All news in category "Incidents and Data Breaches"

Analyzing ClickFix: A Rising Click-to-Execute Threat

🛡️ Microsoft Threat Intelligence and Microsoft Defender Experts describe the ClickFix social engineering technique, where attackers trick users into copying and pasting commands that execute malicious payloads. Observed since early 2024 and active through 2025, these campaigns deliver infostealers, RATs, loaders, and rootkits that target Windows and macOS devices. Lures arrive via phishing, malvertising, and compromised sites and often impersonate legitimate services or CAPTCHA verifications. Organizations should rely on user education, device hardening, and Microsoft Defender XDR layered protections to detect and block ClickFix activity.

Phishing Campaign Targets Ledger Users with Fake Update

🔒 A sophisticated phishing campaign impersonating Ledger targets Nano X and Nano S Plus users with an urgent fake firmware update notice. The email claims fragments of private keys were leaked and urges immediate action, but the sender and update domains are not affiliated with Ledger. A professionally designed scam site hosted on an unrelated domain uses a support chat to coax victims into entering their seed phrase, which grants full wallet access. Organizations and individuals should treat unsolicited firmware alerts cautiously and use trained security controls and awareness to avoid compromise.

Threat Actors Abuse SDKs to Sell Victim Bandwidth Stealthily

🔍 Unit 42 observed a campaign exploiting CVE-2024-36401 in GeoServer to remotely deploy legitimate SDKs or apps that sell victims' internet bandwidth. The attackers leverage JXPath evaluation to achieve RCE across multiple GeoServer endpoints, then install lightweight binaries that operate quietly to monetize unused network capacity. This approach often uses unmodified vendor SDKs to maximize stealth and persistence while avoiding traditional malware indicators.

Scattered Spider Member Sentenced to 10 Years in US

🔒 Noah Michael Urban, a 20-year-old member of the Scattered Spider cybercrime gang, was sentenced to 120 months in federal prison after pleading guilty to wire fraud and aggravated identity theft in April 2025. The court also ordered $13 million in restitution and three years of supervised release; Urban called the sentence unjust. Prosecutors say Urban and co-conspirators used SIM swapping and social engineering between August 2022 and March 2023 to steal at least $800,000 and hijack cryptocurrency accounts. His case is part of broader DoJ actions against Scattered Spider as the group forges alliances with other criminal collectives.

MURKY PANDA: Trusted-Relationship Cloud Threats and TTPs

🔒 Since late 2024 CrowdStrike's Counter Adversary Operations has tracked MURKY PANDA, a China‑nexus actor targeting government, technology, academic, legal and professional services in North America. The group exploits internet‑facing appliances, rapidly weaponizes n‑day and zero‑day flaws, and deploys web shells (including Neo‑reGeorg) and the Golang RAT CloudedHope. CrowdStrike recommends auditing Entra ID service principals and activity, enabling Microsoft Graph logging, hunting for anomalous service principal sign‑ins, prioritizing patching of cloud and edge devices, and leveraging Falcon detection and SIEM capabilities.

SIM-Swapper Scattered Spider Hacker Sentenced 10 Years

🔒 A 20-year-old Florida man, Noah Michael Urban, was sentenced to 10 years in federal prison and ordered to pay about $13 million in restitution after pleading guilty to wire fraud and conspiracy. Prosecutors say Urban acted with members of Scattered Spider, using SIM-swapping and SMS phishing to divert calls and one-time codes and to phish employees into fake Okta pages. The campaign compromised access at more than 130 firms and enabled thefts of proprietary data and millions in cryptocurrency.

Smashing Security Podcast 431: Cloud Bill Fraud & EDR Risks

🛡️ In episode 431 of the Smashing Security podcast, Graham Cluley and guest Allan Liska examine a high-profile cloud-billing fraud in which a crypto influencer calling himself CP3O racked up millions in unpaid cloud costs through cryptomining schemes. They also highlight the growing threat of EDR‑killer tools that can silently disable endpoint protection to aid attackers. The show includes lighter segments on the Internet Archive’s Wayforward Machine and a visit to Mary Shelley’s grave, and carries a content warning for mature language and themes.

