Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Breach. Show all posts
Webshell
Authentication Breach CVE202531324 Cybersecurity malware NetWeaver Patch SAP servers VisualComposer Vulnerability Webshell

Over 1,200 SAP Instances Exposed to Critical Vulnerability Exploited in the Wild

 

Security researchers have issued a warning about a severe vulnerability affecting SAP systems, with over 1,200 instances potentially exposed to remote exploitation. This comes after SAP disclosed a critical flaw in the NetWeaver Visual Composer’s Metadata Uploader earlier this week.

The NetWeaver Visual Composer is a development environment designed for building web-based business applications without coding. It is widely used to develop dashboards, forms, and interactive reports. The Metadata Uploader enables developers to import external metadata into the platform, establishing connections with remote data sources such as databases, web services, and other SAP systems.

SAP has identified the vulnerability as CVE-2025-31324, assigning it the highest severity rating of 10 out of 10. The flaw arises due to a lack of authentication in the Metadata Uploader, allowing attackers to upload malicious files without needing authorization.

Cybersecurity company Keeper, known for its password management and digital vault solutions, highlights the growing need for secure authentication frameworks. The platform utilizes zero-knowledge encryption and provides tools such as two-factor authentication, secure storage, dark web monitoring, and breach alerts.

Upon discovering the issue, SAP first released a workaround, followed by a comprehensive patch in late April. The company is now urging all users to implement the fix immediately. Multiple cybersecurity firms — including ReliaQuest, watchTowr, and Onapsis — have observed real-world exploitation of the flaw. According to reports, attackers have been using it to deploy web shells on compromised servers.

SAP, however, stated to BleepingComputer:

"It is not aware of any attacks that impacted customer data or systems."

There is some discrepancy in the actual number of affected systems. While the Shadowserver Foundation identified 427 exposed servers, Onyphe reports as many as 1,284 vulnerable SAP instances, with 474 already compromised.
Read more »
Ransomware
Akira Attack Breach Cloud Cybersecurity Data Encryption Extortion FBI Hitachi malware Ransomware

Hitachi Vantara Takes Servers Offline Following Akira Ransomware Attack

 

Hitachi Vantara, a subsidiary of Japan's Hitachi conglomerate, temporarily shut down several servers over the weekend after falling victim to a ransomware incident attributed to the Akira group.

The company, known for offering data infrastructure, cloud operations, and cyber resilience solutions, serves government agencies and major global enterprises like BMW, Telefónica, T-Mobile, and China Telecom.

In a statement to BleepingComputer, Hitachi Vantara confirmed the cyberattack and revealed it had brought in external cybersecurity specialists to assess the situation. The company is now working to restore all affected systems.

“On April 26, 2025, Hitachi Vantara experienced a ransomware incident that has resulted in a disruption to some of our systems," Hitachi Vantara told BleepingComputer.

"Upon detecting suspicious activity, we immediately launched our incident response protocols and engaged third-party subject matter experts to support our investigation and remediation process. Additionally, we proactively took our servers offline in order to contain the incident.

We are working as quickly as possible with our third-party subject matter experts to remediate this incident, continue to support our customers, and bring our systems back online in a secure manner. We thank our customers and partners for their patience and flexibility during this time."

Although the company has not officially attributed the breach to any specific threat actor, BleepingComputer reports that sources have linked the attack to the Akira ransomware operation. Insiders allege that the attackers exfiltrated sensitive data and left ransom notes on infiltrated systems.

While cloud services remained unaffected, sources noted that internal platforms at Hitachi Vantara and its manufacturing arm experienced disruption. Despite these outages, clients operating self-hosted systems are still able to access their data.

A separate source confirmed that several government-led initiatives have also been impacted by the cyberattack.

Akira ransomware first appeared in March 2023 and swiftly became notorious for targeting a wide range of sectors worldwide. Since its emergence, the group has reportedly compromised more than 300 organizations, including high-profile names like Stanford University and Nissan (in Oceania and Australia).

The FBI estimates that Akira collected over $42 million in ransom payments by April 2024 after infiltrating over 250 organizations. According to chat logs reviewed by BleepingComputer, the gang typically demands between $200,000 and several million dollars, depending on the scale and sensitivity of the targeted entity.

