All news in category "Incidents and Data Breaches"

Mon, October 20, 2025

Hackers Leak Personal Data of Hundreds of US Agents

🔓 A hacking collective known as The Com has posted alleged personal details — names, addresses, and phone numbers — of hundreds of US government employees on private Telegram channels. Reporting by 404 Media indicates spreadsheets containing roughly 680 DHS entries, over 170 FBI email addresses, and more than 190 Department of Justice records were shared; the origin of the information is unclear. The group, which has ties to known ransomware and extortion actors, suggested further doxing and even solicited criminal collaboration, raising concerns about threats and physical safety for affected personnel and their families.


Mon, October 20, 2025

China Accuses U.S. of Attacking National Time Authority

🔍 China’s Ministry of State Security has accused the U.S. National Security Agency of conducting cyber intrusions against the National Time Service Center in Xi'an, alleging activity beginning in March 2022. The statement says the campaign initially exploited vulnerabilities in employees’ mobile phones and later affected center computers. Beijing warned that the center’s role in providing official time underpins communications, finance and power systems, and that interference could cause major disruptions. U.S. officials did not immediately respond to the allegation.


Mon, October 20, 2025

SharePoint Flaws Led to Breach at Kansas City Nuclear Plant

🔒 A foreign threat actor exploited unpatched Microsoft SharePoint vulnerabilities to infiltrate the Kansas City National Security Campus (KCNSC), which produces most non‑nuclear components for U.S. nuclear weapons. Honeywell FM&T, which manages the site for the NNSA, and the Department of Energy did not respond to requests for comment. Federal responders, including the NSA, were onsite in early August after Microsoft issued fixes on July 19. Attribution remains disputed between Chinese-linked groups and possible Russian actors; there is no public evidence that classified information was taken.


Mon, October 20, 2025

China Accuses NSA of Multi-Stage Attack on NTSC Systems

🕒 The Chinese Ministry of State Security (MSS) has accused the U.S. National Security Agency (NSA) of a "premeditated" multi-stage cyber intrusion targeting the National Time Service Center (NTSC), which manages Beijing Time. The MSS says the campaign began with SMS-based compromises of staff devices in March 2022 and escalated through credential reuse and a deployed "cyber warfare platform" between August 2023 and June 2024. According to the statement, the platform employed 42 specialized tools, forged digital certificates, and high-strength encryption while routing traffic through VPSes across the U.S., Europe, and Asia; Chinese agencies say they detected and neutralized the activity and reinforced defenses.


Sun, October 19, 2025

TikTok Videos Push Infostealers via ClickFix Activation Scams

🔒 Cybercriminals are using TikTok videos disguised as free activation guides for software such as Windows, Adobe, Spotify, and Discord to distribute info‑stealing malware via a ClickFix technique. The videos instruct users to run a short PowerShell command that fetches a script from slmgr.win, which then downloads a variant of Aura Stealer and an additional payload from Cloudflare Pages. Victims should assume credentials are compromised, reset passwords, and avoid running copied commands in shells or terminal windows.


Sun, October 19, 2025

Europol Dismantles International SIM Farm Network; SIMCARTEL

🚨 Europol announced the disruption of a sophisticated cybercrime-as-a-service SIM farm in Operation SIMCARTEL, resulting in seven arrests and 26 searches across multiple countries. Authorities seized 1,200 SIM box devices containing about 40,000 active SIM cards, dismantled five servers and took over two websites, and froze significant cash and cryptocurrency assets. The platform supplied numbers from over 80 countries and is tied to the creation of more than 49 million online accounts used in phishing, smishing, investment fraud and other serious offences.


Sat, October 18, 2025

Google Ads Promote Fake Homebrew, LogMeIn, TradingView Sites

🚨 Researchers uncovered a malvertising campaign that uses Google Ads to surface convincing fake Homebrew, LogMeIn, and TradingView download sites targeting macOS developers. The pages prompt victims to copy a curl command into Terminal, but the clipboard often contains a base64-encoded installer that decodes and runs an install.sh payload. That script removes quarantine flags, bypasses Gatekeeper, and delivers infostealers that check for analysis environments before executing. Operators deploy AMOS and Odyssey, which harvest browsers, wallets, and credentials; users are urged not to paste unknown commands into Terminal.


