Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Social Engineering. Show all posts
User Security
ClickFix Cyber Fraud phishing Social Engineering User Security

ClickFix Attack Tricks Users into Infecting Their Own Devices

 

Cybercriminals are increasingly using a social engineering attack called ClickFix, which manipulates victims into unknowingly initiating cyberattacks on their own systems. According to Microsoft’s 2025 Digital Defense Report, ClickFix has become the most common initial access technique, recorded in 47% of attacks tracked by Microsoft Defender Experts over the past year. This rise is largely attributed to attackers’ growing ability to bypass traditional anti-phishing protections and successfully exploit human behavior.

What is ClickFix?

ClickFix is a deceptive tactic that capitalizes on users' desire to solve perceived simple technical problems. It typically starts with a phishing email or fraudulent website designed to look like a legitimate service—one notable example was seen in spoofed Booking.com emails during the 2024 holiday season. 

The victim is prompted through a fake notification to resolve an issue, often by copying and pasting a code snippet or clicking through a sequence mimicking technical support instructions. Unbeknownst to the user, these instructions result in executing malicious PowerShell or mshta.exe commands, which launch malware directly into system memory—bypassing the need for a downloaded file and evading common antivirus solutions.

Changing threat landscape

ClickFix is especially concerning because it reflects a broader shift in cybercriminal tactics: exploiting human psychology over technical vulnerabilities. Security vendors highlight that this trend is amplified by the use of artificial intelligence, which enables attackers to craft highly convincing phishing lures and even simulate full conversation threads for business email compromise schemes. 

The payloads delivered through ClickFix attacks are diverse and dangerous, including ransomware, information stealers, remote access trojans (RATs), and worms such as Xorm, Danabot, and NetSupport RAT. Reports from security vendors indicate a 500% surge in ClickFix incidents in the first half of 2025, making up an estimated 8% of all attacks during that period.

Defense strategies and user awareness

Traditional defenses based on blocking suspicious attachments, network traffic, or sender domains cannot reliably stop ClickFix. Instead, organizations and individuals must focus on behavioral change: never follow unsolicited technical instructions without independent verification, and always treat requests for manual intervention—like pasting unfamiliar code—with skepticism.

Security awareness training and updated incident response plans are crucial for combating this new wave of attacks. As threat actors continue to refine their methods, education and skepticism remain the frontline defenses against self-induced cyber threats.
Read more »
WhatsApp Malware
Banking Trojan Cyber Threats Cybersecurity Data Breach Fileless Attack Financial Security Malware Campaign Social Engineering WhatsApp Malware

WhatsApp Worm Infects Devices and Compromises User Banking Information

 


There has been a troubling revelation in the cybersecurity community that cybercriminals continue to weaponise trusted digital ecosystems by deploying highly sophisticated malware campaigns that use WhatsApp's messaging platform to infiltrate users throughout Brazil, demonstrating that cybercriminals continue to use trusted digital ecosystems to their advantage. 

This large-scale operation, which was detected on September 29, 2025, exhibits unprecedented technical precision and social engineering skills, manipulating user trust in order to achieve rapid and silent propagation of the virus. There has been an increased use of WhatsApp Web by the attackers in attempts to propagate malicious LNK and ZIP files disguised as harmless attachments sent from compromised contacts. 

The attackers have chosen to send misleading messages that convincingly mimic genuine communication to lure their victims into execution. The moment that an unsuspecting recipient opens a file that contains malware on a desktop system, the malware stealthily executes a fileless infection chain, which is designed to steal credentials from financial institutions as well as cryptocurrency exchanges as they conduct their transactions. 

Researchers have determined that the campaign was linked to a broader operation known as "Water Saci," which shows a level of sophistication and scale not typically seen in regional cybercrime. There is evidence in the code of the malware, Maverick and Sorvepotel, that is code-like to the notorious Coyote Trojan, pointing to a new evolution of Brazilian cybercrime tools that target the thriving ecosystem of digital finance in the country. 

In contrast to typical attacks that are primarily focused on data theft and ransomware deployment, this particular operation places a high value on rapid self-propagation and wide infiltration. 

By cleverly leveraging social relationships, the infection process distributes malicious files through the accounts of already infected users to embed itself deeper into trusted networks as a result. It is estimated that over 400 corporate environments have already been compromised by this threat, and more than 1,000 endpoints have been affected, proving that the campaign's aggressive reach and operational efficiency are evident because command-and-control servers validate each download to ensure that it comes directly from the malware. 

Nevertheless, this technique complicates automated security analysis and network defence, making it significantly more difficult to detect and deter the threat. The malware was written primarily in Portuguese and distributed by localised URLs. As a result of its design, it suggests that a deliberate effort was made to target the individual consumer as well as corporate users in Brazil's rapidly growing cryptocurrency and financial sectors.

Besides the campaign's regional implications, this campaign serves as a stark reminder of the convergence that has been taking place in modern cyberattacks between social manipulation and advanced technical execution. 

With this new wave of WhatsApp-targeted malware exploiting trust, automation, and the interconnectedness of messaging platforms, people are witnessing a concerning shift in the cyber threat landscape, one where they can no longer assume the familiar is safe. It has been reported that the Sorvepotel malware has impacted many sectors throughout Brazil, not just individual users. The malware has penetrated a wide range of sectors throughout the country.

A Trend Micro cybersecurity researcher stated that public and government service organisations have been the most severely affected, followed by manufacturing, technology, education, and construction organisations. However, as attackers continue to refine and expand their tactics, other Latin American countries may soon have to face similar threats. 

Although the current campaign is focusing primarily on Brazil, experts warn that similar threats may soon impact other Latin American countries. There is no doubt that the Sovepotel infection chain is extremely deceptive. It spreads mainly through phishing messages sent via compromised contacts' WhatsApp accounts. It is common for these messages, which appear to come from trusted friends or colleagues, to contain malicious ZIP files, which appear as if they were legitimate files-such as receipts, budget documents, or health-related documents, written in Portuguese. 

These files are aimed at attracting enterprise users rather than casual mobile users, as they are urged to open them on desktop computers. Once the malware has been executed, it will spread automatically through WhatsApp Web, sending mass messages which will not only expedite its spread but will also lead to the suspension of infected accounts for excessive spam activity, as well as the spreading of the malware. 

Several researchers have noticed that, in addition to parallel phishing campaigns through email, attackers may also distribute ZIP files containing similar content from seemingly legitimate corporate addresses, increasing the likelihood of infection. There is already a substantial scale of operation, with over 400 customer environments reported as compromised, which is an indication that the worm has spread rapidly and is extremely effective in its operational aspects. 

