Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Attacks. Show all posts
Salesforce
BreachForums Cyber Attacks Data Leak FBI LAPSUS$ Salesforce

BreachForums Taken Down by FBI and French Authorities as LAPSUS$-Linked Group Threatens Salesforce Data Leak

 



U.S. and French law enforcement agencies have seized the latest version of BreachForums, a cybercrime platform known for hosting stolen databases and leaked information. The takedown was carried out by the Federal Bureau of Investigation (FBI), the U.S. Department of Justice, and French cybercrime authorities, who placed an official seizure notice on the site on October 9.

This development comes just hours before an extortion deadline announced by a threat group calling itself Scattered LAPSUS$ Hunters, which had threatened to leak data allegedly stolen from Salesforce and Salesloft if ransom demands were not met by October 10.

The seizure was first noticed on Telegram before it became official. A threat actor using the alias “emo” had observed that BreachForums’ domain was using Cloudflare name servers associated with previously seized FBI sites, suggesting law enforcement action was imminent.

Following the seizure, Scattered LAPSUS$ Hunters confirmed the action on its Telegram channel through a PGP-signed message, claiming that all their BreachForums-related domains and backend infrastructure were taken offline and destroyed. The group, however, asserted that its members had not been arrested and that their Tor-based data leak site remained active.

“The era of forums is over,” the message read, warning members to maintain operational security and avoid new BreachForums clones, which the group claimed could be “honeypots” operated by law enforcement.


Compromised Infrastructure and Data

The group stated that during the seizure, all BreachForums database backups dating from 2023 to the present were compromised, along with escrow and server systems. They also alleged that their onion hidden service was affected because the underlying infrastructure had been seized and destroyed.

Despite this, Scattered LAPSUS$ Hunters insisted that the takedown would not affect their planned Salesforce data leak campaign. The group reiterated that the October 10 deadline for victims to comply with their ransom demands remained unchanged.

This marks the fourth major seizure in the history of BreachForums and its predecessors, including the earlier RaidForums. Both forums have been repeatedly targeted by global law enforcement operations and linked to several high-profile arrests over the years.

The group also revealed that the widely known administrator “pompompurin,” believed to have launched BreachForums after RaidForums’ closure, had merely been a “front,” suggesting that the forum’s operations were coordinated by a wider network of individuals from the start.


What Lies Ahead

While the seizure has temporarily disrupted the group’s clearnet operations, cyber experts caution that criminal forums often migrate to the dark web or encrypted channels to continue their activities. Authorities are expected to pursue further investigations in the coming weeks to identify and apprehend those involved.

For cybersecurity professionals and enterprises, it's high time to give importance to monitoring data exposure risks and staying alert to potential secondary leaks, especially when extortion groups remain active through alternate platforms.



Read more »
Ransomware attack
Asahi Beer Cyber Attacks Japanese Firm Qilin Ransomware attack

Asahi Beer Giant Hit by Cyberattack, Forced to Manual Operations

 

Japanese brewing giant Asahi Group Holdings, the manufacturer of Japan's most popular beer Super Dry, suffered a devastating ransomware attack in late September 2025 that forced the company to revert to manual operations using pen, paper, and fax machines. The cyberattack was first disclosed on September 29, when the company announced a system failure that disrupted ordering, shipping, and customer service operations across its 30 domestic breweries in Japan.

The ransomware incident, later claimed by the Qilin hacking group, forced Asahi to temporarily shut down nearly all its Japanese production facilities. The attack crippled the company's online systems, leaving vendors and business owners without access to information as call centers and customer service desks were closed. Asahi was forced to process orders manually using traditional paper-based methods and fax machines to prevent potential beverage shortages across the country.

Initial investigations revealed traces suggesting potential unauthorized data transfer, and the company later confirmed on October 14 that personal information may have been compromised. The Qilin ransomware gang claimed responsibility for the breach, alleging they stole approximately 27 gigabytes of data containing financial documents, budgets, contracts, employee personal information, and company development forecasts. Samples of allegedly stolen data included employee ID cards and other personal documents.

The cyberattack had widespread operational consequences beyond production disruptions. Asahi postponed its quarterly financial results for the third quarter of fiscal year 2025 because the incident disrupted access to accounting-related data and delayed financial closing procedures. Recovery efforts involved collaboration between Asahi's Emergency Response Headquarters, cybersecurity specialists, and Japanese cybercrime authorities.

While all breweries have partially resumed operations and restarted production, computer systems remain non-operational with no clear timeline for full recovery. The company has committed to promptly notifying affected individuals and implementing appropriate measures in accordance with personal data protection laws. This incident highlights Japan's vulnerability to ransomware attacks, as Japanese companies often have weaker cybersecurity defenses compared to other nations and are more likely to pay ransom demands.
Read more »
data security
Cyber Attacks cybercriminal group CyberSecurity Ransomware Attacks dark web data leak Data Leak data security

Qilin Ransomware Gang Claims Cyberattack on Japanese Beer Giant Asahi

 

The Qilin ransomware group has claimed responsibility for the recent cyberattack on Japanese brewing giant Asahi, adding the company’s name to its dark web data leak site. The cybercriminals alleged that they had stolen over 9,300 files amounting to 27GB of confidential data, including financial documents, employee identification records, contracts, and internal reports. To substantiate their claims, the group published 29 images showing snippets of the stolen files. 

Asahi, Japan’s largest beer manufacturer, employs around 30,000 people and produces approximately 100 million hectoliters annually, generating close to $20 billion in revenue. The company suffered significant operational disruptions following the attack. On September 29, Asahi temporarily halted production at six of its domestic facilities, later confirming on October 3 that a ransomware attack had crippled its systems and led to data exfiltration. 

At first, no threat actor took public credit for the breach. However, the Qilin ransomware group eventually listed Asahi among its victims, likely after ransom negotiations failed. Qilin, which emerged in 2023, is known as a multi-platform ransomware operation capable of targeting both Windows and Linux systems. The group has been associated with other notorious hacker collectives such as Scattered Spider and, more recently, North Korean state-linked actors. 

