< ciso
brief />
Incidents and Data Breaches Banner

All news in category “Incidents and Data Breaches

3001 articles · page 142 of 151

Feds Seize VerifTools Marketplace Selling Fake IDs

🚨 U.S. and Dutch authorities dismantled VerifTools, an illicit marketplace that produced and sold counterfeit driver's licenses, passports, and other identity documents used to bypass verification systems and facilitate fraud. Two domains and a blog were seized and redirected to an FBI splash page after servers in Amsterdam were confiscated. The FBI linked roughly $6.4 million in illicit proceeds to the service, which offered forged documents for as little as $9. Operators have since signaled a relaunch on a new domain.
read more →

TransUnion Breach Exposes Data of 4.5 Million US Consumers

🔐 TransUnion has disclosed unauthorized access to a third-party application serving its US consumer support operations, affecting nearly 4.5 million Americans. The company says the incident exposed specific personal data elements but did not include credit reports or core credit information. Detected July 30 after an intrusion on July 28, TransUnion is offering free credit monitoring and proactive fraud assistance while it enhances security controls.
read more →

Google: Salesloft Drift OAuth Breach Impacts Integrations

🔐 Google and Mandiant warn Salesloft Drift customers that OAuth tokens tied to the Drift platform should be treated as potentially compromised. Stolen tokens for the Drift Email integration were used to access email from a small number of Google Workspace accounts on August 9, 2025; Google stressed this is not a compromise of Workspace or Alphabet. Google revoked affected tokens, disabled the Workspace–Drift integration, and is urging customers to review, revoke, and rotate credentials across all Drift-connected integrations while investigations continue.
read more →

TamperedChef Malware Hidden in Fake PDF Editor Installers

🛡️ Cybersecurity researchers report a malvertising campaign that lures users to counterfeit sites offering a trojanized PDF installer for AppSuite PDF Editor, which drops an information stealer named TamperedChef. The installer presents a license prompt while covertly downloading the editor, setting persistence via Windows Registry autorun entries and scheduled tasks that pass --cm arguments. Analysts at Truesec and G DATA found the backdoor harvests credentials and cookies and can download additional payloads.
read more →

Google warns Salesloft breach hit some Workspace accounts

🔒 Google warns that the Salesloft Drift compromise is larger than first reported and included theft of OAuth tokens beyond the Salesforce integration. Threat actors used stolen tokens tied to the Drift Email integration to access a very small number of Google Workspace email accounts on August 9. Google says the tokens have been revoked, the Drift–Workspace integration is disabled, and affected customers were notified. Organizations using Drift should revoke and rotate all connected authentication tokens and review integrations for exposed secrets.
read more →

Supply-Chain Attacks on Nx and React Expose Dev Credentials

🔒 A coordinated supply-chain campaign compromised multiple npm packages — most notably the Nx build system — and used post-install scripts to harvest developer assets across enterprise environments. Wiz found the malware weaponized local AI CLI tools to exfiltrate filesystem contents, tokens, SSH keys, and environment variables. Separately, JFrog uncovered obfuscated malicious React packages designed to steal Chrome data. Vendors removed the packages and recommend rotating credentials, removing affected versions, and auditing developer and CI systems.
read more →

Fake IT Support Phishing Targets Microsoft Teams Users

🔒 Researchers at Permiso have uncovered phishing campaigns that abuse Microsoft Teams by impersonating IT support to trick employees into installing remote access tools like QuickAssist and AnyDesk. Attackers gain full control of compromised endpoints, deploy credential-stealing malware and establish persistence. Campaigns are linked to the financially motivated actor EncryptHub and use simple impersonation tactics that bypass email defences. Security teams should monitor unusual external Teams activity and verify unexpected support requests.
read more →

Salt Typhoon Exploits Router Flaws to Breach 600 Orgs

🔒Salt Typhoon, a China-linked APT, exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks edge devices to compromise and persistently control routers worldwide. The actors modified device configurations, created GRE tunnels, and used on-box Linux containers to stage tools and exfiltrate data. Agencies from 13 countries linked the campaign to three Chinese firms and warned of espionage impacting telecoms, government, transport, lodging, and military sectors.
read more →

Netherlands Confirms Salt Typhoon Targeting Small Telcos

🔍 Dutch intelligence agencies MIVD and AIVD have independently confirmed parts of U.S. findings that the Chinese-sponsored group Salt Typhoon targeted organizations in the Netherlands. Investigations in late 2024 indicate the group accessed the routers of primarily small ISPs and hosting providers. There is no evidence the threat actors moved deeper into internal networks. The agencies and the NCSC have shared threat intelligence and stressed that risks can be reduced but not entirely eliminated.
read more →

VS Code Marketplace Name Reuse Enables Malware Campaign

🔍 ReversingLabs has exposed a campaign in which malicious Visual Studio Code extensions exploited a name-reuse loophole on the VS Code Marketplace. A downloader extension named ahbanC.shiba executed the command shiba.aowoo to fetch a second payload that encrypted files and demanded one Shiba Inu token, although no wallet address was provided. The vulnerability arises because removed extensions free their names for reuse, contrary to Marketplace guidance that names are unique. Researchers demonstrated the issue by republishing test extensions under previously used names and warned developers to exercise greater caution when installing Marketplace packages.
read more →

Nevada Confirms Ransomware Attack, Data Exfiltrated

🔒 Nevada has confirmed a ransomware attack that resulted in data being exfiltrated from state networks. Tim Galluzi, Nevada's chief information officer, said the incident was first detected on August 24 and was disclosed by the governor's office on August 25; he provided an update in a press conference on August 27. Systems and digital services were taken offline to prevent further intrusion, and a forensic investigation involving third-party specialists, the FBI and CISA is ongoing to determine the nature and scope of the stolen information. No criminal actor had claimed responsibility at the time of reporting.
read more →