By targeting Brazilian financial institutions and cryptocurrency exchanges, the group illustrates a deliberate effort to monetise itself by stealing credentials and gaining unauthorised access to financial resources, even though analysts warn that the same techniques can be adapted to other countries as well. Depending on the severity of the attack, financial consequences can range from immediate unauthorised withdrawals to long-term identity theft and the loss of a victim's reputation. 

Cybersecurity experts, for this reason, emphasise the need to adopt multilayered defence strategies. Educating users and organisations on how to keep them safe requires them to avoid suspicious links, even those shared by familiar contacts, as well as verify their authenticity by using alternative channels for communications. It is crucial to maintain an updated application base, enable two-factor authentication across financial and communication platforms, and keep reputable antivirus software in place to minimise exposure. 

Additionally, it is important to monitor financial accounts for unusual activity and conduct frequent data backups to prevent future losses. It is important to note that research indicates that awareness and education remain the best defences, as they ensure both individuals and organisations are prepared to recognise, resist, and report emerging social engineering threats as soon as they emerge, so they are not caught by surprise.

Based on the technical analysis of the campaign, people have discovered that the infection mechanism in the campaign was highly sophisticated and stealthy in order to evade detection and achieve persistence without leaving any traditional forensic evidence. During the first stage of infection, a victim receives a malicious ZIP archive through WhatsApp Web, which contains a malicious LNK file disguised as a legitimate document. 

These LNK files are often presented by generic names, or they are branded to resemble correspondence from a bank. In the accompanying Portuguese language message, the recipient is advised to open the file on a computer, as it specifies that "visualisations can be performed only on computers," and even suggests Chrome users select the "keep file" option due to the ZIP format of the file. 

When the LNK file has been executed, it launches cmd.exe with embedded commands that trigger a PowerShell script, which is responsible for contacting a remote command and control server via a PowerShell script. Using this server, each request is meticulously verified, allowing downloads only if the "User-Agent" header is detected to be unique to the PowerShell process. 

By doing so, the server effectively blocks unauthorised access and automated analysis attempts, blocking common attacks. Using PowerShell, the embedded .NET file will be decoded and executed as a live assembly by using byte-level manipulation, thereby making the infection completely fileless, because it will be performed entirely in memory.

It is quite hard to reverse engineer this initial loader because it is heavily obfuscated by controlling flow flattening, indirect function calls, and randomised naming conventions. A key part of the malware's function is to download and decrypt two encrypted shellcodes from the C2 server, authenticated by a cryptographic HMAC signature. 

The attacker's custom key — "MaverickZapBot2025SecretKey12345"— generates an API token that allows it to fetch these payloads only. Additionally, the campaign is further protected from external scrutiny by the custom key. 

The decrypted data contains a Doughnut-based loader that is responsible for initiating two distinct execution paths: the first delivers the “MaverickBanker” Trojan, while the second targets the WhatsApp infector module. Subsequent stages continue along this elaborate path. Secondary loaders are responsible for retrieving a .NET assembly named "Maverick.StageOne," a component that will download and execute the WhatsApp infector, a self-propagating component intended to hijack a victim's session and automate the delivery of messages, in an attempt to hijack their data. 

By using open-source automation tools like WPPConnect and Selenium browser drivers, this module can detect an active WhatsApp Web window and begin sending malicious files to the victim's contacts in order to maintain infection. During this stage in Brazilian culture, WhatsApp is referred to as the “ZAP,” a colloquial term referring to its localised development and social engineering techniques. 

Despite the multiple layers of obfuscation used in the malware, analysts have been able to reconstruct the malware's workflow, confirming that the malware has a modular structure, reuses shared functions, and intends to maintain a large-scale self-replication network across multiple interconnected networks, confirming its intent to be able to replicate itself. 

With an intricate combination of automation, encryption, and behavioural evasion, large-scale cybercrime operations are being carried out using everyday communication tools in a manner that represents a new frontier in weaponising these tools. A technical analysis of the Water Saci campaign has demonstrated that an advanced and meticulously engineered infrastructure was used to ensure persistence, propagation, and stealth of the campaign.

During the first stage of the PowerShell script, an Explorer process is secretly launched, which will be used to retrieve further payloads from multiple command-and-control (C2) servers, including the ones hosting zapgrande.com, expansiveuser.com, and sorvetenopote.com. As can be seen from embedded Portuguese-language comments embedded within the code, the threat actor intentionally attempted to weaken the system’s defences by executing commands in Microsoft Defender to disable User Account Control (UAC). 

As a result of the deliberate security modifications, the malware can perform privileged operations uninterrupted, creating an environment where subsequent payloads are not detected. In addition, the campaign delivers one of two distinct payloads, depending on the system profile of the victim: a legitimate Selenium browser automation framework, which is coupled with ChromeDriver, or the more destructive Maverick banking Trojan. 

A Selenium component is used to simulate active browser sessions, enabling attackers to hijack WhatsApp Web accounts for the purpose of distributing malicious files to new victims, leading to the propagation of the worm's self-propagation cycle. Maverick, on the other hand, focuses on credential theft, monitoring user browsing activity to determine how to gain access to Brazilian financial institutions and cryptocurrency exchanges before deploying additional. NET-based malwaretoo harvest sensitive information about their customers. 

Despite the fact that the campaign is quite adaptable to the dual payload mechanism, the researchers from Trend Micro point out that, combined with the campaign's ability to spread independently, this represents a significant escalation in regional cyber threats, and if left unchecked, can easily spread beyond Latin America. 

It is particularly challenging due to the campaign's worm-like nature: after the initial infection, the malware sends further malicious messages to the victim's WhatsApp contacts, creating a fast and exponential infection network based on the social trust that has been established. Because recipients are much more likely to open attachments from familiar sources, this strategy has a dramatic impact on the success rate of the malware. 

In an effort to make the world a more secure place, cybercriminals are increasingly exploiting widely used communication platforms to deliver fileless and evasive attacks, according to experts, which marks a significant change in the global threat landscape. WhatsApp is used extensively across Brazil for personal and professional purposes and is therefore a lucrative target for cybercriminals. Despite the growing threat, researchers have urged organisations to take proactive defensive measures to reduce risks.

It is recommended that administrators disable auto-downloads of media and documents on WhatsApp, implement firewall and endpoint policies restricting file transfers from personal applications, and enforce application whitelisting or containerization in BYOD environments to prevent malicious attacks. 

