
All news in category “Incidents and Data Breaches”


Surge in Camera Attacks Linked to Iranian Actors Regionwide

🎥 Check Point Research reported a surge of attempts to compromise internet‑connected surveillance cameras across the Middle East beginning 28 February, with additional focused activity in parts of Lebanon on 1 March. The campaign targeted Hikvision and Dahua devices, scanning for known authentication‑bypass and remote‑code‑execution flaws for which patches exist. Infrastructure attributed to Iran used commercial VPN exit nodes and VPS hosts. Recommended mitigations include removing WAN exposure, enforcing strong credentials, applying firmware updates, and segmenting cameras onto a dedicated VLAN.

Multi-Stage BadPaw Malware Campaign Targets Ukraine

🐾 ClearSky researchers uncovered a multi-stage malware campaign named BadPaw that leverages emails from the Ukrainian provider ukr.net to lure recipients to a ZIP download. The archive contains an HTA disguised as HTML that displays a decoy document while launching hidden components. BadPaw checks system age to evade sandboxes, extracts payloads, and uses a scheduled task plus steganography to persist. A staged C2 flow ultimately deploys a multi-layered backdoor, MeowMeowProgram.exe, with low AV detection.

Coruna iOS Exploit Kit Uses 23 Exploits Across iOS 13–17

📱 Google Threat Intelligence Group (GTIG) identified a powerful exploit framework named Coruna (aka CryptoWaters) that bundles five full iOS exploit chains and 23 exploits targeting devices running iOS 13 through 17.2.1. The framework fingerprints devices, loads tailored WebKit remote code execution exploits and executes pointer authentication code (PAC) bypasses to achieve persistence. Observed in multiple campaigns since February 2025, the kit moved from commercial surveillance users to nation-state actors and later financially motivated operators; users should keep devices current and enable Lockdown Mode.

The Whitelist Illusion: Trusted Lists as Attack Maps

🧭 When organizations rely on whitelists to protect high-value blockchain assets, those lists become a playbook for determined attackers. Nation-state groups targeted entities such as Bybit ($1.5B), WazirX ($235M), and Radiant ($53M), compromising whitelisted vendors and counterparties to drain funds. Treat every whitelisted address as potentially compromised and enforce strict verification, segmentation, and least-privilege controls.

Fake Laravel Packages on Packagist Deploy Cross-Platform RAT

🔴 Security researchers identified malicious Packagist PHP packages posing as Laravel utilities that install a cross-platform remote access trojan (RAT) affecting Windows, macOS, and Linux. The actor published nhattuanbl/lara-helper, nhattuanbl/simple-queue, and nhattuanbl/lara-swagger, with lara-swagger pulling the helper as a Composer dependency to trigger installation. The embedded payload phones home to a reported C2 at helper.leuleu[.]net:2096, supports extensive remote commands, and activates at application boot or via autoloading, exposing application credentials and environment secrets.

APT41-Linked Silver Dragon Targets Europe and Asia

🔒 Check Point disclosed an advanced persistent threat dubbed Silver Dragon, active since mid-2024 and assessed to operate under the APT41 umbrella. The group gains access via vulnerable public servers and phishing, deploying loaders such as MonikerLoader and the C++ BamboLoader to stage Cobalt Strike beacons. Post-exploitation tools include screen capture, SSH utilities, and a Google Drive backdoor used for file-based C2.

AkzoNobel Confirms Data Theft After U.S. Site Breach

🔓 AkzoNobel confirmed a security incident at a U.S. site after the Anubis ransomware group posted a partial data leak. The company says the intrusion was contained locally and the impact is limited, and it is notifying and supporting affected parties. Anubis claims about 170GB and nearly 170,000 files were stolen, including confidential agreements and passport scans.

Facebook Suffers Worldwide Outage Blocking Account Access

⚠️ Users worldwide are reporting that Facebook is inaccessible, with many seeing a notice that their "account is temporarily unavailable" due to a site issue. Outages tracked by DownDetector began around 4:15 PM ET and appear global. Meta's status page, however, only lists High Disruptions for Facebook Ads Manager, Instagram Boost, and the WhatsApp Business API. Facebook has been contacted for comment; the incident remains under investigation.

Signed Malware Mimics Workplace Apps to Deploy RMM Backdoors

🔒 In February 2026 Microsoft Defender Experts uncovered phishing campaigns that delivered digitally signed malware impersonating common workplace applications. The threat actor used an EV certificate issued to TrustConnect Software PTY LTD to sign trojanized installers (examples include msteams.exe, adobereader.exe, and invite.exe) that deployed RMM tools such as ScreenConnect, Tactical RMM, and MeshAgent. Executables reinforced legitimacy by copying to Program Files, registering services, creating Run keys, and executing encoded PowerShell to stage additional payloads and connect to attacker-controlled domains, enabling persistent remote access and lateral movement.

Hackers Abuse OAuth Error Redirects to Deliver Malware

🔐 Microsoft warns that attackers are abusing legitimate OAuth error redirection to bypass email and browser phishing protections and deliver malware. Campaigns target government and public-sector organizations with lures such as e-signature requests, meeting invites, and financial notices that contain OAuth redirect URLs. Attackers register malicious OAuth apps and invoke silent-auth parameters or invalid scopes to trigger error redirects to attacker-controlled pages. Those pages can host credential-phishing frameworks or automatically deliver ZIP packages that launch PowerShell loaders and DLL side‑loading routines, enabling final payload execution.

