Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label cybercriminal group. Show all posts
Phishing Attack
Cyber Security cybercriminal group Europol Fake Accounts Fake SIM Card Fraud Interpol Phishing Attack

Europol Dismantles SIMCARTEL Network Behind Global Phishing and SIM Box Fraud Scheme

 

Europol has taken down a vast international cybercrime network responsible for orchestrating large-scale phishing, fraud, and identity theft operations through mobile network systems. The coordinated crackdown, codenamed “SIMCARTEL,” led to multiple arrests and the seizure of a massive infrastructure used to fuel telecom-based criminal activity across more than 80 countries. 

Investigators from Austria, Estonia, and Latvia spearheaded the probe, linking the criminal network to over 3,200 cases of fraud, including fake investment scams and emergency call frauds designed for quick financial gain. The financial toll of the operation reached approximately $5.3 million in Austria and $490,000 in Latvia, highlighting the global scale of the scheme. 

The coordinated action, conducted primarily on October 10 in Latvia, resulted in the arrest of seven suspects and the seizure of 1,200 SIM box devices loaded with nearly 40,000 active SIM cards. Authorities also discovered hundreds of thousands of unused SIM cards, along with five servers, two websites, and several luxury vehicles. Around $833,000 in funds across bank and cryptocurrency accounts were also frozen during the operation. 

According to Europol, the infrastructure was designed to mask the true identities and locations of perpetrators, allowing them to create fake social media and communication accounts for cybercrimes. “The network enabled criminals to establish fraudulent online profiles that concealed their real identity and were then used to carry out phishing and financial scams,” Europol said in a statement. 

Investigators have traced the network to over 49 million fake accounts believed to have been created and distributed by the suspects. These accounts were used in a range of crimes, including extortion, smuggling, and online marketplace scams, as well as fake investment and e-commerce schemes. 

The operation highlights the growing global threat of SIM farms—collections of SIM boxes that allow cybercriminals to automate scams, send spam, and commit fraud while remaining undetected by telecom providers. These systems have become a preferred tool for large-scale phishing and social engineering attacks worldwide. 

Just weeks earlier, the U.S. Secret Service dismantled a similar network in New York City, seizing over 300 servers and 100,000 SIM cards spread across several locations. 

Cybersecurity intelligence firm Unit 221B also issued a warning that SIM farms are rapidly multiplying and putting telecom providers, banks, and consumers at risk. “We’ve identified at least 200 SIM boxes operating across dozens of U.S. sites,” said Ben Coon, Chief Intelligence Officer at Unit 221B. 

While the SIMCARTEL takedown marks a major victory for law enforcement, Europol noted that investigations are still underway to uncover the full extent of the criminal infrastructure. Authorities emphasize that combating SIM box networks is essential to defending users against phishing, identity fraud, and telecom-based cyberattacks that continue to grow in sophistication and scale.
Read more »
leaked sensitive data
Asahi Beer Cyber Attacks Cyberattacks cybercriminal group CyberSecurity Ransomware Attacks Data Leak Data protection data security leaked sensitive data

Asahi Group Confirms Ransomware Attack Disrupting Operations and Leaking Data

 

Japanese food and beverage conglomerate Asahi Group Holdings has confirmed that a ransomware attack severely disrupted its operations and potentially exposed sensitive data, including employee and financial information. The cyberattack, which occurred on September 29, 2025, forced the company to delay releasing its January–September financial results, originally scheduled for November 12. 

The attack paralyzed Asahi’s domestic order and shipment systems, halting automated operations across Japan. Despite the disruption, the company implemented manual order processing and resumed partial shipments to ensure a continued supply of its popular beverages and food products. 

The Qilin ransomware group has claimed responsibility for the breach, asserting that it stole over 9,300 files containing personal and financial data. On October 8, Asahi confirmed that some of the stolen data was found online, prompting a detailed investigation into the scope and type of compromised information. In a public statement, the company said it is working to identify affected individuals and will issue notifications once the investigation confirms unauthorized data transfer.  

Although the incident primarily impacted systems within Japan, Asahi stated there is no evidence of compromise affecting its global operations. 

Recovery efforts are steadily progressing. Asahi Breweries resumed production at all six of its factories by October 2, restoring shipments of Asahi Super Dry, with other product lines following soon after. Asahi Soft Drinks restarted production at six of its seven plants by October 8, while Asahi Group Foods has also resumed partial operations at all seven domestic facilities.  

However, Asahi’s systems have not yet been fully restored, and the company has not provided a definite recovery timeline. The ongoing disruption has delayed access to critical accounting systems, forcing a postponement of quarterly financial reporting. 

