ThreatsDay Bulletin: RustFS Flaw, Iranian Ops, WebUI RCE, Cloud

The internet never stays quiet. Every week, new hacks, scams, and security problems show up somewhere.

This week's stories show how fast attackers change their tricks, how small mistakes turn into big risks, and how the same old tools keep finding new ways to break in.

Cybersecurity company Resecurity revealed that it deliberately lured threat actors claiming to be associated with Scattered LAPSUS$ Hunters (SLH) into a trap, after the group claimed on Telegram that it had hacked the company and stolen internal and client data. In November 2025, the company uncovered a threat actor probing various publicly facing services and applications in an attempt to conduct malicious activity against its resources. In response, it set up a honeytrap account populated with fake data designed to resemble real-world business data and planted a fake account on an underground marketplace for compromised credentials. The threat actor is also said to have targeted one of its employees who had no sensitive data or privileged access. "This led to a successful login by the threat actor to one of the emulated applications containing synthetic data," it said. "While the successful login could have enabled the actor to gain unauthorized access and commit a crime, it also provided us with strong proof of their activity. Between December 12 and December 24, the threat actor made over 188,000 requests attempting to dump synthetic data." As of January 4, 2025, the group had removed the post announcing the hack from its Telegram channel. Resecurity said the exercise also allowed it to identify the threat actor and link one of their active Gmail accounts to a U.S.-based phone number and a Yahoo account. Despite the setback, new findings from CYFIRMA indicate that the loose-knit collective has resurfaced with scaled-up recruitment activity, seeking initial access brokers, insider collaborators, and corporate credentials. "Chatroom discussions repeatedly reference legacy threat brands such as LizardSquad, though these mentions remain unverified and are likely part of an intimidation or reputation-inflation strategy rather than proof of a formal alliance," it said.

Threat actors are exploiting a known flaw in GeoServer, CVE-2024-36401, to distribute an XMRig cryptocurrency miner by means of PowerShell commands. "Additionally, the same threat actor is also distributing a coin miner to WebLogic servers," AhnLab said. "It appears that they are installing CoinMiner when they scan

Source: The Hacker News