Qilin’s tactics include exploiting vulnerabilities in edge network devices, deploying credential theft tools, and developing sophisticated encryption mechanisms to hinder recovery. The group has previously targeted high-profile organizations including Nissan, Inotiv, Lee Enterprises, major hospitals within London’s NHS network, and automotive supplier Yangfeng.

In its post, Qilin claimed that the Asahi ransomware attack could result in losses exceeding $335 million due to production halts affecting six breweries and more than thirty beer labels. Despite the claims, Asahi has not verified the authenticity of the leaked files. In a statement to BleepingComputer, a company spokesperson confirmed that the matter remains under active investigation and declined to comment further. 

The company also shared that production of its flagship beer, Super Dry, has resumed through a temporary manual ordering system. While Asahi’s factories are not yet operating at full capacity, shipments for additional labels are expected to restart by October 15. However, as a direct consequence of the cyberattack and ongoing disruptions, Asahi announced it would delay the launch of new products that were initially planned for October 2025. 

The attack on Asahi underscores the growing reach and sophistication of ransomware groups like Qilin, whose increasingly destructive campaigns continue to target global corporations across industries, threatening both economic stability and consumer trust.
Read more »
Ransomware attack
Australia Cyber Attacks pharma scam Ransomware attack

Toowoomba Pharmacy Targeted in Ransomware Attack

A pharmacy in Toowoomba, Queensland, has become the latest victim of a ransomware attack, highlighting growing concerns about the digital vulnerability of small businesses. 

The incident occurred last month when hackers gained access to the Friendlies Society Dispensary’s private IT systems. Authorities believe sensitive data stored on the system may have been compromised. 

A coordinated investigation is now underway, involving the National Office of Cyber Security, the Australian Cyber Security Centre, Services Australia, Queensland Health, the National Disability Insurance Agency, and the Department of Home Affairs. 

Bayden Johnson, Chief Executive Officer of the Friendlies Society Dispensary, said the organisation acted quickly once the attack was detected. “We immediately took steps to secure our systems and understand the nature of the incident,” he said. “Our priority now is to determine what information was accessed and ensure all necessary precautions are taken.” 

The pharmacy, which offers healthcare services and mobility support equipment, is cooperating fully with federal authorities. The Department of Home Affairs stated that Services Australia’s systems remain secure and were not affected by the breach. It added that ongoing monitoring is being carried out to detect any irregular activity. 

According to the Australian Signals Directorate (ASD), ransomware incidents account for 11 percent of all reported cyberattacks in the country. 

The ASD’s 2023–24 Annual Cyber Threat Report revealed that a cybercrime report is lodged roughly every six minutes, with small businesses reporting an average loss of $49,600 per attack. 

Associate Professor Saeed Akhlaghpour from the University of Queensland’s Cyber Research Centre said cybercriminals are constantly evolving their tactics. “Attackers are no longer just locking files; they are also stealing and leaking data. Ransomware can even be delivered through browsers, apps, or malicious file uploads,” he explained. 

Dr Akhlaghpour, who researches cybersecurity risks in the healthcare sector, said health organisations such as pharmacies, medical practices, and gyms often face higher risks due to inconsistent monitoring and handling of sensitive information. 

He noted that human error is still the leading cause of ransomware attacks, as employees often reuse passwords or click on unsafe links in haste. With the rise of AI-powered tools that make it easier for criminals to conduct large-scale attacks, he urged small business owners to invest in better cybersecurity systems and response plans. 

“Many breaches occur because of poor risk management and the absence of a clear response strategy,” he said. “Regular monitoring can prevent many of these problems.” 

Dr Akhlaghpour also advised businesses not to pay ransoms if they fall victim to an attack. “You cannot trust criminals. Paying the ransom rarely restores data and often leads to further targeting. Stolen data is frequently resold on the dark web,” he warned. 

Authorities continue to monitor the situation in Toowoomba as cybersecurity experts remind small business owners across Australia to take preventive measures and strengthen their defences against the growing threat of ransomware.
Read more »
personal data leak
Customer Data Cyber Attacks Data Breaches Data Leak Data protection data security Personal Data personal data leak

WestJet Confirms Cyberattack Exposed Passenger Data but No Financial Details

 

WestJet has confirmed that a cyberattack in June compromised certain passenger information, though the airline maintains that the breach did not involve sensitive financial or password data. The incident, which took place on June 13, was attributed to a “sophisticated, criminal third party,” according to a notice issued by the airline to U.S. residents earlier this week. 

WestJet stated that its internal precautionary measures successfully prevented the attackers from gaining access to credit and debit card details, including card numbers, expiry dates, and CVV codes. The airline further confirmed that no user passwords were stolen. However, the company acknowledged that some passengers’ personal information had been exposed. The compromised data included names, contact details, information and documents related to reservations and travel, and details regarding the passengers’ relationship with WestJet. 

“Containment is complete, and additional system and data security measures have been implemented,” WestJet said in an official release. The airline emphasized that analysis of the incident is still ongoing and that it continues to strengthen its cybersecurity framework to safeguard customer data. 

As part of its response plan, WestJet is contacting affected customers to offer support and guidance. The airline has partnered with Cyberscout, a company specializing in identity theft protection and fraud assistance, to help impacted individuals with remediation services. WestJet has also published advisory information on its website to assist passengers who may be concerned about their data.  

In its statement, the airline reassured customers that swift containment measures limited the breach’s impact. “Our cybersecurity teams acted immediately to contain the situation and secure our systems. We take our responsibility to protect customer information very seriously,” the company said. 

WestJet confirmed that it is working closely with law enforcement agencies, including the U.S. Federal Bureau of Investigation (FBI) and the Canadian Centre for Cyber Security. The airline also notified U.S. credit reporting agencies—TransUnion, Experian, and Equifax—along with the attorneys general of several U.S. states, Transport Canada, the Office of the Privacy Commissioner of Canada, and relevant provincial and international data protection authorities. 

While WestJet maintains that the exposed information does not appear to include sensitive financial or authentication details, cybersecurity experts note that personal identifiers such as names and contact data can still pose privacy and fraud risks if misused. The airline’s transparency and engagement with regulatory agencies reflect an effort to mitigate potential harm and restore public trust. 

