
All news in category “Incidents and Data Breaches”


Ex-Google Engineers Indicted for Trade Secret Theft

🔒 Three former Google engineers and one spouse were indicted in U.S. federal court for allegedly stealing trade secrets and transferring sensitive files, including materials related to Google's Tensor processor, to unauthorized locations reportedly including Iran. The defendants — Samaneh Ghandali, Mohammadjavad Khosravi and Soroor Ghandali — are accused of exfiltrating documents to third‑party channels, copying files to personal and employer devices, and concealing their actions. They were arrested in San Jose after Google detected suspicious activity and notified law enforcement; the indictment carries multiple counts, each exposing the defendants to substantial prison terms and fines.

Device-Code Phishing Uses OAuth to Bypass Microsoft 365

🔐 Researchers at KnowBe4 discovered a campaign aimed at North American businesses that tricks employees into entering a “Secure Authorization” code on a legitimate Microsoft 365 login page. Unbeknownst to the victims, the code actually authorizes an attacker-controlled device through the OAuth 2.0 Device Authorization Grant, issuing access and refresh tokens that grant persistent access to Outlook, Teams, OneDrive and other services. Recommended mitigations include allowlisting OAuth apps, disabling the device-code flow in Entra Conditional Access where feasible, auditing integrations, and ongoing employee awareness training.

Operation Red Card 2.0: 651 Arrests, $4.3M Recovered

🛡️ Operation Red Card 2.0, led by INTERPOL and law enforcement from 16 African nations between December 8, 2025 and January 30, 2026, targeted infrastructure and actors behind high-yield investment scams, mobile money fraud, and fraudulent loan apps. Authorities arrested 651 suspects, recovered over $4.3 million, confiscated 2,341 devices and disrupted 1,442 malicious IPs, domains and servers. The operation linked scams to more than $45 million in losses and identified 1,247 victims, underscoring the value of multinational cooperation against transnational cybercrime.

Industrial-Scale Fake Coretax Apps Drive $2M Fraud

🔍 Group-IB uncovered a sophisticated campaign that impersonated Indonesia’s official Coretax service to distribute malicious Android APKs, causing an estimated $1.5m–$2m in losses nationwide. Attackers combined phishing sites, WhatsApp impersonation and vishing to coerce victims into installing RATs such as Gigabud.RAT and MMRat, enabling remote access and unauthorized banking transfers. The operation produced 996 phishing URLs and 228 new malware samples, and used infrastructure that impersonated over 16 trusted brands, suggesting a scalable malware-as-a-service (MaaS) model.

INTERPOL's Operation Red Card 2.0: Coordinated Disruption

🚨 Operation Red Card 2.0 demonstrates how synchronized public‑ and private‑sector action can disrupt transnational fraud. Between December 2025 and January 2026, authorities across 16 African countries used shared intelligence and operational coordination to identify victims, arrest operators, seize devices, and dismantle malicious infrastructure. Fortinet supported the effort through data contributions and the Cybercrime Atlas, helping turn intelligence into enforcement outcomes.

Nigerian Hacker Sentenced to Eight Years for Tax Fraud

🔒 A Nigerian national, Matthew Abiodun Akande, was sentenced to eight years in prison after hacking multiple Massachusetts tax preparation firms and filing over 1,000 fraudulent tax returns seeking more than $8.1 million in refunds. Authorities say he stole clients' Social Security numbers and prior-year tax data by deploying the Warzone RAT masked with a crypter, and used convincing CEO-impersonation phishing messages with a Dropbox link to silently install malware. Akande was arrested in October 2024 at London’s Heathrow Airport, extradited to the U.S. in March 2025, and ordered to pay nearly $1.4 million in restitution plus three years of supervised release.

Device-Code Vishing Abuses Microsoft Entra OAuth Flow

📞 Threat actors are combining device-code phishing and voice-based social engineering to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Instead of malicious apps, attackers leverage legitimate Microsoft OAuth client IDs and the standard device login workflow so victims unknowingly produce valid tokens and complete MFA. Security researchers suspect the ShinyHunters extortion group is involved; administrators should audit and revoke suspicious consents, disable the device code flow when not needed, and enforce conditional access policies.

INTERPOL's Red Card 2.0: 651 Arrests in Africa Crackdown

🔍 A coordinated operation led by INTERPOL and the African Joint Operation against Cybercrime (AFJOC) arrested 651 suspects across 16 countries between December 8 and January 30. Authorities recovered over $4.3 million and identified 1,247 victims linked to schemes responsible for more than $45 million in losses. Investigators seized 2,341 devices, dismantled networks of fraudulent accounts and took down 1,442 malicious websites, domains, and servers.

Massiv Android Trojan Targets IPTV Users for DTO Attacks

🛡️ ThreatFabric has disclosed Massiv, a new Android trojan that impersonates IPTV apps to deliver device takeover (DTO) attacks aimed at financial theft. Distributed via SMS phishing droppers, Massiv abuses Android accessibility and MediaProjection APIs to stream screens, capture keystrokes and SMS, and deploy fake overlays that harvest banking credentials and KYC data. Operators have used stolen information to open accounts, launder money and remotely control infected devices while concealing malicious activity behind black-screen overlays.

Massiv Android banking malware disguises itself as an IPTV app

🔒 A new Android banking trojan called Massiv is being distributed as a fake IPTV application to harvest credentials, perform keylogging, and seize remote control of infected devices. Researchers at ThreatFabric observed campaigns that targeted a Portuguese government app integrated with Chave Móvel Digital, enabling fraudsters to bypass KYC checks and open accounts in victims' names. Massiv supports live screen streaming via Android's MediaProjection API and a UI-tree mode using the Accessibility Service to extract interface elements, click controls, and bypass screen-capture protections.

