
All news in category “Incidents and Data Breaches”

2742 articles · page 13 of 138

Critical Flaw Turns Vect Ransomware into Data Wiper

⚠ Check Point Research discovered a critical implementation bug in Vect 2.0 that causes files larger than 131,072 bytes (128 KB) to be permanently destroyed rather than recoverably encrypted. The ransomware uses raw ChaCha20-IETF without the Poly1305 MAC and a faulty nonce-handling routine that discards three of four decryption nonces, effectively turning the RaaS into a wiper across Windows, Linux and ESXi variants. Researchers also identified multiple additional coding and design errors that undermine the group's RaaS ambitions and affiliate program.

Fake VS Code Extensions Linked to GlassWorm Surge Escalation

🛡️ Security researchers at Socket uncovered 73 additional fraudulent Open VSX extensions impersonating trusted developer tools; many ship initially benign code to evade scanners and only later fetch a GlassWorm loader. The extensions act as thin loaders, sometimes bundling native binaries, and connect to newly created repositories to download malicious updates. Of the 73, small subsets were activated in staged waves; Socket notified the Eclipse Foundation, and most have been removed.

VECT 2.0 Ransomware Bug Destroys Large Files in Enterprises

⚠️ VECT 2.0 ransomware contains a nonce-handling defect that overwrites per-chunk nonces when encrypting files, leaving only the final nonce saved. As a result, files larger than about 128 KB are partially unrecoverable — roughly only the last quarter can be decrypted — causing the malware to act like a wiper for many enterprise assets. Check Point researchers report the flaw affects Windows, Linux and ESXi builds and means victims cannot recover corrupted data even if they pay.

Vimeo Confirms Customer Data Exposed After Anodot Breach

🔒 Vimeo says an unauthorized actor accessed certain user and customer data following the breach at Anodot. Initial findings indicate the impacted databases primarily contained technical data, video titles and metadata, and, in some cases, customer email addresses. Vimeo confirmed that uploaded video content, account credentials, and payment card information were not exposed, and that platform operations were unaffected. The company has disabled Anodot credentials, removed the integration, and engaged third-party security experts and law enforcement to investigate.

LofyGang Returns Targeting Minecraft with LofyStealer

🛡️ A Brazil-based cybercrime group known as LofyGang has resurfaced after more than three years, deploying a new infostealer called LofyStealer (aka GrabBot) that specifically targets Minecraft players. The malware is disguised as a game cheat called 'Slinky' and uses a JavaScript loader to drop and execute chromelevator.exe in memory to harvest browser data. It captures cookies, passwords, tokens, payment cards and IBANs across multiple browsers and exfiltrates them to a C2 at 24.152.36[.]241. ZenoX highlights a strategic shift to a malware-as-a-service model with free and premium tiers and warns that attackers are increasingly abusing GitHub, SEO-poisoned lures and other trusted platforms to distribute malicious payloads.

US Charges Scattered Spider Hacker Arrested in Finland

🔍 A 19-year-old dual U.S.-Estonian citizen arrested in Finland faces federal charges in the United States, accused of acting as a prolific member of the Scattered Spider hacking collective under the alias Bouquet. Prosecutors allege he helped extort millions through multiple breaches, including a March 2023 intrusion when he was 16 and a May 2025 attack on a multibillion-dollar luxury retailer that prompted an $8 million ransom demand and over $2 million in remediation costs.

Medtronic Confirms Corporate IT Breach After Claims

🔒 Medtronic has confirmed a data security incident in which an unauthorized party accessed certain internal corporate IT systems. The company said there was no disruption to products, patient safety or operations and that hospital networks managed by customers were not affected. Cybercrime group ShinyHunters previously claimed to have exfiltrated millions of records, but Medtronic has not verified those figures and is actively investigating with external cybersecurity specialists. If sensitive data access is confirmed, affected individuals will be notified and offered support services.

Checkmarx Confirms LAPSUS$ Leak of Stolen GitHub Data

🔒 Checkmarx confirmed that the LAPSUS$ group published data taken from its private GitHub repository after a March 23 supply-chain compromise tied to the Trivy incident. Investigators say credentials harvested from that earlier intrusion enabled repository access and the insertion of malicious code. On April 22 attackers published malicious Docker images and VSCode/Open VSX extensions for Checkmarx’s KICS scanner that collected credentials, keys, tokens, and config files. Checkmarx states the 96GB leak originated from its GitHub, contains no customer data, and is under forensic review while the repository remains locked.

VECT 2.0 Flaw Turns Ransomware into Irreversible Wiper

⚠️ VECT 2.0 is effectively a destructive wiper rather than recoverable ransomware due to a critical implementation bug that discards key nonces during encryption. Check Point found that any file larger than 131,072 bytes loses three of four ChaCha20 nonces, rendering those chunks irrecoverable even if victims pay. The RaaS's Windows, Linux, and ESXi variants and affiliate model raise broad operational risk, but the technical flaw means payment will not restore most enterprise data.

VECT Ransomware Destroys Files; Paying Won't Recover Data

🛑 VECT is a destructive ransomware family that permanently destroys large files instead of producing recoverable encrypted copies, so paying the ransom will not restore data. The group leveraged partnerships with TeamPCP and BreachForums to build a massive affiliate pipeline to thousands of potential victims. An encryption bug affects Windows, Linux, and ESXi variants and has persisted since before the public 2.0 release. Check Point's Threat Emulation and Harmony Endpoint provide full protection against known variants.