The importance of employee awareness programs cannot be overstated - users need to be trained in recognising and reporting suspicious attachments and links, even those sent by trusted contacts. Responding quickly to PowerShell execution alerts as well as maintaining updated endpoint security tools can help further contain infections in their earliest stages. 

Experts warn that to be able to fight these kinds of threats, companies must maintain vigilance, implement layers of defences, and foster an organisational culture that fosters awareness -- elements that have become increasingly important as malicious software that thrives on trust and connectivity spreads.

WhatsApp's "Water Saci" operation illustrates how cyber tactics are rapidly transforming the way people manage digital risk in everyday communication due to their rapid advancement. The attackers continue to exploit the familiarity of trusted platforms, so the user and organisation alike must adopt a more comprehensive protective framework that combines technology, awareness, and behavioural caution to protect themselves.

By implementing robust defences such as endpoint monitoring, adaptive threat detection, and strict file transfer controls, it may be possible to reduce exposure to such fileless and socially engineered threats. The reduction of infection rates can also be drastically reduced when the workplace culture is rooted in cybersecurity mindfulness-where verification precedes action.

The strategic collaboration between cybersecurity companies, financial institutions, and policy regulators will be crucial if people are to identify early signs of compromise and neutralise threats before they become a problem. It is important that individuals as well as organisations embed proactive vigilance and shared accountability as part of their digital habits, ensuring that trust in modern communication tools remains a strength instead of a weakness for both parties.

Read more »
Social Engineering
Cyber Crime Ransom Payment Ransomware Scattered Spider Social Engineering

Teens Arrested Over Scattered Spider’s $115M Hacking Spree

 

Law enforcement authorities in the United States and United Kingdom have arrested two teenagers connected to the notorious Scattered Spider hacking collective, charging them with executing an extensive cybercrime operation that netted over $115 million in ransom payments.

The UK's National Crime Agency arrested 19-year-old Thalha Jubair of East London and 18-year-old Owen Flowers of Walsall, West Midlands, at their homes on Tuesday. Both suspects appeared in London court on Thursday to face charges related to their alleged involvement in a cyberattack against Transport for London (TfL) in August 2024 .

Scale of criminal activity

The US Justice Department has charged Jubair with participating in at least 120 computer network intrusions and extortion attempts targeting 47 US organizations from May 2022 to September 2025. Federal authorities allege these attacks caused victims to pay more than $115 million in ransom payments, with the malicious activities causing significant disruptions to US enterprises, critical infrastructure, and the federal judicial system.

Timeline of offenses

Investigators believe Jubair began his cybercriminal activities at age 14, with the hacking spree spanning from 2022 until last month. Flowers was initially arrested in September 2024 for the TfL attack but was released on bail before being rearrested l. Both suspects had previously been detained in July for data theft incidents targeting UK retailers including Marks & Spencer, Harrods, and Co-op Group.

Scattered Spider distinguishes itself from other cybercriminal organizations through the notably young age of its members and their English-speaking proficiency. The group employs sophisticated social engineering tactics, frequently impersonating IT support personnel to deceive employees into revealing passwords or installing remote access software. Their attacks have disrupted major organizations including MGM Resorts and Caesars Entertainment in Las Vegas during 2023.

Legal consequences 

Jubair faces multiple charges related to computer fraud and money laundering, with prosecutors indicating he could receive a maximum sentence of 95 years in prison if convicted. Investigators linked the breaches to Jubair through evidence showing he managed servers hosting cryptocurrency wallets used for receiving ransom payments. 

Flowers faces additional charges for conspiring to infiltrate and damage networks of US healthcare companies SSM Health Care Corporation and Sutter Health.
Read more »
Social Engineering
Corporate data Data Breach Extortion Scheme FBI Hackers Salesforce Social Engineering

FBI Warns of Hackers Exploiting Salesforce to Steal Corporate Data

 



The Federal Bureau of Investigation (FBI) has issued a pressing security alert regarding two cybercriminal groups that are breaking into corporate Salesforce systems to steal information and demand ransoms. The groups, tracked as UNC6040 and UNC6395, have been carrying out separate but related operations, each using different methods to compromise accounts.

In its official advisory, the FBI explained that attackers are exploiting weaknesses in how companies connect third-party tools to Salesforce. To help organizations defend themselves, the agency released a list of warning signs, including suspicious internet addresses, user activity patterns, and malicious websites linked to the breaches.


How the Attacks took place 

The first campaign, attributed to UNC6040, came to light in mid-2024. According to threat intelligence researchers, the attackers relied on social engineering, particularly through fraudulent phone calls to employees. In these calls, criminals pretended to be IT support staff and convinced workers to link fake Salesforce apps to company accounts. One such application was disguised under the name “My Ticket Portal.” Once connected, the attackers gained access to sensitive databases and downloaded large amounts of customer-related records, especially tables containing account and contact details. The stolen data was later used in extortion schemes by criminal groups.

A newer wave of incidents, tied to UNC6395, was detected a few months later. This group relied on stolen digital tokens from tools such as Salesloft Drift, which normally allow companies to integrate external platforms with Salesforce. With these tokens, the hackers were able to enter Salesforce systems and search through customer support case files. These cases often contained confidential information, including cloud service credentials, passwords, and access keys. Possessing such details gave the attackers the ability to break into additional company systems and steal more data.

Investigations revealed that the compromise of these tokens originated months earlier, when attackers infiltrated the software provider’s code repositories. From there, they stole authentication tokens and expanded their reach, showing how one breach in the supply chain can spread to many organizations.


The Scale of this Campaign 

The campaigns have had far-reaching consequences, affecting a wide range of businesses across different industries. In response, the software vendors involved worked with Salesforce to disable the stolen tokens and forced customers to reauthenticate. Despite these steps, the stolen data and credentials may still pose long-term risks if reused elsewhere.

According to industry reports, the campaigns are believed to have impacted a number of well-known organizations across sectors, including technology firms such as Cloudflare, Zscaler, Tenable, and Palo Alto Networks, as well as companies in finance, retail, and enterprise software. Although the FBI has not officially attributed the intrusions, external researchers have linked the activity to criminal collectives with ties to groups known as ShinyHunters, Lapsus$, and Scattered Spider.


FBI Recommendations

The FBI is urging organizations to take immediate action by reviewing connected third-party applications, monitoring login activity, and rotating any keys or tokens that may have been exposed. Security teams are encouraged to rely on the technical indicators shared in the advisory to detect and block malicious activity.

