CISO Brief

All news in category "Incidents and Data Breaches"

2729 articles · page 34 of 137

DDoS Disrupts Perm Parking Payments, Free Parking Issued

🚗 Local authorities in Perm, Russia, reported a large-scale cyberattack that knocked the city's automated parking payment systems offline, attributing the outage to a massive DDoS attack. The permparking.ru portal and associated payment channels were overwhelmed, prompting officials to waive parking fees from 10–13 March while recovery teams worked. Authorities aimed to have services restored by 16 March. DDoS campaigns typically use botnets to flood services and block legitimate transactions.

UK's Companies House Confirms WebFiling Security Flaw

🔒 Companies House says its WebFiling service is back after a security flaw introduced in October 2025 exposed data for about five million U.K. companies. The bug let authenticated users view other firms' dashboards — including dates of birth, residential addresses and company email addresses — by navigating back after attempting a 'file for another company' action. The agency says no passwords or identity‑verification documents were accessed, and it has reported the issue to the ICO and NCSC while investigating whether any data was accessed or changed without permission.

Vishing Leads to Compromise via Microsoft Teams Support

🔒 In this Cyberattack Series report, Microsoft Incident Response (DART) details an identity-first, human-operated intrusion that began with persistent Microsoft Teams voice phishing (vishing). After two failed attempts, the attacker persuaded a third employee to grant remote access via Quick Assist, then directed the user to a spoofed web form to capture corporate credentials and download multiple payloads. An early, disguised MSI sideloaded a malicious DLL to establish outbound command-and-control. DART contained the activity, removed artifacts, and recommends tightening external collaboration and disabling unnecessary remote-access utilities.

Weekly Cybersecurity Recap: Chrome 0-days and Router Botnets

🔒 This weekly recap spotlights multiple high‑urgency incidents, including two actively exploited Chrome zero‑days—an out‑of‑bounds write in Skia (CVE‑2026‑3909) and an implementation flaw in V8 (CVE‑2026‑3910)—patched in Chrome 146.0.7680.75/76. It also documents large router botnets such as SocksEscort and KadNap that flash custom firmware to maintain persistence and operate as proxy services. Supply‑chain abuse reappears with UNC6426, which used stolen nx npm keys and abused GitHub→AWS OIDC trust to gain admin access and exfiltrate S3 data within 72 hours. Prioritize patching actively exploited flaws, audit OIDC/S3 trusts and router persistence, and monitor for emerging supply‑chain and AI‑agent risks.
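The recap's closing advice to audit GitHub→AWS OIDC trusts is the kind of check that is easy to automate. The script below is an added example, not code from the recap, from the UNC6426 reporting or from AWS: it inspects an IAM role trust policy for the two conditions a GitHub Actions federation should carry (an `aud` pinned to `sts.amazonaws.com` and a `sub` pinned to one repository and ref), flagging the missing or wildcarded subject that lets any GitHub workflow assume the role. The account ID, repository name and both policy documents are constructed for the example.

```python
"""Audit an AWS IAM role trust policy used for GitHub Actions OIDC federation.

Added example, not code from the article, the UNC6426 reporting or AWS. It checks
the two conditions a GitHub -> AWS trust should carry: `aud` pinned to
sts.amazonaws.com and `sub` pinned to one repository (and a ref or environment),
rather than a wildcard that any GitHub Actions workflow can satisfy.
"""
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC  # constructed account id

# Constructed: trust policy with no subject restriction. Any workflow in any
# GitHub repository presents a token that satisfies it.
WEAK_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {GITHUB_OIDC + ":aud": "sts.amazonaws.com"}},
    }],
}

# Constructed: the same trust pinned to one repository and one branch.
HARDENED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            GITHUB_OIDC + ":aud": "sts.amazonaws.com",
            GITHUB_OIDC + ":sub": "repo:example-org/example-repo:ref:refs/heads/main",
        }},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_github_oidc_trust(policy: dict) -> list:
    """Return findings (strings) for every Allow statement that federates GitHub Actions."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        federated = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if stmt.get("Effect") != "Allow" or not any(GITHUB_OIDC in f for f in federated):
            continue
        if not ({"sts:AssumeRoleWithWebIdentity", "sts:*"} & set(actions)):
            continue
        # Flatten Condition into key -> [(operator, value), ...] so `sub` is found
        # whether it sits under StringEquals or StringLike.
        conditions = {}
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, value in pairs.items():
                conditions.setdefault(key, []).append((operator, value))

        aud = conditions.get(GITHUB_OIDC + ":aud", [])
        if not any("sts.amazonaws.com" in _as_list(v) for _, v in aud):
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")

        sub = conditions.get(GITHUB_OIDC + ":sub")
        if not sub:
            findings.append(f"statement {i}: no sub condition, any GitHub repository can assume this role")
            continue
        for operator, value in sub:
            for pattern in _as_list(value):
                parts = pattern.split(":")
                repo = parts[1] if len(parts) > 1 and parts[0] == "repo" else ""
                if not repo or "*" in repo:
                    findings.append(f"statement {i}: sub {pattern!r} does not pin a single repository")
                elif operator.startswith("StringLike") and "*" in pattern:
                    findings.append(f"statement {i}: sub {pattern!r} leaves the ref/environment unpinned")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_TRUST), ("hardened", HARDENED_TRUST)):
        print(label, json.dumps(audit_github_oidc_trust(policy), indent=2))
```

Run it over the output of `aws iam get-role` for each role whose trust names the GitHub provider; a `StringLike` subject such as `repo:example-org/*` is reported as not pinning a repository, and a subject pinned to a repository but ending in a wildcard is reported as leaving the ref unpinned.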

ClickFix Campaigns Deliver MacSync macOS Infostealer

🛡️ Sophos researchers identified three ClickFix campaigns that used malicious search ads and trusted-host lures to coax macOS users into pasting and executing terminal commands, resulting in the deployment of the MacSync infostealer. The campaigns—first observed in November and December 2025 and refreshed in February 2026—leveraged fake Google Sites, ChatGPT conversation redirects, and GitHub-style pages. The February variant introduced dynamic AppleScript and in-memory execution to harvest credentials, keychain data, files, and crypto seed phrases while attempting to erase traces.

GlassWorm Abuses Open VSX Extension Dependencies Campaign

🐛 Researchers at Socket say attackers are abusing dependency relationships in the Open VSX registry to deliver a loader linked to GlassWorm. Since Jan 31, 2026, Socket identified at least 72 malicious listings that pose as developer utilities and later add dependencies to fetch payload extensions. By using VS Code features like extensionPack and extensionDependencies, threat actors turn trusted-looking extensions into transitive delivery vehicles during updates. Mitigations include auditing extension dependencies, monitoring updates, and restricting installs to trusted publishers.

FBI Seeks Help from Gamers Over Steam Malware Campaign

🕵️ The FBI’s Seattle Division is asking gamers who unintentionally downloaded malware via the Steam platform to assist an ongoing investigation into a campaign active between May 2024 and January 2026. Investigators say several titles — including BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova — have been identified as distribution points and are requesting affected users complete a short questionnaire. The FBI is collecting information on pre- and post-download communications, financial losses, and crypto wallet or bank account details; responses are voluntary, may result in follow-up contact, and victims’ identities will be kept confidential.

Companies House WebFiling Glitch Exposes Corporate Data

🛑 The UK’s Companies House has suspended its WebFiling dashboard after researchers Dan Neidle and John Hewitt revealed a simple flaw that allows an authenticated user to view another company’s dashboard by selecting “file for another company” and using the browser back button to bypass an authentication code. The weakness could expose personal and corporate details for millions of directors and, in some cases, permit unauthorized changes to registrations. The agency is investigating and directors are advised to review their filings.

DRILLAPP JavaScript Backdoor Targets Ukrainian Systems

🛡️ S2 Grupo's LAB52 has uncovered a February 2026 campaign delivering a JavaScript backdoor called DRILLAPP that executes through Microsoft Edge in headless mode. The attackers use LNK files or Windows Control Panel modules to spawn an HTA that fetches obfuscated scripts from Pastefy, then run the browser with debugging flags that grant file, microphone, camera, and screen access without user prompts. Variants added recursive file enumeration, batch uploads, and arbitrary downloads while employing canvas fingerprinting and time‑zone checks to profile victims.
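The DRILLAPP chain is detectable at the point where a script host launches a headless browser with prompt-suppressing switches. The rule below is an added example, not LAB52's detection logic: it scores process-creation events (Sysmon Event ID 1 style fields) for Edge or Chrome started headless with a DevTools or permission-bypass switch, or from an HTA/Control Panel parent. The page does not name the flags DRILLAPP uses; the switch list is an assumption built from Chromium switches that have the described effect, and the events are constructed.

```python
"""Flag headless Edge/Chrome launches whose switches suppress permission prompts.

Added example, not LAB52's detection. The page says DRILLAPP runs Microsoft Edge
headless with debugging flags that hand the page file, microphone, camera and
screen access without prompting, launched from an HTA spawned by an LNK or a
Control Panel module. The switch list is an assumption; the events are constructed.
"""
import re
from dataclasses import dataclass

# Chromium switches that expose a debugging surface or remove a user prompt.
RISKY_SWITCHES = {
    "--remote-debugging-port": "DevTools protocol exposed",
    "--remote-debugging-pipe": "DevTools protocol exposed",
    "--allow-file-access-from-files": "page may read local files",
    "--use-fake-ui-for-media-stream": "camera/microphone granted without prompt",
    "--auto-select-desktop-capture-source": "screen capture source pre-selected",
    "--disable-web-security": "same-origin policy disabled",
}
# Parents matching the HTA / Control Panel launch path described for DRILLAPP.
SCRIPT_HOST_PARENTS = {"mshta.exe", "rundll32.exe", "control.exe"}
BROWSERS = {"msedge.exe", "chrome.exe"}


@dataclass
class ProcessEvent:            # subset of Sysmon Event ID 1 / EDR process-create fields
    image: str
    command_line: str
    parent_image: str


def switches(command_line: str) -> set:
    """Return the `--switch` names in a command line, without their `=value` parts."""
    return {m.group(1) for m in re.finditer(r"(?<!\S)(--[A-Za-z0-9-]+)", command_line)}


def evaluate(ev: ProcessEvent) -> dict:
    image = ev.image.rsplit("\\", 1)[-1].lower()
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    if image not in BROWSERS:
        return {"alert": False, "reasons": []}
    present = switches(ev.command_line)
    reasons = [desc for sw, desc in RISKY_SWITCHES.items() if sw in present]
    if parent in SCRIPT_HOST_PARENTS:
        reasons.append(f"launched by script host {parent}")
    # Headless on its own is everyday automation; alert only when it is combined
    # with a prompt-suppressing/debugging switch or with a script-host parent.
    alert = "--headless" in present and bool(reasons)
    return {"alert": alert, "reasons": reasons}


# Constructed events: the DRILLAPP-like launch, ordinary browsing, and a benign
# headless screenshot job that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                 '"msedge.exe" --headless=new --remote-debugging-port=9222 '
                 '--use-fake-ui-for-media-stream --allow-file-access-from-files '
                 'file:///C:/Users/Public/stage.html',
                 r"C:\Windows\System32\mshta.exe"),
    ProcessEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                 '"msedge.exe" --profile-directory=Default https://intranet.example',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 '"chrome.exe" --headless --disable-gpu --screenshot https://intranet.example',
                 r"C:\Windows\System32\cmd.exe"),
]


def run(events=SAMPLE_EVENTS) -> list:
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for ev, result in zip(SAMPLE_EVENTS, run()):
        print(ev.parent_image.rsplit("\\", 1)[-1], "->", ev.image.rsplit("\\", 1)[-1], result)
```

Tune `SCRIPT_HOST_PARENTS` to the script hosts your estate actually uses to drive browsers; the rule deliberately does not treat `cmd.exe` or `powershell.exe` as suspicious parents so that CI and screenshot jobs stay quiet.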

AppsFlyer Web SDK Temporarily Hijacked to Steal Crypto

🛡️ The AppsFlyer Web SDK was temporarily hijacked to deliver obfuscated JavaScript that intercepts cryptocurrency wallet inputs and replaces them with attacker-controlled addresses, diverting funds. Profero researchers identified the malicious payload being served from websdk.appsflyer.com between March 9 and March 11. AppsFlyer says the mobile SDK was not affected, the incident has been contained, and an investigation with external forensics is ongoing.

GlassWorm Escalates via 72 Malicious Open VSX Extensions

🔒 Cybersecurity researchers have identified a significant escalation in the GlassWorm campaign, which has abused at least 72 extensions in the Open VSX registry to target developers, Socket reports. The actor leverages extensionPack and extensionDependencies to turn benign-looking extensions into transitive delivery vehicles that install malicious packages after trust is established. The malicious listings impersonated common developer tools and used heavier obfuscation, invisible Unicode characters, Solana transactions as dead drops, and rotating wallets to evade detection. Open VSX has removed the flagged extensions while vendors and researchers continue their analysis.
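Both GlassWorm items above turn on the same mechanism: an update adds `extensionPack` or `extensionDependencies` entries to a trusted-looking extension's package.json, and the extension host installs whatever those entries name. The script below is an added example, not Socket's tooling or code from either article, and it implements the two mitigations the first item lists: diffing what an update newly pulls in against a publisher allowlist, and walking the transitive closure of an install to see what else arrives. The manifests, publisher names and the allowlist are constructed for the example.

```python
"""Audit VS Code / Open VSX extension manifests for transitive dependency abuse.

Added example, not Socket's tooling. It works on the `extensionPack` and
`extensionDependencies` fields of an extension's package.json, which the VS Code
extension host resolves and installs automatically. The manifests and the
publisher allowlist are constructed for the example.
"""

TRUSTED_PUBLISHERS = {"ms-python", "redhat", "example-corp"}  # assumption: an org's own allowlist

# Constructed manifests: version 1.0.1 of a benign-looking utility quietly adds a
# pack entry pointing at another listing.
HANDY_V1 = {"publisher": "helpful-dev", "name": "handy-formatter", "version": "1.0.0",
            "extensionDependencies": ["redhat.java"]}
HANDY_V2 = {"publisher": "helpful-dev", "name": "handy-formatter", "version": "1.0.1",
            "extensionDependencies": ["redhat.java"],
            "extensionPack": ["shadow-pub.payload-helper"]}

# Constructed catalog (extension id -> manifest) standing in for registry metadata.
CATALOG = {
    "helpful-dev.handy-formatter": HANDY_V2,
    "shadow-pub.payload-helper": {"publisher": "shadow-pub", "name": "payload-helper",
                                  "version": "0.0.3",
                                  "extensionDependencies": ["shadow-pub.stage-two"]},
    "shadow-pub.stage-two": {"publisher": "shadow-pub", "name": "stage-two", "version": "0.0.1"},
    "redhat.java": {"publisher": "redhat", "name": "java", "version": "1.30.0"},
}


def ext_id(manifest: dict) -> str:
    return f"{manifest['publisher']}.{manifest['name']}".lower()


def declared_deps(manifest: dict) -> set:
    """Everything the extension host will install alongside this extension."""
    return ({d.lower() for d in manifest.get("extensionDependencies", [])}
            | {d.lower() for d in manifest.get("extensionPack", [])})


def publisher_of(extension_id: str) -> str:
    return extension_id.split(".", 1)[0]


def audit_update(old: dict, new: dict, trusted=TRUSTED_PUBLISHERS) -> list:
    """Flag dependencies an update adds whose publisher is outside the allowlist."""
    findings = []
    for dep in sorted(declared_deps(new) - declared_deps(old)):
        if publisher_of(dep) not in trusted:
            findings.append(f"{ext_id(new)} {old['version']} -> {new['version']} adds {dep} "
                            f"from untrusted publisher {publisher_of(dep)}")
    return findings


def transitive_closure(root: str, catalog: dict) -> set:
    """All extension ids installed when `root` is installed, following deps recursively."""
    seen, stack = set(), [root.lower()]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        manifest = catalog.get(current)
        if manifest:   # ids missing from the catalog stay in the closure so the caller sees them
            stack.extend(declared_deps(manifest))
    return seen


def untrusted_in_closure(root: str, catalog: dict, trusted=TRUSTED_PUBLISHERS) -> set:
    return {e for e in transitive_closure(root, catalog) if publisher_of(e) not in trusted}


if __name__ == "__main__":
    print(audit_update(HANDY_V1, HANDY_V2))
    print(sorted(untrusted_in_closure("helpful-dev.handy-formatter", CATALOG)))
```

In practice the manifests come from the registry's API or from `~/.vscode/extensions/*/package.json` on managed workstations; the useful signal is the update diff, since the first version of a loader extension is usually clean and the dependency only appears later.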

FBI Seeks Victims After Malware-Embedded Games on Steam

🎮 The FBI's Seattle Division is seeking information from gamers who installed Steam titles later found to contain malware between May 2024 and January 2026. Identified titles include BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova. The agency's questionnaire targets cryptocurrency theft and account hijacking and requests transaction details, compromised account information, and screenshots of communications to help trace stolen funds and those who distributed the malware.

Chinese APT Targets Southeast Asian Militaries Since 2020

🛡️ Palo Alto Networks' Unit 42 links a China-aligned espionage cluster, tracked as CL-STA-1087, to long-running intrusions against Southeast Asian military organizations dating back to 2020. The operators used staged loaders, DLL hijacking and sleep-based sandbox evasion to deploy the AppleChris and MemFun backdoors, plus a credential stealer named Getpass. Persistent, modular tooling and Pastebin-based dead drops enabled stealthy, long-term access focused on C4I and organizational intelligence.

Poland's Nuclear Research Centre Foils Cyberattack

🛡️ Poland’s National Centre for Nuclear Research (NCBJ) says its IT infrastructure was targeted by a cyberattack that was detected and blocked before causing any impact. Security systems and internal procedures enabled rapid containment, and the institute reports that the MARIA research reactor was unaffected and continues to operate safely. Authorities have been notified and an investigation is underway.

Interpol-led Operation Synergia III Nets 94 Arrests Worldwide

🔍 Interpol coordinated Operation Synergia III from 18 July 2025 to 31 January 2026, involving law enforcement units in 72 countries and private partners. The action produced 94 arrests, the seizure of 212 electronic devices and servers, and the takedown of some 45,000 malicious IP addresses, while 110 individuals remain under investigation. The operation targeted phishing, ransomware, romance scams and credit card fraud and disrupted infrastructure used to impersonate banks, government sites and payment services. Private-sector partners including Group-IB, Trend Micro and S2W supplied intelligence that helped identify hosting and malware distribution points.

INTERPOL Disrupts 45,000 Malicious IPs and Servers

🛡️ INTERPOL announced the takedown of 45,000 malicious IP addresses and servers linked to phishing, malware, and ransomware campaigns across 72 countries. The effort, part of Operation Synergia's third phase, resulted in 94 arrests, 212 devices seized and 110 suspects under investigation. Targeted actions in Bangladesh, Togo and Macau uncovered large fraud rings and over 33,000 phishing sites.

Storm-2561 Uses SEO Poisoning to Distribute Trojan VPNs

🔒 Microsoft disclosed a credential-theft campaign that uses SEO poisoning to push trojanized VPN clients impersonating legitimate enterprise software. Attackers hosted ZIPs on GitHub containing MSI installers that sideload malicious DLLs and deploy a Hyrax variant, presenting a fake sign-in dialog to harvest VPN credentials. Microsoft removed the repositories and revoked the signing certificate; organizations should enable MFA and verify software sources.

Global Police Sinkhole 45,000 IPs in Cybercrime Sweep

🔍 An Interpol-led operation, Operation Synergia III, sinkholed tens of thousands of IP addresses and seized servers linked to global cybercrime between July 2025 and January 2026. Authorities from 72 countries made 94 arrests and seized 212 electronic devices, disrupting thousands of phishing and fraud sites including a large 33,000-site network identified in Macau. The action builds on earlier Synergia efforts and highlights the importance of international cooperation and private-sector partnerships to dismantle criminal infrastructures.

Fake Enterprise VPN Installers Steal Company Credentials

🔒 A threat actor tracked as Storm-2561 is distributing spoofed enterprise VPN clients impersonating vendors such as Ivanti, Cisco, and Fortinet to harvest corporate VPN credentials. The campaign uses SEO poisoning to push victims to convincing fake vendor pages that link to a GitHub-hosted ZIP containing a malicious MSI installer. When run, the installer places a fake Pulse.exe, drops a loader (dwmapi.dll) and a Hyrax infostealer variant (inspector.dll), captures credentials and configuration files, then displays an installation error and redirects victims to the legitimate vendor site to avoid immediate suspicion.

Law Enforcement Dismantles SocksEscort Proxy Network

🔒 Operation Lightning dismantled the malicious proxy service SocksEscort, which investigators say compromised hundreds of thousands of routers and IoT devices globally. The service marketed thousands of proxy endpoints that enabled criminals to hide originating IPs and carry out bank and cryptocurrency account takeovers, fraudulent unemployment claims, ransomware operations, DDoS attacks and distribution of CSAM. Authorities seized domains and servers, froze cryptocurrency assets, and urged users and vendors to regularly update device firmware and apply security patches.