All news in category "Incidents and Data Breaches"

U.S. Congressional Budget Office Hit by Cyberattack

🔒 The U.S. Congressional Budget Office confirmed a cybersecurity incident after a suspected foreign hacker breached its network. The agency says it acted quickly to contain the intrusion, implemented additional monitoring and new security controls, and is investigating the scope of the compromise. Officials warned that emails and exchanges between CBO analysts and congressional offices may have been exposed, prompting some offices to halt communications with the agency.

Susvsex Ransomware Test Published on VS Code Marketplace

🔒 A malicious VS Code extension named susvsex, published by 'suspublisher18', was listed on Microsoft's official marketplace and included basic ransomware features such as AES-256-CBC encryption and exfiltration to a hardcoded C2. Secure Annex researcher John Tuckner identified AI-generated artifacts in the code and reported it, but Microsoft did not remove the extension. The extension also polled a private GitHub repo for commands using a hardcoded PAT.

Nikkei Slack Breach Exposes Data of Over 17,000 Users

🔐 Nikkei confirmed a breach of employee Slack accounts that may have exposed names, email addresses and chat histories for 17,368 registered users. The company says malware on an employee’s personal computer stole Slack authentication credentials and session tokens, enabling unauthorized access. The incident was identified in September; Nikkei implemented password changes and voluntarily reported the matter to Japan’s Personal Information Protection Commission. No reporting-source leaks have been confirmed.

Ransomware Breach: How Nevada's Systems Were Encrypted

🔒 The State of Nevada published a detailed after-action report describing how attackers used a trojanized system administration utility to establish persistent access and deploy ransomware across state infrastructure. The initial compromise occurred on May 14 and was detected on August 24, impacting more than 60 agencies and prompting a 28-day recovery that restored 90% of required data without paying a ransom. Nevada engaged external responders including Microsoft DART and Mandiant, and has since implemented account cleanups, password resets, certificate removals, and tightened access controls.

Hackers Blackmail Massage Parlour Clients in Korea

🔒 South Korean police uncovered a criminal network that used a malicious app to steal customer data from massage parlours and extort clients. The group tricked nine business owners into installing software that exfiltrated names, phone numbers, call logs and text messages, then sent threatening messages claiming to have video footage. About 36 victims paid between 1.5M and 47M KRW, with attempted extortion near 200M KRW. Authorities traced activity to January 2022 across Seoul, Gyeonggi and Daegu and made arrests in August 2023.

Phishing Campaign Targets Booking.com Partners and Guests

🔒 A large-scale phishing operation targeted Booking.com partner accounts and hotel staff, using impersonated emails and compromised hotel accounts to lure victims into running malicious commands. Attackers relied on redirection chains and the ClickFix social engineering tactic to execute PowerShell that delivered PureRAT. The remote access trojan enabled credential theft, screenshots and exfiltration, with stolen access sold or used to perpetrate payment fraud against guests.

Trojanized ESET Installers Deliver Kalambur Backdoor

🛡️ A Russia-aligned cluster tracked as InedibleOchotense impersonated Slovak vendor ESET in May 2025, sending spear-phishing emails and Signal messages to multiple Ukrainian organizations. Recipients were directed to domains such as esetsmart[.]com hosting a trojanized installer that deployed the legitimate ESET AV Remover alongside a C# backdoor dubbed Kalambur (aka SUMBUR). Kalambur leverages the Tor network for command-and-control and can install OpenSSH and enable RDP on port 3389 to facilitate remote access. ESET links the campaign to Sandworm sub-clusters and notes overlaps with activity reported by CERT-UA and EclecticIQ.

Nikkei Slack Account Compromise Exposes Employee Data

🔒 Nikkei disclosed that unauthorized actors used malware to infect an employee’s computer, obtain Slack credentials, and access accounts on the company's Slack workspace. The firm reports that data for possibly more than 17,000 employees and business partners — including names, email addresses and chat logs — may have been stolen. Nikkei discovered the incident in September and implemented password resets and other remediation measures. The company said there's no confirmation that sources or journalistic activities were affected.

DOJ Indicts 31 in High-Tech Rigging of Poker Games

🃏 The Department of Justice has indicted 31 people for using altered shuffling machines and other covert devices to rig high-stakes poker games. The modified shuffling machines read every card and relayed which player would win to off-site conspirators, who then communicated via cellphone to a table “Quarterback” who signaled accomplices. Victims lost tens to hundreds of thousands of dollars, and conspirators also used a chip-tray analyzer, an x-ray table, and special contact lenses or eyeglasses to read cards.

Organized fraud ring abused payment providers, stole €300M

🔍 Authorities across three continents executed coordinated raids and arrests in a probe that uncovered an organized fraud network accused of using stolen credit‑card data to create over 19 million fake subscriptions and siphon more than €300 million. Investigators say suspects exploited vulnerabilities at multiple payment service providers, operated hundreds of sham websites offering porn, dating and streaming services, and used small recurring charges with opaque descriptions to avoid detection. The operation, named Operation Chargeback, was halted in 2021 and is the focus of ongoing international legal assistance.

