All news in category "Incidents and Data Breaches"

Brute-force Attacks Target SonicWall Cloud Backups

🔒 SonicWall warned that brute-force attacks against its firewall API used for cloud backups may have exposed preference files stored in customers' MySonicWall.com portals. The vendor has disabled the cloud backup capability and is urging admins to restrict or disable SSLVPN and Web/SSH management over the WAN, then reset passwords, keys, and secrets. Less than 5% of the install base had backups in the cloud, but that could still affect thousands of organizations. SonicWall has provided remediation guidance and will notify customers if their accounts show impacted serial numbers.

Smashing Security 435: Casting Lures and School Hacks

🎭 In episode 435 of Smashing Security, host Graham Cluley and guest Jenny Radcliffe discuss a sophisticated phishing campaign that used fake casting calls to lure Israeli performers, illustrating how flattering, opportunity-based lures can be as persuasive as fear-based tactics. They also cover Check Point’s findings on Iran-linked activity, the UK ICO’s warning about students hacking schools, and lighter cultural items including Endeavour and a local “Catman” story. The episode blends practical security analysis with humour and sponsored segments.

ShinyHunters Claims 1.5B Salesforce Records Stolen via Drift

🔒 The ShinyHunters extortion group claims they stole approximately 1.5 billion Salesforce records from 760 companies by abusing compromised Salesloft Drift and Drift Email OAuth tokens exposed in a Salesloft GitHub breach. The attackers reportedly accessed Account, Contact, Case, Opportunity, and User tables and searched exfiltrated data for secrets to pivot further. Google/Mandiant and the FBI are tracking the activity as UNC6040/UNC6395, and Salesforce urges customers to enable MFA, enforce least privilege, and manage connected apps carefully.

Shai-Hulud Worm: Large npm Supply Chain Compromise

🪱 Palo Alto Networks Unit 42 is investigating an active supply chain attack in the npm ecosystem driven by a novel self-replicating worm tracked as "Shai-Hulud." The malware has compromised more than 180 packages, including high-impact libraries such as @ctrl/tinycolor, and automates credential theft, repository creation, and propagation across maintainers' packages. Unit 42 assesses with moderate confidence that an LLM assisted in authoring the malicious bash payload. Customers are protected through Cortex Cloud, Prisma Cloud, Cortex XDR and Advanced WildFire, and Unit 42 recommends immediate credential rotation, dependency audits, and enforcement of MFA.

TA558 Deploys AI-Generated Scripts to Install Venom RAT

⚠️Kaspersky tracked TA558, operating under the cluster known as RevengeHotels, using AI-generated JavaScript and PowerShell loaders in summer 2025 to deliver Venom RAT to hotels in Brazil and Spanish-speaking markets. Phishing emails in Portuguese and Spanish used reservation and job-application lures to coax users into running a WScript payload that chains to a PowerShell downloader fetching 'cargajecerrr.txt' and subsequent loaders. The Venom RAT, based on Quasar, includes data-stealing, reverse-proxy, persistence and aggressive anti-kill features aimed at harvesting payment card data from hotel systems and OTAs.

Companies Affected by the Shai-Hulud NPM Supply Chain

🔎 From Sept 14–16, more than 180 NPM packages were compromised in the Shai-Hulud worm. The malware propagated by pushing malicious changes to other packages and exfiltrated secrets by publishing data to public GitHub repositories. Using the GitHub Events Archive, UpGuard identified 207 affected repos (175 labeled "Shai-Hulud Migration", 33 "Shai-Hulud Repository"), mapping to 37 users and a set of corporate employers. Affected developers have removed leaked files, but organizations should still audit exposed repos and rotate secrets.

