All news in category "Incidents and Data Breaches"

Scattered Lapsus$ Extortion Site Goes Dark — Next Steps

🔒 Police seized several domains tied to the Scattered Lapsus$ Hunters extortion network, but one dark‑web mirror remained briefly accessible and was used to publish alleged data on October 10. The site listed victims including Qantas, Vietnam Airlines, Albertsons, GAP, Fujifilm, and Engie Resources, with claimed volumes from millions to hundreds of thousands of records. Authorities caution that domain seizures are tactical wins: actors often resurrect forums from backups or migrate to platforms such as Telegram, and the group has even promised a 2026 return with a subscription-based extortion-as-a-service model.

US Seizes $15 Billion in Crypto from Scam Kingpin Leader

💰 The U.S. Department of Justice has seized $15 billion in bitcoin tied to Chen Zhi, leader of the Prince Group, a transnational criminal network that ran large-scale “pig butchering” cryptocurrency investment and romance scams. Unsealed court documents describe fortified forced-labor compounds in Cambodia, automated call centers, and over 100 shell companies spanning 30+ countries. The Treasury’s OFAC also sanctioned Chen Zhi and 146 associates as part of the coordinated action.

Chinese Hackers Turn ArcGIS Server into Year-Long Backdoor

🛡️ReliaQuest attributes a campaign to China-linked group Flax Typhoon that compromised a public-facing ArcGIS server by converting a Java Server Object Extension (SOE) into a gated web shell, maintaining access for over a year. The attackers embedded a hard-coded key and hid the backdoor in system backups to survive full system recovery. They uploaded a renamed SoftEther executable (bridge.exe), created a "SysBridge" service to persist, and used an outbound HTTPS VPN bridge to extend the victim network for covert lateral movement. Investigators observed credential theft, admin account resets, and extensive living-off-the-land activity to evade detection.

Chinese APT Abuses ArcGIS SOE for Year-Long Persistence

🔒 Researchers say a Chinese state-linked actor, likely Flax Typhoon, exploited a component of the ArcGIS geo-mapping platform to maintain undetected access for over a year. Using valid admin credentials, the attackers uploaded a malicious Java SOE that acted as a web shell, accepting base64-encoded commands via a REST parameter protected by a hardcoded secret. They then installed SoftEther VPN as a Windows service to create an outbound HTTPS tunnel to 172.86.113[.]142 on port 443, enabling persistent lateral movement and credential harvesting even if the SOE were removed.

Chinese APT Abuses ArcGIS Component to Maintain Backdoor

🔐 ReliaQuest linked the campaign to the Flax Typhoon APT, which converted a legitimate public-facing ArcGIS Java server object extension (SOE) into a stealthy web shell. The group activated the SOE through a standard ArcGIS REST extension, embedding a base64-encoded payload and a hardcoded key to trigger command execution while hiding activity behind normal portal operations. Attackers uploaded a renamed SoftEther VPN binary to preserve access and targeted IT workstations, and the SOE was later found in backups, enabling persistence after remediation. ReliaQuest warns organisations to go beyond IOC detection, proactively hunt for anomalous behaviour in trusted tools, and treat every public-facing application as a high-risk asset.

New SonicWall SSLVPN Compromises Linked to Credentials

🔒 Huntress reports a fresh wave of compromises targeting SonicWall SSLVPN appliances in early October, affecting at least 16 organizations and more than 100 accounts. Attackers are authenticating with valid credentials rather than brute forcing, often from recurring attacker-controlled IPs. Some sessions involved internal reconnaissance and attempts against Windows administrative accounts, but Huntress says it has no evidence linking the activity to September’s MySonicWall cloud backup disclosure. It urges administrators to reset credentials, restrict remote management, review SSLVPN logs, and enable MFA.