In its official statement, Asahi explained that the financial disclosure delay is necessary to ensure accuracy and compliance amid system recovery. The company issued an apology to shareholders and stakeholders for the inconvenience caused and promised transparent updates as investigations and remediation progress. 

The Asahi Group cyberattack serves as another reminder of the rising frequency and impact of ransomware incidents targeting major corporations worldwide.
Read more »
data security
Cyber Attacks cybercriminal group CyberSecurity Ransomware Attacks dark web data leak Data Leak data security

Qilin Ransomware Gang Claims Cyberattack on Japanese Beer Giant Asahi

 

The Qilin ransomware group has claimed responsibility for the recent cyberattack on Japanese brewing giant Asahi, adding the company’s name to its dark web data leak site. The cybercriminals alleged that they had stolen over 9,300 files amounting to 27GB of confidential data, including financial documents, employee identification records, contracts, and internal reports. To substantiate their claims, the group published 29 images showing snippets of the stolen files. 

Asahi, Japan’s largest beer manufacturer, employs around 30,000 people and produces approximately 100 million hectoliters annually, generating close to $20 billion in revenue. The company suffered significant operational disruptions following the attack. On September 29, Asahi temporarily halted production at six of its domestic facilities, later confirming on October 3 that a ransomware attack had crippled its systems and led to data exfiltration. 

At first, no threat actor took public credit for the breach. However, the Qilin ransomware group eventually listed Asahi among its victims, likely after ransom negotiations failed. Qilin, which emerged in 2023, is known as a multi-platform ransomware operation capable of targeting both Windows and Linux systems. The group has been associated with other notorious hacker collectives such as Scattered Spider and, more recently, North Korean state-linked actors. 

Qilin’s tactics include exploiting vulnerabilities in edge network devices, deploying credential theft tools, and developing sophisticated encryption mechanisms to hinder recovery. The group has previously targeted high-profile organizations including Nissan, Inotiv, Lee Enterprises, major hospitals within London’s NHS network, and automotive supplier Yangfeng.

In its post, Qilin claimed that the Asahi ransomware attack could result in losses exceeding $335 million due to production halts affecting six breweries and more than thirty beer labels. Despite the claims, Asahi has not verified the authenticity of the leaked files. In a statement to BleepingComputer, a company spokesperson confirmed that the matter remains under active investigation and declined to comment further. 

The company also shared that production of its flagship beer, Super Dry, has resumed through a temporary manual ordering system. While Asahi’s factories are not yet operating at full capacity, shipments for additional labels are expected to restart by October 15. However, as a direct consequence of the cyberattack and ongoing disruptions, Asahi announced it would delay the launch of new products that were initially planned for October 2025. 

The attack on Asahi underscores the growing reach and sophistication of ransomware groups like Qilin, whose increasingly destructive campaigns continue to target global corporations across industries, threatening both economic stability and consumer trust.
Read more »
protecting sensitive data
Chinese Hackers Cyber Attacks cyber espionage cybercriminal group Cyberthreatm Salt Typhoon Hacks data security Data Theft DHS Hacker attack Hacker group protecting sensitive data

Chinese Hacker Group Salt Typhoon Breaches U.S. National Guard Network for Nine Months

 

An elite Chinese cyber-espionage group known as Salt Typhoon infiltrated a U.S. state’s Army National Guard network for nearly nine months, according to a classified Pentagon report revealed in a June Department of Homeland Security (DHS) memo. The memo, obtained by the nonprofit Property of the People through a freedom of information request, indicates the hackers had deep access between March and December 2024, raising alarms about compromised military or law enforcement data. 

Salt Typhoon has previously been linked to some of the most expansive cyber-intrusions into American infrastructure. This latest revelation suggests their reach was even broader than earlier believed. Authorities are still investigating the full extent of data accessed, including sensitive internal documents, personal information of service members, and network architecture diagrams. The affected state’s identity remains undisclosed. 

The Department of Defense declined to comment on the matter, while a spokesperson from the National Guard Bureau confirmed the breach but assured that the incident did not hinder any ongoing state or federal missions. Investigations are ongoing to determine the scope and potential long-term impact of the breach. 

China’s embassy in Washington did not directly deny the allegations but claimed the U.S. had not provided concrete evidence linking Salt Typhoon to the Chinese government. They reiterated that cyberattacks are a global threat and that China also faces similar risks. 

Salt Typhoon is particularly notorious for its ability to infiltrate and pivot across different networks. In a prior campaign, the group was linked to breaches at major telecom companies, including AT&T and Verizon, where hackers allegedly monitored text messages and calls tied to U.S. political figures, including both Trump and Harris campaigns and Senate Majority Leader Chuck Schumer’s office.

