All news in category “Incidents and Data Breaches”

🛡️ The U.S. Treasury's Office of Foreign Assets Control (OFAC) announced sanctions on two individuals and two entities tied to a DPRK remote IT-worker revenue scheme that funneled illicit funds to weapons programs. Targets include Vitaliy Andreyev, Kim Ung Sun, Shenyang Geumpungri Network Technology Co., Ltd, and Korea Sinjin Trading Corporation. Treasury says nearly $600,000 in crypto-derived transfers were converted to U.S. dollars and that front companies generated over $1 million in profits. Officials also highlighted the group's use of AI tools to fabricate résumés, secure employment, exfiltrate data, and enable extortion.

🔒 Microsoft Threat Intelligence details a campaign by Storm-0501 that exfiltrated data from a large enterprise’s Azure environment, then deleted backups and encrypted remaining resources to block recovery. The actor abused Entra Connect synchronization, elevated to Global Administrator, and used Azure Owner privileges to steal storage keys and transfer blobs via AzCopy. Microsoft recommends enabling blob backups, least privilege, logging, and Azure Backup to mitigate these cloud-native ransomware tactics.

🛡️ The FBI says the Chinese-linked hacker group Salt Typhoon has been observed operating in at least 80 countries, with activity reported across regions including the UK, Canada, Australia and New Zealand. U.S. authorities disclosed that the actors compromised U.S. telecommunications firms, exfiltrating more than one million connection records and targeting calls and SMS for over 100 Americans. A detailed technical analysis was published with international partners, including Germany's BSI, to help network defenders detect and remediate the intrusion, and U.S. officials now say the activity appears to have been contained.

🔐 Microsoft Threat Intelligence reports that the financially motivated actor Storm-0501 has refined cloud-native techniques to rapidly exfiltrate and delete data in hybrid Azure environments. The group leveraged on-premises footholds—using tools such as Evil-WinRM and a DCSync attack—to compromise an Entra Connect server and identify a non-human synced Global Admin account without MFA. With that account the attackers registered a threat actor-owned federated tenant as a backdoor, escalated Azure privileges, and proceeded to mass-extract data and remove resources and backups before extorting victims through compromised Microsoft Teams accounts. Microsoft has updated Entra ID behavior, released Entra Connect 2.5.3.0 to support Modern Authentication, and recommended enabling TPM, enforcing MFA, and other hardening controls.

⚠️A protected whistleblower alleges that the Department of Government Efficiency (DOGE) copied the Social Security Administration's NUMIDENT database to an unsecured Amazon Web Services test environment, bypassing mandated oversight and authorization. The complaint names several DOGE-affiliated hires and documents approvals and risk assessments dated June 12, June 25, and July 25, 2025. It alleges the move circumvented required FISMA authorization and NIST SP 800-53 controls, exposing sensitive personal data for more than 300 million people and potentially violating the Privacy Act and the CFAA.

🔒 ESET disclosed a new proof-of-concept ransomware called PromptLock that uses OpenAI's gpt-oss:20b model via the Ollama API to generate malicious Lua scripts in real time. Written in Golang, the strain produces cross-platform scripts that enumerate files, exfiltrate selected data, and encrypt targets using SPECK 128-bit. ESET warned that AI-generated scripts can vary per execution, complicating detection and IoC reuse.

🚨 Cephalus is a mid‑2025 ransomware operation that both encrypts systems and exfiltrates sensitive data for publication on a dark‑web leak site. The group commonly gains initial access via Remote Desktop Protocol (RDP) accounts lacking multi‑factor authentication and uses a DLL sideloading chain that abuses SentinelOne's SentinelBrowserNativeHost.exe to load a malicious DLL and execute the payload. Infected files are renamed with the .sss extension, Volume Shadow Copies are deleted, and Windows Defender is disabled. Organisations should prioritise MFA, timely patching, secure offline backups, network segmentation and staff training to reduce risk.

🔒 Microsoft Threat Intelligence reports that financially motivated actor Storm-0501 has shifted from on‑premises endpoint encryption toward cloud‑native ransomware tactics emphasizing rapid data exfiltration, destruction of backups, and extortion. The actor leverages compromised Entra Connect sync accounts, DCSync, and hybrid‑joined devices to escalate to Global Administrator and gain full Azure control. In cloud environments they abuse Azure operations (listing storage keys, AzCopy exfiltration, snapshot and resource deletions) and create malicious federated domains for persistence and impersonation. Microsoft recommends hardening sync configurations, enforcing phishing‑resistant MFA, enabling Defender for Cloud and storage protections, and applying least‑privilege access controls.

🚨 Microsoft Threat Intelligence says financially motivated group Storm-0501 has refined a brutal hybrid ransomware chain that leverages hijacked privileged accounts to pivot from on‑prem Active Directory into Azure, exploiting visibility gaps to exfiltrate, encrypt, and mass‑delete cloud resources and backups. The actor used Evil‑WinRM for lateral movement and DCSync to harvest credentials, abused a non‑MFA synced global admin to reset passwords, and created a malicious federated domain for broad persistence. After exfiltration they deleted backups where possible, encrypted remaining cloud data, and initiated extortion via a compromised Microsoft Teams account. CISOs are urged to enforce least privilege, audit on‑prem assets, close cloud visibility gaps, and rehearse ransomware playbooks.