Keywords: ransomware, cybersecurity, Hitachi, Akira, cloud, breach, data, FBI, malware, attack, encryption, extortion, hacking, disruption, recovery, infrastructure, digital, protection
Read more »
Ransomware
Breach Compliance Cybersecurity Data Breach DaVita dialysis Healthcare Hospital incident ITsecurity patientcare Ransomware

DaVita Faces Ransomware Attack, Disrupting Some Operations but Patient Care Continues

 

Denver-headquartered DaVita Inc., a leading provider of kidney care and dialysis services with more than 3,100 facilities across the U.S. and 13 countries, has reported a ransomware attack that is currently affecting parts of its network. The incident, disclosed to the U.S. Securities and Exchange Commission (SEC), occurred over the weekend and encrypted select portions of its systems.

"Upon discovery, we activated our response protocols and implemented containment measures, including proactively isolating impacted systems," DaVita stated in its SEC filing.

The company is working with third-party cybersecurity specialists to assess and resolve the situation, and has also involved law enforcement authorities. Despite the breach, DaVita emphasized that patient care remains ongoing.

"We have implemented our contingency plans, and we continue to provide patient care," the company noted. "However, the incident is impacting some of our operations, and while we have implemented interim measures to allow for the restoration of certain functions, we cannot estimate the duration or extent of the disruption at this time," the company said.

With the investigation still underway, DaVita acknowledged that "the full scope, nature and potential ultimate impact on the company are not yet known."

Founded 25 years ago, DaVita reported $12.82 billion in revenue in 2024. The healthcare giant served over 281,000 patients last year across 3,166 outpatient centers, including 750+ hospital partnerships. Of these, 2,657 centers are in the U.S., with the remaining 509 located in countries such as Brazil, Germany, Saudi Arabia, Singapore, and the United Kingdom, among others. DaVita also offers home dialysis services.

Security experts warn that the scale of the incident could have serious implications.

"There is potential for a very large impact, given DaVita’s scale of operations," said Scott Weinberg, CEO of cybersecurity firm Neovera. "If patient records were encrypted, sensitive data like medical histories and personal identifiers might be at risk. DaVita has not reported data exfiltration, so it’s not clear if data was stolen or not."

Weinberg added, "For dialysis patients needing regular treatments to survive, this attack is extremely serious. Because of disrupted scheduling or inaccessible records, this could lead to health complications. Ransomware disruptions in healthcare may lead to an increase in mortality rates, especially for time-sensitive treatments such as dialysis."

The breach may also bring regulatory challenges due to DaVita’s international footprint.

"Regulations can differ with respect to penalties and reporting requirements after a breach based on the country and even the state in which the patients live or were treated," said Erich Kron, security awareness advocate at KnowBe4.

"A serious cybersecurity incident that affects individuals in multiple countries can be a legal nightmare for some organizations," Kron said. "However, this is something that organizations should plan for and be prepared for prior to an event ever happening. They should already know what will be required to meet regulatory standards for the regions in which they operate."

In a separate statement to Information Security Media Group, DaVita added, "We have activated backup systems and manual processes to ensure there's no disruption to patient care. Our teams, along with external cybersecurity experts, are actively investigating this matter and working to restore systems as quickly as possible."

This cyberattack mirrors similar recent disruptions within the healthcare industry, which continues to be a frequent target.

"The healthcare sector is always considered a lucrative target because of the serious sense of urgency whenever IT operations are disrupted, not to mention potentially disabled," said Jeff Wichman, director of incident response at Semperis. "In case of ransomware attacks, this serves as another means to pressure the victim into paying a ransom."

He added, "At this time, if any systems administering dialysis have been disrupted, the clinics and hospitals within DaVita’s network are most certainly operating machines manually as a last resort and staff are working extremely hard to ensure patient care doesn’t suffer. If any electronic machines in their network are down, the diligence of staff will fill the gaps until electronic equipment is restored."

DaVita joins a growing list of specialized healthcare providers facing cybersecurity breaches in 2025. Notably, Community Care Alliance in Rhode Island recently reported a hack that impacted 115,000 individuals.

In addition, DaVita has previously disclosed multiple health data breaches. The largest, in July 2024, affected over 67,000 individuals due to unauthorized server access linked to the use of tracking pixels in its patient-facing platforms.
Read more »
VPN
Breach Cyber Security DomainControllers Hackers Ransomware Reconnaissance VPN

Majority of Human-Operated Cyberattacks Target Domain Controllers, Warns Microsoft

 

Microsoft has revealed that nearly 80% of human-operated cyberattacks involve compromised domain controllers, according to a recent blog post published on Wednesday. Alarmingly, in over 30% of these incidents, attackers use the domain controller—a central system in corporate IT networks—to spread ransomware across the organization.

