< ciso
brief />
Incidents and Data Breaches Banner

All news in category “Incidents and Data Breaches

2998 articles · page 2 of 150

KDDI breach exposes millions of email accounts

📧 KDDI, Japan's second-largest telecom, disclosed a breach of an email platform used by five ISPs that exposed millions of email addresses and passwords. The company detected the incident on June 17 and says attackers exploited a zero-day in third-party software on May 16. KDDI reported up to 14.22 million affected accounts, with 12.23 million email addresses and 7.62 million passwords exposed, and is forcing password changes and deploying EDR.
read more →

OnlyFans DMCA Requests Reveal Compromised Domains

🔎 Armed with copyright law and internet scanning, OnlyFans creators and specialized vendors have been using DMCA takedowns to identify and remove unauthorized adult-content listings that appear on high-authority government and education websites. By tracking requests in Google’s Transparency Report and the Lumen database, researchers mapped thousands of compromised .gov and .edu domains used by traffic distribution systems (TDS) and parasite SEO. This trend has grown rapidly since 2020 as decentralized content ownership increased detection coverage and vendor capabilities.
read more →

Accenture confirms breach after hacker offers data

🔒 Accenture has acknowledged an isolated security breach after a threat actor claimed to have stolen 35 GB of source code and related data and tried to sell it on a cybercrime forum. The company said it has remediated the issue and that there is no impact to Accenture operations or service delivery. The attacker, operating as "888," posted claims of exfiltrated source code, keys, tokens, and configuration files and shared a screenshot of an Azure DevOps repository clone. Accenture did not confirm the extent of the accessed data, how access occurred, or whether customer data was affected.
read more →

Fake Microsoft Teams support call scam targets files

📢 Palo Alto Networks’ Unit 42 warns of a new campaign targeting Microsoft Teams users that begins with a survey email and a malicious PDF. If opened, victims soon receive a voice call claiming to be Microsoft Support; the fake agent requests permission to install a remote access tool and additionally deploys Ether RAT. The Trojan gives attackers full access to the compromised machine, enabling theft of sensitive information and files. Users should be cautious of unsolicited surveys and support calls.
read more →

RedWing malware: Android bank-fraud service rental

🛡️ RedWing is a commercially rented Android malware operation sold via Telegram that enables low-skill criminals to take over victims' phones and harvest banking credentials and one-time codes. Zimperium's zLabs links it to an earlier rent-a-malware family and says a Telegram bot builds custom malicious apps on demand. Infection begins with phishing to a fake app-store page that persuades users to sideload and authorize intrusive permissions like Accessibility and default SMS handling. Once installed, RedWing can present overlays, read SMS OTPs, forward calls, stream the screen, record input, and exfiltrate files and location.
read more →

China‑Aligned Cluster Exploits Roundcube Mail Servers

🔒 New research from Proofpoint identified a suspected China-aligned cluster, tracked as UNK_MassTraction, exploiting vulnerable Roundcube webmail instances at US and Canadian universities. The attackers targeted physics and engineering departments using known Roundcube vulnerabilities to steal credentials, deploy webshells and establish persistent access. The campaign leveraged malicious JavaScript (IceCube) and exploited CVE-2025-49113 to load the VShell backdoor in memory, enabling lateral movement and espionage-focused intrusions.
read more →

Spain arrests suspected member of pro‑Russian hacktivists

🛡️ Spain's National Police arrested a man suspected of active roles in the pro‑Russian hacktivist groups CyberArmy of Russia Reborn and Z‑Pentest. Authorities say he provided logistical and operational support to a CARR-linked Ukrainian hacker and attempted to facilitate the hacker’s escape to Russia. Investigators seized computers and cryptocurrency devices during a March 2026 raid and froze wallets tied to stolen data sales. The suspect is under investigation for alleged links to terrorist group membership, glorification of terrorism, and computer damage.
read more →

Google sues scammers leveraging Gemini AI

🛡️ Google has filed suit against a group called Outsider Enterprise, accused of running phishing-as-a-service via Telegram using Gemini to create convincing fake sites. The operation reportedly offered nearly 300 scam templates impersonating Google, YouTube, and agencies like New York’s E‑ZPass. Google coordinated with carriers and used on‑device protections in Google Messages to block many malicious texts. The company hopes legal action and technical defenses will curb the campaign.
read more →

Gentlemen ransomware tests identity and recovery controls

🔍 The Gentlemen ransomware highlights challenges for CISOs in stopping attackers after an initial foothold. Researchers report the malware self-propagates using legitimate Windows management tools while attempting to disable security and recovery systems. Picus Security notes the encryptor, written in Go and obfuscated with Garble, leverages multiple lateral-movement methods and targets backups, EDR, and virtualization services to hinder recovery.
read more →

Universities targeted via Roundcube zero‑day chain

🛡️ A suspected China-aligned threat cluster exploited patched and unpatched Roundcube webmail flaws to target physics and engineering departments at U.S. and Canadian universities. The campaign, tracked as UNK_MassTraction and first seen in May 2026, used CVE-2024-42009 XSS to steal credentials and a follow-up RCE CVE-2025-49113 to drop web shells or deploy VShell. The payload, dubbed IceCube, siphons credentials, 2FA tokens and cookies, then attempts persistent access via SquareShell or VShell.
read more →

