
Telegram Blocks Black Mirror Hacker Group and Data Leak Channels

Telegram has stepped up its efforts to curb the spread of sensitive information by blocking several channels accused of leaking private data, with the high-profile Black Mirror hacker group being among the most prominent targets. The platform accused Black Mirror of engaging in activities such as “doxxing and extortion,” according to Novaya Europe. Known for publishing the private correspondence and documents of Russian government officials and influential businessmen, the group often attempted to monetize its activities by offering archives of stolen material to interested buyers. Telegram has gone further by deleting content associated with Black Mirror that had been shared by users in private conversations or added to their favourites, indicating a broad effort to erase the group’s digital footprint. 

The move follows a statement from Telegram’s founder, Pavel Durov, who recently revealed that he had received hundreds of reports about scams, blackmail, and extortion schemes running on the platform. Based on this feedback, he confirmed that numerous channels would be banned for similar violations by the end of the week. According to Durov, Telegram had collected clear evidence that some administrators published damaging content only to later remove it in exchange for money. Others were accused of selling “protection blocks,” where victims were forced to pay to avoid further targeting. Such practices, he noted, amounted to clear violations of Telegram’s rules and could not be tolerated. 

The crackdown comes at a time when Telegram is facing growing suspicion over its relationship with Russian authorities. Reports indicate that the platform deleted more than 373,000 posts and channels in April 2025 alone at the request of Roskomnadzor, Russia’s state censorship body. In late June, at least 10 channels dedicated to open-source investigations, all with “OSINT” in their names, were also blocked. These actions have sparked concerns among journalists, researchers, and independent outlets who rely on Telegram as a primary communication tool to reach Russian audiences, especially since traditional media channels have come under stricter state control following the invasion of Ukraine. 

Adding to user frustration, disruptions have been reported across the service in recent days. Some users complained of difficulties making voice calls through Telegram, which coincided with reports that Russian mobile operators may block calls made via foreign-owned messaging platforms. Analysts suggest this could be part of a broader push by Russian security agencies to limit access to external communication services. For many independent voices in Russia, Telegram has remained one of the few accessible outlets to distribute information freely. With mounting restrictions and targeted bans on influential channels, the future of open dialogue on the platform now appears increasingly uncertain.

Chinese Hacker Group Salt Typhoon Breaches U.S. National Guard Network for Nine Months

An elite Chinese cyber-espionage group known as Salt Typhoon infiltrated a U.S. state’s Army National Guard network for nearly nine months, according to a classified Pentagon report revealed in a June Department of Homeland Security (DHS) memo. The memo, obtained by the nonprofit Property of the People through a freedom of information request, indicates the hackers had deep access between March and December 2024, raising alarms about compromised military or law enforcement data. 

Salt Typhoon has previously been linked to some of the most expansive cyber-intrusions into American infrastructure. This latest revelation suggests their reach was even broader than earlier believed. Authorities are still investigating the full extent of data accessed, including sensitive internal documents, personal information of service members, and network architecture diagrams. The affected state’s identity remains undisclosed. 

The Department of Defense declined to comment on the matter, while a spokesperson from the National Guard Bureau confirmed the breach but assured that the incident did not hinder any ongoing state or federal missions. Investigations are ongoing to determine the scope and potential long-term impact of the breach. 

China’s embassy in Washington did not directly deny the allegations but claimed the U.S. had not provided concrete evidence linking Salt Typhoon to the Chinese government. They reiterated that cyberattacks are a global threat and that China also faces similar risks. 

Salt Typhoon is particularly notorious for its ability to infiltrate and pivot across different networks. In a prior campaign, the group was linked to breaches at major telecom companies, including AT&T and Verizon, where hackers allegedly monitored text messages and calls tied to U.S. political figures, including the Trump and Harris campaigns and Senate Majority Leader Chuck Schumer’s office.

The hybrid structure of the National Guard — functioning under both federal and state authority — may have provided a wider attack surface. According to the DHS memo, the group may have obtained intelligence that could be used to compromise other states’ National Guard units and their local cybersecurity partners. Fourteen state National Guard units reportedly share intelligence with local fusion centers, potentially magnifying the risk. 

In January 2025, the U.S. Treasury Department sanctioned a company in Sichuan believed to be facilitating Salt Typhoon operations for China’s Ministry of State Security. Past incidents have shown that Salt Typhoon can maintain access for years, making complete removal and defense particularly challenging.

M&S Faces £300M Loss After Cyberattack Involving DragonForce and Scattered Spider

Marks & Spencer has resumed its online services after a serious cyberattack earlier this year that disrupted its operations and is expected to slash profits by £300 million. The British retail giant’s digital operations were hit hard, and recent developments suggest the breach may have been orchestrated by multiple hacker groups. 