Sandworm Deploys Data Wipers Against Ukraine's Grain Sector

🔒Russian state-backed Sandworm (aka APT44) deployed multiple data-wiping malware families in June and September 2025, targeting Ukrainian education, government, and grain-production organizations. ESET says these wipers — distinct from ransomware — corrupt files, partitions, and boot records to prevent recovery and cause long outages. Some intrusions began with access by UAC-0099, which then handed access to APT44 for destructive payloads.

Hackers Use Hyper-V to Hide Linux VM and Evade EDR

🔒 Bitdefender researchers report that the threat actor Curly COMrades enabled Windows Hyper-V on compromised hosts to run a lightweight Alpine Linux VM (≈120MB disk, 256MB RAM). The hidden VM hosted custom tooling, notably the C++ reverse shell CurlyShell and the reverse proxy CurlCat. By isolating execution inside a VM the attackers evaded many host-based EDRs and maintained persistent, encrypted command channels.

SonicWall Attributes September Backup Breach to State Actor

🔐 SonicWall has confirmed a state-sponsored threat actor was responsible for a September breach that exposed cloud-stored firewall configuration backup files. The company said the unauthorized access used an API call against a specific cloud environment and affected backups for fewer than 5% of customers. SonicWall engaged Google-owned Mandiant, implemented recommended mitigations, and released an Online Analysis Tool and a Credentials Reset Tool. Customers are advised to log in to MySonicWall.com to review devices and reset impacted credentials.

Cloudflare Removes Aisuru Botnet Domains from Rankings

🛡️ Cloudflare has begun redacting and hiding domains tied to the rapidly growing Aisuru botnet after those malicious hostnames repeatedly appeared atop its public domain rankings. The botnet — comprised of hundreds of thousands of compromised IoT devices — recently shifted from querying 8.8.8.8 to 1.1.1.1, flooding Cloudflare’s resolver and skewing popularity metrics. Cloudflare says attackers are likely both manipulating rankings and mounting attacks on its DNS service, and the company is refining its ranking algorithm while removing known malicious entries.

Smashing Security #442: Clock Hack and Rogue Negotiators

🕒 In episode 442 of Smashing Security, Graham Cluley and guest Dave Bittner examine a state-backed actor that spent two years tunnelling toward a nation's master clock, creating the potential for widespread disruption to time-sensitive systems. They also discuss a disturbing case where ransomware negotiators allegedly turned rogue and carried out their own hacks. The discussion highlights investigative findings, operational impacts, and lessons for defenders tasked with protecting critical infrastructure.

Gootloader Returns After Seven Months With Evasion Tricks

🛡️ Gootloader has resumed operations after a seven-month pause, using SEO poisoning to promote fake legal-document sites that trick users into downloading malicious ZIP archives containing JScript loaders. The campaign now employs novel evasion techniques — a custom web font that renders readable keywords in the browser while the HTML source remains gibberish, and malformed ZIPs that extract a .js in Windows Explorer but a benign .txt for many analysis tools. Infected hosts receive follow-on payloads such as Cobalt Strike, backdoors including the Supper SOCKS5 implant, and bots that provide initial access for ransomware affiliates.

Russian APT Uses Hyper‑V VMs for Stealth and Persistence

🛡️ Bitdefender researchers describe how the Russia-aligned APT group Curly COMrades enabled Windows Hyper-V to deploy a minimal Alpine Linux VM on compromised Windows 10 hosts, creating a hidden execution environment. The compact VM (≈120MB disk, 256MB RAM) hosted two libcurl-based implants, CurlyShell (reverse shell) and CurlCat (HTTP-to-SSH proxy), enabling C2 and tunneling that evaded many host EDRs. Attackers used DISM and PowerShell to enable and run the VM under the deceptive name "WSL," and also employed PowerShell and Group Policy for credential operations and Kerberos ticket injection. Bitdefender warns that VM isolation can bypass EDR and recommends layered defenses including host network inspection and proactive hardening.

Hyundai AutoEver America: SSNs and IDs Exposed in Systems

🔐 Hyundai AutoEver America (HAEA) says hackers breached its IT environment, with the intrusion discovered on March 1, 2025. The investigation found unauthorized access dating back to February 22, 2025, and last observed activity on March 2, 2025. Affected data reportedly includes names and, according to the Massachusetts portal, Social Security numbers and driver's licenses. HAEA engaged external cybersecurity experts and law enforcement; the scope and number of individuals impacted remain unclear.

SonicWall: State-Sponsored Hackers Behind September Breach

🔒 SonicWall says a Mandiant-led investigation concluded that state-sponsored actors accessed cloud-stored firewall configuration backup files in September. The company reports the activity was isolated to a specific cloud environment and did not affect SonicWall products, firmware, source code, or customer networks. As a precaution, customers were advised to reset account credentials, temporary access codes, VPN passwords, and shared IPSec secrets. SonicWall also stated there is no connection between the breach and separate Akira ransomware activity.

Operation Chargeback: Dismantling Global Card-Fraud Rings

🔍 Operation Chargeback led to coordinated raids and arrests targeting three alleged international fraud and money-laundering networks that exploited stolen payment data from more than 4.3 million cardholders across 193 countries. Authorities executed 60 searches and 18 arrest warrants after nearly five years of investigation, seizing assets and digital evidence. Investigators say the groups generated roughly 19 million fraudulent subscription charges, abused payment-provider systems and used shell companies to launder proceeds while masking low-value recurring fees to avoid detection.