Cyber Digests

just real cyber news

Latest Cyber News

Curated cybersecurity intelligence • Updated continuously

A hacking group targeted an international nursery chain, stealing sensitive data on thousands of children and posting it on the darknet. The criminals demanded a ransom and contacted parents directly with threats to pressure the school into paying. Following intense public backlash and alleged threats from other cybercriminals, the group abruptly removed the stolen information. They have since taken all the data offline and issued an apology for the attack. This incident serves as a stark reminder for organizations to secure sensitive data and for individuals to remain vigilant against phishing attempts following a breach.

Latest mentioned: 10-02
Earliest mentioned: 09-26

A major beverage company has suffered a significant cyberattack, leading to a widespread system failure and production halt. The incident crippled its logistics network, forcing the suspension of orders, shipments, and operations at dozens of its factories. This disruption has raised concerns about potential shortages of its top-selling beer and has delayed new product launches. While the company has not detected any leak of customer data, it is investigating the attack, which is suspected to be ransomware. There is currently no timeline for the full restoration of services, though international operations remain unaffected.

Latest mentioned: 10-02
Earliest mentioned: 09-29

A cybercrime group known as the Crimson Collective has claimed responsibility for breaching Red Hat's private GitHub repositories. The group alleges it stole 570GB of data, including 28,000 internal projects and hundreds of sensitive Customer Engagement Reports (CERs). These CERs contain detailed infrastructure information and configurations for major clients across banking, telecom, and government sectors. Red Hat has confirmed a security incident related to its consulting business but has not verified the full extent of the attackers' claims. The company stated the breach does not impact its products or software supply chain, though the attackers claim to have accessed some client infrastructure.

Latest mentioned: 10-02
Earliest mentioned: 10-02

A new phishing campaign is using ZIP archives disguised as sensitive documents like passports and payment files to deliver malware. Inside the archives are malicious Windows shortcut (.lnk) files that, when clicked, execute a hidden PowerShell script. This script downloads a malicious DLL, cleverly mislabeled as a presentation file, from a remote server. The attack employs a "living-off-the-land" technique by using the legitimate Windows tool `rundll32.exe` to run the malware, helping it evade detection. The malware also checks for common antivirus programs to deploy a stealthier variant if needed before establishing a command-and-control connection.

Latest mentioned: 10-02
Earliest mentioned: 10-01

Two new Android spyware campaigns, dubbed ProSpy and ToSpy, are targeting users by impersonating popular messaging apps. Attackers distribute malicious APKs through fake websites that mimic official app stores and plugin pages for Signal and ToTok. Once installed, the spyware steals sensitive data including contacts, SMS messages, files, and chat backups. The malware uses stealth techniques, such as hiding its icon and launching the legitimate app, to avoid detection. These campaigns, which appear to be regionally focused, use multiple methods to maintain persistence on infected devices.

Latest mentioned: 10-02
Earliest mentioned: 10-02

A cybercrime group is targeting vulnerable Internet Information Services (IIS) servers for SEO fraud and data theft. The group, tracked as UAT-8099, uses custom BadIIS malware, web shells, and Cobalt Strike to gain and maintain access. They manipulate search engine results to redirect users to malicious sites and also steal high-value credentials and certificates. The campaign affects organizations like universities and tech companies across multiple regions. Researchers have identified new variants of the BadIIS malware with low detection rates and specific language debug strings.

Latest mentioned: 10-02
Earliest mentioned: 09-30

Splunk has addressed six security vulnerabilities affecting its Enterprise and Cloud Platform products. The flaws range from medium to high severity and include cross-site scripting (XSS), improper access control, and denial-of-service risks. The most critical vulnerability is an unauthenticated blind server-side request forgery (SSRF) flaw that could allow an attacker to perform API calls on behalf of a high-privileged user. These vulnerabilities could be exploited to compromise system integrity or access unauthorized data. Splunk has released patches, and customers are strongly urged to upgrade their deployments to mitigate these threats.

Latest mentioned: 10-02
Earliest mentioned: 10-02

A widespread extortion campaign is targeting executives at companies that use Oracle E-Business Suite. Attackers are sending high-volume emails from compromised accounts, claiming to have stolen sensitive data from the organizations' systems. While the data theft claims have not yet been verified, security researchers have linked the campaign's tactics and contact information to the notorious Clop extortion group. The group is known for exploiting vulnerabilities to steal data and then demanding ransom payments. Organizations receiving these threatening emails are advised to investigate their Oracle environments for any signs of unauthorized access.

Latest mentioned: 10-02
Earliest mentioned: 10-02

A critical authentication bypass vulnerability has been found in the official Termix Docker image. The flaw allows unauthenticated attackers to access an internal API endpoint and retrieve sensitive SSH credentials, including host addresses, usernames, and passwords. This issue is caused by a misconfiguration in the Nginx reverse proxy, which makes the application treat all incoming requests as local. Attackers can easily exploit this by sending a simple GET request to the vulnerable endpoint on any exposed Termix instance. Users are urged to upgrade to the patched version immediately and rotate any potentially exposed SSH credentials.

Latest mentioned: 10-02
Earliest mentioned: 10-02

Two major companies have disclosed data breaches affecting over two million individuals. An insurance company confirmed that a security incident involving a third-party system exposed the personal information of nearly 1.5 million customers, including Social Security numbers. Separately, a software provider for vehicle dealers suffered a ransomware attack that compromised the sensitive data of over 766,000 people. The attackers stole names, addresses, and driver's license numbers before encrypting the company's servers. These incidents highlight ongoing threats to sensitive customer data held by large enterprises and their partners.

Latest mentioned: 10-02
Earliest mentioned: 10-01