CyberSecurity news

FlagThis - #datatheft

Kaspersky@Securelist //
References: Securelist , Catalin Cimpanu
The Librarian Ghouls APT group, also known as Rare Werewolf, is actively targeting Russian entities, with additional victims reported in Belarus and Kazakhstan. According to a recent report by Kaspersky, this sophisticated threat actor employs a range of techniques to compromise systems, including the use of RAR archives and BAT scripts. The group leverages legitimate software and multiple communication channels such as email, Facebook, and Telegram to deliver malicious payloads, often operating during night hours to minimize detection. The APT has been consistently targeting Russian companies, with attacks continuing almost unabated since 2024; a slight decline in December was followed by a new wave of attacks.

The primary initial infection vector for Librarian Ghouls involves targeted phishing emails containing password-protected archives with executable files inside. These malicious emails are typically disguised as messages from legitimate organizations, containing attachments that appear to be official documents or payment orders. Once the victim opens the archive and extracts the files, the infection process begins. The group's objective is to establish remote access to compromised hosts, steal credentials, and deploy the XMRig cryptocurrency miner.

Rare Werewolf stands out for its preference for legitimate third-party software over developing its own malicious binaries. For example, in some attacks, a legitimate tool called 4t Tray Minimizer is used. The malicious functionality is implemented through command files and PowerShell scripts. A salient aspect of their tactics is launching a PowerShell script that wakes up the victim system at 1 a.m. local time and allows the attackers remote access to it for a four-hour window via AnyDesk, before shutting down the machine at 5 a.m.
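The night-time pattern described above (a PowerShell launch at 1 a.m., an AnyDesk session, a shutdown at 5 a.m.) lends itself to a simple hunt over process-creation telemetry. The Python below is an added example, not code from the Kaspersky report or from this digest: it parses a constructed, simplified log of Windows Security event 4688 ("A new process has been created") records and flags any host where a remote-access tool started inside a quiet window, scoring the finding higher when a PowerShell launch preceded it and a shutdown followed the same night. The log line format, the 00:00-06:00 window, the host names and the file paths are assumptions made for the example.

```python
"""Hunt for off-hours remote-access sessions in process-creation logs.

Added example for this digest; not part of the Securelist report. The log
format below is an assumed, simplified shape:
    <ISO timestamp> <host> <event_id> <image path>
Event ID 4688 is the Windows Security event for process creation.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log: one workstation shows the reported 01:00 wake-up,
# AnyDesk start and pre-05:00 shutdown; the other lines are daytime noise.
SAMPLE_LOG = """\
2025-01-14T09:12:03 WKS-01 4688 C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
2025-01-14T13:40:11 WKS-01 4688 C:\\Users\\jdoe\\Downloads\\AnyDesk.exe
2025-01-15T01:00:07 WKS-01 4688 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2025-01-15T01:00:09 WKS-01 4688 C:\\Users\\jdoe\\AppData\\Local\\AnyDesk.exe
2025-01-15T04:58:31 WKS-01 4688 C:\\Windows\\System32\\shutdown.exe
2025-01-15T08:03:55 WKS-02 4688 C:\\Users\\asmith\\AppData\\Local\\AnyDesk.exe
"""

# Images worth correlating when they appear at night (lower-cased basenames).
WATCHED_IMAGES = {
    "anydesk.exe": "remote-access tool",
    "powershell.exe": "script host",
    "shutdown.exe": "shutdown",
}

# Assumed quiet window; it covers the 01:00-05:00 activity the report describes.
OFF_HOURS = (time(0, 0), time(6, 0))


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int
    image: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed four-field log format; the image path may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, image = line.split(" ", 3)
        events.append(Event(datetime.fromisoformat(ts), host, int(eid), image))
    return events


def is_off_hours(ts: datetime, window=OFF_HOURS) -> bool:
    start, end = window
    return start <= ts.time() < end


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_night_sessions(events: list[Event], window=OFF_HOURS) -> list[dict]:
    """Group watched off-hours process starts per host and calendar night.

    A finding is raised only when a remote-access tool started in the window;
    the score rises by one for a preceding script host and one for a shutdown,
    so the full wake / remote-access / shutdown chain scores 3.
    """
    by_host_night: dict[tuple[str, object], list[tuple[datetime, str]]] = {}
    for ev in events:
        if ev.event_id != 4688 or not is_off_hours(ev.ts, window):
            continue
        name = basename(ev.image)
        if name in WATCHED_IMAGES:
            by_host_night.setdefault((ev.host, ev.ts.date()), []).append((ev.ts, name))

    findings = []
    for (host, day), items in sorted(by_host_night.items()):
        names = [name for _, name in sorted(items)]
        if "anydesk.exe" not in names:
            continue  # off-hours PowerShell alone is too common to alert on
        score = 1 + ("powershell.exe" in names) + ("shutdown.exe" in names)
        findings.append({"host": host, "date": day.isoformat(), "images": names, "score": score})
    return findings


if __name__ == "__main__":
    for finding in find_night_sessions(parse_log(SAMPLE_LOG)):
        print(finding)
```

In production the same correlation would run over real 4688 records (or EDR process telemetry) and would also look at scheduled-task creation events and wake-timer configuration, which this simplified sample does not include.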

Recommended read:
References:
  • Securelist: Sleep with one eye open: how Librarian Ghouls steal data by night
  • Catalin Cimpanu: Mastodon post mentioning Librarian Ghouls Stealing data at night

@cyberpress.org //
Marks & Spencer (M&S), the prominent retail giant, was recently hit by a significant ransomware attack over the Easter period. The cyberattack, orchestrated by the DragonForce hacker group, disrupted crucial business functions, including online ordering and staff clocking systems. The attackers employed "double extortion" tactics, indicating that they stole sensitive data before encrypting the company's servers. This aggressive move puts M&S at risk of both data loss and public exposure.

An exclusive report reveals that the CEO of M&S received an offensive extortion email detailing the timeline and nature of the attack. The email, reportedly filled with abusive language, claimed that DragonForce had "mercilessly raped" the company and encrypted its servers. In response to the attack, M&S took drastic measures by switching off the VPN used by staff for remote work, which successfully contained the spread of the ransomware, but further disrupted business operations. The financial impact of this cyber incident has been substantial, with reports indicating losses of approximately £40 million per week in sales.

DragonForce, the ransomware group behind the attack, has reportedly compromised over 120 victims in the past year, establishing itself as a major player in the cybercrime landscape. The group has evolved from a Ransomware-as-a-Service (RaaS) model to a fully fledged ransomware cartel, targeting organizations across various sectors, including manufacturing, healthcare, and retail. While the origins of DragonForce remain a matter of speculation, technical indicators suggest a Russian alignment, including the use of Russian-linked infrastructure and recruitment efforts on Russian-speaking cybercrime forums. M&S has pointed to "human error" as the cause of the breach, with scrutiny falling on an employee of Tata Consultancy Services (TCS), which provides IT services to the retailer, although M&S has officially disputed claims that it lacked proper plans for handling a ransomware incident.

Recommended read:
References:
  • www.bitdefender.com: Marks & Spencer’s ransomware nightmare – more details emerge
  • bsky.app: EXCLUSIVE: "We have mercilessly raped your company and encrypted all the servers" - the aggressive extortion email sent to the CEO of M&S has been revealed. The offensive blackmail note reveals lots of things about the nature of the attack, the timeline and the hackers
  • cyberpress.org: Reports over 120 victims have been compromised in the last year.
  • The Register - Security: M&S online ordering system operational 46 days after cyber shutdown
  • www.techradar.com: M&S online orders are back following cyberattack - here's what you need to know
  • www.cybersecuritydive.com: Marks & Spencer restores some online-order operations following cyberattack
  • www.techdigest.tv: M&S resumes online orders weeks after cyber attack
  • www.tripwire.com: Report on DragonForce's email to M&S CEO about taking responsibility for the attack.
  • bsky.app: DragonForce has started posting new victims to its darknet site. Two new orgs now being publicly extorted. Nothing yet on Co-op/M&S/ Harrods.
  • www.infosecworrier.dk: Details regarding the significant data breach and the ransomware attack targeting Marks & Spencer.

@cyberinsider.com //
Adidas has confirmed a data breach impacting customer data via a third-party customer service provider. According to Adidas, the compromised data primarily consists of contact information of customers who had previously contacted its customer service help desk. The company states that sensitive information such as passwords, credit card details, and other payment-related information was not affected in the incident.

Adidas became aware that an unauthorized external party had obtained certain consumer data through a third-party customer service provider. Adidas immediately took steps to contain the incident and launched a comprehensive investigation in collaboration with leading information security experts. The company is currently notifying affected customers and is cooperating with data protection authorities and investigators as required by law.

This breach marks the third publicly acknowledged incident involving the sportswear giant’s customer service systems recently. The company is working to clarify the situation, reinforcing the importance of securing third-party providers to prevent them from becoming a gateway for attackers to access target systems. Adidas expressed that they remain fully committed to protecting the privacy and security of their consumers and sincerely regret any inconvenience or concern caused by this incident.

Recommended read:
References:
  • cyberinsider.com: Adidas Hit by Third Customer Data Breach Linked to Support Systems
  • The Register - Security: Adidas confirms criminals stole data from customer service provider
  • The420.in: Adidas Falls Victim to Cyberattack Amid Retail Industry Wave
  • BleepingComputer: Adidas warns of data breach after customer service provider hack
  • www.it-daily.net: Data leak at Adidas: contact data tapped via third-party providers
  • bsky.app: German sportswear giant Adidas disclosed a data breach after attackers hacked a customer service provider and stole some customers' data.
  • Graham Cluley: Adidas customers’ personal information at risk after data breach
  • hackread.com: Adidas Confirms Cyber Attack, Customer Data Stolen
  • www.bleepingcomputer.com: Adidas warns of data breach after customer service provider hack
  • Graham Cluley: Adidas customers' personal information at risk after third-party data breach.
  • bsky.app: Adidas customers' personal information at risk after third-party data breach.
  • techinformed.com: Adidas becomes latest consumer brand to be hit with a cyber breach
  • www.techradar.com: Adidas confirms customer data stolen in worrying cyberattack
  • www.techdigest.tv: Adidas customer data stolen in latest retail cyber attack
  • PCMag UK security: Adidas Confirms Data Breach, Customer Contact Details Exposed
  • Rescana: April 2025 Adidas Data Breach: Supply Chain Attack via Third-Party Customer Service Provider
  • ComputerWeekly.com: Adidas confirms customer data was accessed during cyber attack

MalBot@malware.news //
A fraudulent website, digiyatra[.]in, is actively targeting Indian air travelers by impersonating the official DigiYatra Foundation. Threat actors are exploiting the trust placed in India's digital infrastructure by setting up this deceptive phishing site. The website, which remains live at the time of reporting, is designed to harvest personal user data under the guise of providing official services for air travelers, mirroring a legitimate flight booking portal with a flight search box and user forms requesting names, phone numbers, and email addresses.

Despite the appearance of a genuine booking platform, the website does not facilitate any actual ticket sales or transactions. Instead, its sole purpose is data harvesting, enticing users to input Personally Identifiable Information (PII) by imitating a legitimate service experience. The site uses a free SSL certificate from Let's Encrypt to enhance its perceived legitimacy, further deceiving unsuspecting users. The domain was registered under the name Ali Sajil from Kerala, India, and is accessible through both its domain name and IP address (167[.]172[.]151[.]164).

The discovery of this phishing site poses significant risks, including unauthorized data collection, public deception, and potential reputational damage to the DigiYatra initiative. The site's ability to deceive users stems from its strategic use of keywords and the appearance of security through HTTPS. In response to this threat, ThreatWatch360 has taken immediate action, escalating the matter to CERT-In and submitting a takedown request to the domain registrar. Furthermore, alerts have been shared with brand protection clients, and monitoring for similar fraudulent attempts is ongoing, with DNS-level blocks advised for the domain and its IP address to prevent further abuse.

Recommended read:
References:
  • gbhackers.com: Fake DigiYatra Apps Target Indian Users to Steal Financial Data
  • infosecwriteups.com: Fake DigiYatra Website Was Targeting Indian Flyers With Lookalike Portal
  • malware.news: Fake DigiYatra Apps Target Indian Users to Steal Financial Data