Europol announced on Friday a major SIM farm bust in Latvia. Latvian police, in cooperation with Europol, Eurojust, Austria, Finland, and Estonia, dismantled an international network known as SIMCARTEL.
The group offered so-called "cybercrime-as-a-service", a model in which technically skilled criminals rent out their tooling to other criminal groups, who use it for scam types also familiar in the Czech Republic: scams on online marketplaces, investment fraud, WhatsApp scams in which the attacker poses as a daughter or son claiming to have a new phone number, and fake police officer scams.
Authorities blocked key infrastructure, including the seizure of more than 1,200 SIM boxes, 40,000 active SIM cards, and hundreds of thousands of other inactive SIMs. Additionally, five servers were confiscated, nearly half a million euros in bank accounts were frozen, and a significant amount of cryptocurrency was seized.
Investigators were able to attribute more than 1,700 individual cases of cyber fraud in Austria and 1,500 in Latvia to this criminal network, with total damages of several million euros.
State-Sponsored Hackers Gained Access to BIG-IP Source Code
F5, one of the key players in network security, announced that it became the target of an attack by state-sponsored hackers. They managed to penetrate to the heart of development — obtaining parts of the source code, accessing developer documentation, and some customer configuration files.
The key risk is that the BIG-IP product was compromised. This system is used by tens of thousands of companies worldwide, including critical infrastructure, banking, healthcare, and government. If attackers gained knowledge of unknown vulnerabilities, the likelihood of so-called "zero-day" attacks increases, making their detection significantly more difficult.
The investigation also reveals the sophisticated level of the attackers. They used several techniques, including account compromise, exploitation of weaknesses in the administrative interface, and long-term covert movement within the network.
So far, there is no evidence that the code of other F5 products has been directly compromised.
Zero Disco Campaign Targets Cisco
Attackers in the "Operation Zero Disco" campaign are exploiting an SNMP subsystem vulnerability (CVE-2025-20352) that allows remote code execution and rootkit installation.
The vulnerability lies in improper processing of SNMP requests, specifically in a stack overflow in the authentication logic of the SNMP daemon in Cisco IOS and IOS XE systems.
Attackers first gain access through the SNMP service, or combine the attack with modified exploit code for an older Telnet vulnerability (CVE-2017-3881). After a successful break-in, a rootkit is discreetly deployed to the device; it sets a universal password containing the string "disco" in memory and resets the authentication methods, giving the attackers complete control over the device.
The deployed rootkit allows attackers to persist even after changing access passwords, hides traces in system logs, and manipulates ACL configuration and EEM scripts. The rootkit persists only in memory; after device restart it disappears, which significantly complicates its detection.
Malicious VS Code Extensions Stole Code and Mined Cryptocurrency
In application development, we increasingly rely on extensions for the popular Visual Studio Code development environment. However, new research by Wiz came with an alarming finding — more than 100 extensions were vulnerable due to unintentional disclosure of sensitive access tokens, which allowed the distribution of malicious code directly to tens of thousands of users.
According to the analysis, more than 550 leaked secrets were found in the extensions, including keys to AI services, cloud platforms, and databases. An attacker with access to such a token could update extensions without the developer's knowledge, opening the door to malware, data loss, or source code theft.
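Leaked publishing tokens of the kind Wiz describes can be caught before an extension ever ships. The scanner below is an added example, not code from Wiz, Koi Security or any extension project: it walks an unpacked extension (a .vsix is a zip archive) and flags strings that look like credentials. It uses the well-known AWS access key ID prefix as one structured rule, plus a generic rule that is an assumption of this example: a variable or JSON key whose name suggests a credential, assigned a string of at least 16 token-like characters whose Shannon entropy exceeds a threshold. The sample files and all values in them are constructed and contain no real secrets.

```python
import math
import os
import re

# Structured rule: the AWS access key ID prefix is a well-known format.
PREFIX_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Generic rule (assumption of this example): a credential-named identifier or
# JSON key assigned a string of at least 16 token-like characters.
ASSIGNMENT_RULE = re.compile(
    r"""\b(\w*(?:token|secret|key|password)\w*)["']?\s*[:=]\s*["']?([A-Za-z0-9_\-./+=]{16,})["']?""",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 3.5  # bits per character; chosen for this example


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a short prefix so a report does not re-leak the secret it found."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(path: str, text: str) -> list:
    """Return findings as (path, line_number, rule, redacted_value) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Structured prefixes fire regardless of entropy (keys like the AWS
        # sample below are low-entropy but unmistakable).
        for rule, pattern in PREFIX_RULES.items():
            for m in pattern.finditer(line):
                findings.append((path, lineno, rule, redact(m.group(0))))
        # Generic rule: only flag credential-named assignments whose value is
        # high-entropy, so placeholders such as "xxxx..." are ignored.
        for m in ASSIGNMENT_RULE.finditer(line):
            name, value = m.group(1), m.group(2)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((path, lineno, f"high-entropy:{name}", redact(value)))
    return findings


def scan_directory(root: str) -> list:
    """Walk an unpacked extension (a .vsix is a zip archive) and scan each file as text."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(os.path.relpath(full, root), fh.read()))
            except OSError:
                continue
    return findings


# Constructed sample of an unpacked extension; none of these values are real credentials.
SAMPLE_EXTENSION = {
    "package.json": '{"name": "demo-ext", "publisher": "example", "version": "1.0.0"}',
    "config.json": '{"client_secret": "xxxxxxxxxxxxxxxxxxxxxxxx"}',
    "out/extension.js": (
        'const greeting = "Hello World from extension";\n'
        'const AWS_KEY = "AKIAEXAMPLE000000000";\n'
        'const API_TOKEN = "q8Zt3mKp1Lw9Xv5Rb2Ny7Hs4Jd6Fg0Ac";\n'
    ),
    ".env": "DB_PASSWORD=m4Xw9Qz2Lp7Rt5Yv8Kn1Bs6Hd3\n",
}


def scan_sample() -> list:
    """Scan the constructed sample in memory; expect three findings."""
    findings = []
    for path, text in SAMPLE_EXTENSION.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for finding in scan_sample():
        print(*finding)
```

Run `scan_directory` over an unpacked .vsix as a pre-publish or CI step. The two rule types complement each other: the constructed AWS key has low entropy and would slip past the generic rule, while the entropy rule catches credential formats the scanner has no prefix for. Tune the threshold and the name keywords to your own code base, and treat every hit as a token to rotate rather than merely delete, since an attacker who already holds it can keep publishing updates until it is revoked.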
The Koi Security team monitored the TigerJack group in 2025, which created at least 11 malicious extensions with a legitimate appearance. These extensions not only fulfilled their stated purpose but also stole code, mined cryptocurrency, and opened backdoors into the developer's system.