Insight Partners Notifies Thousands After Ransomware Breach

🔒 Insight Partners is notifying thousands of people after a ransomware incident in which a threat actor gained network access via a sophisticated social engineering attack. The attackers reportedly exfiltrated sensitive data — including banking and tax records, personal information of current and former employees, and details related to limited partners, funds, management companies, and portfolio companies — before encrypting servers on January 16, 2025. The firm says formal notification letters and complimentary credit or identity monitoring are being mailed; if you do not receive a letter by the end of September 2025, your personal data was determined not to be impacted. State filings indicate 12,657 individuals were affected, and no group has publicly claimed responsibility.

SonicWall urges credential resets after MySonicWall breach

🔐 SonicWall says firewall configuration backup files in certain MySonicWall accounts were exposed in a security incident and is urging customers to reset credentials immediately. The company reports it cut off attacker access and is working with cybersecurity and law enforcement to investigate. SonicWall published an Essential Credential Reset checklist to help administrators update passwords, API keys, tokens and related secrets and to restrict WAN access before making changes.

TaskUs Employee Allegedly Central to Coinbase Breach

🔒 A US court filing identifies a TaskUs employee as a key conspirator in the December 2024 breach of Coinbase, a compromise publicly disclosed in May 2025. Prosecutors allege support agents were bribed and recruited to steal customer PII, impacting almost 70,000 users and facilitating social engineering and asset theft. The filing names employee Ashita Mishra, accuses her of stealing and photographing hundreds of records per day and selling data for $200 a record, and claims TaskUs tried to minimize and conceal its security failures. Plaintiffs seek monetary damages and court-ordered security reforms.

Microsoft and Cloudflare Disrupt RaccoonO365 Phishing

🔒 Microsoft and Cloudflare coordinated a disruption of the RaccoonO365 Phishing-as-a-Service operation in early September 2025, seizing 338 malicious websites and Cloudflare Worker accounts. The service is linked to at least 5,000 stolen Microsoft 365 credentials from 94 countries since July 2024 and was used in large campaigns, including a tax-themed sweep that targeted over 2,300 U.S. organizations. Kits bundled CAPTCHA and anti-bot evasion, were sold via a private Telegram channel, and investigators identified a suspected leader, prompting a criminal referral.

Chinese TA415 Abuses VS Code Remote Tunnel for Espionage

🔒 Proofpoint reported that a China-aligned threat actor tracked as TA415 conducted spear-phishing in July–August 2025, impersonating U.S. policy officials and the U.S.-China Business Council to target government, think tank, and academic personnel focused on trade and economic policy. The messages delivered password-protected archives on public cloud services that contained a Windows shortcut which executed a hidden batch script and an obfuscated Python loader named WhirlCoil while displaying a decoy PDF. The loader establishes a VS Code Remote Tunnel to enable persistent backdoor access, harvests system and user data, exfiltrates it via base64-encoded HTTP posts to free request-logging services, and establishes scheduled tasks (e.g., GoogleUpdate) for persistence.

Microsoft and Cloudflare Disrupt RaccoonO365 Phishing

🔒 Microsoft and Cloudflare executed a coordinated takedown of RaccoonO365, a Nigerian-run phishing-as-a-service platform tracked by Microsoft as Storm-2246. The joint effort seized 338 domains and dismantled infrastructure that reportedly generated hundreds of millions of malicious messages and could bypass some MFA protections. Cloudflare removed intermediary Cloudflare Workers shields and deployed phish warning pages, while Microsoft pursued legal action and criminal referrals. The disruption exposed risks to healthcare providers and highlighted cross-border enforcement limits.

Cyberattack on HEM expert affects all ten southern stores

🔒 HEM expert has informed customers that a cyberattack on July 18, 2025 affected all ten of its branches in southern Germany. The retailer says business operations continued almost without disruption, but acknowledges that data was stolen and that customer and employee personal information — potentially including names, addresses, dates of birth, contact details and bank or credit card data — may have been compromised. The company is investigating the scope of the leak, working with data protection authorities, and notifying those potentially affected. Some customers complained about delayed notification; HEM expert says it will strengthen security and staff awareness.

