UnitedHealth now estimates that 190 million people were affected by the massive Change Healthcare data breach nearly a year ago.

UnitedHealth says it now estimates that the data breach on its subsidiary Change Healthcare affected 190 million people, nearly doubling its previous estimate from October.

In May, UnitedHealth CEO Andrew Witty estimated that the ransomware attack compromised the data of a third of US individuals when he testified before the Senate Finance Committee on Capitol Hill. In October, this was largely confirmed when Change Healthcare reported a number of 100,000,000 affected individuals.

Besides the enormous number of victims, the story behind this ransomware attack is also very complex, because of the cybercriminals involved and how the first group that received the ransom payment disappeared without paying their affiliates.

The ALPHV/BlackCat ransomware group claimed the initial attack. The UnitedHealth Group reportedly paid $22 million to receive a decryptor and to prevent the attackers from publicly releasing the stolen data.

But shortly after the payment, ALPHV disappeared in an unconvincing exit scam designed to make it look as if the group’s website had been seized by the FBI, forgetting to pay its affiliates in the process. A month later, newcomer ransomware group RansomHub listed Change Healthcare as a victim on its own website, claiming to have the data that ALPHV stole.

According to BleepingComputer, the original attackers joined forces with RansomHub and never deleted the data. A few days later, the listing on the RansomHub leaks site disappeared, which usually means someone paid the ransom.

**Stolen information**

The data breach at Change Healthcare is the largest healthcare data breach in US history. Although Change Healthcare provided details about the types of medical and patient data that was stolen, it can’t provide exact details for every individual. However, the exposed information may include:

*   Contact information: Names, addresses, dates of birth, phone numbers, and email addresses.
*   Health insurance information: Details about primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
*   Health information: Medical record numbers, providers, diagnoses, medicines, test results, images, and details of care and treatment.
*   Billing, claims, and payment information: Claim numbers, account numbers, billing codes, payment card details, financial and banking information, payments made, and balances due.
*   Other personal information: Social Security numbers, driver’s license or state ID numbers, and passport numbers.

Change Healthcare added:

> “The information that may have been involved will not be the same for every impacted individual. To date, we have not yet seen full medical histories appear in the data review.”

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

 UnitedHealth almost doubles victim numbers from massive Change Healthcare data breach 

“Yahoo Boy” scammers are impersonating CNN and other news organizations to create videos that pressure victims into making blackmail payments.

When online romance and sextortion scammers sense they’ve found a victim who may send them money, they’ll use all kinds of villainous methods to get paid. They’ll frequently stoop to blackmail—and are constantly creating more devious approaches to incorporate it into their grifts. In recent months, cybercriminals have taken their blackmailing efforts up a notch, creating realistic-looking “news” videos that claim their victims are wanted for crimes.

Scammers based in West Africa, likely in Nigeria, and going under the broad umbrella of the Yahoo Boys, have increasingly been seen sending blackmail victims videos likely using AI-generated news anchors in a bid to pressure victims into paying up. A WIRED review of posts on Telegram by self-styled Yahoo Boys shows the cybercriminals are impersonating television stations based in the US and sharing tutorials about how to create the blackmailing videos.

The videos follow a sinister pattern. One video—which can be seen in the image below—uses CNN’s logo and branding to impersonate the news organization, with text at the bottom of the screen describing the “breaking news.” On the screen, a likely AI-generated newsreader starts talking.

“Good day. My name is Kristina Lawson, reporting from New Jersey,” the anchor says in the nearly minute-long clip. “Just in: We have received a credible report regarding a disturbing incident.” The fake presenter says that a “young lady” has come forward to allege that they were sexually assaulted by an older man. In the video, the man, who is the target of the scam, is named, and a photograph of him appears onscreen.

Other videos seen by WIRED feature different news readers and names of news channels, but they also show more graphic photos of the potential blackmail targets, including nude and explicit images. In one “news” clip, the screen is split in two, with a photo of a man’s face on one side and the other side is a short video clip of him allegedly masturbating.

David Maimon, the head of fraud insights at SentiLink and a professor at Georgia State University who first spotted the CNN video in December, says the fraudsters have made a number of “disturbing” changes to their blackmailing tactics in recent months, including trying to humiliate people and potentially targeting those outside of English-speaking countries.

Photograph Courtesy of Telegram

Typically, Yahoo Boy scammers message hundreds of people online while posing as members of the opposite sex using pictures stolen from social media profiles. They run all types of scams, but for those that involve blackmail, they often attempt to build up a relationship with their potential victim and obtain compromising information—most commonly, nude images. Then they shift gears.

“At some point, they reveal their identity after they get everything that they need, and then they start blackmailing,” Maimon says. They demand money and threaten to release images online or send them to family and friends if they’re not paid. “One of the approaches they use in order to make sure that the blackmail is realistic is actually producing those news clips that they send to the victims and in a way push them, nudge them, to pay the blackmail,” he says. “They try to push you to make decisions under conditions of stress, under conditions of urgency.”

