All news in category "Incidents and Data Breaches"
Wed, November 19, 2025
Data Breach at Eurofiber France Affects Ticketing Systems
🔐 Eurofiber Group said its French subsidiary, Eurofiber France, experienced a breach after attackers exploited a software vulnerability to access its ticket management system and exfiltrate data. The company stated that sensitive bank details and other critical data were not affected. The incident impacted the ATE cloud portal and regional sub-brands (Eurafibre, FullSave, Netiwan, Avelia). Eurofiber says it closed the vulnerability, strengthened controls and engaged cybersecurity experts to support customers.
Wed, November 19, 2025
PlushDaemon Deploys EdgeStepper AitM Malware Globally
🛡️ A China-aligned group known as PlushDaemon has been observed deploying a previously undocumented network implant, codenamed EdgeStepper, to perform adversary-in-the-middle DNS attacks. ESET researchers found an ELF sample (internally called dns_cheat_v2) that forwards DNS traffic to attacker-controlled nodes, enabling update hijacking. Operators then deploy the downloaders LittleDaemon and DaemonicLogistics to install espionage backdoors.
Wed, November 19, 2025
Cloudflare Outage Caused by Database Permission Change
⚠️ Cloudflare suffered its worst outage in six years after a database permissions change caused its Bot Management system to generate an oversized configuration feature file containing duplicate entries. The file exceeded a hardcoded 200-feature limit, triggering a Rust panic that crashed core proxy software and produced widespread 5xx errors. Engineers restored service by replacing the problematic file, and full recovery was achieved several hours later.
Wed, November 19, 2025
China-linked WrtHug operation hits thousands of ASUS WRT
🔒 SecurityScorecard's STRIKE team warns that Operation “WrtHug” has already compromised thousands of ASUS WRT routers worldwide by chaining six primarily legacy vulnerabilities to gain elevated privileges and persistence. The campaign abuses the ASUS AiCloud service and OS injection flaws, deploying a common self-signed TLS certificate with a 100-year expiry. SecurityScorecard notes geographic clustering, with up to 50% of victims in Taiwan, and assesses a likely China-affiliated ORB-style operation.
Wed, November 19, 2025
EdgeStepper Backdoor Reroutes DNS to Hijack Updates
🔒 ESET researchers disclosed a Go-based network backdoor dubbed EdgeStepper, used by the China-aligned actor PlushDaemon to reroute DNS queries and enable adversary-in-the-middle (AitM) attacks. EdgeStepper forces update-related DNS lookups to attacker-controlled nodes, delivering a malicious DLL that stages additional components. The chain targets update mechanisms for Chinese applications including Sogou Pinyin and ultimately fetches the SlowStepper backdoor to exfiltrate data.
Wed, November 19, 2025
PlushDaemon Hijacks Software Updates in Supply-Chain Attacks
🔒 PlushDaemon operators are hijacking software-update traffic using a new network implant named EdgeStepper, ESET researchers report. Attackers compromise routers via known vulnerabilities or weak credentials, intercept DNS queries, and redirect update requests to malicious infrastructure. Trojanized updates deliver a DLL downloader (LittleDaemon), which stages DaemonicLogistics and ultimately loads the SlowStepper backdoor on Windows systems, targeting manufacturers, universities, and industrial sites across multiple countries.
Wed, November 19, 2025
Fake CAPTCHA Leads to 42-Day Akira Ransomware Compromise
🔒 An employee clicking a fake CAPTCHA (a ClickFix social-engineering lure) on a compromised car dealership site began a 42-day intrusion by Howling Scorpius that delivered the .NET remote access Trojan SectopRAT and ultimately Akira ransomware. Two enterprise EDRs recorded activity but produced few alerts, enabling lateral movement, privilege escalation and the exfiltration of roughly 1 TB. Unit 42 deployed Cortex XSIAM, rebuilt hardened infrastructure, tightened IAM controls and negotiated about a 68% reduction in the ransom demand.
