Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Attacks. Show all posts
WordPress
Cyber Attacks gravity forms Plugin Supply Chain Attack WordPress

WordPress Plugin Breach: Hackers Gain Control Through Manual Downloads

 



A serious cyberattack recently targeted Gravity Forms, a widely used plugin for WordPress websites. This incident, believed to be part of a supply chain compromise, resulted in infected versions of the plugin being distributed through manual installation methods.

What is Gravity Forms and Who Uses It?

Gravity Forms is a paid plugin that helps website owners create online forms for tasks like registrations, contact submissions, and payments. According to the developer, it powers around a million websites, including those of well-known global companies and organizations.

What Went Wrong?

Cybersecurity researchers from a security firm reported suspicious activity tied to the plugin’s installation files downloaded from the developer’s website. Upon inspection, they discovered that the file named common.php had been tampered with. Instead of functioning as expected, the file secretly sent a request to an unfamiliar domain, gravityapi.org/sites.

Further investigation showed that the altered plugin version quietly collected sensitive data from the infected websites. This included website URLs, admin login paths, installed plugins, themes, and details about the PHP and WordPress versions in use. All this information was then sent to the attackers’ server.

The attack didn’t stop there. The malicious file also downloaded more harmful code disguised as a legitimate WordPress file, storing it in a folder used by the platform’s core features. This hidden code allowed hackers to run commands on the server without needing to log in, essentially giving them full access to the website.

How Did This Affect Site Owners?

The threat mainly impacted those who manually downloaded Gravity Forms versions 2.9.11.1 and 2.9.12 between July 10 and July 11. Developers confirmed that websites which installed the plugin using automated updates from within WordPress were not affected.

In the infected versions, the malware not only blocked future update attempts but also communicated with a remote server to bring in more malicious code. In some cases, the attack even created a secret admin account giving the hackers complete control over the website.

What Should Website Admins Do Now?

The plugin's developer has released a statement acknowledging the issue and has provided instructions to help website owners detect and remove any signs of infection. Users who downloaded the plugin manually during the affected timeframe are strongly advised to reinstall a clean version and scan their websites thoroughly.

Cybersecurity experts also recommend checking for suspicious files and unknown administrator accounts. The domains used in this attack were registered on July 8, suggesting that this breach was carefully planned.

This incident highlights the growing risk of supply chain attacks in the digital world. It serves as a reminder for website administrators to rely on trusted update channels and monitor their sites regularly for any unusual activity.
Read more »
Malicious Campaign
Columbia University Cyber Attacks Data Leak Hacktivist Malicious Campaign

Politically Motivated Hacktivist Stole Data of 2.5 Million Columbia University Students And Employees

 

In a targeted cyberattack that investigators suspect was politically motivated, a seasoned "hacktivist" allegedly acquired private data from over two million Columbia University students, applicants, and staff.

The savvy hacktivist stole social security numbers, citizenship status, university-issued ID numbers, application choices, employee wages, and other private details on June 24 after taking down the Ivy League's systems for several hours, according to Bloomberg News. A university insider told The Post that the astute hacker appeared to target specific documents to serve their political purpose. 

“We immediately began an investigation with the assistance of leading cybersecurity experts and after substantial analysis determined that the outage was caused by an unauthorized party,” Columbia said in a statement Tuesday. “We now have initial indications that the unauthorized actor also unlawfully stole data from a limited portion of our network. We are investigating the scope of the apparent theft and will share our findings with the University community as well as anyone whose personal information was compromised.”

The lone intruder responsible for the major disruption later admitted to the breach in an anonymous message to Bloomberg News, which said it had investigated the 1.6-gigabyte haul of stolen material. The suspected hacker, who refuses to reveal their name to the site, claimed they targeted the struggling Manhattan university to locate documents revealing the use of affirmative action in admissions, a practice prohibited by the Supreme Court last year. 

The trove of extracted documents allegedly comprised 2.5 million applications stretching back decades, as well as financial help packages, the outlet reported. 

A university official said Columbia’s admissions processes are compliant with the high court’s ruling. The cyber trespasser told Bloomberg they were able to infiltrate Columbia’s classified information after spending more than two months gaining access to the university’s servers. The hours-long incident temporarily locked students and faculty out of university systems and caused bizarre images to appear on screens across campus. 

The university also reassured the Columbia community that the Irving Medical Centre was unaffected. Officials said they identified the hacker's tactics and signature and haven't seen any malicious activity since. The attack occurred during the top school's ongoing dispute with the Trump administration, which revoked over $400 million in grants and contracts for the institution's failure to eradicate antisemitism on campus.
Read more »
SafePay ransomware
Cyber Attacks Cyber Outage Global IT Outage IT system Palo Alto Palo Alto Networks Ransomware attack Ransomwares SafePay ransomware

Ingram Micro Confirms SafePay Ransomware Attack and Global IT System Outage

 

Ingram Micro, one of the world’s largest IT distribution and services companies, has confirmed it was targeted in a ransomware attack by the SafePay group, causing major operational disruptions across its global network. The cyberattack, which began early on July 4, 2025, forced the company to take critical internal systems offline and suspend access to platforms such as its AI-powered Xvantage distribution system and the Impulse license provisioning platform. 

The attack came to light after employees discovered ransom notes on their devices. According to cybersecurity outlet BleepingComputer, the notes were linked to the SafePay ransomware operation—an increasingly active threat actor that has claimed over 220 victims since emerging in late 2024. Although the extent of data encryption remains unclear, sources suggest that the attackers likely accessed Ingram Micro’s network via compromised credentials on the company’s GlobalProtect VPN gateway. Initially, 

Ingram Micro refrained from publicly acknowledging the attack, stating only that it was experiencing “IT issues.” Employees in some regions were instructed to work from home, and the company advised against using the VPN service believed to be involved in the breach. 

On July 6, Ingram Micro officially confirmed the ransomware incident. In a statement, the company said it took immediate steps to secure affected systems, brought in cybersecurity experts to investigate, and notified law enforcement agencies. It also assured customers and partners that it was working urgently to restore operations and minimize further disruption. 

By July 8, the company had made significant progress in recovery. Subscription orders—including renewals and modifications—were once again being processed globally, with additional support for phone and email orders reinstated in key markets such as the UK, Germany, Brazil, India, and China. However, some hardware order functions remain limited. 

Palo Alto Network issued a clarification stating that none of its products were the source of the breach. The company emphasized that attackers likely exploited misconfigurations or stolen credentials, not any inherent flaws in the VPN software. 