A breached domain controller can give hackers access to password hashes for every user in the system. With these credentials, cybercriminals can identify and exploit privileged accounts, including those held by IT administrators. Gaining control of these accounts allows attackers to escalate their access levels.

"This level of access enables them to deploy ransomware on a scale, maximizing the impact of their attack," Microsoft stated.

One such attack, observed by the tech giant, involved a group known as Storm-0300. The hackers infiltrated a company’s systems by exploiting its virtual private network (VPN). After acquiring administrator credentials, they tried to access the domain controller through the remote desktop protocol (RDP). Once inside, they carried out a series of actions including reconnaissance, bypassing security measures, and escalating their privileges.

Despite the growing frequency of attacks, Microsoft emphasized the difficulty in protecting domain controllers due to their critical role in network management and authentication.

Defenders often face the challenge of “striking the right balance between security and operational functionality,” the blog noted.

To improve protection, Microsoft suggested enhancing domain controllers’ ability to differentiate between legitimate and malicious activity—an essential step toward minimizing server compromises.

Jason Soroko, senior fellow at cybersecurity firm Sectigo, stressed the importance of proactive security measures.

"Ultimately, even the most advanced defense mechanisms may falter if misconfigured or if legacy systems create vulnerabilities. Hence, vigilant customer-side security practices are critical to fortifying these systems against modern cyberthreats," Sectigo said.

While Microsoft offers strong protective tools, their success hinges on users maintaining up-to-date systems and activating features like multifactor authentication.


Read more »
SparkCat
Android app removal Apple Breach Cyber Security Cybersecurity Data Google iOS malware SparkCat

Apple and Google Remove 20 Apps Infected with Data-Stealing Malware


Apple and Google have removed 20 apps from their respective app stores after cybersecurity researchers discovered that they had been infected with data-stealing malware for nearly a year.

According to Kaspersky, the malware, named SparkCat, has been active since March 2024. Researchers first detected it in a food delivery app used in the United Arab Emirates and Indonesia before uncovering its presence in 19 additional apps. Collectively, these infected apps had been downloaded over 242,000 times from Google Play Store.

The malware uses optical character recognition (OCR) technology to scan text displayed on a device’s screen. Researchers found that it targeted image galleries to identify keywords associated with cryptocurrency wallet recovery phrases in multiple languages, including English, Chinese, Japanese, and Korean. 

By capturing these recovery phrases, attackers could gain complete control over victims' wallets and steal their funds. Additionally, the malware could extract sensitive data from screenshots, such as messages and passwords.

Following Kaspersky’s report, Apple removed the infected apps from the App Store last week, and Google followed soon after.

Google spokesperson Ed Fernandez confirmed to TechCrunch: "All of the identified apps have been removed from Google Play, and the developers have been banned."

Google also assured that Android users were protected from known versions of this malware through its built-in Google Play Protect security system. Apple has not responded to requests for comment.

Despite the apps being taken down from official stores, Kaspersky spokesperson Rosemarie Gonzales revealed that the malware is still accessible through third-party websites and unauthorized app stores, posing a continued threat to users.
Read more »
Ransomware
Breach Cyber Attacks CyberCrime Cybersecurity Data Hacking Insider Threat Ransom note Ransomware

Cybercriminals Entice Insiders with Ransomware Recruitment Ads

 

Cybercriminals are adopting a new strategy in their ransomware demands—embedding advertisements to recruit insiders willing to leak company data.

Threat intelligence researchers at GroupSense recently shared their findings with Dark Reading, highlighting this emerging tactic. According to their analysis, ransomware groups such as Sarcoma and DoNex—believed to be impersonating LockBit—have started incorporating these recruitment messages into their ransom notes.

A typical ransom note includes standard details about the company’s compromised state, data breaches, and backup destruction. However, deeper into the message, these groups introduce an unusual proposition:

"If you help us find this company's dirty laundry you will be rewarded. You can tell your friends about us. If you or your friend hates his boss, write to us and we will make him cry and the real hero will get a reward from us."

In another instance, the ransom note offers financial incentives:

"Would you like to earn millions of dollars $$$? Our company acquires access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VP, corporate email, etc."

The note then instructs interested individuals on how to install malicious software on their workplace systems, with communication facilitated via Tox messenger to maintain anonymity.

Kurtis Minder, CEO and founder of GroupSense, stated that while his team regularly examines ransom notes during incident response, the inclusion of these “pseudo advertisements” is a recent development.

"I've been asking my team and kind of speculating as to why this would be a good place to put an advertisement," said Minder. "I don't know the right answer, but obviously these notes do get passed around." He further noted that cybercriminals often experiment with new tactics, and once one group adopts an approach, others tend to follow suit.

