
Connor Moucka Extradited to U.S. for Snowflake Data Breaches Targeting 165 Companies

 

Connor Moucka, a Canadian citizen accused of orchestrating large-scale data breaches affecting 165 companies using Snowflake’s cloud storage services, has agreed to be extradited to the United States to face multiple federal charges. The breaches, which targeted high-profile companies like AT&T and Ticketmaster, resulted in the exposure of hundreds of millions of sensitive records. 

Moucka, also known by online aliases such as “Waifu,” “Judische,” and “Ellyel8,” was arrested in Kitchener, Ontario, on October 30, 2024, at the request of U.S. authorities. Last Friday, he signed a written agreement before the Superior Court of Justice in Kitchener, consenting to his extradition without the standard 30-day waiting period. The 26-year-old faces 20 charges in the U.S., including conspiracy to commit computer fraud, unauthorized access to protected systems, wire fraud, and aggravated identity theft. Prosecutors allege that Moucka, along with co-conspirator John Binns, extorted over $2.5 million from victims by stealing and threatening to expose their sensitive information. 

The data breaches tied to this cybercrime operation have had widespread consequences. In May 2024, Ticketmaster’s parent company, Live Nation, confirmed that data from 560 million users had been compromised and put up for sale on hacking forums. Other companies affected include Santander Bank, Advance Auto Parts, and AT&T, among others. Moucka and Binns are believed to be linked to “The Com,” a cybercriminal network involved in various illicit activities, including cyber fraud, extortion, and violent crimes. 

Another alleged associate, Cameron Wagenius, a 21-year-old U.S. Army soldier, was arrested in December for attempting to sell stolen classified information to foreign intelligence agencies. Wagenius has since indicated his intent to plead guilty. U.S. prosecutors claim Moucka and his associates launched a series of cyberattacks on Snowflake customers, gaining unauthorized access to corporate environments and exfiltrating confidential data. 

These breaches, described as among the most extensive cyberattacks in recent history, compromised sensitive records from numerous enterprises. While the exact date of Moucka’s extradition remains undisclosed, his case underscores the growing threat of cyber extortion and the increasing international cooperation in tackling cybercrime. His legal representatives have not yet issued a statement regarding the extradition or upcoming trial proceedings.

Oracle Denies Claim of Server Breach

 

Following a threat actor's claim to be selling 6 million data records allegedly stolen from Oracle Cloud's federated SSO login servers, Oracle denies that it was compromised. 

“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data,” the company noted. 

This accusation follows the release of many text files yesterday by a threat actor going by the moniker rose87168, which included a sample database, LDAP details, and a list of the businesses they said were pilfered from Oracle Cloud's SSO platform.

The threat actor provided BleepingComputer with this URL as additional evidence that they were able to access Oracle Cloud servers. It displays an Internet Archive URL indicating that they submitted a .txt file to the login.us2.oraclecloud.com server that contained their ProtonMail email address.

When BleepingComputer contacted Oracle once more, it asked how the attackers could have uploaded a text file containing their email address without having access to Oracle Cloud servers. 

Alleged Oracle data leak 

Rose87168 is currently offering the allegedly stolen data from Oracle Cloud's SSO service for an undisclosed fee or in exchange for zero-day exploits on the BreachForums hacking community. The information, which included enterprise manager JPS keys, Java Keystore (JKS) files, and encrypted SSO passwords, was allegedly stolen during an intrusion into Oracle servers based in 'login.(region-name).oraclecloud.com'.

“The SSO passwords are encrypted, they can be decrypted with the available files. also LDAP hashed password can be cracked,” rose87168 says. “I'll list the domains of all the companies in this leak. Companies can pay a specific amount to remove their employees' information from the list before it's sold.” 

They've also promised to share part of the data with anyone who can help decrypt the SSO or LDAP credentials. The threat actor told BleepingComputer that they acquired access to Oracle Cloud servers about 40 days ago and claimed to have emailed the firm after exfiltrating data from the US2 and EM2 regions.

In the email conversation, rose87168 said that they asked Oracle to pay 100,000 XMR for information on how they infiltrated the systems, but the company allegedly refused to pay after requesting “all information needed for fix and patch.” 

When questioned how they breached the servers, the attackers stated that all Oracle Cloud servers are running a vulnerable version with a public CVE (flaw) that does not yet have a public PoC or exploit. However, BleepingComputer was unable to independently verify whether this was the case.

Western Alliance Bank Data Breach Exposes Nearly 22,000 Customers’ Personal Information

 

Western Alliance Bank has alerted nearly 22,000 customers that their personal information was compromised following a cyberattack in October. The breach stemmed from a vulnerability in a third-party vendor’s secure file transfer software, which allowed attackers to gain unauthorized access to the bank’s systems and extract sensitive customer data. 

Western Alliance, a subsidiary of Western Alliance Bancorporation with over $80 billion in assets, first disclosed the incident in a February SEC filing. The bank revealed that hackers exploited a zero-day vulnerability in the software, which was officially disclosed on October 27, 2024. However, unauthorized access to the bank’s systems had already occurred between October 12 and October 24. The breach was only confirmed after the attackers leaked stolen files online. 

According to breach notification letters sent to 21,899 affected customers and filed with the Office of Maine’s Attorney General, the stolen data includes names, Social Security numbers, birth dates, financial account details, driver’s license numbers, tax identification numbers, and passport information if previously provided to the bank. Despite the exposure, Western Alliance stated there is no evidence of fraud or identity theft resulting from the breach. 

To support affected customers, the bank is offering one year of free identity protection services through Experian IdentityWorks Credit 3B. Although Western Alliance did not disclose the name of the compromised software in its SEC filing or customer notifications, the Clop ransomware gang has claimed responsibility for the attack. In January, Clop listed the bank among 58 companies targeted in a campaign that exploited a critical zero-day vulnerability (CVE-2024-50623) in Cleo LexiCom, VLTrader, and Harmony software. 

The ransomware group had previously leveraged similar security flaws in MOVEit Transfer, GoAnywhere MFT, and Accellion FTA to conduct large-scale data theft operations. Further investigations revealed that Clop exploited an additional zero-day vulnerability (CVE-2024-55956) in Cleo software in December. This allowed them to deploy a Java-based backdoor, dubbed “Malichus,” enabling deeper infiltration into victims’ networks. Cleo, which serves over 4,000 organizations worldwide, confirmed the vulnerability had been used to install malicious backdoor code in affected instances of its Harmony, VLTrader, and LexiCom software. 

The full extent of the breach remains unclear, but it highlights the growing risks posed by vulnerabilities in third-party software. Organizations relying on such solutions must remain vigilant, promptly apply security patches, and implement robust defenses to prevent similar incidents.

The Growing Threat of Infostealer Malware: What You Need to Know

 

Infostealer malware is becoming one of the most alarming cybersecurity threats, silently stealing sensitive data from individuals and organizations. This type of malware operates stealthily, often going undetected for long periods while extracting valuable information such as login credentials, financial details, and personal data. As cybercriminals refine their tactics, infostealer attacks have become more frequent and sophisticated, making it crucial for users to stay informed and take preventive measures. 

A significant reason for concern is the sheer scale of data theft caused by infostealers. In 2024 alone, security firm KELA reported that infostealer malware was responsible for leaking 3.9 billion passwords and infecting over 4.3 million devices worldwide. Similarly, Huntress’ 2025 Cyber Threat Report revealed that these threats accounted for 25% of all cyberattacks in the previous year. This data highlights the growing reliance of cybercriminals on infostealers as an effective method of gathering personal and corporate information for financial gain. 

Infostealers operate by quietly collecting various forms of sensitive data. This includes login credentials, browser cookies, email conversations, banking details, and even clipboard content. Some variants incorporate keylogging capabilities to capture every keystroke a victim types, while others take screenshots or exfiltrate files. Cybercriminals often use the stolen data for identity theft, unauthorized financial transactions, and large-scale corporate breaches. Because these attacks do not immediately disrupt a victim’s system, they are harder to detect, allowing attackers to extract vast amounts of information over time. 

Hackers distribute infostealer malware through multiple channels, making it a widespread threat. Phishing emails remain one of the most common methods, tricking victims into downloading infected attachments or clicking malicious links. However, attackers also embed infostealers in pirated software, fake browser extensions, and even legitimate platforms. For example, in February 2025, a game called PirateFi was uploaded to Steam and later found to contain infostealer malware, compromising hundreds of devices before it was removed. Social media platforms, such as YouTube and LinkedIn, are also being exploited to spread malicious files disguised as helpful tools or software updates. 

Beyond stealing data, infostealers serve as an entry point for larger cyberattacks. Hackers often use stolen credentials to gain unauthorized access to corporate networks, paving the way for ransomware attacks, espionage, and large-scale financial fraud. Once inside a system, attackers can escalate their access, install additional malware, and compromise more critical assets. This makes infostealer infections not just an individual threat but a major risk to businesses and entire industries.  

The prevalence of infostealer malware is expected to grow, with attackers leveraging AI to improve phishing campaigns and developing more advanced evasion techniques. According to Check Point’s 2025 Cybersecurity Report, infostealer infections surged by 58% globally, with Europe, the Middle East, and Africa experiencing some of the highest increases. The SYS01 InfoStealer campaign, for instance, impacted millions across multiple continents, showing how widespread the issue has become. 

To mitigate the risks of infostealer malware, individuals and organizations must adopt strong security practices. This includes using reliable antivirus software, enabling multi-factor authentication (MFA), and avoiding downloads from untrusted sources. Regularly updating software and monitoring network activity can also help detect and prevent infections. Given the growing threat, cybersecurity awareness and proactive defense strategies are more important than ever.

Tata Technologies Cyberattack: Hunters International Ransomware Gang Claims Responsibility for 1.4TB Data Theft

 

Hunters International, a ransomware group known for high-profile cyberattacks, has claimed responsibility for a January 2025 cyberattack on Tata Technologies. The group alleges it stole 1.4TB of sensitive data from the company and has issued a threat to release the stolen files if its ransom demands are not met. Tata Technologies, a Pune-based global provider of engineering and digital solutions, reported the cyberattack in January. 

The company, which operates in 27 countries with over 12,500 employees, offers services across the automotive, aerospace, and industrial sectors. At the time of the breach, Tata Technologies confirmed that the attack had caused disruptions to certain IT systems but stated that client delivery services remained unaffected. The company also assured stakeholders that it was actively restoring impacted systems and conducting an internal investigation with cybersecurity experts. 

However, more than a month later, Hunters International listed Tata Technologies on its dark web extortion page, taking responsibility for the attack. The group claims to have exfiltrated 730,000 files, totaling 1.4TB of data. While the ransomware gang has threatened to publish the stolen files within a week if a ransom is not paid, it has not provided any samples or disclosed the nature of the compromised documents. Tata Technologies has yet to release an update regarding the breach or respond to the hackers’ claims. 

BleepingComputer, a cybersecurity news platform, attempted to contact the company for a statement but did not receive an immediate response. Hunters International emerged in late 2023, suspected to be a rebranded version of the Hive ransomware group. Since then, it has carried out multiple high-profile attacks, including breaches of Austal USA, a U.S. Navy contractor, and Japanese optics company Hoya. 

The group has gained notoriety for targeting various organizations without ethical restraint, even engaging in extortion schemes against individuals, such as cancer patients from Fred Hutchinson Cancer Center. Although many of the gang’s claims have been verified, some remain disputed. For example, in August 2024, the U.S. Marshals Service denied that its systems had been compromised, despite Hunters International’s assertions.  

With cybercriminals continuing to exploit vulnerabilities, the Tata Technologies breach serves as another reminder of the persistent and evolving threats posed by ransomware groups.

Sophisticated BEC Attack Exploits Business Trust to Steal Funds


A recent Business Email Compromise (BEC) investigation has uncovered a highly sophisticated attack that went beyond traditional email fraud. Instead of simply sending fraudulent emails in hopes of deceiving victims, cybercriminals strategically exploited the implicit trust between three business partners—Partner A, Partner B, and Partner C. 

By infiltrating an email server, they gained full visibility into ongoing transactions and used this access to manipulate communications and divert funds into their own accounts. The attack unfolded in two distinct phases. Initially, the threat actors gained control of a compromised third-party email server, which they used to send fraudulent messages. 

Unlike typical phishing scams, this attack was highly calculated. The attackers carefully studied the writing styles of their targets, replicating common phrases, salutations, and email footers to make their messages appear authentic. A key tactic in this attack was the gradual replacement of legitimate email recipients with addresses controlled by the attackers. Over time, they subtly altered the email chain by replacing the intended recipients with fake accounts while keeping email headers intact. This tricked both Partner A and Partner B into believing they were corresponding with the right individuals when, in reality, their messages were being intercepted and manipulated. The attackers also manipulated email authentication protocols to evade detection. 

By misconfiguring the third-party email server, they ensured that fraudulent emails passed Sender Policy Framework (SPF) checks, making them appear legitimate. Additionally, they altered the “Reply-To” field while maintaining the sender’s name in the “From” field, making it difficult for recipients to detect the fraud. A significant aspect of the attack was the patience and planning involved. 

When the initial fraudulent email was rejected by Partner B’s system, the attackers waited 4.5 hours before resending it, ensuring that it blended seamlessly into the conversation. As a result, when Partner B received updated wiring instructions, they assumed it was a genuine request from Partner A and proceeded with the transfer. 

The scam was only discovered when Partner A followed up for payment confirmation—12 days after the initial invoice reminder. By then, the funds had already been moved, making recovery nearly impossible. This case underscores the evolving complexity of BEC scams, highlighting the urgent need for stronger cybersecurity measures and awareness training to prevent such costly attacks.
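The header-level tells described above (a Reply-To that differs from the displayed From, an SPF pass that covers only the envelope sender, and payment-change wording) can be checked mechanically at the receiving gateway. The following is an added example, not code from the original post or from the investigation it summarises; the two messages, domains and addresses are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Two constructed messages (not from the original post). SUSPECT mirrors the
# pattern above: the From display name and address look like Partner A, the
# Reply-To points at a lookalike domain, and SPF "passes" only because the
# envelope sender belongs to the compromised third-party server.
SUSPECT = """\
Return-Path: <bounce@compromised-thirdparty.example>
Authentication-Results: mx.partner-b.example;
 spf=pass smtp.mailfrom=compromised-thirdparty.example
From: "Alice Accounts" <alice@partner-a.example>
Reply-To: "Alice Accounts" <alice@partner-a-invoices.example>
To: bob@partner-b.example
Subject: RE: Invoice 4471 - updated wiring instructions
Message-ID: <c1@compromised-thirdparty.example>

Hi Bob, please use the new bank details below for invoice 4471.
"""

LEGIT = """\
Return-Path: <alice@partner-a.example>
Authentication-Results: mx.partner-b.example;
 spf=pass smtp.mailfrom=partner-a.example
From: "Alice Accounts" <alice@partner-a.example>
To: bob@partner-b.example
Subject: RE: Invoice 4471
Message-ID: <d2@partner-a.example>

Hi Bob, just confirming that invoice 4471 was received.
"""

# Phrases that typically accompany a change of payment destination.
PAYMENT_CHANGE_TERMS = ("wiring instructions", "bank details", "new account")


def domain_of(header_value):
    """Lowercase domain of the first address in a header ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def spf_mailfrom(auth_results):
    """(result, domain) that the Authentication-Results header reports for SPF."""
    m = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([\w.-]+)",
                  str(auth_results or ""), re.I)
    return (m.group(1).lower(), m.group(2).lower()) if m else ("none", "")


def analyse(raw_message):
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    envelope_dom = domain_of(msg["Return-Path"])
    spf_result, spf_dom = spf_mailfrom(msg["Authentication-Results"])
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + " " + (body.get_content() if body else "")

    findings = []
    # Replies are silently redirected away from the displayed sender.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    # SPF authorises the envelope sender only; a pass for some other domain
    # says nothing about the From domain the recipient actually sees.
    if spf_result == "pass" and spf_dom and spf_dom != from_dom:
        findings.append("spf-domain-mismatch")
    # Bounce address and visible sender disagree (same root cause, no SPF needed).
    if envelope_dom and envelope_dom != from_dom:
        findings.append("envelope-from-mismatch")
    # Payment-redirection wording is the payload of this kind of fraud.
    if any(term in text.lower() for term in PAYMENT_CHANGE_TERMS):
        findings.append("payment-change-language")
    return findings


if __name__ == "__main__":
    for name, raw in (("SUSPECT", SUSPECT), ("LEGIT", LEGIT)):
        print(name, analyse(raw) or "no indicators")
```

A message that trips the mismatch checks together with payment-change wording is the one to hold for out-of-band confirmation with the partner rather than deliver; DMARC alignment enforces the From/envelope agreement that this script only reports on.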

Qilin Ransomware Outfit Claims Credit for Lee Enterprises Breach

 

The Lee Enterprises attack that caused disruptions on February 3 has been linked to the Qilin ransomware group, which has released samples of data they claim were stolen from the enterprise. The ransomware actors have now threatened to release all of the allegedly stolen material unless a ransom demand is fulfilled.

The US-based media firm Lee Enterprises owns and runs 350 magazines, 77 daily newspapers, digital media platforms, and marketing services. The company's online readership reaches tens of millions each month, and its main focus is local news and advertising.

In a filing with the Securities and Exchange Commission (SEC) earlier this month, the company disclosed that it was subjected to a cyberattack on February 3, 2025, resulting in major operational disruption. Threat analysts discovered that the outage created serious issues, including lost access to internal systems and cloud storage, as well as non-functioning corporate VPNs.

A week later, Lee Enterprises filed a new statement with the SEC, stating that the attackers "encrypted critical applications and exfiltrated certain files," implying that they had been targeted by ransomware. 

Earlier this week, Qilin ransomware added Lee Enterprises to its dark web extortion site, publishing samples of allegedly stolen data such as government ID scans, non-disclosure agreements, financial spreadsheets, contracts/agreements, and other private papers reportedly stolen from the company. 

Evolution of Qilin ransomware

Despite not being one of the most active ransomware groups, Qilin has advanced significantly since being introduced in August 2022 under the alias "Agenda."

In the years that followed, the cybercriminals claimed hundreds of victims, with prominent examples including automotive manufacturer Yanfeng, Australia's Court Services Victoria, and many major NHS hospitals in London. 

In terms of technical evolution, Qilin delivered a Linux (VMware ESXi) variation in December 2023, began deploying a custom Chrome credentials stealer in August 2024, and launched a Rust-based data locker with stronger encryption and better evasion in October. 

Microsoft released a report last year claiming that the infamous members of the hacking group known as "Scattered Spider" had started using the Qilin ransomware in their attacks.

U.S. Soldier Who Hacked AT&T and Verizon Sought to Sell Stolen Data to Foreign Intelligence, Prosecutors Say


A U.S. soldier who pleaded guilty to hacking AT&T and Verizon attempted to sell stolen data to what he believed was a foreign military intelligence service, according to newly filed court records reviewed by Media. 

The documents also reveal that the soldier, Cameron John Wagenius, searched online for “U.S. military personnel defecting to Russia” and “can hacking be treason.” Wagenius, who operated under the online aliases “kiberphant0m” and “cyb3rph4nt0m,” unlawfully obtained and transferred confidential phone records, including those of high-ranking public officials. 

Prosecutors allege that he posted these records for sale in November 2024 and demanded $500,000 from AT&T in exchange for deleting the stolen information, all while on active duty at Fort Cavazos. His activities were part of a larger cyberattack against multiple Snowflake customers during the summer of 2024, impacting at least ten organizations, including Live Nation Entertainment Inc. and Advance Auto Parts Inc. 

Court documents state that hackers linked to the AT&T breach targeted records associated with prominent figures, including former First Lady Melania Trump, Ivanka Trump, Vice President Kamala Harris, and the wife of Senator Marco Rubio. However, it remains unclear what specific data Wagenius attempted to sell to the foreign intelligence service.  

Prosecutors have described the extortion attempt as “only a small part of Wagenius’ malicious activity.” According to a government memorandum filed Wednesday, Wagenius allegedly communicated with an email address he believed was linked to a foreign intelligence agency and, days later, searched for information about countries that do not extradite to the U.S. 

The memorandum states, “Wagenius conducted online searches about how to defect to countries that do not extradite to the United States and that he previously attempted to sell hacked information to at least one foreign intelligence service.” Authorities have also uncovered thousands of stolen identification documents, including passports and driver’s licenses, on Wagenius’ devices, along with access to large amounts of cryptocurrency. 

Additionally, he researched the Russian embassy in Washington, D.C., raising further concerns about his intentions. Wagenius’ co-conspirator, Connor Moucka, a Canadian citizen, is set to face an extradition hearing in Canada on charges of stealing AT&T and Snowflake customer data. Another alleged accomplice, John Binns, an American living in Turkey, was reportedly fearful of being tracked by U.S. intelligence agencies. 

The extensive hacking operation, which prosecutors say resulted in millions of dollars in ransom payments, has prompted warnings from the FBI about potential risks to national security. The agency has cautioned that the breach could compromise communications between FBI agents and confidential sources.

DM Clinical Research Database Exposed Online, Leaking 1.6M Patient Records

 

A clinical research database containing over 1.6 million patient records was discovered publicly accessible online without encryption or password protection. Security researcher Jeremiah Fowler found the dataset, linked to DM Clinical Research, exposing sensitive information such as names, medical histories, phone numbers, email addresses, medications, and health conditions. 

The unprotected database, totaling 2TB of data, put those affected at risk of identity theft, fraud, and social engineering scams. While the database name suggests it belongs to DM Clinical Research, it remains unclear whether the firm directly managed it or if a third party was responsible. Fowler immediately sent a disclosure notice, and the database was taken offline within hours. 

However, it is unknown how long it remained exposed or whether threat actors accessed the data before its removal. Only a thorough forensic audit can determine the extent of the breach. DM Clinical Research responded to the disclosure, stating that they are reviewing the findings to ensure a swift resolution. They emphasized their commitment to data security and compliance with legal regulations, highlighting the importance of protecting sensitive patient information. 

However, this incident underscores the growing risks facing the healthcare industry, which remains a prime target for cyberattacks, including ransomware and data breaches. Healthcare data is among the most valuable for cybercriminals, as it contains detailed personal and medical information that cannot be easily changed, unlike financial data. 

In recent years, hackers have aggressively targeted medical institutions. In 2024, a cyberattack compromised the records of 190 million Americans, and UnitedHealth suffered a ransomware attack that leaked customer information onto the dark web. The exposure of sensitive medical conditions—such as psychiatric disorders, HIV status, or cancer—could lead to discrimination, scams, or blackmail. Attackers often use exposed medical data to craft convincing social engineering scams, posing as doctors, insurance companies, or medical professionals to manipulate victims. 

Fowler warns that health records, unlike financial data, remain relevant for a lifetime, making breaches particularly dangerous. Organizations handling sensitive data must take proactive measures to protect their systems. Encryption is critical to safeguarding customer information, as unprotected datasets could lead to legal consequences and financial losses. Real-time threat detection, such as endpoint security software, helps identify intrusions and suspicious activity before damage is done. 

In the event of a breach, transparency is essential to maintaining consumer trust and mitigating reputational harm. For individuals affected by data breaches, vigilance is key. Regularly monitoring financial accounts and bank statements for suspicious transactions can help detect fraudulent activity early. Social engineering attacks are also a major risk, as scammers may exploit exposed medical data to impersonate trusted professionals. 

Be cautious of unexpected emails, phone calls, or messages requesting personal information, and avoid opening attachments from unfamiliar sources. Using strong, unique passwords—especially for financial and healthcare accounts—adds an extra layer of security. 

This breach is yet another reminder of the urgent need for stronger cybersecurity measures in the healthcare sector. As cybercriminals continue to exploit vulnerabilities, both organizations and individuals must remain proactive in safeguarding sensitive data.

Italian Spyware Firm SIO Linked to Malicious Android Apps Targeting WhatsApp Users

 

SIO, an Italian spyware company known for selling surveillance tools to government agencies, has been linked to a series of malicious Android apps designed to mimic WhatsApp and other popular services while secretly stealing private data, TechCrunch has revealed. Late last year, a security researcher provided TechCrunch with three Android apps, alleging they were government spyware used in Italy. 

Upon investigation, Google and cybersecurity firm Lookout confirmed that these apps were indeed spyware. This discovery highlights the expanding landscape of government surveillance, with numerous companies employing varied methods to target individuals. Italy is already embroiled in a separate spyware scandal involving Israeli firm Paragon, whose sophisticated surveillance tool allegedly targeted journalists and NGO founders. 

In contrast, the SIO-linked spyware campaign relied on a more straightforward approach—disguising malicious Android apps as well-known communication and customer service applications. Lookout researchers identified the malware as Spyrtacus, a spyware capable of stealing text messages, chats from WhatsApp, Signal, and Facebook Messenger, recording calls, capturing ambient audio and camera images, and extracting contact information. 

Their analysis confirmed that SIO was responsible for creating and distributing Spyrtacus, with samples dating back to 2019. Some variants impersonated apps from Italian telecom providers TIM, Vodafone, and WINDTRE. Google stated that none of the infected apps were available on the Play Store, asserting that Android security measures have protected users from this malware since 2022. 

However, a 2024 Kaspersky report suggested that earlier versions of Spyrtacus were distributed via Google Play in 2018 before shifting to fake websites mimicking major Italian internet providers. Italy has a long history of government spyware development, with companies such as Hacking Team, Cy4Gate, and RCS Lab selling surveillance tools to international law enforcement agencies. Spyrtacus is the latest example of this trend, with Lookout identifying command-and-control servers registered to ASIGINT, an SIO subsidiary specializing in wiretapping software. 

SIO, the Italian government, and the Ministry of Justice have reportedly declined to comment. Lookout has also discovered references to Naples in the malware’s source code, suggesting a possible connection to developers from the region. 

Hackers Exploit ThinkPHP and ownCloud Vulnerabilities from 2022 and 2023

 

Hackers are increasingly exploiting outdated security flaws in poorly maintained systems, with vulnerabilities from 2022 and 2023 seeing a surge in attacks. According to threat intelligence platform GreyNoise, malicious actors are actively targeting CVE-2022-47945 and CVE-2023-49103, affecting the ThinkPHP Framework and the open-source ownCloud file-sharing solution. 

Both vulnerabilities are critical, allowing attackers to execute arbitrary commands or steal sensitive data, such as admin credentials and license keys. CVE-2022-47945 is a local file inclusion (LFI) flaw in ThinkPHP versions before 6.0.14. If the language pack feature is enabled, unauthenticated attackers can remotely execute operating system commands. 

Akamai reported that Chinese threat groups have exploited this flaw since late 2023, and GreyNoise recently detected 572 unique IPs actively attacking vulnerable systems. Despite having a low Exploit Prediction Scoring System (EPSS) rating of just 7% and not being listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, CVE-2022-47945 remains under heavy assault. 

The second vulnerability, CVE-2023-49103, impacts ownCloud’s file-sharing software. It stems from a third-party library that leaks PHP environment details through a public URL. After its disclosure in November 2023, hackers began exploiting the flaw to steal sensitive data. A year later, it was named one of the FBI, CISA, and NSA’s top 15 most exploited vulnerabilities. 

Even though a patch was released over two years ago, many ownCloud systems remain unpatched and exposed. GreyNoise recently observed malicious activity from 484 unique IPs targeting this vulnerability. To defend against these active threats, users are strongly advised to upgrade to ThinkPHP 6.0.14 or later and ownCloud GraphAPI 0.3.1 or newer. 

Taking vulnerable systems offline or placing them behind a firewall can significantly reduce the attack surface and prevent exploitation. As hackers continue to leverage older, unpatched vulnerabilities, staying vigilant with timely updates and robust security practices remains crucial in protecting critical systems and sensitive data.

Ransomware Tactics Evolve as Hackers Shift Focus to Data Theft

 

Ransomware groups are adapting their strategies to outsmart stronger cybersecurity defenses and increasing law enforcement pressure, according to the Huntress 2025 Cyber Threat Report. The findings reveal that attackers are moving beyond traditional encryption-based ransomware, instead focusing on data theft and extortion to bypass modern protections. 

In 2024, 75% of ransomware cases Huntress investigated involved remote access Trojans (RATs), allowing hackers to infiltrate systems discreetly. Additionally, 17.3% of incidents featured the misuse of legitimate remote management tools such as ConnectWise ScreenConnect, TeamViewer, and LogMeIn. This shift reflects a growing reliance on “living off the land” techniques, where attackers use trusted administrative tools to avoid detection. 

A significant trend noted in the report is that sophisticated tactics once reserved for targeting large enterprises are now common across businesses of all sizes. Huntress observed that cybercriminals are increasingly disabling or tampering with security software to maintain access and avoid detection, effectively closing the gap between attacks on major corporations and smaller organizations.  

Huntress’ analysis of over 3 million endpoints also revealed that nearly 24% of ransomware incidents in 2024 involved infostealer malware, while malicious scripts designed to automate attacks and evade security tools appeared in 22% of cases. Greg Linares, principal threat intelligence analyst at Huntress, states that ransomware groups must constantly evolve to survive in the competitive cybercrime landscape.

“If malware isn’t staying ahead of detection techniques, it becomes obsolete fast,” Linares explained. Another key insight from the report was the speed of modern ransomware campaigns. On average, the time from initial access to the delivery of a ransom demand — known as time-to-ransom (TTR) — was just 17 hours. Some groups, including Play, Akira, and Dharma/Crysis, were even faster, with TTRs averaging around six hours.  

Interestingly, Huntress noted a clear shift in ransomware tactics: rather than encrypting data, many attackers now opt to exfiltrate sensitive information and threaten to leak it unless a ransom is paid. This change is seen as a direct response to stronger ransomware defenses and increased law enforcement efforts, which led to the takedown of major groups like Lockbit. 

However, this shift presents new challenges for companies. While endpoint detection and ransomware protections have improved, the report points out that data loss prevention (DLP) measures remain underdeveloped. Linares noted that DLP solutions are often overlooked, especially in organizations with remote work and bring-your-own-device (BYOD) policies. These environments, he said, often lack the comprehensive monitoring and control needed to prevent data exfiltration. 

To stay ahead of these evolving threats, Huntress recommends that businesses not only strengthen their ransomware defenses but also implement more robust DLP strategies to protect sensitive data. As ransomware gangs continue to adapt, companies must be proactive in addressing both encryption and data theft risks.

Sophisticated Malware Bypasses Chrome App-Bound Encryption Using Dual Injection

 

Researchers at Cyble have identified a highly advanced malware attack that successfully bypasses Google Chrome’s App-Bound Encryption. This security feature was designed to prevent infostealer malware from accessing user data, particularly cookies. 

However, the newly discovered malware employs dual injection techniques to circumvent these defenses, allowing cybercriminals to extract sensitive credentials. The attack begins with a deceptive file distribution method. The malware is embedded within a ZIP file disguised as a PDF document. 

When opened, it executes a malicious LNK shortcut file that creates a scheduled task, running every 15 minutes. Another component of the attack is an XML project file, which is designed to appear as a PNG image, further tricking users into engaging with the malicious content.  

To execute its payload, the malware exploits MSBuild.exe, a legitimate Microsoft development tool. This enables it to run directly in system memory without creating detectable files on the disk, making it much harder for traditional security solutions to identify and stop the attack. The use of fileless execution techniques ensures that the malware operates stealthily while maintaining persistence on an infected system. 

A key aspect of this attack is its dual injection approach. The malware employs both Process Injection and Reflective DLL Injection to execute malicious code within legitimate system processes. This method allows it to blend in with normal activity while avoiding detection. By targeting Chrome’s security framework, the malware can extract encrypted login data, cookies, and other sensitive browser-stored information. 

The malware also leverages the Telegram Web API for command and control communications. This connection enables threat actors to issue remote commands, modify bot configurations, and control infected systems with minimal interference. The dynamic bot ID switching feature adds an additional layer of stealth, ensuring continued access even if parts of the attack infrastructure are disrupted. Cyble researchers noted that the malware appears to be specifically targeting organizations in Vietnam, particularly those in the telemarketing and sales industries.

However, the method it uses could be adapted for broader campaigns, posing a risk to businesses and individuals globally. The initial infection method remains unclear, but it likely involves phishing emails or malicious downloads.  

To mitigate the risk of such attacks, Cyble recommends implementing strict email attachment filtering, restricting the execution of unverified files, and enhancing user awareness about phishing threats. 

Organizations should also deploy advanced security solutions capable of detecting fileless malware attacks. The research highlights the evolving nature of cyber threats and the need for proactive cybersecurity measures to safeguard sensitive data.
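One way to hunt for the execution chain described above (a scheduled task firing every 15 minutes, MSBuild.exe handed an XML project disguised as a PNG) is to run simple heuristics over process-creation and task-registration telemetry. The block below is an added example, not Cyble's code: the event shape and field names are an assumption modelled loosely on Sysmon-style records, the svchost.exe parent heuristic is an assumption about how Task Scheduler launches actions, and every event is a constructed sample.

```python
"""Heuristic detection for the fileless MSBuild chain: a frequently repeating
scheduled task that runs MSBuild.exe on a "project" file hiding behind an
image/document extension. Event schema and all samples are constructed."""
import ntpath
import re
import shlex

# Extensions MSBuild is legitimately handed as a project argument.
PROJECT_EXTS = {".proj", ".csproj", ".vbproj", ".fsproj", ".vcxproj",
                ".sln", ".targets", ".props"}
# A "project" carrying one of these extensions is the disguise described
# in the report (an XML project file posing as a PNG image).
DECOY_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt", ".log"}
SHORT_INTERVAL_MINUTES = 30   # repetition this frequent deserves a look


def is_msbuild(path):
    return ntpath.basename(path).lower() == "msbuild.exe"


def duration_minutes(iso):
    """Parse the ISO 8601 durations Task Scheduler uses (PT15M, PT1H, P1D)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso)
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def check_process(ev):
    """Flag MSBuild.exe launched on a non-project (especially decoy) file."""
    findings = []
    if not is_msbuild(ev.get("image", "")):
        return findings
    # posix=False keeps Windows backslashes literal; quotes are stripped below.
    for arg in shlex.split(ev.get("cmdline", ""), posix=False)[1:]:
        arg = arg.strip('"')
        if arg.startswith(("/", "-")):      # MSBuild switch, not a file
            continue
        ext = ntpath.splitext(arg)[1].lower()
        if ext in DECOY_EXTS:
            findings.append(f"MSBuild run on decoy file {arg}")
        elif ext and ext not in PROJECT_EXTS:
            findings.append(f"MSBuild run on unusual file {arg}")
    if ntpath.basename(ev.get("parent", "")).lower() == "svchost.exe":
        # Assumption: Task Scheduler actions show the service host as parent,
        # so a build tool started this way outside CI is suspicious on its own.
        findings.append("MSBuild started from svchost.exe (scheduled task?)")
    return findings


def check_task(ev):
    """Flag scheduled tasks that repeat frequently and run MSBuild."""
    mins = duration_minutes(ev.get("interval", ""))
    if is_msbuild(ev.get("action", "")) and mins is not None \
            and mins <= SHORT_INTERVAL_MINUTES:
        return [f"task {ev.get('name')} runs MSBuild every {mins:g} min"]
    return []


def scan(events):
    out = []
    for ev in events:
        if ev.get("type") == "process_create":
            out.extend(check_process(ev))
        elif ev.get("type") == "task_register":
            out.extend(check_task(ev))
    return out


MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
# Constructed sample telemetry: a benign CI build, the disguised project run
# from a 15-minute task, and a benign nightly build task.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": MSBUILD,
     "parent": r"C:\Program Files\Jenkins\jenkins.exe",
     "cmdline": r'MSBuild.exe "C:\build\app.csproj" /t:Build /p:Configuration=Release'},
    {"type": "task_register", "name": "UpdateCheck", "interval": "PT15M",
     "action": MSBUILD, "arguments": r"C:\Users\victim\AppData\Roaming\invoice.png"},
    {"type": "process_create", "image": MSBUILD,
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"MSBuild.exe C:\Users\victim\AppData\Roaming\invoice.png"},
    {"type": "task_register", "name": "NightlyBuild", "interval": "P1D",
     "action": MSBUILD, "arguments": r"C:\build\app.csproj"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):   # expect three alerts
        print("ALERT:", finding)
```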

Massive Mobile Malware Campaign Targets Indian Banks, Steals Financial Data

 

Zimperium's zLabs research team has uncovered a significant mobile malware campaign that targets Indian banks. First reported on February 5, 2025, this threat was orchestrated by a threat actor called FatBoyPanel. Nearly 900 malware samples are used in the campaign, which is distributed via WhatsApp and uses malicious apps that impersonate banking or government apps to steal private and sensitive financial data from unsuspecting users.  

Once installed, the malicious apps steal the users' data, such as credit and debit card information, ATM PINs, Aadhaar card details, PAN card numbers, and mobile banking information. Additionally, the malware uses sophisticated stealth techniques to conceal itself and avoid detection or removal, and it intercepts SMS messages that contain OTPs. 

By using the reputation and legitimacy of Indian banks and government agencies to trick users into thinking the apps are authentic, this cyberattack is a clear illustration of how threat actors have advanced to a new level. These cybercriminals are deceiving users into downloading malicious apps intended to drain accounts and compromise sensitive data by posing as trustworthy organizations. 

Upon closer examination, the malware can be divided into three variants: hybrid, Firebase exfiltration, and SMS forwarding. Each variant uses a different exfiltration technique to steal confidential information. By employing live phone numbers to intercept and reroute SMS messages in real time, these banking Trojans go beyond standard attacks. By hiding its icon, the malware makes itself even more difficult to remove. 

According to a Zimperium report, more than 1,000 malicious applications were created with the intention of stealing banking credentials. An estimated 50,000 victims were impacted by the campaign, which revealed 2.5GB of financial and personal data kept in 222 unprotected Firebase buckets. Attackers have been able to trick users into divulging extremely sensitive information by using phony government and banking apps that are distributed via WhatsApp. 

This breach has serious repercussions, including the possibility of identity theft, financial loss, and privacy violations for impacted users. Zimperium has shared the gathered data with the authorities to assist them in locating the cybercriminals behind FatBoyPanel. To protect themselves, users should use security software to identify and eliminate malware, update their devices frequently, and refrain from downloading apps from unidentified sources. 

On Thursday, Feb. 20, Zimperium, the global leader in mobile security, will release new research highlighting the evolving landscape of mobile phishing attacks.

As organizations increasingly rely on mobile devices for business operations including BYOD, multi-factor authentication, cloud applications, and mobile-first workflows, mobile phishing is becoming one of the most severe threats to enterprise security. Adversaries are exploiting security gaps in mobile and cloud-based business applications, expanding the attack surface and increasing exposure to credential theft and data compromise.

Zimperium’s latest research provides a data-driven look at how attackers are evolving their tactics to evade detection and why businesses must rethink their security strategies to stay ahead. 

Key findings from the report include:

  • Mishing surge: Activity peaked in August 2024, with over 1,000 daily attack records.
  • Smishing (SMS/text-based phishing) attacks dominate globally, with 37% in India, 16% in the U.S., and 9% in Brazil.
  • Quishing (QR code phishing) is gaining traction, with notable activity in Japan (17%), the U.S. (15%), and India (11%).
  • Stealthy phishing techniques: 3% of phishing sites use device-specific detection to display harmless content on desktops while delivering malicious phishing payloads exclusively to mobile users.

Zimperium’s research emphasizes that traditional anti-phishing solutions designed for desktops are proving inadequate against this shift, making mobile threat defense a critical necessity for organizations worldwide.

The FatBoyPanel campaign underscores the increasing sophistication of cyber threats and the need for greater vigilance in an increasingly digital world. Keeping up with online security best practices is crucial to reducing risks and protecting financial and personal information as cybercriminals improve their tactics.

Amazon Faces Lawsuit Over Alleged Secret Collection and Sale of User Location Data

 

A new class action lawsuit accuses Amazon of secretly gathering and monetizing location data from millions of California residents without their consent. The legal complaint, filed in a U.S. District Court, alleges that Amazon used its Amazon Ads software development kit (SDK) to extract sensitive geolocation information from mobile apps. 

According to the lawsuit, plaintiff Felix Kolotinsky of San Mateo claims Amazon embedded its SDK into numerous mobile applications, allowing the company to collect precise, timestamped location details. Users were reportedly unaware that their movements were being tracked and stored. Kolotinsky states that his own data was accessed through the widely used “Speedtest by Ookla” app. The lawsuit contends that Amazon’s data collection practices could reveal personal details such as users’ home addresses, workplaces, shopping habits, and frequented locations. 

It also raises concerns that this data might expose sensitive aspects of users’ lives, including religious practices, medical visits, and sexual orientation. Furthermore, the complaint alleges that Amazon leveraged this information to build detailed consumer profiles for targeted advertising, violating California’s privacy and computer access laws. This case is part of a broader legal pushback against tech companies and data brokers accused of misusing location tracking technologies. 

In a similar instance, the state of Texas recently filed a lawsuit against Allstate, alleging the insurance company monitored drivers’ locations via mobile SDKs and sold the data to other insurers. Another legal challenge in 2024 targeted Twilio, claiming its SDK unlawfully harvested private user data. Amazon has faced multiple privacy-related controversies in recent years. In 2020, it terminated several employees for leaking customer data, including email addresses and phone numbers, to third parties. 

More recently, in June 2023, Amazon agreed to a $31 million settlement over privacy violations tied to its Alexa voice assistant and Ring doorbell products. That lawsuit accused the company of storing children’s voice recordings indefinitely and using them to refine its artificial intelligence, breaching federal child privacy laws. 

Amazon has not yet issued a response to the latest allegations. The lawsuit, Kolotinsky v. Amazon.com Inc., seeks compensation for affected California residents and calls for an end to the company’s alleged unauthorized data collection practices.

New 'Browser Syncjacking' Attack Exploits Chrome Extensions for Full Device Takeover

 

SquareX researchers have detailed a new attack technique, 'Browser Syncjacking,' which allows threat actors to hijack Google profiles, compromise browsers, and eventually gain full control over a victim's device—all through a seemingly harmless Chrome extension.

This stealthy multi-stage attack requires minimal permissions and almost no user interaction beyond installing a malicious Chrome extension. The attack unfolds in several stages:

1. Fake Google Workspace Setup – Attackers create a fraudulent Google Workspace domain with pre-configured user profiles where security features like multi-factor authentication are disabled.

2. Publishing a Malicious Extension – A Chrome extension, disguised as a useful tool, is uploaded to the Chrome Web Store.

3. Social Engineering Trap – Victims are tricked into installing the extension, which then secretly logs them into an attacker's managed Google Workspace profile via a hidden browser session.

4. Sync Activation – The extension opens a legitimate Google support page and injects content instructing users to enable Chrome Sync. Once activated, attackers gain access to stored credentials, browsing history, and other sensitive data.

5. Full Browser Takeover – Using deceptive tactics, such as a fake Zoom update prompt, the extension delivers an executable file containing an enrollment token. This grants attackers full control over the browser.

"Once enrolled, the attacker gains full control over the victim's browser, allowing them to silently access all web apps, install additional malicious extensions, redirect users to phishing sites, monitor/modify file downloads, and many more," explain SquareX researchers.

By leveraging Chrome's Native Messaging API, attackers establish a direct communication channel between the malicious extension and the victim's operating system. This enables them to:
  • Browse directories
  • Modify files
  • Install malware
  • Execute commands
  • Capture keystrokes
  • Extract sensitive data
  • Activate the webcam and microphone

The Browser Syncjacking attack is difficult to detect. Unlike traditional extension-based threats that require extensive social engineering, this method operates with minimal user interaction.

"Unless the victim is extremely security paranoid and is technically savvy enough to constantly navigate the Chrome settings to look for managed browser labels, there is no real visual indication that a browser has been hijacked," the report warns.

Recent incidents, including hijacks of legitimate Chrome extensions, have demonstrated that browser extensions pose significant cybersecurity risks.

BleepingComputer has reached out to Google for comments on this new attack and will provide updates as soon as a response is received.

ENGlobal Corporation Hit by Ransomware Attack: Sensitive Data Exposed

 

ENGlobal Corporation, a prominent contractor in the energy sector, has disclosed that a ransomware attack in November 2024 led to the exposure of sensitive personal data. The incident, which occurred on November 25, forced the company to take certain systems offline as a containment measure, limiting access to only critical business processes.

Details of the Attack and Response

In early December, ENGlobal reported the incident to the U.S. Securities and Exchange Commission (SEC), stating that some data on its systems had been encrypted during the attack. However, at the time, the company did not confirm whether any data had been stolen. In a subsequent regulatory filing, ENGlobal revealed that the attackers had indeed accessed sensitive personal information stored on its systems, though it did not provide specific details about the nature or scope of the breach. 

“The cybersecurity incident involved the threat actor’s access to a portion of the company’s IT system that contained sensitive personal information. The company intends to provide notifications to affected and potentially affected parties and applicable regulatory agencies as required by federal and state law,” ENGlobal stated.

ENGlobal assured stakeholders that the threat actor had been removed from its network and that all systems had been fully restored. The company also confirmed that its business operations and functions have resumed as usual. However, the attack significantly disrupted the company’s operations for approximately six weeks, limiting access to critical business applications, including financial and operating reporting systems.

Despite the disruption, ENGlobal stated that the incident is not expected to have a material impact on its financial position or operational results. The company emphasized its commitment to notifying affected individuals and regulatory agencies in compliance with federal and state laws.

The Growing Threat of Ransomware and Mitigation Strategies

The ENGlobal incident highlights the escalating threat of ransomware attacks, particularly against critical infrastructure and energy sector companies. Ransomware attacks not only disrupt operations but also expose sensitive data, putting individuals and organizations at risk of identity theft, financial fraud, and other cybercrimes.

To mitigate such risks, cybersecurity experts recommend the following measures:

  1. Regular Backups: Maintain frequent and secure backups of critical data to ensure quick recovery in case of an attack.
  2. Employee Training: Educate employees on recognizing phishing attempts and other common attack vectors.
  3. Multi-Factor Authentication (MFA): Implement MFA to add an extra layer of security to accounts and systems.
  4. Incident Response Plan: Develop and regularly update an incident response plan to ensure a swift and effective response to cyberattacks.
  5. Network Segmentation: Divide networks into smaller segments to limit the spread of ransomware in case of a breach.

As of now, no known ransomware group has claimed responsibility for the attack, and ENGlobal has not disclosed any information about the threat actor behind the incident. This lack of attribution is not uncommon in ransomware cases, as attackers often operate anonymously to avoid legal repercussions.

The ransomware attack on ENGlobal Corporation serves as a stark reminder of the vulnerabilities faced by organizations in the energy sector and beyond. While the company has managed to restore its systems and resume operations, the incident underscores the importance of robust cybersecurity measures and proactive threat mitigation strategies. As ransomware attacks continue to evolve, organizations must remain vigilant and prepared to defend against increasingly sophisticated threats.

Hackers Exploit Ivanti VPN Flaw to Install New Malware

 



A newly discovered vulnerability in Ivanti Connect Secure VPN systems, tracked as CVE-2025-0282, has been actively exploited by hackers to deploy custom malware. This critical security flaw affects older versions of Ivanti’s VPN appliances, including Connect Secure, Policy Secure, and Neurons for ZTA gateways. Despite the wide impact, Ivanti has clarified that the attacks are currently limited to a small number of users.

The flaw is a stack-based buffer overflow that can be triggered with specially crafted requests to breach systems. Mandiant, a leading cybersecurity firm, reported that the breaches began in December 2024. Using this flaw, hackers accessed the compromised devices, disabled important security settings, and installed malicious software.

New Malware Families Identified

During the investigation, two new malware families, Dryhook and Phasejam, were discovered on infected systems. There is no established connection between these malware families and any known hacking groups. In addition, the hackers utilized a toolkit named Spawn, which is also used by suspected Chinese espionage groups. 

Dryhook: This malware captures login credentials, such as usernames and passwords, during the authentication process.

Phasejam: A dropper that installs malicious web shells, allowing hackers to execute commands remotely.  

How the Attack Works  

The attack process involves several steps:  

1. Identifying Targets: Hackers scan devices using specialized HTTP requests to identify vulnerable systems.  

2. Exploitation: They exploit the CVE-2025-0282 flaw to bypass security.

3. Malware Deployment: They disable protections, modify system files, and install tools such as backdoors and tunneling utilities once inside.  

4. Data Theft: They steal sensitive information, including session details and credentials. This data is often archived and staged for transfer via public servers.  

5. Maintaining Access: Hackers alter upgrade processes, making their changes persist even after system updates.

When the vulnerability was discovered, more than 3,600 Ivanti VPN devices were exposed online. Although the number decreased to around 2,800 after the software patch, most systems are still exposed to this threat.

What Can Be Done? 

To defend against this threat, Ivanti advises doing the following:

  • Update Software: Install the latest version of Ivanti Connect Secure, version 22.7R2.5 or newer.
  • Factory Reset: Perform a factory reset before upgrading, which wipes any malware from the device.  
  • Monitor for Signs of Attack: Use Mandiant's shared IoCs and detection rules to identify malicious activity.  
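The advisories on this page all come down to a version floor (ThinkPHP 6.0.14 and ownCloud GraphAPI 0.3.1 earlier in the page, Ivanti Connect Secure 22.7R2.5 here), and Ivanti's "22.7R2.5" scheme does not sort correctly as a plain string. The block below is an added example, not vendor tooling: it assumes Ivanti versions can be compared as the integer runs major, minor, release, patch, ignores any pre-release suffix, and uses a constructed inventory.

```python
"""Patch-floor audit for the versions named in the advisories above.
Added example; the inventory is constructed and the Ivanti version
interpretation (22.7R2.5 -> major 22, minor 7, release 2, patch 5) is an
assumption about that scheme."""
import re

# Minimum fixed versions as stated on the page.
MINIMUM_VERSIONS = {
    "thinkphp": "6.0.14",                 # CVE-2022-47945
    "owncloud-graphapi": "0.3.1",         # CVE-2023-49103
    "ivanti-connect-secure": "22.7R2.5",  # CVE-2025-0282
}


def parse_version(text):
    """Reduce a version string to a tuple of its integer runs so that
    '6.0.14' -> (6, 0, 14) and '22.7R2.5' -> (22, 7, 2, 5).
    Tuples compare element-wise, so 22.7R2 < 22.7R2.5 and 6.0.9 < 6.0.14.
    Caveat: pre-release suffixes such as '-beta' are ignored."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(n) for n in nums)


def is_patched(product, version):
    """True when the installed version meets the page's floor for product."""
    return parse_version(version) >= parse_version(MINIMUM_VERSIONS[product])


def audit(inventory):
    """Return (host, product, version, required) for every unpatched entry."""
    return [(host, product, version, MINIMUM_VERSIONS[product])
            for host, product, version in inventory
            if not is_patched(product, version)]


# Constructed inventory: hostnames and versions are placeholders, not real assets.
SAMPLE_INVENTORY = [
    ("web-01", "thinkphp", "6.0.12"),
    ("web-02", "thinkphp", "6.0.14"),
    ("files-01", "owncloud-graphapi", "0.2.0"),
    ("files-02", "owncloud-graphapi", "0.3.1"),
    ("vpn-01", "ivanti-connect-secure", "22.7R2.3"),
    ("vpn-02", "ivanti-connect-secure", "22.7R2.5"),
    ("vpn-03", "ivanti-connect-secure", "22.7R2"),
]

if __name__ == "__main__":
    for host, product, version, required in audit(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed version {required}")
```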

Why it Matters

This incident makes it essential for organizations to pay close attention to their cybersecurity. Attackers have become highly sophisticated, stealing the most sensitive data from widely used systems such as VPNs. Businesses need to stay alert, keep their systems updated, and revise their security policies regularly to curb these threats.




ICAO Investigates Potential Data Breach Amid Cybersecurity Concerns

 

The International Civil Aviation Organization (ICAO), a United Nations agency tasked with creating global aviation standards, has disclosed an investigation into a potential cybersecurity incident. Established in 1944, ICAO works with 193 member states to develop and implement aviation-related technical guidelines. The agency announced its inquiry on Monday, following reports of unauthorized access linked to a well-known cybercriminal group targeting international organizations.  

In its statement, ICAO confirmed it is examining allegations of a security breach and has already implemented precautionary measures to address the issue. While the organization did not provide specific details, it assured the public that a comprehensive investigation is underway. Additional updates will be shared once the preliminary analysis is complete. The investigation coincides with claims by a hacker using the alias “natohub,” who posted on BreachForums, a well-known hacking forum, alleging they had accessed and leaked ICAO’s data. 

According to the claims, the leak comprises 42,000 documents containing sensitive personal information, including names, dates of birth, addresses, phone numbers, email addresses, and employment records. Another source suggested the leaked archive is approximately 2GB and contains data linked to 57,240 unique email accounts. ICAO has not verified the authenticity of these claims but has emphasized the seriousness with which it is handling the situation. 

This development follows a pattern of cyberattacks on United Nations agencies in recent years. In April 2024, the United Nations Development Programme (UNDP) launched an investigation into a ransomware attack reportedly orchestrated by the 8Base group. Similarly, in January 2021, the United Nations Environment Programme (UNEP) experienced a breach that exposed over 100,000 records containing personally identifiable information. Earlier, in July 2019, UN networks in Vienna and Geneva suffered a significant breach through a SharePoint exploit. 

That attack compromised sensitive data, including staff records, health insurance details, and commercial contracts. A senior UN official later described the incident as a “major meltdown.” These recurring incidents highlight the increasing vulnerability of global organizations to cyber threats. Despite their critical roles in international operations, such institutions remain frequent targets for cybercriminals. 

This underscores the urgent need for robust cybersecurity measures to protect sensitive data from exploitation. As ICAO continues its investigation, it serves as a reminder of the evolving threats facing international organizations in a rapidly digitizing world. Enhanced vigilance and collaboration are essential to safeguarding global systems against future cyberattacks.

Fortinet Researchers Discover Two Malicious Python Packages

 

New research published earlier this week by Fortinet Inc.'s FortiGuard Labs warns of two newly found malicious Python packages that pose a major threat of credential theft, data exfiltration, and unauthorised system access.

The first package, Zebo-0.1.0, was found to exhibit sophisticated malware behaviour, including obfuscation tactics that hide its functionality and make it difficult for security tools to flag it as malicious. The malware supports keylogging, screen capture, and the exfiltration of critical data to remote servers, posing a serious threat to user privacy and system integrity.

Zebo-0.1.0 makes use of libraries like pynput for keylogging and ImageGrab to take screenshots. This enables the malware to record every keystroke and regularly capture screenshots of the user's desktop, possibly exposing passwords, bank information, and other sensitive data. The malware stores the data locally before sending it to a Firebase database via obfuscated HTTP calls, allowing attackers to retrieve the stolen information undetected.

The malware also has a persistence technique to ensure that it is re-executed each time the infected system boots up. It accomplishes this by creating scripts and batch files in the Windows Startup directory. These allow it to remain on the system without the user's knowledge, making it difficult to delete and enabling long-term data theft.

The second package, Cometlogger-0.1, includes a variety of malicious functionalities that target system credentials and user data. The malware dynamically injects webhooks into code during execution, allowing it to relay sensitive data, such as passwords and tokens, to remote attacker-controlled servers. 

Cometlogger-0.1 was also discovered to have features meant to evade discovery and disrupt analysis. One function, anti-virtual machine detection, looks for traces of sandbox environments, which are frequently employed by security researchers, and if it finds VM indicators, the malware stops running, allowing it to evade analysis and go unnoticed in live environments.

Though both packages have been flagged as dangerous, FortiGuard Labs experts state that Cometlogger-0.1 takes things a step further by stealing a wide range of user data, including session cookies, saved passwords, and browsing history. It can also target data from services like Discord, X, and Steam, potentially leading to account hijacking and impersonation.

“The script (Cometlogger-0.1) exhibits several hallmarks of malicious intent, including dynamic file manipulation, webhook injection, steal information, ANTI-VM,” the researchers explained. “While some features could be part of a legitimate tool, the lack of transparency and suspicious functionality make it unsafe to execute.” 

The researchers believe that the most effective strategy to avoid infection is to always examine third-party scripts and executables before launching them. Organisations should also set up firewalls and intrusion detection systems to detect strange network activity, and personnel should be trained to recognise phishing attempts and avoid running unverified scripts.
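The advice above, examining third-party scripts before running them, can be partly automated: a static pass over a package's source for the behaviours FortiGuard describes (pynput keylogging, ImageGrab screenshots, Firebase exfiltration, Startup-folder persistence, webhook URLs, anti-VM checks, base64-wrapped exec). The block below is an added example, not FortiGuard's tooling; the indicator lists are assumptions rather than a published signature set, and the two sample modules are constructed stand-ins with no working malicious functionality.

```python
"""AST-based triage of a Python module for the behaviours described above.
Added example; indicator lists are assumptions and the sample modules are
constructed. Strings built at runtime (the obfuscation the report mentions)
will not match, so an empty result is not a clean bill of health."""
import ast
from collections import defaultdict

SUSPICIOUS_IMPORTS = {            # module prefix -> behaviour
    "pynput": "keylogging capability",
    "PIL.ImageGrab": "screen capture capability",
    "pyautogui": "screen capture capability",
}
STRING_INDICATORS = [             # (lower-case substring, behaviour)
    ("firebaseio.com", "Firebase exfiltration endpoint"),
    ("/webhooks/", "webhook exfiltration URL"),
    ("start menu\\programs\\startup", "Startup-folder persistence"),
    ("vmware", "anti-VM check"),
    ("virtualbox", "anti-VM check"),
    ("vbox", "anti-VM check"),
]
CALL_INDICATORS = {               # (object or None, attribute) -> behaviour
    ("exec", None): "dynamic code execution",
    ("eval", None): "dynamic code execution",
    ("base64", "b64decode"): "encoded payload / obfuscation",
}


def scan_source(source):
    """Return {behaviour: [line numbers]} for one module's source text."""
    hits = defaultdict(list)
    for node in ast.walk(ast.parse(source)):
        names = []
        if isinstance(node, ast.Import):
            names = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [f"{node.module}.{a.name}" for a in node.names]
        for name in names:
            for prefix, meaning in SUSPICIOUS_IMPORTS.items():
                if name == prefix or name.startswith(prefix + "."):
                    hits[meaning].append(node.lineno)
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value.lower()
            for needle, meaning in STRING_INDICATORS:
                if needle in text:
                    hits[meaning].append(node.lineno)
        if isinstance(node, ast.Call):
            func, key = node.func, None
            if isinstance(func, ast.Name):
                key = (func.id, None)
            elif isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
                key = (func.value.id, func.attr)
            if key in CALL_INDICATORS:
                hits[CALL_INDICATORS[key]].append(node.lineno)
    return dict(hits)


def verdict(hits):
    """Three or more distinct behaviours: block; any: review; none: allow."""
    n = len(hits)
    return "block" if n >= 3 else "review" if n else "allow"


# Constructed stand-in mirroring the structure FortiGuard describes; the
# base64 payload decodes to print('hi') and nothing here actually logs keys.
SAMPLE_MODULE = r'''
import os, base64, platform
from pynput import keyboard
from PIL import ImageGrab

DB = "https://example-project.firebaseio.com/logs.json"  # constructed placeholder
STARTUP = os.path.join(os.getenv("APPDATA", ""),
                       r"Microsoft\Windows\Start Menu\Programs\Startup")

def main():
    if "vmware" in platform.platform().lower():
        return
    exec(base64.b64decode("cHJpbnQoJ2hpJyk=").decode())
'''

BENIGN_MODULE = '''
import json
import requests

def fetch(url):
    return json.loads(requests.get(url, timeout=5).text)
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_MODULE), ("benign", BENIGN_MODULE)):
        found = scan_source(src)
        print(label, verdict(found), sorted(found))
```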