< ciso
brief />
Incidents and Data Breaches Banner

All news in category “Incidents and Data Breaches

3000 articles · page 4 of 150

Scammers Exploit Venezuela Earthquake Registrations

🧭Researchers uncovered 212 domains registered within five days of the Venezuela earthquake, many claiming to offer aid, donations, or rescue services. While some registrations may be legitimate, 93% hid registrant contact details and several solicit Bitcoin with no verifiable accountability. The pattern mirrors past disaster-driven scams; donors are advised to use known charity sites and avoid new or crypto-only donation pages.
read more →

Silent Swap clipper exploits browser extensions

🛡️ McAfee Labs uncovered an active campaign, dubbed Silent Swap, that deploys malicious Chromium extensions masquerading as a 'Google Notes' utility to intercept and replace cryptocurrency wallet addresses copied to the clipboard. The installers, observed in .NET and Golang variants, inject the extension into Chromium-based browsers by modifying protected preferences and recalculating security hashes to bypass store installation. The threat uses an EtherHiding technique to resolve C2 domains via the blockchain and performs dynamic, server-side wallet mappings to redirect funds to attacker-controlled addresses. Telemetry shows global infections, with higher concentration in India.
read more →

Critical SimpleHelp RMM authentication bypass exploited

🔒 A critical authentication bypass in SimpleHelp's RMM software was exploited to forge a technician login token and deliver two previously unseen malware families. Researchers at Blackpoint Cyber found the flaw (CVE-2026-48558) allowed unauthenticated token forgery by skipping cryptographic signature checks in OpenID Connect. Attackers abused built-in file transfer and remote execution to deploy a Node.js loader named TaskWeaver and a cross-platform stealer called Djinn Stealer. The vulnerability received a CVSS score of 10 and was patched in late May; CISA added it to KEV on June 29.
read more →

Aflac Japan breach exposes policy and bank data

🔒 Aflac disclosed that attackers accessed systems at its wholly owned Japan subsidiary between June 15 and June 25, 2026, prompting suspension of certain systems while operations continue. The insurer is working with external cybersecurity experts, has notified Japanese regulators, and will inform affected individuals. Aflac said U.S. systems were not accessed and the full scope of the incident remains under investigation.
read more →

Attackers Use TON Blockchain to Target Hotels

🛡️ Trend Micro's TrendAI discovered a phishing campaign targeting Booking.com partner accommodations in Japan that uses guest complaint impersonations to trick staff into opening malicious attachments. The delivered malware, TONResolver, is hosted via a smart contract on the TON blockchain and acts as a remote access trojan, establishing persistent backdoor connectivity for follow-up intrusion. Attackers abused scheduling-tool notifications to bypass SPF/DKIM/DMARC protections and used Node.js obfuscation and LNK-based delivery to frustrate detection.
read more →

Counterfeit USBs Infected JGSDF Networks Nearly Year

🔍 Leaked documents reveal that counterfeit USB flash drives carrying malware entered Japan's Ground Self-Defense Force (JGSDF) networks after being distributed during 2024 earthquake relief operations. The malicious drives, traced to sellers in China and priced below market rates, were discovered in February 2025 and found on over 50 computers, nearly half handling classified data. Investigators linked the malware to a strain previously associated with a China-linked hacking group, while authorities maintain the infection showed only self-replication behavior.
read more →

CISA: BlueHammer bug now exploited by ransomware

🛡️ CISA confirms ransomware actors are exploiting the high-severity Microsoft Defender privilege escalation flaw dubbed BlueHammer (CVE-2026-33825). The bug was leaked with proof-of-concept code by researcher "Nightmare Eclipse" in April and later patched by Microsoft on April 14. CISA added the flaw to its KEV Catalog and ordered federal agencies to patch, and has now flagged it as used in ransomware campaigns.
read more →

UK Firms Face Rising Ransomware Incidents in 2025–26

🔒 Report Fraud received 323 ransomware reports from UK organisations between April 2025 and March 2026, with SMEs accounting for over half of victims. Financial losses rose about 50% year-on-year to approximately £270,000 per incident, though police warned this likely understates the true cost. Authorities and experts urge firms to adopt proactive measures like regular backups and strong access controls to reduce risk and impact.
read more →

Nissan reports employee data breach after PeopleSoft zero-day

🔒 Nissan has disclosed a data breach affecting current and former employees after threat actors exploited an Oracle PeopleSoft vulnerability tied to a wider campaign. The automaker says the incident may have exposed contact, financial, tax, and identification details and impacts employees in the US, Canada, Mexico, and Brazil. Nissan has engaged external cybersecurity experts, restricted certain payroll functions, and will offer monitoring services to affected individuals while working with Oracle on remediation.
read more →

Malicious Perplexity-themed Chrome Extension Captured Searches

🔍 Microsoft discovered a malicious Chrome extension posing as Perplexity that logged every search query and each character typed in the address bar by routing input through an attacker-controlled server before redirecting to legitimate results. The extension, named "Search for perplexity ai" and using a look-alike domain, set itself as the default search engine and redirected queries and live suggestion traffic to the attacker domain, collecting headers, IPs, and user agent data. Microsoft reported the extension to Google, which removed it from the Chrome Web Store; defenders are urged to remove the extension and verify search settings immediately.
read more →