The hybrid structure of the National Guard — functioning under both federal and state authority — may have provided a wider attack surface. According to the DHS memo, the group may have obtained intelligence that could be used to compromise other states’ National Guard units and their local cybersecurity partners. Fourteen state National Guard units reportedly share intelligence with local fusion centers, potentially magnifying the risk. 

In January 2025, the U.S. Treasury Department sanctioned a company in Sichuan believed to be facilitating Salt Typhoon operations for China’s Ministry of State Security. Past incidents have shown that Salt Typhoon can maintain access for years, making complete removal and defense particularly challenging.
Read more »
Ransomwares
cryptocurrency Cyber Attacks CyberCriminal cybercriminal group data security Ransom Demands ransomware attacks Ransomware Groups Ransomwares

Romanian Arrested in Diskstation Ransomware Operation Targeting Synology NAS Devices

 

A 44-year-old Romanian national has been arrested as part of a coordinated international law enforcement effort to take down the cybercriminal group behind the Diskstation ransomware campaign. This group is known for targeting Synology Network-Attached Storage (NAS) devices, which are widely used by businesses and organizations for centralized file storage, data backups, and hosting. These attacks have primarily affected entities operating in enterprise environments, where NAS systems are critical to daily operations. 

The Diskstation ransomware group has operated under several aliases, including DiskStation Security, Quick Security, 7even Security, Umbrella Security, and LegendaryDisk Security. Since its emergence in 2021, the group has engaged in multiple ransomware campaigns, encrypting data on NAS devices and demanding cryptocurrency payments in exchange for decryption keys. 

Victims have included international organizations involved in civil rights advocacy, film production, and event management. These attacks left many victims unable to continue operations unless they agreed to pay substantial ransoms. Authorities in Italy launched an investigation after numerous companies in the Lombardy region reported ransomware attacks that rendered their data inaccessible. 

The attackers demanded payments in cryptocurrency, prompting investigators to analyze the affected systems and blockchain transactions. This digital trail eventually led police across borders, uncovering connections in both France and Romania. The operation, dubbed “Elicius,” was coordinated by Europol and culminated in a series of raids in Bucharest in June 2024. During these raids, several individuals believed to be involved in the Diskstation campaign were identified. One suspect was caught in the act of committing a cybercrime. 

The 44-year-old man who was arrested is now in custody and faces charges including unauthorized access to computer systems and extortion. While the Diskstation name is often associated with Synology’s NAS products, this specific campaign received little attention from mainstream cybersecurity outlets. 

However, it caused significant disruption to organizations worldwide. The ransomware gang reportedly demanded payments ranging from $10,000 to several hundred thousand dollars, depending on the organization’s size and data sensitivity. Law enforcement agencies continue to investigate the broader network behind the Diskstation operation. 

The case underscores the growing threat of ransomware campaigns targeting critical infrastructure and storage solutions. As attackers evolve their methods and target widely used systems like Synology NAS, cybersecurity vigilance remains crucial for all organizations, regardless of size or industry.
Read more »
Ransomwares
Advanced Social Engineering Cyber Attacks cybercriminal group data security FBI FBI cybersecurity advisory Law Firms Luna Moth phishing techniques ransomware attacks Ransomwares

FBI Warns of Silent Ransom Group Using Phishing and Vishing to Target U.S. Law Firms

 

The FBI has issued a warning about a sophisticated cybercriminal group known as the Silent Ransom Group (SRG), also referred to by aliases like Luna Moth, Chatty Spider, and UNC3753. This group has been actively targeting U.S.-based law firms and related organizations through advanced phishing techniques and social engineering scams. The group, which has been operational since 2022, is known for using deceptive communication methods to gain unauthorized access to corporate systems and extract sensitive legal data for ransom demands. In the past, SRG’s activities spanned across industries such as healthcare and insurance. 

However, since the spring of 2023, its focus has shifted to legal entities, likely because of the highly confidential nature of the data managed by law firms. The group commonly uses a method called callback phishing, also known as reverse vishing. In this approach, victims receive emails that appear to originate from reputable companies and warn them of small charges for fake subscriptions. The emails prompt users to call a phone number to cancel the subscription. During these calls, victims are instructed to download remote access software under the guise of resolving the issue. Once the software is installed, SRG gains control of the victim’s device, searches for valuable data, and uses it to demand ransom.  