Yahoo Boy fraudsters widely use social media platform Telegram as a way of organizing, chatting with each other, and as a marketplace where they sell knowledge and tutorials about how to operate different types of scams. The “news” videos seen by WIRED appear to include the details and images of real-world victims, although it was not possible to immediately verify the cases.

Brian Mason, a constable with the Edmonton Police Service in Canada who investigates fraud and works with the victims of scams, says he has seen cases where videos or screenshots of fake CNN broadcasts have been sent to victims. “It looks like your typical CNN broadcast,” Mason says. “It's very, very convincing.” Mason says the approach has been utilized in sextortion scams, which commonly target teenagers and have been linked to a series of suicides.

Mason says he has seen incidents where the news clips falsely accuse scam victims of talking with underage females and that police are searching for them or have issued warrants for their arrest. “It makes the victim panic, because now they’re seeing themselves on this broadcast, and it’s a screen capture from when they were actually talking with the scammer from their own webcam,” Mason adds. The effect can potentially push the person into sending money or following demands from the scammers.

Telegram spokesperson Remi Vaughn tells WIRED that activities observed in the scammer channels are a violation of the app's rules and suggested the company would take action against such channels.

“Content encouraging scamming is explicitly forbidden by Telegram's terms of service,” Vaughn says. “Moderators empowered with custom AI and machine learning tools proactively monitor public parts of the platform and accept reports from users and organizations in order to remove millions of pieces of harmful content each day.”

Last year, Telegram removed more than a dozen Yahoo Boy channels after WIRED reported on their public activity; however, the scammers still have a presence on the platform and other social media platforms, including Facebook, WhatsApp, and YouTube.

Messages shared within Telegram channels show how the fraudsters are quick to evolve their cons, use new technologies, and widely share or sell advice with each other. For instance, when people moved to Chinese alternative Rednote ahead of the proposed TikTok ban in the US earlier this month, Yahoo Boys recommended targeting people who had joined the app.

Within one Telegram channel, which has 10,000 subscribers, a scammer explained the steps needed to create false news videos and mocked-up front pages of newspapers over a series of messages. “In blackmailing (BM) work we get two different types which are: TV news \[and\] newspapers,” the first message says.

In subsequent messages, they gave examples of text that can be inserted into the script for the news bulletin, which says the alleged victim has been “accused of distributing nude images and videos without consent.” All a scammer following the tutorial needs to do is substitute the name and town of their victim and add any pictures they have.

The tutorial suggests headlines for news articles, such as “Local Man Accused of Online Blackmail and Harassment.” It also lists the names of US TV news networks, cable news, and “specialized news”—it listed 17 news outlets ranging from ABC News and Fox News to C-Span and Al Jazeera America. One other cybercriminal shared a video of a folder of blackmail scripts and tutorials needed to create fake news items.

In some fabricated news videos, the news anchor appears to be an AI-generated avatar, although it was not possible to determine which software was being used to create the clips. Tutorials shared on Telegram, however, also show that the grifters are not always using sophisticated technology. Some apps they point to are simple “meme generators.”

Last year, WIRED reported on how Yahoo Boys are adopting deepfake face-swapping technology to make video calls with their targets and try to “prove” their false identities are real. However, Maimon also points to one troubling video shared by Yahoo Boy scammers that appears to show a potential victim making a video to apologize for questioning the scammer’s fake identity.

Within the video, the woman says, “I am truly sorry that I called you a fake” and asks the scammer to accept their apology. The individual says they hope they get to meet the person they believe they are in love with in the future, before they start removing their clothes to “make up” for the earlier accusation. “I think that what followed that video was them blackmailing her,” Maimon explains, “and of course posting it on the markets they’re on.”

_Updated 10:45 am EST, January 28, 2025: Added comment from a Telegram spokesperson._

Scammers Are Creating Fake News Videos to Blackmail Victims

Last week on Malwarebytes Labs: Last week on ThreatDown: Stay safe!

January 27, 2025 - UnitedHealth now estimates that 190 million people were affected by the massive Change Healthcare data breach nearly a year ago.

January 24, 2025 - The Texas Attorney General has requested information of four more car manufacturers about their data handling.

January 23, 2025 - iPhones are being offered for sale with TikTok installed after the US ban caused the app to disappear from the app stores.

January 22, 2025 - A vulnerability in 7-Zip that could allow attackers to bypass the MotW security feature in Windows has been patched.

January 21, 2025 - Forget OSINT, AI-supported tool GeoSpy can determine a person's location based on their surroundings in a picture.

 A week in security (January 20 &#8211; January 26) 

iPhones are being offered for sale with TikTok installed after the US ban caused the app to disappear from the app stores.

After TikTok was briefly banned in the US last weekend, an unusual phenomenon unearthed. Reportedly, people are selling iPhones that have TikTok installed for up to $25,000.

