
All news in category “Incidents and Data Breaches”

2740 articles · page 23 of 137

Russian GRU Used Router Flaws to Steal Office Tokens

🔒 Security researchers say hackers linked to Russia’s GRU used known vulnerabilities in end-of-life routers to mass-harvest Microsoft Office authentication tokens. The actor, tracked as Forest Blizzard (aka APT28/Fancy Bear), altered DNS settings on mostly MikroTik and TP-Link SOHO devices to route traffic through attacker-controlled DNS servers and perform adversary-in-the-middle (AiTM) interception of OAuth tokens and TLS sessions. Microsoft identified more than 200 affected organizations and about 5,000 consumer devices, while Black Lotus Labs observed the campaign touching over 18,000 routers at its December 2025 peak.

APT28 Turns Insecure Routers into DNS Hijack Nodes

🔐 Lumen's Black Lotus Labs and Microsoft linked a campaign named FrostArmada to APT28 (aka Forest Blizzard), which compromised insecure MikroTik and TP‑Link SOHO routers to change DNS settings and route traffic to attacker-controlled resolvers. The actors used DNS hijacking to perform passive reconnaissance and attacker-in-the-middle (AitM) operations to harvest passwords, OAuth tokens, and other credentials without user interaction. The malicious infrastructure has been disrupted in a multi‑agency operation led by the U.S. Department of Justice and FBI with international partners.

Authorities Disrupt Router DNS Hijacks Targeting Microsoft

🔒 An international law enforcement operation, supported by private researchers, disrupted FrostArmada, an APT28 campaign that hijacked DNS settings on compromised MikroTik and TP-Link routers to intercept Microsoft 365 authentication. The attackers redirected DNS to attacker-controlled VPS nodes acting as AitM proxies and captured logins and OAuth tokens. Microsoft, Lumen Black Lotus Labs, the FBI, the DOJ, and Polish authorities took the malicious infrastructure offline and published indicators and mitigations.

UK NCSC: APT28 Hijacks Routers to Steal Credentials Globally

🔒 The UK’s National Cyber Security Centre (NCSC) warns that Russian-linked APT28 has been compromising vulnerable SOHO routers to redirect DNS traffic through attacker-controlled servers and harvest credentials. The actor has modified a list of VPS-hosted DNS servers since 2024 and exploited models including TP-Link (notably the WR841N via CVE-2023-50224) and MikroTik. The campaigns use DHCP DNS tampering and adversary-in-the-middle techniques; the NCSC and Microsoft advise firmware updates, multifactor authentication and network hardening.

SOHO Router Compromise Drives DNS Hijacking and AiTM

🔒 Since at least August 2025, Microsoft Threat Intelligence reports that the Russian military-linked actor Forest Blizzard (and sub-group Storm-2754) has been exploiting insecure SOHO routers to reroute DNS queries to actor-controlled resolvers. The actor appears to use the legitimate dnsmasq service on thousands of devices to capture DNS traffic and, selectively, perform TLS adversary-in-the-middle (AiTM) attacks against Microsoft Outlook on the web and targeted government services. Microsoft identified over 200 affected organizations and more than 5,000 consumer devices and published mitigation, detection, and hunting guidance.

Over 1,000 Exposed ComfyUI Instances Targeted — Miner Botnet

🛡️ An active campaign is exploiting internet-exposed ComfyUI instances to recruit them into a cryptomining and proxy botnet. Censys researchers found attacker tooling that scans cloud IP ranges, abuses unsafe custom nodes for unauthenticated remote code execution, and installs miners (XMRig, lolMiner) and a Hysteria V2 proxy. The payloads persist via periodic retrieval of a ghost.sh script and use techniques such as LD_PRELOAD and chattr +i to resist removal, while a Flask-based C2 panel provides centralized control. Defenders are advised not to expose ComfyUI publicly, to require authentication, and to remove or audit any nodes that execute raw Python.