Malicious npm, PyPI and RubyGems Packages Use Discord C2

⚠️ Researchers at a software supply chain security firm found multiple malicious packages across npm, PyPI, and RubyGems that use Discord webhooks as a command-and-control channel to exfiltrate developer secrets. Examples include npm packages that siphon config files and a Ruby gem that sends host files like /etc/passwd to a hard-coded webhook. The investigators warn that webhook-based C2 is cheap, fast, and blends into normal traffic, enabling early-stage compromise via install-time hooks and build scripts. The disclosure also links a large North Korean campaign that published hundreds of malicious packages to deliver stealers and backdoors.

Cyberattack Targets German Federal Employment Agency

🔒 In a coordinated operation, eight suspects attempted to hijack unemployment payments by accessing roughly 20,000 accounts of the Federal Employment Agency (BA) between late January and mid‑March. Investigators report about 1,000 accounts were accessed and bank details altered in 150 cases; early intervention limited losses to under €1,000. Searches across several states recovered devices, cash, weapons and narcotics, and two suspects are currently detained.

Researchers Expose TA585 Delivering MonsterV2 RAT via Phishing

🔎 Proofpoint researchers detailed a previously undocumented actor, TA585, observed delivering the off‑the‑shelf malware MonsterV2 through tailored phishing chains. The actor appears to manage its entire operation — infrastructure, delivery, and payload installation — employing web injections, CAPTCHA overlays and ClickFix social engineering to trigger PowerShell or Run commands. MonsterV2 functions as a RAT, stealer and loader with HVNC, keylogging, clipboard clippers and a C++ crypter (SonicCrypt) to evade detection. Proofpoint also links parts of the infrastructure to other stealer campaigns and highlights commercialized pricing and geographic filtering in its monetization.

SimonMed: 1.2M Patients Affected in January Breach

🔒 SimonMed Imaging is notifying more than 1.2 million individuals that attackers accessed its network between January 21 and February 5, 2025. The company says hackers stole data and the Medusa ransomware group claimed a 212 GB exfiltration and published proof files including ID scans, medical reports, payment details and raw scans. SimonMed reset passwords, implemented multifactor authentication, deployed EDR, removed vendor access, restricted traffic, notified law enforcement and is offering affected people free Experian identity monitoring.

Massive Multi-Country Botnet Targets US RDP Services

🔍 Researchers at GreyNoise have identified a large-scale, multi-country botnet that began targeting Remote Desktop Protocol (RDP) services in the United States on October 8. The campaign uses over 100,000 IP addresses and employs two RDP-specific techniques: RD Web Access timing attacks to infer valid usernames and RDP Web Client login enumeration to observe differing server behaviors. Nearly all sources share a common TCP fingerprint, indicating coordinated clusters. Administrators should block attacking IPs, review RDP logs, and avoid exposing remote desktop services to the public internet—use VPNs and enable multi-factor authentication.

SonicWall SSLVPN Accounts Breached With Stolen Credentials

🛡️ Researchers report that threat actors have compromised more than a hundred SonicWall SSLVPN accounts in a large-scale campaign that began on October 4 and persisted through at least October 10. The attackers appear to be using valid, stolen credentials rather than brute-force methods, and many malicious requests originated from IP 202.155.8[.]73. After authenticating, actors conducted reconnaissance and attempted lateral movement to access numerous local Windows accounts; investigators recommend immediate secret rotation, strict access restrictions, and multi-factor authentication for all admin and remote accounts.

Spain Arrests Leader of GXC Team Phishing Operation

🚨 Spanish authorities have arrested a 25-year-old Brazilian national accused of leading the GXC Team, a Crime-as-a-Service operation that sold phishing kits, Android malware and AI-based tools to cybercriminals. The Guardia Civil detained the suspect known as "GoogleXcoder" after a year-long investigation and six coordinated raids across Spain. Investigators seized devices containing source code, client communications and cryptocurrency records, and identified six suspected accomplices. The probe, supported by Group-IB and Brazil's Federal Police, remains ongoing as authorities disable the group's online infrastructure.

