Dissent@DataBreaches.Net
//
Pearson, the global education and publishing giant, has confirmed it suffered a cyberattack resulting in the theft of corporate data and customer information. The breach was discovered by BleepingComputer, who reported that the attackers gained unauthorized access to Pearson's systems. Pearson, a UK-based company, is a major player in academic publishing, digital learning tools, and standardized assessments, serving schools, universities, and individuals across over 70 countries.
Pearson stated that after discovering the unauthorized access, they acted to stop the breach, investigate the incident, and ascertain what data was affected with forensics experts. They also supported law enforcements investigation. Furthermore, Pearson said they've taken steps to deploy additional security measures onto their systems, including enhanced security monitoring and authentication. BleepingComputer was tipped off that someone used an exposed GitLab Personal Access token to compromise Pearson’s development environment in January 2025. The token was found in a public .git/config file, with the attackers using this access to find even more login credentials, hardcoded in the source code, which they then used to infiltrate the company’s network and steal corporate and customer information. The company downplayed the significance of the breach, suggesting the stolen data was largely outdated, referring to it as "legacy data." Pearson has not disclosed the number of individuals affected, nor the specific types of information exposed. There was no employee information among the stolen files, it was confirmed. Recommended read:
References :
Dissent@DataBreaches.Net
//
Hackers claiming affiliation with Anonymous have targeted GlobalX Airlines, an airline reportedly used by the Trump administration for deportations to El Salvador. The hacktivists defaced the airline's website, leaving a message aimed at former President Trump. They also claimed to have stolen sensitive data, including flight records and passenger manifests, potentially exposing details about deportees. The attackers asserted that they were acting because GlobalX was ignoring lawful orders against what they called "fascist plans."
The leaked data, as reported by 404 Media, provides granular insight into who was deported on GlobalX flights, when, and to where. The breached information includes flight logs, passenger lists, and itinerary details spanning from January to May 2025. Concerns have been raised about the potential impact on individuals deported, especially those whose whereabouts were previously unknown, with at least one case showing the hacked data held more accurate records than official government lists. The hack exposed vulnerabilities in GlobalX's cybersecurity, as the hackers claim to have accessed the company's AWS cloud infrastructure and GitHub account through a developer token. They also claimed to have sent messages to pilots through a flight operations tool. As of this report, neither GlobalX nor the U.S. immigration authorities have issued an official response to the security breach. Recommended read:
References :
Mayura Kathir@gbhackers.com
//
Scattered Spider, a sophisticated hacking collective known for its social engineering tactics, has allegedly breached Marks & Spencer by targeting the company's IT help desk. The cybercriminals reportedly duped an IT help desk employee into resetting a password, which then granted them access to internal networks. This breach is said to have disrupted M&S's online operations, leading to the temporary suspension of online orders, as reported between April and May 2025. Scattered Spider, also known as UNC3944, Octo Tempest, and Muddled Libra, has become prominent for using social engineering to exploit corporate service desks.
This attack on Marks & Spencer is part of a broader trend impacting UK retailers. The National Cyber Security Centre (NCSC) has issued warnings to organizations, urging them to be wary of phony IT helpdesk calls. Other retailers such as Co-op and Harrods have also been linked to attacks resulting in stolen member data and crippled payment systems. Any organization with a service desk is theoretically vulnerable to these low-tech, high-impact tactics employed by Scattered Spider and similar groups. Scattered Spider is believed to be composed of young US and UK citizens who are part of a collective known as "The Comm," an underground community of English-speaking criminals that communicates and coordinates using social media platforms like Discord or Telegram. While five users associated with Scattered Spider, including the alleged leader, were detained in the first half of 2024, the complete composition of the group remains undetermined. After a period of relative silence following these arrests, Scattered Spider has resurfaced with this latest string of attacks on UK retail brands, prompting renewed cybersecurity concerns. Recommended read:
References :
Jacob Santos@feeds.trendmicro.com
//
The Agenda ransomware group, also known as Qilin, has enhanced its attack capabilities by incorporating SmokeLoader and NETXLOADER into its campaigns. Trend Micro researchers discovered this shift, highlighting the group's ongoing evolution and increased sophistication. The group is actively targeting organizations across multiple sectors, including healthcare, technology, financial services, and telecommunications. These attacks are spanning across various geographical regions, with a primary focus on the US, the Netherlands, Brazil, India, and the Philippines, demonstrating a broad and aggressive targeting strategy.