A hacking group known as DragonForce is now linked to the incident. According to reports by the BBC, the group sent an email to M&S CEO Stuart Machin shortly after the attack, boasting about their success and demanding ransom. The message, written in aggressive and alarming language, implied the group had encrypted the retailer’s servers. DragonForce, which has rebranded itself as a “Ransomware Cartel,” operates by offering malware tools to affiliates in exchange for a percentage of ransom earnings. 

Originally emerging in 2023, the group has become increasingly active on major dark web forums in recent months. While some cybersecurity experts believe the group is based in Malaysia, others speculate ties to Russia. They have also been linked to a similar attack on the Co-op. Meanwhile, another group, Scattered Spider, had earlier been suspected of executing the attack. Known for its advanced social engineering techniques, the group is composed primarily of young hackers from the US and UK. They have previously impersonated IT personnel and used SIM swapping tactics to breach organizations. 

In 2023, they gained notoriety after cyberattacks on major US casino operators like Caesars Entertainment and MGM Resorts, resulting in multi-million-dollar ransoms. The M&S cyberattack, disclosed on April 22, disrupted online orders and even stopped contactless payments in physical stores. As a result, hundreds of agency workers were temporarily relieved from duty. The company confirmed that customer data—including names, email addresses, addresses, and birth dates—was compromised during the breach. The cause, according to Machin, was human error by a third-party service provider. 

In response to the growing threat, the UK’s National Cyber Security Centre (NCSC) issued industry-wide guidance. Law enforcement agencies, including the National Crime Agency (NCA), are actively investigating the case and considering whether the incidents involving these hacker groups are interconnected. The financial impact has been significant. M&S’s market value dropped by £650 million in the days following the attack. Despite these setbacks, the company has now reopened its standard delivery service in England, Scotland, and Wales, with additional services like click-and-collect and international orders expected to follow soon. 

In a recent statement, M&S emphasized its commitment to restoring customer trust and maintaining high service standards. The company said, “Our stores have remained operational, and we’re now focused on delivering the quality and service our customers expect as we recover from this disruption.”

Japan’s New Active Cyber Defence Strategy to Counter Growing Threats

Japan is taking decisive steps to enhance its cybersecurity through a new strategy of “active cyber defence.” This approach enables authorized hackers working for the police or Self-Defence Forces (SDF) to infiltrate servers and neutralize cyber-attack sources before they cause significant damage. The ruling Liberal Democratic Party (LDP), led by Prime Minister Shigeru Ishiba, plans to introduce relevant legislation during the current parliamentary session. The urgency for stronger cybersecurity measures has escalated due to recent attacks. 

The National Police Agency (NPA) revealed that the Chinese state-linked hacking group MirrorFace was responsible for over 200 cyberattacks targeting Japan’s foreign ministries and semiconductor industry between 2019 and 2024. Additionally, cyber incursions since late December 2024 disrupted financial services, delayed flights, and exposed vulnerabilities in Japan’s critical infrastructure. Japan’s revised 2022 National Security Strategy identifies cyberattacks as a growing threat, likening cross-border hacks of civilian infrastructure to intimidation tactics that stop short of war. 

This has prompted Japan to expand its SDF cyber unit from 620 members in March 2024 to about 2,400 today, with plans to reach 4,000 personnel by 2028. However, this remains small compared to China’s estimated 30,000-member cyber-attack force. The proposed active defence strategy aims to bolster cooperation between public and private sectors, focusing on safeguarding critical infrastructure, such as energy, transportation, finance, and telecommunications. Japan also plans to establish a National Cyber Security Office in 2025 to coordinate cybersecurity policy, identify vulnerabilities, and advise private sector organizations. 

To prevent misuse, strict safeguards will accompany the strategy. Hackers will need prior approval to break into servers unless immediate action is required during active attacks. Penalties will address excessive monitoring or personal data leaks, ensuring transparency and public trust. Trend Micro’s recent findings underscore the importance of these measures. The security firm attributed recent cyberattacks to distributed denial-of-service (DDoS) campaigns launched by botnets. These attacks overwhelmed network servers with data, causing widespread disruptions to services like Japan Airlines and major banks. 

While Japan’s proactive approach is a significant step forward, experts like Professor Kazuto Suzuki caution that it may not deter all attackers. He notes that cyber deterrence is challenging due to the unpredictability of attackers’ methods. However, this strategy is expected to instill some fear of retaliation among hackers and strengthen Japan’s cybersecurity posture. As cyber threats evolve, Japan’s active defence initiative represents a critical effort to protect its infrastructure, economy, and national security from escalating digital risks.