US offers $10M for info on hackers targeting Signal and WhatsApp

🔔 The U.S. Department of State is offering up to $10 million through its Rewards for Justice program for information identifying members of UNC5792 and UNC4221, two groups tied to Russian intelligence and military services. The bounty follows FBI and CISA updates that these groups conducted phishing campaigns targeting Signal and WhatsApp users, including attempts to steal Signal Backup Recovery Keys by impersonating support agents. Targets included U.S. and NATO officials, journalists, NGOs, and researchers.
read more →

Mustang Panda uses cloud service for stealth C2

🛡️ A China-aligned espionage group, Mustang Panda, has run two campaigns targeting Indian government and hydropower-related networks, using new malware and abusing Zoho WorkDrive as a covert command-and-control channel. Acronis Threat Research Unit found active compromises affecting senior administrative systems, worked with CERT-In for remediation, and detailed three tools: SHARDLOADER, MINIRECON, and ZOHOMURK. The intrusions leveraged DLL sideloading via signed binaries and spear-phishing lures themed to hydropower and bilateral memoranda, with beaconing recorded from June 12–22, 2026.
read more →

Weekly Cyber Recap: Kernel Flaws and AI Risks

🛡️ This week’s recap highlights how seemingly small mistakes — missed patches, old access paths, or unprivileged namespaces — can yield significant compromises. New findings include the DirtyClone Linux kernel flaw allowing local privilege escalation, active exploitation of a critical PTC Windchill vulnerability, and novel macOS malware designed to deceive AI analysis tools. The briefing also covers disruptive takedowns, trending CVEs, and emerging AI-model risks.
read more →

236,000 DCloud Uni‑App Sites Fuel Investment Scams

🛡️ Infoblox reports that over 236,000 domains use DCloud Uni‑App templates to power investment scams, including fake crypto exchanges, wallet drainers, gambling sites, and WhatsApp phishing pages. The malicious sites span continents, target multiple languages, and have been active since mid‑2022, with some operators stripping framework fingerprints to evade detection. While many domains use mainstream hosting providers, a subset relies on bulletproof hosting and centralized template sales may explain coordinated activity.
read more →

Gamaredon expands malware and exfiltration tactics

🛡️ ESET observed 35 spear-phishing campaigns by the Russian APT group Gamaredon across 2025, primarily targeting Ukrainian government and military entities. Campaigns used HTML smuggling, archive attachments and a patched WinRAR flaw (CVE-2025-8088) to deploy HTA downloaders that drop payloads like PteroSand. The group enhanced persistence and lateral movement via PteroLNK, PteroPaste and PteroSetup while increasingly abusing tunnel and serverless services to hide infrastructure.
read more →

US seizes nearly 400 illegal FIFA World Cup domains

⚖️ The U.S. Justice Department has seized nearly 400 domains tied to illegal live streams of FIFA World Cup 2026 matches. The operation, coordinated via the ICHIP Network and partners, targeted servers and domains across multiple countries, including Peru and Bulgaria. Authorities acted with support from FIFA, broadcasters and industry groups to disrupt piracy and warn of malware and fraud risks to viewers.
read more →

NAIC Confirms PeopleSoft Breach Exposes Credit Data

🔒 The US National Association of Insurance Commissioners (NAIC) disclosed a security breach detected on June 11 and revealed on June 17 that an unauthorized actor exploited a zero-day in Oracle PeopleSoft to access parts of its environment. The attacker obtained and published some statutory financial reporting and credit rating agency data, and possibly routine technical files. NAIC says personal, payment, and several regulatory system records were not compromised and operations are largely restored.
read more →

Suspected Russian Involvement in JLR Cyberattack

🛡️ Security experts have reacted to a New York Times report linking Russian hackers to the Jaguar Land Rover breach, which reportedly cost the British economy £1.9bn. Microsoft flagged the activity, and specialists pointed to the lack of a ransom demand, timing before a vehicle rollout, and novel ransomware as indicators of state involvement. Former JLR security leaders and industry analysts suggest the attack resembled sabotage more than typical cybercrime.
read more →

FBI warns of Russian targeting Signal backup keys

🔔 The FBI has issued a public service announcement warning that multiple clusters of Russian intelligence actors, including FSB officers and military hackers, are targeting high-risk users to steal Signal Backup Recovery Keys. The campaign uses phishing messages masquerading as messaging app support to elicit verification codes, account PINs, and recovery keys. Victims include government officials, military personnel, journalists and Ukrainian officials. Users are advised to only trust official support channels and to generate a new recovery key to invalidate older backups.
read more →

Hijacked npm and Go packages deploy cross‑platform stealer

🛡️ Cybersecurity researchers discovered two malicious npm packages and a cluster of Go packages that deploy a Python-based information stealer targeting Windows, Linux, and macOS. The attack hides execution in a VS Code task that runs when a project folder is opened and retrieves encrypted JavaScript from blockchain transaction data to configure a socket.io backdoor. The campaign uses a disguised font file to deliver multi-stage payloads and ultimately installs a Python infostealer that exfiltrates credentials, wallets, and developer artifacts.
read more →