All news in category "Incidents and Data Breaches"

LNER Customer Data Exposed in Supplier Security Breach

🔒 LNER has alerted customers after a security breach at a third-party supplier exposed traveller contact details and some historical journey information. The operator says no banking, payment or password data were accessed and that ticketing and timetable systems were not impacted. LNER is urging passengers to be cautious of unsolicited communications and potential phishing attempts. The company has engaged the supplier and cybersecurity experts to investigate and strengthen safeguards.

Yurei Ransomware: Rapid Rise from Open-Source Code

🛡️ Yurei ransomware emerged on September 5, quickly claiming victims in Sri Lanka, India and Nigeria within its first week. The payload is largely copied from the open-source Prince-Ransomware project, illustrating how easily attackers can deploy commodity code. Although technical flaws allow partial recovery, Yurei focuses on data theft and public exposure to coerce payments. Early indicators point to links with Morocco, signaling a geographically shifting threat landscape.

Man Sentenced to 57 Months for Selling Pre‑Release Movies

🎬 A Tennessee man was sentenced to 57 months in prison after admitting he stole and sold ripped DVD and Blu-ray copies of unreleased blockbuster films. Steven R. Hale, 37, worked for a DVD/Blu-ray manufacturing and distribution company and sold pre-release discs through various e-commerce sites, returning about 1,160 discs as part of restitution. He also pleaded guilty to unlawful firearm possession. Prosecutors say the piracy caused tens of millions of dollars in losses.

Fileless AsyncRAT infection leverages in-memory loaders

🔍 Security researchers at LevelBlue Labs identified an open-source Remote Access Trojan, AsyncRAT, being deployed via a multi-stage, fileless in-memory loader that avoids writing executables to disk. Attackers gained initial access through a compromised ConnectWise ScreenConnect client, executing a VBScript which invoked PowerShell to fetch two staged .NET assemblies. The first-stage assembly decodes payloads into byte arrays and uses reflection to run the secondary assembly directly in memory, while operators disabled AMSI and tampered with ETW to evade runtime detection. Persistence was achieved with a scheduled task disguised as "Skype Update," and the RAT used an AES-256 encrypted configuration to connect to a DuckDNS-based C2.

France Alerts Apple Users to New Spyware Campaigns

🔔Apple has alerted some iCloud account holders to a newly identified spyware campaign that may have compromised at least one device tied to notified accounts. France’s national CERT (CERT-FR), run by ANSSI, published an advisory on 11 September after Apple issued notifications starting 3 September. CERT-FR urged recipients to contact the team immediately, retain the original Apple notification (from threat-notifications@email.apple.com or threat-notifications@apple.com), and avoid altering or restarting affected devices to preserve forensic evidence. The advisory reiterated basic and advanced risk-reduction steps including two-factor authentication, timely updates, enabling automatic updates, separating work and personal use, and activating Lockdown Mode.

Akira Ransomware Exploits Unpatched SonicWall VPNs

🚨 The Australian Cyber Security Centre has observed increased exploitation of SonicWall SSL VPNs by the Akira ransomware group, leveraging CVE-2024-40766. The vulnerability, patched over a year ago, affects SonicWall Gen 5 and Gen 6 appliances and Gen 7 devices running SonicOS 7.0.1-5035 and earlier. Organisations remain at risk if they did not both install firmware updates and immediately rotate administrative credentials after migration. Security vendors Rapid7 and Recorded Future report automated intrusions tied to this issue; operators are advised to patch, reset passwords, restrict VPN access and enable robust MFA.

Microsoft Probes Exchange Online Outage in North America

⚠️ Microsoft is investigating an ongoing Exchange Online outage across North America that is preventing users from accessing mailboxes via any Exchange Online connection method. Customers have reported issues for more than six hours on DownDetector, with sign-in and server connection failures affecting Teams, Outlook, and Hotmail. Microsoft says it is reviewing telemetry and applying changes to optimize affected mailbox infrastructure while the root cause is still under investigation.

Apple warns customers targeted by recent spyware attacks

🔔 Apple warned customers that their accounts were targeted in a series of mercenary spyware attacks, according to France's CERT‑FR. Notifications were issued on March 5, April 29, June 25 and September 3 and appear at the top of account.apple.com and via the email or phone linked to users' Apple IDs. The alerts indicate highly sophisticated campaigns often using zero‑day and zero‑click techniques, meaning at least one device tied to the account may be compromised. Apple recommends enabling Lockdown Mode and seeking rapid-response assistance through Access Now.

Panama Finance Ministry Reports Possible Ransomware Breach

🔒 The Panama Ministry of Economy and Finance (MEF) says a workstation may have been infected with malicious software; established security protocols were activated immediately and the incident has been contained. The ministry asserted that central systems and platforms remain unaffected, and that personal and institutional data are protected while preventive measures were reinforced. However, the INC Ransom group added MEF to its leak site on September 5, claiming to have stolen more than 1.5 TB of emails, financial records and budgeting files; MEF had not responded to requests for comment by publication.

Stark Industries Rebrands to Evade EU Sanctions, Persists

🔁 In May 2025 the EU sanctioned Moldova-based PQ Hosting and its owners, the Neculiti brothers, for alleged links to Kremlin hybrid warfare. Recorded Future and KrebsOnSecurity reporting show Stark Industries quickly rebranded to the[.]hosting under Dutch WorkTitans BV on 24 June 2025 while key address space and assets moved to PQ Hosting Plus S.R.L. Netherlands-based MIRhosting appears to host and manage the new entities, suggesting the sanctions achieved little lasting disruption.

