploited a maximum-severity vulnerability in GoAnywhere MFT to initiate multi-stage attacks including ransomware. Researchers observed the malicious activity Sept. 11, Microsoft said in a blog post Monday.

Microsoft’s research adds another substantive chunk of evidence to a growing collection of intelligence confirming the defect in Fortra’s file-transfer service was exploited as a zero-day before the company disclosed and patched CVE-2025-10035 on Sept. 18.

Despite this mounting pile of evidence, Fortra has yet to confirm the vulnerability is under active exploitation. The company has not answered questions or provided additional information since it updated its security advisory Sept. 18 to include indicators of compromise. 

Storm-1175, a financially motivated cybercrime group known for exploiting public vulnerabilities to gain access and deploy Medusa ransomware, exploited CVE-2025-10035 to achieve remote code execution, according to Microsoft. 

“They used this access to install remote monitoring tools such as SimpleHelp and MeshAgent, drop web shells, and to move laterally across networks using built-in Windows utilities,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, told CyberScoop in an email. “In at least one instance, the intrusion led to data theft via Rclone and a Medusa ransomware deployment.”

Microsoft’s findings bolster research from other firms including watchTowr, which said it obtained credible evidence of active exploitation of the GoAnywhere vulnerability dating back to Sept. 10, a day before Fortra maintains the vulnerability was discovered. 

“Microsoft has now linked the attacks to a known Medusa ransomware affiliate, confirming what we feared. Organizations running GoAnywhere MFT have effectively been under silent assault since at least Sept. 11, with little clarity from Fortra,” said Ben Harris, founder and CEO at watchTowr.

“Microsoft’s confirmation now paints a pretty unpleasant picture — exploitation, attribution, and a month-long head start for the attackers. What’s still missing are the answers only Fortra can provide,” Harris added.

This includes details about how the attackers accessed private keys required to achieve exploitation, as researchers from multiple firms flagged as a worrying signal last month. “Customers deserve transparency, not silence,” Harris said. 

Federal cyber authorities have confirmed active exploitation of GoAnywhere’s defect as well. The Cybersecurity and Infrastructure Security Agency added CVE-2025-10035 to its known exploited vulnerabilities catalog Sept. 29, noting the defect has been used in ransomware campaigns. 

DeGrippo said Storm-1175’s attacks are opportunistic, and have affected organizations in the transportation, education, retail, insurance and manufacturing sectors. “Their tactics reflect the broader pattern we’re seeing, which is blending legitimate tools with stealthy techniques to stay under the radar and monetize access through extortion and data theft,” she added.

Researchers haven’t said how many organizations are impacted by GoAnywhere attacks, but Fortra customers went through this before when a zero-day vulnerability in the same file-transfer service was widely exploited two years ago, resulting in attacks on more than 100 organizations.

The post Microsoft pins GoAnywhere zero-day attacks to ransomware affiliate Storm-1175 appeared first on CyberScoop.

House Dems seek info about ICE spyware contract, wary of potential abuses

Three House Democrats questioned the Department of Homeland Security on Monday over a reported Immigration and Customs Enforcement contract with a spyware provider that they warn potentially “threatens Americans’ freedom of movement and freedom of speech.”

Their letter follows publication of a notice that ICE had lifted a stop-work order on a $2 million deal with Israeli spyware company Paragon Solutions, a contract that the Biden administration had frozen one year ago pending a review of its compliance with a spyware executive order.

Paragon is the maker of Graphite, and advertises it as having more safeguards than competitors that have received more public and legal scrutiny, such as NSO Group’s Pegasus, a claim researchers have challenged. A report earlier this year found suspected deployments of Graphite in countries across the globe, with targets including journalists and activists. WhatsApp also notified users this year about a Paragon-linked campaign targeting them. The tool can infect phones without its target having to click on any malicious lure, then mine data from them.

“Given the Trump Administration’s disregard for constitutional rights and civil liberties in pursuit of rapid mass deportation, we are seriously concerned that ICE will abuse Graphite software to target immigrants, people of color, and individuals who express opposition to ICE’s repeated attacks on the rule of law,” the three congressional Democrats, two of whom serve as ranking members of House Oversight and Government Reform subcommittees, wrote Monday.

The trio behind the letter are Reps. Summer Lee of Pennsylvania, top Democrat on the Subcommittee on Federal Law Enforcement; Ohio Rep. Shontel Brown, ranking member of the Subcommittee on Cybersecurity, Information Technology and Government Innovation; and Rep. Yassamin Ansari of Arizona.

Their letter pointed to two Supreme Court rulings — Riley v. California from 2014 and Carpenter v. United States from 2018 — that addressed warrantless surveillance of cellular data. “Allowing ICE to utilize spyware raises serious questions about whether ICE will respect Fourth Amendment protections against warrantless search and seizure for people residing in the U.S.,” the lawmakers wrote.

The trio also asked for communications and documents about ICE’s use of spyware, as well as legal discussions about ICE using spyware and its compliance with the 2023 Biden executive order. They also sought a list of data surveillance targets.

ICE’s surveillance tactics have long drawn attention, but they’ve come under greater scrutiny in the Trump administration, which has sought to vastly expand the agency. ICE has conducted raids that have often swept in U.S. citizens. Other federal contracting records have pointed to ICE’s intentions to develop a 24/7 social media surveillance regime.

DHS and ICE did not immediately answer requests for comment about the Democrats’ letter. ICE has not provided answers about the contract in other media inquiries.

404 Media is suing for information about the ICE contract.

The post House Dems seek info about ICE spyware contract, wary of potential abuses appeared first on CyberScoop.

Outlook folder issue

Social media is pointing to a support document that indicates that when classic Outlook is opened, it may have issues opening folders. The only “fix” is to open a support case with Microsoft. But the problem with support documents is they don’t indicate where this is being seen or how many people are impacted. For […]

Oracle customers being bombarded with emails claiming widespread data theft

Attackers appearing to be aligned with the Clop ransomware group have sent emails to Oracle customers seeking extortion payments, claiming they stole data from the tech giant’s E-Business Suite, according to researchers who spoke with CyberScoop. 

Researchers haven’t confirmed the veracity of Clop’s claimed data theft, but multiple investigations into Oracle environments belonging to organizations that received the emails are underway.

“We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts,” Mandiant Consulting CTO Charles Carmakal told CyberScoop. “The malicious emails contain contact information, and we’ve verified that the two specific contact addresses provided are also publicly listed on the Clop data leak site,” he added.

Clop hasn’t made the claims public through its leak sites.

Oracle on Thursday confirmed it’s aware some Oracle E-Business Suite customers have received extortion emails.

“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 critical patch update,” Rob Duhart, chief security officer at Oracle Security, said in a blog post.

Oracle did not say which vulnerabilities are under active exploitation, nor did it confirm if its customers’ data was stolen. The July security update included 309 patches, including nine that addressed defects in Oracle E-Business Suite. 

The vendor, at the time, said three of the Oracle E-Business Suite vulnerabilities, all of which it designated as medium-severity, can be remotely exploited without authentication. Three additional Oracle E-Business Suite vulnerabilities addressed in July were designated high severity. 

The company has not responded to multiple requests for comment. 

The extortion activity involves targeted emails sent to company executives from hundreds of compromised third-party accounts beginning on or before Sept. 29, according to Genevieve Stark, head of cybercrime and information operations intelligence analysis at Google Threat Intelligence Group.

“It is not yet clear whether the threat actor’s claims are credible, and if so, how they obtained access,” Stark told CyberScoop.

While the tactics and contact email addresses align with Clop, researchers have yet to verify if the financially-motivated group is behind the attacks.

Clop is a highly prolific and notorious ransomware group that has successfully intruded into multiple technology vendors’ systems, allowing it to steal data on many downstream customers. 

The financially motivated threat group specializes in exploiting vulnerabilities in file-transfer services to conduct large-scale attacks. Clop achieved mass exploitation as it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

The extortion emails originate from hundreds of compromised third-party accounts at various legitimate websites, and not from one specific vendor, said Austin Larsen, principal analyst at GTIG. “The claim within those emails is that they have stolen data from the Oracle E-Business Suite of the targeted organizations,” he added. 

The emails observed by researchers don’t contain a specific demand, but pressure victims to contact the threat group to start negotiations.  

“The primary indicators of this new campaign are the extortion emails themselves and the use of email addresses associated with the Clop data leak site,” Stark said. “At this time, we do not have evidence of a successful data breach or a specific malware family associated with this particular campaign.”

Investigators are working through the night to confirm if and how attackers gained access to Oracle’s E-Business Suite and the extent to which Oracle customers may be impacted.

Update: 10/02/25, 5:30 p.m.: This story has been updated with information about Oracle’s security alert.

The post Oracle customers being bombarded with emails claiming widespread data theft appeared first on CyberScoop.

Worries mount over max-severity GoAnywhere defect

Threat intelligence professionals have a sense of foreboding about a maximum-severity vulnerability Fortra disclosed last week in its file-transfer service GoAnywhere MFT, as they steel themselves for active exploitation and signs of compromise.

Fortra has not declared the defect actively exploited and did not answer questions to that effect from CyberScoop. Yet, researchers at watchTowr said they’ve obtained credible evidence of active exploitation of the vulnerability dating back to Sept. 10. 

The disagreement between vendor and research firm highlights a stubborn conundrum in the world of vulnerability disclosure and management. When defects turn out to be more severe and actively exploited than vendors initially report, it creates unnecessary challenges for defenders and impacted users.

Fortra did not answer questions about or respond to watchTowr’s latest findings. Fortra maintains it discovered the vulnerability or its potential impact during a “security check” on Sept. 11, but it hasn’t included those details in the advisory. 

The cybersecurity vendor previously updated its security advisory for the deserialization vulnerability — CVE-2025-10035 — with details that baffled some researchers due to their lack of clarity. Fortra added indicators of compromise and stack traces that, if present in customers’ log files, indicate their “instance was likely affected by this vulnerability,” the company said.

Ben Harris, founder and CEO at watchTowr, discredited some of Fortra’s public statements about the vulnerability as he and his team of researchers confirmed suspicions they had about attacks linked to the vulnerability when it was first disclosed.

“What a mess,” he told CyberScoop. “All they had to do was just be honest and transparent — and instead, have turned this into scandal.”

Threat hunters’ concerns about the vulnerability were amplified when Fortra updated its advisory to share specific strings for customers to monitor in their log files. 

The IOCs added to Fortra’s advisory “makes us logically uneasy because it strongly suggests that attackers may already be active,” Harris said prior to confirming active exploitation. The details added to the vendor’s “Am I Impacted?” section in the advisory “implies this isn’t just a hypothetical risk,” Harris added. 

Researchers from Rapid7 and VulnCheck drew similar conclusions, noting it’s rare for vendors to publish IOCs for new critical vulnerabilities absent confirmed exploitation. 

“While the IOCs do not confirm exploitation in the wild, they strongly suggest the vendor believes that this vulnerability will be exploited if it has not already been,” said Stephen Fewer, senior principal researcher at Rapid7.

Private key, the missing link

Vulnerability researchers uncovered additional details about the steps attackers would have to take to achieve exploitation, including unexplained access to a specific private key.

“To successfully achieve remote-code execution, an attacker must send a signed Java object to the target GoAnywhere MFT server. The target server will use a public key to verify the signed object and, if the signature is valid, then an unsafe deserialization vulnerability can be hit, achieving arbitrary code execution,” Fewer said. 

“The missing detail is how the attacker can achieve this when the required private key is not present in the code base of GoAnywhere MFT,” he added.
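The signed-object flow Fewer describes above, written out as an added Java example (not Fortra’s code; the class names, the RSA key pair and the `LicenseResponse`/`UnexpectedType` types are constructed stand-ins): verification with the public key rejects a stream that was tampered with, but once a valid signature is available the server will instantiate whatever class the stream names unless the deserialization step itself is restricted, here with a `java.io.ObjectInputFilter` allowlist.

```java
import java.io.*;
import java.security.*;

public class SignedObjectDemo {

    // Constructed stand-in for the one type a license response should ever carry.
    public static final class LicenseResponse implements Serializable {
        private static final long serialVersionUID = 1L;
        final String licensee; final int seats;
        LicenseResponse(String licensee, int seats) { this.licensee = licensee; this.seats = seats; }
    }

    // Any other serializable class stands in for an object the server never expected.
    // It has no side effects; the question is only whether the server instantiates it.
    public static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note = "not a license response";
    }

    // What a license server does: serialize the object, then sign the bytes with the private key.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static byte[] sign(byte[] data, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(byte[] data, byte[] sig, PublicKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    // The pattern the article describes: check the signature, then deserialize whatever was signed.
    // All trust rests on the private key never being forged or leaked.
    static Object verifyThenDeserializeUnfiltered(byte[] data, byte[] sig, PublicKey key)
            throws GeneralSecurityException, IOException, ClassNotFoundException {
        if (!verify(data, sig, key)) throw new SecurityException("bad signature");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();   // any serializable class on the classpath may be instantiated
        }
    }

    // Defence in depth: even a validly signed stream may only contain the expected type
    // (plus java.base classes such as String for its fields); everything else is rejected.
    static Object verifyThenDeserializeFiltered(byte[] data, byte[] sig, PublicKey key)
            throws GeneralSecurityException, IOException, ClassNotFoundException {
        if (!verify(data, sig, key)) throw new SecurityException("bad signature");
        ObjectInputFilter allow = ObjectInputFilter.Config.createFilter(
                LicenseResponse.class.getName() + ";java.base/*;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allow);
            return ois.readObject();   // throws InvalidClassException for a non-allowlisted class
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();   // constructed key pair standing in for the vendor's
        PublicKey pub = kp.getPublic();

        byte[] good = serialize(new LicenseResponse("example-customer", 25));
        byte[] goodSig = sign(good, kp.getPrivate());
        System.out.println("legit, unfiltered: " + verifyThenDeserializeUnfiltered(good, goodSig, pub).getClass().getSimpleName());
        System.out.println("legit, filtered:   " + verifyThenDeserializeFiltered(good, goodSig, pub).getClass().getSimpleName());

        // 1. Without the private key, a modified stream fails verification: the check does its job.
        byte[] tampered = good.clone();
        tampered[tampered.length - 1] ^= 0x01;
        try {
            verifyThenDeserializeUnfiltered(tampered, goodSig, pub);
        } catch (SecurityException e) {
            System.out.println("tampered stream rejected: " + e.getMessage());
        }

        // 2. If the private key were ever available to someone else, the signature check alone
        //    would accept any class; only the filter still refuses the unexpected type.
        byte[] other = serialize(new UnexpectedType());
        byte[] otherSig = sign(other, kp.getPrivate());
        System.out.println("signed unexpected type, unfiltered: " + verifyThenDeserializeUnfiltered(other, otherSig, pub).getClass().getSimpleName());
        try {
            verifyThenDeserializeFiltered(other, otherSig, pub);
        } catch (InvalidClassException e) {
            System.out.println("signed unexpected type, filtered: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Run with `java SignedObjectDemo.java` on JDK 11 or later; the filter string follows the `ObjectInputFilter.Config.createFilter` pattern syntax, where `!*` rejects every class not matched by an earlier pattern.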

This key, its whereabouts and how an attacker might gain access to it has researchers on edge, leading some to speculate the private key may have been leaked or otherwise stolen from a cloud-based GoAnywhere license server, which is designed to legitimize signed objects.

Researchers don’t have the private key and have been unable to produce a working exploit without it.

“Adversaries overall are opportunistic,” said Caitlin Condon, vice president of security research at VulnCheck. “It’s a pretty big deal for them to somehow get access to private keys.”

Cybercriminals have accessed private keys before, as evidenced earlier this month when an attacker exploited a zero-day vulnerability in Sitecore by using sample keys customers copied and pasted from the vendor’s documentation. 

A key was at the root cause of a major China-affiliated espionage attack on Microsoft Exchange Online in 2023, which exposed emails belonging to high-ranking U.S. government officials and others. Microsoft never definitively determined how the threat group it tracks as Storm-0558 acquired the key, and a federal review board later lambasted the company for “a cascade of security failures” in a scathing report about the attack and its widespread impact.

Vendor responsibility tested

Vendors are responsible for providing their customers with timely and actionable information that can protect them against attacks, including explicit acknowledgement of active exploitation, experts said. 

“This provides clarity and peace of mind for defenders looking to prioritize vulnerabilities more effectively in a challenging threat climate, rather than forcing them to speculate or rely on third-party research to answer questions that the supplier is best positioned to address,” said Caitlin Condon, vice president of security research at VulnCheck. 

“The easiest way to know whether this vulnerability, or any vulnerability, has been exploited would be for the vendor to explicitly disclose whether they’re aware of confirmed malicious activity in customer environments,” she said.

The maximum-severity score assigned to CVE-2025-10035 is a revealing signal, Condon added. “It’s unusual for a vendor to assign a perfect 10 CVSS score unless they’ve validated vulnerability details and confirmed how an adversary would conduct a successful attack,” she said. 

Fortra has been through this before. Its customers were previously targeted with a widely exploited zero-day vulnerability in the same file-transfer service two years ago. Fortra’s description of CVE-2025-10035 bears striking similarities to CVE-2023-0669, a defect exploited by Clop, resulting in attacks on more than 100 organizations, and at least five other ransomware groups.

Harris criticized Fortra for its reluctance to share crucial information.

“As an organization that signed CISA’s Secure By Design pledge that includes wording around transparency for in-the-wild exploitation, the situation seems rather disappointing,” he said. 

Enterprises, security professionals and defenders rely on accurate data to determine exposure and react accordingly, Harris added. 

“When transparency is missing, these same teams are left in the dark and left with inadequate information to make risk decisions,” he said. “Given the context of the solution being used, and the organizations that use this solution, we cannot understate the impact of additional dwell time for an attacker in some of these environments.”

The post Worries mount over max-severity GoAnywhere defect appeared first on CyberScoop.

Multi-service impact in Switzerland North

Impact Statement: Starting at 23:54 UTC on 26 September 2025, customers in Switzerland North may experience service unavailability or degraded performance for resources hosted in the region. Virtual Machines may have shut down to preserve data integrity. 

Current Status: We were alerted to this issue by our telemetry, which informed us of a significant drop in traffic. It was discovered that a recent deployment introduced a malformed prefix in one of the certificates used for connection authorization. We have pinpointed the deployment error involving the certificate prefix and are rolling back the faulty deployment to restore normal traffic flow and service availability.

The majority of the impacted services have been fully recovered, and a subset are nearing completion. We continue to monitor traffic and service stability to ensure full recovery.

Secret Service says it dismantled extensive telecom threat in NYC area

The Secret Service said Tuesday that it disrupted a network of electronic devices in the New York City area that posed imminent telecommunications-based threats to U.S. government officials and potentially the United Nations General Assembly meeting currently underway.

The range of threats included enabling encrypted communications between threat groups and criminals, or disabling cell towers and conducting denial-of-service attacks to shut down cell communications in the region. Matt McCool, special agent in charge of the Secret Service’s New York field office, said the agency’s early analysis of the network indicated “cellular communications between foreign actors and individuals that are known to federal law enforcement.”

In all, the agency said it discovered more than 300 servers and 100,000 SIM cards spread across multiple sites within 35 miles of the U.N. meeting. The Secret Service announcement came the same day President Donald Trump was scheduled to deliver a speech to the General Assembly.

“The potential for disruption to our country’s telecommunications posed by this network of devices cannot be overstated,” U.S. Secret Service Director Sean Curran said in a news release.

McCool said in a video statement that the investigation was ongoing, but the threat the network posed had been neutralized.

“These devices allowed anonymous, encrypted communications between potential threat actors and criminal enterprises, enabling criminal organizations to operate undetected,” he said. “This network had the potential to disable cell phone towers and essentially shut down the cellular network in New York City.

“We will continue working toward identifying those responsible and their intent, including whether their plan was to disrupt the U.N. General Assembly and communications of government and emergency personnel during the official visit of world leaders in and around New York City,” McCool continued.

News outlets briefed on the operation reported that the network anonymously conveyed assassination threats against senior U.S. officials, that the agency had never seen such an extensive operation, that the investigation uncovered empty electronic safehouses rented around the area and that hackers, terrorists, spies and human traffickers could’ve made use of the network. The investigation reportedly began in response to swatting and bomb threats against U.S. officials.

Other participants in the investigation were the Department of Homeland Security’s Homeland Security Investigations, the Department of Justice, the Office of the Director of National Intelligence and the New York Police Department.

Some cybersecurity professionals reacted skeptically to elements of the Secret Service announcement.

“Super weird framing by the Secret Service,” Marcus Hutchins, the researcher known for stopping the 2017 WannaCry ransomware attack, wrote on Bluesky. “They found a SIM card farm, which is typically used by criminals to anonymously send calls and texts. They issued a press release claiming ‘it could have shut down the entire NY cell network during the UN general assembly’ which is some serious FUD,” he said, using the acronym for “fear, uncertainty and doubt.”

He added: “it’s possible they found an actual plot to cause widespread destruction, but way more likely they found some generic cybercrime service and have absolutely no clue what it’s for.”

Johns Hopkins cryptography expert Matthew Green wrote on the same social media platform that “I no longer know what we can trust from the Secret Service, especially when a ‘Trump speech’ is involved, and the mechanics of this thing are a little bizarre.”

Updated 9/23/25: to include reaction from cybersecurity professionals.

The post Secret Service says it dismantled extensive telecom threat in NYC area appeared first on CyberScoop.

Researchers raise alarm over maximum-severity defect in GoAnywhere file-transfer service

Researchers warned that a maximum-severity vulnerability affecting GoAnywhere MFT bears striking similarities with a widely exploited defect in the same file-transfer service two years ago.

Fortra, the cybersecurity vendor behind the product, disclosed and released a patch for the vulnerability — CVE-2025-10035 — Thursday. The deserialization vulnerability “allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection,” the company said in a security advisory.

File transfer services are a valuable target for attackers because they store a lot of sensitive data. If cybercriminals exploit these services, they can quickly access information from many users at once, making these services especially attractive for large-scale attacks. 

Fortra didn’t provide any evidence of active exploitation and researchers from multiple security firms said they haven’t observed exploitation but expect that to change soon. “We believe that it’s just a matter of time and are monitoring the situation closely,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said in an email.

The vulnerability, which has a CVSS rating of 10, is “virtually identical to the description for CVE-2023-0669,” a zero-day vulnerability exploited by Clop, resulting in attacks on more than 100 organizations, and at least five other ransomware groups, Caitlin Condon, vice president of security research at VulnCheck, said in a blog post.

Clop, a highly prolific, financially motivated ransomware group, specializes in exploiting vulnerabilities in file-transfer services. The threat group achieved mass exploitation as it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

“By design, file transfer services process and store sensitive files,” Dewhurst said. “These are a prime target for threat actors, especially ransomware groups, which can use the exposed files as blackmail.”

Stephen Fewer, senior principal researcher at Rapid7, noted that file-transfer services are often exposed to the internet with network credentials supporting data access, storage and flow — factors that create a high-value target for attackers. 

The new defect doesn’t require authentication, and deserialization vulnerabilities are typically more reliable than other bugs, including memory-corruption errors, Fewer said.

Researchers aren’t aware of publicly available proof-of-concept exploit code, yet it could exist privately. “As always, if the vulnerability turns out to have been exploited in the wild as a zero-day — which was unclear at time of disclosure — patching alone will not eradicate adversaries from compromised systems,” Condon said.

Fortra told CyberScoop it discovered the vulnerability during a security check Sept. 11. “We identified that GoAnywhere customers with an admin console accessible over the internet could be vulnerable to unauthorized third-party exposure,” Jessica Ryan, public relations manager at Fortra, said in an email. 

“We immediately developed a patch and offered customers mitigation guidance to help resolve the issue,” she added.

The managed file-transfer service is one of three GoAnywhere products used by more than 3,000 organizations, including Fortune 500 businesses, according to Fortra.

The vendor appears three times on the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog, with all three defects added under a two-month period in 2023.

The post Researchers raise alarm over maximum-severity defect in GoAnywhere file-transfer service appeared first on CyberScoop.

Do you know all the font options in Microsoft Office?

MICROSOFT 365. By Peter Deegan. There are many font options for Office, including some you probably don’t know about. There was a time when fonts were simple. For most people, there was only one sort of typeface with bold, italic, and underline. The boom in fonts came with TrueType (.ttf) fonts, either installed automatically or […]

Oregon Man Charged in ‘Rapper Bot’ DDoS Service

A 22-year-old Oregon man has been arrested on suspicion of operating “Rapper Bot,” a massive botnet used to power a service for launching distributed denial-of-service (DDoS) attacks against targets — including a March 2025 DDoS that knocked Twitter/X offline. The Justice Department asserts the suspect and an unidentified co-conspirator rented out the botnet to online extortionists, and tried to stay off the radar of law enforcement by ensuring that their botnet was never pointed at KrebsOnSecurity.

The control panel for the Rapper Bot botnet greets users with the message “Welcome to the Ball Pit, Now with refrigerator support,” an apparent reference to a handful of IoT-enabled refrigerators that were enslaved in their DDoS botnet.

On August 6, 2025, federal agents arrested Ethan J. Foltz of Springfield, Ore. on suspicion of operating Rapper Bot, a globally dispersed collection of tens of thousands of hacked Internet of Things (IoT) devices.

The complaint against Foltz explains the attacks usually clocked in at more than two terabits of junk data per second (a terabit is one trillion bits of data), which is more than enough traffic to cause serious problems for all but the most well-defended targets. The government says Rapper Bot consistently launched attacks that were “hundreds of times larger than the expected capacity of a typical server located in a data center,” and that some of its biggest attacks exceeded six terabits per second.

Indeed, Rapper Bot was reportedly responsible for the March 10, 2025 attack that caused intermittent outages on Twitter/X. The government says Rapper Bot’s most lucrative and frequent customers were involved in extorting online businesses — including numerous gambling operations based in China.

The criminal complaint was written by Elliott Peterson, an investigator with the Defense Criminal Investigative Service (DCIS), the criminal investigative division of the Department of Defense (DoD) Office of Inspector General. The complaint notes the DCIS got involved because several Internet addresses maintained by the DoD were the target of Rapper Bot attacks.

Peterson said he tracked Rapper Bot to Foltz after a subpoena to an ISP in Arizona that was hosting one of the botnet’s control servers showed the account was paid for via PayPal. More legal process to PayPal revealed Foltz’s Gmail account and previously used IP addresses. A subpoena to Google showed the defendant searched security blogs constantly for news about Rapper Bot, and for updates about competing DDoS-for-hire botnets.

According to the complaint, after having a search warrant served on his residence the defendant admitted to building and operating Rapper Bot, sharing the profits 50/50 with a person he claimed to know only by the hacker handle “Slaykings.” Foltz also shared with investigators the logs from his Telegram chats, wherein Foltz and Slaykings discussed how best to stay off the radar of law enforcement investigators while their competitors were getting busted.

Specifically, the two hackers chatted about a May 20 attack against KrebsOnSecurity.com that clocked in at more than 6.3 terabits of data per second. The brief attack was notable because at the time it was the largest DDoS that Google had ever mitigated (KrebsOnSecurity sits behind the protection of Project Shield, a free DDoS defense service that Google provides to websites offering news, human rights, and election-related content).

The May 2025 DDoS was launched by an IoT botnet called Aisuru, which I discovered was operated by a 21-year-old man in Brazil named Kaike Southier Leite. This individual was more commonly known online as “Forky,” and Forky told me he wasn’t afraid of me or U.S. federal investigators. Nevertheless, the complaint against Foltz notes that Forky’s botnet seemed to diminish in size and firepower at the same time that Rapper Bot’s infection numbers were on the upswing.

“Both FOLTZ and Slaykings were very dismissive of attention seeking activities, the most extreme of which, in their view, was to launch DDoS attacks against the website of the prominent cyber security journalist Brian Krebs,” Peterson wrote in the criminal complaint.

“You see, they’ll get themselves [expletive],” Slaykings wrote in response to Foltz’s comments about Forky and Aisuru bringing too much heat on themselves.

“Prob cuz [redacted] hit krebs,” Foltz wrote in reply.

“Going against Krebs isn’t a good move,” Slaykings concurred. “It isn’t about being a [expletive] or afraid, you just get a lot of problems for zero money. Childish, but good. Let them die.”

“Ye, it’s good tho, they will die,” Foltz replied.

The government states that just prior to Foltz’s arrest, Rapper Bot had enslaved an estimated 65,000 devices globally. That may sound like a lot, but the complaint notes the defendants weren’t interested in making headlines for building the world’s largest or most powerful botnet.

Quite the contrary: The complaint asserts that the accused took care to maintain their botnet in a “Goldilocks” size — ensuring that “the number of devices afforded powerful attacks while still being manageable to control and, in the hopes of Foltz and his partners, small enough to not be detected.”

The complaint states that several days later, Foltz and Slaykings returned to discussing what they expected to befall their rival group, with Slaykings stating, “Krebs is very revenge. He won’t stop until they are [expletive] to the bone.”

“Surprised they have any bots left,” Foltz answered.

“Krebs is not the one you want to have on your back. Not because he is scary or something, just because he will not give up UNTIL you are [expletive] [expletive]. Proved it with Mirai and many other cases.”

[Unknown expletives aside, that may well be the highest compliment I’ve ever been paid by a cybercriminal. I might even have part of that quote made into a t-shirt or mug or something. It’s also nice that they didn’t let any of their customers attack my site — if even only out of a paranoid sense of self-preservation.]

Foltz admitted to wiping the user and attack logs for the botnet approximately once a week, so investigators were unable to tally the total number of attacks, customers and targets of this vast crime machine. But the data that was still available showed that from April 2025 to early August, Rapper Bot conducted over 370,000 attacks, targeting 18,000 unique victims across 1,000 networks, with the bulk of victims residing in China, Japan, the United States, Ireland and Hong Kong (in that order).

According to the government, Rapper Bot borrows much of its code from fBot, a DDoS malware strain also known as Satori. In 2020, authorities in Northern Ireland charged a then 20-year-old man named Aaron “Vamp” Sterritt with operating fBot with a co-conspirator. U.S. prosecutors are still seeking Sterritt’s extradition to the United States. fBot is itself a variation of the Mirai IoT botnet that has ravaged the Internet with DDoS attacks since its source code was leaked back in 2016.

The complaint says Foltz and his partner did not allow most customers to launch attacks that were more than 60 seconds in duration — another way they tried to keep public attention to the botnet at a minimum. However, the government says the proprietors also had special arrangements with certain high-paying clients that allowed much larger and longer attacks.

The accused and his alleged partner made light of this blog post about the fallout from one of their botnet attacks.

Most people who have never been on the receiving end of a monster DDoS attack have no idea of the cost and disruption that such sieges can bring. The DCIS’s Peterson wrote that he was able to test the botnet’s capabilities while interviewing Foltz, and found that “if this had been a server upon which I was running a website, using services such as load balancers, and paying for both outgoing and incoming data, at estimated industry average rates the attack (2+ Terabits per second times 30 seconds) might have cost the victim anywhere from $500 to $10,000.”

“DDoS attacks at this scale often expose victims to devastating financial impact, and a potential alternative, network engineering solutions that mitigate the expected attacks such as overprovisioning, i.e. increasing potential Internet capacity, or DDoS defense technologies, can themselves be prohibitively expensive,” the complaint continues. “This ‘rock and a hard place’ reality for many victims can leave them acutely exposed to extortion demands – ‘pay X dollars and the DDoS attacks stop’.”

The Telegram chat records show that the day before Peterson and other federal agents raided Foltz’s residence, Foltz allegedly told his partner he’d found 32,000 new devices that were vulnerable to a previously unknown exploit.

Foltz and Slaykings discussing the discovery of an IoT vulnerability that will give them 32,000 new devices.

Shortly before the search warrant was served on his residence, Foltz allegedly told his partner that “Once again we have the biggest botnet in the community.” The following day, Foltz told his partner that it was going to be a great day — the biggest so far in terms of income generated by Rapper Bot.

“I sat next to Foltz while the messages poured in — promises of $800, then $1,000, the proceeds ticking up as the day went on,” Peterson wrote. “Noticing a change in Foltz’ behavior and concerned that Foltz was making changes to the botnet configuration in real time, Slaykings asked him ‘What’s up?’ Foltz deftly typed out some quick responses. Reassured by Foltz’ answer, Slaykings responded, ‘Ok, I’m the paranoid one.’”

The case is being prosecuted by Assistant U.S. Attorney Adam Alexander in the District of Alaska (at least some of the devices found to be infected with Rapper Bot were located there, and it is where Peterson is stationed). Foltz faces one count of aiding and abetting computer intrusions. If convicted, he faces a maximum penalty of 10 years in prison, although a federal judge is unlikely to award anywhere near that kind of sentence for a first-time conviction.

Officials gain control of Rapper Bot DDoS botnet, charge lead developer and administrator

Authorities claim they’ve gained control of Rapper Bot and stopped attacks emanating from what they described as “among the most powerful DDoS botnets to have ever existed.” 

The takeover and effective disruption of the botnet, also known as Eleven Eleven Botnet and CowBot, occurred after officials identified and served a warrant at the Oregon residence of a 22-year-old man who allegedly developed and ran the operation since at least 2021.

Ethan Foltz of Eugene, Ore., was charged with one count of aiding and abetting computer intrusions in the U.S. District Court for the District of Alaska on Tuesday. He faces a maximum penalty of up to 10 years in prison, the Justice Department said.

Rapper Bot allegedly conducted more than 370,000 attacks, targeting 18,000 unique victims across 1,000 unique autonomous system numbers from April to early August, according to officials. 

The botnet, which primarily infected digital video recorders and Wi-Fi routers, infected between 65,000 and 95,000 devices to regularly conduct high-tempo DDoS attacks. Officials said Rapper Bot regularly conducted DDoS attacks measured between two to three terabits per second, adding that Rapper Bot’s largest attack may have exceeded six terabits per second.

Rapper Bot attacks impacted 80 countries, with DDoS attacks most heavily concentrated in China, Japan, the United States, Ireland and Hong Kong, officials said.

“Because Rapper Bot has been in operation since at least 2021, there is a strong likelihood that there are millions of victims, in terms of infected IoT devices, as well as millions of Rapper Bot initiated DDoS attacks,” a special agent with the Defense Criminal Investigative Service said in an affidavit for the criminal complaint against Foltz.

Investigators traced the botnet to Foltz after linking the botnet’s hosting provider to a PayPal account. Under court order, PayPal sent records to investigators indicating Foltz controlled the account and shared email addresses he associated with the account. Investigators said they determined the same IP address was used to access Foltz’s Gmail, PayPal and internet service provider simultaneously, despite his apparent use of VPN services.
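The attribution step described above (the same source address reaching the suspect’s e-mail, payment and ISP accounts at the same time) is a standard cross-service correlation. The following is an added example, not code from the article or from any agency involved: it takes per-service access records, groups them by source IP, and reports IPs that touched accounts on several distinct services within a short time window. All records, account identifiers and IP addresses are constructed sample data (the IPs are RFC 5737 documentation ranges), and the threshold parameters are assumptions.

```python
"""Cross-service access-record correlation (added example, not from the article).

Given access records of the form (service, account id, timestamp, source IP),
find source IPs that reached accounts on at least `min_services` different
services within `window` of each other. Every record below is constructed
sample data; account identifiers are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class AccessRecord(NamedTuple):
    service: str    # e.g. "mail", "payments", "isp"
    account: str    # account identifier as the service reports it
    ts: datetime    # time of the access, normalised to UTC
    src_ip: str     # source IP seen by the service


# Constructed sample records. Only 203.0.113.10 reaches three services within
# a few minutes; the other IPs are decoys that should not be reported.
SAMPLE_RECORDS: List[AccessRecord] = [
    AccessRecord("mail",     "mail-user-A", datetime(2025, 8, 1, 9, 0, 5),  "203.0.113.10"),
    AccessRecord("payments", "pay-acct-X",  datetime(2025, 8, 1, 9, 1, 40), "203.0.113.10"),
    AccessRecord("isp",      "sub-12345",   datetime(2025, 8, 1, 9, 2, 10), "203.0.113.10"),
    # same IP, two services, but a full day apart: outside the window
    AccessRecord("mail",     "mail-user-B", datetime(2025, 8, 1, 12, 0, 0), "198.51.100.7"),
    AccessRecord("payments", "pay-acct-Y",  datetime(2025, 8, 2, 12, 0, 0), "198.51.100.7"),
    # same IP, close in time, but only one service: not a cross-service link
    AccessRecord("mail",     "mail-user-C", datetime(2025, 8, 3, 8, 0, 0),  "192.0.2.44"),
    AccessRecord("mail",     "mail-user-A", datetime(2025, 8, 3, 8, 0, 30), "192.0.2.44"),
]


def correlate_by_ip(
    records: Iterable[AccessRecord],
    window: timedelta = timedelta(minutes=10),   # assumed threshold
    min_services: int = 3,                        # assumed threshold
) -> Dict[str, Set[Tuple[str, str]]]:
    """Return {src_ip: {(service, account), ...}} for every source IP whose
    accesses span at least `min_services` distinct services inside some
    window of length `window`. Uses a sliding window over the time-sorted
    records of each IP, so the work is linear in the number of records."""
    by_ip: Dict[str, List[AccessRecord]] = defaultdict(list)
    for rec in records:
        by_ip[rec.src_ip].append(rec)

    hits: Dict[str, Set[Tuple[str, str]]] = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r.ts)
        lo = 0
        for hi in range(len(recs)):
            # advance the window start until the span fits inside `window`
            while recs[hi].ts - recs[lo].ts > window:
                lo += 1
            group = recs[lo:hi + 1]
            if len({r.service for r in group}) >= min_services:
                hits.setdefault(ip, set()).update(
                    (r.service, r.account) for r in group
                )
    return hits


if __name__ == "__main__":
    for ip, links in correlate_by_ip(SAMPLE_RECORDS).items():
        print(ip, sorted(links))
```

The output is a lead, not proof of identity: a shared VPN egress, carrier-grade NAT or a corporate proxy can put unrelated users behind one address at the same moment, which is why the time window is kept short and why a link needs corroboration from the records themselves (as the court order to PayPal supplied in the case above) before it is treated as attribution.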

Google accounts linked to Foltz revealed extensive evidence linking him to Rapper Bot, according to investigators. Foltz conducted searches for “RapperBot” and “Rapper Bot” more than 100 times, and sometimes after conducting these searches he viewed cybersecurity blogs, indicating he might have been monitoring what was known about the botnet in real time, officials said in the court documents.

DCIS served a warrant at Foltz’s residence in Oregon on Aug. 6, and during a recorded interview “Foltz stated that he was the primary administrator of Rapper Bot.” Foltz also named his primary partner as a person he only knew as “SlayKings,” adding that the botnet code was derived from the Mirai, Tsunami and fBot botnets.

Upon an official’s request, Foltz terminated Rapper Bot’s outbound attack capabilities and passed the administrative control of Rapper Bot to DCIS personnel. Foltz hasn’t been arrested, but officials familiar with the case said they’ve requested a summons in this case.

Akamai, Amazon Web Services, Cloudflare, Digital Ocean, Flashpoint, Google, PayPal and Unit 221B assisted law enforcement with the investigation.

The post Officials gain control of Rapper Bot DDoS botnet, charge lead developer and administrator appeared first on CyberScoop.

BlackSuit, Royal ransomware group hit over 450 US victims before last month’s takedown

LAS VEGAS — The Russian cybercrime group behind BlackSuit and Royal ransomware was more prolific and successful at extorting payments from its victims than previously known, according to an update Thursday from an investigative unit inside the Department of Homeland Security.

“Since 2022, the Royal and BlackSuit ransomware groups have compromised over 450 known victims in the United States, including entities in healthcare, education, public safety, energy and government sectors,” said a report from Homeland Security Investigations, which operates out of U.S. Immigration and Customs Enforcement. “Combined, the groups have received more than $370 million in ransom payments, based on present-day valuations of cryptocurrency.”

BlackSuit’s technical infrastructure, including servers, domains and tools used to deploy ransomware, extort victims and launder proceeds, was seized and dismantled in a globally coordinated takedown operation last month. BlackSuit’s leak site has displayed a seizure notice since July 24, but U.S. officials waited two weeks to publicly acknowledge the international takedown.

“Disrupting ransomware infrastructure is not only about taking down servers — it’s about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” Michael Prado, deputy assistant director of HSI’s Cyber Crimes Center, said in a statement. 

German officials involved in the takedown previously said they identified 184 BlackSuit victims. The group’s combined take from victim extortions was unknown, but in an advisory last year the Cybersecurity and Infrastructure Security Agency said BlackSuit’s total extortion demands surpassed $500 million by August 2024.

“The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety,” John A. Eisenberg, assistant attorney general for national security, said in a statement. The majority of BlackSuit’s victims were based in the U.S.

While BlackSuit once commanded outsized attention for its consistent spree of attacks, researchers said the ransomware group’s activities significantly decreased starting in December and remained low until its infrastructure was disrupted last month.

The impact from the takedown will be limited because BlackSuit associates were already dispersed and abandoned the BlackSuit brand prior to the global law enforcement action on the group’s operations, Yelisey Boguslavskiy, co-founder and partner at RedSense, told CyberScoop. 

Former BlackSuit members have primarily used INC ransomware and its associated infrastructure this year, according to Boguslavskiy.

BlackSuit emerged from the Conti ransomware group after a major leak of Conti’s internal messages led to a break up in 2022. Members of the Russian-language ransomware collective rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal before rebranding again to BlackSuit in 2024.

The post BlackSuit, Royal ransomware group hit over 450 US victims before last month’s takedown appeared first on CyberScoop.

Have you seen it yet?

TAME YOUR TECH By Susan Bradley It’s almost August, three months before many devices will no longer receive updates. Will you extend your Windows 10? Microsoft acknowledged that both consumers and businesses need more time to deal with the end of life for Windows 10, offering both consumers and businesses extended security update services (ESUs). […]