All news in category "Incidents and Data Breaches"

Lazarus Targets UAV Sector with Operation DreamJob

🛩️ ESET researchers observed a renewed Operation DreamJob campaign that targeted European defense and UAV-related companies and has been linked to the North Korea-aligned Lazarus group. Attackers used social-engineering lures and trojanized open-source projects on GitHub to deliver loaders and the ScoringMathTea RAT. Techniques included DLL side-loading, reflective in-memory loading and encrypted C2 channels. The apparent objective was theft of proprietary UAV designs and manufacturing know-how.

Prison kiosk hack and new PCI DSS limits on Magecart

🔐 In episode 440 Graham Cluley and guest Scott Helme examine an unusual insider exploitation where Romanian prison self‑service web kiosks let inmates access and alter records. They also explore the growing threat of third‑party JavaScript on checkout pages and how the updated PCI DSS aims to curb Magecart‑style skimmers. Plus, the hosts cover automation with Keyboard Maestro and video creation using Screen Studio.

Iranian MuddyWater Targets 100+ Governments with Phoenix

⚠ State-sponsored Iranian group MuddyWater deployed version 4 of the Phoenix backdoor against more than 100 government and diplomatic entities across the Middle East and North Africa. The campaign began on August 19 with phishing sent from a NordVPN-compromised account and used malicious Word macros to drop a FakeUpdate loader that writes C:\ProgramData\sysprocupdate.exe. Researchers observed Phoenix v4 using AES-encrypted embedded payloads, COM-based persistence, WinHTTP C2 communications and an accompanying Chrome infostealer, while server-side C2 was taken offline on August 24, suggesting a shift in operational tooling.

Iran-Linked MuddyWater Targets 100+ Organisations Globally

🔒 Group-IB links a broad espionage campaign to Iran-aligned MuddyWater that leveraged a compromised email account accessed via NordVPN to send convincing phishing messages. The actor distributed weaponized Microsoft Word documents that coax recipients to enable macros, which execute VBA droppers that write and decode a FakeUpdate loader. FakeUpdate installs an AES-encrypted payload that launches the Phoenix v4 backdoor. Targets exceeded 100 organisations across the MENA region, predominantly diplomatic and government entities.

PhantomCaptcha Phishing Targets Ukraine Aid Groups

🕵️ SentinelOne describes a coordinated spear-phishing campaign named PhantomCaptcha that used booby-trapped PDFs and a fake Zoom site to deliver a WebSocket-based remote access trojan (RAT). The October 8, 2025 operation targeted members of humanitarian and government organizations connected to Ukraine, including Red Cross, UNICEF Ukraine, and several regional administrations. Victims were lured to a ClickFix-style fake Cloudflare CAPTCHA that prompted a malicious PowerShell command, which fetched an obfuscated downloader and a second-stage payload. The final WebSocket RAT connects to wss://bsnowcommunications[.]com:80 and enables remote command execution, data exfiltration, and further malware deployment.

PhantomCaptcha campaign targets Ukraine relief organisations

🛡️Researchers uncovered the 'PhantomCaptcha' phishing campaign that impersonated the Ukrainian President's Office to target humanitarian and government organisations supporting Ukraine relief efforts. Beginning 8 October 2025, malicious PDFs directed recipients to a fake Zoom site and a Cloudflare-like verification page that tricked users into executing PowerShell via a 'Paste and Run' technique. The multi-stage malware included a large obfuscated downloader, a reconnaissance module and a WebSocket-based RAT. SentinelLABS and the Digital Security Lab of Ukraine advise monitoring PowerShell, enforcing execution policies and tracking suspicious WebSocket connections.

FinWise Breach Highlights Encryption and Insider Risk

🔒 The FinWise data breach involved a former employee who retained credentials and accessed systems on May 31, 2024, exposing personal records for 689,000 American First Finance customers. The intrusion remained undetected until June 18, 2025, prompting lawsuits alleging inadequate encryption and weak security governance. Experts say robust protection requires not only encryption but effective key management, strict access controls, and proactive monitoring. Vendor solutions such as D.AMO are presented as integrated platforms combining encryption, an isolated KMS, and centralized control to mitigate insider risk.