This breach highlights the increasing sophistication of ransomware groups like SafePay and the risks faced by large IT infrastructure providers. Ingram Micro’s swift containment and recovery response may help mitigate long-term impacts, but the incident serves as a critical reminder of the importance of proactive cybersecurity measures, especially in environments reliant on remote access technologies.
Read more »
Ransomware
Cyber Attacks Cybersecurity Hypervisor News Ransomware

Hypervisor Ransomware Threat Grows: MITRE ATT&CK v17 Puts C-Suite on Alert

 

The latest update to the MITRE ATT&CK framework—version 17—has brought hypervisor security into sharp focus, prompting a necessary shift in how organizations view the core of their virtualized infrastructure. For the first time, VMware ESXi hypervisors have received a dedicated matrix within the widely adopted framework, underscoring their growing vulnerability to targeted cyberattacks. This move serves as a wake-up call for executive leadership: hypervisor security is no longer just a technical concern, but a strategic imperative. 

As enterprises increasingly rely on virtual machines to run mission-critical workloads and store sensitive data, any compromise at the hypervisor level can have devastating consequences. A single attack could trigger operational downtime, lead to failed audits, and expose the organization to compliance violations and regulatory scrutiny. Experts warn that unaddressed ESXi vulnerabilities may even be classified as preventable lapses in due diligence. 

Compounding the issue is the fact that many organizations still lack defined incident response playbooks tailored to hypervisor attacks. With MITRE ATT&CK now mapping tactics used to breach, move laterally, and deploy ransomware within hypervisors, the risks are no longer theoretical—they are measurable and real. 

To mitigate them, leadership must champion a security strategy that includes robust access controls such as multi-factor authentication, role-based permissions, lockdown policies, and virtual patching to cover unpatched or zero-day vulnerabilities. Additionally, organizations are urged to deploy runtime monitoring and align defences with the MITRE ATT&CK framework to improve security posture and audit readiness. Failing to address this blind spot could cost companies more than just operational delays—it could lead to loss of customer trust and reputational damage. 

As threat actors grow more sophisticated, overlooking the hypervisor layer is no longer an acceptable risk. The inclusion of ESXi in ATT&CK v17 represents a broader industry recognition that hypervisors must be part of the core cybersecurity conversation. For the C-suite, this means embracing their role in driving hypervisor resilience across security, infrastructure, and governance functions before an attack makes that decision for them.
Read more »
Malicious Attack
crypto news Cyber Attacks Cybersecurity malicious Malicious Attack

Over 40 Malicious Crypto Wallet Extensions Found on Firefox Add-Ons Store

 

In a disturbing cybersecurity development, researchers at Koi Security have uncovered more than 40 malicious Firefox browser extensions impersonating popular cryptocurrency wallets. These extensions, found on Mozilla’s official add-ons store, are designed to steal sensitive wallet credentials and recovery phrases from unsuspecting users. The deceptive add-ons pose as legitimate wallets from major crypto service providers including Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero. 

By cloning the open-source versions of these tools and embedding malicious code, the attackers aim to harvest users’ seed phrases—sensitive keys that grant full access to cryptocurrency funds. According to Koi Security’s report shared with BleepingComputer, the malicious extensions include event listeners that monitor users' activity in the browser. These scripts specifically look for text inputs longer than 30 characters—a common trait of seed phrases—and quietly send the captured data to attacker-controlled servers. Error messages that could potentially alert users are cleverly hidden using CSS tricks that make the alerts invisible. 

The theft of a seed phrase enables full access to a user's crypto wallet and is often irreversible, with the fraudulent transaction appearing legitimate on the blockchain. The campaign has reportedly been active since at least April, and new extensions continue to surface on the Firefox store, with the latest additions detected just last week. Many of the fraudulent extensions use authentic logos of trusted brands and are bolstered by fake five-star reviews to enhance credibility. 

However, some also display one-star warnings from users who likely fell victim to the scam. Mozilla has acknowledged the issue, confirming it is part of a broader trend targeting the Firefox add-ons ecosystem. The company says it has deployed an early detection system that flags risky extensions based on automated risk indicators, triggering manual reviews for further action. 

In a statement to BleepingComputer, a Mozilla spokesperson said, “We are aware of attempts to exploit Firefox’s add-ons ecosystem using malicious crypto-stealing extensions. Through improved tooling and process, we have taken steps to identify and take down such add-ons quickly.” Mozilla noted that many of the add-ons highlighted by Koi Security had already been removed before the publication of the report. However, the company continues to review remaining flagged extensions and has reaffirmed its commitment to user safety. 

Despite Mozilla's efforts, Koi Security says several of the fake extensions remain live on the platform. The cybersecurity firm used Mozilla’s official reporting tools to alert the company but stresses that more action is needed. 
Read more »
North Korea cyberattack
Apple Apple MacOS Blockchain Blockchain Technology Crypto Attack crypto community cryptocurrency Cyber Attacks data security Data Theft Mac Mac Malware Malware Attack Malwares North Korea cyberattack

North Korean Malware Targets Mac Users in Crypto Sector via Calendly and Telegram

 

Cybersecurity researchers have identified a sophisticated malware campaign targeting Mac users involved in blockchain technologies. According to SentinelLabs, the attack has been linked to North Korean threat actors, based on an investigation conducted by Huntabil.IT. 

The attack method is designed to appear as a legitimate interaction. Victims are contacted via Telegram, where the attacker impersonates a known associate or business contact. They are then sent a meeting invite using Calendly, a widely-used scheduling platform. The Calendly message includes a link that falsely claims to be a “Zoom SDK update script.” Instead, this link downloads malware specifically designed to infiltrate macOS systems. 

The malware uses a combination of AppleScript, C++, and the Nim programming language to evade detection. This mix is relatively novel, especially the use of Nim in macOS attacks. Once installed, the malware gathers a broad range of data from the infected device. This includes system information, browser activity, and chat logs from Telegram. It also attempts to extract login credentials, macOS Keychain passwords, and data stored in browsers like Arc, Brave, Firefox, Chrome, and Microsoft Edge. Interestingly, Safari does not appear to be among the targeted applications. 

While the campaign focuses primarily on a niche audience—Mac users engaged in crypto-related work who use Calendly and Telegram—SentinelLabs warns that the tactics employed could signal broader threats on the horizon. The use of obscure programming combinations to bypass security measures is a red flag for potential future campaigns targeting a wider user base. 

To safeguard against such malware, users are advised to avoid downloading software from public code repositories or unofficial websites. While the Mac App Store is considered the safest source for macOS applications, software downloaded directly from reputable developers’ websites is generally secure. Users who rely on pirated or cracked applications remain at significantly higher risk of infection. 

Cyber hygiene remains essential. Never click on suspicious links received via email, text, or social platforms, especially from unknown or unverified sources. Always verify URLs by copying and pasting them into a text editor to see their true destination before visiting. It’s also crucial to install macOS security updates promptly, as these patches address known vulnerabilities.  

