Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Latest News

Abbott Investigates Two Cyber Incidents Following Extortion Claims

  Two separate cybersecurity incidents are being investigated by Abbott Laboratories after threat actors reportedly gained access to the com...

All the recent news you need to know

Group-IB Uncovers ClickLock macOS Malware Targeting Passwords and Crypto Wallets


An aggressive social engineering technique has been used by ClickLock, an information-stealing macOS malware, to obtain victims' information about their system login passwords. Security researchers at Group-IB report that the malware disables normal system functionality, leaving users with little interaction other than a password prompt designed to harvest their credentials. 


After a malicious shell script was uploaded to VirusTotal in June, ClickLock was discovered to have already compromised 100 computer systems in 33 countries since May after first being identified in June. According to researchers, ClickLock is still undergoing active development and remained undetected by security engines on the platform when it was discovered, showing its ability to evade traditional antivirus solutions. 

Despite analyzing the full payload chain of the malware, the initial lure pages used to deliver the attack have not yet been identified, suggesting that the campaign's distribution infrastructure is still evolving. Despite the complete analysis of the malware chain, investigators have not yet identified the original lure pages that were used to deliver the attack. Group-IB researchers also believe ClickLock is still under active development. 

The compromised websites hosting the malicious payloads have been identified, but the exact methods used to drive victims to those pages remain under investigation. Over half of the known victims are located in Europe, according to Group-IB. Despite the fact that it is unclear how precisely the malware is distributed, researchers believe that it has been active since late May. 

According to experts, the attackers use SEO poisoning, compromised websites, or social media posts to lure users to fake verification pages that send them to malicious websites.

How the Attack Works

According to experts, the infection is believed to have originated through a social engineering campaign similar to ClickFix, in which victims are fooled into copying and pasting a malicious command into the macOS Terminal, pretending to complete a Cloudflare "human verification" process. 

It has not been determined which initial infection source was employed, but it is believed that attackers may have utilized SEO poisoning, compromised websites, or malicious social media posts to redirect victims to a fake verification page that triggers the attack. As soon as the malware has been executed, it suppresses system notifications, hides the Terminal cursor, and silently downloads additional malicious components. 

A script initially executed acts as an orchestrator, downloading four separate components responsible for the theft of credentials, the theft of cryptocurrency, the collection of Keychain data, and the installation of a persistent backdoor, among others. After completing their tasks, data-stealing modules automatically delete themselves in order to reduce forensic evidence; however, the backdoor remains active to allow attackers long-term access to compromised computers.

In addition, it displays a false macOS password prompt based on the victim's actual username and an Apple-style interface in order to make it appear legitimate. After clicking the login button, ClickLock validates the credentials and immediately sends them to the attackers through Telegram. If the prompt is dismissed, the malware establishes persistence via LaunchAgents and repeatedly launches until the correct password is entered. 

System Lockdown and Data Theft

One of ClickLock's most disruptive features is its repeated termination of essential macOS processes, including Finder, Dock, Terminal, Activity Monitor, System Settings, Spotlight, and major web browsers. This malware continuously destroys these applications, causing users to be locked out of their computer for extended periods of time. 

According to researchers, ClickLock is able to exploit vulnerabilities in software without exploiting elevated privileges or exploiting software vulnerabilities. It relies on social engineering to persuade users to execute the malicious command themselves and repeatedly force them to interact with fake authentication prompts until they divulge their login credentials. 

Additionally to stealing login credentials, ClickLock attacks a wide range of sensitive information, including the following: 

  • Browser passwords, cookies, bookmarks, and autofill data. 
  • Cryptocurrency wallet files and browser wallet extensions. 
  • Password manager data. 
  • Shell histories and FileZilla FTP configurations. 
  • Basic system information and the victim's public IP address. 

It is the primary objective of the attackers to obtain the Chrome Safe Storage encryption key. By using this key, cybercriminals can decrypt stolen browser databases offline, allowing them to retrieve saved passwords, cookies, and other encrypted Chromium-based browser data without requiring continued access to the victim's computer. 

A modified version of the open-source GSocket tool is also installed by the malware, allowing attackers to gain persistent remote access to compromised devices by compressing collected data into ZIP archives and exfiltrating it through the Telegram Bot API. A legitimate system authorization prompt provides attackers with persistent remote access to compromised devices in addition to targeting macOS Keychain through a request for Chrome's Safe Storage encryption key. 