Storm-1175 (Medusa) Accelerates Ransomware Attacks

⚠️ Microsoft warns that Storm-1175 — an actor linked to Medusa ransomware — is rapidly exploiting internet-facing systems, often moving from initial access to data theft and encryption within 24 hours. The group has abused more than 16 vulnerabilities since 2023, including zero-days, and frequently chains exploits to establish persistence and accelerate operations. Targets include healthcare, education, professional services, and finance in Australia, the UK and the US.

Storm-1175 Weaponizes n-day and Zero-day Flaws Worldwide

⚠️ Microsoft says financially motivated actor Storm-1175 has run a high-tempo campaign that weaponizes both n-day and zero-day vulnerabilities to deliver Medusa ransomware against internet-facing systems. The group has exploited at least 16 flaws since 2023, including the zero-day CVE-2025-10035 affecting GoAnywhere MFT, and has impacted healthcare, education, professional services and finance in Australia, the UK and the US. Recommended protections include perimeter scanning, isolating web-facing systems behind VPNs, WAFs or a DMZ, enforcing MFA for RMM tools, enabling tamper protection and configuring XDR to detect and block common ransomware tactics.

China-linked Storm-1175 Uses Zero-Days to Deploy Medusa

🔒 China-linked threat actor Storm-1175 has been observed exploiting a mix of zero-day and N-day flaws to quickly compromise internet-facing systems and deploy Medusa ransomware. Microsoft reports the group moves with high operational tempo, chaining exploits and abusing legitimate RMM tools to evade detection. Targets include healthcare, education, professional services and finance across Australia, the UK and the US. Intrusions often lead to rapid data exfiltration and encryption within days, sometimes under 24 hours.

German Police Identify REvil and GandCrab Ransomware Leaders

🔍 German Federal Police (BKA) have identified two Russian nationals as the leaders of GandCrab and REvil between 2019 and 2021. The suspects — 31‑year‑old Daniil Maksimovich Shchukin (alias UNKN/UNKNOWN) and 43‑year‑old Anatoly Sergeevitsch Kravchuk — are linked to at least 130 extortion cases in Germany. At least 25 victims paid roughly $2.2 million, with total damages estimated above $40 million; authorities believe both are now in Russia and have released identifying images to solicit tips.

German Police Identify Alleged REvil and GandCrab Leaders

🔎 German Federal Police (BKA) say they have identified two Russian nationals as alleged leaders of the GandCrab and REvil ransomware operations active from 2019 to 2021. Authorities attribute at least 130 extortion cases in Germany to the pair, with 25 victims paying roughly $2.2 million and estimated total damages exceeding $40 million. Images, including tattoo photos, have been released and the suspects are listed on the EU Most Wanted portal as authorities seek public tips.

Iran-Linked Password-Spraying Targets 300+ Israeli M365

🔒 Check Point reports an ongoing Iran-nexus password-spraying campaign against Microsoft 365 tenants, primarily impacting Israel and the U.A.E. in three waves on March 3, 13 and 23, 2026. The actor employed Tor exit nodes and commercial VPN infrastructure (AS35758) and used tools and techniques resembling Gray Sandstorm to scan, attempt logins, and exfiltrate mailbox content. Organizations are advised to enforce MFA, apply conditional access by geography, and monitor sign-in and audit logs for signs of compromise.

Microsoft: Medusa Affiliate Storm-1175 Uses Zero-Day

🛡️ Microsoft says the China-based, financially motivated threat group Storm-1175, an affiliate that deploys Medusa ransomware, has been rapidly weaponizing n-day and zero-day vulnerabilities to gain access and move to data exfiltration and encryption within days, sometimes within 24 hours. Microsoft observed the operators chaining exploits to create accounts, deploy remote management tools, steal credentials, and disable security controls before dropping ransomware, with recent victims across healthcare, education, professional services, and finance in Australia, the United Kingdom, and the United States.

