All news in category “Incidents and Data Breaches”

🛡️ Lumen Technologies' Black Lotus Labs reports that SystemBC, a C-based SOCKS5 proxy malware, powers roughly 80% of the REM Proxy network and averages about 1,500 compromised hosts per day. The botnet operates through more than 80 C2 servers and mainly targets VPS instances from major commercial providers, often via dropped shell scripts that install the proxy implant. REM Proxy also advertises pools of compromised Mikrotik routers and open proxies and has been used by actors tied to TransferLoader and the Morpheus ransomware group.

🕵️ ESET researchers report that Russian state-linked groups Gamaredon and Turla collaborated in 2025 campaigns targeting high-value Ukrainian defense systems. In February, investigators observed Turla issuing commands via Gamaredon implants and Gamaredon's PteroGraphin downloader being used to restart Turla's Kazuar backdoor. Kazuar harvested machine metadata while Gamaredon later deployed Kazuar v2 installers in April and June. ESET assesses with high confidence that the interactions reflect a deliberate operational convergence.

🔒 The BMW Group has been named on the darknet by the Everest ransomware group, which claims to have stolen critical BMW audit documents, according to screenshots reported by Cybernews. The gang placed two countdown timers on its onion site—one running to Sept. 14 and a second giving BMW 48 hours to make contact. BMW has not commented and the extortionists have not confirmed whether customer or personal data were taken; Cybernews researcher Aras Nazarovas advises waiting for a published sample to assess the scope.

🔒ESET researchers observed tools from Russian-linked groups Gamaredon and Turla cooperating to deploy the .NET-based Kazuar backdoor on multiple Ukrainian endpoints in early 2025. Gamaredon delivered PowerShell downloaders — PteroGraphin, PteroOdd and PteroPaste — which retrieved Kazuar payloads via Telegraph, Cloudflare Workers domains and direct IP hosting. Analysts assess with high confidence that Gamaredon provided initial access while Turla leveraged the access for espionage, primarily targeting Ukrainian defense-sector assets.

🔒 Researchers at ESET have identified a new bootkit-style ransomware named HybridPetya that targets the NTFS Master File Table (MFT) and can override UEFI Secure Boot to install a malicious EFI component. The malware abuses a patched vulnerability (CVE-2024-7344) in a signed Microsoft EFI file to load an unsigned payload called cloak.dat. The installer replaces the Windows bootloader, triggers a crash and, on reboot, the compromised loader executes a bootkit that encrypts the disk with Salsa20, using a fake CHKDSK message to conceal activity. ESET observed a ransom demand of €850 in Bitcoin but regards the sample as likely a research proof-of-concept.

🔒 Finnish prosecutors have charged 28-year-old US citizen Daniel Lee Newhard, an Estonia resident, with aiding and abetting the extortion tied to the notorious 2018 Vastaamo psychotherapy breach. Authorities say IP logs connected extortion infrastructure to an Estonian internet connection and to the suspect’s home address; Newhard denies the allegations. This development follows earlier convictions and ongoing appeals related to the broader Vastaamo scandal.

🔒 UK law enforcement has arrested two teenagers allegedly tied to the Scattered Spider hacking group over an August 2024 cyberattack on Transport for London (TfL). Nineteen-year-old Thalha Jubair and 18-year-old Owen Flowers were detained; authorities say Jubair faces U.S. charges for dozens of intrusions, extortion and money laundering while Flowers faces additional charges linked to U.S. healthcare targets. Prosecutors allege the group extorted at least $115 million in ransoms and that law enforcement previously seized roughly $36 million in cryptocurrency tied to Jubair.

🔒 US and UK authorities have charged two UK-based teenagers linked to the Scattered Spider cybercrime group in connection with multiple high-profile intrusions. Thalha Jubair, 19, and Owen Flowers, 18, face US and UK charges including conspiracy to commit computer fraud, wire fraud, money laundering and offences under the UK Computer Misuse Act. Authorities allege extensive social engineering, ransomware extortion and transfers of victim cryptocurrency, with investigators attributing at least $115m in ransom payments to the group. The arrests follow a multinational probe and earlier detentions of other alleged members.

🔒 The New York Blood Center (NYBCe) confirmed that an unauthorized party accessed internal systems between January 20 and January 26, 2025, and copied files containing personal and health information for nearly 194,000 individuals. Compromised data includes names, Social Security numbers, driver's license or state ID numbers, bank account details for direct deposit, and health/test records. NYBCe says it moved quickly to contain the incident, is offering free identity protection through Experian, and has set up a call line for potentially affected people.

🚨 Two teenagers have been arrested in the UK on suspicion of involvement in the August 2024 cyberattack against Transport for London; authorities say the suspects are believed to be members of the Scattered Spider collective. The National Crime Agency is prosecuting both on computer misuse and fraud-related charges, while U.S. prosecutors also filed charges against one suspect tied to multiple intrusions and extortion schemes. TfL reported that the breach disrupted internal systems and later confirmed customer data, including names and contact details, was compromised, causing operational disruption and financial losses.

