Deeba Ahmed

1828 posts

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.

Interlock Ransomware Say It Stole 1.5TB of DaVita Healthcare Data

3 minute read

Interlock Ransomware Say It Stole 20TB of DaVita Healthcare Data

Interlock ransomware group claims it stole 20TB of sensitive patient data from DaVita Healthcare. While the group has…

byDeeba Ahmed

April 25, 2025

3 minute read

North Korean Hackers Use Fake Crypto Firms in Job Malware Scam

Silent Push reveals a complex scheme where North Korean hackers posed as crypto companies, using AI and fake…

byDeeba Ahmed

April 25, 2025

2 minute read

Backdoor Found in Official XRP Ledger NPM Package

XRP Ledger SDK hit by supply chain attack: Malicious NPM versions stole private keys; users urged to update…

byDeeba Ahmed

April 24, 2025

3 minute read

Blue Shield Leaked Millions of Patient Info to Google for Years

Blue Shield of California exposed the health data of 4.7 million members to Google for years due to…

byDeeba Ahmed

April 24, 2025

New SessionShark Phishing Kit Steals Session Tokens to Bypass Office 365 MFA

2 minute read

New SessionShark Phishing Kit Bypasses MFA to Steal Office 365 Logins

SessionShark phishing kit bypasses Office 365 MFA by stealing session tokens. Experts warn of real-time attacks via fake…

byDeeba Ahmed

April 24, 2025

2 minute read

Elusive Comet Attack: Hackers Use Zoom Remote-Control to Steal Crypto

Hackers in the Elusive Comet campaign exploit Zoom’s remote-control feature to steal cryptocurrency, and over $100K lost in…

byDeeba Ahmed

April 24, 2025

3 minute read

Ransomware Surge Hits US Healthcare: AOA, DaVita and Bell Ambulance Breached

AOA, DaVita, and Bell Ambulance hit by ransomware in 2025. Over 245K affected as hackers steal patient data,…

byDeeba Ahmed

April 23, 2025

3 minute read

M&S Cyberattack Disrupts Contactless Payments and Click & Collect Services

Marks & Spencer (M&S) cyberattack disrupts contactless payments and Click & Collect; investigation launched as retailer apologises and…

byDeeba Ahmed

April 23, 2025

SSL.com Vulnerability Allowed Fraudulent SSL Certificates for Major Domains

2 minute read

Security

SSL.com Vulnerability Allowed Fraudulent SSL Certificates for Major Domains

An SSL.com vulnerability allowed attackers to issue valid SSL certificates for major domains by exploiting a bug in…

