All news in category "Incidents and Data Breaches"

Backdoor Weakness Found in TETRA Radio Encryption Standard

🔒 Security researchers from Midnight Blue have disclosed a critical weakness in an ETSI-endorsed TETRA end-to-end encryption implementation used in professional radios. After extracting and reverse-engineering a Sepura device, they found the E2EE algorithm compresses a 128-bit key to an effective 56 bits before encryption, drastically weakening confidentiality. The behavior looks like an intentional backdoor, and it is unclear which organizations use the vulnerable implementation or whether operators are aware of the risk.

ShadowCaptcha Exploits WordPress Sites to Spread Malware

🔒 ShadowCaptcha is a large-scale campaign abusing over 100 compromised WordPress sites to push visitors to fake Cloudflare or Google CAPTCHA pages using the ClickFix social‑engineering lure. Injected JavaScript initiates redirection chains, employs anti‑debug techniques, and silently copies commands to the clipboard to coerce users into running built‑in Windows tools or saving and executing HTA files. Attackers weaponize LOLBins and DLL side‑loading to deliver installers and payloads — observed outcomes include credential stealers (Lumma, Rhadamanthys), Epsilon Red ransomware, and XMRig cryptocurrency miners — with some miner variants fetching configs from Pastebin and dropping a vulnerable driver (WinRing0x64.sys) to seek kernel access. Affected sites span multiple countries and sectors, underscoring the importance of timely WordPress hardening, network segmentation, user training, and MFA.

Maryland Transit Authority Confirms Cyber Incident

🚨 The Maryland Transit Administration (MTA) reported on August 24 that it is investigating a cyber incident involving unauthorized access to specific systems. Most core services, including Local Bus, Metro Subway, Light Rail, MARC and Commuter Bus, remain on schedule, but some functions are disrupted. Affected services include Mobility Paratransit new bookings and rescheduling, MTA real-time updates and call center support, and Baltimore Metro elevator phones, and the agency is working with the Maryland Department of Information Technology, third-party cybersecurity experts and law enforcement to investigate and remediate the issue.

HOOK Android Trojan Adds Ransomware Overlays, Expands

🔒 Cybersecurity researchers at Zimperium zLabs have identified a new HOOK Android banking trojan variant that deploys full-screen ransomware-style overlays to extort victims. The overlay is remotely triggered via the command "ransome" and displays a warning, wallet address and amount, and can be dismissed by the attacker with "delete_ransome". An offshoot of ERMAC, the latest HOOK builds on banking malware techniques and now supports 107 remote commands, introducing transparent gesture-capture overlays, fake NFC and payment screens, and deceptive unlock prompts to harvest credentials and crypto recovery phrases.

Ransomware Disrupts Operations at Data I/O Manufacturer

🔒 Data I/O, a US-based provider of programming solutions for Flash devices, disclosed a ransomware incident on 16 August that forced it to take platforms offline and deploy mitigations. The company said operations including communications, shipping, manufacturing and support functions were temporarily impacted while it restores systems. Costs for remediation and contractor fees are reasonably likely to affect finances. Major customers include Tesla, Panasonic, Amazon, Google and Microsoft.

UNC6384 Uses Captive Portal Hijacks to Deploy PlugX

🔐 Google’s Threat Intelligence Group (GTIG) detected a March 2025 campaign attributed to UNC6384 that uses captive-portal hijacks to deliver a digitally signed downloader called STATICPLUGIN. The downloader (observed as AdobePlugins.exe) retrieves an MSI and, via DLL sideloading through Canon’s IJ Printer Assistant Tool, stages a PlugX variant tracked as SOGU.SEC entirely in memory. Operators used valid TLS and GlobalSign-signed certificates issued to Chengdu Nuoxin Times Technology Co., Ltd, aiding evasion while targeting diplomats and other entities.