Sat, October 18, 2025

New .NET CAPI Backdoor Targets Russian Auto and E-commerce

🔒 Seqrite Labs uncovered a new .NET implant named CAPI Backdoor linked to a phishing campaign targeting Russian automobile and e-commerce organizations. The attack leverages a ZIP archive containing a decoy Russian tax notice and a Windows LNK that loads a malicious adobe.dll via the legitimate rundll32.exe. The backdoor gathers system and browser data, takes screenshots, and communicates with a remote C2 for commands and exfiltration. Persistence is achieved through scheduled tasks and a Startup LNK.


Sat, October 18, 2025

Silver Fox Expands Winos 4.0 Attacks to Japan, Malaysia

🔎 Silver Fox operators have expanded the Winos 4.0 (ValleyRAT) campaign from China and Taiwan to target Japan and Malaysia, and are also deploying a secondary RAT tracked as HoldingHands. The actors use phishing emails with booby‑trapped PDFs, SEO‑poisoned pages and targeted .LNK résumé lures to deliver multiple payloads, including Winos modules and HoldingHands. Observed techniques include DLL sideloading, Task Scheduler recovery abuse, anti‑VM checks and AV termination to maintain persistence and evade detection.


Fri, October 17, 2025

UK Weighed Destroying Data Hub After Decade-Long Intrusion

🔐 British officials briefly considered physically destroying a government data hub after uncovering a decade-long intrusion attributed to China-aligned actors. The breach reportedly exposed official-sensitive and secret material on government servers, though no top secret data was taken. Rather than demolish the facility, the government implemented alternative protections and commissioned a classified review. Cybersecurity experts say the episode underscores the critical need to secure supply chains and hunt long-term APT presence.


Fri, October 17, 2025

Envoy Air Confirms Oracle E-Business Suite Data Theft

🔒 Envoy Air confirmed that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its leak site. The carrier said it immediately launched an investigation, contacted law enforcement, and determined that no sensitive or customer data were affected, though limited business information and commercial contact details may have been exposed. The incident is tied to an August campaign by Clop, which exploited an E-Business Suite zero‑day (CVE‑2025‑61882) and is now publishing claimed stolen files.


Fri, October 17, 2025

Europol Dismantles Large SIM-box Service Used for Fraud

🔍 Europol, together with national police units and the Shadowserver Foundation, dismantled an illegal SIM‑box service codenamed SIMCARTEL that rented phone numbers to criminals for creating fraudulent online accounts. The service operated about 1,200 SIM‑box devices with roughly 40,000 active SIM cards and offered numbers tied to individuals in more than 80 countries via seized sites gogetsms.com and apisim.com. Authorities linked the infrastructure to thousands of fraud cases and at least EUR 4.5 million in losses in Austria and EUR 420,000 in Latvia.


Fri, October 17, 2025

Three Dutch Teens Linked to Russian-Associated Hackers

🧑‍💻 Three 17-year-olds in the Netherlands are suspected of providing services to a foreign power after one was found communicating with an unnamed Russian-government-affiliated hacking group. Prosecutors say the linked suspect directed the others to repeatedly map Wi‑Fi networks in The Hague and then sold the collected data to the client's contact for a fee. The investigation, opened after a report from the Military Intelligence and Security Service, led to two arrests on 22 September and seizure of devices from a third minor. An updated Criminal Code effective 15 May 2025 now criminalizes digital espionage, carrying up to eight years' imprisonment (or up to 12 years in the most serious cases).