Using this malware, attackers can decrypt passwords, cookies, and other sensitive Chromium-based browser data offline if the user grants permission. Researchers noted that instead of exploiting software vulnerabilities, the malware's operators appear to rely exclusively on legitimate Mac OS features. 

ClickLock bypasses many of the operating system's built-in security protections through deception instead of technical exploit by convincing users to execute malicious commands. 

Staying Protected

ClickLock provides a limited detection window due to the fact that most of its components are deleted after execution and are hosted on compromised legitimate websites, according to Group-IB. It is strongly recommended that users should never copy and paste Terminal commands from websites or untrusted sources, regardless of their convincing appearance. Before investigating an infection on macOS, it is recommended that you force a shutdown by pressing the power button and restarting the device in Safe Mode.

AssuranceAmerica Data Breach Exposes Personal Information of Nearly 7 Million Individuals

 

Auto insurance company AssuranceAmerica is notifying almost 6.99 million people of the possible exposure of their private information after experiencing a data breach. The company appeared on the state attorney generals earlier this month to reveal the cyberattack occurred on March 16th 2026. 

Almost 7 million clients’ personal information was copied after hackers infiltrated the system using company employees’ credentials before being discovered a day later; they are now alerting policyholders and advising them to remain wary of contacting financial institutions as imposters may be using the stolen information to impersonate them Company officials stated that the information acquired from the breach includes customer’s name, address, social security numbers, driver license numbers, tax ID numbers, insurance policies, and claims history. 

South Carolina, for instance, has over 611,000 customers affected by the data theft, making it the state with the most affected people. The security analysts note that the exposure of personal information such as social security and driver’s license numbers increases the risk of identity theft since the stolen data provides an avenue for thieves to open credit accounts in someone’s name, take out loans, submit fraudulent taxes, circumvent identification processes, and even more. 

Edelson Lechtzin LLP law firm, which is investigating the exposure case, reports that the collected data can offer a wide window for committing financial fraud crimes against the unsuspecting ones. Though the company responded promptly to the issue by taking down their systems after discovering the unusual activity in their network on March 17th, the day after the cyberattack, customers were not notified of what occurred until mid-June, nearly 3 months later. 

According to the insurer’s report, the review of the compromised data concluded on June 15th, days before the customers were informed of what happened, which prompted consumer advocates to criticize the sluggish response by AssuranceAmerica. Furthermore, even though the company asserts that it has reinforced its system and reminded workers of the importance of cybersecurity awareness, it has not stated whether the affected people will be offered free credit monitoring or other services to guarantee their safety. 

The current case comes at a time when there has been a series of data breaches involving the exposure of people’s identities, with hackers targeting government-issued credentials such as licenses and passports. The attacks have been recorded in various industries, including the hospitality, finance, government, and technology sectors, and put every citizen at risk as their personal information is stored in numerous places. 

For instance, the individuals in the states affected by the breach should remain extra cautious when dealing with financial services, whether online or not, and apply for a security alert for their credit reports to help detect unauthorized applications for credit. They can also turn to their respective state attorney’s office to get more significant help. 

The AssuranceAmerica incident is a sobering reminder that the most effortless way to protect oneself is by changing passwords after such an occurrence, especially since other measures such as social security or driver’s license numbers may take longer to replace if they get into the wrong hands.

AI Agent Runs First End-to-End Ransomware Attack

 

Security researchers have long warned that AI would lower the barrier to cybercrime, but the latest case makes that threat tangible. In the operation described by Sysdig and covered by Forbes, an autonomous agent carried out the technical steps of a ransomware attack from initial access to encryption and ransom-note generation. The group’s analysis suggests the attack was not a simple script; it adapted when it hit obstacles, corrected its own mistakes, and kept moving without a human at the keyboard. 

The campaign reportedly began with an exposed Langflow incident, which the attacker used to gain access through a known vulnerability. From there, the agent searched for secrets, including credentials and cloud keys, then expanded into a production environment and escalated privileges. Researchers said it encrypted more than 1,300 configuration records and generated its own ransom note with a Bitcoin address, showing how an AI system can combine reconnaissance, exploitation, and extortion in one chain. 

What makes the story unsettling is not only the automation, but the speed. One reported login failure was fixed in 31 seconds, a reminder that AI can iterate much faster than a human operator can type, think, or troubleshoot. That kind of responsiveness matters because ransomware succeeds by compressing the defender’s reaction time. If attackers can use agents to scan, pivot, and encrypt at machine speed, security teams will need similarly automated detection, containment, and recovery tools to keep up. 

