< ciso
brief />
Tag Banner

All news with #data exfiltration tag

217 articles · page 5 of 11

Infrastructure Already in the Espionage Collection Path

🔍 Enterprises now sit directly in adversaries' collection paths: they may not be primary targets but their shared telecom, cloud, MSP, and identity dependencies are being exploited upstream. Commercial spyware like Predator and state‑aligned groups documented in Singapore's February 2026 telco breaches show how device and backbone compromises create persistent, upstream access. CISOs must assume provider compromise, demand attestation, harden session and identity layers, and shift detection to low‑noise, long‑duration intelligence operations.
read more →

Speagle Malware Hijacks Cobra DocGuard in Targeted Campaign

🔒 Speagle is a newly identified malware that subverts the client and infrastructure of the legitimate document protection product Cobra DocGuard to harvest and exfiltrate sensitive information while masquerading as normal client-server traffic. Researchers at Symantec and Carbon Black (Broadcom) say the 32-bit .NET binary verifies the DocGuard installation, collects system and browser artefacts, and uses a compromised Cobra server for command-and-control and data theft. Tracked as Runningcrab, the activity appears narrowly targeted to environments running the security software and may stem from a supply-chain compromise; attribution remains unknown.
read more →

Ransomware Exfiltration Playbook: Abusing Everyday Tools

🔍 Exfiltration Framework examines how attackers repurpose legitimate OS utilities, third-party endpoint tools, and cloud clients to move sensitive data while evading traditional detections. The research shows that static IOCs and tool-blocking strategies are frequently ineffective when adversaries operate inside trusted software and infrastructure. By normalizing execution context, parent-child process relationships, network patterns, forensic artifacts, and destination characteristics, the framework exposes stable behavioral signals that persist despite masquerading, renaming, or relocation. It recommends correlating endpoint, network, and cloud telemetry, applying behavioral baselining, and focusing on cumulative transfer analysis rather than single-event or allow-list approaches.
read more →

DNS Exfiltration and RCE Risk in AI Code Sandboxes

🔒 Researchers disclosed that Amazon Bedrock AgentCore Code Interpreter's sandbox mode permits outbound DNS queries, enabling attackers to create bidirectional command-and-control channels and exfiltrate data via DNS despite a "no network access" setting. BeyondTrust rated the issue 7.5/10 and recommends migrating critical workloads to VPC mode and using a Route53 DNS Firewall. Administrators should audit IAM roles and inventory active interpreters immediately.
read more →

Stryker Attack Wipes Tens of Thousands of Devices Globally

🔒 Stryker reported a targeted attack that remotely wiped nearly 80,000 corporate devices by abusing Microsoft admin privileges and issuing remote wipe commands through Intune. The company says the incident was confined to its internal Microsoft environment, did not involve deployed malware, and investigators found no evidence of data exfiltration. Operational impacts include offline electronic ordering systems and manual order processing while recovery continues.
read more →

DNS-Based Data Exfiltration via AWS Bedrock Code Interpreter

⚠️ Phantom Labs Research demonstrated a DNS-based exfiltration technique targeting the AWS Bedrock AgentCore Code Interpreter that bypasses expected Sandbox Mode network restrictions. Maliciously crafted files (for example, CSVs) can influence generated Python code to use DNS queries as a covert command-and-control channel. In tests, researchers executed commands, enumerated and retrieved S3 content and secrets while the environment still reported network access disabled. AWS says this is intended behavior and updated documentation; organisations should inventory AgentCore instances, tighten IAM roles and move sensitive workloads to VPC mode.
read more →

Iran-linked Group Claims Massive Wiper Attack on Stryker

🚨 Pro-Iranian group Handala claimed it wiped over 200,000 devices and exfiltrated 50TB of data from medical device maker Stryker, asserting offices in 79 countries were forced to close. Stryker confirmed a cyber incident causing global disruption to its Microsoft environment but said there is no indication of ransomware and that it believes the incident is contained. Experts warned the attack appears to have leveraged enterprise management tools such as Microsoft Intune, suggesting a credential compromise and tactics consistent with Iranian state-linked activity.
read more →