This may require some explanation, so bear with me.

TikTok has had a rough time in the US the last weeks. The ban we mentioned originates from back in March, when the House of Representatives passed a bill that would effectively ban TikTok from the US unless Chinese owner ByteDance agreed to give up its share of the immensely popular app.

Despite an overruled emergency injunction to stop or postpone the planned ban on the platform in the US, the ban took effect on January 19.

But TikTok’s messaging was clear, they were coming back.

> “Sorry TikTok isn’t available right now
> 
> A law banning TikTok has been enacted in the U.S. Unfortunately that means you can’t Use TikTok for now.
> 
> We are fortunate that President Trump has indicated that he will work with us on a solution to reinstate TikTok once he takes office. Please stay tuned!

And it was indeed back for millions of US users as of January 19 and 20. That is to say, for those that had the app installed.

Update 3

> Welcome back!
> 
> Thanks for your patience and support. As a result of President Trump’s efforts, TikTok is back in the U.S.!
> 
> You can continue to create, share, and discover all the thing you love on TikTok.

However, anyone that deleted or never had the app installed are unable to download it as the Apple and Google app stores in the US still don’t have it available. And despite an executive order to delay enforcing the ban, it is unclear when it will be available for download again.

**Second hand iPhones for sale**

Some people have seized on this as a money-making opportunity, selling their iPhones for thousands of dollars on eBay. But is that a smart thing to do?

According to Apple’s Support pages, there is a recommended procedure to follow before you sell, give away, or trade in your iPhone or iPad. One of those steps is to **Erase All Content and Settings**. From that page:

> “When you tap **Erase All Content and Settings**, it completely erases your device, including any credit or debit cards you added for Apple Pay and any photos, contacts, music, or apps. It will also turn off iCloud, iMessage, FaceTime, Game Center, and other services. Your content won’t be deleted from iCloud when you erase your device.”

If you want to leave an app like TikTok behind, you will have to manually erase all the other items on that list to make sure the buyer will not get hold of other private information about you. This is tough to do and is highly likely you would leave some of your data behind.

If you’re considering buying a second hand iPhone so you can use TikTok, how can you be sure that TikTok is the only thing that’s left behind? I wouldn’t put it past cybercriminals to sell devices they can still access, or even malware.

Another bad idea is to roam the internet for unofficial TikTok apps (in the form of IPA or APK files). Installing an unsigned app requires a jailbreak and it can pose significant risks to your device and personal data. Files from unreliable sources may contain malware, spyware, or information stealers and, once installed, these malicious programs can compromise your device’s security.

My advice would be to exercise some patience. TikTok may well reappear in app stores or it’ll be completely removed from access, so everyone will be in the same boat.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Warning: Don&#8217;t sell or buy a second hand iPhone with TikTok already installed 

About Remote Code Execution – Windows OLE (CVE-2025-21298) vulnerability. The vulnerability is from the January Microsoft Patch Tuesday. OLE (Object Linking and Embedding) is a technology for linking and embedding objects into other documents and objects, developed by Microsoft. A common use of this technology is embedding an Excel table in a Word document. What […]

**About Remote Code Execution – Windows OLE (CVE-2025-21298) vulnerability.** The vulnerability is from the January Microsoft Patch Tuesday. OLE (Object Linking and Embedding) is a technology for linking and embedding objects into other documents and objects, developed by Microsoft. A common use of this technology is embedding an Excel table in a Word document.

What is this vulnerability about? The attacker’s code executes when a specially crafted RTF document is opened or when **a malicious email is opened or previewed in Microsoft Outlook**. In the second case, no action is required from the victim other than clicking on the message. 🤷‍♂️ Microsoft recommends viewing messages in Outlook only in plain text.

On January 20, an exploit PoC appeared on GitHub that demonstrates Memory Corruption when opening an RTF document. Now we are waiting for an RCE exploit for Outlook. 😉

There have been no reports of attacks yet.

Fix this vulnerability ASAP!

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Remote Code Execution – Windows OLE (CVE-2025-21298) vulnerability

# Authenticated arbitrary file deletion in YesWiki <= 4.4.5

### Summary
It is possible for any authenticated user, through the use of the filemanager to delete any file owned by the user running the FastCGI Process Manager (FPM) on the host without any limitation on the filesystem's scope.