Although the identity of the hackers remains uncertain, the scale of the attacks highlights how valuable cloud-based platforms like Salesforce have become for criminals. The FBI has not confirmed the groups’ claims about further breaches and has declined to comment on ongoing investigations.

For businesses, the message is clear: protecting cloud environments requires not only technical defenses but also vigilance against social engineering tactics that exploit human trust.



Read more »
Social Engineering
Clorox Cognizant Data Breach Lawsuit Social Engineering

Clorox Blames $380M Breach on Service Desk Social Engineering, Sues Cognizant

 

In August 2023, the Scattered Spider group orchestrated a devastating social engineering attack against Clorox that resulted in approximately $380 million in damages, demonstrating how a simple phone call can lead to catastrophic business disruption . 

Modus operandi 

The attackers bypassed sophisticated cybersecurity measures through old-fashioned social engineering, repeatedly calling Cognizant's service desk and impersonating locked-out Clorox employees . Rather than exploiting technical vulnerabilities, they manipulated human psychology, using calm, scripted conversations to convince frontline agents to reset passwords and multi-factor authentication without proper verification . 

According to court filings, the attackers conducted thorough reconnaissance, collecting employee names, titles, recent hires, and internal ticket references to make their impersonation attempts more convincing . The legal complaint alleges that Cognizant agents violated agreed procedures by resetting credentials without properly authenticating callers first . 

Devastating impact 

The breach caused operational paralysis at Clorox, with production systems taken offline, manufacturing paused, and manual order processing implemented . The company experienced significant shipment delays that depressed sales volumes, with the total financial impact reaching roughly $380 million, including $49 million in direct remedial costs and hundreds of millions in business-interruption losses . 

Why outsourcing amplified risk

Outsourced help desks present unique vulnerabilities due to their broad cross-tenant privileges and high-volume workflows that can lead to shortcuts in verification processes . Large vendors handling numerous calls may experience "process drift," where agents prioritize getting users working over strict security verification . Additionally, third-party systems often create visibility gaps, with actions logged in separate systems that aren't fully integrated into customers' security monitoring . 

Defense recommendations 

Security experts recommend treating help-desk resets as privileged operations requiring out-of-band verification through company-owned phone callbacks or emailed tokens . High-risk resets should mandate two-person approval and automatic manager notifications . 

Organizations should implement automated telemetry to log every reset with immutable audit trails and alert on suspicious patterns like multiple resets from the same external number . Contract language with vendors must require technical controls, auditability, and regular social-engineering simulations to measure and improve verification processes .
Read more »
TransUnion
Consumer Protection Cybersecurity Data Breach Identity Theft Social Engineering third-party risk TransUnion

Credit Bureau TransUnion Confirms Breach Impacting Millions


 

In the apparent wake of growing threats to consumers' personal information, credit reporting giant TransUnion has recently announced a cybersecurity incident that exposed personal information from more than 4.4 million Americans. Several regulators and state attorneys general have confirmed that the breach took place on July 28, 2025, and was discovered just two days later by investigators. 

Among the data exposed was sensitive information such as names, Social Security numbers, and dates of birth, which were linked to a third-party application that was used by TransUnion in its U.S. consumer operations. In its statement, TransUnion clarified that the breach was limited in scope, clarifying that its internal systems and core credit reporting databases were not impacted by the breach. 

The company also stated that no credit reports or core financial records - information that could be highly valuable to fraudsters - were accessed by anyone. TransUnion filed notifications in Maine and Texas indicating that the incident was related to a third-party platform that was reportedly linked to Salesforce, rather than TransUnion's own infrastructure. 

Despite the company’s description of the exposure, which was limited to “some limited personal data”, the magnitude of the breach underscores the ongoing risks associated with external service providers in the financial services industry. 

Recent years have seen a growing concern for credit bureaus as consumer information has become increasingly attractive to cybercriminals as a target. This latest security incident is another in a long string of security incidents that have impacted major financial institutions in recent years, highlighting the difficulty of safeguarding sensitive information across a complex digital ecosystem. 

In addition to Experian and Equifax, TransUnion is one of the nation's "big three" credit reporting agencies, and together with them, they play an important role in shaping our nation's financial system by compiling detailed credit histories on nearly every consumer who has an active credit history. These files are used to create credit reports that lenders, landlords, and employers use in order to gauge a person's financial security, and they are also used to build widely known scoring models like FICO. 

This is the method by which lenders, landlords, and employers use to calculate a credit score that is composed of three digits. It is therefore natural for breaches involving such institutions to have such a significant impact on consumers and the economy as a whole. Taking a step in response to the latest incident, TransUnion has begun to send out letters to affected individuals directly and has urged consumers to contact the fraud helpline at 1-800-516-4700, which is open on weekdays, to find out if they are in good standing. 

In addition, experts suggest that consumers periodically review their credit reports across the three credit bureaus—which can be accessed for free once a week by visiting AnnualCreditReport.com.com—to see if there are any inaccuracies or if there are signs that something is amiss. As a measure of further security, paid services, like MyFico, can track FICO scores in real time and monitor fraud, while platforms like Credit Karma and WalletHub offer free VantageScore reports to subscribers who enrol in them. 

The TransUnion company initially stated that there had been no compromise of credit files; however, subsequent disclosures told a much more troubling story. According to regulatory filings filed with the Texas Attorney General’s office, among the exposed data set were names, dates of birth, and Social Security numbers, which are some of the most sensitive identifiers in the world today. 

There is no way to monitor or reset Social Security numbers, unlike credit information, which can be monitored or reset, and it may serve as a gateway to long-term identity theft and fraud. Several financial security experts warn that such information can be used for a number of purposes, including opening unauthorised credit lines, applying for loans or government benefits under stolen identities, submitting false tax returns, and other financial crimes. 

Considering that TransUnion is among the largest credit bureaus in the nation and holds records on over 260 million Americans, this breach raises serious concerns about the resilience of institutions that safeguard some of the country’s most critical consumer information. As a consequence of the breach, which was detected on July 28  and contained within hours, affected individuals have now been notified about it. 

There has been no compromise of TransUnion's core credit database or consumer credit reports, a company that is among the nation's three primary credit bureaus, along with Equifax and Experian. Rather, the intrusion was traced back to a third-party application supporting U.S. consumer operations, where unauthorised access allowed for the publication of limited personal information. According to court filings in Maine and Texas, however, names, birthdates, and Social Security numbers were among the data that had been compromised. 