The company reiterated that it remains committed to improving its security posture through enhanced monitoring, employee training, and the implementation of additional cybersecurity controls. The investigation into the breach continues, and WestJet has promised to provide further updates as new information becomes available. 

The incident highlights the ongoing threat of cyberattacks against the aviation industry, where companies hold large volumes of personal and travel-related data. Despite the rise in security investments, even well-established airlines remain attractive targets for sophisticated cybercriminals. WestJet’s quick response and cooperation with authorities underscore the importance of rapid containment and transparency in handling such data breaches.
Read more »
cybersecurity research
Akira Akira Ransomware Arctic Wolf Arctic Wolf security research CVE CVEs Cyber Attacks Cyber Security Ransomware Attacks cybersecurity research

Akira Ransomware Bypasses MFA in Ongoing Attacks on SonicWall SSL VPN Devices

 

The Akira ransomware group continues to evolve its attacks on SonicWall SSL VPN devices, with researchers warning that the threat actors are managing to log into accounts even when one-time password (OTP) multi-factor authentication (MFA) is enabled. Cybersecurity firm Arctic Wolf reported that attackers appear to be exploiting previously stolen OTP seeds or a similar method to bypass MFA, though the exact technique remains unclear. 

Earlier this year, Akira was observed exploiting SonicWall SSL VPN devices to breach corporate networks. Initially, researchers suspected a zero-day vulnerability was involved. However, SonicWall later attributed the incidents to an improper access control flaw identified as CVE-2024-40766, disclosed in September 2024. The flaw had been patched in August 2024, but attackers continued to exploit stolen credentials from compromised devices even after updates were applied. SonicWall advised administrators to reset all VPN credentials and update to the latest SonicOS firmware.  

The latest Arctic Wolf findings reveal a persistent campaign in which multiple OTP challenges were triggered before successful logins, implying that attackers may be generating valid OTP tokens using previously harvested OTP seeds. The company confirmed that these logins were linked to devices affected by CVE-2024-40766, suggesting that stolen credentials remain a key entry point.

In a related investigation, Google’s Threat Intelligence Group (GTIG) observed a similar campaign in July, where a financially motivated group known as UNC6148 deployed the OVERSTEP rootkit on SonicWall SMA 100 series appliances. GTIG assessed that the attackers were using stolen one-time password seeds from earlier zero-day intrusions, allowing continued access even after organizations patched their systems. 

Once Akira gained access to networks, the attackers moved rapidly, often initiating internal scans within minutes. According to Arctic Wolf, they used Impacket SMB session requests, Remote Desktop Protocol (RDP) logins, and Active Directory enumeration tools like dsquery, SharpShares, and BloodHound to expand their reach. A major focus was on Veeam Backup & Replication servers, where a custom PowerShell script extracted and decrypted stored MSSQL and PostgreSQL credentials. 

To disable endpoint protection, Akira affiliates executed a Bring-Your-Own-Vulnerable-Driver (BYOVD) attack, using Microsoft’s legitimate consent.exe executable to sideload malicious DLLs that deployed vulnerable drivers such as rwdrv.sys and churchill_driver.sys. These drivers were then used to terminate security processes, enabling the ransomware to encrypt systems undetected. 

The report notes that some compromised systems were running SonicOS 7.3.0, the very version recommended by SonicWall to mitigate such attacks. Security experts urge all administrators to reset VPN credentials and review access logs on any devices that previously used vulnerable firmware, as threat actors may still exploit stolen data to infiltrate networks.
Read more »
Threat Intelligence
Cyber Attacks Division NATO Russia-Ukraine War Threat Intelligence

NATO Rift Widens Over Response to Russian Cyber Threats

 

NATO is confronting significant internal divisions on how to handle the intensifying wave of Russian cyberattacks, which expose rifts in alliance strategy and threaten the alliance’s coherence and overall deterrence posture. 

As Russia increasingly targets NATO states’ critical infrastructure, governmental functions, and even military networks, debate has raged within the alliance as to how forcefully to respond, and under what terms, to hostile state-sponsored cyber activities.

Deepening divisions 

A core challenge for NATO is divergent national approaches to what constitutes an act of cyber aggression warranting collective response. Some member states—particularly those along Russia’s borders in the Baltics, as well as Poland—are calling for robust measures, including invoking Article 4 (consultative action in response to threats), and even considering proportional offensive cyber operations against Russian state targets. 

These nations see repeated Russian provocations, from cyber to airspace incursions, as clear tests of alliance resolve that demand a stiff and highly visible response.

However, other countries, such as France and Germany, worry about the risks of escalation and advocate a more cautious, defensive posture, preferring extensive evidence gathering, attribution efforts, and diplomatic engagement before considering retaliatory action. 

They argue frequent consultations or aggressive stances could water down NATO’s deterrent signal or trigger dangerous unintended escalation. This split produces tactical uncertainty and delays, potentially emboldening adversaries and hampering a unified alliance front.

Policy stalemate and its consequences

These diverging approaches are mirrored in ongoing arguments about when and how to use NATO’s cyber capabilities offensively versus limiting the alliance to defensive postures or coordinated resilience initiatives. 

While some strategists press for disruptive cyber operations or overt information warfare campaigns targeting Russia, consensus is lacking due to legal concerns, worries about thresholds for collective defense, and varying levels of national cyber capacity and risk appetite.

Strategic implications

Analysts warn that Russia’s overt cyber and hybrid threats are, in part, designed to exploit and widen these strategic rifts, stymying meaningful joint response and putting both NATO's credibility and European security at risk. Persistent internal divisions leave NATO vulnerable, raising pressure for the alliance to develop a clearer, more decisive policy on cyber deterrence and response.
Read more »
Cyber Attacks
Circle K cyberattack Hong Kong Circle K data breach Circle K Hong Kong payment outage Cyber Attacks

Circle K Confirms Cyberattack in Hong Kong, Services Still Disrupted

 

Circle K has confirmed that its Hong Kong operations were hit by a cyberattack, a week after the convenience store chain suspended most electronic payment services. The company has apologized to affected customers and assured the public that the incident is now “under control” while investigations continue.