byDeeba Ahmed

April 22, 2025

Threat actors are exploiting bulletproof hosting service Proton66 for malicious activities, including campaigns from SuperBlack ransomware operators, Android malware distribution via hacked WordPress, targeted attacks using XWorm and Strela Stealer, and potential connections to Chang Way Technologies. Cybersecurity experts at Trustwave's SpiderLabs have discovered an increase in malicious online activities originating from a Russian "bulletproof" hosting provider known as Proton66. These services, often favoured by cybercriminals due to their relaxed policies, have been linked to a wave of attacks targeting organizations worldwide since January 8, 2025. Researchers have detailed their findings in a two-part series. The first part highlights a major increase in "mass scanning, credential brute-forcing, and exploitation attempts" coming from Proton66's network (ASN 198953). This means attackers were actively probing for weaknesses in systems and trying to guess login details on a large scale. SpiderLabs has also noticed an increase in scanning and exploiting traffic from Proton66's network from January 8, 2025, with a sharp decline in February. The attacks targeted specific network blocks, the most active being 45.135.232.0/24 and 45.140.17.0/24, while some had been inactive for a significant period, with the last reported malicious activity dating back to July and November 2021. Traffic Volume Analysis (Source: SpiderLabs) Notably, the address 193.143.1.65, was observed connected to the operators of a new ransomware strain called SuperBlack, and its operators were distributing "some of the latest critical priority exploits,” researchers noted in the blog post. The second part discusses malware campaigns linked to Proton66, including compromised WordPress websites redirecting Android users to fake Google Play Store pages likely to steal their information or install malicious apps. The domain naming conventions used suggest targets speaking English ("us-playmarket.com"), French ("playstors-france.com"), Spanish ("updatestore-spain.com"), and Greek ("playstors-gr.com"). SpiderLabs also discovered operators deploying Strela Stealer, an information-stealing tool that extracts email login credentials from targeted systems, between January and February 2025. Another campaign involved XWorm malware targeting users of Korean-speaking chat rooms. Additionally, connections to WeaXor ransomware, a modified version of Mallox that encrypts files and demands a ransom for recovery, were detected. At the time of the report, the WeaXor group was asking for "$2,000, transferred in BTC or USDT." Sample Ransom Note (Source: SpiderLabs) Interestingly, SpiderLabs' investigation reveals a potential rebranding or connection between Proton66 and Hong Kong-based company, Chang Way Technologies Co. Limited. In November 2024, security firm Intrinsec linked Proton66 and PROSPERO to bulletproof hosting services advertised on underground forums as UNDERGROUND and BEARHOST. SpiderLabs’s investigation revealed that while the Russian control panel for UNDERGROUND/BEARHOST customers remained at my.31337.ru, the my.31337.hk page was updated with a "CHANGWAY / HOSTWAY" theme. Still, technical connections between the infrastructures remained, suggesting an underlying link. Technology and financial organizations are the prime targets of this campaign. However, the SuperBlack ransomware group preferred targeting non-profit, engineering, and financial sectors. Research by Forescout linked this IP address to the Mora_001 threat actor who exploited vulnerabilities in Fortinet FortiOS devices, leading to the deployment of the SuperBlack ransomware. It is worth noting that hackers have exploited vulnerabilities in Palo Alto Networks' PAN-OS software (CVE-2025-0108), Mitel MiCollab (CVE-2024-41713), and D-Link NAS devices (CVE-2024-10914). D-Link has announced that the affected devices have reached their end-of-life, therefore, no security updates will be provided. Nevertheless, researchers strongly recommend that organizations block all the internet address ranges associated with both Proton66 and Chang Way Technologies to protect themselves from potential compromise. Trey Ford, Chief Information Security Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity, commented on the development, stating that while IPs aren’t reliable indicators of threat actors, since changing scan sources is cheap, patterns like consistent brute-force attempts still matter. “It’s a reminder to monitor login velocity, harden exposed services, and make attacks costly for low-effort actors,” he said.

3 minute read

Russian Host Proton66 Tied to SuperBlack and WeaXor Ransomware

Threat actors are exploiting bulletproof hosting service Proton66 for malicious activities, including campaigns from SuperBlack ransomware operators, Android…

byDeeba Ahmed

April 22, 2025

The Latest

Microsoft Entra Agent ID Flaw Enabled Tenant Takeover via Privilege Escalation

Fake CAPTCHA Scam Abuses Verification Clicks to Send Costly International Texts

New ClickFix attack Hides in Native Windows Tools to Reduce Detection Risk

TeamPCP Hijacks Bitwarden CLI, Uses Dependabot to Deploy Shai-Hulud Malware

Deeba Ahmed

Interlock Ransomware Say It Stole 20TB of DaVita Healthcare Data

North Korean Hackers Use Fake Crypto Firms in Job Malware Scam

Backdoor Found in Official XRP Ledger NPM Package

Blue Shield Leaked Millions of Patient Info to Google for Years

New SessionShark Phishing Kit Bypasses MFA to Steal Office 365 Logins

Elusive Comet Attack: Hackers Use Zoom Remote-Control to Steal Crypto

Ransomware Surge Hits US Healthcare: AOA, DaVita and Bell Ambulance Breached

M&S Cyberattack Disrupts Contactless Payments and Click & Collect Services

SSL.com Vulnerability Allowed Fraudulent SSL Certificates for Major Domains

Russian Host Proton66 Tied to SuperBlack and WeaXor Ransomware

BreachLock Named Representative Vendor in the 2026 Gartner Market Guide for Adversarial Exposure Validation

The Ungoverned Workforce: Cybersecurity Insiders Finds 92% Lack Visibility Into AI Identities

Security Risk Advisors Purple Team Participants Can Now Earn CPE Credits

Mallory Launches AI-Native Threat Intelligence Platform, Turning Global Threat Data Into Prioritized Action

AI Future: The Leading International AI and Web3 Forum to Take Place in April