ciso brief

All news in category “Incidents and Data Breaches”

2731 articles · page 32 of 137

Denver Crosswalks Hacked to Broadcast Anti-Trump Messages

🔊 Denver's newly installed pedestrian audio units on East Colfax Avenue were hijacked over the weekend to broadcast explicit anti-Trump messages in a robotic voice, startling pedestrians. Officials say the units had been put into service with factory-default credentials still in place; passwords have since been changed and police are investigating. The tampering created a safety hazard for people with visual impairments and echoes prior incidents involving Polara crosswalk systems.
read more →

Russian Intelligence Targets Commercial Messaging Accounts

🔒 CISA and the Federal Bureau of Investigation issued a joint Public Service Announcement warning of ongoing phishing campaigns by cyber actors associated with Russian intelligence services targeting commercial messaging applications (CMAs). The campaigns seek to bypass encryption by compromising individual user accounts rather than breaking application cryptography. Evidence indicates thousands of CMA accounts have been accessed to view messages and contact lists, send messages, and conduct follow-on phishing. CISA and FBI urge users to review the PSA, adopt recommended cybersecurity practices, and remain vigilant for suspicious activity.
read more →

Dismantling Major Botnets Disrupts Global DDoS Rings

🛡️ Law enforcement in Germany, Canada and the United States have jointly disrupted two of the world’s largest DDoS botnets, taking the botnets’ core infrastructure offline and seizing evidence. The operation targeted Aisuru, which infected poorly secured IoT devices, and the related Kimwolf, which focused on Android and consumer devices. Authorities recovered multiple data carriers and seized five-figure cryptocurrency holdings, though arrests were limited and the criminal network is not yet fully dismantled.
read more →

Proton Mail Provided Subscriber Metadata to Authorities

🔒 Proton Mail disclosed subscriber payment metadata to Swiss authorities, who in turn shared the records with the FBI. The released material appears to be billing- and payment-related information rather than message contents, but such metadata can still link an account to an individual. The case highlights that privacy-focused services may be compelled by legal process to produce stored user records.
read more →

Hackers Exploit Critical Langflow RCE Within 20 Hours

🔐 Sysdig reported that threat actors exploited a critical unauthenticated remote code execution vulnerability (CVE-2026-33017) in Langflow within 20 hours of the advisory’s publication. The flaw, rated CVSS 9.3, allows execution of arbitrary Python via a single HTTP request and requires no credentials. Attackers built working exploits from the advisory alone, with no public proof-of-concept available, scanned broadly, and exfiltrated API keys, database credentials and cloud secrets. Sysdig warns that organizations must accelerate patching and rethink vulnerability programs built around multi-day remediation windows.
read more →

Musician Pleads Guilty in $10M AI-Powered Streaming Fraud

🎵 North Carolina musician Michael Smith pleaded guilty to running a multi-year streaming fraud that generated over $10 million in illicit royalties. Smith purchased hundreds of thousands of AI-generated songs and uploaded them to Spotify, Apple Music, Amazon Music, and YouTube Music, then used automated bots routed through VPNs to create billions of fake streams between 2017 and 2024. Prosecutors say he ran more than 1,000 bot accounts, agreed to $8,091,843.64 in forfeiture, and faces up to five years in prison after pleading to one count of conspiracy to commit wire fraud.
read more →

International Takedown Disrupts Four Major IoT Botnets

🚨 U.S., German, and Canadian authorities dismantled command-and-control infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad IoT botnets, seizing virtual servers, domains, and related assets. The Justice Department says the four botnets had ensnared more than three million devices and issued hundreds of thousands of DDoS commands, including record-setting attacks by Aisuru. Private firms such as Akamai assisted, warning the campaigns disrupted ISP services and even targeted government IPs including DoDIN.
read more →

Data Analyst Guilty of $2.5M Extortion Against Brightly

🔒 A North Carolina contractor, 27-year-old Cameron Curry (aka "Loot"), was convicted for extorting his employer, Brightly Software, after stealing payroll and corporate data during a six-month contract that ran through December 2023. Curry sent more than 60 threatening emails from lootsoftware@outlook.com demanding $2.5 million and attached screenshots of employee PII. Brightly paid $7,540 in Bitcoin, the FBI seized devices following a January 24, 2024 search, and Curry now faces up to 12 years in prison.
read more →

DoJ Disrupts 3 Million-Device IoT Botnets Behind 31.4 Tbps

🔒 The U.S. Department of Justice announced a court-authorized operation that disrupted command-and-control infrastructure used by multiple IoT Mirai variants, including AISURU, Kimwolf, JackSkid, and Mossad. Authorities from Canada and Germany, assisted by major vendors such as AWS, Cloudflare, and Akamai, helped dismantle networks that collectively enslaved roughly 3 million devices and enabled record-breaking DDoS attacks exceeding 30 Tbps. The action seeks to curb a cybercrime-as-a-service market that sold access to compromised DVRs, webcams, routers, and off-brand Android TVs.
read more →

Tycoon2FA Phishing-as-a-Service Persists After Takedown

🛡️ On March 4, 2026, Europol coordinated a technical disruption that seized 330 domains tied to Tycoon2FA, a subscription-based phishing-as-a-service platform that enabled adversary-in-the-middle (AITM) attacks to bypass multifactor authentication. CrowdStrike observed an immediate drop in activity followed by a return to pre-disruption campaign volumes as operators reconstituted infrastructure and continued using established TTPs. Defenders should maintain layered controls across phishing, DNS resolution, cloud authentication, and Exchange inbox protections while leveraging Falcon and Falcon Complete for detection and response support.
read more →

Trivy GitHub Action Compromise: Credential Stealer Incident

🔍 CrowdStrike linked a spike in script-execution detections to a compromised GitHub Action, aquasecurity/trivy-action, used widely in CI/CD pipelines. An attacker force-repointed 76 of 77 release tags to commits that prepended a ~105-line credential stealer to the legitimate entrypoint, enabling secret harvesting on both GitHub-hosted and self-hosted runners. Harvested data was encrypted with AES-256-CBC and a hardcoded 4096-bit RSA key, then exfiltrated via a typosquatted domain and, as a fallback, by creating public GitHub releases under victim accounts; the malicious code then invoked the original scanner to hide its activity.
read more →
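The tag repointing described above works because a `uses: owner/repo@tag` reference resolves whatever commit the tag currently points at, so moving the tag silently changes the code every pipeline runs. The check below is an added example, not code from CrowdStrike, Aqua Security or the trivy-action project: it scans a workflow file for action references that are not pinned to a full 40-character commit SHA. The workflow text, the action versions and the SHA in it are constructed for the example.

```python
"""Audit GitHub Actions workflow files for `uses:` references that a tag move
could redirect. Added example (not the project's own code); it assumes the
standard `uses: owner/repo[/path]@ref` syntax and treats only a full 40-hex
commit SHA as immutable, since tags and branches can be repointed."""
import re
from typing import List, NamedTuple

# Captures the value of a `uses:` key, with or without a leading list dash.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?', re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class Finding(NamedTuple):
    action: str  # owner/repo or owner/repo/path as written
    ref: str     # tag, branch or SHA as written ("" if absent)
    reason: str  # why the reference was flagged


def classify_ref(ref: str) -> str:
    """Return "" for an immutable ref, otherwise a short description of the risk."""
    if FULL_SHA_RE.match(ref):
        return ""
    if re.fullmatch(r"[0-9a-f]{7,39}", ref):
        return "abbreviated SHA (ambiguous, not guaranteed immutable)"
    return "mutable tag or branch"


def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per action reference that is not SHA-pinned."""
    findings: List[Finding] = []
    for match in USES_RE.finditer(text):
        spec = match.group(1)
        # Local composite actions and docker images are outside this check.
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        if "@" not in spec:
            findings.append(Finding(spec, "", "no ref (resolves to the default branch)"))
            continue
        action, ref = spec.rsplit("@", 1)
        reason = classify_ref(ref)
        if reason:
            findings.append(Finding(action, ref, reason))
    return findings


# Constructed sample workflow; the SHA below is synthetic, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: aquasecurity/trivy-action@0.28.0
      - name: notify
        uses: ./.github/actions/notify
      - uses: actions/setup-node@main
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f.action}@{f.ref or '<none>'}: {f.reason}")
```

Run against the sample, this flags `actions/checkout@v4`, `aquasecurity/trivy-action@0.28.0` and `actions/setup-node@main` and passes the SHA-pinned step. Pinning only removes the tag as a moving target; the pinned commit still has to be reviewed once, and the summary above notes that the stealer ran on self-hosted runners too, so runner secrets deserve the same short-lived, least-privilege treatment as hosted ones.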

Feds Disrupt Four IoT Botnets Behind Massive DDoS Attacks

🛡️ The U.S. Justice Department, with Canadian and German partners, dismantled infrastructure for four major IoT botnets — Aisuru, Kimwolf, JackSkid and Mossad — that compromised more than three million devices and launched hundreds of thousands of DDoS attacks. The action targeted U.S.-registered domains and virtual servers and aimed to stop further infections and future attacks. Law enforcement credited nearly two dozen tech firms for assisting in the operation.
read more →

CISA Warns to Harden Endpoint Management After Intune Attack

🔒 CISA is urging IT and security leaders to harden endpoint management configurations after the pro-Iranian group Handala reportedly abused Microsoft Intune in a March 11 attack on Stryker that disrupted operations and enabled remote wipes. The guidance emphasizes least-privilege administrative roles, phishing-resistant MFA, privileged access hygiene, and multi-admin approval for destructive actions such as wipes. Although focused on Intune, CISA says the same defensive principles apply to any unified endpoint management (UEM) platform. Organizations should audit admin access, require multi-party approval for destructive operations, and continuously monitor privileged activity.
read more →

Navia data breach exposes personal details of 2.7M

🔒 Navia Benefit Solutions says an unauthorized actor accessed its systems between December 22, 2025 and January 15, 2026, potentially exposing records for nearly 2.7 million people. The company discovered the activity on January 23, 2026 and launched an investigation, which found the actor acquired names, dates of birth, Social Security numbers, phone numbers, email addresses, plus HRA, FSA and COBRA enrollment details. Navia says claims and financial account information were not exposed. Affected individuals are being offered 12 months of identity protection and credit monitoring through Kroll, and federal law enforcement has been notified; no ransomware group has claimed responsibility.
read more →

Speagle Malware Hijacks Cobra DocGuard in Targeted Campaign

🔒 Speagle is a newly identified malware that subverts the client and infrastructure of the legitimate document protection product Cobra DocGuard to harvest and exfiltrate sensitive information while masquerading as normal client-server traffic. Researchers at Symantec and Carbon Black (Broadcom) say the 32-bit .NET binary verifies the DocGuard installation, collects system and browser artefacts, and uses a compromised Cobra server for command-and-control and data theft. Tracked as Runningcrab, the activity appears narrowly targeted to environments running the security software and may stem from a supply-chain compromise; attribution remains unknown.
read more →

Ransomware Group Exploited Cisco Firewall Zero-Day

⚠️ Amazon disclosed that the ransomware group Interlock exploited a critical deserialization flaw in Cisco Secure Firewall Management Center (CVE-2026-20131) as a zero-day beginning January 26, roughly 38 days before Cisco released a patch on March 4. The bug carries a CVSS score of 10 and was addressed in Cisco’s semiannual firewall update alongside a second high-severity FMC issue. Using its MadPot honeypot network, Amazon captured attacker activity, recovered a malicious ELF binary, and traced a full attack chain that leveraged a single poorly secured staging server. The findings underscore the limits of patching alone and the need for layered defenses and urgent log hunting for provided indicators.
read more →

Bitrefill Attributes Early March Cyberattack to Lazarus

🛡️ Bitrefill says a cyberattack in early March was likely carried out by North Korea’s Lazarus/BlueNoroff cluster, citing reused IPs, emails, malware, and on-chain tracing as linking indicators. The company traced the intrusion to a compromised employee laptop and stolen legacy credentials that exposed a snapshot containing production secrets and some cryptocurrency wallets. Bitrefill reports about 18,500 exposed purchase records (including 1,000 with names), believes losses were limited and will be covered from capital, and is strengthening security controls and monitoring.
read more →

FBI Seizes Handala Leak Domains After Stryker Wipe

🔒 The FBI has seized two clearnet domains used by the Iranian-linked hacktivist group Handala after its destructive cyberattack on medical device maker Stryker. A seizure banner cites a Maryland court warrant and says the domains facilitated malicious cyber activities; DNS now points to FBI name servers. Handala acknowledged the seizures and said it will rebuild resilient infrastructure. Microsoft and CISA issued guidance to help organizations secure Intune and Windows domains against similar compromises.
read more →

Leak Reveals Tactics and Tensions in Gentlemen Ransomware

🔍 Group-IB's March 19 report exposes operational details of the Gentlemen ransomware group after an affiliate known as hastalamuerte leaked internal information. The research describes a rapidly evolving RaaS that sprang from a Qilin ecosystem dispute and leverages a dual-extortion model, cross-platform encryption and automated lateral movement to maximize impact. Primary initial access stems from exposed FortiGate VPN devices, while evasion techniques such as BYOVD (bring your own vulnerable driver) and aggressive log deletion are used to frustrate defenders and forensic analysis.
read more →

Russian APT28 Exploits Zimbra Flaw Against Ukraine

🔒 APT28 actors are exploiting a Zimbra Collaboration Suite stored XSS (tracked as CVE-2025-66376) in targeted attacks against Ukrainian government entities. The campaign delivers obfuscated JavaScript in phishing emails that executes in the victim's browser when messages are opened in vulnerable Zimbra webmail, running with the user's authenticated session. Researchers report the script harvests credentials, session tokens, 2FA backup codes, and 90 days of mailbox content, exfiltrating data over DNS and HTTPS. CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal agencies to remediate affected servers under BOD 22-01.
read more →
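Exfiltration over DNS, as mentioned above, encodes stolen data into the subdomain labels of queries for an attacker-controlled zone, so each query carries a chunk of payload that looks nothing like a normal hostname. The detector below is an added example, not the indicators or script analysed by the researchers cited: it scores resolver-log queries by payload length and character entropy and reports clients that send several such queries to one zone. The log format, the sample lines and the thresholds are constructed assumptions, and the fixed two-label zone split stands in for a public-suffix-list lookup.

```python
"""Heuristic detection of DNS-based exfiltration in resolver query logs.
Added example (generic detector, not the campaign's published indicators).
Assumes log lines of the form `<timestamp> <client_ip> <qtype> <qname>`,
which is a constructed format, and a two-label zone such as example.org."""
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Assumed thresholds; tune against a baseline of your own resolver traffic.
MIN_PAYLOAD_LEN = 30    # characters of subdomain labels above the zone
MIN_ENTROPY_BITS = 3.0  # Shannon entropy per character of those labels
MIN_HITS_PER_ZONE = 3   # suspicious queries from one client to one zone


def shannon_entropy(s: str) -> float:
    """Bits per character: about 1.6 for 'www', close to 4.0 for random hex."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname: str, zone_labels: int = 2) -> Tuple[str, str]:
    """Return (zone, payload); payload is the labels above the zone, joined."""
    labels = qname.rstrip(".").lower().split(".")
    zone = ".".join(labels[-zone_labels:])
    payload = "".join(labels[:-zone_labels])
    return zone, payload


def is_suspicious_query(qname: str) -> bool:
    """Long, high-entropy subdomain data is what encoded payload looks like."""
    _, payload = split_qname(qname)
    return len(payload) >= MIN_PAYLOAD_LEN and shannon_entropy(payload) >= MIN_ENTROPY_BITS


def find_exfil_candidates(log_text: str) -> List[Tuple[str, str, int]]:
    """Parse the log and return (client, zone, count) for every client/zone
    pair with at least MIN_HITS_PER_ZONE suspicious queries, sorted."""
    hits: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line: skip rather than crash
        _ts, client, _qtype, qname = parts
        if is_suspicious_query(qname):
            zone, _ = split_qname(qname)
            hits[(client, zone)] += 1
    return sorted((c, z, n) for (c, z), n in hits.items() if n >= MIN_HITS_PER_ZONE)


# Constructed sample log: hex-encoded chunks under a reserved .invalid zone.
SAMPLE_LOG = """\
2026-03-19T10:00:01Z 10.0.0.5 A www.example.org
2026-03-19T10:00:02Z 10.0.0.5 A mail.example.org
2026-03-19T10:00:03Z 10.0.0.5 TXT 4d5a7a3b9f0e1c2d6a8b4f7e9d0c3a1b5e6f.2f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.exfil-zone.invalid
2026-03-19T10:00:04Z 10.0.0.5 TXT 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f.1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.exfil-zone.invalid
2026-03-19T10:00:05Z 10.0.0.5 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e.c3b2a19087f6e5d4c3b2a1f0e9d8c7b6.exfil-zone.invalid
2026-03-19T10:00:06Z 10.0.0.5 A cdn.example.org
2026-03-19T10:00:07Z 10.0.0.7 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e.c3b2a19087f6e5d4c3b2a1f0e9d8c7b6.exfil-zone.invalid
"""

if __name__ == "__main__":
    for client, zone, count in find_exfil_candidates(SAMPLE_LOG):
        print(f"{client} -> {zone}: {count} suspicious queries")
```

On the sample, only `10.0.0.5` crosses the per-zone threshold; `10.0.0.7` sent a single matching query and is not reported, which is the trade-off of requiring repetition to keep noise from CDN and cloud hostnames down. A production version would also weight TXT and NULL query types, count unique subdomains per zone, and alert on the HTTPS leg separately.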