ciso brief

All news in category “Incidents and Data Breaches”

2729 articles · page 37 of 137

ShinyHunters Harvests Data from Hundreds of Public Sites

🔒 Salesforce has urged Experience Cloud customers to audit configurations after the ShinyHunters group reportedly stole data from hundreds of sites by exploiting overly permissive guest user settings. Attackers used a customized fork of the open-source Aura Inspector to mass-scan the /s/sfsites/aura API endpoint, identify exposed CRM objects and extract contact details. Salesforce stressed this is a customer configuration issue, not a platform vulnerability, and recommended immediate audits and permission tightening.

APT28 Deploys Customized Covenant Variant for Espionage

🔒 Since April 2024, Russian state-sponsored APT28 has deployed a customized variant of the open-source Covenant post-exploitation framework alongside a modern implant called BeardShell. The dual-implant approach enabled long-term surveillance of Ukrainian military personnel and central executive bodies, researchers at ESET and CERT-UA report. Attacks exploited the CVE-2026-21509 Microsoft Office vulnerability using malicious DOC files. APT28 modified Covenant with deterministic implant IDs, altered execution flows to evade behavioral detection, and added new cloud-based communication channels.

Jailbreaking the F-35: Sovereignty and Software Control

🛩️ The article examines growing international concerns about dependence on U.S.-supplied aircraft software, focusing on the F-35 program and the political and operational risks that follow. It highlights a recent remark by the Dutch Defense Secretary that the jets could be jailbroken to run third-party software, a statement that underscores frustration with vendor-controlled maintenance. The piece frames this as part of a broader debate over vendor lock-in, sovereignty, and the security implications of controlling mission-critical systems. It warns that technical, legal, and safety trade-offs complicate any unilateral attempt to modify certified avionics.

Threat Actors Mass-Scan Salesforce Experience Cloud Sites

🔍 Salesforce has warned that a threat actor is using a customized version of the open-source tool AuraInspector to mass-scan publicly accessible Experience Cloud sites and exploit overly permissive guest user configurations. The modified tool can both identify vulnerable API endpoints and extract data from misconfigured environments without authentication. Salesforce says the activity targets customer configuration weaknesses rather than a platform flaw and urges customers to review guest user settings and follow recommended configuration guidance.

Microsoft Teams Phishing Deploys A0Backdoor via Quick Assist

🔐 Researchers at BlueVoyant describe a Microsoft Teams phishing campaign that social-engineers employees into initiating Quick Assist remote sessions to install a newly observed backdoor, A0Backdoor. Attackers deliver digitally signed MSI installers and use DLL sideloading with legitimate Microsoft binaries to load a malicious hostfxr.dll that decrypts and runs shellcode. The backdoor fingerprints hosts, communicates with command-and-control over DNS MX queries with encoded subdomains, and has been observed targeting financial and healthcare organizations.

Dutch govt warns of Signal and WhatsApp hijacking campaigns

🔐 Russian state-sponsored actors are tied to a targeted phishing campaign that hijacks Signal and WhatsApp accounts to monitor messages of government officials, military personnel, and journalists. The Dutch MIVD and AIVD warn attackers use fake support chats, SMS verification-code prompts, Signal PIN requests, and malicious QR links to link attacker devices. Signal says its infrastructure is intact and urges users never to share codes or PINs and to review linked devices immediately.

Chinese-Nexus APT Activity Targeting Qatar Amid Tensions

🔎 Check Point Research observed increased activity by Chinese-nexus APT groups targeting Qatar following the recent Middle East escalation. Within a day of Operation Epic Fury's launch, the Camaro Dragon actor attempted to deploy a PlugX variant against Qatari targets. Attackers leveraged the conflict in their lures and demonstrated rapid adaptation to breaking events. The campaign highlights elevated regional cyber risk and the need for vigilant defenses.

Ericsson US Reports Data Breach via Service Provider

🔒 Ericsson Inc.'s U.S. subsidiary disclosed that attackers stole personal data for an undisclosed number of employees and customers after a breach at a third‑party service provider detected on April 28, 2025. The provider's investigation found files were accessed between April 17 and April 22, 2025, and a review completed on February 23, 2026 identified exposed personal information. Ericsson says it has not seen evidence of misuse and is offering free IDX identity protection and monitoring to affected individuals, with enrollment open through June 9, 2026.

Malicious npm Package Deploys RAT, Steals macOS Credentials

🚨 JFrog researchers found a malicious npm package, @openclaw-ai/openclawai, uploaded on March 3, 2026 and downloaded 178 times, that masquerades as an OpenClaw installer to deploy a remote access trojan and harvest sensitive macOS data. It uses a postinstall hook and a global reinstallation to expose a CLI entry point, and the staged GhostLoader payload is delivered encrypted from a C2 server and run as a detached background process. The installer displays a polished fake CLI and an iCloud Keychain prompt to capture system passwords and prompts users for Full Disk Access to unlock Apple Notes, iMessage, Safari history and Mail. Collected files — Keychain databases, browser cookies, crypto wallets, SSH and cloud credentials — are archived and exfiltrated via direct upload, the Telegram Bot API and GoFile.io, while the RAT maintains persistence, clipboard monitoring and browser session cloning.

ShinyHunters Claims Ongoing Salesforce Aura Data Theft

🔒 Salesforce warns customers that attackers are targeting misconfigured Experience Cloud sites by abusing the /s/sfsites/aura API, allowing guest users to access more data than intended. Threat actors have used a modified AuraInspector scanner and bespoke exfiltration tools; the extortion group ShinyHunters claims responsibility and reports hundreds of compromises. Salesforce stresses this stems from customer guest‑user settings, not a platform vulnerability, and provides immediate mitigation guidance.