For additional protection, consider using trusted antivirus software. Guides from Macworld suggest that while macOS has built-in security, third-party tools like Intego can offer enhanced protection. As malware campaigns evolve in complexity and scope, staying vigilant is the best defense.
Read more »
Qantas Airways
Australia Cyber Attacks Data Leak OAIC Personal Data Qantas Airways

Qantas Investigates Cyber Attack That May Have Affected Millions of Customers

 



Qantas Airways has revealed that a cyber attack on one of its third-party service platforms may have compromised the personal data of up to six million customers. The breach was linked to a customer service tool used by a Qantas-operated call centre, and the airline confirmed that suspicious activity was detected earlier this week.

In an official statement, Qantas said a malicious actor gained access to this external platform, but the intrusion has since been contained. Investigations are ongoing to determine how much customer data was exposed, though initial findings suggest the impact could be significant.

The company confirmed that the exposed information may include customer names, contact numbers, email addresses, dates of birth, and frequent flyer membership numbers. However, Qantas clarified that no financial data—such as credit card details, bank information, or passport numbers—was stored on the affected system.

The airline also confirmed that sensitive account credentials, such as passwords, login PINs, and security information, were not accessed. Flight operations and the safety of air travel have not been affected by this breach.

Qantas Group CEO Vanessa Hudson addressed the incident, expressing regret over the situation. “Our customers place their trust in us to protect their personal data, and we deeply regret that this has occurred. We are contacting affected individuals directly and are committed to offering them full support,” she said.

To assist impacted customers, Qantas has launched a dedicated help centre offering expert guidance on identity protection. The support service is reachable at 1800 971 541 or +61 2 8028 0534 for international callers. Customers with upcoming flights have been assured that they do not need to take any action regarding their bookings.

Australian authorities have been notified, including the Australian Cyber Security Centre, the Office of the Australian Information Commissioner (OAIC), and the Australian Federal Police. Qantas has pledged full cooperation with the agencies involved in the investigation.

Shadow Minister for Cyber Security Melissa Price commented on the breach during an interview with ABC, calling it a serious wake-up call for all Australian companies. She emphasized the need for transparency and continuous updates to the public when incidents of this scale occur.

This breach adds to a growing list of cybersecurity incidents in Australia. Other major organizations, including AustralianSuper and Nine Media, have also suffered data leaks in recent months.

Earlier this year, the OAIC reported that 2024 saw the highest number of recorded data breaches since tracking began in 2018. Australian Privacy Commissioner Carly Kind warned that the risks posed by cyber threats are growing and called on both private companies and public agencies to strengthen their defences.

As data breaches become more frequent and complex, cybersecurity remains a critical issue for businesses and consumers alike.

Read more »
Scattered Spider ransomware
airline industry Cyber Attacks cyberattacks on airline FBI Hacker attack Hawaii MFA Palo Alto Networks Scattered Spider Scattered Spider ransomware

Scattered Spider Hackers Target Airline Industry Amid FBI and Cybersecurity Warnings

 

The FBI has issued a new warning about the cybercriminal group known as Scattered Spider, which is now actively targeting the airline industry. Recent cyber incidents at Hawaiian Airlines and Canadian carrier WestJet underscore the growing threat. 

According to the FBI’s advisory released late last week, Scattered Spider is known for using advanced social engineering tactics, often posing as employees or contractors. Their goal is to manipulate IT help desk teams into granting unauthorized access—frequently by requesting the addition of rogue multi-factor authentication (MFA) devices to compromised accounts.  

The group’s typical targets include large enterprises and their third-party service providers. “That puts the entire aviation supply chain at risk,” the FBI noted. Once they gain entry, the hackers typically exfiltrate sensitive information for extortion purposes and sometimes deploy ransomware as part of their attacks. The agency confirmed that it is working closely with industry partners to contain the threat and support affected organizations.  

Hawaiian Airlines reported late last week that it had detected suspicious activity in some of its IT systems. While full flight operations were not disrupted, the airline stated it was taking protective steps. “We’ve engaged with authorities and cybersecurity experts to investigate and remediate the incident,” the company said in a statement, adding that it’s focused on restoring systems and will share further updates as the situation evolves. 

Earlier in June, WestJet disclosed that it had experienced a cybersecurity event, which led to restricted access for certain users. The airline has brought in third-party experts and digital forensic analysts to investigate the breach. 

Although the culprits haven’t been officially named, recent analysis from security firm Halcyon indicates that Scattered Spider has broadened its scope, now targeting not only aviation but also sectors like food production and manufacturing. 

“These attacks are fast-moving and devastating,” Halcyon warned. “They can cripple an entire organization in just a few hours, with impacts on everything from operations to consumer trust.”

Other experts echoed these concerns. Palo Alto Networks’ Unit 42 recently advised aviation companies to be extra cautious, particularly regarding suspicious MFA reset requests and socially engineered phishing attempts.  

Darren Williams, founder and CEO of cybersecurity company BlackFog, emphasized the high value of the airline sector for cybercriminals. “Airlines manage immense volumes of sensitive customer data, making them an extremely attractive target,” he said. “With international travel surging, attackers are exploiting this pressure point.” 

Williams added that the disruptions caused by such attacks can ripple across the globe, affecting travelers, business continuity, and public confidence. “These incidents show that airlines need to invest more heavily in cybersecurity infrastructure that can protect passenger data and maintain operational integrity.”
Read more »
North Korea
AI Bybit Crypto cryptocurrency Cyber Attacks Ethereum Internet North Korea

ByBit Crypto Heist: First Half of 2025 Records All-time High Crypto Theft

ByBit Crypto Heist: First Half of 2025 Records All-time High Crypto Theft

2025 H1 records all-time crypto theft

In the first half of 2025, hackers stole a record $2.1 billion in cryptocurrency, marking an all-time high. The data highlights the vulnerable state of the cryptocurrency industry. North Korean state-sponsored hackers accounted for 70% of the losses, responsible for USD 1.6 billion, rising as the most notorious nation-state actor in the crypto space, according to a report by TRM Labs

This indicates a significant increase in illegal operations, surpassing the 2022 H1 record by 10% and nearly matching the total amount stolen for the entire 2022 year, highlighting the danger to digital assets. 

Implications of nation-state actors in crypto attacks

The biggest cryptocurrency attack has redefined the H1 2025 narrative, the attack on Dubai-based crypto exchange Bybit. TRM believes the attack highlights a rising effort by the Democratic People’s Republic of Korea (DPRK) for cryptocurrency profits that can help them escape sanctions and fund strategic aims like nuclear weapons programs, besides being a crucial component of their statecraft. 