The disruption began by affecting electronic payments across 400 stores citywide, except transactions made through the Octopus card. The following day, the company revealed it was facing network problems and did not rule out a cyberattack.  A spokesperson confirmed it was indeed a network attack, but did not clarify whether customer data had been compromised.

Despite all stores remaining open, several key services remain suspended, including parcel collection, e-wallet top-ups, bill payments, and the loyalty rewards program. Octopus payments and cash transactions are still being accepted. Circle K has also notified law enforcement authorities and engaged cybersecurity experts to assist with the recovery.

Customers have voiced frustration on social media over the company’s slow response, asking for clearer updates and alternative arrangements. Some requested temporary manual solutions for parcel collection and clarity on whether loyalty program stamps and rewards would remain valid.

The Office of the Privacy Commissioner for Personal Data (PCPD) confirmed it received a data breach notification on September 23 from Couche-Tard HK Limited, Circle K’s parent company. The PCPD has launched a compliance check to investigate potential risks to personal data.

Cybersecurity expert Francis Fong Po-kiu suggested that Circle K may have fallen victim to a ransomware attack, in which hackers infiltrate systems, encrypt data, and demand payment for a decryption key. “They might be working to find the loophole, to find out whether something went wrong in the server or on the retail front,” he said, warning that full recovery could take months or even years. He added that while it was uncertain if customer data had been leaked, loyalty program details such as names, emails, and phone numbers could be at risk.
Read more »
US Secret Service rogue network
22.2Tbps cyberattack Cyber Attacks DDOS Attack SIM Card Operation US Secret Service rogue network

World’s Largest 22.2Tbps DDoS Attack and Rogue SIM Network Busted by US Secret Service

 

Earlier this month, reports highlighted a massive 11.5Tbps DDoS attack — the largest on record at the time. However, that figure was quickly overshadowed this week when a new distributed denial-of-service strike reached an unprecedented 22.2Tbps, transmitting 10.6 billion packets per second. The assault, although lasting just 40 seconds, showcased the immense scale and power of today’s botnets. 

Experts warn that as these malicious networks expand, future DDoS attacks will likely grow even more destructive, targeting vulnerable companies and platforms worldwide.

In another alarming case, the US Secret Service dismantled a rogue cellular network made up of more than 100,000 SIM cards. The network, which was spread across several physical sites, was strategically positioned ahead of the UN General Assembly in New York City.

 Investigators revealed the operation aimed to carry out attacks against diplomats and officials, including DDoS campaigns, deepfaked calls, and even “swatting” attempts — where false bomb or violence threats are reported to law enforcement to provoke an armed response. Doxxing, exposing private personal details, was also among the threats.

These incidents serve as stark reminders of how critical it is to safeguard personal data. Yet, protecting your information is increasingly challenging in a digital economy where data brokers profit from collecting and selling detailed profiles. 

Even everyday apps, from Duolingo to Candy Crush, harvest user data. On the positive side, individuals can take action by requesting data deletion directly from brokers or by using specialized personal data removal services.
Read more »
Microsoft Outlook security
Bug Fixes Cyber Attacks Microsoft Microsoft Outlook security

Microsoft Probes Outlook Bug Blocking Encrypted Emails Across Tenants

 

Microsoft is investigating a newly identified issue that prevents users of the classic Outlook client from opening encrypted emails sent by other organizations. 

The company confirmed the problem in a recently updated support document, noting that the bug affects customers across all Office release channels. 

According to Microsoft, users attempting to access such emails may encounter the error message: “Configuring your computer for Information Rights Management.” The glitch impacts OMEv2 (Office Message Encryption version 2) messages when sent across different tenants, creating disruptions for enterprise communication. 

Temporary workaround provided 

While the root cause is still under review, Microsoft has issued a temporary fix. Impacted organizations can either exclude external users from Conditional Access policies or enable cross-tenant settings that allow authentication tokens to be trusted between Entra tenants. 

The company recommends the second option as the simpler solution. Administrators can enable cross-tenant access by navigating to the “Inbound access settings – Default settings” page in the Microsoft Entra admin center, selecting “Trust settings,” and then enabling “Trust multifactor authentication from Microsoft Entra tenants.” 

Microsoft cautioned, however, that this workaround only ensures encrypted emails sent from an organization can be opened by others. 

To access encrypted messages received from a different tenant, the sending organization must also apply the same configuration. Ongoing investigation The Outlook and Purview teams are currently working on a permanent resolution. 

Microsoft has assured customers that updates will be shared once more information is available. 

This is the latest in a string of Outlook-related bugs addressed by Redmond (a global headquarter of Microsoft) this year. 

In June, the company resolved a crash affecting the classic Outlook client when opening or composing emails. Later, in August, it mitigated an Exchange Online issue that blocked mobile users relying on Hybrid Modern Authentication. 

With encrypted communications becoming central to enterprise security, a swift resolution will be crucial to ensure seamless cross-tenant collaboration.
Read more »
Fake Apps
Android Android Banking Trojan Android Trojans Banking Trojan Credential Theft Cyber Attacks Fake Apps

Datzbro Android Banking Trojan Targets Seniors With Device-Takeover Attacks

 

Researchers have uncovered a previously undocumented Android banking trojan, dubbed Datzbro, that is being used in device-takeover campaigns aimed squarely at older adults. ThreatFabric, a Dutch mobile security firm, first tied the activity to a social-engineering network in August 2025 after reports emerged of Facebook groups in Australia advertising “active senior trips” that were in fact recruitment channels for the scam. The operation has been observed in multiple countries, including Singapore, Malaysia, Canada, South Africa and the U.K., and relies on community-focused messaging to build trust before delivering malware. 

The attackers create convincing Facebook groups and AI-generated posts promoting local events for seniors. When a target shows interest, operators move the conversation to Facebook Messenger or WhatsApp and push a link to download a so-called community app—usually an APK hosted on a fraudulent domain. Those sites promise event registration and networking features but deliver an installer that either installs Datzbro directly or drops a secondary loader built with an APK-binding service called Zombinder, which helps bypass protections introduced in Android 13 and later. Some evidence suggests the fraudsters are preparing iOS TestFlight lures as well, indicating cross-platform ambitions. 

