All news with #data leak tag

EVALUSION ClickFix Campaign Delivers Amatera, NetSupport

🔒 Researchers identified a ClickFix-based EVALUSION campaign deploying Amatera Stealer and NetSupport RAT, observed in November 2025. The campaign abuses the Windows Run dialog and mshta.exe to launch a PowerShell script that downloads a .NET DLL hosted on MediaFire; the Amatera DLL, packed with PureCrypter, is injected into MSBuild.exe to exfiltrate data. eSentire highlights Amatera's WoW64 SysCalls evasion and conditional NetSupport deployment when domain membership or valuable files are detected.

Kraken Uses Benchmarking to Optimize Ransomware Attacks

🔒 Cisco Talos reported August 2025 activity by Kraken, a Russian‑speaking ransomware operation linked to the remnants of HelloKitty. The group exploits SMB flaws for initial access, uses Cloudflare for persistence and SSHFS to exfiltrate data, then deploys cross‑platform encryptors across Windows, Linux and VMware ESXi. Notably, Kraken benchmarks victim machines to tune encryption speed and reduce detection and instability. Victims span multiple countries and attackers operate a new leak forum called Last Haven Board.

Pennsylvania AG Data Breach After INC Ransom Attack

🔒 The Pennsylvania Office of the Attorney General (OAG) confirmed that files containing personal and medical information were accessed during an August 9 ransomware attack and that the office refused to pay the ransom. The incident encrypted systems and disrupted the OAG website, employee email accounts, and landline phones. Researcher Kevin Beaumont identified public-facing Citrix NetScaler appliances vulnerable to CVE-2025-5777 (Citrix Bleed 2) that may have been exploited. The threat actor INC Ransom later claimed responsibility and posted about 5.7TB of alleged stolen data.

Five Plead Guilty to Enabling DPRK Remote IT and Hacks

🔒 Five individuals have pleaded guilty to serving as facilitators for North Korean cyber operations, the US Department of Justice said. They used false or stolen identities and hosted employer laptops in US residences to create the appearance of domestic remote IT workers, aiding APT38-linked efforts. The DoJ said the activity impacted more than 136 US organizations, generated over $2.2m for Pyongyang and compromised the identities of 18 US residents, and authorities seized $15m in Tether tied to related heists.

When Romantic AI Chatbots Can't Keep Your Secrets Safe

🤖 AI companion apps can feel intimate and conversational, but many collect, retain, and sometimes inadvertently expose highly sensitive information. Recent breaches — including a misconfigured Kafka broker that leaked hundreds of thousands of photos and millions of private conversations — underline real dangers. Users should avoid sharing personal, financial or intimate material, enable two-factor authentication, review privacy policies, and opt out of data retention or training when possible. Parents should supervise teen use and insist on robust age verification and moderation.

Jaguar Land Rover Cyberattack Costs Company Over $220M

📰 Jaguar Land Rover reported a cyberattack cost of £196 million ($220 million) for the July–September quarter after the incident forced production shutdowns and staff to be sent home. The breach, announced on 2 September 2025, involved confirmed data theft and was claimed on Telegram by the group Scattered Lapsus$ Hunters. Following a UK government-backed £1.5 billion loan guarantee, JLR says operations, wholesale and supplier financing have been restored and production has resumed under a phased restart.

Five Americans Plead Guilty to Enabling North Korea IT Fraud

⚖️ The U.S. Department of Justice announced five U.S. citizens pleaded guilty for facilitating North Korea’s illicit IT worker and revenue-generation schemes. The defendants hosted company-issued laptops, supplied or sold U.S. identities, and helped overseas IT workers pass vetting to obtain jobs at American firms. DOJ says the schemes impacted more than 136 U.S. companies, generated over $2.2 million for the DPRK, and compromised the identities of more than 18 U.S. persons.

Logitech Confirms Data Breach After Clop Extortion Campaign

🚨 Logitech International S.A. confirmed a data breach claimed by the extortion gang Clop and disclosed the incident in a Form 8‑K filing with the U.S. SEC. The company says data was exfiltrated but that the incident has not impacted its products, business operations, or manufacturing, and that highly sensitive fields such as national ID numbers and credit card data were not stored or accessed. Logitech engaged external cybersecurity firms, attributes the intrusion to a third‑party zero‑day that was patched, and Clop has posted nearly 1.8 TB of alleged stolen data.

Five Plead Guilty Aiding North Korea Infiltrate US Firms

🔒 Five individuals pleaded guilty to facilitating North Korea’s placement of overseas IT workers at U.S. firms using false, stolen, or brokered identities, a scheme that affected 136 companies and generated over $2.2 million for the DPRK. The DOJ also filed civil forfeiture actions to recover more than $15 million in cryptocurrency tied to APT38 thefts that were part of $382 million stolen in 2023. One defendant, Oleksandr Didenko, agreed to forfeit $570,000 in cash and about $830,000 worth of cryptocurrency.

Shadow IT and Shadow AI: Risks Across Every Industry

🔍 Shadow IT — any software, hardware, or resource introduced without formal IT, procurement, or compliance approval — is now pervasive and evolving into Shadow AI, where unsanctioned generative AI tools expand the attack surface. The article outlines how these practices drive operational, security, and regulatory risk, citing IBM’s 2025 breach-cost data and industry examples in healthcare, finance, airlines, insurance, and utilities. It recommends shifting from elimination to smarter control by improving continuous visibility through real‑time network analysis and vendor integrations that turn hidden activity into actionable intelligence.