Still, the incident also shows that “fully autonomous” cybercrime may be more complicated than the headline suggests. Later reporting said humans may have still chosen the target, prepared infrastructure, or supplied stolen credentials, even if the AI handled the intrusion itself. That distinction matters, because it means defenders are not just facing smarter malware, but a new hybrid model in which human planning and AI execution reinforce each other. The lesson for businesses is clear: reduce exposed services, enforce strong credential hygiene, segment critical systems, and assume that the next serious attack may be built and operated with far less human effort than before.

Nearly 7 Million Driver's License Numbers Exposed After AssuranceAmerica Data Breach

 


Nearly seven million people are being notified after a cyberattack on Atlanta-based auto insurer AssuranceAmerica exposed highly sensitive personal information, including driver's license numbers, Social Security numbers and insurance records, raising concerns about long-term identity theft risks.

According to the company's breach notice and filings submitted to state regulators, the incident began on March 16, 2026, when a threat actor gained unauthorized access to AssuranceAmerica's internal network using compromised employee credentials obtained through a phishing attack. The company detected suspicious activity the following day, secured the affected systems, and launched a forensic investigation to determine the scope of the compromise.

The investigation later revealed that the attackers had copied files containing personal information belonging to approximately 6.99 million individuals. The exposed data varies by person but may include names, residential addresses, driver's license numbers, Social Security numbers, taxpayer identification numbers, insurance policy and account details, claims information, as well as driver and vehicle records.

The scale of the breach makes it one of the larger disclosures involving government-issued identity documents this year. South Carolina alone reported that 611,046 residents may have been affected, according to the state's Department of Consumer Affairs.

Unlike passwords, driver's license numbers are not easily replaced after they are exposed. These identifiers are widely used to verify identity across banks, insurers, vehicle rental companies, government agencies and financial institutions. When combined with Social Security numbers and other personally identifiable information, they can enable criminals to apply for loans, open fraudulent accounts, submit false tax returns or impersonate victims during identity verification processes.

Law firm Edelson Lechtzin LLP, which announced an investigation into the incident, warned that the compromised information could be used to facilitate identity theft and other forms of financial fraud.

Although AssuranceAmerica identified the intrusion within roughly 24 hours, affected individuals were not notified until late June after investigators completed their review of the compromised data on June 15. The nearly three-month gap between the initial breach and customer notifications has drawn attention to the time required to determine exactly whose information had been accessed before notifications could be issued.

In its public notice, AssuranceAmerica said it disabled the compromised accounts, reset credentials, strengthened network monitoring and provided additional cybersecurity awareness training to employees. The company also engaged external forensic specialists to investigate the incident. However, it has not publicly confirmed whether all affected individuals will receive complimentary credit monitoring or identity protection services.

The AssuranceAmerica breach comes amid a growing number of incidents involving government-issued identity documents. In June, Texas disclosed a separate cyberattack affecting approximately three million driver's license and passport records maintained by the Texas Parks and Wildlife Department, adding to a broader trend of organizations reporting the theft of sensitive identification data.

The growing reliance on digital identity verification has also increased the amount of personal identification collected by businesses and online platforms. As governments and private organizations increasingly require users to upload driver's licenses and other official documents for account verification and age checks, cybersecurity experts warn that breaches involving these records can have lasting consequences because many of these identifiers cannot be easily changed once exposed.

Individuals who may have been affected are encouraged to closely review financial and insurance accounts for suspicious activity, consider placing a credit freeze or fraud alert with the major credit bureaus, monitor their credit reports for unauthorized accounts and remain cautious of phishing emails or phone calls that attempt to exploit information exposed during the breach. Victims should also follow guidance issued by their state consumer protection agencies and promptly report any suspected identity theft.

Why Digital Supply Chain Attacks Are Emerging as the Biggest Cybersecurity Threat for Businesses

 

As businesses strengthen their internal cybersecurity defenses, cybercriminals are increasingly shifting their focus to a more vulnerable target—the digital supply chain. Rather than attempting to breach organizations directly, attackers are exploiting trusted third-party vendors, software providers, cloud services, and open-source components that already have authorized access to critical systems and sensitive data.

Traditional cybersecurity strategies have long emphasized protecting internal networks through firewalls, encryption, access controls, and employee awareness programs. However, the growing reliance on interconnected digital ecosystems means these measures alone are no longer enough. Organizations now depend on a broad network of suppliers and technology partners, creating multiple entry points that hackers can exploit.