Tue, November 18, 2025
ShadowRay 2.0 Converts Exposed Ray Clusters to Miners
⚠ A global campaign named ShadowRay 2.0 is exploiting an unpatched code-execution flaw (CVE-2023-48022) in Ray clusters to deploy a self-propagating cryptomining botnet. Researchers at Oligo attribute the activity to an actor tracked as IronErn440, which uses AI-generated payloads submitted to Ray’s unauthenticated Jobs API. The malware deploys XMRig to mine Monero, establishes persistence via cron and systemd, and opens reverse shells for interactive control. Operators also throttle CPU use and conceal miners with deceptive names to evade detection.
Tue, November 18, 2025
French Pajemploi Reports Data Breach Affecting 1.2M
🔒 French social security service Pajemploi disclosed a data breach detected on November 14 that may have exposed personal information for up to 1.2 million registered home-based childcare workers and parents. Potentially exfiltrated data includes full names, place of birth, postal addresses, social security numbers, names of banking institutions, Pajemploi numbers, and accreditation numbers. The agency says IBANs, email addresses, phone numbers, and passwords were not accessed. Pajemploi notified CNIL and ANSSI, will inform affected individuals, and URSSAF warned of increased phishing and social engineering risks.
Tue, November 18, 2025
npm Malware Campaign Redirects Visitors to Fake Crypto Sites
🛡️ Researchers from the Socket Threat Research Team uncovered a new npm malware campaign operated by threat actor dino_reborn, distributed across seven packages that executed immediately and fingerprinted visitors. The packages used Adspect proxying and cloaking to distinguish researchers from victims, delivering branded fake CAPTCHAs and dynamic redirects to malicious crypto sites. Anti-analysis measures disabled developer tools and user interactions to hinder inspection.
Tue, November 18, 2025
AI-Enhanced Tuoni Framework Targets US Real Estate Firm
🔍 Morphisec observed an AI-enhanced intrusion in October 2025 that targeted a major US real estate firm using the modular Tuoni C2 framework. The campaign began with a Microsoft Teams impersonation and a PowerShell one-liner that spawned a hidden process to retrieve a secondary script. That loader downloaded a BMP file and used least significant bit steganography to extract shellcode, executing it entirely in memory and reflectively loading TuoniAgent.dll. Researchers noted AI-generated code patterns and an encoded configuration pointing to two C2 servers; Morphisec's AMTD prevented execution.
Tue, November 18, 2025
DoorDash Confirms October 2025 Customer Data Breach
🔒 DoorDash has confirmed a data breach in October 2025 that exposed customers' names, phone numbers, physical addresses and email addresses. The company said an employee was targeted in a social engineering scam that allowed unauthorized access, but there is currently no indication the data has been misused. DoorDash stated that sensitive identifiers and payment information were not accessed and that it has engaged an external firm, notified law enforcement, rolled out security enhancements and issued additional staff training.
Tue, November 18, 2025
Researchers Detail Tuoni C2's Role in Real-Estate Attack
🔒 Cybersecurity researchers disclosed an attempted intrusion against a major U.S. real-estate firm that leveraged the emerging Tuoni C2 and red-team framework. The campaign, observed in mid-October 2025, used Microsoft Teams impersonation and a PowerShell loader that fetched a BMP-steganographed payload from kupaoquan[.]com and executed shellcode in memory. That sequence spawned TuoniAgent.dll, which contacted a C2 server but ultimately failed to achieve its goals. The incident highlights the risk of freely available red-team tooling and AI-assisted code generation being abused by threat actors.
Tue, November 18, 2025
Stadtwerke Detmold Hit by Hacker Attack, IT Shutdown
🔒 Stadtwerke Detmold has reported a widespread IT outage following an apparent hacker attack that prompted the operator to take all systems offline. Online services are unavailable and the company cannot be reached by phone or email. The utility says the supply of drinking water, electricity, gas and district heating remains assured, and customers can report technical problems via a hotline. Authorities are investigating the incident and, so far, no ransom demand has been reported.
