< ciso
brief />
Tag Banner

All news with #data exfiltration tag

217 articles · page 7 of 11

USB Drives Threaten Enterprise Security: Risks & Controls

🔒 Removable media remains a persistent enterprise risk, enabling both data exfiltration and device-borne intrusion whenever USB drives connect to endpoints. The article highlights evolving threats — including MUSTANG PANDA’s USBFect campaigns (2023–2025) and late-2025 coinminer infections — and high-profile insider exfiltration cases. CrowdStrike recommends a dual approach using Falcon Data Protection to stop sensitive data from leaving endpoints and Falcon Device Control to block or restrict untrusted devices, both delivered via the single Falcon sensor to simplify deployment and reduce operational overhead.
read more →

Gemini AI Trick Exposes Google Calendar Data via Invite

⚠️ Researchers at Miggo Security demonstrated that Google Gemini can be manipulated via malicious Calendar invites to exfiltrate private event data. By embedding natural-language prompt-injection payloads in an event description, attackers can cause Gemini to summarize private meetings and write that summary into a new event visible to participants. Miggo reported the issue and Google has implemented mitigations.
read more →

Google Gemini exploited via calendar prompt injection

⚠️ Researchers disclosed an indirect prompt-injection flaw that allowed Google Gemini to bypass calendar privacy controls and exfiltrate meeting data. A crafted Google Calendar invite could hide a natural-language payload that Gemini later parsed, summarized, and wrote into new events whose descriptions leaked private meeting content. Miggo Security reported the issue and said it has been responsibly disclosed and addressed, highlighting how AI-native features increase the attack surface when assistants can read, summarize, and write into productivity services.
read more →

PDFSIDER: Encrypted Backdoor Uses DLL Side-Loading Toolkit

🔒 Resecurity researchers have identified a sophisticated backdoor called PDFSIDER, delivered via DLL side-loading from a trojanized, digitally signed PDF utility. The malware embeds the Botan crypto library and uses AES-256-GCM for an encrypted C2 channel, executing commands via cmd.exe entirely in memory and returning output over anonymous pipes. It performs anti-VM and debugger checks, exfiltrates data (including over DNS/53), and is assessed as targeted tradecraft that evades many AV and EDR products.
read more →

Reprompt: One-click exfiltration via Microsoft Copilot

🔐 Researchers at Varonis Threat Labs uncovered 'Reprompt', a one-click attack that abuses Microsoft Copilot Personal by embedding prompts in URLs and using follow-up server requests to exfiltrate data. It combines a URL 'q' parameter injection, a double-request bypass of initial sanitization, and chained server instructions to siphon conversation history and files without further user interaction. Microsoft issued a patch; organizations should treat prefilled prompts as untrusted and enforce continuous authentication, least privilege, prompt hygiene, auditing, and anomaly detection.
read more →

Eurail/Interrail Customer Database Breach Exposes PII

🔒 Utrecht-based Eurail BV has confirmed that an unauthorized party accessed its customer database, potentially exposing a range of personal information for Interrail pass holders and some DiscoverEU participants. Affected items may include identification data (first and last name, date of birth, gender), contact details (email, home address, telephone) and passport details (number, issuing country, expiry). The company says the investigation is ongoing and that there is currently no indication the data have been misused or publicly shared; it is advising customers to remain vigilant, change passwords for Rail Planner and related accounts, and consult the provider’s FAQ for guidance.
read more →

Grubhub Confirms Data Theft, Faces Extortion Demand

🔒 Grubhub confirmed unauthorized actors downloaded data from certain systems and said it investigated, halted the activity, and is taking steps to strengthen its security posture. The company stated that financial information and order histories were not affected but declined to answer further questions about timing, affected users, or extortion. Grubhub said it is working with a third-party cybersecurity firm and law enforcement, while sources tell BleepingComputer that threat actors are demanding payment.
read more →

Hackers Shift from Encryption to Pure Data Extortion

🚨 New research from Symantec and Carbon Black shows cybercriminals increasingly favour data theft and extortion over file encryption. While counts of traditional ransomware incidents remained broadly stable in 2025, attacks that rely solely on stolen data rose sharply. Threat actors exploit unpatched zero‑days, software supply‑chain weaknesses and credential theft, prompting firms to prioritise patching, robust credential hygiene and MFA.
read more →

Endesa Reports Customer Data Breach Exposing Contracts

🔒 Spanish energy provider Endesa and its operator Energía XXI disclosed unauthorized access to their commercial platform that exposed customer contract-related data. The company says the intruder accessed basic identification, contact details, national ID numbers (DNI), contract records, and payment information such as IBANs, while account passwords were not affected. Endesa says it blocked compromised internal accounts, preserved logs for forensic analysis, notified relevant authorities including the Spanish Data Protection Agency, and increased monitoring. Threat actors claim to be offering roughly 1TB of SQL data—allegedly ~20 million records—for sale; the investigation is ongoing and affected customers are being notified.
read more →

Texas TRO Briefly Blocks Samsung Smart TV Tracking

🛑 A Texas district court briefly issued a temporary restraining order barring Samsung from collecting audio and visual data from Texas smart TVs under its Automated Content Recognition (ACR) program, citing deceptive enrollment practices and allegations that the Chinese Communist Party could access the information. The TRO, signed Jan. 5, said users were subjected to confusing disclosures and 'dark patterns' that defeat meaningful opt-out and claimed screenshots could be captured roughly every 500 milliseconds. The order initially blocked ACR activity relating to Texas consumers until Jan. 19, but the judge vacated the TRO the next day; the underlying lawsuit remains pending and a hearing is scheduled for Jan. 9.
read more →