This Proof of Concept has been performed using the followings:
- YesWiki v4.4.5 (`doryphore-dev` branch, latest)
- Docker environnment (`docker/docker-compose.yml`)
- Docker v27.5.0
- Default installation

### Details
The vulnerability makes use of the `filemanager` that allows a user to manage files that are attached to a resource when they have owner permission on it. This part of the code is managed in `tools/attach/libs/attach.lib.php`

```php
public function doFileManager($isAction = false)
{
    $do = (isset($_GET['do']) && $_GET['do']) ? $_GET['do'] : '';
    switch ($do) {
        case 'restore':
            $this->fmRestore();
            $this->fmShow(true, $isAction);
            break;
        case 'erase':
            $this->fmErase();
            $this->fmShow(true, $isAction);
            break;
        case 'del':
            $this->fmDelete();
            $this->fmShow(false, $isAction);
            break;
        case 'trash':
            $this->fmShow(true, $isAction);
            break;
        case 'emptytrash':
            $this->fmEmptyTrash(); //pas de break car apres un emptytrash => retour au gestionnaire
            // no break
        default:
            $this->fmShow(false, $isAction);
    }
}
```

The **[fmErase()](https://github.com/YesWiki/yeswiki/blob/doryphore-dev/tools/attach/libs/attach.lib.php#L999)** function doesn't sanitize or verify the path that has been provided by the user in any way. Thus allowing a malicious user to specify any arbitrary file on the filesystem and having it deleted through the use of `unlink()` (as long as the user that runs the process has permission to delete it).

```php
public function fmErase()
{
    $path = $this->GetUploadPath();
    $filename = $path . '/' . ($_GET['file'] ? $_GET['file'] : '');
    if (file_exists($filename)) {
        unlink($filename);
    }
}
```

In addition to this deletion accross all the filesystem through `fmErase()`, it is also possible to delete any file attached to an existing wiki page, for instance, if user A creates a page and attaches images/documents to it, they always get uploaded to the files/ directory. If user B (malicious), knows the path of the files he can also arbitrarly delete them. (**[fmDelete()](https://github.com/YesWiki/yeswiki/blob/doryphore-dev/tools/attach/libs/attach.lib.php#L1011)** is also impacted by this case)

### PoC
#### 1. Environnement setup
> The following actions have been performed as a privileged user

First, let's create one user (in addition to the WikiAdmin user):

![poc1](https://github.com/user-attachments/assets/f977106e-0618-4594-a673-14840ed6cb83)

Restrict the edition of 'PagePrincipale' wiki page to administrators only:

![poc2](https://github.com/user-attachments/assets/c40c43dd-1b4f-48fc-b425-9d7915c626bc)

#### 2. Upload of a file on a resource not owned by our user
> The following actions have been performed as a privileged user

Second, let's upload a media to this `PagePrincipale` wiki page:

![poc3](https://github.com/user-attachments/assets/da1cf714-34d6-4d06-8768-f6e0984172fe)
![poc4](https://github.com/user-attachments/assets/3391986d-8d65-4ed0-b614-b71e9938846e)

Then view it in the page's filemanager:

![poc5](https://github.com/user-attachments/assets/821bb42c-9cb7-4209-82ac-a5884cc57eb4)

We can confirm that our file has been uploaded to the `files/` directory by directly looking at the `yeswiki` container:

![poc5 1](https://github.com/user-attachments/assets/629c88c5-744a-4203-b017-03abded00ca5)

#### 3. Arbitrary deletion (in files/)
> The following actions have been performed using an unprivileged user

Now, get the full path/name of the media in the files directory by opening it in a new tab:

![poc6](https://github.com/user-attachments/assets/43cdc5f6-5e05-4797-91d8-3bed0142d72a)

Afterwards, we need an instance of filemanager to be accessible to our user so we need to create a page that we own, here is used the agenda and the creation of a new event:

![poc7](https://github.com/user-attachments/assets/1ef17353-04d0-42c8-8a80-dc9f10ca7f80)

Call the `erase` method on the PagePrincipale's uploaded media:

![poc](https://github.com/user-attachments/assets/9d05fe78-a8ec-4835-b480-297d0f8fc037)

The media is now deleted from PagePrincipale (the button is shown when the attached media doesn't exist, it's an intended behaviour):

![poc9](https://github.com/user-attachments/assets/5d20ae80-0eaa-48c1-8411-fd1c5632f524)

It has also disappeared from the `files/` directory:

![poc10](https://github.com/user-attachments/assets/a6b3e305-ec4f-4ffb-b5df-34bfddf198b3)

This behaviour can be applied to **any** file under the `files/` directory.

#### 4. Arbitrary deletion (in /tmp/)
> The following actions have been performed using a privileged access

Finally, using the same user as the process running the app, we create a file under the `/tmp` directory:

![poc11](https://github.com/user-attachments/assets/45befa45-1023-4aed-b55a-f49864eb2174)

> The following actions have been performed using an unprivileged user

We can once again call the `erase` method using a relative path:

![poc3](https://github.com/user-attachments/assets/b9ee7d19-5f2c-4de3-9a8d-5049c2480d3e)

The file isn't here anymore:

![poc13](https://github.com/user-attachments/assets/1ec440b6-cc95-40b5-b061-22fc46b8ae67)

### Impact
This vulnerability allows any authenticated user to arbitrarly remove content from the Wiki resulting in partial loss of data and defacement/deteroriation of the website. In the context of a container installation of YesWiki without any modification, the 'yeswiki' files (for example .php) are not owned by the same user (root) as the one running the FPM process (www-data). However in a standard installation, www-data may also be the owner of the PHP files, allowing a malicious user to completely cut the access to the wiki by deleting all important PHP files (like index.php or core files of YesWiki).