Hackers Warn of Further Attacks on KADOKAWA, Claim Ongoing Access to Servers

KADOKAWA is on high alert for potential cyberattacks from the Russian hacker group Black Suit after failed negotiations aimed at resolving a previous major cyber incident. Black Suit, known for its ransomware operations, has warned of further attacks following KADOKAWA's refusal to pay an $8 million ransom (around 1.1 billion yen).

In a recent update to Kyodo News, the hackers disclosed that discussions with the company had broken down.

“We demanded $8 million, but KADOKAWA did not comply,” Black Suit stated, cautioning that the company “will face the same problem repeatedly” as they still have access to KADOKAWA’s systems.

Cybersecurity specialist Katsuji Okamoto from Trend Micro commented on the matter, stressing the severity of the threat.

“Even if this is a bluff, KADOKAWA must reassess its systems and prepare for the worst. Black Suit is notorious for their persistence and thorough execution of attacks, typically carrying them out from start to finish independently.”

KADOKAWA, however, has chosen not to disclose specific details about the incident, citing an active police investigation.

“This is a matter under police investigation, and we cannot comment,” a company spokesperson said.

The company initially reported the cyberattack in early June, noting disruptions across multiple websites and services. Since then, KADOKAWA has provided regular updates on its progress in system restoration and investigation efforts.

On June 27, 2024, Black Suit reportedly revealed the full scale of the breach, claiming they had stolen 1.5 terabytes of sensitive data, including business plans, user information, contracts, and financial records.

The group alleged they exploited vulnerabilities within KADOKAWA’s network infrastructure, gaining access to a “control center” that enabled them to encrypt the entire network, impacting subsidiaries like Dwango and NicoNico.

They threatened to release the stolen data if the ransom was not paid by July 1, 2024.

As of August 5, KADOKAWA confirmed a data leak affecting 254,241 individuals, following an investigation by third-party experts.

New EDR Bypass Tool Advertised by FIN7 Hacking Group

SentinelOne researchers warn that the financially motivated group FIN7 is using various pseudonyms to promote a security evasion tool on several criminal underground forums. FIN7 created a tool called AvNeutralizer (also known as AuKill) that can disable endpoint security products. The researchers discovered that the tool was employed by multiple ransomware operations, including AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit.

The researchers identified a new version of AvNeutralizer that uses a novel way to interfere with and bypass security mechanisms, exploiting the Windows driver ProcLaunchMon.sys. 

“New evidence shows FIN7 is using multiple pseudonyms to mask the group’s true identity and sustain its criminal operations in the underground market,” the researchers explained. “FIN7’s campaigns demonstrate the group’s adoption of automated SQL injection attacks for exploiting public-facing applications.”

Last year in November, SentinelOne reported a potential link between FIN7 and the use of EDR evasion tools in ransomware attacks involving the Black Basta group. 

The cybersecurity firm's analysis revealed that the "AvNeutralizer" tool (also known as AuKill) targeted several endpoint security solutions and was utilised exclusively by one group for six months. This supported the hypothesis that the FIN7 group and the Black Basta gang had a close relationship.

Starting in January 2023, the experts detected the deployment of upgraded versions of AvNeutralizer by multiple ransomware gangs, implying that the programme was made available to multiple threat actors through underground forums. The researchers discovered numerous adverts on underground forums encouraging the sale of AvNeutralizer.

On May 19, 2022, a user named "goodsoft" advertised an AV killing tool for $4,000 on the exploit[.]in forum. Later, on June 14th, 2022, a person named "lefroggy" placed a similar ad on the xss[.]is forum for $15,000. A week later, on June 21st, a user known as "killerAV" advertised the tool on the RAMP forum for $8,000. 

SentinelOne researchers focused on the tool's novel technique for disabling endpoint security solutions. The unpacked AvNeutralizer payload employs ten distinct methods to tamper with security products. While several of these have been reported before, such as stripping PPL protection using the RTCore64.sys driver and the Restart Manager API, a recently discovered technique abuses a capability of a built-in Windows driver that had not previously been seen used in the wild.

“Our investigation into FIN7’s activities highlights its adaptability, persistence and ongoing evolution as a threat group. In its campaigns, FIN7 has adopted automated attack methods, targeting public-facing servers through automated SQL injection attacks,” the researchers concluded. “Additionally, its development and commercialization of specialized tools like AvNeutralizer within criminal underground forums significantly enhance the group’s impact.”