“Although North Korea remains the dominant force in this arena, incidents such as reportedly Israel-linked group Gonjeshke Darande (also known as Predatory Sparrow) hacking Iran’s largest crypto exchange, Nobitex, on June 18, 2025, for over USD 90 million, suggest other state actors may increasingly leverage crypto hacks for geopolitical ends,” TRM said in a blog post. 

Mode of operation

"Infrastructure attacks — such as private key and seed phrase thefts, and front-end compromises — accounted for over 80% of stolen funds in H1 2025 and were, on average, ten times larger than other attack types," reports TRM. These attacks target the technical spine of the digital asset system to get illicit access, reroute assets, and mislead users. Infrastructure attacks are done via social engineering or insider access and expose fractures in the cryptosecurity foundation.

Takeaways 

H1 2025 has shown a shift towards crypto hacking, attacks from state-sponsored hackers, and geopolitically motivated groups are rising. Large-scale breaches related to nation-state attacks have trespassed traditional cybersecurity. The industry must adopt advanced, effective measures to prevent such breaches. Global collaboration through information sharing and teamed efforts can help in the prosecution of such cyber criminals. 

Read more »
Zero-day Flaw
Chinese Hacker Cyber Attacks French Infrastructure UNC5174 Zero-day Flaw

Chinese Attackers Target France Infrastructure in Ivanti Zero-Day Exploit Campaign

 

The French cybersecurity agency stated in a study released Tuesday that three zero-day flaws impacting Ivanti Cloud Services Appliance devices triggered an attack spree in France last year that affected several critical infrastructure sectors.

The French National Agency for the Security of Information Systems reports that from early September to late November 2024, widespread zero-day exploits of CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 affected government agencies and organisations in the media, finance, transportation, and telecommunications sectors.

According to Mandiant, the attacks were carried out by UNC5174, a former member of Chinese hacktivist collectives who was probably working as a contractor for China's Ministry of State Security. The attacker, known as "Uteus," has previously targeted edge device flaws in ConnectWise ScreenConnect, F5 BIG-IP, Atlassian Confluence, the Linux kernel, and the Zyxel firewall. 

Authorities in France discovered that UNC5174 employed a unique intrusion set known as "Houken," which included zero-day vulnerabilities, a sophisticated rootkit, numerous open-source tools, commercial VPNs, and dedicated servers. Officials believe Houken and UNC5174 are operated by the same threat actor, an initial access broker who steals credentials and implements methods to gain persistent access to target networks. 

“Though already documented for its opportunistic exploitation of vulnerabilities on edge devices, the use of zero-days by a threat actor linked to UNC5174 is new,” France’s cybersecurity agency noted in the report. “The operators behind the UNC5174 and Houken intrusion sets are likely primarily looking for valuable initial accesses to sell to a state-linked actor seeking insightful intelligence.”

Earlier this year in January, the Cybersecurity and Infrastructure Security Agency said that threat actors used the three Ivanti zero-days in a chain to get credentials, execute remote code, establish initial access, and install webshells on victim networks. In April, Sysdig researchers said that they had observed the China state-sponsored hacker organisation UNC5174 use open-source offensive security techniques like WebSockets and VShell to blend in with more common cybercriminal activities. 

Numerous attackers have frequently taken advantage of long-standing flaws in Ivanti products, including espionage outfits with ties to China. Since 2021, Ivanti has shipped software with a high number of vulnerabilities across at least ten different product lines, more than any other vendor in this market since the start of last year. According to cyber authorities, cybercriminals have exploited seven flaws in Ivanti products so far this year, and 30 Ivanti faults have been discovered over the past four years in CISA's known exploited vulnerabilities catalogue. 

“We support information sharing to aid defenders. This report covers threat actor activity from last fall that affected an end-of-life version of Cloud Services Appliance. Customers on fully patched or upgraded versions were not affected,” a spokesperson for Ivanti noted in a statement. “Ivanti released a patch in 2024 and strongly urged all customers to upgrade to CSA version 5.0, which was not affected by this vulnerability. The security and protection of our customers remain our top priority, and we are committed to supporting them.”
Read more »
North Korea cyberattacks
Crypto cryptocurrency cryptocurrency hacks cryptocurrency scam cryptocurrency theft cryptocurrency wallet Cyber Attacks Hacker attack North Korea North Korea cyberattacks

North Korea-Linked Hackers Behind $2.1 Billion in Crypto Theft in Early 2025

 

A new report from blockchain analytics firm TRM Labs reveals that hackers stole an unprecedented $2.1 billion in cryptocurrency during the first half of 2025—marking the highest amount ever recorded for a six-month period. A staggering 70% of the total, or around $1.6 billion, has been attributed to cybercriminal groups sponsored by North Korea. 

According to TRM Labs’ “H1 2025 Crypto Hacks and Exploits” report, this figure surpasses the previous record set in 2022 by 10%, pointing to an escalating trend in high-stakes cybercrime. The report also emphasizes how North Korea has solidified its role as the leading state-backed threat actor in the cryptocurrency ecosystem.  

“These thefts are not just criminal—they’re tools of statecraft,” the report states, highlighting how stolen crypto plays a strategic role in funding the sanctioned regime’s national objectives, including its controversial weapons program. 

Much of this year’s unprecedented losses stem from a single massive incident: the $1.5 billion hack targeting Ethereum and related assets held by the crypto exchange Bybit in February. This attack is being considered the largest theft in the history of the cryptocurrency sector.  

Safe, a provider of multi-signature wallet solutions, traced the breach back to a compromised laptop belonging to one of its senior developers. The device was reportedly infected on February 4 after interacting with a malicious Docker project. The infiltration ultimately allowed attackers to gain unauthorized access to private keys.  

Both U.S. law enforcement and TRM Labs have linked the Bybit attack to North Korean hackers, aligning with prior assessments that the regime increasingly relies on crypto theft as a state-funded operation. 

This event drastically skewed the average size of crypto heists for 2025 and emphasized the changing nature of these attacks—from purely profit-driven motives to broader geopolitical strategies. 

TRM Labs noted that 80% of all crypto losses in 2025 were due to infrastructure breaches, with attackers exploiting vulnerabilities in systems that store private keys and seed phrases—essential components in controlling digital wallets. 

Analysts warn that such incidents signal a shift in the threat landscape. “Crypto hacking is becoming less about financial gain and more about political symbolism or strategic advantage,” TRM concluded. 