🔎 Researchers at Lumen Technology’s Black Lotus Labs say the SystemBC proxy botnet actively targets commercial VPS instances worldwide to build a high-capacity proxy network. The operation averages about 1,500 bots daily, relies on more than 80 C2 servers, and primarily exploits unpatched systems that often contain dozens of vulnerabilities. Customers and operators exhibit poor operational security, and the service is used by ransomware groups and third-party proxy resellers.

🔒 SonicWall is urging customers to reset credentials after detecting suspicious activity that exposed firewall configuration backup files stored in MySonicWall cloud for under 5% of users. Although stored credentials were encrypted, the preference files contained information that could help attackers exploit related firewalls; the company says this was a series of brute-force accesses, not a ransomware event. Customers should verify backups, disable remote management and VPN access, reset passwords and TOTPs, review logs, and import the provided randomized preferences file that resets local passwords, TOTP bindings, and IPSec keys.

🔐 The Python Software Foundation has invalidated PyPI publishing tokens that were exfiltrated during the early-September GhostAction supply chain attack. GitGuardian first reported malicious GitHub Actions workflows attempting to steal secrets, and PyPI found no evidence that the stolen tokens were used to publish malware. Affected maintainers were contacted and advised to rotate credentials and adopt short-lived Trusted Publishers tokens for GitHub Actions. PyPI also recommended reviewing account security history for suspicious activity.

🔒 Researchers have identified CountLoader, a multi‑language malware loader used by Russian ransomware affiliates and initial access brokers to deploy post‑exploit tools such as Cobalt Strike, AdaptixC2 and the commercial PureHVNC RAT. Appearing in .NET, PowerShell and JavaScript flavors, the loader has been observed in PDF phishing campaigns targeting Ukraine and employs LOLBins and multiple download/execution methods to evade detection. The JavaScript variant is most feature‑complete, offering diverse downloaders, execution paths and persistence via a Google‑update‑named scheduled task.

🛡️ Microsoft's Digital Crimes Unit has seized 338 domains to dismantle the Phishing‑as‑a‑Service platform RaccoonO365, which enabled low‑skilled actors to deploy convincing Microsoft login pages. The DCU reports the service compromised more than 5,000 accounts across 94 countries since July 2024 and could bypass MFA to maintain persistent access. Operators marketed AI enhancements to scale attacks and collected at least $100,000 in cryptocurrency, prompting legal action to disrupt the infrastructure and seize control of the platform.

🔒 SonicWall has disclosed a security incident affecting its cloud backup service for firewalls, reporting that threat actors accessed stored preference files for roughly 5% of its install base. While credentials inside those files are encrypted, exposed metadata such as serial numbers could enable future targeting. SonicWall said this was not a ransomware event but a series of brute-force attempts. Impacted customers are asked to check MySonicWall, restrict WAN access, follow the vendor's remediation checklist, and import a supplied preferences file that randomizes local passwords and IPSec keys.

⚠️ Zscaler ThreatLabz researchers discovered two malicious Python packages, sisaws and secmeasure, that were designed to deliver the SilentSync remote access trojan to Windows hosts. Both packages, uploaded by a user identified as 'CondeTGAPIS' and since removed from PyPI, contained downloader logic that retrieved a second-stage Python payload (via Pastebin) and executed code in memory. SilentSync can execute commands, harvest browser credentials and cookies, capture screenshots, and exfiltrate files, while offering persistence mechanisms across Windows, Linux and macOS.

🔒 Insight Partners disclosed a ransomware attack that occurred around 25 October 2024 but was first detected on 16 January 2025. The firm says a sophisticated social engineering attack enabled a threat actor to exfiltrate data and encrypt servers before being expelled the same day. About 12,657 individuals may be affected; the firm offers free identity-theft protection and urges password resets and MFA.

🔒 The UK's National Crime Agency will chair the Five Eyes Law Enforcement Group (FELEG) and concentrate on disrupting cybercrime, money laundering and online sexual abuse of children over the next two years. The NCA singled out loosely affiliated native-English networks known as 'The Com', which operate across messaging apps, gaming platforms and forums and share violent and child-abuse material. It also linked these groups to data-theft and extortion campaigns involving actors such as Scattered Spider, ShinyHunters and Lapsus$, citing incidents affecting retailers and luxury brands. FELEG has promoted the UK's Counter Terrorism Policing to full member status to strengthen responses to hybrid threats.

🔒 Conor Brian Fitzpatrick, known online as "Pompompurin", has been resentenced to three years in prison after a U.S. appeals court overturned his earlier lenient term. He created and administered the notorious BreachForums, a marketplace for stolen data and hacking tools, and was arrested after the Department of Justice disrupted the site. Fitzpatrick had violated pretrial release conditions and pleaded guilty to hacking charges and possession of child sexual abuse material; the forum remains active under a new domain.