In March 2025, SRG has adapted their strategy to include voice phishing or vishing. In this new approach, the attackers call employees directly, posing as internal IT staff. These fraudulent callers attempt to convince their targets to join remote access sessions, often under the pretext of performing necessary overnight maintenance. Once inside the system, the attackers move swiftly to locate and exfiltrate data using tools like WinSCP or a disguised version of Rclone. Notably, SRG does not prioritize escalating privileges, instead focusing on immediate data theft. The FBI noted that these voice phishing methods have already resulted in multiple successful breaches. 

SRG reportedly continues to apply pressure during ransom negotiations by making follow-up calls to victim organizations. While the group does maintain a public site for releasing stolen data, its use of this platform is inconsistent, and it does not always follow through on threats to leak information. A significant concern surrounding these attacks is the difficulty in detection. SRG uses legitimate system management and remote access tools, which are often overlooked by traditional antivirus software. The FBI advises organizations to remain vigilant, particularly if there are unexplained downloads of programs such as AnyDesk, Zoho Assist, or Splashtop, or if staff receive unexpected calls from alleged IT personnel. 

In response, the FBI urges companies to bolster cybersecurity training, establish clear protocols for authenticating internal IT requests, and enforce two-factor authentication across all employee accounts. Victims of SRG attacks are encouraged to share any information that might assist in ongoing investigations, including ransom communications, caller details, and cryptocurrency wallet data.
Read more »
Ticketmaster data breach
BreachForums cybercriminal group Data Breach NC5537 Ransomware Gang Santander Bank data theft Scattered Spider ShinyHunters Ticketmaster data breach

Cybercriminal Group UNC5537 Strikes with Major Data Breaches

 

In recent weeks, the cybercriminal group UNC5537 has made significant waves. This ransomware gang, potentially linked to ShinyHunters or Scattered Spider, stole over 560 million customer records from Ticketmaster. On May 28, they listed this data for sale on their revamped leak site, BreachForums, with a price tag of $500,000. Just two days later, the group claimed to have obtained 30 million account records from Santander Bank in Spain, demanding $2 million for the data. Both companies confirmed the breaches after these announcements.

A June 10 analysis by Mandiant, an incident-response firm now part of Google, revealed that these data leaks, along with at least 163 other breaches, were not due to system vulnerabilities but rather the exploitation of stolen credentials and inadequate multifactor authentication (MFA) controls. According to Mandiant, no evidence indicates that the breaches stemmed from Snowflake's enterprise environment. Instead, all incidents are traced back to compromised customer credentials.

While implementing MFA could have prevented the data theft from Snowflake's systems, the companies involved have broader issues beyond this single control. Businesses must ensure visibility into their attack surfaces, promptly disable accounts of former employees and contractors, and minimize entry points for attackers. Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, emphasizes that attackers often exploit basic security lapses. "Targeting the low-hanging fruit — in this case, insecure credentials — can be achieved with little effort from the threat actor but provides ample opportunities," he notes.

Key Lessons from Recent Cloud Breaches

1. Start With MFA and Then Go Beyond

There is significant room for improvement in MFA adoption. Despite reports showing that 64% of workers and 90% of administrators use MFA, over 60% of organizations still have at least one root user or administrator without MFA enabled. According to Ofer Maor, co-founder and CTO at Mitiga, achieving consistent and verifiable MFA implementation is crucial. He suggests that companies enforce and require MFA, disable non-SSO logins, and enhance security measures with device- or hardware-based authentication for sensitive infrastructure.

2. Use Access Control Lists to Limit Authorized IP Addresses

Organizations should implement access control lists (ACLs) to restrict user access to cloud services or at least review access logs daily for anomalies. Jake Williams, a faculty analyst at IANS Research, recommends restricting IP addresses for cloud infrastructure access and emphasizes the importance of access reviews to identify unexpected access points.

3. Maximize Visibility Into Cloud Services

Continuous monitoring of applications, log data, access activity, and data aggregation services is essential for detecting and preventing attacks. Organizations need to alert on specific behaviors or threats, which could have identified the cybercriminals' attempts to access cloud data, says Brian Soby, CTO and co-founder at AppOmni.

4. Don't Rely on Your Cloud Providers' Defaults

Cloud providers often prioritize usability over security, so relying solely on their default settings can be risky. For example, Snowflake's default settings do not require MFA, making it easier for attackers with compromised credentials to gain full access. Companies must go beyond these defaults and enforce higher security standards.

5. Check Your Third Parties

Even if a company does not directly use Snowflake or another cloud service, third-party providers might, exposing their data to risk. Ensuring that all service providers handling company data follow proper security measures is essential, as highlighted by IANS Research's Williams. Reaching out to service providers to confirm their security practices is crucial in protecting data in today's complex supply chain environment.
Read more »
Subscribe to: Comments (Atom)