The newly identified NETXLOADER plays a crucial role in these attacks by stealthily deploying malicious payloads, including the Agenda ransomware and SmokeLoader. NETXLOADER is a .NET-based loader protected by .NET Reactor 6, making it difficult to analyze. Its complexity is enhanced by the utilization of JIT hooking techniques, obfuscated method names, and AES-decrypted GZip payloads to evade detection, indicating a significant leap in malware delivery methods. SmokeLoader further contributes to the group's arsenal with its own set of evasion tactics, including virtualization/sandbox detection and process injection, which complicates attribution and defense efforts. Qilin has emerged as a dominant ransomware group, leading in data leak disclosures in April 2025. This surge in activity is partly attributed to the group gaining affiliates from the RansomHub uncertainty. Cyble reported that Qilin claimed responsibility for 74 attacks in April, surpassing other groups in ransomware activity. The incorporation of NETXLOADER and SmokeLoader, coupled with their stealthy delivery methods, further solidifies Qilin's position as a formidable threat in the current ransomware landscape, posing a significant risk to organizations worldwide. Recommended read:
References :
Dissent@DataBreaches.Net
//
The LockBit ransomware group, a major player in the Ransomware-as-a-Service (RaaS) sector, has suffered a significant data breach. On May 7, 2025, the group's dark web affiliate panels were defaced, revealing a link to a MySQL database dump containing sensitive operational information. This exposed data includes Bitcoin addresses, private communications with victim organizations, user credentials, and other details related to LockBit's illicit activities. The defacement message, "Don't do crime CRIME IS BAD xoxo from Prague," accompanied the data leak, suggesting a possible motive of disrupting or discrediting the ransomware operation.
The exposed data from LockBit's affiliate panel is extensive, including nearly 60,000 unique Bitcoin wallet addresses and over 4,400 victim negotiation messages spanning from December 2024 through April 2025. Security researchers have confirmed the authenticity of the leaked data, highlighting the severity of the breach. The LockBit operator, known as "LockBitSupp," acknowledged the breach but claimed that no private keys were compromised. Despite previous setbacks, such as the "Operation Cronos" law enforcement action in February 2024, LockBit had managed to rebuild its operations, making this recent breach a significant blow to their infrastructure. Analysis of the leaked information has uncovered a list of 20 critical Common Vulnerabilities and Exposures (CVEs) frequently exploited by LockBit in their attacks. These vulnerabilities span multiple vendors and technologies, including Citrix, PaperCut, Microsoft, VMware, Apache, F5 Networks, SonicWall, Fortinet, Ivanti, Fortra, and Potix. Additionally, the leaked negotiations revealed LockBit’s preference for Monero (XMR) cryptocurrency, offering discounts to victims who paid ransoms using this privacy-focused digital currency. Ransom demands typically ranged from $4,000 to $150,000, depending on the scale of the attack. Recommended read:
References :
Dissent@DataBreaches.Net
//
In December 2024, PowerSchool, a major provider of K-12 software serving 60 million students across North America, experienced a significant data breach. Hackers gained access to sensitive student and teacher data, including personally identifiable information such as Social Security numbers and health data, through a single stolen credential. The company, believing it was the best course of action, paid an undisclosed ransom to the threat actor to prevent the data from being made public, however this has proven to be unsuccessful.
