
All news in category “Incidents and Data Breaches”

2724 articles · page 51 of 137

Chinese UNC3886 Cyberspies Breach Singapore Telcos

🔒 Singapore's Cyber Security Agency says China-linked threat actor UNC3886 breached the country's four largest telcos — Singtel, StarHub, M1, and Simba — at least once last year, gaining limited access to critical systems but failing to disrupt services or exfiltrate confirmed customer data. Investigators found a zero-day used to bypass perimeter firewalls and rootkits employed for stealth and persistence. The government launched Operation Cyber Guardian, mobilized multiple agencies, and contained the intrusions while increasing monitoring across critical sectors.

Warlock Ransomware Breach Through SmarterMail Flaw

🔒 SmarterTools confirmed that the Warlock ransomware group breached its network after exploiting an authentication-bypass flaw in a single, unpatched SmarterMail VM (CVE-2026-23760) on January 29, allowing attackers to reset admin passwords and obtain full privileges. The intrusion led to compromise of 12 Windows servers in the company’s office network and a secondary data center used for testing and hosting, while the company’s Linux infrastructure was not affected. Security tooling, including SentinelOne, blocked the final encryption payload, impacted systems were isolated, and data was restored from backups; SmarterTools urges administrators to upgrade to Build 9511 or later.

China-linked UNC3886 Targets Singapore Telecoms Systems

🛡️ Singapore's Cyber Security Agency (CSA) disclosed that the China-linked espionage group UNC3886 executed a deliberate, targeted campaign against the nation's telecommunications sector, naming M1, SIMBA Telecom, Singtel and StarHub as targets. The agency said the actor used sophisticated tools, including a weaponized zero-day and kernel-level rootkits, to gain unauthorized access to portions of telco networks. CSA reported no evidence of customer personal data exfiltration or service disruption and said a defensive operation called CYBER GUARDIAN has closed the group's access points and expanded monitoring across affected operators.

Two Connecticut Men Indicted in $3M Online Gambling Fraud

🎰 Two Connecticut residents, Amitoj Kapoor and Siddharth Lillaney, were federally indicted on 45 counts alleging a wide-ranging identity theft and gambling fraud scheme that generated about $3 million in illicit profits. Prosecutors say the men bought PII for roughly 3,000 victims on darknet markets and Telegram, used background-check services to pass verifications, and opened fraudulent accounts on FanDuel, DraftKings and BetMGM. Winnings were routed through virtual stored-value cards and then moved into accounts controlled by the defendants. Both were released on $300,000 bonds; the charges remain allegations.

SolarWinds Web Help Desk RCE Used in Multi‑Stage Attacks

🔒 Microsoft reported a multi-stage intrusion that exploited internet‑exposed SolarWinds Web Help Desk instances to gain unauthenticated remote code execution and lateral access. Exploitation spawned PowerShell which used BITS to download payloads, and attackers deployed legitimate Zoho ManageEngine components to maintain persistent remote control. They enumerated domain users, established reverse SSH and RDP persistence, performed DLL side‑loading to dump LSASS, and in at least one case executed a DCSync. Organizations are advised to patch WHD, remove unauthorized RMM tools, rotate service and admin credentials, and isolate compromised systems.

UNC1069 Targets Cryptocurrency with AI-Enabled Lures

🔒 Mandiant links a targeted intrusion to UNC1069 that leveraged AI-enabled social engineering to compromise a cryptocurrency executive and deploy multiple macOS malware families. The attacker used a hijacked Telegram account, a spoofed Zoom meeting allegedly featuring a deepfake video, and a ClickFix paste-and-execute ruse to trick the victim into running troubleshooting commands. The operation dropped WAVESHAPER, HYPERCALL, HIDDENCALL, SUGARLOADER, DEEPBREATH, CHROMEPUSH, and SILENCELIFT to harvest credentials, browser data, and session tokens. GTIG and Mandiant highlight UNC1069's expanding use of GenAI for lures and tooling.

Weekly Cyber Recap: AI Skill Risks and Massive DDoS

🔐 This week's briefing highlights attackers abusing trust across AI agents, update channels, and developer ecosystems. OpenClaw announced a partnership with VirusTotal to scan ClawHub skills after researchers discovered malicious packages and explosive typosquatting growth. High‑impact incidents include a 31.4 Tbps AISURU DDoS, a Notepad++ updater compromise delivering the Chrysalis backdoor, and an RCE in Docker's Ask Gordon AI assistant. Security teams should prioritize update integrity, supply‑chain controls, and agentic AI hygiene.

DKnife AitM Framework Compromises Network Gateways

🛡️ Cisco Talos discovered DKnife, a modular AitM framework operating on Linux-based network gateways since at least 2019 and active into early 2026. Deployed at the edge rather than endpoints, it performs deep packet inspection, credential interception, and selective traffic manipulation. Operators use it to hijack software and app updates to deliver ShadowPad and DarkNimbus payloads, and to perform DNS and binary replacement attacks.

Men Charged in $3M FanDuel Fraud Using 3,000 Stolen IDs

🔍 Two Connecticut men were indicted for an alleged scheme that used about 3,000 stolen identities to defraud online gambling platforms, including FanDuel, of roughly $3 million. Prosecutors say Amitoj Kapoor and Siddharth Lillaney purchased PII on darknet markets and Telegram, maintained a spreadsheet called "Tracker.xlsx", and used services like TruthFinder and BeenVerified to pass verification. The indictment charges multiple counts including wire and identity fraud, aggravated identity theft, and money laundering; both were arrested and released on $300,000 bond.

