All news in category "Incidents and Data Breaches"

JLR Extends Production Halt After Cyber Attack, Suppliers

🔒 Jaguar Land Rover (JLR) has extended its production pause until at least 24 September after a cyber-attack earlier this month. The outage is causing cascading disruption across its supply chain, with some third-party workers reportedly laid off while JLR employees are not facing job losses. Unite has called for government-backed furloughs for affected contractors. A group using the name Scattered Lapsus$ Hunters has claimed responsibility and JLR confirmed some data were affected and regulators have been informed.

FinWise Bank warns of insider data breach affecting 689K

🔒 FinWise Bank notified customers that a former employee accessed customer data after their employment ended, with the incident occurring on May 31, 2024 and discovered on June 18, 2025. The breach affected 689,000 FinWise and American First Finance (AFF) customers, and the bank confirmed that customers' full names were exposed. FinWise engaged external cybersecurity experts, offered 12 months of free credit monitoring and identity-theft protection, and advised customers to place fraud alerts or security freezes and to monitor credit reports and account statements.

Supply-Chain Attack Trojanizes Over 40 npm Packages

🚨 Security researchers say a new software supply chain campaign has compromised more than 40 npm packages by injecting a malicious bundle.js into republished releases. The trojan installs a downloader that executes TruffleHog to scan hosts for secrets and cloud credentials, targeting both Windows and Linux developer environments. Vendors warn maintainers to audit environments, rotate tokens, and remove affected versions to prevent ongoing exfiltration.

Fraudulent Account Created in Google's LERS Portal

🔒 Google has confirmed that a fraudulent account was created in its Law Enforcement Request System (LERS) and has been disabled. The company says no requests were made and no data was accessed. The claim was posted by a group calling itself Scattered Lapsus$ Hunters, which also alleged access to the FBI's eCheck system; the FBI declined to comment. The group has a history of high-profile Salesforce-related thefts and has publicly taunted law enforcement and security researchers.

Google: Fraudulent Account Created in Law Enforcement Portal

🔒 Google confirmed that a fraudulent account was created in its Law Enforcement Request System (LERS) portal and has been disabled. The company said no requests were made with the account and no data was accessed. The claim follows posts by a group calling itself "Scattered Lapsus$ Hunters", which also asserted access to the FBI's eCheck system. The actors have previously targeted Salesforce-related infrastructure and taunted security teams.

Mustang Panda Uses SnakeDisk USB Worm to Deliver Yokai

🐍 IBM X-Force reports that China-aligned Mustang Panda is deploying a new USB worm, SnakeDisk, to propagate the Yokai backdoor against machines geolocated to Thailand. The actor also introduced updated TONESHELL variants (TONESHELL8/9) with proxy-aware C2 and parallel reverse shells. SnakeDisk abuses DLL side-loading and USB volume masquerading—moving user files into a subfolder and presenting a deceptive 'USB.exe' lure before restoring originals—to spread selectively on Thailand-based public IPs.

FinWise Insider Data Breach Affects 689K AFF Customers

🔒 FinWise Bank says a former employee accessed sensitive files after their employment ended, in a data security incident identified on May 31, 2024. The bank notified corporate partner American First Finance (AFF), which reported that data for 689,000 customers was affected. FinWise launched an external investigation, strengthened internal controls, and is offering 12 months of credit monitoring and identity theft protection to impacted individuals.

HybridPetya Resembles NotPetya and Adds UEFI Bootkit

🔒 ESET Research identified HybridPetya on VirusTotal in February 2025, with filenames implying a connection to the destructive NotPetya outbreak. The strain encrypts the NTFS Master File Table using Salsa20 and deploys a UEFI bootkit on the EFI System Partition to ensure firmware‑level persistence. One variant exploits CVE-2024-7344 to bypass UEFI Secure Boot via a signed but vulnerable Microsoft component, yet retains a working decryption mechanism for victims. Analysts found no signs of self-propagation like NotPetya, but the combination of pre-boot compromise and MFT encryption raises significant concern.

SEO Poisoning Targets Chinese Windows Users at Scale

🔍 Security researchers at FortiGuard Labs uncovered an SEO poisoning campaign that manipulated search results to steer Chinese-speaking Microsoft Windows users to spoofed download sites. Attackers registered lookalike domains and used subtle character substitutions to present compromised installers that bundled legitimate apps with hidden malware such as Hiddengh0st and Winos. The operation used a redirection script known as nice.js, anti-analysis checks in components like EnumW.dll, and persistence mechanisms including registry changes and TypeLib hijacking. FortiGuard warns the final payloads supported monitoring, keystroke and clipboard capture, Telegram interception, and cryptocurrency wallet theft.

Darknet Drug Shipping Ring Dismantled on German–Dutch Border

🚓 Law enforcement dismantled a darknet drug shipping operation across the German–Dutch border following an extensive IT-led investigation. Three men, aged 33, 39 and 40, are suspected of selling ecstasy and cocaine on darknet marketplaces and using border-area mailboxes to forward shipments into Germany. Searches of three residences and a boxing studio yielded multi-million-euro quantities of drugs, a firearm, five-figure cash, and numerous electronic devices that will now undergo forensic analysis.

Experts Say Scattered Spider 'Retirement' Is a Smokescreen

🕵️ Scattered Spider and roughly 15 affiliated ransomware and cybercrime groups posted a joint manifesto on BreachForums claiming to 'go dark' after recent arrests. Experts point to inconsistencies — an unlikely coalition, rapid timing, and no observed money‑movement — and call the announcement a likely smokescreen. They warn organizations not to lower their guard and to assume tactics and infrastructure remain active, taking immediate hardening steps.