Months later, it has been revealed that the threat actors are now directly targeting individual school districts with extortion demands, using the stolen data from the initial breach. The Toronto District School Board (TDSB), along with other schools in North America, has confirmed receiving ransom demands from the attackers. The exposed information includes names, contact details, birth dates, Social Security numbers, and even some medical alert data. PowerSchool has confirmed that these extortion attempts are related to the original breach and is working with law enforcement. Cybersecurity experts have warned against paying ransoms, as there is no guarantee that hackers will delete the stolen data. This case exemplifies the risk of paying extortion demands, as the threat actors have resurfaced to revictimize affected individuals and institutions with additional demands. PowerSchool is offering two years of free identity protection to affected individuals, however there will be pressure for them to improve its security and reassure stakeholders that it can prevent similar incidents in the future. Recommended read:
References :
@cyble.com
//
Recent cyberattacks have targeted major UK retailers, prompting a call for increased vigilance and stronger defenses from the National Cyber Security Centre (NCSC). High-profile organizations such as Harrods, Marks & Spencer (M&S), and Co-op have been affected, causing significant operational disruptions. These attacks have led to restricted internet access, pauses in online order processing, and in some instances, potential data extraction, highlighting the severity and broad impact of these cyber incidents on the retail sector.
The NCSC has issued an urgent warning to UK firms, emphasizing the escalating risk of ransomware attacks, particularly within the retail industry. The agency anticipates a potential increase in similar attacks in the coming days. In response, the NCSC has released a comprehensive set of guidelines designed to assist businesses in bolstering their defenses against these threats and minimizing potential financial losses. This includes reviewing password reset policies, being cautious of senior employees with escalated priviledges such as Domain Admin, Enterprise Admin and Cloud Admin accounts. The NCSC's guidelines emphasize proactive measures such as isolating and containing threats quickly by severing internet connectivity to prevent malware spread and ensuring backup servers remain unaffected. It also highlights leveraging backup systems for recovery and implementing multi-factor authentication (MFA) across the board. The NCSC advises businesses to constantly be on the look out for ‘risky logins’ within Microsoft Entra ID Protection, where sign-in attempts are flagged as potentially compromised due to suspicious activity or unusual behaviour. Furthermore, the agency urges organizations to assess their cyber resilience and adopt best practices for both prevention and recovery to mitigate future attacks. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
The Hive0117 group, linked to DarkWatchman, is reportedly targeting Russian critical infrastructure in a broad cyber campaign. According to F6 Threat Intelligence, the group is conducting a large-scale phishing campaign aimed at Russian companies across various industries, including media, tourism, finance, insurance, manufacturing, retail, energy, telecommunications, transport, and biotechnology. The attacks, which have been ongoing since February 2022, involve mass mailings disguised as legitimate organizations, using registered infrastructure for managing domains and often reusing domains.
The malicious emails contain password-protected archives which, when opened, trigger a chain reaction leading to system infection by a modified version of the DarkWatchman VPO. This variant is designed to operate stealthily and evade detection by traditional security tools. Analysis reveals that the domains used in these attacks share registration data with domains previously used by the group in 2023, indicating a persistent and evolving threat. The DarkWatchman malware itself is a JavaScript-based remote access trojan capable of keylogging, collecting system information, and deploying secondary payloads. The financially motivated Hive0117 group has previously targeted users in Lithuania, Estonia, and Russia in sectors like telecom, electronics, and industry. Past campaigns have also used courier delivery-themed lures to target Russian banks, retailers, telecom operators, agro-industrial enterprises, fuel and energy companies, logistics businesses, and IT firms. The DarkWatchman malware's fileless nature, use of JavaScript and a C#-based keylogger, and ability to remove traces of its existence highlight its sophisticated capabilities, posing a significant risk to targeted organizations. Recommended read:
References :
Lawrence Abrams@BleepingComputer
//
Ryan Kramer, a 25-year-old from California, has pleaded guilty to two criminal charges related to a significant data breach at Disney. Kramer, operating under the alias "NullBulge," admitted to illegally accessing Disney's internal Slack channels and stealing over 1.1 terabytes of confidential data. The stolen data included internal communications, sensitive information, images, source code, and credentials. The breach led Disney to switch from Slack to Microsoft Teams following the incident, which impacted over 10,000 Slack channels.