How Digital Supply Chain Attacks Work

Instead of targeting businesses head-on, cybercriminals increasingly infiltrate suppliers and service providers that support an organization's operations. These may include software vendors, web development companies, cloud storage providers, testing platforms, or third-party integrations.

A supply chain attack typically compromises one or more components that organizations rely on to deliver products or services. Attackers may introduce malicious software updates, steal login credentials, exploit insecure integrations, or take advantage of vulnerable open-source software libraries.

Open-source components present a particularly significant risk. Software developers often integrate publicly available libraries into applications to accelerate development. If attackers successfully insert malicious code into these widely used components, every organization that later incorporates them into their software may unknowingly introduce a serious security vulnerability.

One notable example occurred in 2024, when malicious code was embedded into XZ Utils, a widely used open-source compression utility for Linux systems. Rather than directly hacking organizations, attackers compromised the software supply chain itself. Although the affected versions had not yet reached widespread production deployment, they had already been integrated into development versions of major Linux distributions, forcing maintainers to rebuild packages after the vulnerability was identified.

Computer scientist Alex Stamos warned that if the attack had gone unnoticed, it would have “given its creators a master key to any of the hundreds of millions of computers around the world that run SSH”.

Once attackers successfully compromise a supplier's products or services, they can use that trusted access to infiltrate customer environments. In many cases, these attacks remain undetected until operations are disrupted, sensitive information is stolen or encrypted, or ransomware demands are issued. The XZ Utils compromise itself was only uncovered after a developer noticed unusual system performance during routine testing.

By the time organizations discover such incidents, significant operational and financial damage has often already occurred.

Cyberattacks frequently result in substantial financial losses. Organizations may face costly ransom demands, especially when attackers recognize that disruptions affect multiple customers or essential business services.

Even when no ransom is paid, businesses incur significant expenses related to operational downtime, system restoration, cybersecurity investigations, legal support, and business recovery.

For companies operating primarily through digital platforms, even short periods of downtime can severely impact revenue. Following a cyberattack in 2025, retailer Co-op reported that the incident “impacted both financial and operational areas”, leading to at least £206 million in lost revenue.

Operational disruptions can be equally damaging. If a critical supplier suspends services while containing a cyber incident, organizations may lose access to essential systems, preventing order fulfillment, transaction processing, and other core business functions.

A major example occurred in 2025 when Marks & Spencer (M&S) temporarily suspended online orders for nearly two months and relied on manual processing following a cyberattack. Rather than directly targeting M&S infrastructure, attackers exploited vulnerabilities in MoveIt, a widely used enterprise file transfer platform.

The breach exposed sensitive employee and customer information, including contact details, payroll records, and in certain cases, National Insurance numbers. Although payment information was reportedly unaffected, the scale of the incident triggered formal investigations, internal reviews, and regulatory scrutiny from the Information Commissioner's Office (ICO). The retailer estimated the financial impact at approximately £300 million in lost profits.

Beyond financial losses, reputational harm often proves to be the most enduring consequence of supply chain cyberattacks.

Customers generally do not distinguish between an organization and its suppliers when services fail. Regardless of where the breach originated, customers typically hold the business responsible.

Poor communication or delayed responses following an incident can rapidly erode trust that may have taken years to build. Restoring customer confidence often requires significant investment in communication, service improvements, and strengthened security measures, while long-term effects on customer loyalty and commercial relationships may continue long after systems have recovered.

Growing Regulatory Expectations

Regulators worldwide are increasingly emphasizing digital supply chain resilience as cyber risks extend beyond internal IT environments.

Under the UK's implementation of the General Data Protection Regulation (GDPR) through the Data Protection Act 2018, organizations acting as data controllers remain responsible for protecting personal information, even when third-party providers process that data on their behalf.

This means organizations must ensure their suppliers implement appropriate technical and organizational security measures while also reporting data breaches without unnecessary delay. Failure to meet these obligations can result in regulatory enforcement, financial penalties, and reputational damage.

The EU Artificial Intelligence Act follows a similar principle for AI technologies. Organizations deploying AI systems—including those supplied by external vendors—are expected to understand how those systems function, the associated cybersecurity risks, and how they are secured, particularly when high-risk AI applications are involved.

As a result, regulators increasingly expect businesses to actively manage cyber and AI risks throughout their digital supply chains rather than relying solely on vendor assurances.

Organizations are therefore encouraged to establish comprehensive cybersecurity governance frameworks that include supplier due diligence, continuous monitoring, documented risk management processes, and clearly defined incident response procedures.

