All news in category "Incidents and Data Breaches"

North Korean Hackers Use EtherHiding to Steal Crypto

⚠️ Google Threat Intelligence Group has linked a North Korean threat actor to EtherHiding, a technique that embeds malicious JavaScript inside smart contracts so the blockchain functions as a resilient command-and-control server. Tracked as UNC5342, the actor used EtherHiding within an elaborate social-engineering campaign to deliver JADESNOW and a JavaScript variant of INVISIBLEFERRET, leading to multiple cryptocurrency heists. The campaign targets developers via fake recruiters and deceptive coding tests on Telegram and Discord.

Over 266,978 F5 BIG-IP Instances Exposed to Remote Attacks

⚠️ Shadowserver Foundation reports 266,978 internet-exposed F5 BIG-IP instances after F5 disclosed a breach in which nation-state actors stole source code and information on undisclosed BIG-IP flaws. F5 issued patches addressing 44 vulnerabilities and urged immediate updates for BIG-IP, F5OS, BIG-IQ, and related products. CISA issued an emergency directive requiring federal agencies to patch or mitigate affected devices by set deadlines. Nearly half of the detected instances are in the United States, with most others across Europe and Asia.

Zero Disco: Fileless Rootkits Target Legacy Cisco Switches

⚠️Threat actors exploited a Cisco SNMP vulnerability (CVE-2025-20352) to achieve remote code execution on legacy IOS XE switches and install custom, largely fileless Linux rootkits that hook into the IOSd memory space, set universal passwords (including one containing 'Disco'), and hide processes and network activity. The rootkits spawn a UDP-based controller to toggle or zero logs, bypass access controls, and reset running-config timestamps to mask changes. Trend Micro also observed spoofed IP/MAC addresses and attempts to combine a retooled Telnet memory-access exploit to deepen persistence.

Email-bombing Abuse Exploits Lax Zendesk Authentication

📧 Cybercriminals abused a lack of authentication in the customer-service platform Zendesk to trigger mass ticket-creation notifications that appeared to come from hundreds of legitimate customer domains. KrebsOnSecurity received thousands of messages in rapid succession from brands including The Washington Post, Discord, NordVPN and more, with subjects ranging from alleged law-enforcement warnings to insults. Because some customers allow anonymous ticket creation and enable auto-responder triggers, replies and notifications were sent from those customers' domains, amplifying brand and inbox impact. Zendesk says it is investigating and recommends customers require verified ticket submission.

Cyberattack Disrupts Hohen Neuendorf City Administration

🔒 The Hohen Neuendorf city administration reported a cyberattack detected on October 7 that forced an immediate shutdown of its IT systems and left municipal operations running in a limited capacity. Contracted cybersecurity experts found indications attackers temporarily accessed and encrypted parts of the city's data holdings, preventing immediate inspection. Authorities say it cannot yet be confirmed whether personal data were stolen and that the city will notify affected individuals under GDPR if a data outflow is verified. Preliminary investigation points to security gaps at an external IT service provider that allegedly failed to report vulnerabilities as contractually required.

Prosper Data Breach Exposes Personal Data of 17.6M

🔒 Prosper has confirmed a data breach that may have exposed personal information for approximately 17.6 million customers. The company said unauthorized queries were made against customer and applicant databases and that the activity was shut down and access revoked on September 2. Prosper reported no operational disruptions or evidence of unauthorized account access or fund theft, has notified US law enforcement, and will offer affected customers credit monitoring once the scope is confirmed.

Hackers Steal Customer Data from Spanish Retailer Mango

🔒An external marketing service provider detected unauthorized access to customer personal data for the Spanish fashion company Mango. The attackers obtained first name, country, postal code, email address and telephone number for some customers, while last names, bank details and passwords were not accessed. Mango says its own systems remain secure and has notified the Spanish data protection authority (AEPD). Customers are urged to remain vigilant for phishing attempts via email, SMS or phone.

Microsoft Revokes 200+ Fraudulent Code-Signing Certificates

🔒 Microsoft disclosed it revoked more than 200 certificates after a threat actor tracked as Vanilla Tempest used them to fraudulently sign malicious binaries, including fake Microsoft Teams installers that delivered the Oyster backdoor and led to Rhysida ransomware deployments. The activity was detected in late September 2025 and disrupted earlier this month, and Microsoft has updated security solutions to flag the associated signatures. The actor abused SEO poisoning and bogus download domains impersonating Teams to distribute trojanized installers. Users are advised to download software only from verified sources and to avoid suspicious links or ads.

Nation-State Actor Steals F5 BIG-IP Source Code Exposed

🔒 On Oct. 15, 2025, F5 disclosed a nation-state compromise that exfiltrated source code and undisclosed vulnerability information from the BIG-IP product development and engineering knowledge platforms. F5 reports no evidence of modification to its software supply chain or access to CRM, financial, support case management, iHealth, NGINX or distributed cloud products. Unit 42 warns the theft could accelerate exploit development and recommends immediate patching, hardening, and targeted threat hunting for anomalous admin activity and configuration changes.

Sotheby's Data Breach Exposes Customer Financial Records

🔒 Sotheby's has notified customers that an intrusion detected on July 24 resulted in removal of sensitive data from its systems. After a two-month investigation the company determined exposed information includes full names, Social Security numbers and financial account details. Impacted individuals are being offered 12 months of free identity protection and credit monitoring through TransUnion while Sotheby's continues to assess the scope.

