Lizzie Clark

October 29th – This Week’s Top Cybersecurity and Dark Web Stories

This week’s top cybersecurity and dark web news stories cover the takedown of a cybercrime-as-a-service SIM-box network, the critical WSUS flaw in Windows Server, and Japanese retailers halting online sales following a cyberattack.

Five arrested in Operation “SIMCARTEL”

An international law enforcement operation has dismantled a highly sophisticated SIM-box network that enabled thousands of cyber fraud cases across Europe. The coordinated action, codenamed “SIMCARTEL”, led to the arrest of five Latvian nationals, the seizure of critical infrastructure, and the takedown of two illicit online services offering telephone numbers for use in cybercrime.

The operation, jointly conducted by authorities from Latvia, Austria, and Estonia, with the support of Europol and Eurojust, uncovered a vast criminal enterprise responsible for enabling more than 3,200 cyber fraud cases, resulting in millions of euros in losses across Europe.

Investigators conducted 26 searches and seized:

  • 1,200 SIM-box devices operating over 40,000 active SIM cards.
  • Hundreds of thousands of additional SIM cards.
  • Five servers hosting the illicit infrastructure.
  • Two criminal websites now under law enforcement control.
  • €431,000 frozen in bank accounts.
  • $333,000 frozen in cryptocurrency accounts.
  • Four luxury vehicles confiscated.

In total, seven suspects were apprehended, including five in Latvia.

The dismantled network provided crime-as-a-service, renting out phone numbers registered to individuals in over 80 countries. These numbers were used to create more than 49 million online accounts, masking perpetrators’ identities and enabling a wide range of crimes:

  • Phishing and smishing.
  • Online marketplace frauds.
  • “Daughter-son” scams.
  • Investment and bank fraud.
  • Fake police scams.

In Austria alone, losses reached approximately €4.5 million, while Latvian victims suffered €420,000 in damages.

While significant progress has been made, investigators continue to uncover the true scale of this criminal network, which may extend well beyond Europe. The seized infrastructure and digital evidence are expected to lead to further arrests and disruption of associated cybercrime operations.

Critical WSUS RCE (CVE-2025-59287) actively exploited

Attackers are now exploiting a critical-severity Windows Server Update Services (WSUS) vulnerability, which already has publicly available proof-of-concept exploit code.

Tracked as CVE-2025-59287, this remote code execution (RCE) flaw affects only Windows servers with the WSUS Server role enabled to act as an update source for other WSUS servers within the organization (a feature that isn’t enabled by default).

Threat actors can exploit this vulnerability remotely in low-complexity attacks that don’t require privileges or user interaction, allowing them to run malicious code with SYSTEM privileges. Under these conditions, the security flaw could also be potentially wormable between WSUS servers.

Microsoft released out-of-band security updates for all impacted Windows Server versions to “comprehensively address CVE-2025-59287,” and advised IT administrators to install them as soon as possible:

  • Windows Server 2025 (KB5070881)
  • Windows Server, version 23H2 (KB5070879)
  • Windows Server 2022 (KB5070884)
  • Windows Server 2019 (KB5070883)
  • Windows Server 2016 (KB5070882)
  • Windows Server 2012 R2 (KB5070886)
  • Windows Server 2012 (KB5070887)

Microsoft also shared workarounds for admins who can’t immediately deploy the emergency patches, including disabling the WSUS Server role on vulnerable systems to remove the attack vector.

While WSUS servers aren’t usually exposed online, roughly 2,500 internet-facing instances were found worldwide, including 250 in Germany and about 100 in the Netherlands.

Evidence of CVE-2025-59287 attacks was also found targeting WSUS instances with their default ports (8530/TCP and 8531/TCP) exposed online starting Thursday, October 23.

In the attacks the threat actors executed a PowerShell command that performed reconnaissance of the internal Windows domain, which was then sent to a webhook.
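For admins triaging their own estate, the following is an added PowerShell check (not code from the original post or from Microsoft) that reports whether the WSUS Server role is installed, whether one of the out-of-band updates listed above is present, and whether the default 8530/8531 ports are listening. The KB numbers come from the post; the function name and output fields are my own.

```powershell
# Added triage script for CVE-2025-59287 (not from the original post).
# Run in an elevated PowerShell session on the Windows Server being checked.
# KB numbers are the out-of-band updates listed in the post.
$OobUpdates = @('KB5070881', 'KB5070879', 'KB5070884', 'KB5070883',
                'KB5070882', 'KB5070886', 'KB5070887')

function Get-WsusExposureReport {
    $os = (Get-CimInstance Win32_OperatingSystem).Caption

    # Is the WSUS Server role installed? (Get-WindowsFeature needs the
    # ServerManager module, present on Windows Server.) Note: the post says
    # only servers configured as an update source for other WSUS servers are
    # affected; role presence is a coarse "potentially in scope" signal.
    $role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $roleInstalled = [bool]($role -and $role.Installed)

    # Which, if any, of the listed out-of-band updates is installed.
    $installedKbs = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $patch = $OobUpdates | Where-Object { $installedKbs -contains $_ }

    # Are the default WSUS ports (8530/TCP, 8531/TCP) listening locally?
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 8530, 8531 } |
        Select-Object -ExpandProperty LocalPort -Unique

    $assessment = if (-not $roleInstalled) {
        'Not in scope: WSUS Server role not installed'
    } elseif ($patch) {
        'WSUS role present and a listed out-of-band update is installed'
    } else {
        'ACTION: WSUS role present and no listed update found; patch, or disable the role'
    }

    [pscustomobject]@{
        OperatingSystem    = $os
        WsusRoleInstalled  = $roleInstalled
        OobUpdateFound     = if ($patch) { $patch -join ', ' } else { 'none' }
        WsusPortsListening = if ($listening) { $listening -join ', ' } else { 'none' }
        Assessment         = $assessment
    }
}

Get-WsusExposureReport | Format-List
```

Pair the port check with a review of your perimeter firewall rules, since an internal listener on 8530/8531 is expected for a WSUS server and the concern in the post is exposure to the internet.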

Ransomware attack on Askul disrupts e-commerce operations across Japanese retailers

A ransomware attack on Askul, one of Japan’s leading office supply distributors, has disrupted e-commerce and logistics for several major retailers, including Muji owner Ryohin Keikaku, The Loft, and Sogo & Seibu.

Askul confirmed on Monday that a ransomware incident forced it to suspend orders and shipments, affecting online platforms that depend on its infrastructure.

This marks Japan’s second major consumer-sector cyberattack in under a month. Earlier in October, Asahi Group Holdings, Japan’s largest brewer, was hit by an attack that disrupted production and delayed financial reporting.

The incident highlights growing concerns about Japan’s e-commerce resilience, as many retailers share the same logistics and technology vendors.

Askul is still assessing whether any client or personal data were compromised and has not disclosed details about the ransomware used. The company warned that the attack could significantly impact earnings and may delay its October financial results.