He distributed a malicious program, disguised as an AI-powered image generation tool, on platforms like GitHub. This program contained a backdoor that allowed him to access the computers of those who downloaded and executed it. According to prosecutors, a Disney employee fell victim to this poisoned project between April and May of 2024, inadvertently granting Kramer access to their network and online credentials. This initial breach then allowed Kramer to move laterally within Disney's systems, compromising various platforms and confidential data storage areas. Armed with the stolen data, Kramer, falsely claiming affiliation with the Russian hacking group NullBulge, attempted to extort the victim. When the victim did not respond, Kramer proceeded to release their personal information, including bank, medical, and other sensitive details, across multiple platforms. While Kramer awaits sentencing, he faces a maximum of five years in federal prison for each felony count of accessing a computer to obtain information and threatening to damage a protected computer. The FBI is also investigating the extent to which data from at least two other victims who downloaded Kramer's malicious GitHub project may have been compromised. Recommended read:
References :
@cyble.com
//
UK retailers have been targeted by a series of cyberattacks, prompting a national alert from the National Cyber Security Centre (NCSC). These attacks involved ransomware tactics and social engineering, leading to system disruptions and data breaches at several high-profile retail chains. The NCSC has issued a wake-up call to organizations, urging them to bolster their cybersecurity posture amid the growing threats. Attackers have also been impersonating IT helpdesks, tricking employees into handing over login credentials and security codes to gain access to company systems.
Marks & Spencer, Co-op, and Harrods have all been targeted recently, with DragonForce, an infamous ransomware group, claiming responsibility for the disruptions. The initial breach occurred at M&S, followed by an attempted hack at Harrods just days after the Co-op breach. Co-op revealed that its recent breach was more serious than initially reported, with a significant amount of data from current and former customers stolen. Attackers stole names and contact information in the Co-op breach but did not access passwords, payment data, or transaction histories. M&S has suspended online orders and is working to restore affected systems. Mandiant has linked the DragonForce ransomware attacks on UK retailers to UNC3944 tactics, highlighting links to RansomHub. UNC3944, also known as Scattered Spider, is a financially motivated threat actor known for its persistent use of social engineering and bold interactions with victims. DragonForce operates under a ransomware-as-a-service (RaaS) model, where affiliates carry out the attacks, keeping most of the ransom, while the group provides the tools and hosts leak sites. The NCSC warns organizations to remain vigilant, with DragonForce hinting at more attacks in the near future. Recommended read:
References :
@cyble.com
//
Following a series of cyberattacks targeting major UK retailers including Marks & Spencer, Co-op, and Harrods, the National Cyber Security Centre (NCSC) has issued an urgent alert, urging organizations to bolster their defenses. The attacks, which involved ransomware and data theft, have caused significant operational disruptions and data breaches, highlighting the increasing risk faced by the retail sector. The NCSC anticipates that similar attacks are likely to escalate and emphasizes that preparation is key to ensuring business continuity and minimizing financial losses.
The NCSC advises businesses to take immediate and proactive measures to mitigate risks. A key recommendation is to isolate and contain threats quickly by severing internet connectivity immediately to prevent malware from spreading further across networks. It's equally important to ensure that backup servers remain isolated and unaffected by the attack, so they can be used for disaster recovery. The security agency is also calling on firms to review their password reset policies, and in particular how IT help desks authenticate workers when they make a reset request, especially in the case of senior employees with escalated privileges. To enhance cyber resilience, the NCSC stresses the importance of implementing multi-factor authentication (MFA) across the board. The agency also warns organizations to be constantly on the lookout for ‘risky logins’ within Microsoft Entra ID Protection, where sign-in attempts are flagged as potentially compromised due to suspicious activity or unusual behaviour. The Information Commissioner's Office (ICO) has similar advice warning organizations to make sure that accounts are protected by a strong password, and that passwords aren't being reused across multiple accounts. While attacks against UK retailers have rocked the industry in recent weeks, the NCSC's guidance aims to help businesses avoid falling victim to similar incidents. Recommended read:
References :
securebulletin.com@Secure Bulletin
//
Attackers are increasingly turning to trusted services like Gmail and Google APIs to create stealthy command-and-control (C2) channels. This tactic allows them to mask malicious activities within legitimate network traffic, making detection and mitigation significantly harder. By leveraging platforms like Gmail and Google Drive, threat actors can embed their communications within encrypted channels provided by reputable services, bypassing many traditional security measures. These communications are encrypted by Gmail’s TLS, further complicating detection efforts.
