TeleMessage suspends service following reported hack
Hackers stole records from deportation airline GlobalX Air, Man who allegedly helped launder $190m in stolen crypto was busted in Israel, Hegseth used Signal in at least 12 chats, SK Telecom task force discovered 8 new malware strains, easyjson open source code might be a natsec risk, much more


Encrypted messaging app TeleMessage, the Israel-founded app that acts as a modified version of Signal, which Donald Trump’s then-national security advisor Mike Waltz used during a Cabinet meeting last week, has temporarily suspended service after it was reportedly hacked.
Although the hacker claims not to have obtained the messages of Waltz or the people he spoke to, the breach raises questions about whether the app, which lets clients archive messages for compliance purposes and which top government officials appear to be using, is secure.
“TeleMessage is investigating a potential security incident,” a spokesperson for Smarsh, which runs the app, said. “Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation.”
“Out of an abundance of caution, all TeleMessage services have been temporarily suspended,” the spokesperson said. “All other Smarsh products and services remain fully operational.”
404 Media reported that the hacker stole data, including the contents of messages sent using TeleMessage’s versions of Signal, WhatsApp, Telegram, and WeChat. (Kevin Breuninger / CNBC)
Related: Reuters, NBC News, Ars Technica, Wired, HackRead, The Guardian, Axios, Bloomberg, The Verge, Rolling Stone, Portland Business Journal, r/news, r/technology, r/politics, Engadget, TechCrunch, Bleeping Computer, Data Breach Today, Tasnim News, The420
Hackers targeted GlobalX Air, one of the main airlines the Trump administration is using as part of its deportation efforts, stealing what they say are flight records and passenger manifests of all of its flights, including those for deportation.
The data could provide granular insight into who exactly has been deported on GlobalX flights, when, and to where, with GlobalX being the charter company that facilitated the deportation of hundreds of Venezuelans to El Salvador.
“Anonymous has decided to enforce the Judge's order since you and your sycophant staff ignore lawful orders that go against your fascist plans,” a defacement message posted to GlobalX’s website reads. Anonymous, well-known for using the Guy Fawkes mask, is an umbrella under which some hackers operate when performing what they see as hacktivism.
The hacker says the data includes flight records and passenger lists.
404 Media cross-checked known information about ICE deportation flights that come from official and confirmable sources with information on the flight manifests and flight details obtained by the hacker. Information about Kilmar Abrego Garcia’s flight is in the hacked data. (Joseph Cox and Jason Koebler / 404 Media)
Related: The New Arab, TechCrunch, Interesting Engineering, Cybernews, Aviation Source News, Irish Star, TechNadu

Alexander Gurevich, a dual Russian-Israeli citizen from Bat Yam, was arrested at Ben-Gurion Airport in Israel for his alleged involvement in computer crimes, laundering millions of dollars, and transferring stolen property in connection with a $190 million 2022 cryptocurrency hack of crypto bridge protocol Nomad that nearly caused the collapse of a California-based blockchain company.
Gurevich was arrested after he allegedly tried to flee to Russia using a passport with a new last name.
According to a US extradition request, Gurevich demanded a $500,000 reward after stealing digital tokens from a crypto wallet.
Israel’s State Attorney’s Office International Department submitted a petition to the Jerusalem District Court seeking to declare Gurevich extraditable to the US. (Yoav Etiel / Jerusalem Press)
Related: Cryptoslate, The Defiant, DL News, Decrypt, Coincentral, crypto.news
The Star Fraud hacking group, better known as Scattered Spider, a collective of largely young men and teenagers that once shut down half the Las Vegas Strip, has seemingly returned with a vengeance, causing massive turmoil at UK retailers.
UK retailers Harrods, Marks & Spencer, and Co-op have all reported cyber intrusions in the past two weeks. Scattered Spider hasn’t been publicly named as the culprit of the hacks, but according to people familiar with the investigation, it is suspected in at least some of them.
The National Cyber Security Centre, part of the UK's intelligence agency, said it was working with affected retailers and issued new guidance on how companies can protect themselves from attacks. The NCSC said it was trying to understand “if these attacks are linked, if this is a concerted campaign by a single actor or whether there is no link between them at all.” (Robert McMillan / Wall Street Journal)
Related: The Week, The Independent, BBC News, Daily Mail, Marsh
Sources say Defense Secretary Pete Hegseth used Signal more extensively for official Pentagon business than previously disclosed, engaging in at least a dozen separate chats.
In one case, the sources said he told aides on the encrypted app to inform foreign governments about an unfolding military operation. Two sources said he also used the nongovernmental message service to discuss media appearances, foreign travel, his schedule, and other unclassified but sensitive information.
The former Fox News host set up many of the chats himself, sending texts from an unsecured line in his Pentagon office and his personal phone.
Some of Hegseth’s messages were posted by his military aide, Marine Col. Ricky Buria, who was given access to the secretary’s personal phone. (Alexander Ward and Nancy A. Youssef / Wall Street Journal)
Related: Newsweek, r/military, r/USMC
A government-industry task force investigating the recent cyberattack on SK Telecom is examining the timing and origin of eight newly identified malware strains connected to the incident.
The team is working to determine whether the newly disclosed malware variants were planted in the same home subscriber server (HSS) where four other strains were initially found or if they were planted on separate server equipment. The HSS system handles device authentication for 4G and 5G voice subscribers.
SK Telecom detected abnormal data traffic on March 18 at its security monitoring center. Subsequent investigation revealed malware embedded in its billing analysis systems and signs that files had been deleted.
The next day, the company confirmed that data had also been leaked from its HSS, deepening concerns about the scope of the breach.
The Korea Internet & Security Agency, part of the ongoing investigation, said in an advisory that “attackers had targeted Linux systems,” and disclosed eight new malware samples.
The joint task force is conducting forensic analysis to track the malicious code's location, entry point, and creation time. (KoreaJoongAng Daily)
Related: ChosunBiz
Researchers at Hunted Labs are warning that a widely used piece of open source code, easyjson, linked to a company owned by Vladimir Kiriyenko, the son of one of Vladimir Putin’s top aides and the CEO of VK Group, may pose a “persistent” national security risk to the United States.
The open source software (OSS) easyjson has been widely used by the US Department of Defense and “extensively” across software used in the finance, technology, and healthcare sectors.
Easyjson is a code serialization tool for the Go programming language. It is often used across the wider cloud ecosystem and is present in other open-source software.
The package is hosted on GitHub by a MailRu account, which VK owns after the mail company rebranded itself in 2021. The VK Group itself is not sanctioned. Easyjson has been available on GitHub since 2016, with most of its updates coming before 2020. Kiriyenko became the CEO of VK Group in December 2021 and was sanctioned in February 2022.
Hunted Labs discovered that the most active developers on the project in recent years have listed themselves as being based in Moscow. Hunted Labs has not identified vulnerabilities in the easyjson code.
However, the link to the sanctioned CEO’s company, plus Russia’s aggressive state-backed cyberattacks, may increase potential risks. (Matt Burgess / Wired)
Related: Hunted Labs

The Solana Foundation disclosed that validators quietly patched a major bug that could have allowed exploiters to mint certain tokens in unlimited quantities or withdraw them from any account.
The vulnerability, which would have only affected Token-22 confidential tokens, was found in the ZK ElGamal Proof program, which certifies encrypted balances and verifies the accuracy of zero-knowledge proofs.
“In the on-chain ZK ElGamal Proof program, some algebraic components were not included in a hash used to generate a transcript for the Fiat-Shamir Transformation,” Solana said in a post-mortem. “A sophisticated attacker could use these unhashed components to develop a forged proof of an unauthorized action that passes verification.”
The potential vulnerability was first reported to Anza Github Security Advisory on April 16, with a patch rolled out to validators directly the following day after evaluation and confirmation of the vulnerability from engineers at Anza, Firedancer, and Jito. (Logan Hitchcock / Decrypt)
Related: Solana, Blockworks, The Crypto Times, CoinGape, Coinspeaker, CryptoSlate, Cointelegraph, The Block
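The Fiat-Shamir point in the post-mortem, as an added toy illustration that is not Anza's or Solana's code and not the ZK ElGamal Proof program: a Schnorr-style proof over a constructed 61-bit group, with one verifier that leaves the commitment out of the transcript hash and one that binds every component. The group parameters, the demo secret and all function names are assumptions for the example.

```python
import hashlib
import secrets

# Constructed toy group for illustration only (not Solana's curve or the
# ZK ElGamal Proof program): the multiplicative group mod a Mersenne prime.
P = 2**61 - 1
G = 3
ORDER = P - 1


def challenge(*components: int) -> int:
    """Fiat-Shamir challenge: hash exactly the components the caller passes in."""
    h = hashlib.sha256()
    for value in components:
        h.update(value.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % ORDER


def prove(secret: int, y: int, bind_commitment: bool = True):
    """Schnorr-style proof of knowledge of `secret`, where y = G^secret mod P.

    bind_commitment=False models the bug class in the post-mortem: the
    commitment A is left out of the transcript that derives the challenge.
    """
    r = secrets.randbelow(ORDER - 1) + 1
    a = pow(G, r, P)
    c = challenge(G, y, a) if bind_commitment else challenge(G, y)
    s = (r + c * secret) % ORDER
    return a, s


def verify(y: int, a: int, s: int, bind_commitment: bool = True) -> bool:
    """Recompute the challenge from the transcript and check G^s == A * y^c."""
    c = challenge(G, y, a) if bind_commitment else challenge(G, y)
    return pow(G, s, P) == (a * pow(y, c, P)) % P


def proof_without_secret(y: int):
    """What an unbound transcript fails to catch: once the challenge no longer
    depends on A, a response s can be fixed first and an A solved for that
    satisfies the verification equation without any knowledge of the secret."""
    c = challenge(G, y)
    s = secrets.randbelow(ORDER)
    a = (pow(G, s, P) * pow(pow(y, c, P), -1, P)) % P  # A = G^s * y^-c
    return a, s


def demo(secret: int) -> dict:
    """Report which (proof, verifier) combinations are accepted."""
    y = pow(G, secret, P)
    honest = prove(secret, y)
    forged = proof_without_secret(y)
    return {
        "honest_accepted_by_strict": verify(y, *honest),
        "forged_accepted_by_weak": verify(y, *forged, bind_commitment=False),
        "forged_accepted_by_strict": verify(y, *forged),
    }


if __name__ == "__main__":
    print(demo(1234567))  # constructed demo secret
```

The strict verifier rejects the forged proof because its challenge depends on A, so the equation can no longer be solved backwards; that binding of every public component is what the patch restored.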
The US Treasury Department designated Huione Group, a Cambodian financial conglomerate, as a money-laundering operation, taking the first step in severing its access to the American financial system.
Treasury said that since August 2021, Huione Group and its affiliates had laundered $4 billion for criminals, including hackers in North Korea and scammers in Southeast Asia.
Online scammers, who defraud victims with bogus investments or other schemes, rely on Huione and its affiliates to move money overseas while evading law enforcement authorities and banks’ anti-laundering departments.
If Treasury’s proposed rules come into force, they will stop US banks from opening or maintaining accounts for Huione’s group of companies. The rules will also require financial institutions to scrutinize transactions that may be linked to the Cambodian firm. (Selam Gebrekidan / New York Times)
Related: FinCEN, PaymentSecurity.io, FinanceFeeds, CoinDesk, Cointelegraph, Decrypt, Reuters, Elliptic, CoinDesk, SC Media, The Block
Multiple school districts and a university in New Mexico are currently experiencing cyberattacks, which are causing operational issues for thousands of students.
Georgia’s Coweta County School System said it experienced a cyberattack on Friday evening that will impact its 23,000 students across 29 K-12 schools.
“Some school system network processes will be hampered in the coming days, and school system employees have been advised not to access desktop devices, while the matter is being investigated,” the school district said.
School system official Dean Jackson called the attack “serious” and said it has been reported to the Georgia Emergency Management Authority and Homeland Security. The district’s IT system was alerted to unusual activity on Friday and took systems offline.
Western New Mexico University has struggled for weeks with a cyberattack that took down its website and forced officials to provide alternative services to students and administrators.
The school, serving more than 3,000 students in Silver City, said the attack began on April 13 and disrupted the university’s website and other systems and services.
Officials have continued to provide updates on the school's Facebook page, but are still using a temporary website. There is no estimated date for when the official site will be back up and running.
The temporary website warns students not to use campus desktops until a member of the IT department has verified that they are safe. Campus WiFi is still down. (Jonathan Greig / The Record)
Related: 11Alive, The Newnan Times-Herald, WSB, Atlanta News First, Searchlight New Mexico, Hoodline
Researchers at Arctic Wolf report that a threat actor tracked as "Venom Spider" is targeting HR staff like recruiters with a complex phishing scheme that capitalizes on the need for such staff to open email attachments.
The campaign targets hiring managers and recruiters with specialized spear-phishing emails. Employees responsible for hiring can be some of the most vulnerable in these kinds of cyberattacks.
Their research details Venom Spider, a financially motivated threat actor that applies for real jobs using fake résumés. The emails it sends contain files that, when downloaded, drop a multipurpose backdoor named "More_eggs."
"The More_eggs_Dropper executable library is complex, utilizing obfuscated code that generates JavaScript code polymorphically. Execution of the library is time-delayed to evade sandboxing and analysis by researchers," Arctic Wolf said. "More_eggs_Dropper creates a legitimate Windows msxsl.exe executable to run XML files that may also contain JavaScript code. This technique is known to have been used by Venom Spider in previous campaigns."
Arctic Wolf said Venom Spider has been conducting these attacks since at least October 2023. (Alexander Culafi / Dark Reading)
Related: SC Media, Arctic Wolf

Researchers at EclecticIQ report that the data-theft extortion group known as Luna Moth, aka Silent Ransom Group, has ramped up callback phishing campaigns in attacks on legal and financial institutions in the United States.
Luna Moth, known internally as Silent Ransom Group, is a threat actor who previously conducted BazarCall campaigns to gain initial access to corporate networks for Ryuk and, later, Conti ransomware attacks.
Luna Moth's latest attacks involve impersonating IT support through email, fake sites, and phone calls. They rely solely on social engineering and deception, with no ransomware deployment in any of the cases.
"As of March 2025, EclecticIQ assesses with high confidence that Luna Moth has likely registered at least 37 domains through GoDaddy to support its callback-phishing campaigns," the researchers said. "Most of these domains impersonate IT helpdesks or support portals for major U.S. law firms and financial services firms, using typosquatted patterns." (Bill Toulas / Bleeping Computer)
Related: EclecticIQ, GBHackers
Microsoft is warning about the security risks posed by default configurations in Kubernetes deployments, particularly those using out-of-the-box Helm charts, which could publicly expose sensitive data.
In many cases, those Helm charts required no authentication, left exploitable ports open, and used weak or hardcoded passwords that were trivial to break.
Helm is a package manager for Kubernetes, and charts are templates/blueprints for deploying apps on the platform. They provide YAML files that define key resources needed to run an app.
Helm charts are popular because they simplify and speed up complex deployments. However, as highlighted in Microsoft's report, the default settings in those charts often lack proper security measures.
Users inexperienced with cloud security often deploy those Helm charts as they are, unintentionally exposing services to the internet and allowing attackers to scan and exploit misconfigured applications. (Bill Toulas / Bleeping Computer)
Related: Microsoft, TechMonitor
Peru’s government denies claims that its federal digital platform was taken over by the Rhysida ransomware gang, which has previously attacked governments worldwide.
The Ministry of Government and Digital Transformation published a statement addressing a posting on the Rhysida ransomware gang’s leak site about a government domain takeover.
The group demanded a 5 bitcoin ransom — worth about $472,000 — and shared documents allegedly stolen from Peru’s government portal gob.pe.
The Presidency of the Council of Ministers said the website was not compromised and its services continued operating throughout the week, but admitted the hackers gained access to the tax administration website of regional capital Piura.
“As soon as we learned about the possible security event, the National Digital Security Department (CNSD) immediately activated preventive alerts in order to mitigate any potential risks,” they wrote.
Federal authorities said they are investigating the incident and working with officials in Piura on the issue.
On Friday, the Tax Administration Service in Piura released its own statement confirming that it dealt with a cyberattack early on March 29. According to Piura officials, the incident impacted the organization’s operations, but service was restored in 48 hours. (Jonathan Greig / The Record)
Related: Secretariat of Government and Digital Transformation, Security Affairs
Researchers on Aon's Stroz Friedberg Incident Response team report that a new "Bring Your Own Installer" EDR bypass technique is being exploited in attacks to bypass SentinelOne's tamper protection feature, allowing threat actors to disable endpoint detection and response (EDR) agents to install the Babuk ransomware.
This technique exploits a gap in the agent upgrade process, allowing threat actors to terminate running EDR agents, leaving devices unprotected.
The technique does not rely on third-party tools or drivers, as normally seen with EDR bypasses, but instead abuses the SentinelOne installer itself.
SentinelOne recommends customers enable the "Online Authorization" setting, which is turned off by default, to mitigate this attack. (Lawrence Abrams / Bleeping Computer)
Related: AON, GBHackers, The420, Security Affairs

Researchers at Sansec report that a supply chain attack involving 21 backdoored Magento extensions has compromised between 500 and 1,000 e-commerce stores, including one belonging to a $40 billion multinational.
Some extensions were backdoored as far back as 2019, but the malicious code was only activated in April 2025.
Given the ability to upload and run any PHP code, the potential repercussions of the attack include data theft, skimmer injection, arbitrary admin account creation, and more.
Sansec says the compromised extensions are from vendors Tigren, Meetanshi, and MGS.
Sansec warned the three vendors of the discovered backdoor, but MGS didn't respond. Tigren denied a breach and continues to distribute backdoored extensions, and Meetanshi admitted to a server breach but not an extension compromise. (Bill Toulas / Bleeping Computer)
Related: Sansec, NDTV, TechRadar, Ars Technica, inkl
Researchers at Socket discovered a supply-chain attack that targets Linux servers with disk-wiping malware hidden in Golang modules published on GitHub.
The campaign relied on three malicious Go modules, including “highly obfuscated code,” to retrieve and execute remote payloads.
The attack appears designed specifically for Linux-based servers and developer environments. The destructive payload—a Bash script named done.sh—runs a ‘dd’ command for the file-wiping activity.
Furthermore, before trying to execute, the payload verifies that it runs in a Linux environment (runtime.GOOS == "linux").
An analysis from supply-chain security company Socket shows that the command overwrites every byte of data with zeroes, leading to irreversible data loss and system failure. The target is the primary storage volume, /dev/sda, which holds critical system data, user files, databases, and configurations.
Socket researchers warn that even minimal exposure to the analyzed destructive modules can have a significant impact, such as complete data loss. (Ionut Ilascu / Bleeping Computer)
Google addressed 47 vulnerabilities affecting Android devices in its May security update, including an actively exploited software defect first disclosed in March.
Google said the high-severity vulnerability, CVE-2025-27363, “may be under limited, targeted exploitation.”
Facebook disclosed the vulnerability in a security advisory in March. The out-of-bounds write defect in FreeType versions 2.13.0 and below may result in arbitrary code execution.
The vulnerability has a base score of 8.1 on the CVSS scale and is still awaiting further assessment by the National Institute of Standards and Technology’s National Vulnerability Database program. (Matt Kapko / Cyberscoop)
Related: Android, Security Week, Forbes, Express, Business Today
Best Thing of the Day: Even If You Pay the Ransom, You're Going to Be a Mess
Security researcher Kevin Beaumont dispels the common myth that if a ransomware attack is causing ongoing disruption, it means that the ransom hasn't been paid.
Worst Thing of the Day: The Stronger the Drug, the Crazier the Trip
As so-called reasoning systems from companies like OpenAI, Google, and the Chinese start-up DeepSeek become more powerful, they also hallucinate more.
Bonus Worst Thing of the Day: How About Capturing Nobody in a Vehicle?
The US Customs and Border Protection is urging tech companies to produce real-time face recognition technology that can capture everyone in a vehicle, not just those in the front seats.
Closing Thought