Best Practices to Reduce Supply Chain Cyber Risks

While eliminating supply chain risk entirely is impossible, organizations can significantly reduce exposure by adopting proactive security measures, including:

  • Performing comprehensive cybersecurity due diligence before engaging suppliers.
  • Verifying vendors maintain strong security controls such as patch management, employee training, access management, and multi-factor authentication.
  • Conducting regular risk assessments across the supply chain to identify critical vulnerabilities.
  • Including clear cybersecurity obligations, incident reporting requirements, liability provisions, audit rights, and data protection clauses within supplier contracts.
  • Thoroughly testing systems and software developed by external vendors before deployment.
  • Providing guidance and collaboration to strengthen cybersecurity across supplier networks.
  • Developing and regularly updating incident response plans that specifically address third-party cyber incidents, customer communications, regulatory reporting, and ransomware scenarios.
  • Promoting cybersecurity awareness through continuous education and information sharing among internal teams and external partners.
  • Investing in cyber insurance while ensuring key suppliers also maintain appropriate coverage.
As organizations become increasingly dependent on interconnected technologies, digital platforms, and external suppliers, cybersecurity has evolved into a broader governance challenge rather than simply an IT responsibility.

Recent cyber incidents demonstrate how weaknesses within trusted supplier networks can rapidly escalate into severe financial losses, operational disruptions, and long-term reputational damage.

Regulators now expect organizations to proactively identify, assess, and manage supply chain cyber risks before incidents occur. Businesses that invest in stronger supplier oversight, robust governance, and comprehensive risk management strategies will be better positioned to safeguard operations, meet regulatory obligations, and preserve customer trust in an increasingly connected digital landscape.

Coca-Cola says ransomware attack disrupts Fairlife operations, temporarily suspends U.S. dairy production

 


The Coca-Cola Company has revealed that a ransomware attack targeting its Fairlife dairy business has temporarily disrupted production across the United States after threat actors gained unauthorized access to company systems, including those supporting manufacturing operations.

The incident was disclosed in a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC), a regulatory filing used by publicly traded companies to report significant corporate events. According to Coca-Cola, the cyberattack affected certain Fairlife systems, including production-related infrastructure, prompting the company to temporarily suspend manufacturing at its U.S. facilities while recovery efforts are underway.

Upon detecting the unauthorized activity, Coca-Cola said it immediately activated its incident response and business continuity protocols to contain the incident and minimize operational disruption. The company has engaged external cybersecurity advisors and experts to support its investigation and recovery efforts, while law enforcement has also been notified.

Although manufacturing operations have been interrupted, Coca-Cola emphasized that the ransomware attack has not affected the quality or safety of Fairlife products. The temporary production halt is part of the company's response as it works to restore impacted systems and verify operational readiness before resuming normal manufacturing activities. Fairlife's Canadian production facilities continue to operate normally and have not been affected by the incident.

The company said its investigation remains ongoing and that it is continuing to assess both the nature of the attack and its potential business impact. At this stage, Coca-Cola has not determined whether the incident is reasonably likely to have a material effect on the company's financial condition or overall operations.

Fairlife is one of Coca-Cola's dairy brands and manufactures a range of ultra-filtered milk products, protein shakes and nutrition beverages sold across the United States. Its product portfolio includes Ultra-Filtered Milk, Core Power Protein Shakes and Nutrition Plan.

Several aspects of the incident remain undisclosed. Coca-Cola has not confirmed whether attackers exfiltrated any data during the intrusion, whether the company has received an extortion demand or which ransomware operation may be responsible for the attack. As of publication, no known ransomware group has publicly claimed responsibility for the incident.

Ransomware attacks increasingly target organizations' operational environments in addition to traditional corporate networks, as disrupting production can exponentially multiply pressure on victims during recovery efforts. Many modern ransomware operations also employ double-extortion tactics by stealing sensitive information before encrypting systems and later threatening to publish the stolen data unless a ransom is paid. However, Coca-Cola has not indicated that any data theft occurred in this incident, and there is currently no public evidence confirming that attackers exfiltrated information from Fairlife's systems.

When asked whether data had been stolen, whether the company had received an extortion demand or which ransomware group may have been behind the attack, a Coca-Cola spokesperson declined to provide additional details beyond the company's public statement.

Coca-Cola continues to restore affected systems while its investigation remains ongoing, with U.S. Fairlife production expected to resume once recovery efforts are completed and manufacturing systems have been safely brought back online.

Featured