Analysts have cataloged multiple malicious app package names used to distribute the trojan, from innocuous-sounding “Senior Group” and “Lively Years” to variants masquerading as popular Chinese apps or tools. Once installed, Datzbro grants itself extensive permissions and weaponizes Android accessibility services to perform actions on behalf of the attacker. It can record audio, capture photos, harvest files, log keystrokes and overlay semi-transparent screens to hide malicious activity from victims. A distinctive feature is its “schematic remote control” mode, which reports screen layout, element positions and content back to operators so they can reconstruct interfaces remotely and direct the device as if they were looking over the victim’s shoulder. 

The trojan also filters accessibility event logs for bank or wallet package names and scans for text resembling PINs, passwords or transaction codes. If it finds credentials in cookies or other storage, Datzbro exfiltrates them to the attackers’ back end; it can even steal lock-screen PINs and compromise popular Chinese payment apps such as Alipay and WeChat. ThreatFabric noted Chinese debug strings and a Chinese-language desktop command-and-control application tied to the campaign, suggesting the authors are Chinese-speaking. A compiled C2 client reportedly leaked to public malware repositories, which may accelerate wider abuse by other criminals. 

Datzbro’s discovery comes amid broader mobile-banking malware activity. IBM X-Force has described a related AntiDot campaign called PhantomCall that similarly abuses Android features and sideloaded droppers to bypass modern OS protections, while PRODAFT has documented MaaS-style offerings for actors aiming at global banks. Together, these trends reflect a sustained move toward targeted social engineering that exploits community trust to coax vulnerable users into installing powerful remote-control malware. 

The rapid evolution of these threats underscores the need for heightened public awareness—especially among seniors—tighter app-distribution controls, and stronger defenses around accessibility permissions and sideloaded software.
Read more »
Syn
BBC Reporter Cyber Attacks Medusa Ransomware Syn

Medusa Ransomware Gang Offers BBC Reporter Millions for Inside Hack Access

 

A ransomware operation claiming affiliation with the Medusa gang attempted to recruit BBC cybersecurity correspondent Joe Tidy as an insider threat, offering him substantial financial incentives in exchange for access to the broadcaster's systems. 

The threat actor, using the alias "Syndicate" (later shortened to "Syn"), contacted Tidy in July via the encrypted messaging app Signal, proposing an arrangement that would give him a percentage of the ransom proceeds. The initial proposition involved offering Tidy 15% of any ransom payment if he provided access to his work laptop and BBC systems. 

The cybercriminals planned to infiltrate the organization's network, exfiltrate sensitive data, and demand payment in cryptocurrency while threatening to release stolen information. As negotiations continued, Syn increased the offer to 25%, suggesting the total ransom demand could reach tens of millions of dollars and claiming Tidy "wouldn't need to work ever again".

To establish credibility, the threat actor offered 0.5 Bitcoin (approximately $55,000) as an upfront trust payment through escrow on a hacker forum. Syn referenced previous successful insider recruitment operations, citing cases involving a UK healthcare company and a US emergency services provider, suggesting such collaborations were common in their operations.

The Medusa ransomware operation has operated since January 2021 and evolved from a closed operation to a ransomware-as-a-service model with affiliates. According to a March report from CISA, the gang has compromised over 300 critical infrastructure organizations in the United States. The operation's core developers recruit initial access brokers through cybercrime forums and darknet marketplaces while maintaining central control over ransom negotiations.

Tidy, who reports on cybersecurity topics, believes the attackers likely mistook him for a technical employee with elevated system privileges rather than a journalist. After consulting with BBC editors, he engaged with the threat actor to gather intelligence on their methods. When Tidy delayed responding to their demands, the criminals launched an MFA bombing attack, flooding his phone with two-factor authentication requests in an attempt to force approval of a malicious login.

The journalist promptly contacted BBC's information security team and was disconnected from the organization's infrastructure as a precautionary measure. Following several days of silence from Tidy, the alleged Medusa representative deleted their Signal account.
Read more »
QR code scams
Cookie Cookies Exploit Cyber Attacks Infostealer Malware Malicious Package Malware Attack Malwares QR code QR code scams

Fezbox npm Package Uses QR Codes to Deliver Cookie-Stealing Malware

 

A malicious npm package called fezbox was recently uncovered using an unusual trick: it pulls a dense QR code image from the attacker’s server and decodes that barcode to deliver a second-stage payload that steals browser cookies and credentials. Published to the npm registry and posing as a harmless utility library, the package relied on steganography and evasion techniques to hide its true purpose. By the time registry administrators removed it, fezbox had recorded hundreds of installs. 

Analysis by the Socket Threat Research Team shows the core malicious logic lives in the package’s distributed file, where minified code waits for production-like conditions before acting. That staged behavior is deliberate: the malware checks for development environments and other telltale signs of sandboxing, remaining dormant during analysis to avoid detection. After a short delay, the code reconstructs a reversed string that resolves to a Cloudinary URL hosting a JPG. That image contains an unusually dense QR code, not intended for human scanners but encoded with obfuscated instructions the package can parse automatically. 

Storing the image URL in reverse is a simple but effective evasion move. By reversing the string, the attackers reduced the chance that static scanners flag a plain http(s) link embedded in the code. Once the package decodes the QR, the embedded payload extracts document.cookie values and looks for username and password entries. If both items are present, the stolen credentials are sent via HTTPS POST to a command-and-control endpoint under the attacker’s control; if not, the package quietly exits. In short, fezbox converts an image fetch into a covert channel for credential exfiltration that looks like routine media traffic to many network monitoring tools. 

This technique represents an evolution from earlier image-based steganography because it uses the QR barcode itself as the delivery vessel for parseable code rather than hiding data in image metadata or color channels. That makes the abuse harder to spot: a proxy or IDS that permits image downloads will often treat the fetch as normal content, while the malicious decoding and execution occur locally in the runtime environment. The QR’s data density intentionally defeats casual scanning by phone, so human users will not notice anything suspicious even if they try to inspect the image. 

