< ciso
brief />
Incidents and Data Breaches Banner

All news in category “Incidents and Data Breaches

3000 articles · page 7 of 150

RaaS group equips affiliates with EDR-killing toolkit

🔍 New research from ESET reveals that The Gentlemen ransomware-as-a-service platform now supplies affiliates with an advanced EDR killer framework called GentleKiller, alongside third-party tools like HexKiller, ThrottleBlood and HavocKiller. The leak shows affiliates can deploy bring-your-own vulnerable driver (BYOVD) techniques to gain kernel privileges and disable hundreds of EDR processes across many vendors. ESET warns this lowers the bar for less skilled attackers and urges organizations to enforce protections such as HVCI and KMCI, apply strict driver allow/block policies, and regularly audit drivers.
read more →

Gentlemen RaaS standardizes EDR-killer suite

🛡️ ESET researchers say the Gentlemen ransomware-as-a-service (RaaS) operation supplies affiliates with a standardized suite of EDR killers, centered on a framework named GentleKiller, to disable security tooling prior to encryption. The tooling mimics legitimate security products and leverages abused vulnerable drivers through a BYOVD technique, incorporating third-party killers like HexKiller and ThrottleBlood. The group rapidly operationalizes public proof-of-concept exploits, and ESET also found a Rust-based credential stealer called OxideHarvest in use.
read more →

Texas license vendor breach exposes 3M+ records

🔒 The Texas Parks and Wildlife Department disclosed a breach at its external license system vendor that exposed personal information for 3,087,721 hunting and fishing license customers. The Texas Cyber Command discovered the intrusion and confirmed no Social Security numbers, dates of birth, or financial data were affected. Exposed fields may include driver’s license data, passport numbers, emails, phone numbers, and residential addresses. TPWD is working with the vendor on enhanced safeguards and offering affected individuals one year of free credit monitoring.
read more →

CISA Warns Fortinet Customers Amid FortiBleed Campaign

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged Fortinet customers to secure FortiGate appliances after a large-scale campaign, dubbed FortiBleed, compromised 86,644 devices as of June 19, 2026. The campaign, attributed to Russian-speaking actors, used mass scanning and credential spraying against internet-facing VPN and firewall endpoints, leveraging leaked and reused credentials. Telecom, government, and education sectors were heavily affected, prompting guidance to reset passwords, enable MFA, and move to PBKDF2 hashing for admin credentials.
read more →

Salesforce disables Klue app after OAuth breach

🔒 Salesforce has disabled the Klue Battlecards app integration after unusual activity tied to a Klue security incident on June 11, 2026, which may have allowed unauthorized access to some customer data. Klue says attackers used a compromised legacy credential to obtain OAuth tokens and access connected third-party platforms, while Salesforce emphasizes the issue stemmed from the app connection and not its platform. Klue and customers like Huntress are investigating, revoking tokens, and remediating impacts.
read more →

New York man charged with AI-enabled cyberstalking

📢 A New York man was indicted on cyberstalking charges after allegedly creating multiple fake social media and email accounts to harass a former college classmate. The defendant is accused of distributing AI-generated nude images and fabricated racist messages across platforms including Instagram, LinkedIn, Reddit, X, Strava, and Yahoo between January and March 2025. Authorities say he used spoofed accounts to send images to the victim’s family and continued the campaign after the victim transferred to a Georgia college. Federal prosecutors emphasize that sharing intimate images without consent is a prosecutable offense and urge victims to report such abuse.
read more →

CISA Urges Fortinet Users to Secure Devices Now

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Fortinet customers to secure devices after nearly 74,000 firewall and VPN credentials were exposed in a leak dubbed "FortiBleed." The agency advised terminating SSL VPN and admin sessions, resetting passwords, enabling phishing-resistant multifactor authentication, and reviewing logs for signs of unauthorized access. CISA also recommended using PBKDF2 for admin credential storage and restricting management interfaces from the public internet.
read more →

Gentlemen Ransomware Deploys Multiple EDR Killers

🛡️ ESET researchers report the Gentlemen RaaS actively develops and deploys multiple EDR-killing tools, led by a primary utility named GentleKiller with at least eight variants. These tools use BYOVD techniques and vulnerable drivers to obtain kernel privileges and disable security products from dozens of vendors. The framework permits easy driver swaps, is protected by commercial packers, and is supplemented by external tools like HexKiller, ThrottleBlood, and HavocKiller.
read more →

Nintendo confirms TinyPulse survey data stolen

🛡️ Nintendo of America confirmed that threat actors accessed survey data from the third-party TinyPulse service used for internal employee surveys, but its own systems were not compromised. The company said the information is limited to a small subset of employees and mostly dates back several years. Nintendo is working with the service provider while denying any access to customer or financial data.
read more →

ICO cautions healthcare worker over royal records

🔒 The ICO has issued a formal caution to a former London Clinic healthcare worker who attempted to access and sell the Princess of Wales’ medical records. The regulator opened a criminal investigation in 2024 but concluded a caution under section 170(5) of the Data Protection Act 2018 was an appropriate enforcement response. The ICO found no wider organisational failings meeting the threshold for further action and emphasised its readiness to pursue prosecution when necessary.
read more →

