All news in category “Incidents and Data Breaches”

⚠️ Google Threat Intelligence Group says a Chinese-aligned cluster has used the BRICKSTORM backdoor in intrusion campaigns since at least March 2025 against US legal and technology firms, SaaS providers and outsourcing companies. Attackers focused on harvesting emails and files from key individuals and establishing long-term footholds. The group, tracked as UNC5221, exploited zero-days, deployed BRICKSTORM on VMware appliances, and used credential theft and persistence mechanisms to evade detection. Google and partners have published detection guidance and a Mandiant scanner script to help identify infections.

🛒 The Co-op revealed a £206m revenue shortfall resulting from a “malicious” cyber-attack in April after it temporarily shut down multiple systems to contain the threat. The retailer recorded an overall six-month loss of £80m to 5 July 2025 and said sales disruption is likely to continue into H2 2025. No remediation breakdown was provided, although a one-off non-underlying cost of £20m was logged. The intrusion has been linked to Scattered Spider, and UK authorities have made several arrests related to this and similar retail attacks.

🔒 British investigators arrested a man in his forties in West Sussex in connection with a suspected ransomware outbreak that disrupted flights across Europe. The National Crime Agency said the suspect was released on conditional bail and the probe remains at an early stage. Security researchers have linked the incident to the HardBit variant, which affected ARINC vMUSE systems and forced airlines to revert to paper processes amid repeated reinfections.

🛡️ Security researchers discovered two malicious Rust crates impersonating the legitimate fast_log library that covertly scanned source files for Solana and Ethereum private keys and exfiltrated matches to a hardcoded command-and-control endpoint. Published on May 25, 2025 under the aliases rustguruman and dumbnbased, the packages — faster_log and async_println — accumulated 8,424 downloads before crates.io maintainers removed them following responsible disclosure. Socket and crates.io preserved logs and artifacts for analysis, and maintainers noted the payload executed at runtime when projects were run or tested rather than at build time.

🔐 Chinese state-linked actors deployed a custom Linux/BSD backdoor called BRICKSTORM on network edge appliances to maintain persistent access into U.S. legal, technology, SaaS and outsourcing firms. These implants averaged 393 days of undetected dwell time and were used to pivot to VMware vCenter/ESXi hosts, Windows systems, and Microsoft 365 mailboxes. Mandiant and Google TAG attribute the activity to UNC5221 and have released a scanner and hunting guidance to locate affected appliances.

🔒 Ransomware can do more than encrypt files — it can disable alarms and create physical security vulnerabilities. In a recent episode of the Smashing Security podcast, hosts discuss how a ransomware-related outage at the Natural History Museum in Paris preceded a late-night theft of €600,000 in gold. The show also covers a new npm supply-chain worm dubbed Shai Hulud that has infected over 180 packages and quietly exfiltrated secrets, plus odd stories about ads appearing on consumer appliances.

🔍 A single Microsoft Defender alert triggered an investigation that uncovered a persistent cyberthreat against retail customers. Attackers exploited unpatched SharePoint flaws CVE-2025-49706 and CVE-2025-49704 using obfuscated ASPX web shells while also compromising identities through self-service password reset abuse and Microsoft Entra ID reconnaissance. DART swiftly contained the intrusions—removing web shells, isolating Entra ID, deprivileging accounts, and recommending Zero Trust measures, MFA enforcement, timely patching, and EDR deployment.

🛰️ Recorded Future has attributed a widespread cyber-espionage cluster to a Chinese state-sponsored actor it has named RedNovember, which overlaps with Microsoft's Storm-2077. From June 2024 to July 2025 the group targeted internet-facing perimeter appliances and used a mix of open-source and commercial tooling — notably Pantegana, Spark RAT and Cobalt Strike — to gain persistent access across government and private-sector networks worldwide. Attacks exploited known CVEs in VPNs, firewalls and other security appliances and leveraged a Go-based loader derived from LESLIELOADER, while administration infrastructure relied on VPN services such as ExpressVPN and Warp.

🔍 A malicious npm package named Fezbox was discovered using QR-code steganography to conceal and deliver a credential-stealing payload. The package fetched a QR image from a remote URL, waited roughly 120 seconds, decoded embedded code and executed it to extract usernames and passwords from browser cookies. Socket's AI-based scanner flagged the behavior; the package, which had at least 327 downloads, was removed after a takedown request to the npm security team.

🕵️‍♂️ In a five-month international campaign, Operation HAECHI VI led by Interpol and partner agencies recovered more than $439 million in cash and cryptocurrency tied to cyber-enabled financial crimes. Investigators from 40 countries across five continents targeted a broad range of scams — including voice phishing, investment fraud, BEC, sextortion and romance scams — freezing 400 crypto wallets and blocking over 68,000 bank accounts. The action included 45 arrests in Portugal and multimillion-dollar recoveries in Thailand, building on prior HAECHI phases that netted hundreds of millions and thousands of arrests.