Drift $280M Crypto Heist Tied to Six-Month In-Person Plot

🔒 Drift Protocol says a coordinated, six-month operation led to a $280M+ theft after attackers built "a functioning operational presence" inside the platform and engaged contributors in person and via Telegram. The attackers reportedly hijacked Security Council administrative powers and drained assets in about 12 minutes. Drift suspects two contributors were compromised via a malicious code repository (possible VSCode/Cursor exploit) and a fake TestFlight wallet app. Blockchain firms attribute the campaign to UNC4736, linked to North Korea.

AI-Enabled Device Code Phishing Campaign Analysis Report

🔒 Microsoft Defender Security Research describes an AI-enabled campaign that abused the OAuth Device Code flow to compromise organizational accounts at scale. Actors used generative AI to craft hyper-personalized lures and automated backend infrastructure (including Railway.com and other PaaS) to generate dynamic device codes at click time, defeating the standard 15-minute expiry. The activity is linked to the PhaaS toolkit EvilToken and shows a marked escalation in automation and scale versus earlier device code phishing campaigns. Post-compromise actions focused on device registration, Microsoft Graph reconnaissance, malicious inbox rules, and email exfiltration.

DPRK-Linked Hackers Use GitHub as C2 in LNK Attacks

🔒 Fortinet FortiGuard Labs reports DPRK-linked actors using GitHub as command-and-control infrastructure in multi-stage LNK-based phishing attacks targeting South Korea. Obfuscated Windows shortcut files drop a decoy PDF and a silent PowerShell script that performs anti-analysis checks, extracts a VBScript, and creates persistence via a scheduled task running every 30 minutes. The script profiles hosts, exfiltrates the data to a GitHub repo under an account such as 'motoralis' with a hard-coded token, and retrieves additional modules or commands from files in the repository to maintain control.

Storm-1175 Targets Vulnerable Web-Facing Assets with Medusa

🔒 Storm-1175 conducts high-tempo ransomware campaigns that rapidly weaponize recently disclosed and, in some cases, pre-disclosure zero-day vulnerabilities to gain initial access to web-facing systems. After exploitation the actor moves quickly to establish persistence, perform credential theft, tamper with security controls, and exfiltrate data before deploying Medusa ransomware. Microsoft observed intrusions affecting healthcare, education, professional services, and finance across Australia, the United Kingdom, and the United States, often completing impact within days or less. Recommended defenses include perimeter asset discovery, robust patching, RMM hardening, and tamper protection for endpoint security.

DPRK-linked campaign uses LNK files and GitHub C2 channels

🛡️ Fortinet reports a DPRK-linked espionage campaign leveraging weaponized Windows shortcut (.LNK) files and GitHub repositories as command-and-control channels to target South Korean organizations. The attackers rely on multi-stage PowerShell scripts, progressively embedding decoding functions and encoded payloads inside LNK arguments to evade detection. This approach reflects a living off the land strategy that abuses native Windows utilities and legitimate services.

LiteLLM Supply-Chain Turns Dev Machines into Vaults

🔒 TeamPCP's March 2026 compromise of LiteLLM packages on PyPI injected infostealer malware into versions 1.82.7 and 1.82.8 that ran during installs and updates. The malware harvested plaintext SSH keys, cloud credentials (AWS, Azure, GCP), Docker configs, IDE and agent memory files, and other local secrets, exploiting transitive dependencies. PyPI removed the packages within hours, but many downstream packages would have triggered execution. Use ggshield, pre-commit hooks, and filesystem scanning to detect and contain local secrets.

Qilin and Warlock Ransomware Use Vulnerable Drivers

🔒 Cisco Talos and Trend Micro say Qilin and Warlock ransomware groups have adopted a bring-your-own vulnerable driver (BYOVD) approach to disable endpoint security on compromised hosts. Talos identified a malicious DLL named msimg32.dll that side-loads a PE loader which decrypts and executes an in-memory EDR killer. The payload leverages renamed drivers such as rwdrv.sys (a repackaged ThrottleStop.sys) and hlpdrv.sys to access physical memory and terminate over 300 EDR drivers. Warlock has similarly used NSecKrnl.sys and a suite of legitimate tools to persist, move laterally, and exfiltrate data.