Fake IT Support Spam Delivers Havoc C2 via DLL Sideloader

🔒 Huntress researchers uncovered a campaign where attackers posed as IT support, using email spam and follow-up phone calls to coerce victims into granting remote access and visiting a counterfeit Microsoft page hosted on AWS. The fake site harvested credentials and prompted a download that executed a legitimate binary which sideloaded a malicious DLL to launch the Havoc Demon. The intrusions showed rapid lateral movement, scheduled-task persistence, and use of legitimate RMM tools as backup persistence.

Spyware Campaign Mimics Israel's Red Alert App via SMS

🚨 Researchers at CloudSEK have uncovered a mobile espionage campaign, dubbed RedAlert, that distributes a trojanized version of Israel's official Red Alert rocket warning app via SMS phishing and sideloaded fake updates. The malicious build imitates the genuine interface and continues to deliver real alerts while running a covert surveillance payload that requests high-risk permissions such as SMS access, contacts and precise GPS. It uses advanced anti-detection techniques — including spoofing the original signing certificate, falsifying Play Store installation metadata and manipulating Android's package manager via reflection and proxy hooks — to hide secondary payloads and avoid integrity checks. Incident response guidance recommends isolating affected devices, revoking privileges, performing factory resets when necessary, and blocking known domains while restricting sideloading through mobile device management.

South Korea NTS Publishes Seed Phrase, Loses $4.8M Crypto

🔑 South Korea's National Tax Service (NTS) accidentally included a photograph in a press release that exposed a handwritten cryptocurrency mnemonic seed phrase next to a seized Ledger device. Within hours the wallet holding roughly 4 million PRTG tokens (about US $4.8M) was emptied. The NTS removed the release and issued an apology; the incident underscores that publishing a wallet's seed phrase instantly nullifies any cold-storage security.

LexisNexis Confirms Breach After Hackers Leak Files

🔒 LexisNexis has confirmed a breach after the threat actor FulcrumSec posted 2.04 GB of files allegedly exfiltrated from its AWS environment. The group says they exploited a React2Shell vulnerability in an unpatched React frontend container on February 24 to reach Redshift tables, VPC databases and plaintext Secrets Manager entries. LexisNexis characterizes the material as mostly legacy data from before 2020 and says it contained no Social Security numbers, driver’s license numbers, financial data, active passwords, customer search queries, client/matter data, or contracts.

Leaked Ariomex Database Suggests Iranian Sanctions Evasion

🔍 Resecurity analysed a leaked Ariomex database covering 2022–2025 and concluded the exchange's records suggest potential sanctions evasion and large capital transfers linked to actors inside Iran. The review covered 11,826 verified users, identified 27 potential sanctions matches and found about 7,710 Iran-linked accounts, with roughly 70% of volume in Tether and Tron. Resecurity flagged mechanisms such as shell accounts, stablecoin routing and intermediary wallets and said it will assist regulators.

Open-Source CyberStrikeAI Deployed in FortiGate Attacks

🚨 Security researchers say an open-source, AI-native offensive platform called CyberStrikeAI was used to automate mass scanning and exploitation of Fortinet FortiGate appliances, contributing to compromises of more than 600 devices across 55 countries. Team Cymru traced activity to a Russian-speaking actor after analyzing an IP address and observed 21 unique IPs running the tool between January 20 and February 26, 2026. The tool's GitHub maintainer, known as Ed1s0nZ, has published a range of exploitation and AI-jailbreak utilities and shows interactions with organizations linked to Chinese state cyber capabilities.

Coruna: Powerful iOS Exploit Kit and Its Proliferation

🔍 Google Threat Intelligence Group describes Coruna, a sophisticated iOS exploit kit containing five full exploit chains and 23 exploits that target iOS 13.0 through 17.2.1. The kit combines WebKit RCEs, PAC/PPL bypasses, and a root-capable loader called PlasmaLoader that exfiltrates financial data and cryptocurrency wallet information. GTIG observed deployments by both suspected state-backed and financially motivated actors and added affected domains to Safe Browsing. Users are urged to update iOS or enable Lockdown Mode if updates are not possible.

Silver Dragon: China-Nexus Espionage Targeting Governments

🐉 Silver Dragon is a China-nexus cyber espionage group focusing on government ministries and public sector organizations across Southeast Asia, with additional victims identified in Europe. The group gains access through exploitation of public-facing servers and targeted phishing campaigns. It maintains long-term persistence by hijacking legitimate Windows services and deploying a custom backdoor, GearDoor, which uses Google Drive for covert C2, blending malicious activity with trusted services to evade detection.

Amazon: Drone Strikes Damage AWS Data Centers in Middle East

🚨 Amazon has confirmed that drone strikes damaged three AWS data centers in the United Arab Emirates and one in Bahrain, causing an ongoing outage that is affecting dozens of cloud services. The attacks caused structural and power damage and triggered fire suppression that resulted in additional water damage. Amazon is restoring physical infrastructure while pursuing software-based recovery paths and advising customers to back up and migrate workloads to unaffected regions.

Starkiller Phishing Suite Proxies Real Sites to Bypass MFA

🔒 Cybersecurity researchers disclosed Starkiller, a commercial phishing suite marketed by a group calling itself Jinkusu that proxies legitimate login pages to bypass multi-factor authentication. The platform launches a headless Chrome instance inside a Docker container and acts as an AitM reverse proxy, relaying keystrokes, form submissions and session tokens. Abnormal warns the toolkit centralizes deployment, URL masking and session monitoring to give low-skill criminals effective MFA-bypass capabilities at scale.