MuddyWater Exploits Compromised Mailboxes in Global Phishing

🔒 Researchers have uncovered a global phishing campaign that used compromised mailboxes to deliver malicious Microsoft Word attachments, attributed with high confidence to the Iran-linked actor MuddyWater by Group-IB. The operation abused a NordVPN-accessed mailbox to send trusted-looking messages that prompted users to enable macros, which then installed the Phoenix v4 backdoor. Investigators also found RMM tools (PDQ, Action1, ScreenConnect) and a Chromium_Stealer credential stealer, while infrastructure traced to the domain screenai[.]online and an IP tied to NameCheap-hosted services.

PhantomCaptcha ClickFix Attack Targets Ukraine Relief Orgs

🛡️ A one-day spearphishing campaign named PhantomCaptcha targeted Ukrainian regional government officials and multiple war-relief organizations on October 8, using malicious PDFs that linked to a fake Zoom domain and impersonated the President’s Office. According to SentinelLABS, the operation used a fake Cloudflare CAPTCHA to trick victims into copying and pasting a token into the Windows Command Prompt, which executed a PowerShell downloader and deployed a WebSocket RAT. The lightweight RAT provided remote command execution and data exfiltration capabilities, and researchers found follow-on activity delivering spyware-laced Android APKs to users in Lviv.

Chinese Groups Exploit ToolShell SharePoint Flaw Widespread

🔒 Symantec reports that China-linked threat actors exploited the ToolShell vulnerability in Microsoft SharePoint (CVE-2025-53770) weeks after Microsoft issued a July 2025 patch, compromising a Middle Eastern telecom and multiple government and corporate targets across regions. Attackers used loaders and backdoors such as KrustyLoader, ShadowPad and Zingdoor, and in several incidents employed DLL side-loading and privilege escalation via CVE-2021-36942. Symantec notes the operations aimed at credential theft, stealthy persistence, and likely espionage, with activity linked to groups including Linen Typhoon, Violet Typhoon, Storm-2603 and Salt Typhoon.

Google Careers Phishing Targets Job Seekers' Credentials

🔒 Scammers are impersonating Google’s Careers recruiting outreach to trick job seekers into a fake booking flow that ends on a spoofed Google login page, harvesting account credentials and cloud data. Researchers at Sublime Security documented HTML evasion techniques, abused delivery services, dynamic phishing kits and C2 servers. Organizations should enforce strong MFA, monitor anomalous logins, and train employees to treat unsolicited recruiter invitations with skepticism.

Russian ColdRiver Hackers Use Fake CAPTCHA to Deploy Malware

⚠️ Google Cloud’s Threat Intelligence Group attributes a new campaign to Russian state-linked ColdRiver actors who are using fake “I am not a robot” CAPTCHA pages to deliver espionage malware, including NOROBOT, YESROBOT, and MAYBEROBOT. The attackers use a ClickFix social-engineering chain and multi-stage, encrypted payloads with split cryptographic keys to evade detection and rebuild tooling rapidly after exposure. Organizations are urged to emphasize behavioral monitoring, EDR/NDR telemetry, and simulated interactive-phishing tests to detect these user-assisted intrusions.

JLR Hack Deemed UK’s Costliest Cyber Incident at £1.9bn

🔒The Cyber Monitoring Centre (CMC) concluded that the August 2025 cyber-attack on Jaguar Land Rover (JLR) produced an estimated UK financial impact of £1.9bn ($2.55bn) and affected more than 5,000 organisations. The CMC said the vast majority of the cost derived from halted manufacturing after an IT shutdown that stopped production at major UK plants and disrupted suppliers and dealer systems. Analysts ranked the incident a Category 3 systemic event and warned costs could rise if operational technology or intellectual property were compromised. Industry experts called for stronger governmental oversight and for boards to treat cybersecurity as a strategic risk.

Typosquatted Nethereum NuGet Package Steals Wallet Keys

🔒Security researchers uncovered a NuGet typosquat, Netherеum.All, created to harvest cryptocurrency wallet secrets and exfiltrate them to a hidden command-and-control server. Uploaded on October 16, 2025 by user "nethereumgroup" and removed four days later, the package uses a Cyrillic 'e' homoglyph to impersonate Nethereum and falsely claims 11.7 million downloads to appear legitimate. Socket analysts found an XOR-decoded C2 endpoint (solananetworkinstance[.]info/api/gads) and a payload in EIP70221TransactionService.Shuffle that steals mnemonics, private keys, and keystore files. Developers are advised to verify publisher identity, watch for sudden download surges, and monitor anomalous network traffic before adding dependencies.