Tue, November 18, 2025
Iranian-backed UNC1549 Deploys TWOSTROKE and DEEPROOT
🛡️ Mandiant has linked suspected Iranian espionage actors to a sustained campaign by UNC1549 that deployed backdoors such as TWOSTROKE and DEEPROOT against aerospace, aviation, and defense organizations in the Middle East. Operating from late 2023 through 2025, the group abused trusted third parties and VDI sessions to pivot into customer environments and leveraged highly targeted, role‑relevant phishing. Observed operations combined credential theft, lateral movement, custom tunnellers and credential‑stealing utilities to execute long‑term reconnaissance and data exfiltration.
Tue, November 18, 2025
Azure Mitigates Record 15.72 Tbps DDoS from IoT Botnet
🛡️ Microsoft Azure said it blocked a record 15.72 Tbps DDoS attack tied to the Aisuru IoT botnet that surged to roughly 3.64 billion packets per second and targeted a single cloud endpoint in Australia. The attacker launched extremely high-rate UDP floods from over 500,000 source IPs with minimal spoofing and random source ports. Azure DDoS Protection automatically detected and mitigated the traffic without disrupting customer workloads, and Microsoft urged organizations to validate internet-facing protections ahead of peak periods, noting systemic IoT security gaps.
Tue, November 18, 2025
Checkout.com Apologizes After Breach, Donates Ransom
🔒 Checkout.com publicly disclosed a breach after the ShinyHunters group accessed data from a legacy third‑party cloud storage system used prior to 2020, and issued an apology taking responsibility for the error. The company said fewer than 25% of current merchants were affected, confirmed no payment card data was taken, and refused the ransom demand. Instead of paying, it donated the ransom amount to Carnegie Mellon University and the University of Oxford Security Center to support research into cybercrime.
Tue, November 18, 2025
Microsoft Mitigates 15.72 Tbps IoT-Driven DDoS Attack
🛡 Microsoft automatically detected and mitigated a massive DDoS attack that peaked at 15.72 Tbps and roughly 3.64 billion packets per second against a single Australian endpoint. The traffic was attributed to a TurboMirai-class IoT botnet called AISURU, sourced from hundreds of thousands of compromised routers, cameras, and DVRs and launched from over 500,000 source IPs across multiple regions. Attackers used high-rate UDP floods with minimal source spoofing and random source ports, factors Microsoft said helped simplify traceback and provider enforcement. The incident underscores rising DDoS baselines as broadband speeds increase and IoT devices become more capable.
Tue, November 18, 2025
Defeating BLOCKADE SPIDER: Stopping Cross-Domain Attacks
🔒 CrowdStrike describes how OverWatch detected and disrupted BLOCKADE SPIDER, a financially motivated eCrime group that has used cross-domain techniques since at least April 2024 to access unmanaged systems, dump credentials, and deploy Embargo ransomware. By correlating endpoint, identity, and cloud telemetry in Falcon Next-Gen SIEM and Falcon Identity Threat Protection, analysts traced a compromised VPN service account and observed MFA bypass and AD manipulation. The case underscores the value of unified visibility to stop lateral movement and protect critical assets.
Mon, November 17, 2025
Malicious npm Packages Use Adspect to Cloak Crypto Scams
⚠️ Seven npm packages published under the developer name 'dino_reborn' were found leveraging the cloud-based Adspect service to distinguish researchers from potential victims and redirect targeted users to cryptocurrency scam pages. Socket's analysis shows six packages include a ~39 KB cloaking script that fingerprints visitors, employs anti-analysis controls, and forwards data to an actor-controlled proxy and the Adspect API. Targets are redirected to deceptive Ethereum and Solana-branded CAPTCHA pages, while likely researchers are shown a benign Offlido-style decoy.