< ciso brief />

All news in category “Incidents and Data Breaches”

2723 articles · page 63 of 137

Microsoft Disrupts RedVDS, Takedown of Fraud RDP Service

🛡️ Microsoft said it executed coordinated legal action in the U.S. and U.K. to seize infrastructure and take RedVDS (redvds[.]com) offline after linking the service to large‑scale fraud. For as little as US $24 per month, the subscription offered disposable Windows RDP hosts and a Telegram management bot with no activity logs. Microsoft attributed roughly US $40 million in U.S. fraud since March 2025 and says RedVDS‑enabled attacks compromised over 191,000 organizations worldwide since September 2025.

International Takedown of RedVDS Cybercrime Service

🛡️ International law enforcement, together with Microsoft, dismantled the RedVDS cybercrime service after seizing servers hosted in Germany. The takedown was confirmed by the ZIT and the State Criminal Police Office of Brandenburg; authorities from Germany, the United States and the United Kingdom say the platform enabled large-scale phishing and boss‑scam fraud. Microsoft reports $40 million in US losses over seven months and highlights prolific phishing volumes from rented virtual machines. No arrests have been reported; suspects are believed to be located in an unspecified Middle Eastern country.

From typos to takeovers: npm supply‑chain attack escalation

🔐 The npm ecosystem has shifted from simple typosquatting to coordinated, credential-driven supply‑chain intrusions that target maintainers, CI pipelines, and trusted automation. Attackers now compromise legitimate packages via stolen tokens and publish trojanized updates that quietly propagate to millions of downstream projects. Detection increasingly requires runtime and anomaly analysis rather than static scanning, while mitigations focus on treating CI runners as production assets, aggressively rotating and scoping publish tokens, disabling unnecessary lifecycle scripts, and pinning dependencies to immutable versions.

Microsoft Seizes Servers, Disrupts RedVDS Cyberplatform

🔒 Microsoft says it disrupted RedVDS, a cybercrime-as-a-service platform tied to at least $40 million in U.S. losses since March 2025. The company filed civil lawsuits in the U.S. and U.K., and — working with Europol and German authorities — seized servers, took the marketplace and customer portal offline, and removed malicious infrastructure. RedVDS rented disposable Windows cloud servers worldwide to enable large-scale phishing, BEC, credential theft and AI‑enhanced impersonation campaigns.

Kyowon Confirms Customer Data Theft in Ransomware Attack

🔒 Kyowon Group confirmed a ransomware incident in January that disrupted services and resulted in the theft of customer data. The company says roughly 9.6 million accounts (about 5.5 million people) may be affected and that approximately 600 of its 800 servers were impacted. Kyowon is working with authorities and security experts to investigate and restore services, and will disclose confirmed details to customers.

France Fines Free Mobile €42M Over 2024 Data Breach

🔒 The French data protection authority, CNIL, fined Free Mobile and parent company Free a combined €42 million for insufficient protection of customer data after an October 2024 breach that exposed information of nearly 23 million subscribers. CNIL cited weak VPN authentication, poor detection of abnormal activity, delayed notifications, and excessive data retention. The companies must complete security fixes and perform mandated data clean-up within required deadlines.

Iran's Partial Internet Shutdown: Opportunity for Intel

🔍 The near-total internet blackout Iran imposed on January 8 may offer SOC teams a rare chance to observe and digitally fingerprint government-controlled traffic. Vendors argue that with residential and business noise silenced, remaining connections likely originate from state assets, making them high-confidence signals for threat modeling and short-term intelligence collection. Analysts caution, however, that sophisticated state actors can deceive attribution, legitimate government traffic may be benign, and routing artifacts often disappear once services are restored, so captured data should be treated as contextual input, not definitive proof.

Kimwolf/AISURU Botnet Infects Over Two Million Devices

🚨 Black Lotus Labs said it null-routed traffic to more than 550 command-and-control nodes tied to the AISURU/Kimwolf botnet after detecting rapid growth beginning in early October 2025. Researchers attribute the expansion to a malicious ByteConnect SDK delivered to unsanctioned Android TV devices and proxy services that expose Android Debug Bridge (ADB). The botnet, leveraged for DDoS and residential proxy leasing, has infected more than two million devices and has been linked to hosting providers and proxy marketplaces where compromised nodes were offered for sale.

Verizon Wireless Outage Forces Phones Into SOS Mode

🔴 Verizon Wireless is experiencing a widespread outage across the United States, leaving affected phones displaying an SOS indicator and unable to make normal cellular calls. Reports to DownDetector began around 12 PM ET, and callers attempting to reach impacted numbers hear a recording that the called party is temporarily unavailable. The disruption appears to span multiple states rather than a single region, and some other carriers also showed issues during similar timeframes. Verizon has been contacted and the incident is under investigation.

Microsoft Disrupts RedVDS Cybercrime Subscription Service

🛡️ Microsoft announced on 14 January that it has seized the infrastructure and website of RedVDS, a subscription-based cybercrime platform that rented disposable virtual machines and AI tools to facilitate phishing, business email compromise (BEC) and fraud. The service, available from about $24/month, has been linked to more than $40 million in losses in the US and nearly 190,000 victimised organisations worldwide. Legal partners in the US and the UK, with international law enforcement support, coordinated the takedown.

