All news in category “Incidents and Data Breaches”

🔒 Transparent Tribe (APT36) has been observed delivering weaponized desktop shortcut files to compromise both Windows and BOSS Linux systems at Indian government organizations. Reports from CYFIRMA, CloudSEK, Hunt.io, and Nextron Systems describe Go-based droppers, hex-encoded ELF payloads, and cron-based persistence. The campaign uses spear-phishing lures and typo-squatted domains with decoy PDFs to harvest credentials and target Kavach two-factor authentication, while deploying backdoors such as Poseidon and MeshAgent to maintain long-term access.

🔒 A 26-year-old man, Al-Tahery Al-Mashriky, has been jailed after UK National Crime Agency investigators linked him to the Yemen Cyber Army and uncovered evidence of widespread website breaches. Arrested in August 2022 in Rotherham, he defaced and compromised sites across North America, Yemen and Israel, including government and faith organisations. Forensically seized devices contained personal data, account credentials and other files that could facilitate fraud; he pleaded guilty and was sentenced to 20 months in prison.

🔒 Researchers identified a malicious Go module that masquerades as an SSH brute-force utility but secretly exfiltrates credentials to a threat actor via a hard-coded Telegram bot. The package, golang-random-ip-ssh-bruteforce, published on June 24, 2022 and still accessible on pkg.go.dev, scans random IPv4 addresses, attempts concurrent logins from a small username/password list, and disables host key verification. On the first successful login it sends the IP, username and password to @sshZXC_bot, which forwards results to @io_ping, allowing the actor to centralize harvested credentials while distributing scanning risk.

🛡️Fortinet supported INTERPOL’s Operation Serengeti 2.0 by providing preemptive threat intelligence—IOCs, command-and-control data, and forensic insights—that helped plan and execute cross-border takedowns. Conducted June–August 2025 with 18 African nations and nine private partners, the operation led to 1,209 arrests, dismantling of 11,432 malicious infrastructures, and recovery of $97.4 million. Fortinet also contributed investigator training and capacity building to sustain disruption efforts.

🔍 Europol has confirmed that a circulated Telegram post claiming a reward of up to $50,000 for information on senior Qilin ransomware operators is false. The message originated on a newly created channel (@europolcti) rather than on Europol's official accounts and was amplified by security outlets after being copied. The bogus announcement named alleged aliases "Haise" and "XORacle", and the channel poster later boasted about fooling researchers and journalists. Europol stressed that Qilin remains a significant threat, previously linked to an attack on a UK NHS provider with severe consequences.

🛡️ CrowdStrike warns that China-linked groups Murky Panda, Genesis Panda, and Glacial Panda have intensified cloud and telecommunications espionage, abusing trusted cloud relationships and internet-facing appliances to gain access. The actors exploit N-day and zero-day flaws, deploy web shells, and steal cloud credentials to establish persistence with tools such as CloudedHope. Targets include government, technology, financial, and telecom sectors, with operations tailored to covert intelligence collection and long-term access.

🔎 INTERPOL coordinated a multi-country crackdown that led to the arrest of 1,209 suspected cybercriminals across 18 African nations, targeting schemes that affected roughly 88,000 victims. The operation, the second phase of Operation Serengeti carried out between June and August 2025, recovered about $97.4 million and dismantled 11,432 malicious infrastructures. Private-sector partners including Group-IB and TRM Labs contributed intelligence on cryptocurrency fraud and ransomware links.

🔒 Pakistan Petroleum Limited (PPL) was struck by the Blue Locker ransomware, detected on 6 August, which appends a .blue extension to encrypted files and has reported deletion of backups and theft of some business and employee data. The incident encrypted servers and disrupted financial operations while recovery work proceeded in a phased manner. Pakistan's NCERT issued a high alert to 39 key ministries and institutions and warned of multiple distribution vectors. Organisations, especially critical infrastructure operators, are urged to verify and isolate backups, implement network segmentation and enhanced monitoring, and engage incident response and forensic teams as needed.

🛑 A former software developer was sentenced to four years in prison after intentionally sabotaging his employer's servers with custom malware that included a kill switch. Davis Lu, 55, abused his access in 2019 to introduce infinite-loop Java code, delete coworker profiles, and deploy a kill switch named 'IsDLEnabledinAD' that locked out users when his Active Directory account was disabled. The DOJ said the incident, reportedly at Eaton Corporation, disrupted thousands of users and caused hundreds of thousands of dollars in losses.

🧭 The author opens with a travel anecdote and practical reminders on securing devices while on the road, urging readers to update, back up, and avoid public charging or untrusted Wi‑Fi. The newsletter highlights field-tested precautions including disabling auto-connect, using VPNs or phone hotspots, enabling device tracking, and carrying power banks. It also warns of an active campaign by a Russian state-backed group targeting Cisco devices via CVE-2018-0171, urging immediate patching and hardening.

