All news in category “Incidents and Data Breaches”

🚨 ReliaQuest warns that Storm-0249 appears to be evolving from an initial access broker into an active operator, adopting domain spoofing, DLL side-loading and fileless PowerShell execution to facilitate ransomware intrusions. The actor used a Microsoft-mimicking URL and the Windows Run dialog to fetch and execute a PowerShell script that installed a trojanized SentinelOne DLL via a malicious MSI. This technique leverages living-off-the-land utilities and signed processes to maintain persistence and evade detection.

📧Attackers impersonating file-sharing and e-signature platforms sent over 40,000 finance-themed phishing emails, researchers at Check Point report. These messages mimicked notifications from services like SharePoint and popular e-signing vendors to coax recipients into clicking links or entering credentials. The campaign targeted finance workflows and aimed to harvest credentials or deliver follow-on malware, underscoring the need for robust email security and user vigilance.

🔒CISA, alongside the FBI, NSA, DOE, EPA, the Department of Defense Cyber Crime Center, and international partners, published a joint advisory describing opportunistic pro-Russia hacktivist activity targeting operational technology (OT) systems. These groups exploit minimally secured, internet-facing VNC connections to access OT control devices and have caused varying impacts, including physical damage. Named actors include Cyber Army of Russia Reborn, Z-Pentest, NoName057(16), and Sector16. The advisory recommends reducing internet exposure of OT assets, adopting mature asset-management and mapping practices, and enforcing robust authentication.

🛡️ Sophos links nearly 40 intrusions from Feb 2024 to Aug 2025 to STAC6565, a cluster assessed to overlap the criminal group Gold Blade (aka RedCurl/Red Wolf). The campaign shows an unusually narrow geographic focus — almost 80% of attacks targeted Canadian organizations — and combines targeted data theft with selective ransomware deployment using QWCrypt. Attack chains abuse recruitment platforms to deliver multi‑stage loaders such as RedLoader and tools designed to evade AV and disable recovery, often leveraging WebDAV, Cloudflare Workers and program‑compatibility execution paths.

🔒 Investigators from the Cybercrime Center Baden-Württemberg, the Baden-Württemberg State Criminal Police (LKA) and BaFin said they have shut down more than 3,500 phone numbers believed to be used by investment, grandchild and fake-police scammers. The affected landline, mobile and VoIP numbers were disabled by providers, and about 350 Austrian numbers were taken offline in coordination with Vienna. The measure is part of Operation Herakles, intended to dismantle the technical infrastructure of fraud networks and protect consumers.

🔒 Security researchers uncovered malicious extensions on the Microsoft Visual Studio Code Marketplace that delivered stealer malware while posing as a dark theme and an AI assistant. Koi Security reported the extensions downloaded additional payloads, captured screenshots, and siphoned emails, Slack messages, Wi‑Fi passwords, clipboard contents and browser sessions to attacker servers. Microsoft removed the packages in early December 2025 after investigators linked them to a publisher using multiple similarly named packages.

🛡️ Shanya is a packer-as-a-service used by multiple ransomware gangs to conceal payloads that disable endpoint detection and response (EDR) tools. The service returns a custom, encrypted wrapper that decrypts and decompresses the payload entirely in memory and inserts it into a memory-mapped copy of shell32.dll, avoiding disk artifacts. Sophos telemetry links Shanya-packed samples to Medusa, Qilin, Crytox and Akira, and notes techniques that crash user-mode debuggers and facilitate DLL side-loading to deploy EDR killers.

🔒Three Ukrainian nationals were arrested in Poland after police discovered a cache of devices alleged to be capable of interfering with strategic IT and telecommunications systems. Officers seized a Flipper Zero, a K19 RF/GS detector, antennas, laptops, numerous SIM cards, routers, portable drives, and cameras. The suspects, aged 39–43, face charges including fraud, computer fraud, and possession of tools intended for criminal activity, and are detained pending trial.

🔍 Securonix has detailed a campaign named JS#SMUGGLER that leverages compromised websites and an obfuscated JavaScript loader to deliver the NetSupport RAT. Attackers chain a hidden iframe and a remote HTA executed via mshta.exe to run encrypted PowerShell stagers and fetch the RAT. The loader applies device-aware branching and a visit-tracking mechanism to trigger payloads only on first visits, reducing detection risk. Temporary stagers are removed and payloads execute in-memory to minimize forensic artifacts.

🔒 A new version of the ClayRat Android spyware significantly expands surveillance and device-control features, researchers at Zimperium report. The campaign now pairs Default SMS privileges with aggressive abuse of Accessibility Services to enable a keylogger that captures PINs, passwords and unlock patterns, full-screen recording via the MediaProjection API, deceptive overlays and automated taps that hinder removal. Over 700 unique APKs and more than 25 active phishing domains — including impersonations of video platforms and car apps — have been observed distributing the malware.