BridgePay Confirms Ransomware Caused System-wide Outage

🔒 BridgePay Network Solutions has confirmed a ransomware attack triggered a system-wide IT outage, according to security alerts published on February 6. Initial forensic work indicates no payment card data appears to have been compromised and that any accessed files were encrypted. The company said it is working with cybersecurity specialists, the FBI and the US Secret Service and that recovery may be lengthy; it will provide regular updates to affected customers and partners.

Bloody Wolf Uses NetSupport RAT to Target Uzbekistan, Russia

🛡️ Kaspersky says the threat actor tracked as Stan Ghouls (also referred to as Bloody Wolf) has conducted spear‑phishing operations to deliver NetSupport RAT to systems in Uzbekistan and Russia. Malicious PDFs embed links that download a loader which displays fake errors, limits installation attempts, retrieves the RAT from multiple domains and ensures persistence through Startup items, a Registry autorun entry and a scheduled task. Kaspersky estimates roughly 50 victims in Uzbekistan and 10 in Russia, with additional infections in Kazakhstan, Turkey, Serbia and Belarus. The vendor also discovered Mirai botnet payloads staged on infrastructure associated with the actor, raising concerns about an expanded IoT targeting capability.

European Commission: Mobile Management Platform Breach

🔒 The European Commission is investigating a breach after detecting traces of a cyberattack against its mobile device management platform on 30 January. The incident may have exposed some staff names and mobile numbers, but investigators say there is no evidence that individual mobile devices were compromised. The Commission says the affected system was contained and cleaned within nine hours. The activity is believed to be linked to exploitation of Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities.

TeamPCP Worm Targets Cloud Native Infrastructure at Scale

🚨 Researchers warn of a massive, worm-driven campaign by TeamPCP that began around December 25, 2025, systematically compromising cloud-native environments. The group abused exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and a critical React2Shell vulnerability (CVE-2025-55182) to deploy proxy, scanning, and C2 infrastructure. Compromised hosts are used for persistence, data exfiltration, extortion, crypto-mining, and proxy/C2 relays, with tooling tailored to Kubernetes and AWS/Azure deployments.

Authorities Warn of Signal Hijacks Targeting German Officials

🔐 German security agencies warn of an active campaign targeting high‑ranking politicians, soldiers, diplomats and journalists by seizing their Signal accounts. Attackers impersonate support teams to request secret PINs or trick users into approving device pairing via QR codes, then move the account to a number they control. No malware or software vulnerabilities are involved; the campaign relies on social engineering. Authorities note similar methods could be used against WhatsApp, and stress that official support will never request PINs via message.

State-Linked 'Shadow Campaigns' Target 155 Countries

🕵️‍♂️ Palo Alto Networks' Unit 42 reports a state-sponsored threat actor tracked as TGR-STA-1030/UNC6619 has run global-scale "Shadow Campaigns," compromising at least 70 government and critical infrastructure organizations across 37 countries and conducting reconnaissance tied to 155 countries. The actor has been active since at least January 2024 and is assessed to operate from Asia. Initial access combined tailored phishing lures hosted on Mega.nz with exploitation of known flaws in SAP Solution Manager, Microsoft Exchange, D-Link, and Windows to deploy loaders such as Diaoyu. Victim environments were instrumented with Cobalt Strike, webshells, tunneling tools, and a bespoke Linux eBPF rootkit named ShadowGuard to hide activity and evade detection.

Fake Dubai Crown Prince Traced to Nigerian Mansion

🔎 A detailed investigation by OCCRP traced a romance scammer who impersonated the Crown Prince of Dubai and defrauded a Romanian businesswoman of more than US $2.5 million. Over two years the con combined thousands of messages, staged in-person meetings, and an elaborate fake banking site showing a phantom £200 million balance. Photographs and bank-trace evidence led reporters and UK police to identify intermediaries and to locate the suspect at a mansion in Abuja, Nigeria. The case underscores the sophistication and international reach of modern romance and investment scams.

German Agencies Warn of Signal Phishing Targeting Elites

🔒 Germany's Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) have issued a joint advisory about a likely state‑sponsored phishing campaign that abuses Signal's legitimate features to seize accounts. Threat actors impersonate "Signal Support" or a "Signal Security ChatBot" to solicit SMS PINs or trick victims into scanning QR codes, enabling account registration on attacker‑controlled devices or silent device linking. Authorities recommend enabling Registration Lock, avoiding sharing verification codes, and routinely reviewing linked devices; the same methods can be applied to WhatsApp.

BridgePay Confirms Ransomware Knocked Payment Systems

🔒 BridgePay Network Solutions confirmed a ransomware incident that took multiple payment systems offline, triggering a nationwide outage. The company says it has engaged federal law enforcement, including the FBI and U.S. Secret Service, and retained external forensic and recovery teams. Initial forensics report that no payment card data was compromised; files were encrypted, and restoration is ongoing with no ETA.

Bruce Schneier Mentioned Incidentally in the Epstein Files

📝 Bruce Schneier reports that his name appears only incidentally in the Epstein files. He recounts a 2016 email from someone identified as “Vincenzo lozzo” addressing DDoS attacks and dismissing Schneier’s commentary as dramatizing and misunderstanding. He also notes a separate incidental mention of a Rabbi Schneier. Schneier emphasizes these mentions do not indicate any connection or wrongdoing.

Substack Confirms Breach Exposed Emails and Phones to Users

🔒 Substack has confirmed a security incident in which an unauthorized third party accessed limited user information, including email addresses, phone numbers and other internal metadata. CEO Chris Best said the company detected evidence of the issue on February 3 and notified some users on February 5, saying the data collection occurred in October 2025. Substack stated that no financial data or passwords were accessed, that the vulnerability has been fixed, and that a full investigation is underway.