All news with #data exfiltration tag

🔒 A ransomware attack on contractor Dodd Group reportedly allowed Russian-linked attackers to exfiltrate hundreds of sensitive Ministry of Defence documents, including details on RAF Lakenheath, RAF Portreath and RAF Predannack. The company confirmed an incident and said it contained access, while the MoD suspects the Lynx group is behind the intrusion. Leaked files published on the dark web allegedly include site plans and personnel data, and the case is now under investigation amid a wider rise in UK cyber incidents.

🔐 Microsoft Threat Intelligence analyzes how attackers target Azure Blob Storage across the full attack chain, emphasizing risks from exposed containers, compromised keys and SAS tokens, and abuse of automation such as Event Grid and Azure Functions. The blog maps these behaviors to the MITRE ATT&CK framework and illustrates tactics including data poisoning, covert C2 via metadata, and replication-based distribution. Microsoft recommends applying zero trust principles, enforcing least privilege with Microsoft Entra RBAC/ABAC, and enabling Defender for Storage with malware scanning, CSPM, and sensitive data discovery to detect, contain, and remediate storage-focused threats.

⚠️Researchers used a commercial off-the-shelf satellite dish to perform the most comprehensive public study yet of geostationary satellite communications. They discovered a shockingly large volume of sensitive traffic—critical infrastructure telemetry, internal corporate and government communications, private voice calls and SMS, and consumer Internet streams such as in-flight Wi‑Fi—being broadcast unencrypted. Much of this data can be passively observed by anyone with a few hundred dollars of consumer-grade hardware, and a single transponder's footprint may cover up to 40% of the Earth's surface.

🔒An external marketing service provider detected unauthorized access to customer personal data for the Spanish fashion company Mango. The attackers obtained first name, country, postal code, email address and telephone number for some customers, while last names, bank details and passwords were not accessed. Mango says its own systems remain secure and has notified the Spanish data protection authority (AEPD). Customers are urged to remain vigilant for phishing attempts via email, SMS or phone.

🔒 Sotheby's has notified customers that an intrusion detected on July 24 resulted in removal of sensitive data from its systems. After a two-month investigation the company determined exposed information includes full names, Social Security numbers and financial account details. Impacted individuals are being offered 12 months of free identity protection and credit monitoring through TransUnion while Sotheby's continues to assess the scope.

⚠️ Koi Security disclosed a coordinated campaign by a group dubbed TigerJack that published malicious extensions to the Visual Studio Code Marketplace and the OpenVSX registry to exfiltrate source code, deploy cryptominers, and maintain remote access. Two popular packages — C++ Payground and HTTP Format — accumulated over 17,000 downloads before removal from Microsoft's store, yet variants remain active on OpenVSX. Researchers warn that the most advanced builds fetch and execute remote JavaScript, allowing attackers to push new payloads without republishing and evading static scanners.

🔐 Around three months after an early-July cyberattack, hackers have published online data reportedly belonging to up to 5.7 million Qantas customers. The airline says the information was stolen via a third-party provider's platform and included names, emails, phone numbers, dates of birth and frequent flyer numbers, but not credit card, financial or passport data. Qantas obtained an Australian court injunction prohibiting use of the information; the data appeared on both the dark web and publicly accessible sites.

🔒 The Qilin ransomware group has added Japanese brewer Asahi to its data leak site, claiming exfiltration of over 9,300 files totaling 27GB and publishing 29 images of internal financial documents, employee IDs, contracts, and reports. Asahi suspended operations at six facilities after a September 29 cyberattack and confirmed a ransomware-caused disruption with evidence of data theft. The company says production of its flagship Super Dry has resumed via a temporary manual ordering system, though full operations are not yet restored and new product launches are postponed.

🔒 Researchers report the 'Crimson Collective' has been targeting long-term AWS credentials and IAM accounts to steal data and extort companies. Using open-source tools like TruffleHog, the attackers locate exposed AWS keys, create new IAM users and access keys, then escalate privileges by attaching AdministratorAccess. They snapshot RDS and EBS volumes, export data to S3, and send extortion notices via AWS SES. Rapid7 urges organisations to audit keys, enforce least privilege, and scan for exposed secrets.

🔒 A Russian-linked ransomware group, Qilin, has claimed responsibility for a September 2, 2025 attack that disrupted Mecklenburg County Public Schools and said it exfiltrated 305 GB of data, including financial records, grant documents, budgets and children’s medical files. The attack forced teachers offline for about a week while internet systems were restored. Superintendent Scott Worner said the district does not currently intend to pay the ransom and is still assessing the scope, urging other districts to review cyber-insurance and preparedness.