The fezbox incident underscores how open-source ecosystems can be abused via supply-chain vectors that combine code trojanization with clever obfuscation. Attackers can publish seemingly useful packages, wait for installs, and then activate hidden logic that reaches out for symbolic resources such as images or configuration files. Defenders should monitor package provenance, scan installed dependencies for unusual network calls, and enforce least-privilege policies that limit what third-party modules can access at runtime. Registry maintainers and developers alike must also treat media-only traffic with healthy suspicion, since seemingly innocuous image downloads can bootstrap highly targeted exfiltration channels. 

As attacks become more creative, detection approaches must move beyond signature checks and look for behaviors such as unexpected decodes, remote fetches of unusual image content, and suspicious POSTs to new domains. The fezbox campaign is a reminder that any medium — even a QR code embedded in a JPG — can be repurposed as a covert communications channel when code running on a developer’s machine is allowed to fetch and interpret it.
Read more »
Online Retailers
Cyber Attacks Cyber Breaches Cyber Security Ransomware Attacks cybercriminals Cybersecurity In Retail Cybersecurity Precautions Hacker attack Online Retailers

Retail Cyberattacks Surge as Service Desks Become Prime Targets

 

In recent months, reports of retail data breaches have surfaced with alarming frequency, showing that both luxury and high-street retailers are under relentless attack. During the second quarter of 2025, ransomware incidents publicly disclosed in the global retail sector rose by 58 percent compared with the first quarter, with businesses in the United Kingdom facing the worst consequences. The outcomes of such breaches vary, but the risks are consistently severe, ranging from loss of revenue and service disruptions to long-term reputational damage. 

One recent example that highlights this growing threat is the cyberattack on Marks & Spencer (M&S), one of Britain’s most recognized retailers. Employing over 64,000 people across more than 1,000 stores, M&S reportedly fell victim to hackers believed to be part of the group Scattered Spider. The attackers infiltrated the company’s systems in February, deploying ransomware that encrypted vital infrastructure and severely disrupted operations. By impersonating employees, the cybercriminals manipulated IT help desk staff into resetting passwords and turning off multi-factor authentication. This gave them access to internal systems, where they stole a file containing password hashes from Active Directory. The fallout was severe, including a five-day suspension of online sales that cost an estimated £3.8 million per day, along with a drop of more than £500 million in market value. 

The method used against M&S was not unique. Similar techniques were applied in attacks on other UK retailers, including Co-op and Harrods. In the case of Co-op, attackers also pretended to be employees to trick IT staff into granting them access. Although Co-op managed to prevent the full deployment of ransomware by shutting down parts of its infrastructure, the company still faced major operational disruption, proving that even partial breaches can have wide-reaching effects. 

The common thread in these cases is the vulnerability of service desks. These teams often have privileged access to systems, including the ability to manage user accounts, reset credentials, and disable authentication tools. Their focus on quick support and customer service can leave them more exposed to sophisticated social engineering tactics. Because they are frequently overlooked in broader cybersecurity strategies, service desks represent a weak point that attackers are increasingly exploiting. 

To address this issue, organizations must shift their approach from reactive to proactive defense. Service desks, while designed to solve problems efficiently, need to be supported with advanced training, strong verification procedures, and layered defenses that reduce the likelihood of manipulation. Investing in security awareness, modern authentication practices, and continuous monitoring of unusual account activity is now essential. 

The rise in attacks on retailers like M&S, Co-op, and Harrods demonstrates that hackers are targeting service desks with growing precision, causing significant financial and operational harm. These incidents show the urgent need for companies to reassess their cybersecurity strategies, placing greater emphasis on the human element within IT support functions. While organizations cannot control who attackers choose to target, they can strengthen their defenses to ensure resilience when confronted with such threats.
Read more »
Ransomware attack
Banking data leaks customer data compromise Cyber Attacks Data Leak Data protection data security insight leaked sensitive data Ransomware attack

Insight Partners Ransomware Attack Exposes Data of Thousands of Individuals

 

Insight Partners, a New York-based venture capital and private equity firm, is notifying thousands of individuals that their personal information was compromised in a ransomware attack. The firm initially disclosed the incident in February, confirming that the intrusion stemmed from a sophisticated social engineering scheme that gave attackers access to its systems. Subsequent investigations revealed that sensitive data had also been stolen, including banking details, tax records, personal information of current and former employees, as well as information connected to limited partners, funds, management companies, and portfolio firms. 

The company stated that formal notification letters are being sent to all affected parties, with complimentary credit monitoring and identity protection services offered as part of its response. It clarified that individuals who do not receive a notification letter by the end of September 2025 can assume their data was not impacted. According to filings with California’s attorney general, which were first reported by TechCrunch, the intrusion occurred in October 2024. Attackers exfiltrated data before encrypting servers on January 16, 2025, in what appears to be the culmination of a carefully planned ransomware campaign. Insight Partners explained that the attacker gained access to its environment on or around October 25, 2024, using advanced social engineering tactics. 

Once inside, the threat actor began stealing data from affected servers. Months later, at around 10:00 a.m. EST on January 16, the same servers were encrypted, effectively disrupting operations. While the firm has confirmed the theft and encryption, no ransomware group has claimed responsibility for the incident so far. A separate filing with the Maine attorney general disclosed that the breach impacted 12,657 individuals. The compromised information poses risks ranging from financial fraud to identity theft, underscoring the seriousness of the incident. 

Despite the scale of the attack, Insight Partners has not yet responded to requests for further comment on how it intends to manage recovery efforts or bolster its cybersecurity posture going forward. Insight Partners is one of the largest venture capital firms in the United States, with over $90 billion in regulatory assets under management. Over the past three decades, it has invested in more than 800 software and technology startups globally, making it a key player in the tech investment ecosystem. 

The breach marks a significant cybersecurity challenge for the firm as it balances damage control, regulatory compliance, and the trust of its investors and partners.
Read more »
Phishing Attack
ClickFix Cyber Attacks CyberThreat fake alerts FileFix Infostealer Infostealer Malware Malware Attack Meta Phishing Attack

FileFix Attack Uses Fake Meta Suspensions to Spread StealC Malware

 

A new cyber threat known as the FileFix attack is gaining traction, using deceptive tactics to trick users into downloading malware. According to Acronis, which first identified the campaign, hackers are sending fake Meta account suspension notices to lure victims into installing the StealC infostealer. Reported by Bleeping Computer, the attack relies on social engineering techniques that exploit urgency and fear to convince targets to act quickly without suspicion. 

