TRENDING TOPICS MAR 20, 2025

HellCat Hackers Exploit Jira Servers in Cyberattack on Ascom 

Swiss telecommunications company Ascom has confirmed a cyberattack on its IT infrastructure, with the HellCat hacking group claiming responsibility. The attackers breached Ascom's Jira-based technical ticketing system and claim to have stolen 44GB of data, including source code, invoices, confidential documents, and internal project details. Ascom says its business operations are unaffected and that customers and partners need take no preventive action, but it has launched an internal investigation and is working with authorities to establish the full scope of the breach. The attack follows HellCat's established pattern of logging in with stolen Jira credentials, a tactic previously used against Schneider Electric, Telefónica, Orange Group, and Jaguar Land Rover (JLR). HellCat has escalated this Jira campaign against enterprises that rely on the platform for project management, software development, and IT tracking; Jira instances hold source code, authentication keys, and internal discussions, which makes them a prime target for credential-based access. Researchers attribute HellCat's success to credentials harvested by infostealer malware, many of which remain valid for years because passwords are never rotated. As Jira's role in enterprise workflows grows, these attacks are likely to become more frequent, underscoring the need for stronger authentication (multi-factor authentication enforced on every Jira login), routine credential rotation, tighter access controls, and monitoring for an organisation's accounts surfacing in infostealer logs. 
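The two signals the item describes, a credential that has not been rotated in years and a login from somewhere the account has never been seen before, can be combined into a simple triage rule over the Jira audit log. The script below is an added example, not code from Ascom, Atlassian, or any HellCat write-up; the login history, password-change dates and trusted network ranges are all constructed inline and would normally come from the Jira audit log and the identity provider. It generalises slightly beyond the text by scoring each new-source login on both conditions rather than one.

```python
"""Flag Jira logins that look like reuse of stolen, long-unrotated credentials.

Added example, not code from Ascom, Atlassian or any HellCat write-up.
Assumptions: a login history as (user, ISO timestamp, source IP) rows, a table of
when each account's password was last changed, and a list of trusted internal
networks; all three are constructed here.
"""
from datetime import datetime, timedelta
import ipaddress

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]          # constructed

# Constructed login history; the last "alice" login is the interesting one.
LOGINS = [
    ("alice", "2025-01-10T08:02:00", "10.20.30.40"),
    ("alice", "2025-02-14T09:15:00", "10.20.30.41"),
    ("bob",   "2025-02-20T10:00:00", "10.20.30.42"),
    ("alice", "2025-03-18T03:21:00", "203.0.113.77"),
    ("bob",   "2025-03-19T11:05:00", "10.20.30.42"),
]

# Constructed: when each account's password was last changed.
PASSWORD_LAST_SET = {
    "alice": "2022-06-01T00:00:00",
    "bob":   "2025-01-05T00:00:00",
}


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious_logins(logins, password_last_set, max_age_days=365, now=None):
    """Return [(user, timestamp, ip, reasons)] for logins worth triage.

    The first login recorded for an account is taken as its baseline. Later
    logins from a source IP never seen for that account are flagged when the
    account's password is older than max_age_days or the source lies outside
    TRUSTED_NETS; both conditions together are the infostealer-credential shape.
    """
    now = datetime.fromisoformat(now) if now else datetime.now()
    seen = {}
    findings = []
    for user, ts, ip in sorted(logins, key=lambda r: r[1]):
        known = seen.setdefault(user, set())
        if not known:                      # baseline: first login ever recorded
            known.add(ip)
            continue
        if ip in known:
            continue
        known.add(ip)
        reasons = []
        age = now - datetime.fromisoformat(password_last_set[user])
        if age > timedelta(days=max_age_days):
            reasons.append(f"password unchanged for {age.days} days")
        if not is_trusted(ip):
            reasons.append("source outside trusted networks")
        if reasons:
            findings.append((user, ts, ip, ["first login from " + ip] + reasons))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins(LOGINS, PASSWORD_LAST_SET,
                                          now="2025-03-20T00:00:00"):
        print(*finding)
```

In real use the baseline should be built from a longer history than the few rows here, otherwise every account's second login becomes a finding; the rule is deliberately noisy on stale passwords because that is the condition the campaign exploits.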

Microsoft Investigates Widespread Outlook on the Web Outage 

Microsoft is investigating an ongoing outage that prevents Outlook on the web users from reaching their Exchange Online mailboxes, affecting sign-in, page loads, and server connections. The issue, tracked as EX1036356, has caused widespread disruption, with users seeing "Something went wrong" errors when opening their accounts. Microsoft has identified a faulty code change as the root cause and is reverting it while analysing telemetry to guide further remediation. A separate but related issue, EX1035922, is also under investigation: it stops some users from searching successfully in Outlook on the web or the new Outlook client. As a temporary workaround, users can narrow their searches with filters while Microsoft works on a permanent fix. On top of these, Microsoft is also handling a week-long Exchange Online incident, first tracked as EX1027675 and since reclassified as EX1030895, that delays or fails email delivery. Although this reportedly affects only a small subset of messages, impacted users may receive non-delivery reports (NDRs) and plain-text calendar invites carrying winmail.dat attachments. Microsoft has acknowledged several service disruptions recently, including Teams call failures, Exchange Online authentication problems, and broader Microsoft 365 outages attributed to faulty code updates. As of March 19, Microsoft has begun rolling back the problematic update, service telemetry shows signs of improvement, and the company continues to monitor recovery until services are fully restored.   

  

Hackers Exploiting Cisco Smart Licensing Utility Vulnerabilities 

Security researchers at SANS have identified active exploitation attempts against two critical vulnerabilities in Cisco's Smart Licensing Utility (CSLU), tracked as CVE-2024-20439 and CVE-2024-20440. The flaws, disclosed by Cisco in September 2024, are a static credential vulnerability (an undocumented administrative account with a hardcoded password) that grants unauthenticated access to the utility's API, and an information disclosure issue that exposes sensitive data through a log file. Attackers are targeting specific API endpoints, such as "/cslu/v1/scheduler/jobs", with the hardcoded credential embedded in the software to bypass authentication and manipulate the utility. Once in, they can retrieve log files containing sensitive configuration details, including credentials that enable follow-up attacks on connected systems. Researchers have also observed the same sources scanning for configuration files and other vulnerabilities, including a DVR-related flaw, possibly CVE-2024-0305, indicating that the actors are broadening their attack surface rather than focusing on CSLU alone. Further investigation revealed unauthorised API requests and repeated credential-based attempts in which attackers try stolen or publicly known credentials to gain persistent access. These incidents illustrate a wider problem: IoT devices and enterprise tooling alike ship with embedded credentials and log sensitive material, creating ready-made backdoors. The attackers also route activity through Traffic Direction Systems (TDS) to profile traffic and evade detection, a technique common in large-scale cybercrime operations. Some attempts involved modifying system configuration and extracting security-sensitive files, which could compromise the licensing utility and the wider enterprise environment. 
Given the active exploitation, organisations should apply Cisco's fixed CSLU release immediately, review web and proxy logs for requests to the CSLU API from unexpected sources, enforce strong authentication, and keep the utility off the public internet. One practical caveat: CSLU only listens while a user has started it, so an instance left running unattended on an internet-reachable host is the exposure to look for.   
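The log review suggested above can be scripted against ordinary combined-format access logs from a reverse proxy or web server in front of the host. The following is an added example, not Cisco or SANS tooling: the endpoint path /cslu/v1/scheduler/jobs is the one named in the report, while the trusted network ranges, the sample log lines, the user-agent strings and the severity scheme are constructed for the example. It does not embed the hardcoded credential; the point is that any external request to the CSLU API is anomalous, and a 2xx response to one means the static credential (or no credential at all) was accepted.

```python
"""Hunt access logs for requests to the Cisco Smart Licensing Utility REST API.

Added example, not Cisco or SANS tooling. Assumptions: logs are in combined
(Apache/nginx) access-log format; /cslu/v1/scheduler/jobs is the endpoint named
in the report; trusted networks, log lines, user agents and severities are
constructed.
"""
import ipaddress
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

CSLU_PREFIX = "/cslu/"
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]   # constructed

# Constructed sample log: one legitimate internal client, one external host
# probing then succeeding, and one external host that also scans for WordPress.
SAMPLE_LOG = """\
10.1.2.3 - - [18/Mar/2025:09:00:01 +0000] "GET /cslu/v1/scheduler/jobs HTTP/1.1" 200 512 "-" "cslu-client"
198.51.100.23 - - [18/Mar/2025:09:00:05 +0000] "GET /cslu/v1/scheduler/jobs HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.23 - - [18/Mar/2025:09:00:06 +0000] "GET /cslu/v1/scheduler/jobs HTTP/1.1" 200 1294 "-" "python-requests/2.31"
203.0.113.9 - - [18/Mar/2025:09:02:40 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Mar/2025:09:02:41 +0000] "POST /cslu/v1/scheduler/jobs HTTP/1.1" 201 88 "-" "curl/8.5"
"""


def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def hunt_cslu(log_text):
    """Return one finding per request under /cslu/, in log order.

    severity: "high"   untrusted source and a 2xx response (the static
                       credential worked, or the endpoint needed none)
              "medium" untrusted source, non-2xx response (probing)
              "low"    trusted source; confirm it is the real CSLU client
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(CSLU_PREFIX):
            continue
        status = int(m["status"])
        if is_trusted(m["ip"]):
            sev = "low"
        elif 200 <= status < 300:
            sev = "high"
        else:
            sev = "medium"
        findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": m["path"], "status": status, "ua": m["ua"],
                         "severity": sev})
    return findings


def sources_by_severity(findings, severity="high"):
    """Count source IPs at a given severity, for blocking or pivoting."""
    return Counter(f["ip"] for f in findings if f["severity"] == severity)


if __name__ == "__main__":
    results = hunt_cslu(SAMPLE_LOG)
    for r in results:
        print(r["severity"], r["ip"], r["method"], r["path"], r["status"])
    print("block candidates:", dict(sources_by_severity(results)))
```

Any "high" hit warrants treating the host as compromised, since the credential at issue is the same on every installation and the log-disclosure flaw means the follow-on data is already readable.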

  

DollyWay Malware Exploits WordPress Sites in Global Cybercrime Operation 

GoDaddy Security researchers have documented DollyWay, a long-running malware operation that has compromised more than 20,000 WordPress sites worldwide since 2016. The current version, DollyWay v3, turns infected sites into Traffic Direction System (TDS) nodes and command-and-control (C2) relays, letting the operators steer visitor traffic and monetise redirects. It targets site visitors by injecting scripts that inspect referrer data and funnel users to scam pages, including fake investment schemes, crypto fraud, and gambling sites. Initial access comes from known vulnerabilities in WordPress plugins and themes; the injected scripts are reloaded dynamically on every page view. DollyWay also removes competing malware, updates the WordPress installation, and hides inside already-active plugins, so that a partial cleanup with conventional scanners rarely removes it. Beyond redirection, it establishes deep control by creating hidden administrator accounts whose usernames are random 32-character hexadecimal strings; these do not appear in the WordPress admin panel but can be found by querying the wp_users table directly. It further injects obfuscated PHP across several plugins, including WPCode snippets, so that any plugin left untouched reinfects the rest. To keep control, DollyWay stores its configuration encrypted and refreshes its C2 node list daily, with updates cryptographically signed so that only the operators can modify them, allowing the operation to evolve over time. Researchers link the campaign to the VexTrio and LosPollos affiliate networks, which pay for high-value traffic delivered to fraudulent sites. 
Given its ability to evade detection, reinfect sites automatically, and manipulate web traffic, DollyWay remains a major threat to WordPress site owners, businesses, and the security teams defending them; cleanup has to cover every plugin, snippet store and user account at once, or the surviving component restores the rest. 
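Two of the persistence artefacts described above, the hex-named hidden administrator accounts and the obfuscated PHP spread across plugins and WPCode snippets, are straightforward to hunt for once you look outside the admin panel. The script below is an added example, not GoDaddy's tooling: it assumes user rows exported straight from the database (wp_users joined with the wp_capabilities meta) as CSV, plugin PHP on disk, and WPCode snippet bodies pulled from the snippet store; the obfuscation markers, the sample users and the sample plugin files are all constructed for the example.

```python
"""Hunt for DollyWay-style persistence on a WordPress install: hidden admin
accounts with 32-character hex usernames, and obfuscated PHP in plugin files
or WPCode snippets.

Added example, not GoDaddy tooling. Assumptions: user rows come from a direct
database export as CSV (ID,user_login,roles), plugin code lives under the
plugins directory, snippet bodies are passed in as (title, code) pairs; the
marker list and all sample data are constructed.
"""
import csv
import io
import os
import re
import tempfile

HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed: patterns typical of injected PHP loaders.
OBFUSCATION_MARKERS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"\bbase64_decode\s*\("),
    re.compile(r"\bgzinflate\s*\("),
    re.compile(r"\bstr_rot13\s*\("),
    re.compile(r"\\x[0-9a-fA-F]{2}(?:\\x[0-9a-fA-F]{2}){7,}"),   # hex-escaped strings
    re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),             # long base64 blobs
]


def find_hidden_admins(user_csv):
    """Return administrator logins that are bare 32-character hex strings."""
    hits = []
    for row in csv.DictReader(io.StringIO(user_csv)):
        if "administrator" in row["roles"] and HEX32.match(row["user_login"]):
            hits.append(row["user_login"])
    return hits


def obfuscation_markers(code):
    """Return the marker patterns that fire on a piece of PHP."""
    return [m.pattern for m in OBFUSCATION_MARKERS if m.search(code)]


def scan_plugins(plugins_dir, min_markers=2):
    """Walk plugins_dir and report PHP files hitting at least min_markers markers."""
    findings = {}
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = obfuscation_markers(fh.read())
            if len(hits) >= min_markers:
                findings[os.path.relpath(path, plugins_dir)] = hits
    return findings


def scan_snippets(snippets):
    """snippets: iterable of (title, code) from the WPCode snippet store."""
    findings = {}
    for title, code in snippets:
        hits = obfuscation_markers(code)
        if hits:
            findings[title] = hits
    return findings


# Constructed sample inputs.
SAMPLE_USERS = """ID,user_login,roles
1,admin,administrator
7,3f2c9a1d0b7e4c6a8d5f1e2b9c0a7d6e,administrator
8,editor1,editor
"""
CLEAN_PLUGIN = "<?php\n// ordinary plugin code\nadd_action('init', 'my_plugin_init');\n"
INJECTED_PLUGIN = (
    "<?php\n@ini_set('display_errors', 0);\n"
    "$k = base64_decode('" + "QUJD" * 40 + "');\n"
    "eval(gzinflate($k));\n"
)


def build_sample_plugins_dir():
    """Write one clean and one injected plugin into a temp dir; return its path."""
    d = tempfile.mkdtemp(prefix="wp-plugins-")
    os.makedirs(os.path.join(d, "my-plugin"))
    os.makedirs(os.path.join(d, "other-plugin"))
    with open(os.path.join(d, "my-plugin", "my-plugin.php"), "w") as fh:
        fh.write(CLEAN_PLUGIN)
    with open(os.path.join(d, "other-plugin", "other-plugin.php"), "w") as fh:
        fh.write(INJECTED_PLUGIN)
    return d


if __name__ == "__main__":
    print("hidden admins:", find_hidden_admins(SAMPLE_USERS))
    print("injected plugins:", scan_plugins(build_sample_plugins_dir()))
    print("snippets:", scan_snippets([("header", "echo 1;"), ("loader", INJECTED_PLUGIN)]))
```

Run all three checks together and remediate in one pass, since the text notes that a component left behind reinfects the others; the marker threshold for plugin files is set to two to avoid flagging legitimate plugins that happen to call base64_decode once.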

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.