All news in category "Incidents and Data Breaches"

Wed, November 26, 2025

Multiple London councils' IT systems hit by cyberattack

🔒 The Royal Borough of Kensington and Chelsea and Westminster City Council are experiencing widespread service disruptions after a cybersecurity incident that also affected the London Borough of Hammersmith and Fulham. Several systems, including phone lines, were taken offline, and the councils activated emergency plans to preserve critical services. Officials say they shut down affected systems as a precaution while working with specialist incident responders and the National Cyber Security Centre. Security researchers indicate the outage stems from a ransomware attack on a shared services provider; investigations and efforts to restore services are ongoing.

Wed, November 26, 2025

Meet Rey, Admin of Scattered LAPSUS$ Hunters Exposed

🔍 A prolific operator known as "Rey," one of three administrators of the Scattered LAPSUS$ Hunters (SLSH) Telegram channel, has confirmed his real-world identity after investigative outreach. Rey is tied to the recent release of the group's new RaaS offering ShinySp1d3r, which he says is derived from Hellcat ransomware code modified with AI tools. Reporting shows Rey made multiple operational security mistakes that allowed analysts to link him to a shared family PC in Amman, Jordan, revealing his name as Saif Al‑Din Khader and that he is a mid‑teens minor who says he is cooperating with law enforcement.

Wed, November 26, 2025

Cyberattack Disrupts OnSolve CodeRED Emergency Alerts

⚠️ A cyber-attack on the OnSolve CodeRED platform disrupted emergency alerts used by state and local agencies across the US and exposed user data. Crisis24 shut down the legacy environment and is rebuilding the system in a new, isolated infrastructure. Investigators confirmed data theft — including names, addresses, emails, phone numbers and passwords — though there is no evidence the data has been posted online. The threat actor INC Ransom claims responsibility and has published screenshots and is selling samples of the files.

Wed, November 26, 2025

Qilin Ransomware Targets South Korean MSP, Hits Finance

🛡️ South Korea's financial sector was struck by a coordinated supply-chain campaign that deployed Qilin ransomware via a compromised MSP, Bitdefender reports. The operation, self-styled as 'Korean Leaks', unfolded in three publication waves in September–October 2025 and resulted in the theft of over 1 million files (about 2 TB) from 28 victims. Analysis ties the clustered intrusions to a single upstream MSP compromise and notes possible involvement by North Korean-affiliated actors alongside Qilin affiliates operating under a RaaS model.

Wed, November 26, 2025

FBI Warns of Widespread Account Takeover Fraud Since 2025

🔒 The FBI reports that since January 2025, account takeover (ATO) schemes have produced losses exceeding $262 million. Cybercriminals impersonate bank, payroll and health account providers and use phishing domains, SEO poisoning and social engineering to harvest credentials and one-time codes. The Bureau recommends enabling MFA, using unique complex passwords, monitoring accounts regularly, avoiding search ads and verifying unsolicited calls or messages before sharing any login information.

Wed, November 26, 2025

ClickFix Campaign Uses Fake Windows Update Pages in Stealth

🛡️ Researchers at Huntress uncovered a ClickFix campaign that hides malware inside the RGB pixels of PNG images on a fake Windows Update page, tricking victims into pasting and running commands. The delivered payloads include the LummaC2 infostealer and the Rhadamanthys malware family, with active domains observed after a mid-November takedown. Huntress warns the steganographic technique and the realistic Windows Update motif increase the attack's stealth, and recommends disabling the Windows Run dialog and strengthening endpoint monitoring.

Wed, November 26, 2025

ShadowV2 IoT Botnet Exploits Multiple Device Flaws

⚠️ FortiGuard Labs observed a Mirai-derived botnet named ShadowV2 actively exploiting multiple known IoT firmware vulnerabilities to deliver a downloader and ELF payloads that enable remote takeover and DDoS operations. The activity, detected during a late‑October global AWS connectivity disruption, targeted a wide range of devices including D-Link, TP‑Link, DD‑WRT variants and DVR systems. ShadowV2 decodes an XOR-encoded configuration (key 0x22), contacts a hardcoded C2 (silverpath.shadowstresser.info / 81.88.18.108), and supports UDP, TCP and HTTP flood methods. Fortinet provides AV detections and IPS signatures for the exploited CVEs, and recommends firmware updates, network hardening, and continuous monitoring.

