All news in category "Incidents and Data Breaches"

Co-op Reports £206m Revenue Loss After Cyberattack

🛒 The Co-op revealed a £206m revenue shortfall resulting from a “malicious” cyber-attack in April after it temporarily shut down multiple systems to contain the threat. The retailer recorded an overall six-month loss of £80m to 5 July 2025 and said sales disruption is likely to continue into H2 2025. No remediation breakdown was provided, although a one-off non-underlying cost of £20m was logged. The intrusion has been linked to Scattered Spider, and UK authorities have made several arrests related to this and similar retail attacks.

NCA Arrests Man Linked to HardBit Ransomware Disruption

🔒 British investigators arrested a man in his forties in West Sussex in connection with a suspected ransomware outbreak that disrupted flights across Europe. The National Crime Agency said the suspect was released on conditional bail and the probe remains at an early stage. Security researchers have linked the incident to the HardBit variant, which affected ARINC vMUSE systems and forced airlines to revert to paper processes amid repeated reinfections.

Malicious Rust crates stole Solana and Ethereum keys

🛡️ Security researchers discovered two malicious Rust crates impersonating the legitimate fast_log library that covertly scanned source files for Solana and Ethereum private keys and exfiltrated matches to a hardcoded command-and-control endpoint. Published on May 25, 2025 under the aliases rustguruman and dumbnbased, the packages — faster_log and async_println — accumulated 8,424 downloads before crates.io maintainers removed them following responsible disclosure. Socket and crates.io preserved logs and artifacts for analysis, and maintainers noted the payload executed at runtime when projects were run or tested rather than at build time.

Chinese Backdoor Grants Year-Long Access to US Firms

🔐 Chinese state-linked actors deployed a custom Linux/BSD backdoor called BRICKSTORM on network edge appliances to maintain persistent access into U.S. legal, technology, SaaS and outsourcing firms. These implants averaged 393 days of undetected dwell time and were used to pivot to VMware vCenter/ESXi hosts, Windows systems, and Microsoft 365 mailboxes. Mandiant and Google TAG attribute the activity to UNC5221 and have released a scanner and hunting guidance to locate affected appliances.

Ransomware-Enabled Heist and npm Worm Supply-Chain Threats

🔒 Ransomware can do more than encrypt files — it can disable alarms and create physical security vulnerabilities. In a recent episode of the Smashing Security podcast, hosts discuss how a ransomware-related outage at the Natural History Museum in Paris preceded a late-night theft of €600,000 in gold. The show also covers a new npm supply-chain worm dubbed Shai Hulud that has infected over 180 packages and quietly exfiltrated secrets, plus odd stories about ads appearing on consumer appliances.

Retail at Risk: Single Alert Reveals Persistent Threat

🔍 A single Microsoft Defender alert triggered an investigation that uncovered a persistent cyberthreat against retail customers. Attackers exploited unpatched SharePoint flaws CVE-2025-49706 and CVE-2025-49704 using obfuscated ASPX web shells while also compromising identities through self-service password reset abuse and Microsoft Entra ID reconnaissance. DART swiftly contained the intrusions—removing web shells, isolating Entra ID, deprivileging accounts, and recommending Zero Trust measures, MFA enforcement, timely patching, and EDR deployment.

Chinese State-Linked RedNovember Targets Global Org

🛰️ Recorded Future has attributed a widespread cyber-espionage cluster to a Chinese state-sponsored actor it has named RedNovember, which overlaps with Microsoft's Storm-2077. From June 2024 to July 2025 the group targeted internet-facing perimeter appliances and used a mix of open-source and commercial tooling — notably Pantegana, Spark RAT and Cobalt Strike — to gain persistent access across government and private-sector networks worldwide. Attacks exploited known CVEs in VPNs, firewalls and other security appliances and leveraged a Go-based loader derived from LESLIELOADER, while administration infrastructure relied on VPN services such as ExpressVPN and Warp.

Malicious npm Package Uses QR Code to Steal Cookies

🔍 A malicious npm package named Fezbox was discovered using QR-code steganography to conceal and deliver a credential-stealing payload. The package fetched a QR image from a remote URL, waited roughly 120 seconds, decoded embedded code and executed it to extract usernames and passwords from browser cookies. Socket's AI-based scanner flagged the behavior; the package, which had at least 327 downloads, was removed after a takedown request to the npm security team.

Interpol-led Operation Seizes $439M From Cybercrime

🕵️‍♂️ In a five-month international campaign, Operation HAECHI VI led by Interpol and partner agencies recovered more than $439 million in cash and cryptocurrency tied to cyber-enabled financial crimes. Investigators from 40 countries across five continents targeted a broad range of scams — including voice phishing, investment fraud, BEC, sextortion and romance scams — freezing 400 crypto wallets and blocking over 68,000 bank accounts. The action included 45 arrests in Portugal and multimillion-dollar recoveries in Thailand, building on prior HAECHI phases that netted hundreds of millions and thousands of arrests.

ShadowV2 Botnet Highlights Growth of DDoS-as-a-Service

🛡️ Darktrace has uncovered a ShadowV2 campaign that combines a GitHub CodeSpaces-hosted Python command-and-control framework, a Docker-based spreader, and a Go-based RAT to operate a DDoS-as-a-service platform. Attackers target exposed Docker daemons on AWS EC2 to build on-victim images and deploy malware via environment variables, reducing forensic artifacts. The platform exposes an OpenAPI-driven UI and multi-tenant API enabling HTTP/HTTP2 floods, UAM bypasses, and other configurable attack options.

