
Luna Moth Extortion, Android Update Vulnerabilities, Supply Chain Attacks & Government Hack Expose Digital Security Gaps

By TechDogs Bureau

TD NewsDesk

Updated on Tue, May 6, 2025

As our world becomes increasingly connected, there are more intersections for threat actors to target. Plus, the rising number of threat vectors is increasing the scale and frequency of cyber threats. Naturally, this demands constant vigilance from individuals and organizations alike to stay safe and secure.

Well, the start of May has underlined the need for strong, adaptive cybersecurity measures again, with various incidents interrupting the normalcy of business operations. Dive in to explore the latest in cybersecurity!  


Luna Moth Targets US Businesses Through Phishing Campaigns


Data extortion has emerged as a concerning trend in the realm of cybersecurity. The latest such incident involves the data-theft extortion group known as Luna Moth, or Silent Ransom Group, which has escalated its phishing campaigns targeting legal and financial institutions within the United States.

Unlike traditional ransomware attacks that encrypt data, Luna Moth's primary objective is data exfiltration followed by extortion. They initiate contact through emails impersonating IT help desks or IT support teams, urging recipients to call a number to resolve fictitious technical issues.

Once a victim makes the call, a Luna Moth operative posing as an IT professional skillfully convinces them to install remote monitoring and management (RMM) software from fake IT help desk websites.

These websites often employ typosquatted domain names, closely resembling those of the targeted firms. For instance, [company_name]-helpdesk.com instead of the original [company_name]helpdesk.com.
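The typosquatting pattern described above (hyphen insertion into the real help-desk domain) is something a defender can screen for in mail-gateway or proxy logs. The following Python example is added here and is not part of the original article or any tool it mentions; the organization domain and the observed domains are constructed for illustration and are not real Luna Moth infrastructure. It goes slightly beyond the article's single case by also folding common homoglyph pairs and catching TLD swaps and transpositions.

```python
from difflib import SequenceMatcher

# Assumption: the organization's real help-desk domain (constructed for this example).
LEGIT_HELPDESK = "examplecorphelpdesk.com"

# Constructed sample of sender and link domains, as might be pulled from mail
# gateway or proxy logs. None of these are real attacker infrastructure.
OBSERVED = [
    "examplecorphelpdesk.com",     # the real site
    "examplecorp-helpdesk.com",    # hyphen insertion, the pattern described above
    "example-corp-helpdesk.com",   # two hyphens
    "examplecorphelpdesk.net",     # TLD swap
    "exarnplecorphelpdesk.com",    # 'rn' standing in for 'm'
    "examplecorphelpdsek.com",     # transposed letters
    "github.com",                  # unrelated
]

# Character sequences that look alike at a glance; folded before comparison.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def split_domain(domain):
    """Return (label, tld) for a lower-cased domain; no public-suffix list is used."""
    d = domain.lower().strip().rstrip(".")
    label, _, tld = d.rpartition(".")
    if not label:              # no dot at all
        return tld, ""
    return label, tld


def fold(label):
    """Remove hyphens and map common homoglyph pairs so variants collapse together."""
    label = label.replace("-", "")
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def classify(domain, legit=LEGIT_HELPDESK, threshold=0.85):
    """Label a domain as 'legitimate', 'lookalike' or 'unrelated' relative to `legit`."""
    d = domain.lower().strip().rstrip(".")
    if d == legit.lower():
        return "legitimate"
    d_label, _ = split_domain(d)
    l_label, _ = split_domain(legit)
    # Exact match after folding catches hyphen insertion, homoglyphs and TLD swaps.
    if fold(d_label) == fold(l_label):
        return "lookalike"
    # Near matches (typos, transpositions) are caught by a similarity ratio.
    if SequenceMatcher(None, fold(d_label), fold(l_label)).ratio() >= threshold:
        return "lookalike"
    return "unrelated"


def triage(domains, legit=LEGIT_HELPDESK):
    """Return only the domains that look like the legitimate one but are not it."""
    return [d for d in domains if classify(d, legit) == "lookalike"]


if __name__ == "__main__":
    for domain in triage(OBSERVED):
        print(f"lookalike  {domain}")
```

The folding step is deliberately crude: it collapses the variants a phishing kit is most likely to use, and the similarity threshold picks up the rest. In practice the list of observed domains would come from the mail gateway's sender and URL fields, and anything returned by `triage` would be added to blocklists alongside the published IoCs.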

[Image: fake IT support site]

The RMM tools abused in these attacks include well-known applications such as Syncro, SuperOps, Zoho Assist, Atera, AnyDesk, and Splashtop. As these are legitimate and digitally signed tools commonly used by large businesses, they often pass security software unchallenged and raise no red flags that might alert the unsuspecting victim.

Once installed, these tools grant the attackers unfettered remote access to the victim's system, allowing the attackers to navigate the compromised system and search for valuable data.

After identifying and exfiltrating sensitive files using tools like WinSCP or Rclone, Luna Moth contacts the victim organization with a ransom demand, threatening to leak the stolen data on their clearweb domain, with ransom amounts reaching up to USD 8 million.

What makes these attacks particularly insidious, as noted by EclecticIQ researcher Arda Büyükkaya, is their stealthy nature: they involve no malware, malicious attachments, or links to compromised websites.

[Image: Luna Moth targets in the past 12 months]

This shift towards sophisticated social engineering attacks highlights the need for robust employee training and awareness programs. Moreover, beyond adding the identified indicators of compromise (IoCs) to your blocklists, consider restricting RMM tools that aren't part of your organization's suite.

Yet the threat landscape is multifaceted, as another security update revealed vulnerabilities.  


Google Addresses 47 Vulnerabilities In The Latest Android Security Update


Google has released its May security update for Android, addressing a total of 47 vulnerabilities. Among these, one high-severity defect, CVE-2025-27363, is particularly concerning as Google has indicated it "may be under limited, targeted exploitation."  

As per Google, the source code patches for all 47 vulnerabilities will be released to the Android Open Source Project (AOSP) repository by Wednesday.

This actively exploited vulnerability resides within the widely used FreeType software library, specifically in versions 2.13.0 and below, potentially allowing attackers to execute arbitrary code on affected devices.

Given that FreeType is a fundamental library for rendering fonts and is integrated into products across billions of Android devices, the implications of this vulnerability are significant.  

The security update also addresses 15 high-severity vulnerabilities within the Android framework and 9 within the Android system. If exploited, these flaws could lead to escalation of privileges, remote or local code execution, information disclosure, and denial of service.

While Google Pixel users will receive these updates automatically, devices built on components from other vendors (Arm, Imagination Technologies, MediaTek, and Qualcomm) will need to wait for customized updates tailored to their specific hardware.

While security update vulnerabilities are significant, an emerging threat vector is now targeting the backbone of online commerce.  


Hundreds Of E-Commerce Sites Fall Victim To Supply Chain Attack


In a stark reminder of the interconnectedness and inherent risks within the digital supply chain, hundreds of e-commerce websites have been compromised in an ongoing attack that started in April.

Security researchers at Sansec have uncovered that these sites were backdoored through at least three software providers, with malware that lay dormant for six years before activating in recent weeks. 

The compromised software providers identified by Sansec include Tigren, Magesolution (MGS), and Meetanshi, all of which build extensions for the popular Magento e-commerce platform. Sansec reports that Tigren and Magesolution were still distributing backdoored versions of their software, while Meetanshi denied any tampering with its software but admitted to having been hacked.

Additionally, customers of a fourth provider, Weltpixel, were affected, although the source of that compromise is still under investigation. Sansec has also identified 21 infected extensions across the three primary affected vendors.

The backdoor grants attackers full remote code execution (RCE) on the e-commerce site's servers. Subsequently, this access is used to inject skimming software that operates within the user's browser to capture payment information.

The method of infection involves a seemingly innocuous function that executes a file named $licenseFile as PHP code. That file starts a chain of functions which ultimately executes malicious PHP code on the website visitors' devices.
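A defender reviewing third-party Magento extensions can look for exactly this construct: an include or require whose path is a variable rather than a literal, so that whatever file the variable points at runs as PHP. The Python example below is added here and is not Sansec's tooling or any vendor's code; the PHP snippets it scans are constructed for illustration, with invented file and function names. It also flags eval() calls and common decode helpers, which are the other usual building blocks of a hidden loader.

```python
import re

# Constructed PHP snippets that imitate the pattern described above. They are
# not the real vendors' code; file and function names are invented.
SAMPLES = {
    "clean_helper.php": """<?php
function loadConfig() {
    return include __DIR__ . '/config.php';   // static path: fine
}
""",
    "license_check.php": """<?php
function checkLicense($licenseFile) {
    if (file_exists($licenseFile)) {
        include_once $licenseFile;   // whatever the file holds runs as PHP
    }
    return true;
}
""",
    "eval_loader.php": """<?php
$payload = base64_decode($data);
eval($payload);
""",
}

# include/require whose argument starts with a variable rather than a literal path.
DYNAMIC_INCLUDE = re.compile(
    r"\b(include|include_once|require|require_once)\s*\(?\s*\$(\w+)", re.I)
# eval() of anything; legitimate extension code has little reason to use it.
EVAL_CALL = re.compile(r"\beval\s*\(", re.I)
# Decoding helpers commonly used to hide a payload inside source code.
DECODE_CALL = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)


def scan_php(source):
    """Return a list of findings {line, kind, detail} for one PHP source string."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = DYNAMIC_INCLUDE.search(line)
        if m:
            findings.append({"line": lineno, "kind": "dynamic-include", "detail": m.group(2)})
        if EVAL_CALL.search(line):
            findings.append({"line": lineno, "kind": "eval", "detail": line.strip()})
        m = DECODE_CALL.search(line)
        if m:
            findings.append({"line": lineno, "kind": "decode-helper", "detail": m.group(1)})
    return findings


def scan_tree(files):
    """Scan a {name: source} mapping; return only files with at least one finding."""
    report = {}
    for name, src in files.items():
        hits = scan_php(src)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_tree(SAMPLES).items():
        for h in hits:
            print(f"{name}:{h['line']}: {h['kind']} ({h['detail']})")
```

A line-oriented regex scan like this is a triage aid, not a verdict: a dynamic include is sometimes legitimate, and a real loader may split the call across lines or build the function name at runtime. Its value is in narrowing hundreds of vendor files down to the handful that deserve a manual read before the extension is deployed.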

[Image: the 21 compromised e-commerce extensions identified by Sansec]

The potential impact of this attack on both businesses and their customers is substantial, highlighting the far-reaching consequences of supply chain vulnerabilities.

Now, adding another layer to the complexities of digital security is a shocking revelation about a secure messaging application used by government officials.  


Insecure Signal Clone Exposes Government Communications


The security of messaging platforms used by government officials is paramount, but recent revelations about TeleMessage—a messaging and archiving application built on the Signal app—have raised serious concerns about its ability to safeguard sensitive communications.

It has been reported that an unidentified actor gained access to chat logs via TeleMessage, which was used by former national security advisor Michael Waltz, as seen in the Reuters image below.

[Image: Mike Waltz checking Signal messages on his phone]

TeleMessage, acquired by Smarsh in 2024, has acknowledged a "potential security incident" and has temporarily suspended services as a precautionary measure with an external cybersecurity firm investigating.

The issue came to light after a photograph showed Waltz using an app with a PIN verification popup similar to Signal's. While the official Signal app employs strong end-to-end encryption to protect messages during transit, questions have been raised about how TeleMessage handles secure communication and storage of archived messages.

Reports suggest that the compromised chat logs were stored without adequate protection, and decrypted messages were archived without re-encryption, representing a significant security risk.

Screenshots of the obtained data reportedly include correspondence with the US Customs and Border Protection (CBP), cryptocurrency firm Coinbase, and other financial entities.

While messages directly involving Waltz were seemingly not included in this particular breach, the fact that a former national security advisor was using software with reported security flaws is concerning.

Further analysis of TeleMessage's source code, briefly accessible to the public, revealed hard-coded credentials and other vulnerabilities indicative of poor security practices. There have also been allegations that TeleMessage's version of Signal violates Signal's open-source license.

These separate incidents serve as a critical reminder of the risks in today's interconnected digital world. They reveal one truth: no system can be foolproof, and no threat is too far-fetched. From fake IT help desks to supply chain hacks and cloned messaging apps, data security is the need of the hour.

Do you think we are prioritizing convenience over security without realizing the cost?

Share your thoughts in the comments below!

First published on Tue, May 6, 2025