Checkout.com Refuses Ransom After ShinyHunters Breach

🔒 Checkout.com confirmed that the criminal group ShinyHunters accessed a legacy third-party cloud file storage system used in 2020 and earlier and is attempting to extort the company. The exposed materials reportedly include merchant onboarding documents and internal operational files, and Checkout estimates the data affects less than 25% of its current merchant base while also touching former customers. Rather than paying, the firm said it will donate the ransom amount to Carnegie Mellon University and the University of Oxford Cyber Security Center and invest in strengthening its security.

Akira ransomware linked to $244M in illicit proceeds

🔒 A joint US and international advisory on 14 November attributes approximately $244.17m in illicit proceeds to the Akira ransomware group since late September 2025. The advisory reports rapid data exfiltration in some incidents and details exploitation of SonicWall CVE-2024-40766, expansion to Nutanix AHV disk encryption, and attacks leveraging SSH and unpatched Veeam servers. Operators employ initial access brokers, tunnelling tools and remote access software such as AnyDesk to persist and evade detection. Organisations are urged to prioritise patching, enforce phishing-resistant MFA, and maintain offline backups.

Ransomware Fragmentation Peaks as LockBit Re-emerges

🔒 Q3 2025 saw an unprecedented decentralization of ransomware, with Check Point Research tracking a record 85 active groups and roughly 1,592 disclosed victims across numerous leak sites. Despite enforcement actions and multiple takedowns, affiliates quickly reconstitute or rebrand, spawning 14 new ransomware brands this quarter. The return of LockBit 5.0 — with updated Windows, Linux and ESXi variants and individualized negotiation portals — suggests a possible shift back toward centralization, while marketing-driven actors like DragonForce further complicate attribution and response.

DoorDash Discloses October Data Breach Affecting Users

🔔 DoorDash disclosed a data breach discovered on October 25, 2025, after an unauthorized third party gained access to certain user contact information when a DoorDash employee fell victim to a social engineering scam. Affected information varied by individual and may have included first and last names, physical addresses, phone numbers, and email addresses. DoorDash says no Social Security Numbers or other highly sensitive data were accessed, and the company engaged a forensic firm, notified law enforcement, and deployed additional security measures. Initial notifications appear focused on Canada, though the advisory suggests the incident could affect users in other regions.

Kraken Ransomware Benchmarks Hosts to Choose Encryption

🔒 The Kraken ransomware targets Windows and Linux/VMware ESXi hosts and runs on-host benchmarks to decide whether to perform full or partial encryption. Cisco Talos researchers found it creates temporary files, times encryption of random data, and uses the result to select an encryption mode that maximizes damage while avoiding overloads. Before encrypting it deletes shadow volumes, stops backup services, appends .zpsc to files, and drops a readme_you_ws_hacked.txt ransom note. The group continues big‑game hunting and data theft for double extortion and has launched a forum called 'The Last Haven Board'.

Russian Phishing Campaign Creates 4,300 Fake Travel Sites

💳 A Russian-speaking threat actor has registered more than 4,300 domains since early 2025 to host convincing fake travel and hotel booking pages that harvest payment card data. According to Netcraft researcher Andrew Brandt, the campaign—active since February—uses a customizable phishing kit that serves branded pages for platforms like Booking, Expedia, and Airbnb and supports 43 languages. The kit requires a unique AD_CODE in the URL to render targeted branding (otherwise visitors see a blank page), employs fake Cloudflare-style CAPTCHA, and persists state in a cookie so subsequent pages maintain consistent impersonation. Victims are prompted to pay a deposit; entered card numbers, expiry and CVV are processed in the background while a bogus support chat guides users through a sham 3D Secure step to complete the theft.

Washington Post Oracle Breach Exposes Nearly 10,000

🔒 The Washington Post says a zero-day in Oracle E-Business Suite was used to access parts of its network, exposing personal and financial records for 9,720 employees and contractors. The intrusion occurred between July 10 and August 22, and attackers attempted extortion in late September. The activity has been tied to the Clop group exploiting CVE-2025-61884, and impacted individuals are being offered 12 months of identity protection and advised to consider credit freezes.

Microsoft deploys Teams screen-capture prevention rollout

🔒 Microsoft is rolling out a new Teams Premium setting that blocks screenshots and recordings in meetings on Windows desktop and Android devices. The feature, called 'Prevent screen capture', was announced for July 2025 but the rollout was delayed and is being introduced in late November 2025. The control is off by default and must be enabled per meeting by organizers or co-organizers; unsupported clients will join audio-only.

Operation Endgame Takedown Disrupts Major Malware Campaign

🛡️ Investigators disrupted the infrastructure for the Rhadamanthys credential stealer and targeted the VenomRAT remote‑access trojan as part of Operation Endgame. Authorities secured data linked to more than 650,000 victims and published it on information platforms so people can verify exposure. A suspect was arrested in Greece, 11 premises were searched and over $200 million in cryptocurrency assets were frozen.

Kraken Ransomware: Cross-Platform Big-Game Hunting

🐙 Kraken is a Russian-speaking ransomware group active since February 2025 that conducts double-extortion, big-game hunting campaigns across multiple regions. In a documented intrusion Talos observed, attackers exploited SMB flaws for access, used Cloudflared for persistence, exfiltrated data via SSHFS, then deployed cross-platform encryptors for Windows, Linux and ESXi. The family includes on-host benchmarking to tune encryption, and Talos maps detections and IOCs to Cisco protections to aid response.