Wed, November 26, 2025

Gainsight Breach Impacts More Salesforce Customers

🔒 Gainsight has confirmed the cyber‑attack tied to Salesforce affected more customers than initially reported, though the vendor says the number remains limited and affected customers were notified. As a precaution Gainsight temporarily disabled Salesforce read/write access for several products, including Customer Success (CS), Community (CC), Northpass (CE), Skilljar (SJ) and Staircase (ST). Other vendors such as Gong.io, Zendesk and HubSpot have also disabled their connectors. Gainsight engaged Mandiant for an independent forensic investigation and is advising customers to rotate credentials and S3 keys, reset NXT passwords where appropriate, re-authorize integrations, and follow proactive hardening guidance while the investigation continues.

Wed, November 26, 2025

Malicious Chrome Extension Injects Hidden Solana Fees

🛡️ A malicious Chrome extension named Crypto Copilot was found injecting covert Solana transfers into Raydium swap transactions, diverting funds to an attacker-controlled wallet. Published by "sjclark76" on May 7, 2024, the add-on remains available on the Chrome Web Store with 12 installs. The extension appends a hidden SystemProgram.transfer to each swap before signature, charging a minimum of 0.0013 SOL (and applying a 2.6 SOL/0.05% rule) while obfuscating its code to evade detection. It also contacts backend domains to register wallets and report activity, giving a false veneer of legitimacy.

Wed, November 26, 2025

SLSH Resurgence: ShinySp1d3r RaaS Ahead of Holidays

⚠️ Unit 42 documents a renewed campaign by the Scattered LAPSUS$ Hunters (SLSH) that combines a supply-chain driven data theft affecting Gainsight/Salesforce integrations with the emergence of a new Windows-focused ransomware-as-a-service, ShinySp1d3r. The actors publicly threatened mass ransomware deployment and set a leak deadline while also actively recruiting insiders and claiming hundreds of additional victim accesses. Organizations should prioritize rotating exposed tokens, enforcing strong insider controls, and engaging incident response if they suspect compromise.

Wed, November 26, 2025

Serious Cyber Incidents Hit Multiple London Councils

⚠️ Multiple London local authorities, including the Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council, are responding to a serious cybersecurity incident identified on Monday. Both councils have informed the ICO and are working with the NCSC while invoking business continuity and emergency plans to protect critical services. A number of systems, including phone lines and shared IT services, are affected across boroughs. RBKC reports successful mitigations are in place and recovery work is continuing.

Wed, November 26, 2025

RomCom via SocGholish Fake Update Targets US Civil Firm

🔒 Arctic Wolf Labs reports that a RomCom payload was delivered via a JavaScript loader known as SocGholish to a U.S.-based civil engineering company, marking the first observed use of this distribution method. The chain relied on fake browser update prompts to run a loader that established a reverse shell, dropped a custom Python backdoor called VIPERTUNNEL, and installed a RomCom DLL loader that launched the Mythic Agent. Attribution to GRU Unit 29155 is assessed at medium-to-high confidence, and the intrusion was blocked before it could progress further.

Wed, November 26, 2025

Ransomware Alliances Drive Large October Attack Surge

🔴 A seasonal surge and new alliances between ransomware groups drove a 41% month-on-month jump in attacks from September to October, NCC Group reports. Qilin was the most active actor, blamed for 170 of 594 incidents (29%), followed by Sinobi and Akira. The rise coincides with LockBit 5.0 realigning with DragonForce and Qilin, and the emergence of newcomers such as The Gentlemen. Organisations are urged to reinforce monitoring, staff awareness, and secure backups ahead of the peak threat season.