PhantomRaven npm Campaign Steals Developer Data via 88 pkgs

🔒 Endor Labs identified a new PhantomRaven npm campaign wave that published 88 malicious packages across 50 disposable accounts, many using slopsquatting to mimic popular projects and names suggested by LLMs. The packages use Remote Dynamic Dependencies in package.json so malware is fetched from attacker-hosted URLs at install time, exfiltrating .gitconfig, .npmrc, environment variables and CI/CD tokens to C2 servers. Researchers note consistent EC2-hosted 'artifact' domains without TLS, an almost unchanged payload across waves, and 81 packages still available; developers should verify publishers and avoid unvetted AI suggestions.
read more →

Nine LeakyLooker Cross-Tenant Flaws in Google Looker Studio

🔒 Cybersecurity researchers disclosed nine cross-tenant vulnerabilities in Google Looker Studio that could have allowed attackers to execute arbitrary SQL and exfiltrate data across Google Cloud projects. Tenable has labeled the set of flaws LeakyLooker; there is no evidence of active exploitation and Google patched the issues after responsible disclosure in June 2025. Affected connectors include BigQuery, Spanner, Google Sheets, PostgreSQL, MySQL and many JDBC-based sources, and several bugs could retain stored credentials or enable one-click data exfiltration via crafted reports.
read more →

Threat Actor Used Elastic Cloud SIEM to Store Stolen Data

🔒 Researchers uncovered a campaign in which a threat actor exploited multiple enterprise software flaws to harvest system data and deposit it into a free-trial Elastic Cloud SIEM instance. The attacker used an encoded PowerShell payload to collect OS, hardware, Active Directory and patch details, sending records into an Elasticsearch index named systeminfo. Telemetry showed the trial was registered via a disposable email and accessed repeatedly through Kibana as the operator triaged victims. Huntress coordinated with Elastic and law enforcement to notify affected organisations and take the instance offline.
read more →

Chrome Extensions Turn Malicious After Ownership Transfer

🔒 Two Google Chrome extensions were modified following apparent ownership transfers, allowing attackers to remotely deliver JavaScript payloads, inject code, and harvest sensitive data from users. The affected extensions — QuickLens (~7,000 users) and ShotBird (~800 users) — changed owners in early 2026 and began polling C2 servers for runtime payloads. The update to QuickLens stripped security headers to bypass cross-origin protections, while ShotBird used a fake Chrome-update lure to pivot from browser compromise to host-level execution. Users should remove these extensions, audit browsers, and enterprises should treat extensions as supply-chain risk.
read more →

Ransomware Shift: From Loud Disruption to Stealth Tactics

🔒 Ransomware operators are shifting from noisy, disruptive attacks to covert, long-term intrusions focused on data theft and extortion. Picus Security's Red-Teaming report—based on simulations and analysis of 1.1 million malware files and 15.5 million MITRE-mapped actions—finds most common techniques aim to remain undetected. Adversaries increasingly chain vulnerabilities, route C2 through trusted services like OpenAI and AWS, and favor persistence over immediate encryption, though some vendors dispute a reduction in overall activity.
read more →

Cognizant TriZetto Breach Exposes 3.4M Patient Records

🔒 TriZetto Provider Solutions, part of Cognizant, disclosed a breach that exposed sensitive health and insurance records for about 3,433,965 individuals. The company detected suspicious portal activity on October 2, 2025, and determined that unauthorized access began on November 19, 2024. Exposed data may include names, addresses, dates of birth, Social Security numbers, Medicare and insurance identifiers, provider and insurer names, and other demographic or health information. TriZetto says no payment card or bank account data were exposed, has engaged external cybersecurity experts, notified law enforcement, alerted providers on December 9, 2025, and began customer notifications in early February 2026; affected individuals are being offered 12 months of credit monitoring and identity protection services from Kroll.
read more →