Breach Forums Plans Dark Web Return Despite FBI Crackdown

Breach Forums, the infamous cybercrime and hacker forum, is set to return to the dark web under a new Onion address, Hackread reported. While the exact timing for the revival of its clearnet domain is unknown, the forum's administrators are trying to bring it back this week.

ShinyHunters, a hacker and Breach Forums administrator, confirmed the latest developments to a local media outlet. According to the hacker, the new Onion domain for Breach Forums is being prepared for a comeback, which is scheduled for the following week.

"The onion is ready, it's not public yet, but it will probably be launched this week." When asked about the status of the clearnet domain, the hacker just stated that "the clearnet will come back," without providing a specific timeline. 

Notably, on May 15th, 2024, the FBI seized Breach Forums V2, apparently after apprehending two admins, one known by the moniker Baphomet. ShinyHunters told Hackread.com that they believe Baphomet may have handed over backend credentials to the FBI, resulting in the complete seizure of the forum's escrow service as well as its dark web and clearnet domains.

However, recent developments have taken an unexpected turn, with ShinyHunters' announcement last week that they had regained access to the seized clearnet domain for Breach Forums from the FBI using an unspecified technique.

Interestingly, neither the FBI nor the Department of Justice has issued a statement on the seizure or any of the linked events. While the FBI has acknowledged the seizure and asked victims of data breaches on Breach Forums to come forward and fill out a form to help with further investigations, official statements from authorities are still pending.

With ShinyHunters' revelation that they had regained access to the confiscated clearnet domain, the story continues to develop, leaving many questions regarding the forum's future and the role of law enforcement authorities. What is clear is that Breach Forums is undergoing a major transition. From its confiscation by the FBI to its probable resurrection under a new Onion domain, the saga illustrates the volatile and strange world of cybercrime.

Seoul Police Reveals: North Korean Hackers Stole South Korean Anti-Aircraft Data


South Korea: Seoul police have charged Andariel, a North Korea-based hacker group, with stealing critical defense secrets from South Korea’s defense companies. The laundered ransom payments were allegedly redirected to North Korea. Among the 1.2 terabytes of data the hackers took was information on sophisticated anti-aircraft weaponry.

According to the Seoul Metropolitan Police Agency, the hacker group utilized servers that they had rented from a domestic server rental company to hack into dozens of South Korean organizations, including defense companies. Also, the ransomware campaign acquired ransoms from a number of private sector victim firms. 

Earlier this year, the law enforcement agency and the FBI jointly conducted an investigation to determine the scope of Andariel's hacking operations. This was prompted by reports from certain South Korean corporations regarding security problems that were believed to be the result of "a decline in corporate trust." 

Andariel Hacker Group 

In an investigation regarding the origin of Andariel, it was found that it is a subgroup of the Lazarus Group. The group has stolen up to 1.2 terabytes of data from South Korean enterprises and demanded 470 million won ($357,000) in Bitcoin as ransom from three domestic and international organizations.  

According to a study conducted by Mandiant, it was revealed that Andariel is operated by the North Korean intelligence organization Reconnaissance General Bureau, which gathers intelligence for the regime's advantage by mainly targeting international enterprises, governmental organizations, defense companies, and financial services infrastructure. 

Apparently, the ransomware group is also involved in cybercrime activities to raise funds for conducting its operation, using specially designed tools like the Maui ransomware and DTrack malware to target global businesses. In February, South Korea imposed sanctions on Andariel and other hacking groups operating in North Korea for engaging in illicit cyber operations to fund the dictatorial regime's nuclear and missile development projects.  

The threat actor has used a number of domestic and foreign crypto exchanges, such as Bithumb and Binance, to launder the acquired ransom. So far, a sum of 630,000 yuan ($89,000) has been transferred to China's K Bank in Liaoning Province. The hackers then redirected the laundered money from the K Bank branch to a location close to the North Korea-China border.

Seoul police noted that they have seized the domestic servers and the virtual asset exchange accounts used by Andariel to conduct their campaigns. The owner of the account used to transfer the ransom has also been detained.

"The Security Investigation Support Department of the Seoul Metropolitan Police Agency is actively conducting joint investigations with related agencies such as the U.S. FBI regarding the overseas attacks, victims and people involved in this incident, while continuing to investigate additional cases of damage and the possibility of similar hacking attempts," the agency said.

The police have warned businesses about the threat actor and advised them to strengthen their cybersecurity and update security software to the latest versions. Organizations have also been advised to encrypt any critical data in order to mitigate future attacks.

Moreover, police are planning to investigate server rental companies to verify their subscribers’ identities and to ensure that the servers have not been used in any cybercrime activity.