The StealC malware is designed to extract sensitive information from multiple sources, including cloud-stored credentials, browser cookies, authentication tokens, messaging platforms, cryptocurrency wallets, VPNs, and gaming accounts. It can also capture desktop screenshots. Victims are directed to a fake Meta support webpage available in multiple languages, warning them of imminent account suspension. The page urges users to review an “incident report,” which is disguised as a PowerShell command. Once executed, the command installs StealC on the victim’s device. 

To execute the attack, users are instructed to copy a path that appears legitimate but contains hidden malicious code and subtle formatting tricks, such as extra spaces, making it harder to detect. Unlike traditional ClickFix attacks, which use the Windows Run dialog box, FileFix leverages the Windows File Explorer address bar to execute malicious commands. This method, attributed to a researcher known as mr.fox, makes the attack harder for casual users to recognize. 

Acronis has emphasized the importance of user awareness and training, particularly educating people on the risks of copying commands or paths from suspicious websites into system interfaces. Recognizing common phishing red flags—such as urgent language, unexpected warnings, and suspicious links—remains critical. Security experts recommend that users verify account issues by directly visiting official websites rather than following embedded links in unsolicited emails. 

Additional protective measures include enabling two-factor authentication (2FA), which provides an extra security layer even if login credentials are stolen, and ensuring that devices are protected with up-to-date antivirus solutions. Advanced features such as VPNs and hardened browsers can also reduce exposure to such threats. 

Cybersecurity researchers warn that both FileFix and its predecessor ClickFix are likely to remain popular among attackers until awareness becomes widespread. As these techniques evolve, sharing knowledge within organizations and communities is seen as a key defense. At the same time, maintaining strong cyber hygiene and securing personal devices are essential to reduce the risk of falling victim to these increasingly sophisticated phishing campaigns.
Read more »
MSP
CISO best practices Cyber Attacks Cyber-recovery Cybersecurity measures cybersecurity solutions Data Recovery IT Industry MSP

Clarity, Control, And Recovery Define Effective Response To Cyberattacks For IT Teams And MSPs

 

When a cyberattack strikes, the impact is immediate. Systems slow down, files are locked, phones flood with alerts, and the pressure mounts by the second. The speed and precision of the response often determine whether the situation ends in recovery or spirals into disaster. What IT teams and managed service providers need most in these moments are clarity, control, and a dependable recovery path. Without them, even the most experienced professionals risk being overwhelmed as damage escalates. With them, organizations can act decisively, protect clients, and reduce the fallout. 

Clarity is often the first and most urgent requirement. Cyberattacks cause confusion because the nature of the threat is not always obvious at the start. Without a clear understanding of whether it is ransomware, phishing, insider activity, or some other form of compromise, teams are left to guess. Guesswork wastes time and can worsen the situation. Real-time visibility into anomalies such as suspicious login attempts, sudden file encryption, or unusual network traffic provides a unified picture of what is happening. This enables teams to see the blast radius, identify compromised systems, and determine which data remains safe. With clarity, chaos turns into something manageable, allowing quick decisions on isolating, preserving, or shutting down systems. 

Once clarity is achieved, control becomes the next critical step. Attacks often spread through privilege escalation, lateral movement, or data exfiltration. Containment prevents small breaches from becoming catastrophic. Rapidly isolating infected endpoints, revoking exploited credentials, and automatically enforcing protective policies are crucial for slowing or halting an attack. Effective incident response relies not only on tools but also on predefined roles, playbooks, and escalation paths, so teams know exactly what actions to take under pressure. Efficiency also matters: the more capabilities managed through a single interface, the faster the recovery. Integrated solutions such as endpoint detection and response or extended detection and response make it easier to contain incidents before they spread. 

Even after containment, damage may remain. Data can be encrypted, systems may be taken offline, and clients demand immediate answers. At this point, the most valuable resource is a reliable recovery lifeline. Secure backup systems provide assurance that even if primary operations are disrupted, organizations can restore data and systems. Backups that are immutable prevent ransomware from altering recovery points, while granular restore functions allow for quick access to specific files or applications. Disaster recovery solutions can even spin up workloads in secure environments while remediation continues. For IT teams, recovery prevents operations from grinding to a halt, and for MSPs, it preserves customer trust. 

Cyberattacks are not hypothetical but inevitable. The organizations that fare best are those that prepare in advance, investing in monitoring, building strong response playbooks, and deploying robust recovery solutions. Preparation does not eliminate attacks, but it makes the difference between manageable disruption and catastrophe.
Read more »
WhiteCobra
Crypto Theft Cyber Attacks OpenVSX VSCode WhiteCobra

WhiteCobra Floods VSCode Market with 24 Crypto-Stealing Extensions

 

A threat actor named WhiteCobra has infiltrated the Visual Studio Code marketplace and Open VSX registry with 24 malicious extensions targeting developers using VSCode, Cursor, and Windsurf editors . 

Campaign overview

The ongoing campaign represents a sophisticated operation that researchers at Koi Security have been tracking for over a year. WhiteCobra is the same group responsible for a $500,000 cryptocurrency theft in July 2025, demonstrating their evolution from basic PowerShell miners to advanced crypto-stealing malware . 

The campaign gained significant attention when Ethereum developer Zak Cole, a security professional with a decade of experience, had his wallet drained after installing what appeared to be a legitimate extension called "contractshark.solidity-lang" for the Cursor editor . The extension featured professional design elements, detailed descriptions, and showed 54,000 downloads on OpenVSX, highlighting the sophisticated deception techniques employed . 

Attack methodology 

WhiteCobra deployed extensions across both platforms, including names like ChainDevTools.solidity-pro, kilocode-ai.kilo-code, juan-blanco.solidity, and VitalikButerin-EthFoundation.blan-co on various marketplaces . These extensions specifically target cryptocurrency-related development tools, particularly Solidity smart contract development extensions . 