### Suggestion of possible corrective measures

- Restrict the possible paths of `fmErase()` to the `upload_path` directory.

- Restrict the use of `fmErase()` to trashed files only.

```php
public function fmErase()
{
    $path = $this->GetUploadPath();
    $filename = $this->GetUploadPath() . '/' . basename(realpath(($_GET['file'] ? $_GET['file'] : ''))); //Sanitize file path
    if (file_exists($filename) && preg_match('/trash\d{14}$/', $filename)) { //Make sure that the filename ends with trash and a date
        unlink($filename);
    }
}
```

- Make sure that any request to `fmErase()` or `fmDelete()` originates from the owner of the resource to which the attachment is linked (asks a bit more than a few lines of code).



**Authenticated arbitrary file deletion in YesWiki <= 4.4.5****Summary**

It is possible for any authenticated user, through the use of the filemanager to delete any file owned by the user running the FastCGI Process Manager (FPM) on the host without any limitation on the filesystem's scope.

This Proof of Concept has been performed using the followings:

*   YesWiki v4.4.5 (doryphore-dev branch, latest)
*   Docker environnment (docker/docker-compose.yml)
*   Docker v27.5.0
*   Default installation

**Details**

The vulnerability makes use of the filemanager that allows a user to manage files that are attached to a resource when they have owner permission on it. This part of the code is managed in tools/attach/libs/attach.lib.php

public function doFileManager($isAction = false)
{
    $do = (isset($\_GET\['do'\]) && $\_GET\['do'\]) ? $\_GET\['do'\] : '';
    switch ($do) {
        case 'restore':
            $this\->fmRestore();
            $this\->fmShow(true, $isAction);
            break;
        case 'erase':
            $this\->fmErase();
            $this\->fmShow(true, $isAction);
            break;
        case 'del':
            $this\->fmDelete();
            $this\->fmShow(false, $isAction);
            break;
        case 'trash':
            $this\->fmShow(true, $isAction);
            break;
        case 'emptytrash':
            $this\->fmEmptyTrash(); //pas de break car apres un emptytrash => retour au gestionnaire
            // no break
        default:
            $this\->fmShow(false, $isAction);
    }
}

The **fmErase()** function doesn't sanitize or verify the path that has been provided by the user in any way. Thus allowing a malicious user to specify any arbitrary file on the filesystem and having it deleted through the use of unlink() (as long as the user that runs the process has permission to delete it).

public function fmErase()
{
    $path = $this\->GetUploadPath();
    $filename = $path . '/' . ($\_GET\['file'\] ? $\_GET\['file'\] : '');
    if (file\_exists($filename)) {
        unlink($filename);
    }
}

In addition to this deletion accross all the filesystem through fmErase(), it is also possible to delete any file attached to an existing wiki page, for instance, if user A creates a page and attaches images/documents to it, they always get uploaded to the files/ directory. If user B (malicious), knows the path of the files he can also arbitrarly delete them. (**fmDelete()** is also impacted by this case)

**PoC****1\. Environnement setup**

> The following actions have been performed as a privileged user

First, let's create one user (in addition to the WikiAdmin user):

Restrict the edition of 'PagePrincipale' wiki page to administrators only:

**2\. Upload of a file on a resource not owned by our user**

> The following actions have been performed as a privileged user

Second, let's upload a media to this PagePrincipale wiki page:

  

Then view it in the page's filemanager:

We can confirm that our file has been uploaded to the files/ directory by directly looking at the yeswiki container:

**3\. Arbitrary deletion (in files/)**

> The following actions have been performed using an unprivileged user

Now, get the full path/name of the media in the files directory by opening it in a new tab:

Afterwards, we need an instance of filemanager to be accessible to our user so we need to create a page that we own, here is used the agenda and the creation of a new event:

Call the erase method on the PagePrincipale's uploaded media:

The media is now deleted from PagePrincipale (the button is shown when the attached media doesn't exist, it's an intended behaviour):

It has also disappeared from the files/ directory:

This behaviour can be applied to **any** file under the files/ directory.

**4\. Arbitrary deletion (in /tmp/)**

> The following actions have been performed using a privileged access

Finally, using the same user as the process running the app, we create a file under the /tmp directory:

> The following actions have been performed using an unprivileged user

We can once again call the erase method using a relative path:

The file isn't here anymore:

**Impact**

This vulnerability allows any authenticated user to arbitrarly remove content from the Wiki resulting in partial loss of data and defacement/deteroriation of the website. In the context of a container installation of YesWiki without any modification, the 'yeswiki' files (for example .php) are not owned by the same user (root) as the one running the FPM process (www-data). However in a standard installation, www-data may also be the owner of the PHP files, allowing a malicious user to completely cut the access to the wiki by deleting all important PHP files (like index.php or core files of YesWiki).