As the year continues, security experts urge crypto platforms and users to enhance infrastructure protection, especially against sophisticated, nation-backed threats that blur the line between cybercrime and cyberwarfare.
Read more »
trending news
Cyber Attacks cybersecurity news Ransomware trending news

Encryption Drops While Extortion-Only Attacks Surge

 

Ransomware remains a persistent threat to organisations worldwide, but new findings suggest cybercriminals are shifting their methods. According to the latest report by Sophos, only half of ransomware attacks involved data encryption this year, a sharp decline from 70 per cent in 2023.  
The report suggests that improved cybersecurity measures may be helping organisations stop attacks before ransomware payloads are deployed. However, larger organisations with 3,001 to 5,000 employees still reported encryption in 65 per cent of attacks, possibly due to the challenges of monitoring vast IT infrastructures. 

As encryption-based tactics decrease, attackers are increasingly relying on extortion-only methods. These attacks, which involve threats to release stolen data without encrypting systems, have doubled to 6 per cent this year. Smaller businesses were disproportionately affected 13 per cent of firms with 100 to 250 employees reported facing such attacks, compared to just 3 per cent among larger enterprises.  

While Sophos highlighted software vulnerabilities as the most common entry point for attackers, this finding contrasts with other industry data. Allan Liska, a ransomware expert at Recorded Future, said leaked or stolen credentials remain the most frequently reported initial attack vector. Sophos, however, reported a drop in attacks starting with credential compromise from 29 per cent last year to 23 per cent in 2024 suggesting variations in data visibility between firms. 

The report also underscored the human cost of cyberattacks. About 41 per cent of IT and security professionals said they experienced increased stress or anxiety after handling a ransomware incident. Liska noted that while emotional tolls are predictable, they are often overlooked in incident response planning.
Read more »
Polymorphic
AI Powered Cyber Attacks cybercriminals Cyberhackers Cybersecurity Cyberthreats malware Polymorphic

Polymorphic Security Approaches for the Next Generation of Cyber Threats


 

Considering the rapid evolution of cybersecurity today, organisations and security professionals must continue to contend with increasingly sophisticated adversaries in an ever-increasing contest. There is one class of malware known as polymorphic malware, which is capable of continuously changing the code of a piece of software to evade traditional detection methods and remain undetectable. It is among the most formidable threats to emerge. 

Although conventional malware is often recognisable by consistent patterns or signatures, polymorphic variants are dynamic in nature and dynamically change their appearance whenever they are infected or spread across networks. Due to their adaptive nature, cybercriminals are able to get around a number of established security controls and prolong the life of their attacks for many years to come. 

In an age when artificial intelligence and machine learning are becoming increasingly powerful tools for defending as well as for criminals, detecting and neutralising these shape-shifting threats has become more difficult than ever. It has never been clearer that the pressing need to develop agile, intelligent, and resilient defence strategies has increased in recent years, highlighting that innovation and vigilance are crucial to protecting digital assets. 

In today's world, enterprises are facing a wide range of cyber threats, including ransomware attacks that are highly disruptive, deceptive phishing campaigns that are highly sophisticated, covert insider breaches, and sophisticated advanced persistent threats. Due to the profound transformation of the digital battlefield, traditional defence measures have become inadequate to combat the speed and complexity of modern cyber threats in the 21st century. 

To address this escalating threat, forward-looking companies are increasingly incorporating artificial intelligence into the fabric of their cybersecurity strategies, as a result. When businesses integrate artificial intelligence-powered capabilities into their security architecture, they are able to monitor massive amounts of data in real time, identify anomalies with remarkable accuracy, and evaluate vulnerabilities at a level of precision that cannot be matched by manual processes alone, due to the ability to embed AI-powered capabilities. 

As a result of the technological advancements in cybersecurity, security teams are now able to shift from reactive incident management to proactive and predictive defence postures that can counteract threats before they develop into large-scale breaches. Furthermore, this paradigm shift involves more than simply improving existing tools; it involves a fundamental reimagining of cybersecurity operations as a whole. 

Several layers of defence are being redefined by artificial intelligence, including automated threat detection, streamlining response workflows, as well as enabling smart analytics to inform strategic decisions. The result of this is that organisations have a better chance of remaining resilient in an environment where cyber adversaries are leveraging advanced tactics to exploit even the tiniest vulnerabilities to gain a competitive edge. 

Amidst the relentless digital disruption that people are experiencing today, adopting artificial intelligence-driven cybersecurity has become an essential imperative to safeguard sensitive assets and ensure operational continuity. As a result of its remarkable ability to constantly modify its own code while maintaining its malicious intent, polymorphic malware has emerged as one of the most formidable challenges to modern cybersecurity. 

As opposed to conventional threats that can be detected by their static signatures and predictable behaviours, polymorphic malware is deliberately designed in order to conceal itself by generating a multitude of unique iterations of itself in order to conceal its presence. As a result of its inherent adaptability, it is easily able to evade traditional security tools that are based on static detection techniques. 

Mutation engines are a key tool for enabling polymorphism, as they are able to alter the code of a malware program every time it is replicated or executed. This results in each instance appearing to be distinct to signature-based antivirus software, which effectively neutralises the value of predefined detection rules for those instances. Furthermore, polymorphic threats are often disguised through encryption techniques as a means of concealing their code and payloads, in addition to mutation capabilities.

It is common for malware to apply a different cryptographic key when it spreads, so that it is difficult for security scanners to recognise the components. Further complicating analysis is the use of packing and obfuscation methods, which are typically applied. Obfuscating a code structure makes it difficult for analysts to understand it, while packing is the process of compressing or encrypting an executable to prevent static inspection without revealing the hidden contents. 

As a result of these techniques, even mature security environments are frequently overwhelmed by a constantly shifting threat landscape that can be challenging. There are profound implications associated with polymorphic malware because it consistently evades detection. This makes the chances of a successful compromise even greater, thus giving attackers a longer window of opportunity to exploit systems, steal sensitive information, or disrupt operations. 

In order to defend against such threats, it is essential to employ more than conventional security measures. A layering of defence strategy should be adopted by organisations that combines behavioural analytics, machine learning, and real-time monitoring in order to identify subtle indicators of compromise that static approaches are likely to miss. 

In such a situation, organisations need to continuously adjust their security posture in order to maintain a resilient security posture. With polymorphic techniques becoming increasingly sophisticated, organisations must constantly innovate their defences, invest in intelligent detection solutions, and cultivate the expertise required to recognise and combat these evolving threats to meet the demands of these rapidly changing threats.

In an era when threats no longer stay static, the need for proactive, adaptive security has become critical to ensuring the protection of critical infrastructure and maintaining business continuity. The modern concept of cybersecurity is inspired by a centuries-old Russian military doctrine known as Maskirovka. This doctrine emphasises the strategic use of deception, concealment, and deliberate misinformation to confound adversaries. This philosophy has been adopted in the digital realm as well. 