CRESCENTHARVEST Campaign Targets Iran Protest Supporters

🛡️ Acronis Threat Research Unit disclosed CRESCENTHARVEST, a campaign observed after January 9 that targets Farsi-speaking supporters of Iran's protests with a remote access trojan and information stealer. Attackers lure victims with protest-themed archives and double-extension .LNK shortcuts that run PowerShell to fetch a secondary ZIP while opening benign media. The payload sideloads DLLs via a Google-signed software_reporter_tool.exe, extracts Chrome app-bound keys, harvests browser and Telegram data, logs keystrokes, and communicates with a WinHTTP C2 at servicelog-information[.]com.

Notepad++ fixes harden updater, dramatically raising attacker cost

🔐 The author of Notepad++ says the recently released updates have hardened a previously compromised update mechanism so it is now effectively unexploitable. Releases from 8.8.9 through 8.9.2 add layered checks: the updater now verifies both the signed installer and the signed XML manifest with independent cryptographic signatures and aborts on any anomaly. The auto-updater was reinforced, though users can still opt out during installation. The developer warns no system is absolutely unbreakable, but the changes substantially raise attacker cost.

Chinese APT Exploited Dell RecoverPoint Zero-Day Flaw

🔒 Researchers report a China-linked APT exploited a previously unknown vulnerability in Dell RecoverPoint for Virtual Machines (CVE-2026-22769) to achieve unauthenticated root command execution by leveraging hardcoded Apache Tomcat Manager credentials. Google’s Mandiant traced compromises to UNC6201, which deployed web shells and backdoors including BRICKSTORM and the newer GRIMBOLT. Dell released a patch (6.0.3.1 HF1) and a remediation script; customers are urged to upgrade and isolate appliances behind segmented networks.

Citizen Lab: Cellebrite Used on Kenyan Activist's Phone

🔍 Citizen Lab identified indicators that Kenyan authorities used Cellebrite forensic extraction tools on the personal Samsung phone of pro-democracy activist Boniface Mwangi while it was held in police custody in July 2025. The researchers assessed with high confidence that the extraction occurred on or around July 20–21; the device was returned in September and was no longer password-protected. Such access could have enabled full extraction of messages, files, passwords and other sensitive data. The finding compounds other recent reports of commercial spyware and extraction-tool misuse against civil society.

Rapid Weaponization of SmarterMail Flaws via Telegram

🚨 Flare researchers observed rapid exploitation after the disclosure of the critical SmarterMail vulnerabilities CVE-2026-24423 and CVE-2026-23760. Within days, underground Telegram channels and cybercrime forums circulated proof-of-concept exploits, offensive tooling, and stolen administrator credentials, enabling mass scanning and automated compromise. CISA added CVE-2026-24423 to its Known Exploited Vulnerabilities (KEV) catalog. Organizations are urged to patch immediately, increase identity telemetry, and segment mail servers to limit lateral movement.

Microsoft anti-phishing rules mistakenly blocked URLs

⚠️ Microsoft says a software error in its email security system incorrectly flagged thousands of legitimate URLs as phishing links, preventing users from opening messages across Exchange Online and Teams. The issue, which began on February 5 and persisted until February 12, caused some emails to be quarantined and generated false "potentially malicious URL click" alerts for administrators. Microsoft traced the fault to a logic error in heuristic detection rules intended to catch credential phishing and said it will publish a final report after full remediation.

Cryptojacking Campaign Uses Signed Driver to Boost Monero

🛡️ Trellix uncovered a multi-stage cryptojacking campaign that spreads via pirated software installers and deploys a customized XMRig miner alongside a stateful controller. The dropper installs a primary Explorer.exe controller and multiple watchdog processes for persistence, with a hardcoded expiry of December 23, 2025. Attackers load a signed vulnerable driver (WinRing0x64.sys/CVE-2020-14979) to gain kernel access and disable CPU prefetchers, boosting Monero RandomX performance by an estimated 15–50%. Researchers observed connections to the Kryptex pool and recommend enabling Microsoft's vulnerable driver blocklist, restricting USB access and blocking known mining pool traffic.

Data Breach at Fintech Figure Exposes Nearly 1 Million

🔒 Figure Technology Solutions confirmed a social engineering breach that exposed personal and contact data for 967,200 accounts. Notification service Have I Been Pwned reported files posted in February 2026 containing unique email addresses, names, phone numbers, physical addresses and dates of birth, with the data dating back to January 2026. The extortion group ShinyHunters claimed responsibility and posted roughly 2.5 GB of alleged loan applicant data.

Keenadu Preinstalled Android Malware Compromises Firmware

⚠️ Kaspersky researchers have uncovered Keenadu, a multifaceted Android malware family that can be embedded in device firmware and run with system-level privileges from first boot. Detected on more than 13,000 devices across multiple countries, the backdoor impersonates legitimate system components (including face-unlock and home-screen apps) and can infect other apps, install APKs, and harvest sensitive data. It may remain dormant under certain locales and cannot be easily removed with standard user tools. Kaspersky recommends checking for firmware updates, running security scans, disabling suspect apps, and coordinating with vendors to address supply chain integrity.

Record Year for Ransomware Victims as AI Lowers Barrier

🔒 Searchlight Cyber's report found a 30% year-on-year increase in ransomware victims listed on extortion sites in 2025, recording 7,458 incidents split almost evenly between the two halves of the year. The number of active groups reached a record 124, with 73 newly observed, and the firm warned that AI is lowering the barrier to entry by aiding social engineering, data analysis and malware refinement. The report urged organizations to address insider risk, patching, MFA and compromised accounts to reduce exposure.