Phishing Campaign Uses UpCrypter to Deploy RATs Globally

📧 Fortinet FortiGuard Labs has observed a phishing campaign using fake voicemail and purchase-order lures to direct victims to convincing landing pages that prompt downloads of JavaScript droppers. The droppers retrieve the UpCrypter loader, which conducts anti-analysis and sandbox checks before fetching final payloads, including various RATs such as PureHVNC, DCRat and Babylon. Attacks since August 2025 have targeted manufacturing, technology, healthcare, construction and retail/hospitality across multiple countries; defenders are urged to block malicious URLs, strengthen email authentication, and monitor anomalous M365 activity.

Deception in Depth: UNC6384 Hijacks Web Traffic Globally

🛡️ In March 2025, Google Threat Intelligence Group identified a complex espionage campaign attributed to the PRC‑nexus actor UNC6384 that targeted diplomats in Southeast Asia and other global entities. The attackers hijacked web traffic via a captive‑portal and AitM redirect to deliver a digitally signed downloader tracked as STATICPLUGIN, which retrieved a disguised MSI and staged an in‑memory deployment of the SOGU.SEC backdoor (PlugX). The operation abused valid code‑signing certificates, DLL side‑loading via a novel launcher CANONSTAGER, and indirect execution techniques to evade detection. Google issued alerts, added IOCs to Safe Browsing, and recommends enabling Enhanced Safe Browsing, applying updates, and enforcing 2‑Step Verification.

Fake macOS Help Sites Spread SHAMOS Infostealer via Ads

🔒 CrowdStrike disrupted a malvertising campaign that redirected users to counterfeit macOS help pages and urged them to run a malicious one-line installation command. Observed between June and August 2025, the operation sought to deliver the SHAMOS variant of the Atomic macOS Stealer (AMOS), a Mach-O binary distributed by MaaS operator Cookie Spider. The installer decoded a Base64 string, executed a Bash script that captured credentials and fetched the payload from icloudservers[.]com.

Chinese Developer Jailed for Deploying Malicious Code

⚖️ A software developer was sentenced to four years in prison after deploying malicious code inside his US employer's network, the Department of Justice said. The defendant, identified as Davis Lu, introduced infinite-loop logic, deleted coworker profile files and implemented a credential-dependent kill-switch that locked out thousands of users in September 2019. The sabotage followed a corporate realignment that reduced his access; investigators found deleted encrypted data and internet searches showing intent to escalate privileges and rapidly delete files while obstructing remediation.

Phishing Campaign Exploits Google Classroom: 115K Emails

📚 Check Point researchers uncovered a large-scale phishing campaign that abused Google Classroom to deliver more than 115,000 malicious emails in five coordinated waves over a single week. Attackers used fake classroom invitations carrying unrelated commercial offers to trick recipients across Europe, North America, the Middle East and Asia. The campaign targeted roughly 13,500 organizations and highlights risks when trusted collaboration tools are weaponized.

Major Corporation Uses '123456' for Critical Access

🔒 McDonald's reportedly configured a major corporate system with the password 123456, illustrating a glaring failure in basic security hygiene. That weak credential makes systems trivially susceptible to brute-force and credential-stuffing attacks and indicates lax oversight of password policies, privileged accounts, and access controls. Immediate remediation should include forcing password rotation, deploying multi-factor authentication, implementing centralized secrets management, and auditing privileged access.

Transparent Tribe Targets Indian Govt with Shortcut Malware

🔒 Transparent Tribe (APT36) has been observed delivering weaponized desktop shortcut files to compromise both Windows and BOSS Linux systems at Indian government organizations. Reports from CYFIRMA, CloudSEK, Hunt.io, and Nextron Systems describe Go-based droppers, hex-encoded ELF payloads, and cron-based persistence. The campaign uses spear-phishing lures and typo-squatted domains with decoy PDFs to harvest credentials and target Kavach two-factor authentication, while deploying backdoors such as Poseidon and MeshAgent to maintain long-term access.