Maskirovka created illusions on the battlefield in order to make it incomprehensible for the adversary to take action, just like polymorphic defence utilises the same philosophy that Maskirovka used to create a constantly changing digital environment to confuse and outmanoeuvre attackers. Cyber-polymorphism is a paradigm emerging that will enable future defence systems to create an almost limitless variety of dynamic decoys and false artefacts. 

As a result, adversaries will be diverted to elaborate traps, and they will be required to devote substantial amounts of their time and energy to chasing the illusions. By creating sophisticated mirages that ensure that a clear or consistent target remains hidden from an attacker, these sophisticated mirages aim to undermine the attacker's resolve and diminish the attacker's operational effectiveness. 

It is important, however, for organisations to understand that, as the stakes grow higher, the contest will be more determined by the extent to which they invest, how capable the computers are, and how sophisticated the algorithms are. The success of critical assets is not just determined by technological innovation but also by the capability to deploy substantial resources to sustain adaptive defences in scenarios where critical assets are at risk. 

Obtaining this level of agility and resilience requires the implementation of autonomous, orchestrated artificial intelligence systems able to make decisions and execute countermeasures in real time as a result of real-time data. It will become untenable if humans are reliant on manual intervention or human oversight during critical moments during an attack, as modern threats are fast and complex, leaving no room for error. 

It can be argued in this vision of cybersecurity's future that putting a human decision-maker amid defensive responses effectively concedes to the attacker's advantage. A hybrid cyber defence is an advancement of a concept that is referred to as moving target defence by the U.S. Department of Defence. 

It advances the concept a great deal further, however. This approach is much more advanced than mere rotation of system configurations to shrink the attack surface, since it systematically transforms every layer of an organisation’s digital ecosystem through intelligent, continuous transformation. By doing so, we are not just reducing predictability, but actively disrupting the ability of the attacker to map, exploit, and persist within the network environment by actively disrupting it. 

By doing so, it signals a significant move away from static, reactive security strategies to proactive, AI-driven strategies that can anticipate and counter even the most sophisticated threats as they happen. In a world where digital transformation has continued to accelerate across all sectors, integrating artificial intelligence into cybersecurity frameworks has evolved from merely an enhancement to a necessity that cannot be ignored anymore. 

The utilisation of intelligent, AI-driven security capabilities is demonstrated to be a better way for organisations to manage risks, safeguard data integrity, and maintain operational continuity as adversaries become increasingly sophisticated. The core advantage of artificial intelligence lies in its ability to provide actionable intelligence and strategic foresight, regardless of whether it is integrated into an organisation's internal infrastructure or delivered as part of managed security services. 

Cyber threats in today's hyperconnected world are not just possible, but practically guaranteed, so relying on reactive measures is no longer a feasible approach. Today, it is imperative to be aware of potential compromises before they escalate into significant disruptions, so that they can be predicted, detected, and contained in advance.

It is no secret that artificial intelligence has revolutionised the parameters of cybersecurity. It has enabled organisations to gain real-time visibility into their threat environment, prioritise risks based on data-driven insights and deploy automated responses in a matter of hours. Rather than being just another incremental improvement, there is a shift in the conceptualisation and operationalisation of security that constitutes more than an incremental improvement. 

There has been a dramatic increase in cyber attacks in recent years, with severe financial and reputational damage being the consequence of a successful attack. The adoption of proactive, adaptive defences is no longer just a competitive advantage; it has become a key component of business resilience. As businesses integrate AI-enabled security solutions, they are able to stay ahead of evolving threats while keeping stakeholder confidence and trust intact. 

A vital requirement for long-term success for modern enterprises concerned about their ability to cope with digital threats and thrive in the digital age is to develop an intelligent, anticipatory cyber ddefence A growing number of cyber threats and threats are becoming more volatile and complex than ever before, so it has become increasingly important for leaders to adopt a mindset that emphasises relentless adaptation and innovation, rather than simply acquiring advanced technologies. 

They should also establish clear strategies for integrating intelligent automation into their security ecosystems and aligning these capabilities with broader business objectives to gain a competitive advantage. Having said that, it will be imperative to rethink governance to enable faster, decentralised response, develop specialised talent pipelines for emerging technologies and implement continuous validation to ensure that defences remain effective against evolving threat patterns. 

In the age of automating operations and implementing increasingly sophisticated tactics, the true differentiator will be the ability for organisations to evolve at a similar rate and precision as their adversaries. An organisation that is looking ahead will prioritise a comprehensive risk model, invest in resilient architectures that can self-heal when attacked, and leverage AI in order to build dynamic defences that can be used to counter threats before they impact critical operations. 

In a climate like this, protecting digital assets is not just a one-time project. It is a recurring strategic imperative that requires constant vigilance, discipline, and the ability to act decisively when necessary. As a result, organisations that will succeed in the future will be those that embrace cybersecurity as a constant journey-one that combines foresight, adaptability, and an unwavering commitment to remain one step ahead of adversaries who are only going to keep improving.
Read more »
trending cybersecurity news
cyber attack Cyber Attacks cybersecurity news Russian APT28 trending cybersecurity news

Russian APT28 Targets Ukraine Using Signal to Deliver New Malware Families

 

The Russian state-sponsored threat group APT28, also known as UAC-0001, has been linked to a fresh wave of cyberattacks against Ukrainian government targets, using Signal messenger chats to distribute two previously undocumented malware strains—BeardShell and SlimAgent. 

While the Signal platform itself remains uncompromised, its rising adoption among government personnel has made it a popular delivery vector for phishing attacks. Ukraine’s Computer Emergency Response Team (CERT-UA) initially discovered these attacks in March 2024, though critical infection vector details only surfaced after ESET notified the agency in May 2025 of unauthorised access to a “gov.ua” email account. 

Investigations revealed that APT28 used Signal to send a macro-laced Microsoft Word document titled "Акт.doc." Once opened, it initiates a macro that drops two payloads—a malicious DLL file (“ctec.dll”) and a disguised PNG file (“windows.png”)—while modifying the Windows Registry to enable persistence via COM-hijacking. 

These payloads execute a memory-resident malware framework named Covenant, which subsequently deploys BeardShell. BeardShell, written in C++, is capable of downloading and executing encrypted PowerShell scripts, with execution results exfiltrated via the Icedrive API. The malware maintains stealth by encrypting communications using the ChaCha20-Poly1305 algorithm. 

Alongside BeardShell, CERT-UA identified another tool dubbed SlimAgent. This lightweight screenshot grabber captures images using multiple Windows API calls, then encrypts them with a combination of AES and RSA before local storage. These are presumed to be extracted later by an auxiliary tool. 