**Suggestion of possible corrective measures**

*   Restrict the possible paths of fmErase() to the upload_path directory.
    
*   Restrict the use of fmErase() to trashed files only.
    

public function fmErase()
{
    $path = $this\->GetUploadPath();
    $filename = $this\->GetUploadPath() . '/' . basename(realpath(($\_GET\['file'\] ? $\_GET\['file'\] : ''))); //Sanitize file path
    if (file\_exists($filename) && preg\_match('/trash\\d{14}$/', $filename)) { //Make sure that the filename ends with trash and a date
        unlink($filename);
    }
}

*   Make sure that any request to fmErase() or fmDelete() originates from the owner of the resource to which the attachment is linked (asks a bit more than a few lines of code).

**References**

*   GHSA-43c9-gw4x-pcx6
*   https://nvd.nist.gov/vuln/detail/CVE-2025-24019
*   YesWiki/yeswiki@3ddd833

GHSA-43c9-gw4x-pcx6: Authenticated arbitrary file deletion in YesWiki

January 17, 2025 - A cybercriminal campaign linked to Russia is deploying QR codes to access the WhatsApp accounts of high-profile targets like journalists, members...

January 16, 2025 - Avery has confirmed its website was compromised by a credit card skimmer that potentially affected over 60,000 customers.

January 16, 2025 - The FBI has announced it's deleted PlugX malware from approximately 4,258 US-based computers and networks.

January 15, 2025 - An ongoing malvertising campaign steals Google advertiser accounts via fraudulent ads for Google Ads itself.

January 14, 2025 - An insurance company is accused of unlawfully collecting, using, and selling location data from millions of people's cell phones.

 A week in security (January 13 &#8211; January 19) 

Hacker IntelBroker claims to have breached Hewlett Packard Enterprise (HPE), exposing sensitive data like source code, certificates, and…

Hacker IntelBroker claims to have breached Hewlett Packard Enterprise (HPE), exposing sensitive data like source code, certificates, and PII, now available for sale online.

The notorious IntelBroker hacker along with their associates have claimed responsibility for breaching Hewlett Packard Enterprise (**HPE**), a Houston, TX, United States-based global company that provides technology solutions to businesses.

The hacker, who was previously linked to several high-profile data breaches, is now selling the allegedly stolen data, demanding payment in Monero (XML) cryptocurrency to remain anonymous and untraceable.

This was revealed to Hackread.com by the hacker himself and later announced on Breach Forums, a cybercrime and data breach forum administered by the hacker. In an exclusive conversation with Hackread.com, IntelBroker claimed that the breach was the result of a direct attack on HPE’s infrastructure and did not involve compromising a third party for access, as has been **common in recent attacks**.

****What’s in the Allegedly Stolen Data?****

IntelBroker also shared a data tree and two screenshots allegedly taken from the company’s internal infrastructure. The data tree, analyzed by Hackread.com, appears to reference a development or system environment involving both open-source software and proprietary package management systems.

Additionally, the hacker claims to have extracted sensitive data, including source code, private GitHub repositories, Docker builds, certificates (both private and public keys), product source code belonging to Zerto and iLO, user data such as old PII related to deliveries, and access to APIs, WePay, self-hosted GitHub repositories, and more.

IntelBroker on Breach Forums claiming Hewlett Packard Enterprise (HPE) breach Credit: Hackread.com

During Hackread.com’s initial analysis of the alleged data tree, several findings align with the hacker’s claims. The directory structure includes private keys and certificates, such as ca-signed.key and hpe_trusted_certificates.pem, suggesting possible exposure to sensitive cryptographic material.

Source code for HPE products like iLO and Zerto is present, with files such as ilo_client.py and zerto_bootstrapper.py hinting at leaked proprietary implementations. References to .github directories and .tar archives for private repositories further point to compromised development assets.

Additionally, the presence of files like VMW-esx-7.0.0-hpe-zertoreplication.zip and ZertoRunner.exe suggests the possible leak of compiled software packages and deployment files. If verified by HP, this could be a major security incident.

The following image combines two screenshots shared by the hacker, providing detailed insights into Hewlett Packard Enterprise’s internal systems. The first screenshot shared by the hacker shows details of Hewlett Packard Enterprise’s internal SignonService web service. The image displays the service’s endpoint address, WSDL link, and implementation class, potentially exposing sensitive infrastructure information.

The second screenshot reveals sensitive configuration details from Hewlett Packard Enterprise’s internal systems. The image exposes credentials for Salesforce and QIDs integrations, internal URLs for SAP S/4 HANA quoting services, and placeholder email addresses for error logging, potentially highlighting serious security vulnerabilities within HPE’s infrastructure.”