Threat Actor Used Elastic Cloud SIEM to Store Stolen Data

🔒 Researchers uncovered a campaign in which a threat actor exploited multiple enterprise software flaws to harvest system data and deposit it into a free-trial Elastic Cloud SIEM instance. The attacker used an encoded PowerShell payload to collect OS, hardware, Active Directory and patch details, sending records into an Elasticsearch index named systeminfo. Telemetry showed the trial was registered via a disposable email and accessed repeatedly through Kibana as the operator triaged victims. Huntress coordinated with Elastic and law enforcement to notify affected organisations and take the instance offline.

FBI: Phishing Scam Targets City and County Permit Applicants

⚠️ The FBI warns that criminals are impersonating city and county planning and zoning officials to phish businesses and individuals with active land-use or permit applications. Victims receive emails referencing permit details, zoning application numbers, or property addresses and are instructed to pay invoices via wire transfers, peer-to-peer platforms, or cryptocurrency, often pressured with urgency. The agency urges recipients to verify sender domains, call local government offices to confirm fees, and report incidents to the IC3.

UNC4899 Cloud Campaign Exploits AirDrop to Steal Crypto

🔒 Google links the North Korean actor UNC4899 to a 2025 cloud compromise that leveraged personal-to-corporate file transfers (AirDrop) and malicious code embedded in a shared archive. Attackers pivoted from a compromised developer device into Google Cloud, abused CI/CD and Kubernetes workflows, and manipulated Cloud SQL to extract funds. The campaign employed living-off-the-cloud techniques and persisted by injecting commands into deployment configurations. Recommended mitigations include phishing-resistant MFA, strict secrets management, and restricting P2P file sharing on corporate endpoints.

TriZetto Provider Solutions Breach Exposes 3.4M Patients

🔒 TriZetto Provider Solutions (TPS) has reported a breach that impacted more than 3.4 million individuals after suspicious activity was detected in a customer-facing web portal on 2 October 2025. TPS confirmed that no payment card or bank account data were taken, but said names, addresses, dates of birth, Social Security numbers and health insurance identifiers may have been accessed. The company, owned by Cognizant, says it is working with law enforcement, has implemented additional security measures and is offering credit monitoring to those affected.

Chrome Extensions Turn Malicious After Ownership Transfer

🔒 Two Google Chrome extensions were modified following apparent ownership transfers, allowing attackers to remotely deliver JavaScript payloads, inject code, and harvest sensitive data from users. The affected extensions — QuickLens (~7,000 users) and ShotBird (~800 users) — changed owners in early 2026 and began polling C2 servers for runtime payloads. The update to QuickLens stripped security headers to bypass cross-origin protections, while ShotBird used a fake Chrome-update lure to pivot from browser compromise to host-level execution. Users should remove these extensions, audit browsers, and enterprises should treat extensions as supply-chain risk.

Ghanaian Pleads Guilty in $100M Romance and BEC Scam

🔒 A Ghanaian national, Derrick Van Yeboah, has pleaded guilty to conspiracy in a global fraud ring blamed for over $100 million in victim losses. Prosecutors say Van Yeboah impersonated romantic partners and corporate leaders to induce victims and orchestrated laundering of stolen funds, accounting for roughly 10% of the operation's take. He faces up to 20 years in prison and agreed to $10.1m in restitution and forfeiture; his plea follows extradition and indictment last year.

The Dirty Dozen: Active Ransomware Groups Today 2026

🔒 Ransomware-as-a-service (RaaS) has driven a rise in financially motivated attacks, combining double and triple extortion, data theft, and growing use of AI. Law enforcement disruptions have fragmented the marketplace and helped spawn new players such as Akira, BlackCat, and RansomHub. Attackers exploit unpatched VPNs, open RDP, phishing, and zero-day flaws to hit healthcare, manufacturing, education, telecom and critical infrastructure.

Chinese-linked CL-UNK-1068 Targets Asian Critical Sectors

🛡️ Palo Alto Networks Unit 42 attributes a years-long espionage campaign against high-value organizations in South, Southeast and East Asia to a previously undocumented cluster dubbed CL-UNK-1068. The actor uses a mixed toolkit of custom malware, modified open-source utilities and living-off-the-land binaries to operate on both Windows and Linux. Intrusions commonly begin with web server exploits and web shells, followed by credential theft and targeted file harvesting. Researchers observed novel exfiltration methods—archiving with WinRAR, Base64-encoding via certutil, and printing the encoded output to the web shell to avoid direct file transfer.

Termite Ransomware Breaches Tied to ClickFix, CastleRAT

🔒 Researchers at MalBeacon observed the threat actor Velvet Tempest using a ClickFix malvertising chain to trick victims into pasting obfuscated commands into the Windows Run dialog. Operators leveraged nested cmd.exe chains and legitimate utilities (including finger.exe and csc.exe) to stage loaders, compile .NET components, and deploy Python-based persistence under C:\ProgramData. The intrusion staged DonutLoader and retrieved the CastleRAT backdoor, though Termite ransomware was not deployed during the observed exercise.

AI-Assisted Automation Enables Large-Scale Password Spraying

🔐 Fortinet investigated recent reports of AI-assisted attacks and found no exploitation of FortiGate vulnerabilities; attackers instead exploited exposed management ports and weak single-factor credentials using automated password spraying. The novel concern is that conversational AI prompts and cloud resources can now automate target discovery, credential guessing, vulnerability assessment, and exploitation at scale with no coding required. Fortinet stresses defense-in-depth and rapid remediation.