APT28’s involvement was further corroborated through their exploitation of vulnerabilities in Roundcube and other webmail software, using phishing emails mimicking Ukrainian news publications to exploit flaws like CVE-2020-35730, CVE-2021-44026, and CVE-2020-12641. These emails injected malicious JavaScript files—q.js, e.js, and c.js—to hijack inboxes, redirect emails, and extract credentials from over 40 Ukrainian entities. CERT-UA recommends organisations monitor traffic linked to suspicious domains such as “app.koofr.net” and “api.icedrive.net” to detect any signs of compromise.
Read more »
U.S. steel production
Cyber Attacks Cybersecurity Nucor cyberattack Nucor earnings forecast steel manufacturing recovery U.S. steel production

Nucor Restores Operations After May Cyberattack, Expects Strong Q2 Earnings

 

Nucor, the largest steel producer in the United States, announced it has resumed normal operations after a cyberattack in May that exposed a limited amount of data.

According to a filing with the Securities and Exchange Commission, the company believes it has successfully removed the hackers from its systems and does not anticipate any material impact on its financial results or operations.

“The incident temporarily limited our ability to access certain functions and some facilities,” Nucor stated. To investigate and recover from the breach, the company engaged external forensic specialists. 

As part of its response, Nucor temporarily shut down its systems and restored portions of its data using backup files. The company has since collaborated with outside experts to strengthen its IT infrastructure against future intrusions.

Headquartered in Charlotte, North Carolina, Nucor produces approximately 25% of the nation’s raw steel. Last week, the company said it expects second-quarter earnings per share to range between $2.55 and $2.65 for the fiscal period ending July 5. Earnings are projected to grow across all three operating segments, with the most significant gains anticipated in its steel mills business, driven by higher average selling prices for sheet and plate products.

Nucor has not shared specific details about the financial consequences of the cyberattack. The company plans to release its earnings report on July 28, followed by a conference call on July 29.
Read more »
Palo Alto Networks
Botnet Botnet attack cryptocurrency mining Cyber Attacks Evasion Tactics Linux Linux Malware Linux Security Linux Servers Malware attacks Palo Alto Palo Alto Networks

Palo Alto Detects New Prometei Botnet Attacks Targeting Linux Servers

Cybersecurity analysts from Palo Alto Networks’ Unit 42 have reported a resurgence of the Prometei botnet, now actively targeting Linux systems with new, upgraded variants as of March 2025. Originally discovered in 2020 when it was aimed at Windows machines, Prometei has since expanded its reach. 

Its Linux-based malware strain has been in circulation since late 2020, but recent versions—designated as 3.x and 4.x—demonstrate significant upgrades in their attack capabilities. The latest Prometei malware samples are equipped with remote control functionality, domain generation algorithms (DGA) to ensure connection with attacker-controlled servers, and self-updating systems that help them remain undetected. This renewed activity highlights the botnet’s growing sophistication and persistent threat across global networks. 

At its core, Prometei is designed to secretly mine Monero cryptocurrency, draining the resources of infected devices. However, it also engages in credential harvesting and can download additional malicious software depending on the attacker’s goals. Its modular framework allows individual components to carry out specific tasks, including brute-force attacks, vulnerability exploitation (such as EternalBlue and SMB bugs), mining operations, and data exfiltration. 

The malware is typically delivered via HTTP GET requests from rogue URLs like hxxp://103.41.204[.]104/k.php. Prometei uses 64-bit Linux ELF binaries that extract and execute payloads directly in memory. These binaries also carry embedded configuration data in a JSON format, containing fields such as encryption keys and tracking identifiers, making them harder to analyze and block. 

Once a system is compromised, the malware collects extensive hardware and software information—CPU details, OS version, system uptime—and sends this back to its command-and-control (C2) servers, including addresses like hxxp://152.36.128[.]18/cgi-bin/p.cgi. Thanks to DGA and self-update features, Prometei ensures consistent communication with attacker infrastructure and adapts to security responses on the fly.  

To defend against these threats, Palo Alto Networks advises using advanced detection tools such as Cortex XDR, WildFire, and their Advanced Threat Prevention platform. These technologies utilize real-time analytics and machine learning to identify and contain threats. Organizations facing a breach can also contact Palo Alto’s Unit 42 incident response team for expert help. 

The activity observed from March to April 2025 underlines the continued evolution of the Prometei botnet and the growing risk it poses to businesses relying on Linux environments. Strengthening cybersecurity protocols and remaining alert to new threats is essential in today’s threat landscape.
Read more »
North Korean Hackers
BitoPro hack crypto theft 2025 Cyber Attacks Lazarus Group cyberattack North Korean Hackers

BitoPro Blames North Korea’s Lazarus Group for $11 Million Crypto Theft During Hot Wallet Update

 

Taiwanese cryptocurrency exchange BitoPro has attributed a major cyberattack that resulted in the theft of approximately $11 million in digital assets to the infamous North Korean hacking group Lazarus. The breach occurred on May 8, 2025, when attackers exploited vulnerabilities during a hot wallet system upgrade.

According to BitoPro, its internal investigation uncovered evidence linking the incident to Lazarus, citing similarities in techniques and tactics observed in previous large-scale intrusions.

“The attack methodology bears resemblance to patterns observed in multiple past international major incidents, including illicit transfers from global bank SWIFT systems and asset theft incidents from major international cryptocurrency exchanges,” reads the company’s announcement.

BitoPro, which serves primarily Taiwanese customers and offers fiat currency transactions in TWD alongside various crypto assets, has over 800,000 registered users and processes nearly $30 million in trading volume each day.

During the attack, unauthorized withdrawals were conducted from an older hot wallet across multiple blockchains, including Ethereum, Tron, Solana, and Polygon. The stolen funds were subsequently funneled through decentralized exchanges and mixing services such as Tornado Cash, ThorChain, and Wasabi Wallet to obscure their origin.

Although the breach took place in early May, BitoPro publicly acknowledged the incident only on June 2, assuring users that platform operations remained unaffected and that impacted wallets were replenished using reserves.

The subsequent investigation concluded there was no evidence of insider involvement. Instead, attackers had carried out a sophisticated social engineering campaign that compromised an employee’s device responsible for managing cloud operations. Through this infection, they hijacked AWS session tokens, effectively bypassing multi-factor authentication protections to gain access to BitoPro’s cloud infrastructure.

The hackers’ command-and-control server then issued instructions to implant malicious scripts into the hot wallet host in preparation for the heist. By carefully simulating legitimate activity, they were able to transfer assets undetected when the wallet upgrade took place.

Once BitoPro became aware of the unauthorized activity, it deactivated the hot wallet system and rotated cryptographic keys, though by that point, roughly $11 million had already been drained.

The exchange has notified relevant authorities and collaborated with external cybersecurity specialists to conduct a thorough review, which concluded on June 11.