Yemen Cyber Army Hacker Jailed for Massive Data Theft

🔒 A 26-year-old man, Al-Tahery Al-Mashriky, has been jailed after UK National Crime Agency investigators linked him to the Yemen Cyber Army and uncovered evidence of widespread website breaches. Arrested in August 2022 in Rotherham, he defaced and compromised sites across North America, Yemen and Israel, including government and faith organisations. Forensically seized devices contained personal data, account credentials and other files that could facilitate fraud; he pleaded guilty and was sentenced to 20 months in prison.

Malicious Go Module Poses as SSH Brute-Force Tool, Steals

🔒 Researchers identified a malicious Go module that masquerades as an SSH brute-force utility but secretly exfiltrates credentials to a threat actor via a hard-coded Telegram bot. The package, golang-random-ip-ssh-bruteforce, published on June 24, 2022 and still accessible on pkg.go.dev, scans random IPv4 addresses, attempts concurrent logins from a small username/password list, and disables host key verification. On the first successful login it sends the IP, username and password to @sshZXC_bot, which forwards results to @io_ping, allowing the actor to centralize harvested credentials while distributing scanning risk.

Fortinet Supports INTERPOL in Operation Serengeti 2.0

🛡️Fortinet supported INTERPOL’s Operation Serengeti 2.0 by providing preemptive threat intelligence—IOCs, command-and-control data, and forensic insights—that helped plan and execute cross-border takedowns. Conducted June–August 2025 with 18 African nations and nine private partners, the operation led to 1,209 arrests, dismantling of 11,432 malicious infrastructures, and recovery of $97.4 million. Fortinet also contributed investigator training and capacity building to sustain disruption efforts.

Europol: Telegram Post Claiming $50,000 Qilin Bounty Is Fake

🔍 Europol has confirmed that a circulated Telegram post claiming a reward of up to $50,000 for information on senior Qilin ransomware operators is false. The message originated on a newly created channel (@europolcti) rather than on Europol's official accounts and was amplified by security outlets after being copied. The bogus announcement named alleged aliases "Haise" and "XORacle", and the channel poster later boasted about fooling researchers and journalists. Europol stressed that Qilin remains a significant threat, previously linked to an attack on a UK NHS provider with severe consequences.

Chinese Groups Escalate Cloud and Telecom Espionage

🛡️ CrowdStrike warns that China-linked groups Murky Panda, Genesis Panda, and Glacial Panda have intensified cloud and telecommunications espionage, abusing trusted cloud relationships and internet-facing appliances to gain access. The actors exploit N-day and zero-day flaws, deploy web shells, and steal cloud credentials to establish persistence with tools such as CloudedHope. Targets include government, technology, financial, and telecom sectors, with operations tailored to covert intelligence collection and long-term access.

INTERPOL Arrests 1,209 Cybercriminals in Africa Sweep

🔎 INTERPOL coordinated a multi-country crackdown that led to the arrest of 1,209 suspected cybercriminals across 18 African nations, targeting schemes that affected roughly 88,000 victims. The operation, the second phase of Operation Serengeti carried out between June and August 2025, recovered about $97.4 million and dismantled 11,432 malicious infrastructures. Private-sector partners including Group-IB and TRM Labs contributed intelligence on cryptocurrency fraud and ransomware links.

Blue Locker Ransomware Targets Critical Infrastructure

🔒 Pakistan Petroleum Limited (PPL) was struck by the Blue Locker ransomware, detected on 6 August, which appends a .blue extension to encrypted files and has reported deletion of backups and theft of some business and employee data. The incident encrypted servers and disrupted financial operations while recovery work proceeded in a phased manner. Pakistan's NCERT issued a high alert to 39 key ministries and institutions and warned of multiple distribution vectors. Organisations, especially critical infrastructure operators, are urged to verify and isolate backups, implement network segmentation and enhanced monitoring, and engage incident response and forensic teams as needed.