🛡️ Mandiant observed a campaign using the ClickFix social‑engineering lure to trick victims into copying and running PowerShell commands via the Windows Run dialog, yielding initial access tracked as UNC5518. That access is monetized and used by other groups to deploy a versatile backdoor, CORNFLAKE.V3, in PHP and JavaScript forms. CORNFLAKE.V3 supports HTTP-based payload execution, Cloudflare-tunneled proxying and registry persistence; researchers recommend disabling Run where possible, tightening PowerShell policies and increasing logging and user training to mitigate the risk.

🛡️ Microsoft Threat Intelligence and Microsoft Defender Experts describe the ClickFix social engineering technique, where attackers trick users into copying and pasting commands that execute malicious payloads. Observed since early 2024 and active through 2025, these campaigns deliver infostealers, RATs, loaders, and rootkits that target Windows and macOS devices. Lures arrive via phishing, malvertising, and compromised sites and often impersonate legitimate services or CAPTCHA verifications. Organizations should rely on user education, device hardening, and Microsoft Defender XDR layered protections to detect and block ClickFix activity.

🔒 A sophisticated phishing campaign impersonating Ledger targets Nano X and Nano S Plus users with an urgent fake firmware update notice. The email claims fragments of private keys were leaked and urges immediate action, but the sender and update domains are not affiliated with Ledger. A professionally designed scam site hosted on an unrelated domain uses a support chat to coax victims into entering their seed phrase, which grants full wallet access. Organizations and individuals should treat unsolicited firmware alerts cautiously and use trained security controls and awareness to avoid compromise.

🔍 Unit 42 observed a campaign exploiting CVE-2024-36401 in GeoServer to remotely deploy legitimate SDKs or apps that sell victims' internet bandwidth. The attackers leverage JXPath evaluation to achieve RCE across multiple GeoServer endpoints, then install lightweight binaries that operate quietly to monetize unused network capacity. This approach often uses unmodified vendor SDKs to maximize stealth and persistence while avoiding traditional malware indicators.

🔒 Noah Michael Urban, a 20-year-old member of the Scattered Spider cybercrime gang, was sentenced to 120 months in federal prison after pleading guilty to wire fraud and aggravated identity theft in April 2025. The court also ordered $13 million in restitution and three years of supervised release; Urban called the sentence unjust. Prosecutors say Urban and co-conspirators used SIM swapping and social engineering between August 2022 and March 2023 to steal at least $800,000 and hijack cryptocurrency accounts. His case is part of broader DoJ actions against Scattered Spider as the group forges alliances with other criminal collectives.

🔒 Since late 2024 CrowdStrike's Counter Adversary Operations has tracked MURKY PANDA, a China‑nexus actor targeting government, technology, academic, legal and professional services in North America. The group exploits internet‑facing appliances, rapidly weaponizes n‑day and zero‑day flaws, and deploys web shells (including Neo‑reGeorg) and the Golang RAT CloudedHope. CrowdStrike recommends auditing Entra ID service principals and activity, enabling Microsoft Graph logging, hunting for anomalous service principal sign‑ins, prioritizing patching of cloud and edge devices, and leveraging Falcon detection and SIEM capabilities.

🔒 A 20-year-old Florida man, Noah Michael Urban, was sentenced to 10 years in federal prison and ordered to pay about $13 million in restitution after pleading guilty to wire fraud and conspiracy. Prosecutors say Urban acted with members of Scattered Spider, using SIM-swapping and SMS phishing to divert calls and one-time codes and to phish employees into fake Okta pages. The campaign compromised access at more than 130 firms and enabled thefts of proprietary data and millions in cryptocurrency.

🛡️ In episode 431 of the Smashing Security podcast, Graham Cluley and guest Allan Liska examine a high-profile cloud-billing fraud in which a crypto influencer calling himself CP3O racked up millions in unpaid cloud costs through cryptomining schemes. They also highlight the growing threat of EDR‑killer tools that can silently disable endpoint protection to aid attackers. The show includes lighter segments on the Internet Archive’s Wayforward Machine and a visit to Mary Shelley’s grave, and carries a content warning for mature language and themes.

⚠️ Warlock is a ransomware operation that emerged in 2025 and uses double extortion — encrypting systems and threatening to publish stolen data to coerce payment. The group has targeted government agencies and critical service providers across Europe, and on August 12 a cyber incident disrupted UK telecom Colt Technology Services, with an alleged auction of one million stolen documents. Security analysts link recent intrusions to exploitation of the SharePoint vulnerability CVE-2025-53770, which Microsoft says is actively exploited; Microsoft has published analysis and urges immediate patching. Recommended mitigations include enforcing multi‑factor authentication, keeping security tools and software patched, maintaining secure off‑site backups, reducing attack surface, encrypting sensitive data, and educating staff on phishing and social engineering.

🔒 Cisco Talos identifies the threat cluster Static Tundra as a long-running, Russian state-sponsored actor that compromises unpatched and end-of-life Cisco networking devices to support espionage operations. The group aggressively exploits CVE-2018-0171 and leverages weak SNMP community strings to enable local TFTP retrieval of startup and running configurations, often exposing credentials and monitoring data. Talos also observed persistent firmware implants, notably SYNful Knock, and recommends immediate patching or disabling Smart Install, strengthening authentication, and implementing configuration auditing and network monitoring to detect exfiltration and implanted code.