The Lazarus Group has developed a notorious reputation for targeting cryptocurrency platforms and decentralized finance ecosystems, with previous operations including a record-setting $1.5 billion theft from Bybit.
Read more »
Malware Attack
Crypto Platform cryptocurrency cryptocurrency security cryptocurrency theft Cyber Attacks Digital Assets Lazarus Group Lazarus Group attack Malware Attack

Lazarus Group Suspected in $11M Crypto Heist Targeting Taiwan’s BitoPro Exchange

 

Taiwanese cryptocurrency platform BitoPro has blamed North Korea’s Lazarus Group for a cyberattack that resulted in $11 million in stolen digital assets. The breach occurred on May 8, 2025, during an upgrade to the exchange’s hot wallet system. 

According to BitoPro, the tactics and methods used by the hackers closely resemble those seen in other global incidents tied to the Lazarus Group, including high-profile thefts via SWIFT banking systems and other major crypto platforms. BitoPro serves a primarily Taiwanese customer base, offering fiat transactions in TWD alongside various cryptocurrencies. 

The exchange currently supports over 800,000 users and processes approximately $30 million in daily trades. The attack exploited vulnerabilities during a system update, enabling the unauthorized withdrawal of funds from a legacy hot wallet spread across several blockchain networks, including Ethereum, Tron, Solana, and Polygon. The stolen cryptocurrency was then quickly laundered through decentralized exchanges and mixers such as Tornado Cash, Wasabi Wallet, and ThorChain, making recovery and tracing more difficult. 

Despite the attack taking place in early May, BitoPro only publicly acknowledged the breach on June 2. At that time, the exchange assured users that daily operations remained unaffected and that the compromised hot wallet had been replenished from its reserve funds. Following a thorough investigation, the exchange confirmed that no internal staff were involved. 

However, the attackers used social engineering tactics to infect a cloud administrator’s device with malware. This allowed them to steal AWS session tokens, bypass multi-factor authentication, and gain unauthorized access to BitoPro’s cloud infrastructure. From there, they were able to insert scripts directly into the hot wallet system and carry out the theft while mimicking legitimate activity to avoid early detection. 

After discovering the breach, BitoPro deactivated the affected wallet system and rotated its cryptographic keys, though the damage had already been done. The company reported the incident to authorities and brought in a third-party cybersecurity firm to conduct an independent review, which concluded on June 11. 

The Lazarus Group has a long history of targeting cryptocurrency and decentralized finance platforms. This attack on BitoPro adds to their growing list of cyber heists, including the recent $1.5 billion digital asset theft from the Bybit exchange.
Read more »
US Federal Agencies
Cyber Attacks Krispy Kreme US Federal Agencies

Krispy Kreme Confirms Cyberattack Affected Over 160,000 People

 



Popular U.S.-based doughnut chain Krispy Kreme has confirmed that a cyberattack last year compromised the personal data of more than 160,000 individuals.

According to a notification filed with the Maine Attorney General's Office, the company stated that the breach took place in late November 2024. However, affected individuals were informed only in May 2025, after the company completed its internal investigation.

In letters sent to those impacted, Krispy Kreme explained that while they currently have no evidence of misuse, sensitive data may have been accessed during the breach. The company has not publicly confirmed all the types of information that were exposed, but a separate disclosure in Massachusetts revealed that documents containing Social Security numbers, banking details, and driver's license information were among those compromised.

Further updates posted on Krispy Kreme's official website in June added that other personal records may have also been involved. These include medical and health data, credit card numbers, passport details, digital signatures, and even login credentials for financial and email accounts. The extent of exposure varied depending on the individual.

The breach first came to light on November 29, 2024, when Krispy Kreme discovered unusual activity on its internal systems. The incident disrupted its online ordering services and was reported in a regulatory filing on December 11. To manage the situation, the company brought in independent cybersecurity specialists and took steps to secure its systems.

While the company has not commented on the source of the attack, a ransomware group known as “Play” claimed responsibility in late December. The group has a history of targeting organizations around the world and is known for stealing data and demanding ransom by threatening to publish stolen information online—a tactic known as double extortion. However, their claims about the stolen data have not been verified by Krispy Kreme.

The Play ransomware operation has been linked to hundreds of cyberattacks globally, including incidents involving governments, corporations, and local authorities. U.S. federal agencies, along with international partners, issued a security advisory in late 2023 warning organizations about the group’s growing threat.

Krispy Kreme, which operates in over 40 countries and runs thousands of sales points including through a partnership with McDonald’s is continuing to investigate the full impact of the incident. The company is urging those affected to stay alert for signs of identity theft and take steps to protect their financial and personal accounts.

Read more »
UBS
Cyber Attacks Employee Data swiss media UBS

UBS Acknowledges Employee Data Leak Following Third-Party Cyberattack

 



Swiss financial institution UBS has confirmed that some of its employee data was compromised and leaked online due to a cybersecurity breach at one of its external service providers. The incident did not impact client information, according to the bank.

The breach came to light after reports surfaced from Swiss media suggesting that data belonging to roughly 130,000 UBS staff members had been exposed online for several days. The compromised records reportedly include employee names, job titles, email addresses, phone numbers, workplace locations, and spoken languages.

UBS stated that it responded immediately upon learning of the breach, taking necessary steps to secure its operations and limit potential risks.

The cyberattack did not directly target UBS but rather a company it works with for procurement and administrative services. This supplier, identified as a former UBS spin-off, confirmed that it had been targeted but did not specify the extent of the data breach or name all affected clients.

A threat group believed to be behind the breach is known for using a form of cyber extortion that involves stealing sensitive data and threatening to publish it unless a ransom is paid. Unlike traditional ransomware attacks, this group reportedly skips the step of encrypting files and focuses solely on the theft and public exposure of stolen information.

So far, only one other company besides UBS has confirmed being impacted by this incident, though the service provider involved works with several major international firms, raising concerns that others could be affected as well.

Cybersecurity experts warn that the exposure of employee data, even without customer information can still lead to serious risks. Such data can be misused in fraud, phishing attempts, and impersonation scams. In today’s digital age, tools powered by artificial intelligence can mimic voices or even create fake videos, making such scams increasingly convincing.

There are also fears that exposed information could be used to pressure or manipulate employees, or to facilitate financial crimes through social engineering.

This breach serves as a reminder of how cyber threats are not limited to the primary organization alone. When suppliers and vendors handle sensitive internal information, their security practices become a critical part of the larger cybersecurity ecosystem. Threat actors increasingly target third-party providers to bypass more heavily secured institutions and gain access to valuable data.

As investigations continue, the focus remains on understanding the full scope of the incident and taking steps to prevent similar attacks in the future.

Read more »
Subscribe to: Posts (Atom)