ciso brief

All news in category “Incidents and Data Breaches”

2722 articles · page 67 of 137

Black Cat SEO Poisoning Campaign Distributes Backdoor

🚨A cybercrime gang known as Black Cat has been linked to an SEO poisoning campaign that tricks users with fake download pages for popular programs such as Google Chrome and Notepad++. Visitors are redirected to a GitHub‑mimicking host where a ZIP delivers an installer that creates a desktop shortcut which side‑loads a malicious DLL and deploys a backdoor. The backdoor contacts a hard‑coded C2 and can steal browser data, log keystrokes and capture clipboard contents. Users should avoid clicking unknown search results and download software only from official sources.

Ghost Tap Malware Drives Remote NFC Payment Fraud Surge

📱 Group-IB researchers have documented Android malware enabling unauthorized tap-to-pay transactions by remotely relaying NFC card data. Malicious APK samples—over 54 identified—are distributed in Chinese-language Telegram cybercrime communities and often disguise themselves as legitimate financial apps. Attackers use smishing and vishing to get victims to install a 'reader' app and tap their card; a criminal 'tapper' app and illicit POS terminals then complete the payment. Prominent vendors, including TX-NFC, X-NFC and NFU Pay, sell access via subscriptions and support.

Ransomhouse Upgrades: Dual-Encryption Attacks on VMware

🔒 Palo Alto Networks warns that the Jolly Scorpius group has significantly upgraded its Ransomhouse RaaS with a dual-key encryption trojan called Mario, combining a 32-byte primary key and an eight-byte secondary key that make recovery extremely difficult. Attack automation via MrAgent targets VMware ESXi hypervisors, enabling rapid cluster-wide encryption and firewall neutralization. The campaign primarily targets German companies; recommended mitigations include hardening virtual environments, immutable backups, and strict network segmentation.

ownCloud Urges MFA after Credential Theft Reports Globally

🔒 ownCloud has urged users to enable multi-factor authentication (MFA) after reports that threat actors used credentials stolen via infostealer malware to access self-hosted file-sharing instances. The company said the platform was not breached via a zero-day or vulnerability; attackers reused credentials harvested by malware such as RedLine, Lumma, and Vidar. ownCloud recommends enabling MFA, resetting passwords, invalidating sessions, and reviewing access logs to protect data.

Taiwan Faces Surge in Chinese Cyber Intrusion Attempts

🔎 Taiwan’s National Security Bureau (NSB) reports a dramatic rise in Chinese-sourced cyber intrusion attempts against the island’s critical infrastructure in 2025, totaling 960,620,609 recorded attempts. The NSB highlights a tenfold surge against the energy sector and a 54% rise targeting emergency rescue and hospitals, while water resources and finance saw notable declines. Top groups named include BlackTech, Mustang Panda and APT41, which used vulnerability exploitation, DDoS, social engineering and supply-chain methods, often timed to coincide with military or political events.

Hackers Claim to Disconnect Brightspeed Customers Now

🔒 Brightspeed is investigating claims that the hacking group Crimson Collective obtained personally identifiable information for over one million customers and disrupted connectivity. The group posted a sample of the data on Telegram in early January and later said it had disconnected many users' home internet, although Brightspeed has not confirmed outages or the breach. The purported dataset includes account records, geolocation details, payment histories and masked card data. The ISP is probing the incident while the authenticity and scope of the claims remain unclear.

Infostealer Exploits Lack of MFA to Breach Cloud Accounts

🔒 A recent Hudson Rock report reveals a threat actor known as Zestix (aka Sentap) harvested credentials from infostealer logs and accessed cloud file-sharing services such as ShareFile, Nextcloud and ownCloud because affected organizations did not enforce multi-factor authentication. The actor exfiltrated and auctioned highly sensitive corporate and customer data. The incidents underscore persistent failures in credential hygiene, the long lifetime of stolen credentials, and the necessity of MFA and session invalidation.

Taiwan: China's Cyberattacks on Energy Sector Rose Tenfold

🛡️ Taiwan's National Security Bureau (NSB) reports a tenfold increase in cyberattacks against the country's energy sector in 2025 compared to 2024. The NSB said incidents tied to China rose 6% overall and affected nine critical sectors, with spikes timed around political events and military activity. Observed attack methods included exploitation of hardware and software vulnerabilities, DDoS, social engineering, and supply-chain compromises targeting industrial control systems and upgrade windows.

Kimwolf Android Botnet Abuses Residential Proxies Widely

🛡️ Researchers report the Kimwolf Android botnet — an Aisuru variant — has grown to nearly two million infected hosts by abusing residential proxy services to reach devices on internal networks. The malware scans for unauthenticated Android Debug Bridge (ADB) endpoints on ports such as 5555 and delivers payloads via telnet/netcat, often targeting low-cost Android TV boxes. Affected devices are used for DDoS, proxy resale, and ad-fraud via third-party SDKs; mitigation includes wiping compromised boxes and preferring Google Play Protect-certified hardware from reputable OEMs.

Jaguar Land Rover Q3 wholesale down 43% after attack

🚗 Jaguar Land Rover (JLR) says a September 2025 cyberattack forced production shutdowns and resulted in a 43.3% year‑on‑year decline in third‑quarter wholesale volumes. Production only returned to normal by mid‑November and global distribution delays further reduced sales. JLR booked a £196 million hit, confirmed data theft, and said the incident was claimed by the Scattered Lapsus$ Hunters. The U.K. government later approved a £1.5 billion loan guarantee to help stabilise supply chains while tariffs and the planned discontinuation of legacy Jaguar models also weighed on performance.