Warlock Ransomware: Emerging Threat Targeting Services

⚠️ Warlock is a ransomware operation that emerged in 2025 and uses double extortion — encrypting systems and threatening to publish stolen data to coerce payment. The group has targeted government agencies and critical service providers across Europe, and on August 12 a cyber incident disrupted UK telecom Colt Technology Services, with an alleged auction of one million stolen documents. Security analysts link recent intrusions to exploitation of the SharePoint vulnerability CVE-2025-53770, which Microsoft says is actively exploited; Microsoft has published analysis and urges immediate patching. Recommended mitigations include enforcing multi‑factor authentication, keeping security tools and software patched, maintaining secure off‑site backups, reducing attack surface, encrypting sensitive data, and educating staff on phishing and social engineering.

Static Tundra: Russian State Actor Targets Cisco Devices

🔒 Cisco Talos identifies the threat cluster Static Tundra as a long-running, Russian state-sponsored actor that compromises unpatched and end-of-life Cisco networking devices to support espionage operations. The group aggressively exploits CVE-2018-0171 and leverages weak SNMP community strings to enable local TFTP retrieval of startup and running configurations, often exposing credentials and monitoring data. Talos also observed persistent firmware implants, notably SYNful Knock, and recommends immediate patching or disabling Smart Install, strengthening authentication, and implementing configuration auditing and network monitoring to detect exfiltration and implanted code.

Falcon Stops COOKIE SPIDER's SHAMOS macOS Delivery

🔒 Between June and August 2025, the CrowdStrike Falcon platform blocked a widespread malware campaign that attempted to compromise more than 300 customer environments. The campaign, operated by COOKIE SPIDER and renting the SHAMOS stealer (an AMOS variant), used malvertising and malicious one-line install commands to bypass Gatekeeper and drop a Mach-O executable. Falcon detections—machine learning, IOA behavior rules and threat prevention—prevented SHAMOS at download, execution and exfiltration stages. CrowdStrike published hunting queries, mitigation guidance and IOCs including domains, a spoofed GitHub repo and multiple script and Mach-O hashes.

Oregon Man Charged Over Rapper Bot DDoS Service Probe

🔒 Federal agents arrested 22‑year‑old Ethan J. Foltz of Springfield, Ore., on Aug. 6, 2025, on suspicion of operating Rapper Bot, a global IoT botnet rented to extortionists for DDoS attacks. The complaint alleges Rapper Bot routinely generated attacks exceeding 2 terabits per second and at times surpassed 6 Tbps, including an attack tied to intermittent outages on Twitter/X. Investigators traced control infrastructure and payments through an ISP subpoena, PayPal records and Google data, recovered Telegram chats with a co‑conspirator known as 'Slaykings,' and say Foltz wiped logs regularly to hinder attribution. He faces one count of aiding and abetting computer intrusions, carrying a maximum statutory term of 10 years.

Dutch prosecution hack disables multiple speed cameras

⚠️ The Netherlands' Public Prosecution Service (Openbaar Ministerie) disconnected its networks on July 17 after suspecting attackers had exploited Citrix device vulnerabilities, leaving several fixed, average and portable speed cameras unable to record offences. Internal email remained available, but external communications and documents required printing and postal delivery. Regulators including the National Cybersecurity Centre were informed, and prosecutors warned that ongoing downtime will delay cases and hamper road-safety enforcement while systems remain offline.

Dissecting PipeMagic: Architecture of a Modular Backdoor

🔍 Microsoft Threat Intelligence details PipeMagic, a modular backdoor used by Storm-2460 that masquerades as an open-source ChatGPT Desktop Application. The malware is deployed via an in-memory MSBuild dropper and leverages named pipes and doubly linked lists to stage, self-update, and execute encrypted payload modules delivered from a TCP C2. Analysts observed exploitation of CVE-2025-29824 for privilege escalation followed by ransomware deployment, with victims across IT, finance, and real estate in multiple regions. The report includes selected IoCs, Defender detections, and mitigation guidance to help defenders detect and respond.