A recent investigation by Socket's Threat Research Team uncovered a campaign using malicious Python packages to establish covert tunnels via Gmail’s SMTP protocol, enabling attackers to exfiltrate data and execute remote commands undetected. Seven malicious PyPI packages, operating under the "Coffin Codes" theme, were found abusing Gmail's SMTP servers and WebSockets for data exfiltration and remote command execution. These packages, once installed, establish an encrypted connection to Gmail’s SMTP server using hardcoded credentials, sending signals and critical information to attacker-controlled email addresses. The identified packages include Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave, and cfc-bsb. While the packages have been removed from PyPI, one of them was downloaded over 18,000 times before removal. The most advanced variants of the packages also establish outbound WebSocket connections, enabling attackers to issue commands, transfer files, and potentially gain deeper access into the victim's network. This highlights the ongoing risks posed by supply chain attacks and the exploitation of trusted cloud services. Recommended read:
References :
@industrialcyber.co
//
Nova Scotia Power and its parent company, Emera Inc., are actively responding to a cybersecurity incident that has impacted their Canadian IT network. The companies detected unauthorized access to parts of their network and servers which support certain business applications. Immediately upon discovering the intrusion, both companies activated their incident response and business continuity protocols. Top-tier third-party cybersecurity experts have been engaged to assist in isolating the affected systems and preventing any further unauthorized access.
Law enforcement agencies have been notified and an investigation is currently underway. Despite the breach, Emera and Nova Scotia Power stated that there has been no disruption to any of their Canadian physical operations. This includes Nova Scotia Power's generation, transmission, and distribution facilities, as well as the Maritime Link and the Brunswick Pipeline. The incident has not affected the utility's ability to safely and reliably serve its customers in Nova Scotia, nor has it impacted Emera's utilities in the U.S. or the Caribbean. The IT team is working diligently with cybersecurity experts to restore the affected portions of the IT system back online. Nova Scotia Power customers can find the latest updates online. Emera is scheduled to publish its first quarter financial statements and management disclosure on May 8, 2025, as planned. Currently, the incident is not expected to have a material impact on the financial performance of the business. Recommended read:
References :
Swagath Bandhakavi@Tech Monitor
//
France has officially accused the APT28 hacking group, linked to Russia's military intelligence service (GRU), of orchestrating a series of cyberattacks against French institutions over the past four years. The French foreign ministry condemned these actions "in the strongest possible terms," highlighting the targeting or breaching of a dozen French entities. The attacks have affected a range of organizations, including public services, private companies, and even a sports organization involved in preparations for the 2024 Olympic Games which was hosted in France.
France views these cyber operations as "unacceptable and unworthy" of a permanent member of the UN Security Council, asserting that Russia has violated international norms of responsible behavior in cyberspace. The ministry emphasized that such destabilizing activities undermine the integrity of international relations and security. This public attribution of the attacks to the GRU signifies a firm stance against Russia's malicious cyber activities and a commitment to defending French interests in the digital realm. France, alongside its partners, is determined to anticipate, deter, and respond to Russia’s malicious cyber behavior, employing all available means. The French foreign ministry's statement also referenced past incidents, including the 2015 sabotage of TV5Monde and attempts to disrupt the 2017 presidential election, underscoring a pattern of APT28's disruptive activities targeting French interests. The French national agency for information systems security (ANSSI) has released a report on the threat linked to APT28 in order to prevent future attacks. Recommended read:
References :
|