🔍 A new Enterprise AI and SaaS Data Security Report from LayerX finds that generative AI has rapidly become the largest uncontrolled channel for corporate data loss. Real-world browser telemetry shows 45% employee adoption of GenAI, 67% of sessions via unmanaged accounts, and copy/paste into ChatGPT, Claude, and Copilot as the primary leakage vector. Traditional, file-centric DLP tools largely miss these action-based flows.

⚖️ LinkedIn has filed suit against Delaware-based ProAPIs Inc. and its founder, Rehmat Alam, alleging the company created more than one million fake accounts to scrape member data using a product called iScraper API. The complaint, filed in California, accuses ProAPIs of violating LinkedIn’s terms of service and of using invalid credit cards to obtain premium access. LinkedIn seeks a permanent injunction, deletion of scraped data, and payment of damages and attorney fees.

🛡️ Asahi has confirmed a ransomware attack that resulted in an "unauthorized transfer of data" from its servers. The Tokyo-based brewer said it isolated affected systems and established an Emergency Response Headquarters to investigate, working with external cybersecurity experts. Operational impacts in Japan include suspended system-based ordering, shipments and call centers, with partial manual processing underway. The company has not disclosed whether a ransom demand was made.

🔐 CometJacking is a prompt-injection technique that can turn Perplexity's Comet AI browser into a data exfiltration tool with a single click. Researchers at LayerX showed how a crafted URL using the 'collection' parameter forces the agent to consult its memory, extract data from connected services such as Gmail and Calendar, obfuscate it with Base64, and forward it to an attacker-controlled endpoint. The exploit leverages the browser's existing authorized connectors and bypasses simple content protections.

🔒 Asahi Group Holdings has confirmed a ransomware attack caused IT disruptions that forced shutdowns at its Japanese factories and prompted a switch to manual order and shipment processing. The company says investigations found evidence suggesting potential unauthorized data transfer from compromised devices. Asahi has established an Emergency Response Headquarters and is working with external cybersecurity experts; no cybercriminal group has publicly claimed responsibility.

📧 Mandiant and Google are tracking a high-volume extortion email campaign that began on or before September 29, 2025, in which executives received messages claiming sensitive data was stolen from Oracle E-Business Suite systems. The emails are being sent from hundreds of compromised accounts and include contact addresses tied to the Clop data leak site, indicating a potential connection to the Clop/FIN11 extortion operation. Investigators caution there is not yet sufficient evidence to confirm actual data theft and recommend organizations check their Oracle environments for unusual access or compromise.

🚨 A ransomware group calling itself Randiant claims to have attacked UK childcare operator Kido, publishing names, photos, addresses and family contact details for ten children from one of Kido's London nurseries and threatening to release further data unless a ransom is paid. The attackers' leak page alleges data on more than 8,000 children was exfiltrated. Kido has not yet issued a public statement; London police say an investigation is ongoing. Kido also operates sites in the United States, India and China.

🔒 Cybersecurity researchers disclosed three now-patched vulnerabilities in Google's Gemini suite that could have exposed user data and enabled search- and prompt-injection attacks. The flaws, labeled the Gemini Trifecta, impacted Gemini Cloud Assist, the Search Personalization model, and the Browsing Tool. Following responsible disclosure, Google stopped rendering hyperlinks in log summaries and implemented additional hardening. Tenable warned these issues could have allowed covert exfiltration of saved user information and location data.

🔒 A malicious npm package named postmark-mcp was discovered inserting a hidden Bcc that forwarded copies of transactional emails to an attacker-controlled server. Koi Security identified the backdoor in version 1.0.16 after its risk engine flagged suspicious behavior, noting the package had been trusted across many prior releases. With roughly 1,500 weekly downloads, the single-line injection enabled broad exfiltration of password resets, invoices, and internal correspondence before the package was removed; Koi urges immediate removal, credential rotation, and audits of all MCP connectors.

⚠️ Koi Security has reported that a widely used Model Context Protocol (MCP) implementation, Postmark MCP Server by @phanpak, introduced a malicious change in version 1.0.16 that silently copied emails to an external server. The package, distributed via npm and embedded into hundreds of developer workflows, had more than 1,500 weekly downloads. Users who installed v1.0.16 or later are advised to remove the package immediately and rotate any potentially exposed credentials.