🛡️ Darktrace has uncovered a ShadowV2 campaign that combines a GitHub CodeSpaces-hosted Python command-and-control framework, a Docker-based spreader, and a Go-based RAT to operate a DDoS-as-a-service platform. Attackers target exposed Docker daemons on AWS EC2 to build on-victim images and deploy malware via environment variables, reducing forensic artifacts. The platform exposes an OpenAPI-driven UI and multi-tenant API enabling HTTP/HTTP2 floods, UAM bypasses, and other configurable attack options.

🛡️ Mandiant and Google’s Threat Intelligence Group report that the China‑nexus cluster UNC5221 has delivered the Go‑based backdoor BRICKSTORM to U.S. legal, SaaS, BPO, and technology organizations, frequently exploiting Ivanti Connect Secure zero‑days. BRICKSTORM uses a WebSocket C2, offers file and command execution, and provides a SOCKS proxy to reach targeted applications. The campaign prioritizes long, stealthy persistence on appliances that lack traditional EDR coverage, enabling lateral movement and access to downstream customer environments.

🔒 On 29 August 2025 Huntress analysts identified a previously unseen ransomware variant they named Obscura after its embedded ransom note. The binary was placed in the domain NETLOGON scripts folder, enabling propagation via AD replication, and the actor created scheduled tasks to run it across hosts. Obscura requires administrative privileges, attempts to delete volume shadow copies and terminates roughly 120 security and backup processes. It uses Curve25519/X25519 key exchange and XChaCha20 for file encryption and writes a decoded ransom note to C:\README-OBSCURA.txt.

🔒 Google researchers warn that the Go-based Brickstorm backdoor was used in prolonged espionage against U.S. technology, legal, SaaS, and BPO organizations, averaging a 393-day dwell time. Suspected activity from the UNC5221 cluster involved deploying the malware on appliances lacking EDR protection such as VMware vCenter/ESXi, where it acted as a web server, SOCKS proxy, file dropper, and remote shell. Operators used techniques like a malicious Java Servlet Filter (Bricksteal), VM cloning, and startup-script modifications to capture credentials and move laterally, then tunneled to exfiltrate emails via Microsoft Entra ID Enterprise Apps. Mandiant published a scanner and YARA rules to aid detection but cautions it may not catch all variants or persistence.

🔒 Google researchers report suspected China-linked operators used a Go-based backdoor named Brickstorm to persistently exfiltrate data from U.S. technology, legal, SaaS and BPO organizations, with an average dwell time of 393 days. Brickstorm operated as a web server, file dropper, SOCKS relay and remote command executor while masquerading traffic as legitimate cloud services and targeting edge appliances that often lack EDR. GTIG attributes the activity to UNC5221, a cluster linked to Ivanti zero-day exploitation and custom tools like Spawnant and Zipline. Mandiant published a scanner with YARA rules but cautioned it may not detect all variants or persistence mechanisms.

🔒BRICKSTORM is a highly evasive backdoor campaign tracked by GTIG and Mandiant that targets network appliances and virtualization infrastructure to maintain long-term access to US organizations. The actor, tracked as UNC5221, deploys a Go-based malware with SOCKS proxy functionality and uses techniques — including zero‑day exploitation of edge appliances, credential capture via a BRICKSTEAL servlet filter, and VM cloning — to remain undetected for an average of 393 days. GTIG and Mandiant published YARA rules, a scanner, and a focused hunting checklist to help defenders locate infections and harden management interfaces and vSphere deployments.

🛫 The UK's National Crime Agency arrested a man in his forties in West Sussex on suspicion of Computer Misuse Act offences linked to a ransomware attack that disrupted airports across Europe. RTX Corporation confirmed the incident affected its Collins Aerospace MUSE passenger processing software, first detected on September 19. The suspect has been released on conditional bail while the probe, supported by the South East ROCU and other agencies, remains in its early stages. Affected customers shifted to backup and manual processes while RTX and external cybersecurity experts work to contain and remediate the impact.

🔒 The Python Software Foundation warns of a phishing campaign using a convincing fake PyPI site at pypi-mirror[.]org that asks users to 'verify their email address' and threatens account suspension. If you clicked the link and submitted credentials, change your password immediately, inspect your account's Security History, and report suspicious activity to security@pypi.org. Maintainers should avoid clicking links in unsolicited emails, use password managers that auto-fill only on matching domains, and enable phishing-resistant 2FA such as hardware security keys.

📩 Attackers abused GitHub's notification system to send fake Y Combinator W2026 invitations by creating issues and tagging users so the platform would deliver legitimate-looking emails. The lure promised participation in a purported $15 million funding program and linked to a typo-squatted domain. That site ran obfuscated JavaScript and presented an EIP-712-style wallet verification prompt that, when signed, authorized draining transactions.

🔍 Microsoft Threat Intelligence detected and blocked a credential-phishing campaign that likely leveraged AI-generated code to obfuscate its payload inside an SVG attachment. The malicious SVG imitated a PDF and hid JavaScript within invisible, business-themed elements and a long sequence of business terms that the embedded script decoded into redirects, browser fingerprinting, and session tracking. Microsoft Defender for Office 365 blocked the activity by correlating infrastructure, behavioral, and message-context signals, while Security Copilot flagged the code as likely LLM-generated.