Microsoft Disrupts RaccoonO365 Phishing Kit Network

🛡️ Microsoft’s Digital Crimes Unit says it has dismantled the infrastructure behind RaccoonO365, seizing 338 malicious websites tied to the Storm-2246 phishing kit. The DCU, acting under a court order from the Southern District of New York, identified Nigeria-based operator Joshua Ogundipe and disrupted a Telegram-based subscription service with roughly 850 members. Microsoft says the service, launched July 2024, enabled the theft of thousands of Microsoft365 credentials, included tools to bypass MFA, and recently promoted an AI-powered feature to scale attacks.

Wormable npm campaign infects hundreds, steals secrets

🪱 Researchers have identified a self-propagating npm worm dubbed Shai-Hulud that injects a 3MB+ JavaScript bundle into packages published from compromised developer accounts. A postinstall action executes the bundle to harvest npm, GitHub, AWS and GCP tokens and to run TruffleHog for broader secret discovery. The worm creates public GitHub repositories to dump secrets, pushes malicious Actions to exfiltrate tokens, and has exposed at least 700 repositories; vendors urge rotation of affected tokens.

Scattered Spider Resurfaces, Targets Financial Sector Again

🔍 Cyber threat group Scattered Spider has been linked to a new campaign targeting financial services, according to ReliaQuest. The attackers gained access by socially engineering an executive and abusing Azure AD self-service password reset, then moved laterally via Citrix and VPN to compromise VMware ESXi. They escalated privileges by resetting a Veeam service account, assigning Azure Global Administrator rights, and attempted data extraction from Snowflake and AWS. The activity contradicts the group's retirement claims and suggests regrouping or rebranding.

DoJ Resentences BreachForums Founder to Three Years

⚖️ The U.S. Department of Justice resentenced Conor Brian Fitzpatrick (aka Pompompurin) to three years in prison after vacating his prior 17‑day time‑served sentence for operating BreachForums and possessing child sexual abuse material. Fitzpatrick pleaded guilty in 2023 to access device conspiracy, access device solicitation, and CSAM possession and agreed to forfeit domains, devices, and cryptocurrency representing illicit proceeds. The resentencing followed a Fourth Circuit decision that remanded his case for a new term.

RaccoonO365 Phishing Network Disrupted; 338 Domains Seized

🔒 Microsoft and Cloudflare coordinated a court-ordered disruption that seized 338 domains used by RaccoonO365, a phishing-as-a-service accused of harvesting over 5,000 Microsoft 365 credentials across 94 countries since July 2024. The takedown, executed between September 2–8, 2025, removed malicious Workers scripts, placed interstitial phish warnings, and suspended accounts to cut criminal access. RaccoonO365 was marketed by subscription and used legitimate services like Cloudflare Turnstile and Workers to harden phishing pages and evade detection.

BreachForums Admin Resentenced to Three Years Prison

🔒 Conor Brian Fitzpatrick, 22, who operated the BreachForums hacking forum under the alias Pompompurin, was resentenced to three years in prison after the U.S. Court of Appeals vacated his earlier sentence of time served and 20 years of supervised release. Fitzpatrick pleaded guilty in July 2023 to conspiracy to commit access device fraud, solicitation to offer access, and possession of child sexual abuse material (CSAM). Prosecutors say he violated pretrial release by using VPNs and unauthorized, unmonitored devices to conceal internet activity. BreachForums, created in 2022, rapidly grew to over 330,000 members and facilitated the sale and leakage of stolen data and access to corporate networks.

Hackers Insert Credential-Stealing Malware into npm Packages

🛡️ Researchers disclosed a campaign that trojanized more than 40 npm packages, including the popular tinycolor, embedding self-replicating credential-stealing code. The malware harvested AWS, GCP and Azure credentials, used TruffleHog for secrets discovery, and established persistence via GitHub Actions backdoors. Affected packages were removed, but developers are urged to remove compromised versions, rebuild from clean caches, and rotate any exposed credentials.