What happened in the alleged Malaysian government websites breach?

Cybercriminals have allegedly compromised more than a dozen Malaysian government websites and are offering unauthorized access to these critical systems for sale on a dark web forum. The threat actor claims to possess both live access to the compromised government systems and complete data dumps from the affected organizations.

Who claimed responsibility for the Malaysian government breach?

The breach was posted on the Dark Forums website by a user identifying themselves as 'Bigbrother,' with the posting titled 'First time breach/leak.' This appears to be their first publicly announced cybercrime activity.

Which Malaysian government organizations were allegedly affected by the breach?

The government entities allegedly affected include the National Registration Department (JPN), MyGovernment portal, Radio Televisyen Malaysia (RTM), Ministry of Health, Ministry of Defence, Ministry of Foreign Affairs, and Ministry of Higher Education.

How much are the cybercriminals asking for the Malaysian government access?

The hacker is offering to sell access to the systems for US$20,000 (approximately RM85,500), with payments accepted exclusively in Monero cryptocurrency to maintain transaction anonymity.

What types of data were allegedly exposed in the Malaysian government breach?

Exposed data types allegedly include VPN account connection information, shell access credentials, network and web databases, subdomain information, and local file-sharing details.

What do security experts think about the asking price for the Malaysian government breach?

Security experts note that the US$20,000 asking price appears unusually low for such extensive government access. An anonymous cybersecurity expert suggested this could indicate either that the compromised data is not critical, or that the breach was conducted by inexperienced individuals who may not fully understand the true value of the access they obtained.

What is the National Registration Department (JPN) and why is its compromise significant?

The National Registration Department (JPN) handles citizen identification records in Malaysia. A compromise of this organization could potentially expose sensitive personal information of Malaysian citizens, making it a particularly critical target.

How are Malaysian authorities responding to the alleged government breach?

Cybersecurity Malaysia, the country's national cybersecurity specialist agency, has been officially notified of this alleged breach and is presumably conducting investigations to determine the validity of the claims and assess the potential scope of any compromise. The agency has not yet released any public statements regarding the incident.

Why did the cybercriminals choose Monero cryptocurrency for payment?

The cybercriminals are accepting payments exclusively in Monero cryptocurrency to maintain transaction anonymity. Monero is known for its privacy features that make transactions much harder to trace compared to other cryptocurrencies like Bitcoin.

Has the number of affected individuals in the Malaysian government breach been disclosed?

No, the nature of the attack and number of affected individuals have not been disclosed. The full scope and impact of the alleged breach remain unclear pending official investigation by Malaysian authorities.

Attack

SonicWall Gen 7 firewalls targeted with SSL VPN Zero-Day vulnerability

published: Aug. 4, 2025

Take action: If you have SonicWall Gen 7 firewalls with SSL VPN enabled, immediately update to firmware version 7.3.0 and reset all local user account passwords that have SSLVPN access. Until you can update, limit SSL VPN connectivity to only trusted source IP addresses.

Learn More

Multiple cybersecurity incident response firms have issued urgent warnings about a significant campaign targeting SonicWall Gen 7 firewalls through what appears to be a ~~previously~~ ~~unknown~~ ~~zero-day~~ vulnerability in SSL VPN implementations.

Update - as of 7th of August, SonicWall reported that the spike in attacks was not a not connected to a zero-day vulnerability. Instead, it's most probably related to CVE-2024-40766.

SonicWall recommends that users:

Update firmware to version 7.3.0, which includes enhanced protections against brute force attacks and additional MFA controls. Firmware update guide
Reset all local user account passwords for any accounts with SSLVPN access, especially if they were carried over during migration from Gen 6 to Gen 7.

The attacks, first observed on July 15, 2025, have affected ~~fully patched~~ SonicWall devices even after credential rotation and despite multi-factor authentication being enabled, ~~indicating exploitation of a critical security flaw.~~

Arctic Wolf Labs reported the campaign on August 1, 2025, observing multiple intrusions within a short timeframe, each involving VPN access through SonicWall SSL VPNs. The cybersecurity firm noted that available evidence strongly points to the existence and exploitation of a zero-day vulnerability.

The vulnerability appears to target the SSL VPN authentication mechanism in SonicWall's Gen 7 firewall products. Evidence supporting the zero-day theory includes the fact that fully patched SonicWall devices were compromised following credential rotation, and accounts with time-based one-time password multi-factor authentication enabled were still successfully breached. This suggests the attackers are bypassing standard authentication mechanisms entirely.

The Akira ransomware group has been identified as the primary threat actor exploiting this vulnerability.

Huntress researchers have confirmed approximately 20 different attacks directly related to this campaign since July 25, 2025. The security firm observed that threat actors are moving with unprecedented speed, pivoting to domain controllers within hours of the initial breach and completing the full attack chain from initial access to ransomware deployment in as little as 1.5 to 2 hours.

The vulnerability impacts SonicWall Gen 7 firewall devices running SonicOS with SSL VPN functionality enabled. SonicWall confirmed on August 4, 2025, that it is aware of the campaign affecting Gen 7 SonicWall firewalls that use the secure sockets layer protocol. The vendor stated it is actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability is responsible.

The reports of attacks come one week after SonicWall urged customers to patch their SMA 100 appliances for CVE-2025-40599 that may be exploited to gain remote code execution on unpatched devices. Attackers would need admin privileges for CVE-2025-40599 exploitation, but SonicWall still urged administrators to secure their SMA 100 appliances, as they're already being targeted.

As of 10th of September 2025 the Australian Cyber Security Center warns of increased exploitation activity and that Akira ransomware gang is actively exploiting CVE-2024-40766.

~~Given the high likelihood of a zero-day vulnerability, organizations should immediately consider disabling SonicWall SSL VPN services until a patch becomes available and can be deployed.~~

As an alternative, organizations should limit SSL VPN connectivity to trusted source IP addresses only.

SonicWall Gen 7 firewalls targeted with SSL VPN Zero-Day vulnerability

Read More
CISA confirms exploitation of two BeyondTrust flaws, urges …
Authentication bypass flaw in OttoKit/SureTriggers WordPress plugin actively …
Suspected China-Nexus threat actor actively exploiting critical Ivanti …
Critical Ivanti vTM flaw now actively exploited
Oracle WebLogic Servers Face Immediate Exploitation of Critical …