Yurei Ransomware Uses Open-Source Tools for Extortion

🔒 A newly identified ransomware group called Yurei is conducting double-extortion attacks, encrypting files and exfiltrating sensitive data before demanding payment. First observed by Check Point Research on September 5, Yurei has targeted organizations in Sri Lanka, India and Nigeria and may have ties to Morocco. Built largely from open-source Prince-Ransomware code, the malware encrypts each file using per-file ChaCha20 keys protected with ECIES, appending a .Yurei extension, and attempts to provide a ransom page and .onion contact. Although the early variant omits some operational features (for example it fails to set a ransom wallpaper and does not remove Windows shadow copies), the group still threatens publication of stolen data to pressure victims.

Phishing Campaigns Deploy RMM Tools via Multiple Lures

🔒 New phishing campaigns are delivering remote monitoring and management (RMM) software by using multiple realistic lures, security firms warn. Attackers spoof browser updates, meeting software installers, party e-invites and government forms to trick victims into running installers for ITarian (Comodo), Atera, PDQ, SimpleHelp and ScreenConnect. Some campaigns host payloads on trusted services such as Cloudflare R2 and may install multiple RMM tools in quick succession. Analysts caution RMM compromise can lead to ransomware and data theft and recommend endpoint detection, approved-tool enforcement and enhanced network controls such as browser isolation.

FBI FLASH: UNC6040 and UNC6395 Target Salesforce

🔔 The FBI issued a FLASH advisory linking two threat clusters, UNC6040 and UNC6395, to intrusions of corporate Salesforce environments that resulted in data theft and extortion. Early campaigns relied on social engineering and malicious Data Loader OAuth apps to mass-exfiltrate Accounts and Contacts, while later activity used stolen Salesloft/Drift OAuth and refresh tokens to access support cases and harvest secrets. Multiple large enterprises were impacted and the FBI released IOCs to help organizations detect and mitigate compromise.

VoidProxy PhaaS Uses AitM to Target Microsoft, Google

🔒 VoidProxy is a newly observed phishing-as-a-service platform that leverages adversary-in-the-middle techniques to capture credentials, MFA codes, and session cookies from Microsoft 365 and Google accounts. Discovered by Okta Threat Intelligence, the service routes victims through shortened links and disposable domains protected by Cloudflare, serving CAPTCHAs and realistic login pages to selected targets. When credentials are entered, VoidProxy proxies requests to the real providers, records MFA responses, and extracts session cookies which are exposed in the platform admin panel for immediate abuse.

WhiteCobra Floods VSCode Market with Malicious Extensions

⚠️ A threat actor known as WhiteCobra has been publishing malicious VSIX extensions across VS Code Marketplace and OpenVSX, targeting users of VSCode, Cursor, and Windsurf with professionally crafted listings. The campaign comprises at least 24 identified extensions and remains active as the actor quickly re-uploads packages after takedown. Installed extensions execute a small loader that fetches platform-specific payloads; on Windows this chain leads to deployment of LummaStealer, while macOS builds execute a malicious Mach-O. Researchers warn that polished icons, forged descriptions, and inflated download counts were used to lend credibility and trick developers into installing the packages.

FBI Alerts on UNC6040 and UNC6395 Targeting Salesforce

⚠️ The FBI released IoCs linking two threat clusters, UNC6040 and UNC6395, to a series of data theft and extortion attacks that targeted organizations' Salesforce environments. UNC6395 exploited compromised OAuth tokens tied to the Salesloft Drift app after a March–June 2025 GitHub breach, prompting Salesloft to isolate Drift and take its AI chatbot offline. UNC6040, active since October 2024, used vishing, a modified Data Loader and custom Python scripts to hijack instances and exfiltrate bulk data, while extortion activity has been associated with actors using the ShinyHunters brand.

Deep Dive: Cloudflare's Sept 12 Dashboard and API Outage

⚠️ A bug in a dashboard React useEffect dependency caused an object to be recreated on every render, triggering repeated calls to the Tenant Service /organizations endpoint. Those excessive requests coincided with a Tenant Service deployment, overwhelming the service and breaking API authorization checks so many API requests returned 5xx errors and the Cloudflare dashboard became unavailable. Cloudflare mitigated the incident by scaling pods, applying a global rate limit, reverting a problematic patch, and applying a dashboard hotfix. They plan to prioritize Argo Rollouts for safer deployments, add randomized retry delays, increase Tenant Service capacity, and improve observability.

HybridPetya UEFI Bootkit Bypasses Secure Boot on PCs

🔒 HybridPetya is a newly identified UEFI bootkit that can bypass Secure Boot by exploiting CVE-2024-7344, enabling installation of malicious components into the EFI System Partition. ESET located a sample on VirusTotal and describes it as possibly a proof-of-concept, research project, or an early-stage criminal tool. The bootkit replaces the Windows bootloader, forces reboots to execute at startup, encrypts MFT clusters with Salsa20 while showing a fake CHKDSK, and then presents a ransom screen demanding a Bitcoin payment and a 32-character key to restore the bootloader and decrypt data.

Apple Alerts French Users to Fourth 2025 Spyware Campaign

🔔 Apple has notified users in France that devices linked to some iCloud accounts may have been compromised in a fourth spyware campaign this year, CERT-FR confirmed on September 3, 2025. The agency said the alerts target high-profile individuals — journalists, lawyers, activists, politicians and senior officials — and follow prior notices on March 5, April 29 and June 25. Recent disclosures also link WhatsApp and iOS vulnerabilities exploited in zero-click chains, while Apple’s Memory Integrity Enforcement aims to harden new iPhones against such memory-corruption attacks.