Stealit Infostealer Campaign Deploys via Fake VPN Apps

🛡️ FortiGuard Labs has identified a campaign distributing the Stealit infostealer via disguised game and VPN installers shared on file‑hosting sites and platforms like Discord. Attackers use Node.js Single Executable Apps (SEA) and PyInstaller bundles, heavy obfuscation and multiple anti‑analysis techniques to avoid detection. Once executed, Stealit harvests data from browsers, game clients, messaging apps and cryptocurrency wallets, and its operators rotate C2 domains while marketing the toolkit commercially.

Aisuru IoT Botnet Cripples Major US ISPs at 29.6 Tbps

⚠️ Aisuru, an IoT botnet derived from Mirai, generated a nearly 29.6 Tbps DDoS surge on Oct. 8, 2025, briefly disrupting major US ISPs and online gaming platforms. Logs show most attack traffic originated from compromised home routers, IP cameras and DVRs on networks operated by AT&T, Comcast, Verizon, T‑Mobile and Charter. TCPShield reported over 15 Tbps of junk traffic, and researchers warn Aisuru now operates as both a DDoS engine and a residential proxy network.

Botnet Uses 100,000 IPs in Massive RDP Attack Wave

🛡️ GreyNoise researchers uncovered a massive RDP attack wave using more than 100,000 IP addresses across over 100 countries, which analysts link to a single large botnet targeting U.S. Remote Desktop infrastructure. The attackers used two enumeration techniques — an RD Web Access timing attack to infer valid usernames and an RDP Web Client login enumeration to guess credentials — enabling efficient compromise while reducing obvious alerts. GreyNoise published a dynamic blocklist template, microsoft-rdp-botnet-oct-25, and recommends that organizations review logs for unusual RDP access patterns and automatically block associated IPs at the network edge.

Harvard Probes Data Breach Linked to Oracle Zero-Day

🔒 Harvard University is investigating a data breach after the Clop ransomware gang listed the school on its data leak site and attributed the incident to a recently disclosed Oracle E-Business Suite zero-day (CVE-2025-61882). A Harvard IT spokesperson said the issue affected a limited number of parties within a small administrative unit and that a patch from Oracle was applied upon receipt. The university reports no evidence of broader compromise while it continues monitoring.

Researchers Warn RondoDox Botnet Expands Exploitation

🔍 Trend Micro warns that RondoDox botnet campaigns have significantly expanded their targeting, exploiting more than 50 vulnerabilities across over 30 vendors to compromise routers, DVR/NVR systems, CCTV devices, web servers and other networked infrastructure. First observed by Trend Micro on June 15, 2025 via exploitation of CVE-2023-1389, and first documented by Fortinet FortiGuard Labs in July 2025, the threat now leverages a loader-as-a-service model that co-packages RondoDox with Mirai/Morte payloads, accelerating automated, multivector intrusions. The campaign includes 56 tracked flaws—18 without CVEs—spanning major vendors and underscores urgent detection and remediation needs.

FBI and French Police Seize BreachForums Domain Again

🛡️ US and French authorities say they have seized at least one clearweb domain used by the cybercrime forum BreachForums, which has been acting as a leak site linked to recent Salesforce breaches. Screenshots of the site display logos for the FBI, DOJ, BL2C and JUNALCO, although the forum's .onion instance appears still accessible. Reports suggest breachforums[.]hn was disrupted while threat actors such as ShinyHunters claim backups and backend servers were compromised or destroyed. Experts warn the seizure may yield valuable historical data for investigations, but will not immediately stop ongoing extortion of victims.

Millions of Qantas Customers' Data Published Online

🔐 Around three months after an early-July cyberattack, hackers have published online data reportedly belonging to up to 5.7 million Qantas customers. The airline says the information was stolen via a third-party provider's platform and included names, emails, phone numbers, dates of birth and frequent flyer numbers, but not credit card, financial or passport data. Qantas obtained an Australian court injunction prohibiting use of the information; the data appeared on both the dark web and publicly accessible sites.