Q1 2026 Internet Disruptions: Shutdowns, Outages, Attacks

🌐 This report reviews major Internet disruptions in Q1 2026, including prolonged government-directed shutdowns in Uganda and Iran, repeated national grid failures in Cuba, and physical damage to AWS facilities in the Middle East. It summarizes outages caused by power failures, severe weather, cable damage, technical faults, and military action, and highlights their scale and duration. The analysis is based on Cloudflare Radar observations and routing data and emphasizes systemic risks to connectivity.

Ransomware Turf War Between 0APT and KryBit Groups

🛡️ Halcyon reports a public feud between 0APT and newcomer KryBit after the rivals leaked each other's operational data online. 0APT initially published KryBit's administrator panel, operator details, affiliate information and victim negotiation files, prompting KryBit to retaliate by stealing and releasing 0APT's access logs, PHP source code and system files. The exchanges exposed fabricated victim claims, insecure infrastructure practices and forced both groups to consider rebuilding, rebranding and rotating infrastructure to remain viable.

Chinese National Extradited in Silk Typhoon Hacking Case

🔒 Xu Zewei, a 34-year-old Chinese national, has been extradited to the US and charged in connection with a series of intrusions between February 2020 and June 2021 allegedly tied to the Silk Typhoon campaign. US prosecutors allege Xu acted under direction of China's Ministry of State Security and used a private contractor, Shanghai Powerock Network Co. Ltd., to obscure government involvement. Authorities say early intrusions targeted US universities and COVID-19 researchers and later exploited Microsoft Exchange vulnerabilities; Xu faces counts including wire fraud, unauthorized access and identity theft, and his co-defendant remains at large.

French police arrest HexDex for about 100 data breaches

🔒 French authorities have arrested a 21-year-old who used the alias 'HexDex', suspected of carrying out around 100 data breaches since late 2025. Prosecutors say he was preparing another data dump when detained and has been charged with six offences, including aggravators for organised gang activity. Alleged victims include the Ministry of National Education, where the Compas trainee-teacher system exposed roughly 243,000 employee records, as well as registries, unions, cultural institutions, sports federations, food banks and hotel chains. Stolen files were redistributed on criminal marketplaces; his account page now displays a message saying it was seized.

BlueNoroff Targets Crypto Firms with AI-Enhanced Lures

🔒 Arctic Wolf attributes a large-scale spear-phishing campaign to BlueNoroff, a subgroup of the Lazarus Group, which targeted more than 100 cryptocurrency and fintech organizations across 20+ countries. The operation used typosquatted Zoom and Microsoft Teams links, manipulated Calendly invites, fake meeting interfaces and ClickFix-style clipboard injection to harvest credentials and wallet data. Researchers observed a self-sustaining deepfake pipeline, PowerShell-based C2, AES-encrypted browser payloads and Telegram-based exfiltration, with some intrusions persisting for 66 days.

Chinese Silk Typhoon Hacker Extradited to U.S. from Italy

🛡️ A Chinese national accused of ties to the Silk Typhoon group has been extradited to the United States from Italy to face charges alleging multiple cyber intrusions and theft of COVID‑19 vaccine research. U.S. prosecutors say 34-year-old Xu Zewei and co-defendant Zhang Yu carried out operations between February 2020 and June 2021 under direction of the MSS Shanghai State Security Bureau, exploiting zero-day vulnerabilities in Microsoft Exchange Server to deploy web shells for remote access. Xu, arrested in Milan in July 2025 while on vacation with his wife, has pleaded not guilty and maintains he is a case of mistaken identity; Zhang remains at large.

Robinhood Onboarding Flaw Used to Send Phishing Emails

🔒 Threat actors abused a flaw in Robinhood's account creation flow to inject arbitrary HTML into account confirmation emails, producing convincing "Unrecognized Device" warnings that directed recipients to a phishing site. The messages originated from noreply@robinhood.com and passed SPF and DKIM checks, which made them appear legitimate. Robinhood confirmed there was no systems breach or impact to customer funds and removed the vulnerable "Device:" field to remediate the issue. Recipients are advised to delete the emails and verify any suspicious alerts through the official app or website.

GlassWorm Returns via 73 OpenVSX Sleeper Extensions

🚨 A new wave of the GlassWorm campaign is targeting the OpenVSX ecosystem with 73 'sleeper' extensions that upload as benign clones of legitimate listings and later deliver malicious payloads via updates. Socket researchers say six extensions have already been activated to install malware, while the other packages are considered suspicious or dormant. The attackers use thin loaders that fetch secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript to retrieve and install payloads at runtime. Developers who installed any listed extensions should rotate all secrets and clean their development environments.

Canada Arrests Three Over SMS Blaster Phishing Device

📱 Canadian police arrested three men for operating an SMS blaster in Toronto that impersonates cellular towers to push phishing texts to nearby phones. Investigators said Project Lighthouse began in November 2025; searches on March 31 in Markham and Hamilton recovered multiple devices. Authorities estimate about 13 million instances of network entrapment and warn SMS is insecure, advising users to avoid following text links and use encrypted channels for sensitive communications.

Alleged Silk Typhoon Hacker Extradited to U.S. Courts

🛡️ A Chinese national, identified as Xu Zewei, has been extradited from Italy to the United States to face charges accusing him of conducting cyberespionage on behalf of China's Ministry of State Security (MSS). Prosecutors allege Xu worked as a contracted hacker for the group known as Silk Typhoon (also called Hafnium), carrying out intrusions from February 2020 to June 2021. The indictment ties him to attacks on COVID-19 research organizations and widespread exploitation of Microsoft Exchange zero-day vulnerabilities in late 2020, during which web shells were deployed to access mailboxes, move laterally, and exfiltrate data. Xu is expected to appear in federal court on multiple counts related to computer intrusions and conspiracy.