🔒 Marquis Software Solutions confirmed a breach affecting more than 780,000 individuals after attackers exploited a SonicWall firewall vulnerability on 14 August. The company shut down affected systems and engaged external cybersecurity specialists; a late-October review found unauthorized actors copied files containing personal and financial data from certain business customers. Marquis is offering free credit monitoring and has implemented multiple security controls while its investigation continues, and it reports no evidence so far that the stolen data has been posted online.

🔒Barts Health NHS Trust has applied to the High Court seeking an order to prevent the sharing, publication or use of data stolen from an Oracle E-business Suite database. A criminal group known as Cl0p posted compressed files on the dark web containing names, addresses and invoicing records relating to patients, suppliers and former staff. The trust says clinical systems and core IT infrastructure were unaffected and it is working with NHS England, the NCSC and law enforcement while notifying regulators.

🔴 A critical remote code execution flaw in the Sneeit Framework WordPress plugin (CVE-2025-6389) is being actively exploited, according to Wordfence. The issue, patched in version 8.4 on August 5, 2025, affects all releases up to and including 8.3 and lets unauthenticated attackers invoke arbitrary PHP functions via sneeit_articles_pagination_callback() and call_user_func(). Wordfence reported more than 131,000 blocked attempts since disclosure, including tens of thousands in a single day, and observed uploads of PHP shells and creation of malicious admin accounts on vulnerable sites.

🔒 The Iranian-linked group MuddyWater has been observed deploying a new UDP-based backdoor called UDPGangster, using UDP channels for command-and-control, data exfiltration, and remote command execution. Fortinet FortiGuard Labs says the campaign targeted users in Turkey, Israel, and Azerbaijan via spear-phishing messages that deliver macro-enabled Word documents (e.g., "seminer.doc" inside "seminer.zip") and display a Hebrew-language decoy image. The embedded VBA macro decodes Base64 content into C:\Users\Public\ui.txt and launches it via CreateProcessA; the payload establishes registry persistence and runs multiple anti-analysis checks before communicating over UDP to 157.20.182[.]75:1269 to exfiltrate data, run commands with "cmd.exe", transfer files, and deploy additional payloads.

🔐 Beginning December 2, a campaign using more than 7,000 IPs from German host 3xK GmbH (AS200373) carried out brute-force login attempts against Palo Alto GlobalProtect portals and soon pivoted to scanning SonicWall SonicOS API endpoints. GreyNoise links the activity to three recurring client fingerprints seen in prior scans and to earlier campaigns that generated millions of HTTP sessions. Organizations should monitor authentication velocity and failures, block implicated IPs and fingerprints, and enforce MFA to reduce credential abuse.

🔒 Chinese state-sponsored actors are implanting a Go-based backdoor called BRICKSTORM on VMware vCenter and ESXi servers to maintain long-term persistence in targeted networks. CISA, NSA and the Canadian Cyber Centre analyzed multiple samples and found the malware often remained undetected for extended periods, enabling lateral movement, credential theft and exfiltration via VSOCK and SOCKS5 proxy functionality. The joint advisory includes IOCs, YARA and Sigma rules and recommends patching, hardening vSphere, restricting service account privileges, segmenting networks and blocking unauthorized DoH.

🔒 Barts Health NHS Trust disclosed that the Cl0p ransomware group stole invoice data from an Oracle E-Business Suite database after exploiting a zero-day vulnerability (CVE-2025-61882). Stolen files include full names and addresses of payers, records of former employees with debts, supplier details, and accounting files relating to Barking, Havering and Redbridge University Hospitals. The trust says its electronic patient record and clinical systems were not affected, has notified the NCSC, Metropolitan Police and the ICO, and is seeking a High Court order while advising patients to check invoices and remain vigilant for suspicious communications.

🛡️ CrowdStrike has attributed a sophisticated cyber‑espionage campaign to a China-linked group dubbed Warp Panda, which has targeted North American legal, technology and manufacturing firms to support PRC intelligence priorities. The actor employed BRICKSTORM implants and Golang-based tools to persist on VMware vSphere infrastructures, including vCenter and ESXi hosts. CISA’s advisory corroborates long-term access and vCenter exploitation.

⚠️ Within hours of public disclosure, two China-linked groups began exploiting the newly disclosed CVE-2025-55182 (React2Shell) remote code execution flaw in React Server Components. AWS telemetry from MadPot honeypots attributes activity to Earth Lamia and Jackpot Panda, showing attempts to run discovery commands such as "whoami", write files like "/tmp/pwned.txt", and read sensitive files such as "/etc/passwd". Vendors addressed the bug in React 19.0.1, 19.1.2, and 19.2.1, but attackers are concurrently scanning for other N-day flaws.

🔒 Inotiv, an Indiana-based contract research organization, disclosed an August ransomware attack that disrupted operations after networks, databases, and internal applications were taken offline. The company says it has 'restored availability and access' to impacted systems and is notifying 9,542 individuals whose information was stolen. The incident, dated to approximately August 5–8, 2025, was claimed by the Qilin ransomware group, which published alleged samples and asserted it exfiltrated roughly 162,000 files totaling about 176 GB, though Inotiv has not confirmed the specific data types or publicly attributed the attack.