Ransomware Threats Increasingly Target Education Sector

🎓 Ransomware groups have shifted from encrypting files to extortion via stolen data, putting schools and universities at higher risk. Incidents in 2025–2026 include an attack on Sapienza University of Rome in February 2026, a vocational center in Treviso and Blacon High School, causing outages and operational disruption. Affordable, set-and-forget security that blocks phishing links and automatically scans USB devices can materially reduce exposure.
read more →

CL-UNK-1068 Targets Critical Sectors Across Asia Region

🛡️ Unit 42 details CL-UNK-1068, a cluster observed since 2020 that targets aviation, energy, government, law enforcement, pharmaceutical, technology and telecommunications organizations across South, Southeast and East Asia. The actor deploys web shells (GodZilla, an AntSword variant), performs DLL side-loading with legitimate python binaries, and uses custom scanners and tunneling tools such as FRP. Exfiltration focuses on web configuration files, databases and credentials; defenders should prioritize detections for behavioral anomalies over static IOCs.
read more →

Fake Google Security PWA Steals OTPs, Wallets, Proxies

🔒 A phishing campaign impersonating Google directs victims to a malicious PWA on google-prism[.]com that harvests contacts, clipboard contents, GPS data, and one-time passcodes. The PWA leverages a service worker, Periodic Background Sync, and the WebOTP API while checking an /api/heartbeat endpoint for commands. It can act as an HTTP proxy via a WebSocket relay and uses push notifications to prompt users to reopen the app so it can access data. An optional Android APK escalates access with dozens of permissions and persistence mechanisms.
read more →

Exposed Google API keys can now reveal Gemini AI data

🔓 Google Cloud API keys that were once treated as non-sensitive can now authenticate to the Gemini generative AI assistant, creating a new attack path where keys embedded in client-side JavaScript expose private assistant data. TruffleSecurity discovered nearly 2,800 live, publicly accessible keys across sectors — including financial firms and a Google product — by scanning the November 2025 Common Crawl. Attackers who copy exposed keys can call Gemini endpoints to retrieve data or generate costly API usage; developers should audit projects for the Generative Language API, rotate exposed keys immediately, and use detection tools to prevent abuse.
read more →

China-linked Hackers Used Google Sheets for Espionage

🛡️ Google disrupted a China-linked espionage group that repurposed Google Sheets as a covert command-and-control channel to manage a custom backdoor tracked as UNC2814 and named GRIDTIDE. The backdoor abused legitimate Sheets API calls to send commands, retrieve stolen data, poll spreadsheets frequently, and wipe rows to erase traces. Mandiant flagged unusual activity on a CentOS server, leading to discovery of intrusions at 53 organizations across 42 countries focused on telecoms and government systems. Google terminated attacker Cloud projects, revoked API access, sinkholed domains, and published IOCs.
read more →

UFP Technologies Says Data Stolen in Cyberattack Report

🔒 UFP Technologies disclosed a cybersecurity incident detected on February 14 that compromised portions of its IT environment and resulted in data theft. The company says it isolated affected systems, engaged external cybersecurity advisors, and believes the intruder has been removed with access restored in all material respects. Some functions such as billing and label making were impacted, and the firm is investigating whether personal information was exfiltrated.
read more →

CarGurus Data Leak Exposes 12.4 Million Account Records

🔓 The extortion group ShinyHunters published a 6.1GB archive on February 21 containing 12.4 million records it alleges were stolen from CarGurus. Have I Been Pwned (HIBP) has added the dataset and reports compromised data types including email addresses, IPs, full names, phone numbers, physical addresses, account IDs, finance application data, dealer details, and subscription information. CarGurus has not confirmed the breach or replied to requests for comment. HIBP says about 70% of the records were already known, leaving roughly 3.7 million newly exposed entries that could be abused for phishing and other scams.
read more →