Ransomware Attack Disrupts IT at Nickelhütte Aue Company

🔒 A ransomware attack on Nickelhütte Aue's office IT encrypted data and caused disruptions across multiple back-office systems, with HR, accounting, finance, purchasing and sales identified as affected. A company spokesperson told CSO that production remained unaffected and management established a crisis organisation after the incident was discovered on Saturday, October 18. The attackers left an extortion note threatening to publish stolen files; investigations by IT forensics teams and authorities are ongoing while the firm consults on how to respond to the ransom demand. The company says it is cleaning infected devices and making steady progress, but the timeframe to fully rebuild IT systems remains unclear.

ToolShell SharePoint Exploit Hits Organizations Worldwide

⚠️ Symantec reports that hackers linked to China exploited the ToolShell vulnerability (CVE-2025-53770) in on-premise Microsoft SharePoint servers to target government agencies, universities, telecommunications providers, and financial firms across four continents. The zero-day, disclosed on July 20, was used to plant webshells and enable remote code execution. Attackers deployed DLL side-loading to load a Go backdoor named Zingdoor, later chained to ShadowPad, KrustyLoader, and the Sliver framework, and performed credential dumping and PetitPotam abuse to escalate to domain compromise.

Jingle Thief: Inside a Cloud Gift Card Fraud Campaign

🔍Unit 42 details the Jingle Thief campaign, a Morocco‑based, financially motivated operation that uses phishing and smishing to harvest Microsoft 365 credentials and abuse cloud services to commit large‑scale gift card fraud. The actors maintain prolonged, stealthy access for reconnaissance across SharePoint, OneDrive and Exchange, and rely on internal phishing, inbox rules and rogue device enrollment in Entra ID to persist and issue unauthorized cards. The report (cluster CL‑CRI‑1032) links the activity to Atlas Lion/STORM‑0539 and emphasizes identity‑centric detections and mitigations.

PassiveNeuron APT Uses Neursite and NeuralExecutor

🧠 Kaspersky researchers have identified a sophisticated cyber-espionage campaign dubbed PassiveNeuron that has targeted government, financial, and industrial organizations across Asia, Africa, and Latin America since late 2024. The operation uses bespoke implants—Neursite (a C++ modular backdoor) and NeuralExecutor (a .NET loader)—alongside Cobalt Strike, leveraging compromised internal servers as intermediate C2s and a plugin architecture to maintain persistence and adapt tooling. Victims include internet-exposed servers; attackers have used SQL-based remote command execution, attempted ASPX web shells, deployed DLL loaders into the System32 directory, and in 2025 adopted a GitHub-based dead-drop resolver to retrieve C2 addresses.

Scattered LAPSUS$ Hunters Shift to Extortion-as-Service

🔍 Palo Alto Networks' Unit 42 reports monitoring a Scattered LAPSUS$ Hunters Telegram channel since early October 2025, noting a tactical shift toward an extortion-as-a-service (EaaS) offering that omits file encryption. Researchers also observed posts mentioning a potential new ransomware, SHINYSP1D3R, though its development and the profitability of EaaS remain uncertain. Unit 42 found the group's data leak site apparently defaced and confirmed leaked records tied to at least six firms; the actors had set an Oct 10 ransom deadline but later stated on Oct 11 that "nothing else will be leaked."

Dreamforce Highlights Salesforce Amid OAuth Security Storm

🛡️ At Dreamforce, Salesforce emphasized shared responsibility for securing customer environments and introduced new AI agents for security and privacy. The conference largely avoided discussion of recent OAuth-based supply-chain breaches that exposed data from hundreds of companies and led to extensive litigation. Analysts warn the incidents — driven by compromised tokens from third-party apps like Salesloft Drift and spoofed tools such as malicious Data Loader instances — underscore systemic risks as AI integrations demand broader data access. Recommended mitigations include IP whitelisting, DPoP or mTLS, and tighter vendor governance.