All news in category “Incidents and Data Breaches”

🔍 Researchers uncovered a sophisticated fileless campaign that executes malicious code entirely in memory to deliver AsyncRAT. The attack began via a compromised ScreenConnect client and a VBScript that used WScript and PowerShell to download two payload blobs saved to C:\Users\Public\, which were never written as executables but loaded into memory via reflection. A .NET launcher (Obfuscator.dll) was used to orchestrate persistence, disable security logging and load the RAT, which exfiltrates credentials, browser artifacts and keystrokes.

🔒 Bitdefender tracked a Chinese APT intrusion that used a novel, fileless framework dubbed EggStreme to compromise a Philippines-based military contractor. The multi-stage toolkit injects code directly into memory, leverages DLL sideloading and abuses legitimate Windows services for persistence, and delivers a gRPC-enabled backdoor, EggStremeAgent, with extensive reconnaissance and exfiltration capabilities. Bitdefender advises limiting use of high-risk binaries and deploying advanced detection and response to detect living-off-the-land operations and anomalous behavior.

🔒 Rapid7 and SonicWall report a surge in intrusions tied to the Akira ransomware group exploiting a year-old SSL VPN vulnerability, CVE-2024-40766 (CVSS 9.3), and LDAP misconfigurations that retained local passwords during migrations. Attackers are brute-forcing credentials, abusing SonicWall's Virtual Office defaults to enable mMFA/TOTP, and using loaders like Bumblebee to deploy AdaptixC2 and persistent tools. SonicWall urges rotating local accounts, enabling Botnet Filtering and Account Lockout, enforcing MFA, restricting Virtual Office access, and reviewing LDAP default groups.

🔒 Three French regional healthcare agencies (ARS) have reported similar cyber-attacks that exposed patients’ personal data held on regional systems. Preliminary investigations, announced on September 8, indicate attackers gained access by impersonating healthcare professionals and used those accounts to reach GRADeS-managed services such as Normand'e-Santé. Reported exposed PII includes full names, ages, phone numbers and email addresses, while the agencies say no clinical health records appear to have been compromised. Compromised accounts were disabled, additional protections deployed, potentially affected patients will be notified and incidents have been reported to CNIL.

🔎 Volodymyr Tymoshchuk, a 28-year-old Ukrainian, has been placed on Europe’s most wanted list over alleged involvement in widespread LockerGoga, MegaCortex and Nefilim ransomware campaigns targeting hundreds of firms between 2018 and 2020. Europol and international partners tied him to high-profile incidents including the 2019 Norsk Hydro attack, which caused major operational disruption. The US has unsealed charges and an $11m reward is being offered for information leading to his arrest or conviction.

🔒 Researchers disclosed two coordinated campaigns that distribute fake browser extensions via malvertising and counterfeit sites to steal credentials, session tokens, and hijack Meta business accounts. Bitdefender documented ads pushing a fake "Meta Verified" add‑on named SocialMetrics Pro that harvests Facebook session cookies and exfiltrates them to a Telegram bot while also querying ipinfo[.]io for IP data. Cybereason described a separate campaign using counterfeit sites promoting a bogus Madgicx Plus platform and multiple rogue Chrome extensions that request broad site access, capture Google identity data, then pivot to Facebook to facilitate account takeover.

🔒 LNER has disclosed that an unauthorized third party accessed customer contact details and historical journey information via a compromised third-party supplier. No bank, payment card or password information was affected, the operator said, but warned that the data could be used in follow-on attacks. Security professionals advised customers to be cautious of unsolicited communications and recommended organisations strengthen third‑party data controls and identity protections.

⚠️ Cybersecurity researchers disclosed a campaign that abuses ConnectWise ScreenConnect remote sessions to deliver a fileless loader which ultimately executes the AsyncRAT remote-access trojan. Attackers use hands-on-keyboard activity to run a layered VBScript and PowerShell chain that loads obfuscated .NET assemblies and spawns AsyncClient.exe. Persistence is maintained via a scheduled task disguised as "Skype Updater," and stolen credentials, keystrokes, and wallet artifacts are exfiltrated to a DuckDNS command-and-control host.

🍔 In episode 434 of the award‑winning Smashing Security podcast, Graham Cluley and guest Lianne Potter examine two striking security stories: an ethical hack of Burger King that revealed drive‑thru audio recordings, hard‑coded passwords and an authentication bypass, and an alleged insider theft at xAI where a former engineer, after receiving $7 million, is accused of taking trade secrets. The hosts blend sharp analysis with irreverent commentary on operational security and human risk.

🚨 A European DDoS mitigation provider was hit by a massive packet-rate flood that peaked at 1.5 billion packets per second. FastNetMon detected the assault, which originated from thousands of compromised customer premises devices, including IoT units and MikroTik routers across more than 11,000 networks. The malicious traffic was primarily a UDP flood and was mitigated in real time using the customer's scrubbing facility, ACLs on edge routers, and packet inspection. FastNetMon warned this trend requires ISP-level filtering to prevent large-scale abuse of consumer hardware.