In order to assess the full scope of this incident, TransUnion has engaged an independent cybersecurity expert to conduct a forensic analysis. The incident occurred in the midst of a large wave of cyberattacks targeting Salesforce-connected software. In June, Google revealed that hackers were using modified versions of Salesforce-related tools for infiltration and stealing large amounts of sensitive data from cloud systems. ShinyHunters, a cybercriminal organisation suspected of being involved in such campaigns, has been accused of using extortion tactics against employees of victim companies.

Security researchers have noted that some of the biggest corporations in the world have been breached in similar ways in recent months, including Google, Farmers Insurance, Allianz Life, Workday, Pandora, Cisco, Chanel, and Qantas. This highlights the importance of supply-chain vulnerabilities in a wide range of popular platforms as well as the dangers they pose. 

According to Salesforce, social engineering attacks against users, and not flaws in Salesforce's platform, were at fault, as it has maintained. A comparison is inevitably drawn with Equifax's 2017 data breach, one of the biggest in U.S. history, in which 147 million Americans' personal data was exposed, costing the company nearly $700 million in settlements and fines, and ultimately causing the company to lose millions of dollars. 

In the wake of this incident, congressional hearings were held and scrutiny of the credit reporting industry heightened, which led to state and federal government reforms aimed at strengthening consumer data protection. As a result of the TransUnion breach, security experts are once again urging the affected to be vigilant, reviewing their credit reports, setting up fraud alerts, and monitoring their accounts to ensure that unusual activity does not occur. 

As of right now, AnnualCreditReport.com is providing free weekly credit reports from all three major credit bureaus. Additional monitoring services may also provide a means of detecting signs of fraud, while in the meantime, Schubert Jonckheer & Kolbe has announced an investigation into the TransUnion incident, signalling the possibility of further litigation. 

TransUnion has yet to provide any details regarding the new safeguards that TransUnion intends to implement, nor has it specified whether financial restitution will be provided to victims. There have been a growing number of high-profile breaches involving third-party providers, which have been attributed to vulnerabilities in those third parties during the last few years.

For example, in June 2025, a cyberattack against chains IQ chain exposed proprietary data and banking information of the banking giant UBS. The following month, Allianz Life announced that a compromised cloud-based customer relationship management system had been used to obtain personal information regarding the majority of the company's 1.4 million American customers. That same month, Qantas confirmed that approximately six million customer records were exposed after hackers breached a third-party customer service platform on which Qantas had relied. 

Researchers have identified many of these incidents as related to cybercriminal groups such as ShinyHunters and Scattered Spider, both of which specialise in exploiting third-party information technology and cloud providers, and both of which specialise in using advanced social engineering tactics to do so. A number of these groups are thought to be associated with "The Com," a sprawling, loosely organised, cybercriminal community comprised of thousands of English-speaking actors who have collaborated on data theft, extortion, and fraud campaigns across a wide range of industries. 

A number of recent incidents have highlighted the persistent vulnerability of third-party platforms, as well as the increasing sophistication of cybercriminal groups attacking the financial services industry. As consumers are reminded by the breach, even when core systems remain intact, the theft of identifying information like Social Security numbers can result in long-term impacts that go beyond the initial intrusion, even if the original intrusion is not detected. 

It is highly recommended that individuals do more than simply review their credit reports—by freezing their credit with all three credit bureaus, a person is preventing the opening of a new account in their name by criminals, while a fraud alert can assist in making it more difficult for the criminals to take advantage of stolen information. 

Moreover, consumers should also consider employing identity monitoring tools that can provide them with the ability to scan the dark web for compromised information before potential misuse turns into financial damage. 

There is also a clear lesson to be learned from reliance on third-party applications: organisations need not only contractual protection but also continuous monitoring, rigorous vetting, and layers of defence to prevent unauthorised access to their systems. Increasingly, supply chain attacks will be a growing problem, and resilience will be dependent upon proactive investment in security as well as consumer awareness of the threats.
Read more »
Workday
Data Breach Salesforce ShinyHunters Social Engineering Workday

Workday Suffers Data Breach in Broader Salesforce Campaign

 

Workday, a major player in the human resources sector, has disclosed a recent data breach caused by a social engineering attack targeting a third-party customer relationship management (CRM) system—specifically, a Salesforce instance.

Although Workday, headquartered in Pleasanton, California, provides services to over 11,000 organizations worldwide (including over 60% of the Fortune 500), the company reports that its main customer data environments known as "customer tenants" were not accessed or impacted by the breach. 

The breach, uncovered nearly two weeks before disclosure, exposed business contact information such as names, emails, and phone numbers contained in the compromised CRM. 

Workday clarified that the compromised data was mostly publicly available information frequently used for business contact purposes, but acknowledged that this exposure could still facilitate further social engineering or phishing attempts by malicious parties. Employees were alerted that attackers may attempt to contact them, impersonating HR or IT staff, to extract sensitive details or credentials. 

This incident is part of a larger ongoing campaign allegedly orchestrated by the ShinyHunters extortion group. BleepingComputer reports that this group specializes in targeting Salesforce CRM instances at major firms through tactics like voice phishing and social engineering. 

Their modus operandi often involves convincing employees to link a fraudulent OAuth application to the company's Salesforce environment, granting attackers access to download vital company databases. Subsequently, stolen data is used for extortion, and the attack group’s ransom notes have consistently identified themselves as ShinyHunters. 

Several other global corporations—including Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Tiffany & Co., Chanel, and Google—have fallen victim to similar attacks over the past few months, with activity believed to have started at the beginning of the year. 

Although Workday didn't confirm direct involvement with Salesforce in their public statement, a company spokesperson indicated the breach was associated with business contact data in the Salesforce platform. The attackers primarily leveraged social engineering, not technical vulnerabilities, to obtain unauthorized access. This breach highlights the increasing effectiveness of well-crafted social engineering attacks targeting SaaS platforms and the persistent threat posed by organized groups such as ShinyHunters. While the compromise did not reach more sensitive internal systems, Workday and similar organizations face ongoing risks of secondary attacks fueled by the exposed contact data.
Read more »
Vulnerabilities
Cyber CyberCrime Cybersecurity CyberThreat Data Breach Digital Transformation Mark&Spencer Ransomware Breach Social Engineering Vulnerabilities

Social Engineering Identified as Catalyst for M&S Ransomware Breach

 


Marks & Spencer (M&S), one of the largest and most established retailers in the United Kingdom, has confirmed that a highly targeted social engineering operation triggered the ransomware attack in April 2025. This breach, which is associated with DragonForce ransomware, points to a disturbing trend in the cybersecurity landscape, namely that human manipulations are increasingly becoming a way to access large-scale digital networks.