Phishing Campaign Uses Fake PayPal Alerts, Abuses RMM

📧 CyberProof documented a wave of phishing-led intrusions in which attackers used fake PayPal alerts to trick victims into installing legitimate remote access software. The campaign targeted both personal and corporate accounts and represents a shift from seasonal lures to high-urgency financial themes. Attackers initially deployed LogMeIn Rescue, then pivoted to AnyDesk to maintain access while avoiding EDR detection. Recommended mitigations include tighter phishing controls, restricting RMM ports and adopting a zero-trust posture.

Inside RedVDS: Virtual Desktop Abuse Fuels Global Fraud

📌 Microsoft Threat Intelligence exposed RedVDS, a criminal VDS marketplace that sold inexpensive, unlicensed Windows RDP servers enabling widespread BEC, mass phishing, account takeover, and financial fraud. The service repeatedly cloned a single Windows Server 2022 image (host name WIN-BUNS25TD77J), producing consistent fingerprints defenders could detect. RedVDS tenants deployed mass-mailer tools, harvesters, remote access utilities and AI writing assistants to craft and scale phishing campaigns. In coordination with law enforcement, Microsoft disrupted the infrastructure and published detection and mitigation guidance including Defender XDR telemetry and recommended email and identity controls.

ConsentFix debrief: New OAuth phishing technique analysis

🔒 Push Security discovered ConsentFix in December — a browser-native OAuth phishing technique that tricks victims into pasting a legitimate Microsoft authorization URL so attackers can exchange the code and hijack accounts. The campaign targeted pre-consented first-party Microsoft apps and legacy scopes to evade default logging and Conditional Access controls. Push and the security community have published hunting guidance and mitigations focused on logging, access restrictions, and browser-based detection.

DeadLock Ransomware Abuses Polygon Smart Contracts

🔒 Group-IB researchers report that the DeadLock ransomware is using Polygon smart contracts to store and rotate proxy server addresses, enabling more resilient command-and-control. Rather than rely on hard-coded servers, the malware performs read-only calls to blockchain contracts to fetch proxy URLs and uses fallback RPC endpoints to avoid transactions and fees. An HTML component communicates via the Session encrypted messaging platform, while operators also employ AnyDesk and PowerShell to escalate impact; victims' files are suffixed .dlock and ransom notes threaten data sale.

c-ares DLL Side-Loading Enables Malware Deployment

🔒 Researchers detail an active campaign abusing a DLL side-loading flaw in the open-source c-ares runtime to evade defenses and deploy commodity trojans and stealers. Attackers pair a malicious libcares-2.dll with signed copies of ahost.exe (commonly from GitKraken) placed in the same folder to hijack load order and achieve code execution. The operation distributes families including Agent Tesla, CryptBot, Formbook, Vidar, Lumma, Remcos and others using invoice- and RFQ-themed lures in multiple languages targeting finance, procurement and admin roles.

Pax8 Email Error Exposes MSP and Microsoft Licensing Data

⚠️ Pax8 confirmed it mistakenly emailed a CSV attachment on January 13 that contained internal pricing and Microsoft licensing data to fewer than 40 UK-based partners. Recipients reported the file listed about 56,000 entries covering roughly 1,800 partners, with fields including partner and customer IDs, SKUs, license counts, renewal dates, and booking details. Pax8 asked recipients to delete the message, required deletion confirmations, and said it launched an internal review. The company maintains the file did not contain personally identifiable information and that marketplace availability and security controls were not affected.

Victorian Education Department Notifies Parents of Data Breach

🔒 The Victorian Department of Education has notified parents that an unauthorized third party accessed a database containing student names, school names, year levels and school-issued email addresses, along with encrypted passwords for accounts that use those emails. The department said more sensitive fields such as birth dates, home addresses and phone numbers were not exposed. All student passwords have been reset and access to school accounts is blocked until new credentials are issued; VCE students will be prioritised. Authorities say they removed the attack vector and have not found evidence the data was publicly released or shared, and further updates will be provided.

Cyberattack Suspected After False Active-Shooter Siren

🚨 On Saturday, 10 January, the city of Halle (Saale) experienced a widespread false alarm when all sirens sounded around 10:00 p.m., accompanied by an English announcement: “Active shooter. Lockdown now.” City officials, including Mayor Alexander Vogt and security head Tobias Teschner, said the alert was likely triggered by external access to the siren system and not by local, state, or federal authorities. Authorities have secured the system, filed a police report, and are investigating; the municipal website was briefly unavailable due to high visitor traffic rather than a targeted DDoS, and resilience measures have been implemented.

Windows 365 update blocks access to Cloud PC sessions

⚠️ Microsoft confirmed a recent Windows 365 update is preventing some customers from signing in to their Cloud PC sessions. The disruption began Tuesday at 19:00 UTC after automated monitoring detected a spike in failed connection attempts, and engineers traced the problem to the update. Microsoft says the change was intended to improve security and is now analyzing it to determine mitigation and a permanent fix. As temporary workarounds, affected users can connect via the Windows App Web Client or use the Remote Desktop client to reach Azure Virtual Desktop.

Monroe University breach: 320,973 records exposed nationwide

🔒 Monroe University disclosed that threat actors accessed its network from December 9 to December 23, 2024, and stole personal, financial, and health information affecting 320,973 people. The university said stolen records may include names, dates of birth, Social Security numbers, government IDs, medical and insurance data, account usernames, passwords, and financial account information. Notifications began January 2 and affected individuals were offered one year of free credit monitoring through Cyberscout; the incident follows prior ransomware attacks and broader targeting of higher education institutions.