Tue, November 25, 2025

OnSolve CodeRED Cyberattack Disrupts U.S. Alert Systems

🚨 Crisis24 confirmed its CodeRED emergency-notification platform was breached, disrupting alerts for state and local governments, police, and fire agencies nationwide. The company decommissioned the legacy environment and is rebuilding from a March 31, 2025 backup, so recent accounts may be missing. Crisis24 says the incident was contained to CodeRED, but names, addresses, emails, phone numbers and passwords were stolen; no public posting has been confirmed.

Tue, November 25, 2025

Developers Exposed Large Cache of Credentials Online

🔒 Security researchers at watchTowr discovered that two popular code utility sites — JSON Formatter and Code Beautify — inadvertently exposed thousands of developer submissions containing sensitive secrets and credentials. By querying a public API and the sites’ “Recent Links” listings, the team extracted over 80,000 submissions spanning years, including API keys, private keys, database and cloud credentials, JWTs, and PII. The exposure remained until the sites disabled the save feature; watchTowr also confirmed active scraping by third parties and reported limited response from affected organizations.

Tue, November 25, 2025

FBI: $262M Stolen in Bank Support Impersonation Scams

⚠️ The FBI warns that cybercriminals impersonating bank and payroll support teams have stolen over $262 million in account takeover (ATO) fraud since January 2025, with more than 5,100 complaints reported to the Internet Crime Complaint Center. Attackers use calls, texts, phishing sites and SEO‑poisoned search results to harvest credentials and MFA/OTP codes, then quickly wire funds to crypto wallets and lock owners out. The FBI advises monitoring accounts, using unique complex passwords, enabling MFA, bookmarking official banking sites, contacting financial institutions immediately to request recalls and indemnification, and filing detailed complaints with IC3.

Tue, November 25, 2025

Years of JSONFormatter and CodeBeautify Credentials Leak

🔒 New research from watchTowr Labs found over 80,000 files saved to online code-formatting tools, exposing thousands of passwords, API keys, repository tokens and other sensitive credentials across government, telecoms, finance, healthcare and critical infrastructure. The datasets comprise five years of JSONFormatter content and one year of CodeBeautify content (about 5GB), and both services used predictable, shareable URLs and a Recent Links page that made mass crawling trivial. Researchers uploaded decoy AWS keys that were abused within 48 hours, and both sites have temporarily disabled save functionality while implementing enhanced content-prevention measures.

Tue, November 25, 2025

Shai-Hulud 2.0: Inside a Major npm Supply-Chain Attack

🧨 Check Point Research details the Shai-Hulud 2.0 campaign, a rapid and extensive npm supply-chain attack observed in November 2025. Between 21 and 23 November, attackers compromised hundreds of npm packages and over 25,000 GitHub repositories by abusing the npm preinstall lifecycle script to execute payloads before installation completed. The report outlines techniques, scale, and practical mitigations to help organizations protect development pipelines.

Tue, November 25, 2025

FlexibleFerret macOS Campaign Uses Go-Based Backdoor

🦊 Jamf Threat Labs reports a macOS malware chain, named FlexibleFerret, that employs staged scripts, credential‑harvesting decoys and a persistent Go-based backdoor to maintain long-term access. The campaign uses a second-stage shell script that reconstructs download paths and fetches different payloads for arm64 and Intel systems, then unpacks and runs a loader while writing a LaunchAgent for persistence. A decoy app mimics Chrome permission prompts and a Chrome-style password window to steal credentials, which are exfiltrated via the legitimate Dropbox API. The final stage invokes a Golang backdoor, CDrivers, that provides remote command-and-control and extensive data-theft capabilities.

Tue, November 25, 2025

Code formatters left 80,000+ secrets exposed publicly

🔓 Researchers at external attack surface management firm watchTowr discovered more than 80,000 JSON snippets saved via JSONFormatter and CodeBeautify's unprotected Recent Links feature, exposing credentials, private keys, tokens, and configuration files. The platforms generated predictable, shareable URLs when users saved snippets and stored them without access controls, allowing anyone to scrape content via the services' APIs. Leaked material spans government, finance, healthcare, telecoms, and other sensitive sectors. watchTowr's Canarytoken test showed attackers accessed planted fake AWS keys after links had expired, indicating active scanning.