Several preliminary findings suggest that the attackers deceived individuals within or connected to the organisation, possibly by posing as trusted employees or partners, to gain unauthorised access to M&S's internal systems. Once they gained access, the attackers deployed ransomware that crippled the organisation's operations and led to the theft of approximately 150 GB of sensitive information.

It is important to note that not only did the attack disrupt critical business functions, but it also exposed the weakness in the company's dependence on third-party vendors, whose vulnerabilities may have contributed to the intrusion. While the company is actively regaining control of its infrastructure as a result of the breach, the incident is a clear warning to organisations across many sectors about the growing threat of social engineering as well as the urgent need for more robust human-centred cybersecurity defences to protect against it.

A public hearing was held on July 8, held at Parliament, in which Archie Norman, Chairman of Marks & Spencer (M&S), gave further insight into the cyberattack in April 2025 that disrupted the retailer's operations. Norman acknowledged that the incident was indeed a ransomware attack, but he declined to divulge whether the company had negotiated anything with the threat actors involved or negotiated a financial settlement. 

According to Norman, who addressed the Business and Trade Sub-Committee on Economic Security, Arms and Export Controls at the UK Parliament, the experience was one of the most disruptive and complex crises he had experienced in his considerable career in business and retail before this one.

As part of the presentation, he stressed the severity and unprecedented nature of the attack that, as it has been discovered, was carried out by the Scattered Spider cyber criminal collective, which is well known for attacking major corporations using DragonForce ransomware infrastructure as a means of extortion and ransom.

It is clear from Norman's testimony that cybercriminal groups have become more bold and technically sophisticated over the last few years, particularly those that employ social engineering as a way to circumvent protocols of conventional security and bypass them.

Aside from acknowledging the considerable operational challenges the company faced in responding to the incident, the chairman pointed out that businesses must strengthen their digital resilience and make themselves more resilient in a rapidly evolving threat landscape, which is difficult to predict. Even though Archie Norman did not disclose specific details about the operation, he did reveal that initially, the attackers were successful in gaining access by exploiting the impersonation scheme devised by an expert security expert.

According to him, the threat actors posed as some of the approximately 50,000 Marks & Spencer employees and successfully deceived a third-party service provider into resetting a legitimate employee's password after posing as one of these employees. As a result of the attackers' seemingly simple deception, they were able to bypass identity verification protocols and gain unauthorised access to the retailer's internal systems, resulting in the attackers gaining access to the retailer's internal network.

In addition, the tactic represents a growing trend in cybercrime in which attackers exploit the trust that large, distributed organisations place in their internal and external vendors to gain access to their networks. The perpetrators were able to manipulate routine IT processes, such as password resets, and then move laterally within the network, setting the stage for a wider deployment of ransomware.

There is an important lesson to be learned from the incident regarding the importance of stringent verification procedures when working with external partners who can become weak links in your security chain, particularly when engaging with external partners. As reported in the Financial Times in May, Tata Consultancy Services (TCS) allegedly initiated an internal investigation to determine whether the company unknowingly played a role in the cyberattack on Marks & Spencer by facilitating the cyberattack.

In the case of TCS, which provides M&S's help desk support, it has been suspected that the threat actors have manipulated the company into resetting the password of an employee, enabling the attackers to gain access to the retailer's internal network. The threat actors are alleged to have done this through the manipulation of TCS. This potential compromise highlights the broader risks associated with outsourcing IT operations and the increasing reliance on third parties to handle critical business functions, as well. 

As a first step towards the resolution of the breach, M&S has publicly identified the DragonForce ransomware infrastructure as how the attack was carried out, revealing that the perpetrators are suspected of operating from Asia. The acknowledgement comes as the company continues to recover, witha phased return to its online retail services being phased in.

 With the introduction of limited home delivery options on June 10, M&S has made it possible for select fashion products to be delivered to customers across England, Wales, and Scotland. Currently, the service is only available to customers in England, Wales, and Scotland. As part of its commitment to managing operational strain and ensuring service reliability, M&S has temporarily extended its standard delivery window to 10 days to ensure service reliability.

 In terms of customer impact, M&S confirmed that certain personal data was compromised during the breach, but that click-and-collect services, which are still suspended as part of the recovery process following the attack, will also be reinstated shortly. As a matter of fact, M&S confirmed that certain personal data had been compromised. Among the information exposed are names, home addresses, phone numbers, email addresses, dates of birth, and information about online orders, which is often exposed.

Despite this, the company has assured the public that no usable information, such as payment information, credit card numbers, or passwords, has been compromised. As a precautionary measure, M&S will ask customers to reset their passwords to ensure that their personal information remains safe. Customers are advised to remain vigilant to be aware of possible phishing attempts or fraudulent activity involving their personal information.

While speculation continues to abound on the possible financial resolution of the ransomware attack, Marks & Spencer has chosen not to disclose whether they have made a ransom payment in the first place. Chairman Archie Norman's testimony made reference to professional ransomware negotiation firms in his testimony. These firms, which are usually specialised intermediaries that assist victim organisations to engage threat actors and facilitate cryptocurrency payments, typically using Bitcoin, are often used by these firms to help victims resolve these threats.

In response to a direct question regarding whether M&S had met the ransom demand, Norman declined to provide a definitive answer. He stated that the company had "not discussed those details publicly" as they believed it was not in the public interest to do so. However, he emphasised that the National Crime Agency (NCA) and other law enforcement authorities had been notified of the full extent of the investigation.

Many experts on the subject of cybersecurity warn that ransomware groups rarely cease extortion efforts without compensation. Because the stolen data has not yet been disclosed publicly, experts believe a ransom might have been paid quietly or negotiations may still be ongoing with the attackers.

Regardless of the outcome of the M&S breach, it serves as a sobering reminder that cybersecurity failures have evolved beyond technical vulnerabilities and are now a result of failures across people, processes, and technological safeguards as well. Despite the rapid evolution of the threat environment in today's world, traditional security tools such as antivirus software are no longer sufficient to deal with the growing number of malware groups that are becoming increasingly agile.

It is imperative that businesses adopt adaptive security architectures that are policy-driven and capable of detecting and neutralising threats before they escalate. In light of the M&S incident, there is an urgent need to develop an approach to cyber resilience that anticipates human error, strengthens digital ecosystems, and minimises the operational and reputational costs associated with an attack.

 In this era of cyber-threats, an incident such as Marks & Spencer's ransomware is often referred to as a case study since it exemplifies how human nature has become as vital as technological defences in combating cyber-attacks.