Nx Build Supply-Chain Attack: Trojanized Packages Detected

🔐 The Nx package ecosystem was trojanized via a malicious post-install script, telemetry.js, which exfiltrated developer secrets from macOS and *nix environments. Stolen items included npm and GitHub tokens, SSH keys, crypto wallets, API keys and .env contents, uploaded to public GitHub repositories. Immediate actions include auditing Nx package versions, removing affected node_modules, rotating all potentially exposed secrets and monitoring repositories and Actions for misuse.
read more →

Malicious Nx npm Packages in 's1ngularity' Supply Chain

🔒 The maintainers of nx warned of a supply-chain compromise that allowed attackers to publish malicious versions of the npm package and several supporting plugins that gathered credentials. Rogue postinstall scripts scanned file systems, harvested GitHub, cloud and AI credentials, and exfiltrated them as Base64 to public GitHub repositories named 's1ngularity-repository' under victim accounts. Security firms reported 2,349 distinct secrets leaked; maintainers rotated tokens, removed the malicious versions, and urged immediate credential rotation and system cleanup.
read more →

Chinese Tech Firms Linked to Salt Typhoon Espionage

🔍 A joint advisory from the UK, US and allied partners attributes widespread cyber-espionage operations to the Chinese APT group Salt Typhoon and alleges assistance from commercial vendors that supplied "cyber-related products and services." The report names Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology and Sichuan Zhixin Ruijie Network Technology. It warns attackers exploited known vulnerabilities in edge devices to access routers and trusted provider connections, and urges immediate patching, proactive hunting using supplied IoCs, and regular review of device logs.
read more →

115,000 Phishing Emails Leveraged Google Classroom

Check Point uncovered a global phishing campaign that delivered 115,000 fake invitations via Google Classroom to about 13,500 organizations worldwide within a single week. Attackers used seemingly legitimate classroom invites to present unrelated commercial offers and instructed recipients to continue contact via WhatsApp, shifting conversations off monitored email channels. Because many filters treat messages from Google services as trustworthy, these messages often bypass conventional protections. Experts advise staff training, adoption of AI-driven detection that evaluates context and intent, and extending phishing defenses beyond email to collaboration and messaging platforms.
read more →

Crypto Firms Freeze $47M Linked to Romance Baiting

🔒 Several cryptocurrency firms, including Chainalysis, Binance, OKX and stablecoin issuer Tether, collaborated to block $46.9m in USDT tied to a Southeast Asia-based romance baiting (pig butchering) operation. Chainalysis traced payments from hundreds of victim wallets into five collector wallets and a consolidation address before funds were moved to intermediary accounts. At the direction of an APAC law enforcement agency, Tether froze the assets in June 2024, preventing those proceeds from reaching scammers.
read more →

US Treasury Sanctions DPRK IT-Worker Revenue Network

🛡️ The U.S. Treasury's Office of Foreign Assets Control (OFAC) announced sanctions on two individuals and two entities tied to a DPRK remote IT-worker revenue scheme that funneled illicit funds to weapons programs. Targets include Vitaliy Andreyev, Kim Ung Sun, Shenyang Geumpungri Network Technology Co., Ltd, and Korea Sinjin Trading Corporation. Treasury says nearly $600,000 in crypto-derived transfers were converted to U.S. dollars and that front companies generated over $1 million in profits. Officials also highlighted the group's use of AI tools to fabricate résumés, secure employment, exfiltrate data, and enable extortion.
read more →

Storm-0501 Deletes Azure Data and Backups After Exfiltration

🔒 Microsoft Threat Intelligence details a campaign by Storm-0501 that exfiltrated data from a large enterprise’s Azure environment, then deleted backups and encrypted remaining resources to block recovery. The actor abused Entra Connect synchronization, elevated to Global Administrator, and used Azure Owner privileges to steal storage keys and transfer blobs via AzCopy. Microsoft recommends enabling blob backups, least privilege, logging, and Azure Backup to mitigate these cloud-native ransomware tactics.
read more →

Chinese 'Salt Typhoon' Hackers Active in 80 Countries

🛡️ The FBI says the Chinese-linked hacker group Salt Typhoon has been observed operating in at least 80 countries, with activity reported across regions including the UK, Canada, Australia and New Zealand. U.S. authorities disclosed that the actors compromised U.S. telecommunications firms, exfiltrating more than one million connection records and targeting calls and SMS for over 100 Americans. A detailed technical analysis was published with international partners, including Germany's BSI, to help network defenders detect and remediate the intrusion, and U.S. officials now say the activity appears to have been contained.
read more →

Storm-0501 Exploits Entra ID to Exfiltrate Azure Data

🔐 Microsoft Threat Intelligence reports that the financially motivated actor Storm-0501 has refined cloud-native techniques to rapidly exfiltrate and delete data in hybrid Azure environments. The group leveraged on-premises footholds—using tools such as Evil-WinRM and a DCSync attack—to compromise an Entra Connect server and identify a non-human synced Global Admin account without MFA. With that account the attackers registered a threat actor-owned federated tenant as a backdoor, escalated Azure privileges, and proceeded to mass-extract data and remove resources and backups before extorting victims through compromised Microsoft Teams accounts. Microsoft has updated Entra ID behavior, released Entra Connect 2.5.3.0 to support Modern Authentication, and recommended enabling TPM, enforcing MFA, and other hardening controls.
read more →