Mobile Phishers Target Brokerage Accounts in Ramp-and-Dump

📈 Cybercriminals selling advanced mobile phishing kits have shifted from converting stolen cards into mobile wallets to hijacking brokerage accounts for a coordinated ramp and dump scheme that inflates and then collapses foreign and penny stock prices. Vendors such as Outsider (aka Chenlun) offer templates that spoof brokers via iMessage and RCS to harvest logins and SMS one-time codes. Operators use banks of phones and human handlers to preposition, trade, and liquidate positions, leaving victims with worthless shares while brokers and regulators contend with the fallout.

UAT-7237 Targets Taiwanese Web Hosting Infrastructure

🔍 Cisco Talos describes UAT-7237, a Chinese‑speaking APT active since 2022 that compromised a Taiwanese web hosting provider to establish long‑term persistence. The actor relies largely on open‑source tooling, customized utilities and a tailored shellcode loader tracked as SoundBill, which can decode and execute Cobalt Strike beacons. UAT-7237 favors SoftEther VPN and RDP for access rather than mass web‑shell deployment. Talos provides IOCs and mitigation guidance for detection and blocking.

Donut Shellcode: End-to-End Malware Analysis Tutorial

🧩 This Unit 42 tutorial walks analysts through a complete infection chain that uses Donut-generated shellcode, showing how a small position-independent routine computes its own base address via a call/pop/sub pattern and how that base drives payload offsets. The authors use step-by-step static and dynamic analysis with IDA Pro, x64dbg, dnSpy, and ProcessHacker to validate findings. Readers are shown common techniques such as dynamic API resolution, process injection, and AMSI bypass through memory patching, and are directed to a full PDF on the authors' GitHub for the complete walkthrough.

Defending Against SCATTERED SPIDER with Falcon SIEM

🔒 Falcon Next-Gen SIEM provides real-time, cross-domain detection to help organizations detect and respond to the identity-centric eCrime group SCATTERED SPIDER. The platform correlates identity, cloud, SaaS, network and email telemetry, offering out-of-the-box rule templates for phishing, MFA fatigue, suspicious SSO events and exfiltration. CrowdStrike recommends comprehensive log ingestion and tuning of these templates to improve detection and response across the full attack lifecycle.

MedusaLocker RaaS Recruits Penetration Testers Globally

🔒 MedusaLocker, a ransomware-as-a-service (RaaS) group active since 2019, has posted a dark web job advert openly recruiting penetration testers and insiders who already have direct access to corporate networks. The advert explicitly instructs applicants not to apply unless they possess network access, signalling a preference for initial access brokers and company insiders. CISA previously linked MedusaLocker to exploitation of RDP vulnerabilities, and the group’s tactic highlights the blurred line between legitimate pentesting and criminal activity. Organisations should prioritise layered defenses, authorised penetration testing, and strict controls over remote access and privileged accounts.

Analyzing organizational traffic to Leakzone forum

🔍 UpGuard examined a leaked Elastic index containing 22 million client requests to Leakzone.net covering 28 days in June–July 2025. By mapping source IP metadata to known organizations, investigators identified traffic originating from universities, government networks, and private companies, including security vendors and large technology firms. Traffic patterns ranged from steady, automated scanning from services like Censys and SEMRush to bursty, human-like spikes from university and government networks, but the logs do not include request content, so intent remains uncertain.

Malvertising Campaign Delivers PS1Bot Multi-Stage Malware

🔍 Cisco Talos reports an active malvertising campaign delivering a multi-stage PowerShell/C# malware framework dubbed PS1Bot. The modular framework executes modules in-memory to minimize artifacts and supports information theft, keylogging, screenshot capture and cryptocurrency wallet exfiltration. Delivery begins with SEO-poisoning archives containing a downloader that writes a polling PowerShell script to C:\ProgramData and executes received code with Invoke-Expression.