🚨 A US federal court has unsealed charges against Ukrainian national Volodymyr Viktorovich Tymoshchuk, accused of orchestrating ransomware campaigns using LockerGoga, MegaCortex, and Nefilim. Authorities say these campaigns, active between December 2018 and October 2021, targeted over 250 US companies and hundreds more worldwide. Tymoshchuk — also known by aliases such as 'deadforz', 'Boba', and 'msfv' — remains at large. The US is offering a $10 million reward for information leading to his arrest and conviction.

🛡️ On September 8, 2025, a sophisticated phishing campaign led to the compromise of a trusted maintainer account and the insertion of cryptocurrency-stealing malware into more than 18 foundational npm packages. The malicious versions collectively represented over 2 billion weekly downloads and affected millions of applications from personal projects to enterprise systems. The debug package was among those compromised and alone exceeds 357 million weekly downloads. npm has removed several malicious package versions and is coordinating ongoing remediation.

🚨 A phishing attack against maintainer Josh Junon (qix) led to a widespread compromise of highly popular npm packages, including chalk and debug-js, whose combined footprint exceeds billions of weekly downloads. The attacker pushed malicious updates that attempted to steal cryptocurrency by swapping wallet addresses, but the community discovered and removed the tainted releases within two hours. According to Wiz, the compromised modules reached roughly 10% of cloud environments in that short window, yet the actor ultimately profited only minimally as the injected payload targeted browser crypto-signing and yielded just a few hundred dollars at most.

🛡️ Bitdefender attributed a campaign against a Philippines-based military contractor to a China-linked APT that deployed a previously undocumented fileless framework named EggStreme. The multi-stage operation begins with EggStremeFuel (mscorsvc.dll), which profiles systems, opens a C2 channel, stages loaders, and triggers in-memory execution of the core backdoor via DLL sideloading. EggStremeAgent functions as a central backdoor, injecting a session-specific keylogger (EggStremeKeylogger), communicating over gRPC, and exposing a 58-command toolkit for discovery, lateral movement, privilege escalation and data theft. An auxiliary implant, EggStremeWizard (xwizards.dll), provides reverse-shell access and resilient C2 options; Bitdefender warned that fileless execution and heavy DLL sideloading make detection and forensics difficult.

🔒 A newly identified phishing-as-a-service called Salty2FA is being used in campaigns that bypass multi-factor authentication by intercepting verification flows and abusing trusted services like Cloudflare Turnstile. Ontinue researchers report the kit uses subdomain rotation, domain-pairing, geo-blocking and dynamic corporate branding to make credential pages appear legitimate. The framework simulates SMS, authenticator apps, push approvals and even hardware-token prompts, routing victims through Turnstile gates to filter automated analysis before harvesting credentials.

🔒 Jaguar Land Rover (JLR) confirmed that attackers stole "some data" during a recent cyberattack that forced system shutdowns and instructed staff not to report to work. The company disclosed the disruption on September 2 and says it is working with the U.K. National Cyber Security Centre and third‑party specialists to restart applications in a controlled manner. JLR has notified relevant regulators and said its forensic investigation is ongoing; it will contact individuals if their data is affected. No definitive attribution or confirmed ransomware claim has been announced.

🔒 A ransomware incident attributed to KillSec has disrupted MedicSolution, a Brazilian healthcare IT vendor, after attackers claimed to exfiltrate more than 34 GB comprising 94,818 files. Resecurity reports the haul includes medical evaluations, lab results, X‑rays and unredacted patient photos, and says data was exposed via misconfigured AWS cloud buckets. MedicSolution has not publicly responded; regulators and affected providers face notification and remediation challenges.

🔐 Attackers affiliated with the Scattered Spider group exploited weak vendor phone procedures to obtain repeated password and MFA resets from Cognizant’s service desk, then used the access to escalate to domain-admin footholds at Clorox. Clorox says the intrusion caused roughly $380 million in damages, including remediation and extended business-interruption losses. The case highlights failure to follow agreed verification processes and the amplified risk of outsourced help desks. Organizations should enforce out-of-band caller verification, immutable reset logs, and automated containment to reduce the attacker window.

🔒 A newly observed ransomware group, The Gentlemen, has rapidly expanded operations across Asia Pacific, South America, the US and the Middle East since first being identified in August. Trend Micro reports the group leverages legitimate drivers, GPO abuse and custom tooling to disable endpoint security and move laterally. Victims span manufacturing, construction, healthcare and insurance, and defenders are urged to adopt zero-trust, behavioral EDR/XDR and rigorous segmentation.

🔐 The SalesLoft acquisition of Drift exposed a hidden fourth‑party attack surface when legacy OAuth tokens—some dormant for 18 months—were abused to access customer Salesforce instances and a limited number of Google Workspace accounts. Attackers leveraged inherited tokens to enumerate and exfiltrate data, revealing how M&A can transfer persistent permissions outside visibility. The author calls for continuous, behavior‑based monitoring of every OAuth token and API call and recommends practical "OAuth archaeology" to inventory, rotate, or revoke legacy access.