Malicious Chrome Extensions Steal ChatGPT and DeepSeek Data

🔍 OX Security researchers uncovered two malicious Chrome extensions — “Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI” and “AI Sidebar with Deepseek, ChatGPT, Claude, and more” — installed by over 900,000 users. The add-ons scrape ChatGPT and DeepSeek conversation content and all open tab URLs, then batch-upload the harvested data to attacker-controlled servers. Operators used hosted privacy pages and impersonation to obscure their activity; users should remove these extensions and audit exposed data immediately.

Holiday Season Malware Targets Hotels via Booking Lures

⚠️ Securonix researchers have identified a multi-stage malware campaign, tracked as PHALT#BLYX, that targets hospitality organizations during the holiday season. The attack begins with phishing emails impersonating Booking.com, using urgent, high‑value reservation charges to lure victims to a convincing clone site. Victims are coerced through fake CAPTCHA and simulated BSOD prompts to paste a PowerShell command that downloads a project file executed by MSBuild.exe, culminating in a heavily obfuscated DCRat remote access Trojan. Securonix advises staff training, strict handling of browser‑prompted commands and enhanced monitoring of trusted binaries and process behaviour.

U.S. Cyber Operations Alleged in Venezuela Power Outage

🔍 President Donald Trump suggested that U.S. cyber operations or other technical measures were used to cut power in Caracas during strikes that preceded the capture of Nicolás Maduro. If confirmed, this would be a rare, overt instance of U.S. offensive cyber action. Such operations are typically classified, and public details, technical indicators, and independent verification remain scarce. The claim raises significant legal and diplomatic concerns.

Sedgwick Confirms Breach at Government Contractor Subsidiary

🔒 Sedgwick has confirmed a security incident affecting its federal contractor subsidiary, Sedgwick Government Solutions. The company says the parent firm's network was not affected and that the incident involved an isolated file transfer system. Sedgwick notified law enforcement, engaged external cybersecurity experts, and reported no evidence of access to claims management servers. The TridentLocker ransomware group claims to have exfiltrated 3.39 GB of documents and posted samples on a Tor leak site.

VS Code Forks Suggest Missing Extensions, Risk Supply Chain

⚠️ AI-powered VS Code forks such as Cursor, Windsurf, Google Antigravity and Trae were found recommending extensions that do not exist in the Open VSX registry, creating unclaimed namespaces attackers could register. Koi researcher Oren Yomtov showed that a single click on a suggested install (for example, a placeholder ms-ossdata.vscode-postgresql) can deploy a rogue package, and one placeholder received over 500 installs. Cursor and Google have released fixes, and the Eclipse Foundation removed non-official contributors and tightened registry safeguards. Developers should verify publishers before accepting IDE extension recommendations.

Jaguar Land Rover Q3 Sales Plummet After Cyber-Attack

🚗 Jaguar Land Rover is still reeling from a late‑August cyber-attack that disrupted production from September through mid-November, Tata Motors reported. Retail sales in Q3 2025 fell 25.1% year‑on‑year to 79,600 vehicles, while wholesale shipments plunged 43% to 59,200 units. Tata said the incident "significantly disrupted operations," forcing factory stoppages and ongoing distribution delays, compounded by US tariffs and model phase-outs.

Coinbase Insider Arrested in India Over Customer Data Leak

🔒 A former Coinbase customer service agent was arrested in Hyderabad, India, after allegedly accepting bribes from criminal gangs to access and sell sensitive customer records, Coinbase CEO Brian Armstrong announced. The incident, disclosed in May 2025, involved compromised support staff leaking data on nearly 70,000 customers, including IDs and financial details. Coinbase refused a US $20 million ransom and instead committed that sum to a reward fund while cooperating with law enforcement.

BGP Route Leak in Venezuela: Analysis of AS8048 Event

🔍 Cloudflare analyzed a BGP route leak observed on January 2 involving AS8048 (CANTV) redistributing prefixes originated by AS21980 (Dayco Telecom) via upstreams including AS6762 (Sparkle) and AS52320 (V.tal/GlobeNet). The pattern — with eleven similar events since December, heavy AS prepending, and an upstream provider relationship — suggests misconfigured export/import policies rather than deliberate interception. ROV would not have prevented this path-based leak; adoption of ASPA, RFC9234/OTC, and Peerlock-style checks is recommended to mitigate future leaks.

Cloud file-sharing breaches selling corporate data

🔐 A threat actor known as Zestix is offering corporate data reportedly stolen from dozens of companies after breaching ShareFile, Nextcloud, and ownCloud instances. Hudson Rock links the initial access to credentials harvested by infostealers such as RedLine, Lumma, and Vidar, often delivered via malvertising or ClickFix campaigns. Many affected accounts lacked multi-factor authentication, enabling unauthorized access and large-scale data exfiltration.

ClickFix Campaign Uses Fake BSOD to Trick Hospitality Staff

🛑 This campaign impersonates Booking.com to redirect hospitality staff to a cloned site that triggers a full-screen fake Windows BSOD. The page instructs victims to paste and run a command that launches PowerShell, compiles a malicious .NET project via MSBuild.exe, and executes a loader. The payload disables Defender exclusions, triggers UAC prompts for elevation, and deploys DCRAT (staxs.exe) which provides remote access and can drop additional tools such as cryptocurrency miners.