Credit: Hackread.com

****HPE and HP, What’s the Difference?****

While the names Hewlett-Packard Enterprise (HPE) and HP Inc. are often used interchangeably, they are two different companies with different focuses. In 2015, Hewlett-Packard **split** into two separate entities. HP Inc. continues to specialize in consumer products like laptops, desktops, and printers, while Hewlett-Packard Enterprise (HPE) focuses on providing enterprise-level IT solutions, including servers, storage, networking, and cloud computing.

Both companies are separate with independent ownership and management. The mention of this distinction is important, as the reported breach specifically targets HPE, not HP Inc.

****Right After the CICSO Incident****

Intel Broker is known for high-profile data breaches. In October 2024, the hacker announced **breaching Cisco** and stealing terabytes of data. Cisco later confirmed that the stolen data originated from a misconfigured, public-facing DevHub resource exposed without password protection, allowing hackers to download it.

In November 2024, the hackers claimed to have **breached Nokia** through a third-party contractor. The data was being sold for $20,000. The same hackers boasted about **breaching AMD** (Advanced Micro Devices, Inc.), and stealing employee and product information.

_This is a developing story. Hackread.com is closely monitoring the situation and will provide updates as new information becomes available. Stay tuned for further details._

1.  **Hacker Leak Over 10,000 DELL Employee Details**
2.  **Acer Data Breach: Hacker Sells 160GB of Stolen Data**
3.  **Dell Discloses Data Breach As Hacker Sells 49M User Data**
4.  **3 Billion National Public Data Records with SSNs Dumped Online**
5.  **Trello Data Breach: Hacker Dumps Personal Info of Millions of Users**
6.  **Hackers Steal Call and Text Records for “Nearly All” AT&T Customers  
    **

Hackers Claim Breach of Hewlett Packard Enterprise, Lists Data for Sale

TikTok is now unavailable in the United States—and getting around the ban isn’t as simple as using a VPN. Here’s what you need to know.

After an opaque and uncertain saga, TikTok went dark on millions of phones across the United States on Saturday evening around 10:30 pm EST. Google Play and Apple’s App Store both pulled the app late Saturday as well. If it was already installed prior to Saturday evening, the app is still there on your phone, but launching it only reveals a pop-up warning about the ban. As the deadline loomed, TikTok users had been bracing for the change and flooding other platforms, including the Chinese social app Xiaohongshu or “RedNote.” But if you’re not quite ready to give up the latest skin-care hacks, budgeting tips, and pet tortoise influencers, there are some options for circumventing the ban and continuing to use the platform.

“Sorry, TikTok isn’t available right now,” the app alert reads. “A law banning TikTok has been enacted in the U.S. Unfortunately, that means you can’t use TikTok for now. We are fortunate that President Trump has indicated that he will work with us on a solution to reinstate TikTok once he takes office. Please stay tuned!” Other ByteDance-owned apps, including CapCut and Lemon8, also disappeared from US app stores.

Such a ban has never existed in the US before, so the technical methods being employed to implement it are still evolving, and circumvention techniques may need to change as well. The law driving the situation, the Protecting Americans From Foreign Adversary Controlled Applications Act (PAFACA), doesn’t make it illegal to have TikTok on your phone. And, notably, it also doesn’t say that TikTok itself has to stop the app from working in the US.

Nonetheless, the company said in the days before the law took effect that it planned to make the app inaccessible to US users—a level of cooperation and accommodation that the outgoing Biden White House called a “stunt” on Saturday afternoon. Even if TikTok itself had obligations under the law, the Biden White House had signaled that it did not plan to enforce the ban before Trump took office on Monday.

Rather than putting the pressure on TikTok, PAFACA requires app stores and cloud hosting services to stop doing anything to “distribute, maintain or update” TikTok. That puts the pressure on Apple and Google to stop new users from downloading TikTok, as well as infrastructure providers like Oracle to keep new content or software updates from reaching the app’s users. Over time, TikTok would likely degrade and become unusable.

Officials in India banned TikTok in 2020, and the company also proactively blacked out the app in that case. When Indian users who already had the app installed tried to launch it, a pop-up appeared telling them that they couldn’t access the service.

Devashish Gosain, a network analysis researcher and assistant professor at the Indian Institute of Technology Bombay, says that in India, TikTok users must remove their Indian SIM card from their phone or use an international SIM card and then run a VPN in order to load content in the app.

“Even VPNs do not lead to circumvention” in India, Gosain told WIRED.

In the early hours of the US ban, it was unclear exactly how feasible it would be to get around the restrictions for US accounts. It seemed that TikTok had taken a more extreme approach, turning any US builds of the app dark—blacking out versions of the TikTok app software that had been made to be downloaded and used by US users. It also seemed that US-linked accounts were being blocked regardless of IP address or SIM country information.