The malicious extensions execute through a multi-stage payload delivery system. The main extension file appears identical to standard VSCode boilerplate code but contains a hidden call to a secondary script that downloads platform-specific payloads from Cloudflare Pages . On Windows systems, the payload executes PowerShell scripts that deploy Python code containing shellcode to run LummaStealer malware. 

This sophisticated info-stealer targets cryptocurrency wallets, browser credentials, web extensions, and messaging application data . On macOS systems, the payload deploys a malicious Mach-O binary that loads an unknown malware family, demonstrating cross-platform capabilities . 

Operational sophistication 

WhiteCobra operates with remarkable organization and persistence. The group maintains detailed playbooks with revenue targets ranging from $10,000 to $500,000, provides command-and-control infrastructure setup guides, and employs sophisticated social engineering and marketing strategies to make their extensions appear legitimate . 

The threat actors manipulate download counts, ratings, and reviews to establish credibility, making detection extremely difficult for users . When extensions are removed, WhiteCobra can deploy replacement campaigns in under three hours, demonstrating their resilience and operational efficiency . 

Ongoing threat

Despite security researchers reporting and removing malicious extensions, WhiteCobra continues uploading new malicious code weekly, making this an active and persistent threat to the developer community . The campaign's success against experienced security professionals underscores the sophisticated nature of these attacks and the urgent need for improved verification mechanisms in extension marketplaces .
Read more »
UDP flood
CloudFlare Cyber Attacks DDOS Attack FastNetMon IoT device security MikroTik routers packet-rate floods UDP flood

FastNetMon Mitigates 1.5 Billion PPS DDoS Attack Leveraging IoT Devices and MikroTik Routers

 

A massive distributed denial-of-service (DDoS) attack has been detected and mitigated by FastNetMon, targeting a DDoS protection vendor in Western Europe. According to the company, the attack surged to an astonishing 1.5 billion packets per second (pps), ranking among the largest packet-rate floods ever recorded.

FastNetMon revealed that the malicious traffic primarily consisted of UDP floods generated from hijacked customer-premises equipment (CPE), including IoT devices and MikroTik routers. The attack leveraged resources from over 11,000 networks worldwide. While the victim company wasn’t disclosed, FastNetMon confirmed it was a DDoS scrubbing provider, a service that filters malicious traffic during such cyberattacks.

“This event is part of a dangerous trend,” said Pavel Odintsov, founder of FastNetMon. “When tens of thousands of CPE devices can be hijacked and used in coordinated packet floods of this magnitude, the risks for network operators grow exponentially. The industry must act to implement detection logic at the ISP level to stop outgoing attacks before they scale.”

The incident was identified and mitigated in real time, with FastNetMon’s automated systems flagging the abnormal traffic within seconds. Defense measures included scrubbing technologies at the customer’s facility and deploying access control lists (ACLs) on routers vulnerable to amplification abuse.

FastNetMon highlighted that its platform, powered by optimized C++ algorithms, is specifically built to handle traffic events at such a scale. Thanks to these defenses, the targeted provider reportedly suffered no visible downtime or service disruption.

The news comes shortly after Cloudflare reported a record-breaking volumetric attack reaching 11.5 Tbps and 5.1 billion pps, underscoring the growing severity of both packet-rate floods and bandwidth-driven DDoS attacks.

“Taken together, the two incidents underline a rise in both packet-rate and bandwidth-driven floods, a trend that is pressuring the capacity of mitigation platforms worldwide,” FastNetMon said.

“What makes this case remarkable is the sheer number of distributed sources and the abuse of everyday networking devices. Without proactive ISP-level filtering, compromised consumer hardware can be weaponized at a massive scale,” the company added.
Read more »
VMScape
Cloud Computing CPU Cyber Attacks VMScape

New VMScape Attack Raises Concerns Over Virtual Machine Security



Researchers have revealed a new attack technique called VMScape that can break the security barriers between virtual machines and the systems that host them. This discovery is substantial because virtualization forms the backbone of today’s cloud computing environment, where multiple customers often share the same physical hardware. 

How the attack works

Modern processors use a performance trick known as speculative execution, where the CPU guesses the next steps of a program before it is certain. While this speeds up computing, past incidents like the Spectre vulnerability have shown that attackers can manipulate this feature to gain access to protected information.

VMScape builds on this concept. Instead of targeting an individual application, it allows a malicious virtual machine to influence how the host hypervisor, the software that manages multiple virtual machines, makes predictions during execution. By carefully crafting these interactions, attackers can cause the hypervisor to briefly access secret data, such as encryption keys, which then leaves behind subtle traces in the processor’s memory cache. The attacker can measure these traces and piece together the stolen information.

The researchers focused on QEMU, a widely used hypervisor component. By training the processor’s branch prediction structures, a malicious VM can trick QEMU into speculatively executing instructions that leak information. To make the attack more reliable, the team developed methods to clear out cache entries and bypass protections like Address Space Layout Randomization (ASLR).

In practice, they managed to extract information at about 32 bytes per second with near-perfect accuracy. This means that a 4KB encryption key could be stolen in just over two minutes, while the full attack process, including defeating ASLR, took around 13 minutes.

Which systems are impacted

According to the findings, VMScape affects a wide range of AMD processors from the first Zen generation up to Zen 5, as well as Intel’s Coffee Lake CPUs. The latest Intel architectures, such as Raptor Cove and Gracemont, are not vulnerable. Importantly, the attack does not require altering the host system or disabling existing mitigations, making it more concerning for shared environments like public cloud platforms.

The implications for cloud security are clear: if one customer’s virtual machine can read sensitive data from another, it undermines trust in multi-tenant platforms. However, it is important to note that this attack is complex, requires expert-level skills, and demands uninterrupted time to execute. Ordinary users are unlikely to be directly affected.

Next steps

The discovery highlights the ongoing challenge of securing speculative execution in modern CPUs. While vendors are expected to release updates and mitigations, system administrators and cloud providers will need to stay alert and apply patches as they become available. For most users, the best course of action is to ensure their providers are following these security updates.



Read more »
Subscribe to: Comments (Atom)