⚠️ The State of Nevada confirmed a 'network security incident' on 25 August that prompted the closure of in-person government offices and the temporary takedown of state websites and phone lines while 24/7 recovery efforts continue. The Governor's Office said emergency call-taking and essential services remain available and that temporary routing and operational workarounds are in place. There is currently no evidence that personally identifiable information was compromised, but residents were advised to be cautious of unsolicited calls, emails or texts requesting personal information or payments. The matter is under active investigation and agencies will announce reopening timelines.

🔒 Anthropic said it disrupted a sophisticated July 2025 operation that weaponized its AI chatbot Claude and the agentic tool Claude Code to automate large-scale theft and extortion targeting at least 17 organizations across healthcare, emergency services, government and religious institutions. The actor exfiltrated personal, financial and medical records and issued tailored ransom demands in Bitcoin from $75,000 to over $500,000. Anthropic reported building a custom classifier and sharing technical indicators with partners to mitigate similar abuses.

🔍 Group-IB links a broad cyber-espionage campaign, active since 2023 and ongoing into mid‑2025, to the ShadowSilk cluster targeting Central Asian and Asia‑Pacific government organizations. The operation, which has compromised at least 35 government victims, primarily seeks data theft and distributes stolen material on dark web forums. ShadowSilk uses phishing with password‑protected archives, commodity web panels such as JRAT and Morf Project, and post‑compromise tools like Cobalt Strike and Metasploit. Researchers found indicators of both Russian‑ and Chinese‑language operators and advise stronger email defenses, strict application control, regular patching and proactive threat hunting.

🔎 Group-IB attributes a new cluster dubbed ShadowSilk to recent intrusions against 35 government and related organizations across Central Asia and APAC. The operators employ spear-phishing with password-protected archives to deploy a custom loader that conceals command-and-control traffic using Telegram bots and achieves persistence via Windows Registry modifications. Observed tooling includes web shells (ANTSWORD, Behinder, Godzilla, FinalShell), tunneling utilities, Cobalt Strike, and bespoke credential-stealing components used to exfiltrate data.

🛡️ U.S. and international agencies warn that People's Republic of China (PRC) state-sponsored actors have been compromising global networks since at least 2021 to collect communications and other intelligence. Actors targeted telecommunications backbone routers, provider- and customer-edge devices, and infrastructure across government, transportation, lodging, and military sectors. They exploited known CVEs (for example CVE-2024-21887, CVE-2024-3400, Cisco CVEs), modified devices to maintain persistence using on-box PCAP/containers and tunnels, and exfiltrated data via peering and covert channels. The advisory includes IP indicators, binary hashes, Yara/Snort rules, hunting guidance, and prioritized mitigations to patch, isolate management planes, harden credentials, and detect PCAP creation.

🚨 CISA, the NSA, the FBI, and international partners released a joint advisory detailing ongoing malicious activity by PRC state-sponsored APT actors seeking long-term access to critical infrastructure worldwide. The advisory highlights exploitation of vulnerabilities in routers and edge devices used by telecommunications and infrastructure operators, and notes actors' evasion and persistence tactics. It urges organizations to patch known exploited vulnerabilities, enable centralized logging, secure edge infrastructure, and hunt for signs of compromise immediately.

🔒 CISA and public- and private-sector partners are assisting Nevada following an August 24 cyber attack, focusing on restoring networks that support lifesaving and critical services. At the state's request, CISA Threat Hunting teams are actively examining systems to determine the full scope of impact and mitigate threats. The agency also advised on FEMA emergency response grants, and the FBI is supporting the investigation.

🔒 CISA, the NSA, the FBI, and international partners issued a joint advisory describing People’s Republic of China state-sponsored APT actors compromising networks worldwide to support long-term espionage. Investigations through July 2025 reveal these actors exploit vulnerabilities in large backbone provider edge and customer edge routers—often modifying firmware and configurations to evade detection and maintain persistent access. Affected sectors include telecommunications, government, transportation, lodging, and defense. The advisory urges network defenders, especially in high-risk sectors, to actively hunt for intrusions and apply the recommended mitigations.

🔒 A campaign tied to threat actor UNC6395 exploited compromised OAuth and refresh tokens associated with the Drift chat integration to exfiltrate data from Salesforce instances connected via Salesloft. Observed between Aug 8 and Aug 18, 2025, the actor executed targeted queries to retrieve Cases, Accounts, Users and Opportunities and hunted for credentials such as AWS access keys and Snowflake tokens. Salesloft and Salesforce invalidated tokens, removed Drift from AppExchange, and advised affected customers to re-authenticate integrations and rotate credentials.

⚠️ Recorded Future's Insikt Group attributes five distinct activity clusters to the actor Blind Eagle (tracked as TAG-144) active between May 2024 and July 2025. The campaigns largely targeted Colombian government agencies across local, municipal, and federal levels using spear-phishing, cracked and open-source RATs (including AsyncRAT, Remcos, DCRat, and Lime RAT) and legitimate internet services for staging. Operators abused dynamic DNS, VPS and VPN services and leveraged geofencing and compromised accounts to redirect or evade detection.

🔍 ESET researchers uncovered PromptLock, identified as the first known AI-powered ransomware capable of exfiltrating and encrypting data, with a potential destructive function that appears not yet implemented. The proof-of-concept uses the gpt-oss-20b model locally via the Ollama API to generate malicious Lua scripts on the fly for filesystem enumeration, targeted data exfiltration and encryption. The sample is written in Golang and both Windows and Linux variants were uploaded to VirusTotal.