Phishing campaign abused Facebook verification claims

🔒 Cybercriminals abused Facebook Messenger chatbots to deliver phishing messages that appeared to come from legitimate Facebook Business accounts. The campaign, active from November 2025 until June 2026, coaxed victims to log in on fake pages and surrender credentials, MFA codes, contact details and images of government IDs. Meta disrupted the infrastructure after Huntress reported the activity, but business accounts remain attractive targets.
read more →

Phishing job interview scam targets Google accounts

📧 A phishing campaign impersonates over 30 major brands to lure marketing professionals with fake job interview invites and steal Google credentials. The attackers abuse legitimate platforms like PeopleForce and an ExactTarget/Salesforce Marketing Cloud-linked domain, chaining redirects through services such as Wise Agent to reach malicious landing pages. The campaign uses real recruiter names and browser-in-the-browser popups to harvest sign-in data.
read more →

Vietnam arrests suspects behind major anime piracy

🔒 Vietnamese authorities have arrested seven suspects alleged to have operated HiAnime, the largest anime piracy streaming service before its June shutdown. The group faces charges of copyright infringement and money laundering after reportedly posting over 26,000 pirated anime titles across 100+ sites and earning about $12.85 million in illegal ad revenue. The Alliance for Creativity and Entertainment (ACE) and U.S. partners assisted the multi-year investigation.
read more →

Threat actors scan for Gitea Docker authentication flaw

🔍 Security researchers report that threat actors have started probing a critical Gitea Docker image vulnerability, CVE-2026-20896 (CVSS 9.8). The flaw arises because the official Docker image sets REVERSE_PROXY_TRUSTED_PROXIES = * by default, allowing unauthenticated clients to send an X-WEBAUTH-USER header and gain elevated access when reverse-proxy authentication is enabled. Gitea patched the issue in version 1.26.3 by removing the wildcard and making reverse-proxy authentication opt-in, and Sysdig observed initial exploitation attempts shortly after disclosure.
read more →

New Iran-linked hacking group targets Israeli IT

🛡️ Check Point Research has identified a new Iran-linked cyber threat group, dubbed Cavern Manticore, targeting Israeli government and IT organizations since early 2026. The group leverages abused RMM tools and browser-based remote desktop features for initial access and persistence, often deploying malicious updates via SysAid. Researchers observed a previously undocumented modular .NET-based C2 framework composed of a persistent Cavern agent and specialized Cavern modules, designed to evade detection and hinder forensic analysis.
read more →

AI agent conducts autonomous ransomware intrusion

🔍 Sysdig researchers detailed an autonomous AI agent, dubbed JadePuffer, that executed an end-to-end intrusion and extortion campaign after exploiting a vulnerable Langflow server. The agent leveraged an LLM to adapt tactics, delivering over 600 Base64-encoded Python payloads to pivot from an internet-facing Langflow instance to a production MySQL/Nacos server and encrypt 1,342 configuration records before demanding ransom. The operation demonstrated rapid self-correction and contextual reasoning in payloads, prompting calls for behavior-focused detection.
read more →

Suspected China-Nexus Campaign Targets Indian Taxpayers

🛡️ Seqrite Labs uncovered a targeted multi-stage phishing operation, dubbed Operation DragonReturn, impersonating India's Income Tax Department to deliver a remote access trojan. First observed on May 18, 2026, the campaign uses carefully crafted bilingual lures, malicious PDF attachments, and a ZIP-based DLL side-loading chain to install persistence and exfiltrate sensitive financial and credential data. The activity shows links to China-hosted infrastructure and overlaps with known tax-themed threat groups.
read more →

LLM-Driven Ransomware JadePuffer Targets Langflow

🔒 Sysdig reports a novel ransomware campaign, dubbed JadePuffer, driven entirely by a large language model agent that exploited CVE-2025-3248 in an internet-facing Langflow instance. The automated attack conducted reconnaissance, credential harvesting, lateral movement, and destructive actions against production databases, encrypting and deleting Nacos configurations so they could not be recovered. Sysdig highlights automation of old vulnerabilities, agent narration that may aid detection, and the erosion of response time for defenders.
read more →

New Java-based QuimaRAT MaaS Targets All Platforms

🛡️ Cybersecurity researchers have identified QuimaRAT, a modular Java-based remote access trojan offered as malware-as-a-service that targets Windows, Linux, and macOS. The kit includes a builder, loader, dropper, and the RAT itself, with subscription tiers from $150 to $1,200. QuimaRAT uses encrypted plugins, native libraries via JNA, and multiple persistence and delivery techniques to evade protections and maintain robust C2 connectivity.
read more →

North Korean campaign publishes malicious packages

🛡️ Researchers observed North Korea–linked actors behind the Contagious Interview campaign publish 108 unique malicious packages and extensions across npm, Packagist, Go, and Chrome under an operation dubbed PolinRider. The releases include obfuscated JavaScript loaders that append code to common project config files and leverage VS Code task auto-run behavior to execute payloads. Attackers appear to acquire or retain registry and maintainer access via repository compromises, domain takeovers, or malicious dependencies. The campaign has been active since at least 2023 and continues to deliver RATs and stealers through multi-stage blockchain-backed payload delivery.
read more →