Akira Ransomware Reuses Critical SonicWall SSLVPN Bug

🔒 The Akira ransomware gang is actively exploiting CVE-2024-40766 to target unpatched SonicWall SSL VPN endpoints and gain unauthorized network access. SonicWall released a patch in August 2024 and warned that exposed credentials could allow attackers to configure MFA or TOTP and bypass protections. Administrators should apply the vendor update, rotate local SSLVPN passwords, enforce MFA, mitigate Default Group risks, and restrict Virtual Office Portal access.

Fileless Malware Uses Legitimate Tools to Deploy AsyncRAT

🔍 Researchers uncovered a sophisticated fileless campaign that executes malicious code entirely in memory to deliver AsyncRAT. The attack began via a compromised ScreenConnect client and a VBScript that used WScript and PowerShell to download two payload blobs saved to C:\Users\Public\, which were never written as executables but loaded into memory via reflection. A .NET launcher (Obfuscator.dll) was used to orchestrate persistence, disable security logging and load the RAT, which exfiltrates credentials, browser artifacts and keystrokes.

Chinese APT Uses Fileless 'EggStreme' Against Military Firm

🔒 Bitdefender tracked a Chinese APT intrusion that used a novel, fileless framework dubbed EggStreme to compromise a Philippines-based military contractor. The multi-stage toolkit injects code directly into memory, leverages DLL sideloading and abuses legitimate Windows services for persistence, and delivers a gRPC-enabled backdoor, EggStremeAgent, with extensive reconnaissance and exfiltration capabilities. Bitdefender advises limiting use of high-risk binaries and deploying advanced detection and response to detect living-off-the-land operations and anomalous behavior.

Akira Exploits SonicWall SSL VPN Flaw and LDAP Settings

🔒 Rapid7 and SonicWall report a surge in intrusions tied to the Akira ransomware group exploiting a year-old SSL VPN vulnerability, CVE-2024-40766 (CVSS 9.3), and LDAP misconfigurations that retained local passwords during migrations. Attackers are brute-forcing credentials, abusing SonicWall's Virtual Office defaults to enable mMFA/TOTP, and using loaders like Bumblebee to deploy AdaptixC2 and persistent tools. SonicWall urges rotating local accounts, enabling Botnet Filtering and Account Lockout, enforcing MFA, restricting Virtual Office access, and reviewing LDAP default groups.

Three French Regional Healthcare Agencies Hit by Attack

🔒 Three French regional healthcare agencies (ARS) have reported similar cyber-attacks that exposed patients’ personal data held on regional systems. Preliminary investigations, announced on September 8, indicate attackers gained access by impersonating healthcare professionals and used those accounts to reach GRADeS-managed services such as Normand'e-Santé. Reported exposed PII includes full names, ages, phone numbers and email addresses, while the agencies say no clinical health records appear to have been compromised. Compromised accounts were disabled, additional protections deployed, potentially affected patients will be notified and incidents have been reported to CNIL.

Ukrainian Suspect Added to Europe's Most Wanted List

🔎 Volodymyr Tymoshchuk, a 28-year-old Ukrainian, has been placed on Europe’s most wanted list over alleged involvement in widespread LockerGoga, MegaCortex and Nefilim ransomware campaigns targeting hundreds of firms between 2018 and 2020. Europol and international partners tied him to high-profile incidents including the 2019 Norsk Hydro attack, which caused major operational disruption. The US has unsealed charges and an $11m reward is being offered for information leading to his arrest or conviction.

Malicious Browser Extensions Target Meta Advertisers

🔒 Researchers disclosed two coordinated campaigns that distribute fake browser extensions via malvertising and counterfeit sites to steal credentials, session tokens, and hijack Meta business accounts. Bitdefender documented ads pushing a fake "Meta Verified" add‑on named SocialMetrics Pro that harvests Facebook session cookies and exfiltrates them to a Telegram bot while also querying ipinfo[.]io for IP data. Cybereason described a separate campaign using counterfeit sites promoting a bogus Madgicx Plus platform and multiple rogue Chrome extensions that request broad site access, capture Google identity data, then pivot to Facebook to facilitate account takeover.

LNER Supply-Chain Breach Exposes Customer Contact Data

🔒 LNER has disclosed that an unauthorized third party accessed customer contact details and historical journey information via a compromised third-party supplier. No bank, payment card or password information was affected, the operator said, but warned that the data could be used in follow-on attacks. Security professionals advised customers to be cautious of unsolicited communications and recommended organisations strengthen third‑party data controls and identity protections.

AsyncRAT Delivery via ConnectWise ScreenConnect Abuse

⚠️ Cybersecurity researchers disclosed a campaign that abuses ConnectWise ScreenConnect remote sessions to deliver a fileless loader which ultimately executes the AsyncRAT remote-access trojan. Attackers use hands-on-keyboard activity to run a layered VBScript and PowerShell chain that loads obfuscated .NET assemblies and spawns AsyncClient.exe. Persistence is maintained via a scheduled task disguised as "Skype Updater," and stolen credentials, keystrokes, and wallet artifacts are exfiltrated to a DuckDNS command-and-control host.

Smashing Security #434: Whopper Hackers and AI Failures

🍔 In episode 434 of the award‑winning Smashing Security podcast, Graham Cluley and guest Lianne Potter examine two striking security stories: an ethical hack of Burger King that revealed drive‑thru audio recordings, hard‑coded passwords and an authentication bypass, and an alleged insider theft at xAI where a former engineer, after receiving $7 million, is accused of taking trade secrets. The hosts blend sharp analysis with irreverent commentary on operational security and human risk.