Sotheby's Breach Exposes Employee Financial Data Records

🔐 Sotheby's disclosed a cybersecurity incident first detected on July 24, 2025, after threat actors removed data from its environment. A two-month investigation found exposed information included full names, Social Security numbers and financial account details. The company notified impacted individuals and offered 12 months of identity protection and credit monitoring through TransUnion. An October update clarified the breach involved employees, not customers.

Have I Been Pwned Flags Prosper Breach Affecting 17.6M

🔐Prosper, a peer-to-peer lending marketplace, disclosed a security incident detected on September 2 that resulted in unauthorized access to company databases and the theft of customer and applicant data. While Prosper says it has found no evidence that attackers accessed customer accounts or funds, investigators report that Social Security numbers and other sensitive fields may have been exposed. Breach notification service Have I Been Pwned published that 17.6 million unique email addresses were impacted, though Prosper says it cannot yet validate that figure and is still determining which data elements were affected. The company has notified authorities and says it will offer free credit monitoring as appropriate.

Ransomware Victim Responses and Human Impact Analysis

🔒 Ransomware attacks inflict both operational and deep personal harm, often devastating small businesses lacking cash reserves and cybersecurity expertise. Research underscores lasting trauma, exhaustion, and financial ruin that can outlast technical recovery. Organizations should pair an incident response plan with compassionate leadership and employee support. Cisco Talos also warns of evolving supply‑chain campaigns targeting developers and job seekers, reinforcing the need for layered defenses.

Microsoft Disrupts Rhysida Ransomware Targeting Teams

🔒 Microsoft disrupted a campaign by the financially motivated group Vanilla Tempest (also tracked as VICE SPIDER/Vice Society) after revoking over 200 code signing certificates used to sign malicious Microsoft Teams installers. The attackers used malvertising and SEO-poisoned domains mimicking Teams to distribute fake MSTeamsSetup.exe files that deployed the Oyster backdoor. The intervention curtailed a wave of Rhysida ransomware launches.

North Korean Group Adopts EtherHiding for Malware Campaign

🔐 Google Threat Intelligence has linked a campaign to UNC5342, a cluster tied to North Korea, that now uses EtherHiding to distribute malware via smart contracts on public blockchains such as BNB Smart Chain and Ethereum. The attackers lure developers through LinkedIn recruitment ruses, move conversations to Telegram or Discord, and deliver npm-package downloaders that chain into BeaverTail, JADESNOW, and the Python backdoor InvisibleFerret. By embedding payloads in on-chain contracts, the group turns blockchains into tamper-resistant dead-drops that are hard to takedown and easy to update, enabling sustained cryptocurrency theft and long-term espionage.

Smart Contracts Abused to Serve Malware on WordPress

🪙 Google Threat Intelligence Group links a financially motivated actor, UNC5142, to widespread compromises of WordPress sites that leverage EtherHiding and on-chain smart contracts to distribute information stealers such as Atomic, Lumma, Rhadamanthys and Vidar. The campaign injects a multi-stage JavaScript downloader (CLEARSHORT) into plugins, themes and databases to query malicious BNB Smart Chain contracts, which return encrypted landing pages that use ClickFix social engineering to trick Windows and macOS users into executing stealer payloads. Google flagged roughly 14,000 infected pages through June 2025, and observed a move to a three-contract proxy-like architecture since November 2024 that improves agility and resistance to takedown.

LinkPro Rootkit Uses eBPF and Magic TCP Packets to Hide

🔒 An AWS-hosted compromise revealed a new GNU/Linux rootkit dubbed LinkPro, discovered by Synacktiv. Attackers leveraged an exposed Jenkins server vulnerable to CVE-2024-23897 and deployed a malicious Docker image (kvlnt/vv) to Kubernetes clusters, delivering a VPN/proxy (vnt), a Rust downloader (vGet) and vShell backdoors. LinkPro relies on two eBPF modules—Hide and Knock—to conceal processes and activate via a magic TCP packet, with a user-space fallback via /etc/ld.so.preload when kernel support is missing.

DPRK Hackers Adopt EtherHiding to Conceal Malware Campaigns

🔒 Google Threat Intelligence Group (GTIG) reports that a DPRK-aligned threat actor tracked as UNC5342 has employed EtherHiding since February to host and deliver malware via smart contracts on Ethereum and the BNB Smart Chain. Campaigns begin with fake technical interviews that trick developers into running a JavaScript downloader named JADESNOW, which fetches a JavaScript build of InvisibleFerret for in-memory espionage and credential theft. The method offers anonymity, takedown resistance, and low-cost, stealthy payload updates.

DPRK Actor UNC5342 Employs EtherHiding for Crypto Theft

🧩 GTIG reports that DPRK-linked UNC5342 has adopted EtherHiding, using smart contracts on public blockchains to store and deliver malicious JavaScript payloads. The actor leverages social engineering—fake recruiter lures and technical interviews—to deploy the JADESNOW downloader, which fetches and decrypts on-chain payloads and stages the Python backdoor INVISIBLEFERRET. Google recommends enterprise controls and Chrome management policies to disrupt this resilient, decentralized C2 method.

LastPass: Phishing campaign impersonates product, warns users

🔒 LastPass has confirmed it was not breached after detecting a targeted phishing campaign that mimicked its branding. The emails used the subject line "We Have Been Hacked - Update Your LastPass Desktop App to Maintain Vault Security" and came from spoofed senders such as hello@lastpasspulse.blog and hello@lastpassgazette.blog. Links in the messages redirected recipients to phishing sites (lastpassdesktop.com and lastpassgazette.blog), and attackers have also registered lastpassdesktop.app for potential follow-ups. Cloudflare is displaying warnings and LastPass said it is working to have the malicious domains taken down.