Fri, October 17, 2025

North Korean Hackers Merge BeaverTail and OtterCookie

🔐 Cisco Talos reports that a North Korean-linked threat cluster has blended features of its BeaverTail and OtterCookie JavaScript malware families, with recent OtterCookie variants adding keylogging, screenshot capture, and clipboard monitoring. The intrusion chain observed involved a trojanized Node.js application called Chessfi and a malicious npm dependency published on August 20, 2025 that executed postinstall hooks to launch multi-stage payloads. Talos tied the activity to the Contagious Interview recruitment scam and highlighted continued modularization and abuse of legitimate open-source packages and public Git hosting to distribute malicious code.


Fri, October 17, 2025

North Korean Hackers Use EtherHiding to Steal Crypto

⚠️ Google Threat Intelligence Group has linked a North Korean threat actor to EtherHiding, a technique that embeds malicious JavaScript inside smart contracts so the blockchain functions as a resilient command-and-control server. Tracked as UNC5342, the actor used EtherHiding within an elaborate social-engineering campaign to deliver JADESNOW and a JavaScript variant of INVISIBLEFERRET, leading to multiple cryptocurrency heists. The campaign targets developers via fake recruiters and deceptive coding tests on Telegram and Discord.


Fri, October 17, 2025

Over 266,978 F5 BIG-IP Instances Exposed to Remote Attacks

⚠️ Shadowserver Foundation reports 266,978 internet-exposed F5 BIG-IP instances after F5 disclosed a breach in which nation-state actors stole source code and information on undisclosed BIG-IP flaws. F5 issued patches addressing 44 vulnerabilities and urged immediate updates for BIG-IP, F5OS, BIG-IQ, and related products. CISA issued an emergency directive requiring federal agencies to patch or mitigate affected devices by set deadlines. Nearly half of the detected instances are in the United States, with most others across Europe and Asia.


Fri, October 17, 2025

Zero Disco: Fileless Rootkits Target Legacy Cisco Switches

⚠️ Threat actors exploited a Cisco SNMP vulnerability (CVE-2025-20352) to achieve remote code execution on legacy IOS XE switches and install custom, largely fileless Linux rootkits that hook into the IOSd memory space, set universal passwords (including one containing 'Disco'), and hide processes and network activity. The rootkits spawn a UDP-based controller to toggle or zero logs, bypass access controls, and reset running-config timestamps to mask changes. Trend Micro also observed spoofed IP/MAC addresses and attempts to combine a retooled Telnet memory-access exploit to deepen persistence.


Fri, October 17, 2025

Email-bombing Abuse Exploits Lax Zendesk Authentication

📧 Cybercriminals abused a lack of authentication in the customer-service platform Zendesk to trigger mass ticket-creation notifications that appeared to come from hundreds of legitimate customer domains. KrebsOnSecurity received thousands of messages in rapid succession from brands including The Washington Post, Discord, NordVPN and more, with subjects ranging from alleged law-enforcement warnings to insults. Because some customers allow anonymous ticket creation and enable auto-responder triggers, replies and notifications were sent from those customers' domains, amplifying brand and inbox impact. Zendesk says it is investigating and recommends customers require verified ticket submission.


Fri, October 17, 2025

Cyberattack Disrupts Hohen Neuendorf City Administration

🔒 The Hohen Neuendorf city administration reported a cyberattack detected on October 7 that forced an immediate shutdown of its IT systems and left municipal operations running in a limited capacity. Contracted cybersecurity experts found indications attackers temporarily accessed and encrypted parts of the city's data holdings, preventing immediate inspection. Authorities say it cannot yet be confirmed whether personal data were stolen and that the city will notify affected individuals under GDPR if a data outflow is verified. Preliminary investigation points to security gaps at an external IT service provider that allegedly failed to report vulnerabilities as contractually required.


Fri, October 17, 2025

Prosper Data Breach Exposes Personal Data of 17.6M

🔒 Prosper has confirmed a data breach that may have exposed personal information for approximately 17.6 million customers. The company said unauthorized queries were made against customer and applicant databases and that the activity was shut down and access revoked on September 2. Prosper reported no operational disruptions or evidence of unauthorized account access or fund theft, has notified US law enforcement, and will offer affected customers credit monitoring once the scope is confirmed.