For anyone tempted to respond to these offers, Minder warns of the significant risks involved: "These folks have no accountability, so there's no guarantee you would get paid anything. You trying to capitalize on this is pretty risky from an outcome perspective."

GroupSense continues to analyze past ransomware communications for any early signs of this trend. Minder anticipates discovering more instances of these ads in upcoming investigations.
Read more »
UnitedHealth cyberattack
Breach Change Healthcare data Data Breach Healthcare cybersecurity Medical Data breach Ransomware attack UnitedHealth cyberattack

UnitedHealth Confirms Change Healthcare Cyberattack Impacted 190 Million People

 

UnitedHealth Group has officially disclosed that the February ransomware attack on its subsidiary, Change Healthcare, affected approximately 190 million individuals in the U.S.—nearly twice the previously estimated figure.

The healthcare giant confirmed the revised number in a statement to TechCrunch on Friday, after market hours.

“Change Healthcare has determined the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million,” said Tyler Mason, a UnitedHealth spokesperson, in an email to TechCrunch. “The vast majority of those people have already been provided individual or substitute notice. The final number will be confirmed and filed with the Office for Civil Rights at a later date.”

UnitedHealth also stated that there is no evidence suggesting the stolen data has been misused. “The company is not aware of any misuse of individuals’ information as a result of this incident and has not seen electronic medical record databases appear in the data during the analysis,” the spokesperson added.

The cyberattack, which occurred in February 2024, stands as the most significant medical data breach in U.S. history. It led to prolonged disruptions across the healthcare sector. Change Healthcare, a leading health tech provider and claims processor, handles vast amounts of patient data, medical records, and insurance information.

Hackers behind the attack stole an extensive volume of sensitive health and insurance data, some of which was leaked online. Reports indicate that Change Healthcare paid at least two ransom payments to prevent further exposure of the compromised files.

Initially, UnitedHealth estimated the number of impacted individuals to be around 100 million when it filed a preliminary report with the Office for Civil Rights, a division of the U.S. Department of Health and Human Services that oversees data breaches.

According to Change Healthcare’s breach notification, the cybercriminals accessed and stole:

  • Names, addresses, phone numbers, and email addresses
  • Dates of birth and government-issued ID numbers (Social Security, driver’s license, passport)
  • Medical diagnoses, prescriptions, lab results, imaging, and treatment plans
  • Health insurance details
  • Financial and banking data related to patient claims
The breach has been attributed to the ALPHV ransomware group, a Russian-language cybercrime network. During congressional testimony, UnitedHealth CEO Andrew Witty revealed that attackers gained access through a stolen credential that lacked multi-factor authentication, highlighting a critical security lapse.

As the healthcare industry grapples with the aftermath, this breach underscores the urgent need for enhanced cybersecurity measures to safeguard sensitive medical data.


Read more »
Unauthorized
Breach Casio Cyber Attacks Cyberattack Cybersecurity Data Disruption losses restructuring services Unauthorized

Casio Hit by Cyberattack Causing Service Disruption Amid Financial Challenges

 

Japanese tech giant Casio recently experienced a cyberattack on October 5, when an unauthorized individual accessed its internal networks, leading to disruptions in some of its services.

The breach was confirmed by Casio Computer, the parent company behind the iconic Casio brand, recognized for its watches, calculators, musical instruments, cameras, and other electronic products.

"Casio Computer Co., Ltd. has confirmed that on October 5, its network was accessed by an unauthorized third party," the company revealed in a statement today. Following an internal review, the company discovered the unauthorized access led to system disruptions, which have caused some services to be temporarily unavailable. Casio mentioned it cannot provide further details at this stage, as investigations are still ongoing. The company is working closely with external specialists to assess whether personal data or confidential information was compromised during the attack.

Although the breach has disrupted services, Casio has yet to specify which services have been impacted.

The company reported the cyber incident to the relevant data protection authorities and quickly implemented measures to prevent further unauthorized access. BleepingComputer reached out to Casio for more information, but a response has not yet been provided.

So far, no ransomware group has claimed responsibility for the attack on Casio.

This attack comes nearly a year after a previous data breach involving Casio's ClassPad education platform, which exposed customer data from 149 countries, including names, email addresses, and other personal information.

The recent cyberattack adds to the company's challenges, as Casio recently informed shareholders of an expected $50 million financial loss due to significant personnel restructuring.
Read more »
Subscribe to: Posts (Atom)