Running a VPN alone was certainly not enough to circumvent the ban and get back on TikTok. But seemingly using a non-US TikTok account after removing a SIM (or on a device without a US SIM card/US phone number) worked when combined with a VPN. Similarly, using a VPN with a desktop browser or the Tor Browser was enough to get a non-US TikTok account to load in the US early on Sunday morning, though TikTok’s desktop version has always been much more limited than its mobile app.

“TikTok inspects the source IP of the network packets—if the source IP belongs to India, it drops the packets,” Gosain explains, of the restrictions in India. “Also, the TikTok app fetches the country information embedded in the SIM card, and if the country code is ‘IN,’ it filters the network connection. When we remove the SIM card, the TikTok app fails to identify Indian users from the SIM card, and when we use VPNs, the IP address changes, and it no longer belongs to the Indian IP range. Thus, TikTok again fails to identify that the user is accessing from India. This is how we bypass the filtering.”

Virtual private networks, or VPNs, work by passing your internet traffic through servers that are physically maintained in locations around the world, so you can select an IP address that is tied to a different location than where you physically are. For example, American TikTok users can use VPNs to make it look like they are accessing the internet from outside the US. VPNs also stop your internet service provider (ISPs) from seeing your browsing data, adding an extra potential layer of privacy. When you’re using a VPN, your ISP will simply see connections to the VPN instead of having access to the detailed list of all the websites you’re visiting.

As a result of these capabilities, VPNs are frequently used in attempts to get around digital geolocation restrictions, like those on Netflix or other streaming platforms. They’re also an important, and familiar, tool for circumventing internet censorship programs for people living under authoritarian regimes like those in Russia, China, and Iran.

Using a VPN comes with caveats, though. Some commercial VPNs log people’s browsing history, which essentially just shifts data collection from ISPs to VPN makers. This means that the data isn’t more protected, and that law enforcement could request it from a VPN provider in the same way that they make requests to ISPs. As a result, picking a free VPN is generally not a good idea—with some even selling access to your home internet connections. But some VPNs publish no-logging policies and offer third-party audits and other transparency features in an attempt to show their compliance.

For now, it seems that TikTok’s efforts to block US users are extremely draconian, and even a non-US SIM card or no SIM card plus a VPN may not be a workable path to getting back on the app with a US TikTok account. But the restrictions may only be temporary anyway. In practice, there seems to be little appetite for a permanent ban in the US. And, in spite of originating the idea, President Trump has said in recent days that he doesn’t want the app to be banned.

“My decision on TikTok will be made in the not too distant future, but I must have time to review the situation,” Trump said in a Truth Social post on Friday. “Stay tuned!”

How to Get Around the US TikTok Ban

A cybercriminal campaign linked to Russia is deploying QR codes to access the WhatsApp accounts of high-profile targets like journalists, members...

A cybercriminal campaign linked to Russia is deploying QR codes to access the WhatsApp accounts of high-profile targets like journalists, members of think tanks, and employees of non-governmental organizations (NGOs), according to new details revealed by Microsoft.

The group, which Microsoft tracks by the name “Star Blizzard,” is also referred to as Coldriver by other researchers. Last year, the group created impersonation accounts where members posed as experts in a field that their targets might be interested in—or that was somehow affiliated with the target. Once a relationship had been established, the target would receive a phishing link or a document that contained a phishing link.

But over time, that tactic became widely known, and part of the cybercriminals’ infrastructure was taken down. Now, it seems the group has changed tactics and is sending QR codes instead of malicious links to the targets that they have established an initial relationship with.

These QR codes do not take the target to a malicious website, nor will they join them to the promised WhatsApp group on “the latest non-governmental initiatives aimed at supporting Ukraine NGOs,” as is claimed in one of the cybercriminal lures.

In reality, the link in the QR code is intentionally broken. The idea is that the target will respond with a remark about the broken link. When that happens the cybercriminals send out a shortened URL to a website that displays another QR code.

_Screenshot courtesy of Microsoft_

> “I apologize for the inconvenience with the QR code. Kindly try this alternative link: US-Ukraine NGOs Group  
> It should work without any issues.

By scanning this QR code and following the instructions on the website they confirm the addition of an extra device to the WhatsApp account of the target. With that access the group can read the messages in their WhatsApp account and use existing browser plugins, particularly those designed for exporting WhatsApp messages from an account accessed via WhatsApp Web.

**How to stay safe**

These spear phishing campaigns are highly targeted and you’ll probably never see an invite to this group. But cybercriminals tend to copy ideas that work, so you may see them in another form.

There are a few simple rules that will help you avoid this kind of phishing.

*   Always hover over links before clicking them.
*   When you find a shortened URL, think about the possible reason for shortening. Was there a real need to do this or is it just meant to hide the destination?
*   When still in doubt, unshorten the URL.
*   When following instructions on a website, scrutinize whether the prompts on your device actually match the expected ones. WhatsApp will double-check whether you want to add a device to the account.
*   Double-check whether the sender is who they claim to be through another method of contact.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#sap