Law enforcement disrupts SocGholish infections at scale

🛡️ International law enforcement agencies cleaned nearly 15,000 WordPress sites and took down over 100 servers tied to the SocGholish botnet and the Evil Corp cybercrime group as part of Operation Endgame. Authorities from the Netherlands, Canada, the United States, and Germany removed malware and backdoors from 14,971 compromised sites, advised remediation steps, and decommissioned 106 servers and domains. The action aims to deny criminals access, limit malware spread, and reduce risks to critical infrastructure.
read more →

Attackers exploit trusted AI platforms and ads

🔐 Threat actors abused trusted services — Google Ads, GitLab Pages, and Claude’s shared-chat feature — to trick developers into executing malicious PowerShell and terminal commands via ClickFix social engineering. Researchers at TrendAI observed a six-wave campaign that funnelled over 2,000 victims from sponsored search results to malicious pages and then to weaponized Claude shared chats. By impersonating popular developer tools and brands, the attackers leveraged reputation stacking to make their lures appear legitimate and evade detection.
read more →

Telegram admits limits detecting exam leak channels

📄 India's government told the Delhi High Court that it warned Telegram roughly two weeks before blocking the app amid allegations channels were selling leaked NEET-UG 2026 exam papers. The Ministry of Electronics and Information Technology and the National Testing Agency identified groups, channels and bots circulating stolen material and reported them to Telegram. The affidavit says Telegram acknowledged limited proactive detection and relied on reported content, while India's block—initially framed as a measured step—remains in effect pending the court's ruling.
read more →

Operation Escaneo exposes Latin American intrusions

🔍 New research from CloudSEK reveals Operation Escaneo, a coordinated campaign targeting government and financial entities across Latin America after attackers left a staging server exposed. The group exploited internet-facing appliances and known vulnerabilities in Fortinet and Ivanti devices, plus Apache Tomcat, Windows, and Log4Shell flaws. Attackers used custom reconnaissance (Kimera), webshells, reverse tunnels and a compromised Cisco router to exfiltrate large volumes of sensitive data.
read more →

Fortibleed campaign exposes 75,000 Fortinet firewalls

🔒 Researchers have uncovered a large credential-compromise campaign called Fortibleed that exposed tens of thousands of Fortinet FortiGate devices worldwide. Analysis by SOCRadar, Hudson Rock, and independent researchers found stolen configuration files, administrator and SSL VPN credentials, and tooling used to automate collection and cracking. Affected devices span 194 countries, with roughly 75,000 devices reportedly compromised, prompting urgent remediation advice including credential rotation and upgrading to modern FortiOS hashes.
read more →

ESET analysis of Gentlemen’s EDR-killer suite

🔎 ESET researchers detail the EDR-killing toolset used by the ransomware-as-a-service gang Gentlemen, which rose to prominence in early 2026. The group provides affiliates with an operator-maintained suite centered on an in-house framework dubbed GentleKiller plus integrated third-party tools like HexKiller and HavocKiller. A May 2026 internal leak and long-term incident visibility enabled deep linkage between leaked data, actual samples, and the gang’s TTPs.
read more →

NCSC: 75% of CNI Incidents Linked to Hostile States

🛡️ Richard Horne, CEO of the UK National Cyber Security Centre, told the RUSI Annual Security Lecture that three-quarters of cyber incidents affecting UK critical national infrastructure over the past year were traced to nation-state actors or hostile states. The NCSC handled around 200 incidents between June 2025 and May 2026, with threats described across three contested digital spaces: far, mid and near. Horne warned that AI and cloud supply-chain exploitation increase attacker scale and urged organisations to prioritise continuous defence, fix legacy vulnerabilities and close IT-OT knowledge gaps.
read more →

Fake Reputation Campaign Pushes Crypto Clipper

🛡️ Check Point Research found a coordinated campaign using paid posts, fake accounts, and a WordPress phishing hub to promote malicious warez. The operators pushed a Rust-based clipboard hijacker hidden in Solana and sniper bot packages targeting Windows and macOS, replacing crypto wallet addresses to steal funds. They used GitHub, SourceForge, YouTube, VirusTotal manipulation, and press release services to fabricate trust and inflate metrics.
read more →

FortiBleed leak exposes Fortinet VPN credentials

🔒 A newly discovered data leak called FortiBleed appears to expose Fortinet and FortiGate VPN credentials for 73,932 firewall URLs worldwide. Researcher Bob Diachenko discovered a server containing usernames, emails, and plaintext passwords and linked the collection to a Russian-speaking multi-operator group that performed massive credential harvesting and cracking. Hudson Rock and other researchers validated the dataset, noting impacts across many industries and countries, and urged affected organizations to rotate credentials and enforce MFA.
read more →

Serverless GitHub Pages Phishing Hits Mexican Banks

🛡️ New research from Group-IB describes the GitBait campaign, a multi-year phishing operation targeting Mexican banks that used GitHub Pages for hosting and SheetBest to exfiltrate credentials into Google Sheets. The operation relied on modular phishing kits, automated publishing, and crafted Open Graph tags to spread links via messaging apps while evading search indexing. Group-IB reported over 100 GitHub-hosted domains and urges banks to monitor brand abuse and suspicious traffic to cloud services.
read more →