UNC5221 Deploys BRICKSTORM Backdoor Against US Targets

🛡️ Mandiant and Google’s Threat Intelligence Group report that the China‑nexus cluster UNC5221 has delivered the Go‑based backdoor BRICKSTORM to U.S. legal, SaaS, BPO, and technology organizations, frequently exploiting Ivanti Connect Secure zero‑days. BRICKSTORM uses a WebSocket C2, offers file and command execution, and provides a SOCKS proxy to reach targeted applications. The campaign prioritizes long, stealthy persistence on appliances that lack traditional EDR coverage, enabling lateral movement and access to downstream customer environments.

Obscura: New Ransomware Variant Targeting Domains Globally

🔒 On 29 August 2025 Huntress analysts identified a previously unseen ransomware variant they named Obscura after its embedded ransom note. The binary was placed in the domain NETLOGON scripts folder, enabling propagation via AD replication, and the actor created scheduled tasks to run it across hosts. Obscura requires administrative privileges, attempts to delete volume shadow copies and terminates roughly 120 security and backup processes. It uses Curve25519/X25519 key exchange and XChaCha20 for file encryption and writes a decoded ransom note to C:\README-OBSCURA.txt.

Google: Brickstorm malware stole data from U.S. orgs

🔒 Google researchers warn that the Go-based Brickstorm backdoor was used in prolonged espionage against U.S. technology, legal, SaaS, and BPO organizations, averaging a 393-day dwell time. Suspected activity from the UNC5221 cluster involved deploying the malware on appliances lacking EDR protection such as VMware vCenter/ESXi, where it acted as a web server, SOCKS proxy, file dropper, and remote shell. Operators used techniques like a malicious Java Servlet Filter (Bricksteal), VM cloning, and startup-script modifications to capture credentials and move laterally, then tunneled to exfiltrate emails via Microsoft Entra ID Enterprise Apps. Mandiant published a scanner and YARA rules to aid detection but cautions it may not catch all variants or persistence.

BRICKSTORM espionage campaign targeting appliances in US

🔒BRICKSTORM is a highly evasive backdoor campaign tracked by GTIG and Mandiant that targets network appliances and virtualization infrastructure to maintain long-term access to US organizations. The actor, tracked as UNC5221, deploys a Go-based malware with SOCKS proxy functionality and uses techniques — including zero‑day exploitation of edge appliances, credential capture via a BRICKSTEAL servlet filter, and VM cloning — to remain undetected for an average of 393 days. GTIG and Mandiant published YARA rules, a scanner, and a focused hunting checklist to help defenders locate infections and harden management interfaces and vSphere deployments.

Brickstorm: Long-term Go-based Backdoor Targets US Orgs

🔒 Google researchers report suspected China-linked operators used a Go-based backdoor named Brickstorm to persistently exfiltrate data from U.S. technology, legal, SaaS and BPO organizations, with an average dwell time of 393 days. Brickstorm operated as a web server, file dropper, SOCKS relay and remote command executor while masquerading traffic as legitimate cloud services and targeting edge appliances that often lack EDR. GTIG attributes the activity to UNC5221, a cluster linked to Ivanti zero-day exploitation and custom tools like Spawnant and Zipline. Mandiant published a scanner with YARA rules but cautioned it may not detect all variants or persistence mechanisms.

UK Arrests Suspect After RTX MUSE Ransomware Hits Airports

🛫 The UK's National Crime Agency arrested a man in his forties in West Sussex on suspicion of Computer Misuse Act offences linked to a ransomware attack that disrupted airports across Europe. RTX Corporation confirmed the incident affected its Collins Aerospace MUSE passenger processing software, first detected on September 19. The suspect has been released on conditional bail while the probe, supported by the South East ROCU and other agencies, remains in its early stages. Affected customers shifted to backup and manual processes while RTX and external cybersecurity experts work to contain and remediate the impact.

PyPI warns users to reset credentials after phishing

🔒 The Python Software Foundation warns of a phishing campaign using a convincing fake PyPI site at pypi-mirror[.]org that asks users to 'verify their email address' and threatens account suspension. If you clicked the link and submitted credentials, change your password immediately, inspect your account's Security History, and report suspicious activity to security@pypi.org. Maintainers should avoid clicking links in unsolicited emails, use password managers that auto-fill only on matching domains, and enable phishing-resistant 2FA such as hardware security keys.

GitHub notifications abused to impersonate Y Combinator

📩 Attackers abused GitHub's notification system to send fake Y Combinator W2026 invitations by creating issues and tagging users so the platform would deliver legitimate-looking emails. The lure promised participation in a purported $15 million funding program and linked to a typo-squatted domain. That site ran obfuscated JavaScript and presented an EIP-712-style wallet verification prompt that, when signed, authorized draining transactions.

AI-Obfuscated SVG Phishing Campaign Detected and Blocked

🔍 Microsoft Threat Intelligence detected and blocked a credential-phishing campaign that likely leveraged AI-generated code to obfuscate its payload inside an SVG attachment. The malicious SVG imitated a PDF and hid JavaScript within invisible, business-themed elements and a long sequence of business terms that the embedded script decoded into redirects, browser fingerprinting, and session tracking. Microsoft Defender for Office 365 blocked the activity by correlating infrastructure, behavioral, and message-context signals, while Security Copilot flagged the code as likely LLM-generated.

One Weak Password Topples 158-Year-Old Transport Firm

🔒 KNP Logistics Group, a 158-year-old UK transport firm, collapsed after the Akira ransomware group accessed an employee account by guessing a weak password. Attackers bypassed protections by targeting an internet-facing account without MFA, deployed ransomware across the estate, and destroyed backups, halting operations across 500 trucks and precipitating administration and 700 job losses. The incident underscores the urgent need for strong password policies, MFA, and isolated, tested backups.