In an era where organisations are accelerating their digital transformation and increasingly relying on distributed teams, cloud infrastructure, and third-party vendors, this attack reinforces the importance of implementing an integrated cybersecurity strategy that focuses on more than just system hardening; it also emphasises employee awareness, vendor accountability, and continuous risk management.

The most effective way for a company to protect itself is to adopt a proactive, intelligence-driven security posture rather than a reactive, reactive approach; to embed cybersecurity into every aspect of the business, governance, and culture. The deployment of behavioural analytics, third-party audits of identities, and enhancement of identity verifications are no longer optional components of modern cybersecurity frameworks, but rather essential components.

 In the face of increasing threats that are both swift and complex, resilience is not only a one-time fix but a continuous discipline that must be engineered. The M&S breach is more than just a cautionary tale. It is a call to action for enterprises to redesign their security strategies so that they can remain competitive, agile, and forward-thinking.

Read more »
Social Engineering
Cyber Attacks Extortion FBI Luna Moth Ransomware attack Social Engineering

FBI Warns of Luna Moth Ransomware Attacks Targeting U.S. Law Firms

 

The FBI said that over the last two years, an extortion group known as the Silent Ransom Group has targeted U.S. law firms through callback phishing and social engineering tactics. 

This threat outfit, also known as Luna Moth, Chatty Spider, and UNC3753, has been active since 2022. It was also responsible for BazarCall campaigns, which provided initial access to corporate networks for Ryuk and Conti ransomware assaults. Following Conti's shutdown in March 2022, the threat actors broke away from the cybercrime syndicate and created their own operation known as the Silent Ransom Group.

In recent attacks, SRG mimics the targets' IT help via email, bogus websites, and phone conversations, gaining access to their networks via social engineering tactics. This extortion group does not encrypt victims' systems and is infamous for demanding ransoms in order to keep sensitive information stolen from hacked devices from being leaked online. 

"SRG will then direct the employee to join a remote access session, either through an email sent to them, or navigating to a web page. Once the employee grants access to their device, they are told that work needs to be done overnight," the FBI stated in a private industry notification.

"Once in the victim's device, a typical SRG attack involves minimal privilege escalation and quickly pivots to data exfiltration conducted through 'WinSCP' (Windows Secure Copy) or a hidden or renamed version of 'Rclone.'” 

After acquiring the victims' data, they use ransom emails to blackmail them, threatening to sell or publish the information. They frequently call employees of breached organisations and force them into ransom negotiations. While they have a dedicated website for disclosing their victims' data, the FBI claims the extortion ring does not always followup on its data leak promises. 

To guard against these attacks, the FBI recommends adopting strong passwords, activating two-factor authentication for all employees, performing regular data backups, and teaching personnel on recognising phishing efforts.

The FBI's warning follows a recent EclecticIQ report detailing SRG attacks targeting legal and financial institutions in the United States, with attackers observed registering domains to "impersonate IT helpdesk or support portals for major U.S. law firms and financial services firms, using typosquatted patterns.”

A recent EclecticIQ report about SRG attacks against American legal and financial institutions revealed that the attackers were registering domains to "impersonate IT helpdesk or support portals for major U.S. law firms and financial services firms, using typosquatted patterns." The FBI issued the warning in response to this information. 

Malicious emails with fake helpdesk numbers are being sent to victims, prompting them to call in order to fix a variety of non-existent issues. On the other hand, Luna Moth operators would try to deceive employees of targeted firms into installing remote monitoring & management (RMM) software via phoney IT help desk websites by posing as IT staff.

Once the RMM tool is installed and started, the threat actors have direct keyboard access, allowing them to search for valuable documents on compromised devices and shared drivers, which will then be exfiltrated via Rclone (cloud syncing) or WinSCP (SFTP). According to EclecticIQ, the Silent Ransom Group sends ransom demands ranging from one to eight million USD, depending on the size of the hacked company.
Read more »
User Privacy
Cyber Fraud IT Help Desk Marks & Spencer Social Engineering User Privacy

M&S Hackers Conned IT Help Desk Workers Into Accessing Firm Systems

 

Hackers who attacked Marks & Spencer and the Co-op duped IT professionals into giving them access to their companies' networks, according to a report.

The "social engineering" attack on the Co-op allowed fraudsters to reset an employee's password before infiltrating the network, and a similar method was employed against M&S, insiders told BleepingComputer. 

Hundreds of agency workers at Marks & Spencer were advised not to come to work as the retailer grappled with the aftermath of a hack that cost the business £650 million in a matter of days. 

The disruption started in April when click-and-collect orders and contactless payments were impacted. Stuart Machin, the CEO of M&S, confirmed the issue in a message to customers, stating that the retailer would be making "minor, temporary changes" to in-store operations while it dealt with the ongoing "cyber incident.” 

In order to counter the "social engineering" tactic employed by the hackers from the Scattered Spider network against the UK supermarkets, the National Cyber Security Centre (NCSC) has released new guidelines. 

“Criminal activity online — including, but not limited to, ransomware and data extortion — is rampant. Attacks like this are becoming more and more common. And all organisations, of all sizes, need to be prepared,” noted Jonathon Ellison, NCSC’s national resilience director, and Ollie Whitehouse, its chief technology officer, in a blog post. 

They have recommended firms to "review help desk password reset processes" and pay special attention to "admin" accounts, which typically have more access to a company's network. 

The Scattered Spider network is a group of young guys from the UK and the United States who gained popularity in September 2023 when they broke into and locked up the networks of casino companies Caesars Entertainment and MGM Resorts International, demanding large ransoms. 

Caesars paid approximately $15 million to rebuild its network. It specialises in "breaking down the front door" of networks before passing control to a "ransomware" group, which cripples the network and extorts its owner, according to the Times. 

Tyler Buchanan, a Scottish man accused of being a key member of the organisation, was extradited to the United States from Spain last month after being charged with attempting to hack into hundreds of companies, Bloomberg News reported, citing a US Justice Department official.

At the time of the assault, M&S stated that it is "working extremely hard to restart online and app shopping" and apologies for the inconvenience to customers. It has already been unable to process click and collect orders in stores due to the "cyber incident".
Read more »
Social Engineering
Bots Gaming GitHub malware Redox Stealer Social Engineering

GitHub Scam: Fake Game Mods Steal User Credentials and Data


An advanced malware campaign exploiting GitHub repositories masked as game mods (and cracked software) has been found, revealing a risky blend of automated credential harvesting and social engineering tactics. 