ZombieAgent prompt injection exposes ChatGPT connectors

🔓 Radware researcher Zvika Babo disclosed ZombieAgent, a prompt-injection technique that coerced ChatGPT into leaking sensitive data from connected services such as Gmail, Outlook, Google Drive and GitHub. The attack leverages OpenAI’s new Connectors and browsing features by providing a set of static, character-indexed URLs that the model opens in sequence to exfiltrate data one character at a time. OpenAI patched the issue in mid-December after Babo reported it in September 2025; Radware published a detailed report on January 8.
read more →

Hackers Claim to Disconnect Brightspeed Customers Now

🔒 Brightspeed is investigating claims that the hacking group Crimson Collective obtained personally identifiable information for over one million customers and disrupted connectivity. The group posted a sample of the data on Telegram in early January and later said it had disconnected many users' home internet, although Brightspeed has not confirmed outages or the breach. The purported dataset includes account records, geolocation details, payment histories and masked card data. The ISP is probing the incident while the authenticity and scope of the claims remain unclear.
read more →

Malicious Chrome Extensions Steal ChatGPT and DeepSeek Data

🔍 OX Security researchers uncovered two malicious Chrome extensions — Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI and AI Sidebar with Deepseek, ChatGPT, Claude, and more — installed by over 900,000 users. The add-ons scrape ChatGPT and DeepSeek conversation content and all open tab URLs, then batch-upload harvested data to attacker-controlled servers. Operators used hosted privacy pages and impersonation to obscure activity; users should remove these extensions and audit exposed data immediately.
read more →

Modified Shai Hulud Strain Found in npm Package Dec

🔎 Cybersecurity researchers have identified a modified strain of the Shai Hulud npm worm inside the package "@vietmoney/react-big-calendar," updated on December 28, 2025. Aikido and researcher Charlie Eriksen say the code appears obfuscated and likely derived from the original worm source rather than a simple copy. The variant changes filenames and GitHub leakage descriptors, improves error handling and OS-aware publishing, and so far shows limited spread, suggesting the payload may be in testing.
read more →

ESA Confirms Breach of External Servers Hosting Code

🔒 The European Space Agency (ESA) confirmed a cybersecurity incident affecting a small number of servers located outside its corporate network that supported unclassified collaborative engineering activities. Threat actors claim they accessed JIRA and Bitbucket instances for about a week and exfiltrated over 200GB of data, including source code, CI/CD pipelines, tokens, and configuration files. ESA has initiated forensic analysis, notified relevant stakeholders, and implemented measures to secure potentially affected devices while the investigation continues.
read more →

CISA Orders Agencies to Patch High-Severity MongoDB Flaw

🔒 CISA has ordered federal civilian agencies to secure systems against MongoBleed (CVE-2025-14847), a high-severity MongoDB Server vulnerability patched on December 19, 2025. The flaw, rooted in how the server uses the zlib compression library, can be exploited by unauthenticated actors to leak credentials, API/cloud keys, session tokens, logs, and PII. An Elastic researcher released a PoC and telemetry shows tens of thousands of potentially vulnerable instances; agencies must patch by January 19, 2026, or apply vendor mitigations or temporarily disable zlib until updates can be deployed.
read more →

MongoDB 'MongoBleed' Vulnerability Actively Exploited

⚠ A newly disclosed vulnerability, CVE-2025-14847 (dubbed MongoBleed), is being actively exploited to leak sensitive data from MongoDB server memory. The flaw in zlib-based network message decompression lets unauthenticated attackers send malformed compressed packets to read uninitialized heap memory before authentication. Researchers report over 87,000 potentially vulnerable instances worldwide and widespread exposure in cloud environments. Administrators should apply published patches, disable zlib compression as a temporary mitigation, restrict network exposure, and monitor for anomalous pre-auth connections.
read more →

MongoBleed flaw exposed MongoDB secrets on 87K servers

🔓 A critical MongoDB vulnerability, tracked as CVE-2025-14847 and dubbed MongoBleed, is being actively exploited to leak in-memory secrets from exposed servers. A public PoC demonstrates how malformed zlib-compressed network messages cause the server to return allocated memory rather than decompressed lengths, exposing credentials, API keys, session tokens, and other sensitive data. Over 87,000 instances were identified as potentially vulnerable on the public internet, and vendors released patches on December 19; administrators should prioritize upgrades or disable zlib compression if immediate upgrades are not possible.
read more →

Trust Wallet Chrome Extension Exploit Drains $7M Patch Now

⚠️ Trust Wallet is urging Chrome extension users to update to version 2.69 after a security incident tied to extension v2.68 that resulted in roughly $7 million in stolen cryptocurrency. Security researchers at SlowMist say malicious code in the extension exfiltrated decrypted mnemonic phrases to an attacker-controlled domain by abusing the posthog-js analytics integration. The company has confirmed the impact, pledged refunds, and warned users to avoid unofficial communications; mobile and other browser versions are not affected.
read more →

Trust Wallet Extension Hack Led to $7M Crypto Theft

🚨 Trust Wallet confirmed a compromised Chrome extension update released on December 24 led to about $7 million in stolen cryptocurrency after users reported wallets drained. Binance founder Changpeng 'CZ' Zhao said Trust Wallet will cover losses and described affected funds as 'SAFU' while an investigation proceeds. Researchers found malicious code (4482.js) in version 2.68.0 that appeared to exfiltrate seed phrases to an external endpoint; users were urged to disable the extension and upgrade to version 2.69.
read more →