While going through articles on social engineering, cybersecurity expert Tim found “a relatively new scam scheme” that shocked him. “People create thousands of GitHub repositories with all sorts of things - from Roblox and Fortnite mods to "cracked" FL Studio and Photoshop,” says Tim. 

About Redox stealer

Experts have found more than 1,100 dangerous repositories spreading versions of Redox stealer, a python-based malware built to extract important data, browser cookies, gaming platform credentials, and cryptocurrency wallet keys.

When we download and run this software, the data collected from our systems is sent to some Discord server, according to Tim, where “hundreds of people crawl through the data searching for crypto wallet private keys, bank accounts and social media credentials, and even Steam and Riot Games accounts.” 

Redox Stealer Details

Redox runs via a multi-stage data harvesting process that starts with system surveillance. Talking about the technical architecture of the redox stealer, cybersecurity news portal GB Hackers says, “Initial execution triggers a globalInfo() function that collects the victim’s IP address, geolocation via the geolocation-db.com API, and Windows username using os.getenv(‘USERNAME’).”

Issues with Mitigation and GitHub’s Response

Even with GitHub’s malware detection systems, repositories stay functional because:

  1. Activities look real: Accounts with star counts and realistic commit histories escape heuristic analysis. 
  2. Encrypted Payloads: RAR passwords like “cheats4u” stop static code analysis. 
  3. Slow Takedowns: Threat actors rebuild banned repositories via automated topic permutations. 

According to GB Hackers, “The researcher’s spreadsheet of confirmed malicious repos has not yet triggered bulk takedowns, highlighting gaps in proactive monitoring.” 

Conclusion

The GitHub campaign has exposed a significant rise in exploitation of open-source forums for large-scale social engineering. “It's been a long journey and it's barely over - but I think it's more than enough to summarise and discuss the problem,” says Tim. He finds it shocking how easily the information can be accessed online for free “without Tor, without invite, without anyone's approval.”

The information is cleverly disguised as something such as “telegram bot” that sends us offers (scams) or other lucrative baits. 

Read more »
tailgating
baiting Cyber Attacks Cybersecurity awareness hacking tactics phishing pretexting quid pro quo Social Engineering tailgating

Understanding Social Engineering: Methods and Tactics Used by Cybercriminals

 

Social engineering is a term often mentioned alongside phishing. While phishing typically involves digital methods like fraudulent emails or messages aimed at stealing personal data, social engineering is a broader concept. It refers to techniques used by malicious actors to manipulate individuals into revealing sensitive information or granting access that can be exploited for harmful purposes.

This manipulation can take various forms, including pretexting, baiting, tailgating, or quid pro quo. The primary goal is to persuade the target to comply with the attacker’s demands — whether it involves sharing confidential details or providing unauthorized physical access to a secured area.

  • Pretexting
Pretexting involves creating a fabricated story, or "pretext," to deceive the victim into divulging personal or organizational information, downloading malware, or transferring money. This tactic often targets emotions or trust, making it a common method for attackers.

  • Baiting
In baiting attacks, the attacker tempts the victim with enticing offers or items. These may include physical objects, such as malware-infected USB drives left in public spaces, or digital schemes, like deceptive advertisements leading to malicious websites or applications.

  • Tailgating
Known as piggybacking, tailgating is a physical breach of security where an attacker gains access to a restricted area by following an authorized individual. For instance, an attacker might persuade an employee to hold the door open or slip in unnoticed, enabling access to confidential documents or computer systems for further exploitation.

  • Quid Pro Quo
This method involves the attacker offering a seemingly valuable service in exchange for sensitive information or access. A common example is a scammer posing as IT support to resolve a technical issue, then requesting login credentials or remote access. Similarly, attackers may impersonate bank representatives, asking for account details to "verify" suspicious activity.

By understanding these techniques, individuals and organizations can better prepare to recognize and counter social engineering attempts. As cybersecurity threats evolve, awareness remains a crucial defense.
Read more »
White House
CISA Cyber Security data security Google Mandiant Mandiant Threat Intelligence ransomware attacks Social Engineering White House

Rising Ransomware Attacks Highlight Persistent Cybersecurity Challenges

 


Despite global law enforcement efforts and heightened attention from the White House, ransomware incidents continue to rise unabated, according to a new report from cybersecurity firm Mandiant. Researchers at the Google-owned company identified 50 new ransomware variants in 2023, with about a third branching off existing malware. This underscores the pervasive nature of the problem and the challenges in curbing cyber extortion. 

In 2023 alone, cybercriminals amassed over $1 billion from victim ransom payments, highlighting the lucrative nature of these attacks. The healthcare sector has been particularly hard-hit, with hospitals experiencing significant disruptions. The report noted that Ascension, one of the nation's largest healthcare systems with 140 hospitals across 19 states, was recently impacted by the Black Basta ransomware variant. The ongoing outage is raising concerns about patient safety and the potential risk to lives. Mandiant's findings align with a recent White House report on national cybersecurity, which also noted an increase in ransomware attacks. 

However, one significant issue is that reporting ransomware incidents is largely voluntary. This means assessments of ransomware prevalence often rely on data from cybersecurity companies, whose understanding is based on their customer base and the cybercriminal communities they monitor. To address this, the Cybersecurity and Infrastructure Security Agency (CISA) is finalizing a mandate requiring critical infrastructure owners and operators to report ransomware payments within 24 hours. This mandate aims to provide a more comprehensive view of ransomware activity and enhance response efforts. 

Mandiant's assessment highlights a 75% year-over-year increase in posts on data leak sites, which extortionists use to pressure companies into paying ransoms. The firm noted that 2023 saw the highest number of data-leak site posts since tracking began in 2020. Additionally, there was a 20% increase in the number of investigations led by Mandiant, indicating a significant rise in ransomware activities. The most prolific ransomware variants observed were ALPHV and LOCKBIT, each accounting for 17% of all activity. The surge in ransomware attacks in 2023 followed a slight dip in extortion activities in the previous year. Mandiant researchers suggested that the dip in 2022 might have been an anomaly caused by external factors such as the Russian invasion of Ukraine or the leaked Conti chats, which may have temporarily disrupted cybercriminal operations. 

As law enforcement agencies continue to conduct global operations against ransomware gangs, the evolving tactics and persistent nature of these cybercriminals highlight the need for continuous vigilance and enhanced cybersecurity measures. The collaboration between government agencies, cybersecurity firms, and critical infrastructure operators is crucial in building a robust defense against the relentless threat of ransomware.
Read more »
Subscribe to: Comments (Atom)