The Linkielist

Linking ideas with the world

Suspected Chinese snoops use 2017 unpatched Windows flaw to spy on EU politicians

Cyber spies linked to the Chinese government exploited a Windows shortcut vulnerability disclosed in March – but that Microsoft hasn’t fixed yet – to target European diplomats in an effort to steal defense and national security details.

Security firm Arctic Wolf attributed the espionage campaign to UNC6384 (aka Mustang Panda, Twill Typhoon), and in research published Thursday detailed how the suspected PRC spies used social engineering and the Windows flaw to deploy PlugX malware against personnel attending diplomatic conferences in September and October.

“This campaign demonstrates UNC6384’s capability for rapid vulnerability adoption within six months of public disclosure, advanced social engineering leveraging detailed knowledge of diplomatic calendars and event themes, and operational expansion from traditional Southeast Asia targeting to European diplomatic entities,” the Arctic Wolf Labs threat research team said.

[…]

Zero Day Initiative threat hunter Peter Girnus discovered and reported this flaw to Microsoft in March, and said it had been abused as a zero-day as far back as 2017, with 11 state-sponsored groups from North Korea, Iran, Russia, and China abusing ZDI-CAN-25373 for cyber espionage and data theft purposes.

Blame ZDI-CAN-25373

The attacks begin with phishing emails using very specific themed lures around European defense and security cooperation and cross-border infrastructure development. Those emails delivered a weaponized LNK file which exploited ZDI-CAN-25373 (aka CVE-2025-9491), a Windows shortcut vulnerability, to let the attackers secretly execute commands by adding whitespace padding within the LNK file’s COMMAND_LINE_ARGUMENTS structure.
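A defender-side triage check for the padding trick described above, added here as an example and not code from the Arctic Wolf report or The Register: it walks the ShellLink header into the StringData block, pulls out the COMMAND_LINE_ARGUMENTS string, and flags long runs of whitespace that a file-properties dialog would render as nothing. The 64-character threshold and the minimal constructed fixture (header plus an Arguments field, no link target) are assumptions for the demonstration.

```python
import re
import struct
import uuid

# ShellLink header constants (MS-SHLLINK 2.1)
SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits that decide which structures follow the header (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData fields appear in this fixed order, each only when its flag is set
STRING_DATA_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Space, tab, LF, VT, FF, CR: characters the shortcut properties UI shows as blank
WHITESPACE_RUN = re.compile(r"[ \t\n\x0b\x0c\r]+")
# Assumption: no legitimate shortcut needs this many consecutive blanks
PADDING_THRESHOLD = 64


def parse_string_data(data: bytes) -> dict:
    """Walk a .lnk file up to its StringData block and return the string fields."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLink header")
    header_size = struct.unpack_from("<I", data, 0)[0]
    clsid = uuid.UUID(bytes_le=data[4:20])
    if header_size != HEADER_SIZE or clsid != SHELL_LINK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    fields = {}
    try:
        if flags & HAS_LINK_TARGET_ID_LIST:
            off += 2 + struct.unpack_from("<H", data, off)[0]  # IDListSize + IDList
        if flags & HAS_LINK_INFO:
            off += struct.unpack_from("<I", data, off)[0]      # LinkInfoSize covers itself
        for flag, name in STRING_DATA_FIELDS:
            if not flags & flag:
                continue
            count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, not bytes
            off += 2
            if flags & IS_UNICODE:
                raw = data[off:off + 2 * count]
                off += 2 * count
                fields[name] = raw.decode("utf-16-le", errors="replace")
            else:
                raw = data[off:off + count]
                off += count
                fields[name] = raw.decode("cp1252", errors="replace")
    except struct.error as exc:
        raise ValueError("truncated ShellLink structure") from exc
    return fields


def assess_lnk(data: bytes) -> dict:
    """Flag shortcuts whose arguments hide the real command behind whitespace padding."""
    args = parse_string_data(data).get("arguments", "")
    runs = [len(m.group(0)) for m in WHITESPACE_RUN.finditer(args)]
    longest = max(runs, default=0)
    return {
        "argument_length": len(args),
        "longest_whitespace_run": longest,
        "padded": longest >= PADDING_THRESHOLD,
        # what an analyst actually sees once the padding is collapsed
        "visible_arguments": WHITESPACE_RUN.sub(" ", args).strip(),
    }


def build_sample_lnk(arguments: str) -> bytes:
    """Constructed test fixture: header plus a Unicode Arguments field only.

    Hypothetical minimal file for exercising the parser; it has no link target
    and is not a sample from the campaign."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = SHELL_LINK_CLSID.bytes_le
    struct.pack_into("<I", header, 0x14, HAS_ARGUMENTS | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


if __name__ == "__main__":
    benign = build_sample_lnk("/c echo constructed-sample")
    padded = build_sample_lnk(" " * 300 + "/c echo constructed-sample")
    for label, blob in (("benign", benign), ("padded", padded)):
        print(label, assess_lnk(blob))
```

Running it over a directory of real shortcuts only needs `assess_lnk(open(path, "rb").read())` per file; anything reporting `padded` is worth a look regardless of what the target path claims to be.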

The malicious files, such as one named Agenda_Meeting 26 Sep Brussels.lnk, use diplomatic conference themes as lures along with a decoy PDF document, in this case displaying a real European Commission meeting agenda on facilitating the free movement of goods at border crossing points between the EU and Western Balkan countries.

The LNK file, when executed, invokes PowerShell to decode and extract a tar (tape archive) archive containing three files to enable the attack chain via DLL side-loading, a malware delivery technique favored by several Chinese government crews, including Salt Typhoon.

DLL sideloading exploits the Windows DLL search order by tricking an application into loading a malicious DLL instead of the legitimate one.

The three files include a legitimate, but expired, Canon printer assistant utility with a valid digital signature issued by Symantec. Although the certificate expired in April 2018, Windows trusts binaries whose signatures include a valid timestamp, so this allows the attackers to bypass security tools and deliver malware using DLL sideloading.

The malicious DLL functions as a loader to decrypt and execute the third file in the archive, cnmplog.dat, which contains the encrypted PlugX payload.

PlugX, which has been around since at least 2008, is a Remote Access Trojan (RAT) that gives attackers a full set of remote access capabilities, including command execution, keylogging, file uploading and downloading, persistent access, and system reconnaissance.

“This three-stage execution flow completes the deployment of PlugX malware running stealthily within a legitimate signed process, significantly reducing the likelihood of detection by endpoint security solutions,” the researchers wrote.

[…]

Source: Suspected Chinese snoops weaponize unpatched Windows flaw • The Register

AI generates surge in expense receipt fraud

[…] Software provider AppZen said fake AI receipts accounted for about 14 per cent of fraudulent documents submitted in September, compared with none last year. Fintech group Ramp said its new software flagged more than $1mn in fraudulent invoices within 90 days.

About 30 per cent of US and UK financial professionals surveyed by expense management platform Medius reported they had seen a rise in falsified receipts following the launch of OpenAI’s GPT-4o last year.

An AI-generated receipt © AppZen

“These receipts have become so good, we tell our customers, ‘do not trust your eyes’,” said Chris Juneau, senior vice-president and head of product marketing for SAP Concur, one of the world’s leading expense platforms, which processes more than 80mn compliance checks monthly using AI.

Several platforms attributed a significant jump in the number of AI-generated receipts after OpenAI launched GPT-4o’s improved image generation model in March.

[…]

Source: ‘Do not trust your eyes’: AI generates surge in expense fraud

Using EtherHiding to insert malware into blockchains to scam job seekers, steal wallets and gain corporate entry

[…] a technique called EtherHiding, hiding malware inside blockchain smart contracts to sneak past detection and ultimately swipe victims’ crypto and credentials, according to Google’s Threat Intelligence team.

A Pyongyang goon squad that GTIG tracks as UNC5342 has been using this method since February in its Contagious Interview campaign, we’re told.

The criminals pose as recruiters, posting fake profiles on social media along the lines of Lazarus Group’s Operation Dream Job, which tricked job seekers into clicking on malicious links. But in this case, the Norks target software developers, especially those working in cryptocurrency and tech, trick them into downloading malware disguised as a coding test, and ultimately steal sensitive information and cryptocurrency, while gaining long-term access to corporate networks.

Hiding on the blockchain

To do this, they use EtherHiding, which involves embedding malicious code into a smart contract on a public blockchain, turning the blockchain into a decentralized and stealthy command-and-control server.

Because it’s decentralized, there isn’t a central server for law enforcement to take down, and the blockchain makes it difficult to trace the identity of whoever deployed the smart contract. This also allows attackers to retrieve malicious payloads using read-only calls with no visible transaction history on the blockchain.

“In essence, EtherHiding represents a shift toward next-generation bulletproof hosting, where the inherent features of blockchain technology are repurposed for malicious ends,” Google’s threat hunters Blas Kojusner, Robert Wallace, and Joseph Dobson said in a Thursday report.

[…]

“EtherHiding presents new challenges as traditional campaigns have usually been halted by blocking known domains and IPs,” the security researchers wrote. “Malware authors may leverage the blockchain to perform further malware propagation stages since smart contracts operate autonomously and cannot be shut down.”

The good news: there are steps administrators can take to prevent EtherHiding attacks, with the first – and most direct – being to block malicious downloads. This typically involves setting policy to block certain types of files including .exe, .msi, .bat, and .dll.

Admins can also set policy to block access to known malicious websites and URLs of blockchain nodes, and enforce safe browsing via policies that use real-time threat intelligence to warn users of phishing sites and suspicious downloads.

Source: Norks abuse blockchains to scam job seekers, steal wallets • The Register

Prosper data breach impacts 17.6 million accounts

Hackers stole the personal information of over 17.6 million people after breaching the systems of financial services company Prosper.

Prosper operates as a peer-to-peer lending marketplace that has helped over 2 million customers secure more than $30 billion in loans since its founding in 2005.

As the company disclosed one month ago on a dedicated page, the breach was detected on September 2, but Prosper has yet to find evidence that the attackers gained access to customer accounts and funds.

However, the attackers stole data belonging to Prosper customers and loan applicants. The company hasn’t shared what information was exposed beyond Social Security numbers because it’s still investigating what data was affected.

[…]

“We have evidence that confidential, proprietary, and personal information, including Social Security Numbers, was obtained, including through unauthorized queries made on Company databases that store customer information and applicant data.

[…]

While Prosper didn’t share how many customers were affected by this data breach, data breach notification service Have I Been Pwned revealed the extent of the incident on Thursday, reporting that it affected 17.6 million unique email addresses.

The stolen information also includes customers’ names, government-issued IDs, employment status, credit status, income levels, dates of birth, physical addresses, IP addresses, and browser user agent details.

[…]

Source: Have I Been Pwned: Prosper data breach impacts 17.6 million accounts

Also no mention of how easy it was to perform these “unauthorised queries” on the database, or why there is a difference between 2m customers and 17.6m records.

Microsoft warns of ‘payroll pirate’ attacks against US universities

Microsoft’s Threat Intelligence team has sounded the alarm over a new financially-motivated cybercrime spree that is raiding US university payroll systems.

In a blog post, Redmond said a cybercrime crew it tracks as Storm-2657 has been targeting university employees since March 2025, hijacking salaries by breaking into HR software such as Workday.

The attack is as audacious as it is simple: compromise HR and email accounts, quietly change payroll settings, and redirect pay packets into attacker-controlled bank accounts. Microsoft has dubbed the operation “payroll pirate,” a nod to the way crooks plunder staff wages without touching the employer’s systems directly.

Storm-2657’s campaign begins with phishing emails designed to harvest multifactor authentication (MFA) codes using adversary-in-the-middle (AiTM) techniques. Once in, the attackers breach Exchange Online accounts and insert inbox rules to hide or delete HR messages. From there, they use stolen credentials and SSO integrations to access Workday and tweak direct deposit information, ensuring that future payments go straight to them.

Microsoft stresses that the attacks don’t exploit a flaw in Workday itself. The weak points are poor MFA hygiene and sloppy configurations, with Redmond warning that organizations still relying on legacy or easily-phished MFA are sitting ducks.

“Since March 2025, we’ve observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities,” Microsoft explained. It says these lures were crafted with academic precision: fake HR updates, reports of faculty misconduct, or notes about illness clusters, often linked through shared Google Docs to bypass filtering and appear routine.

In one instance, a phishing message urging recipients to “check their illness exposure status” was sent to 500 people within a single university, and only about 10 percent flagged it as suspicious, according to Microsoft.

[…]

Source: Microsoft warns of ‘payroll pirate’ attacks against US unis • The Register

USAF admits SharePoint privacy issue; reports of breach, shutdown of SharePoint, Teams and PowerBI

The US Air Force confirmed it’s investigating a “privacy-related issue” amid reports of a Microsoft SharePoint-related breach and subsequent service-wide shutdown, rendering mission files and other critical tools potentially unavailable to service members.

“The Department of the Air Force is aware of a privacy-related issue,” an Air Force spokesperson told The Register on Wednesday, while declining to answer specific questions about the alleged digital intrusion.

The Air Force’s confirmation follows what looks like a breach notification, shared with The Register and on social media, that purports to come from the Air Force Personnel Center Directorate of Technology and Information.

“This message is to inform you of a critical Personally Identifiable Information (PII) and Protected Health Information (PHI) exposure related to USAF SharePoint Permissions,” the notice says. “As a result of this breach, all USAF SharePoints will be blocked Air Force-wide to protect sensitive information.”

Two other Microsoft services, Teams and Power BI dashboards, will also allegedly be blocked because both access SharePoint, the alert continued, adding that restoration may take up to two weeks.

It’s unclear what services, if any, are offline right now. A DAF spokesperson said that the military branch “cannot confirm” that SharePoint and Teams have been disabled. Another person we spoke to on the phone claimed that they were “using it right now” when asked about SharePoint on Tuesday.

A Microsoft spokesperson told The Register that Redmond “has nothing to share at this time,” and declined to answer our specific questions including if the Air Force security snafu is related to July’s SharePoint fiasco.

Chinese government spies, data thieves, and at least one ransomware gang exploited a couple of SharePoint vulnerabilities over the summer, allowing them to hijack on-premises SharePoint servers belonging to more than 400 organizations and remotely execute code.

[…]

Source: Air Force admits SharePoint privacy issue; reports of breach • The Register

Chinese Hackers Breached Foreign Ministers’ Exchange Email Servers

Chinese hackers breached email servers of foreign ministers as part of a years-long effort targeting the communications of diplomats around the world, according to researchers at the cybersecurity firm Palo Alto Networks Inc.

Attackers accessed Microsoft Exchange email servers, gaining the ability to search for information at some foreign ministries, said the team at Unit 42, the threat intelligence division of Palo Alto Networks, which has been tracking the group for nearly three years.

Hackers specifically searched in the email servers for key terms related to a China-Arab summit in Riyadh, Saudi Arabia, in 2022, said Lior Rochberger, senior researcher at the company. They also searched for names such as Chinese President Xi Jinping and his wife, Peng Liyuan, in the context of that summit, the researchers said.

The researchers declined to specifically identify which countries had their systems breached in the hacking campaign, but wrote in the report that the group’s targeting patterns “align consistently with the People’s Republic of China (PRC) economic and geopolitical interests.”

[…]

“When I found them searching for specific diplomatic keywords and then exfiltrating emails from embassies and military operations, I realized this was a serious intelligence collection effort,” Rochberger said.

[…]

Source: Chinese Hackers Breached Foreign Ministers’ Email Servers

So that sounds like it was the cloud version of Exchange that was targeted. You would think that countries would have some respect for their own security and not have their data in the US on a US company’s servers. But no, their procurement departments are led by idiots who are now complaining that there are no alternatives – probably because they didn’t fund the alternatives that do exist.

UK offers JLR landmark £1.5B loan to safeguard suppliers after cyberattack – about which we still don’t know what happened.

The UK government is stepping in with financial support for Jaguar Land Rover, providing it with a hefty loan as it continues to battle the fallout from a cyberattack.

A government-backed loan to the tune of £1.5 billion ($2 billion) will be made available to the carmaker to support its recovery and the companies in its extensive supply chain struggling as JLR brings its invoicing systems back online.

Business secretary Peter Kyle said: “This cyberattack was not only an assault on an iconic British brand, but on our world-leading automotive sector and the men and women whose livelihoods depend on it.

“Following our decisive action, this loan guarantee will help support the supply chain and protect skilled jobs in the West Midlands, Merseyside, and throughout the UK.

“We’re backing our automotive sector for the long term through our modern Industrial Strategy and the landmark trade deals we’ve signed to boost exports, as part of our Plan for Change.”

[…]

JLR’s production plants have remained closed since August 31, and the impact on its suppliers – and local communities – is said to be severe.

Workers and their families fear for their jobs after seeing suppliers, many of which rely on their big JLR contracts, already initiate redundancy proceedings.

Then there are the smaller businesses that serve local communities. With JLR’s main production plants being based in Solihull and Halewood – employing roughly 9,000 and 3,000 workers respectively – businesses such as sandwich shops and cafes have seen a significant loss in revenue.

When these businesses lose out, so do their suppliers, such as bakers and butchers, meaning the impact of JLR’s attack extends far beyond what is typical for such cases.

[…]

It is estimated that the impact of the cyberattack threatens around 120,000 jobs at JLR and companies across its supply chain.

David Bailey, professor of business economics at the University of Birmingham, said JLR could be hemorrhaging between £5-10 million ($6-13 million) for every day that production remains halted.

He estimated that JLR could ultimately lose out on £2.2 billion ($2.9 billion) in revenue and £150 million ($202 million) in profit.

[…]

Source: UK offers JLR landmark £1.5B loan to safeguard suppliers • The Register

Chinese hackers breach US software and law firms amid trade fight

A team of suspected Chinese hackers has infiltrated US software developers and law firms in a sophisticated campaign to collect intelligence that could help Beijing in its ongoing trade fight with Washington, cybersecurity firm Mandiant said Wednesday.

The hackers have been rampant in recent weeks, hitting the cloud-computing firms that numerous American companies rely on to store key data, Mandiant, which is owned by Google, said. In a sign of how important China’s hacking army is in the race for tech supremacy, the hackers have also stolen US tech firms’ proprietary software and used it to find new vulnerabilities to burrow deeper into networks, according to Mandiant.

The FBI is investigating the intrusions and US officials are still trying to understand the full scope of the hacks, sources told CNN.

It’s a fresh five-alarm fire for the FBI’s cyber experts, who at any given time are investigating multiple sophisticated Chinese cyber-espionage campaigns aimed at US government and corporate secrets.

In some cases, the hackers have lurked undetected in the US corporate networks for over a year, quietly collecting intelligence, Mandiant said.

The disclosure comes after the Trump administration escalated America’s trade war with China this spring by slapping unprecedented tariffs on Chinese exports to the United States. The tit-for-tat tariffs set off a scramble in both governments to understand each other’s positions.

[…]

Source: Chinese hackers breach US software and law firms amid trade fight, experts say | CNN Politics

Google confirms crims accessed portal to share data with cops

Google confirmed that miscreants created a fraudulent account in its Law Enforcement Request System (LERS) portal, which police and other government agencies use to ask for data about Google users.

“We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account,” a Google spokesperson told The Register on Tuesday. “No requests were made with this fraudulent account, and no data was accessed.”

Google’s admission follows BreachForums posts by Scattered Lapsus$ Hunters – this is the gang allegedly made up of members from three other notorious cybercrime crews, Scattered Spider, ShinyHunters, and Lapsus$. Shortly after announcing their retirement from the ransomware biz, they indicated via screenshots that they had access to Google LERS, as well as the FBI’s National Instant Criminal Background Check System (NICS), a federal system that provides background checks on would-be gun buyers to ensure they aren’t prohibited from owning a firearm. The FBI declined to comment on the extortionists’ claims.

[…]

Source: Google confirms crims accessed its law enforcement portal • The Register

Small Businesses Face a New Threat: Pay Up or Be Flooded With Bad Reviews

Scammers are extorting small businesses worldwide by threatening to flood their Google Maps profiles with fake one-star reviews or demanding payment to remove reviews already posted, according to The New York Times. Fraudsters target service businesses dependent on online ratings — movers, roofers, contractors — demanding hundreds of dollars per incident. The Times story documents many cases, including that of Los Angeles contractor Natalia Piper, who paid $250 to multiple scammers after her rating plummeted from 5.0 to 3.6 stars.

Industry watchdog Fake Review Watch documented over 150 affected businesses globally. The scammers typically operate from Pakistan and Bangladesh using WhatsApp to contact victims.

Source: Small Businesses Face a New Threat: Pay Up or Be Flooded With Bad Reviews

NB The article says that Google will remove fake reviews, but my experience is that there is a non-transparent review process that takes over half a year and then ends up with no removal (despite all the reviews placed by the reviewers being negative and repetitive, e.g. saying things like “does not pay bills”) with absolutely no recourse.

Plex tells users to reset passwords after new data breach. Again.

Popular media streaming platform Plex has informed its users of yet another data breach, urging them to change their passwords as soon as possible.

Criminals often target media streaming platforms because they deal with sensitive information. Plex has fallen victim to a similar intrusion in the past, and a couple of years ago went through a very similar situation.

Now, Plex has revealed that an unauthorized third party gained access to one of its databases, exposing information on a limited number of customers.

The compromised data may include email addresses, usernames, securely hashed passwords, and authentication information. The company underlines that no credit card information has been affected because that type of information is not stored on those kinds of servers.

It’s a relief that the passwords are hashed because it means they are not readable, but it’s still a good idea to change the Plex passwords as quickly as possible.

Containment and response

According to Plex, the breach was contained quickly, and the method the attacker used was identified and addressed.

“We sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring,” said the company.

Plex has outlined two actions users must take, depending on their sign-in methods:

Password-based login: Users have to reset their Plex account password immediately via ‘https://plex.tv/reset’. The company recommends checking the option to “Sign out connected devices after password change,” which will log out all devices and require reauthentication with the new password.

SSO login: Users should log out of all active sessions through ‘https://plex.tv/security’ and sign back in as normal.

Plex is also strongly encouraging users to enable two-factor authentication (2FA) for added protection if they haven’t already done so.

Source: Plex tells users to reset passwords after new data breach

Stolen Salesforce Drift OAuth tokens expose Palo Alto customer data

Palo Alto Networks is writing to customers that may have had commercially sensitive data exposed after criminals used stolen OAuth credentials lifted from the Salesloft Drift break-in to gain entry to its Salesforce instance.

Marc Benoit, chief information security officer at PAN, confirmed in a note to clients – seen by The Register – that it was informed on August 25 that the “compromise of a third-party application, Salesloft’s Drift, resulted in the access and exfiltration of data stored in our Salesforce environment.”

It immediately disconnected the third-party application from its Salesforce CRM, he said. “The investigation [by the Unit 42 team] confirms that the event was isolated to our Salesforce environment and did not affect any Palo Alto Networks products, systems or services.”

Benoit said it “further confirmed that the data involved includes primarily customer business contact information, such as names and contact info, company attributes, and basic customer support case information. It is important to note that no tech support files or attachments to any customer support cases were part of the exfiltration.”

[…]

The breach of the Drift application has led to supply chain attacks at “hundreds” of organizations, including PAN, said Benoit in a blog post. He said the “incident” was “isolated to our CRM platform.”

Google said last week that it didn’t have enough signs to confirm that the recent spate of Salesforce data thefts claimed by ShinyHunters on Google itself, Workday, Allianz, Qantas and LVMH brand Dior were connected to the same group that masterminded the Salesloft attack.

The Unit 42 team at PAN advised organizations to monitor Salesforce and Salesloft updates, and take steps such as token revocation to secure platforms. It recommends conducting a review of all Drift integrations and all authentication activity with third-party systems for evidence of “suspicious connections, credential harvesting and data exfiltration.”

Unit 42 also recommends that you probe your Salesforce log-in history, audit trail, and API access logs from August 8 – when Salesloft says attackers first used “OAuth credentials to exfiltrate data from our customers’ Salesforce instances” – to the present day. It also advises combing over Identity Provider Logs and Network Logs.

Source: Stolen OAuth tokens expose Palo Alto customer data • The Register

TransUnion says hackers stole 4.4 million customers’ personal information (breached AGAIN!!!)

Credit reporting giant TransUnion has disclosed a data breach affecting more than 4.4 million customers’ personal information.

In a filing with Maine’s attorney general’s office on Thursday, TransUnion attributed the July 28 breach to unauthorized access of a third-party application storing customers’ personal data for its U.S. consumer support operations.

TransUnion claimed “no credit information was accessed,” but provided no immediate evidence for its claim. The data breach notice did not specify what specific types of personal data were stolen.

In a separate data breach disclosure filed later on Thursday with Texas’ attorney general’s office, TransUnion confirmed that the stolen personal information includes customers’ names, dates of birth, and Social Security numbers.

[…]

TransUnion is one of the largest credit reporting agencies in the United States, and stores the financial data of more than 260 million Americans. It’s the latest U.S. corporate giant to have been hacked in recent weeks following a wave of hacks targeting the insurance, retail, and transportation and airline industries.

[…]

Source: TransUnion says hackers stole 4.4 million customers’ personal information | TechCrunch

Well done TransUnion. In 2023 it lost a massive data dump (which they accept and then say no, wasn’t us) and in 2017 it got its customers to download malware (and again said, yes it was us but it wasn’t). You would think that at some point they would learn, but the penalties are apparently too small to care.

And considering it actually says that they verify personal identities, and sell identity protection services – and who knows if those “customers” actually know that they are customers – the quantity and scale of these breaches is simply unacceptable. The company can obviously not handle its tasking and should by now be broken down.

FBI cyber cop: Salt Typhoon pwned ‘nearly every American’

China’s Salt Typhoon cyberspies hoovered up information belonging to millions of people in the United States over the course of the years-long intrusion into telecommunications networks, according to a top FBI cyber official.

“There’s a good chance this espionage campaign has stolen information from nearly every American,” Michael Machtinger, deputy assistant director for the FBI’s cyber division, told The Register.

[…]

The Beijing-backed spying campaign began at least in 2019 but wasn’t uncovered by US authorities until last fall. On Wednesday, US law enforcement and intelligence agencies along with those from 12 other countries warned the ongoing espionage activity expanded far beyond nine American telcos and government networks. According to Machtinger, at least 80 countries were hit by the digital intrusions.

Around 200 American organizations were compromised by the espionage activity, Machtinger said, including the previously disclosed telecommunications firms such as Verizon and AT&T.

Yesterday’s joint security alert also pointed the allies’ collective finger at three China-based entities affiliated with Salt Typhoon: Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology. These companies, and likely others, provide cyber products and services to China’s Ministry of State Security and People’s Liberation Army, the governments said.

[…]

This indiscriminate targeting, as the FBI and White House security officials have previously noted, allowed Beijing’s snoops to geo-locate millions of mobile phone users, monitor their internet traffic, and, in some cases, record their phone calls. Victims reportedly included President Donald Trump and Vice President JD Vance.

Machtinger declined to confirm whether Trump and Vance were among those surveilled, but did say that victims included more than 100 current and former presidential administration officials.

[…]

Source: FBI cyber cop: Salt Typhoon pwned ‘nearly every American’ • The Register

It’s quite telling that you only have to breach 200 organisations to gain information on 350 million Americans.

German banks block EUR 10B in ‘unauthorized’ PayPal direct debits

Shoppers and merchants in Germany found themselves dealing with billions of euros in frozen transactions this week, thanks to an apparent failure in PayPal’s fraud-detection systems.

According to the Association of German Banks, the problem hit on Monday when banks noticed a slew of recent unauthorized direct debits from PayPal. The body said the banks responded in various ways, which is one way of putting it – the Süddeutsche Zeitung reported that some stopped all PayPal transactions, with the total number of frozen payments likely to be around €10 billion.

A spokesperson for the German Savings Banks Association (DSGV), which represents hundreds of regional banks across the country, confirmed the issue to The Register. The DSGV said PayPal had assured it the problem was resolved, adding that PayPal payments had been running smoothly since Tuesday morning and the US payments platform was informing affected customers “directly.”

The DSGV said the unauthorized payments had a “significant impact on transactions throughout Europe, particularly in Germany.” However, there have been no confirmed reports of the incident being felt outside Germany. Austrian media reported that the banks there had seen no problems.

[…]

PayPal’s reputational hit in Germany is likely to be exacerbated by last week’s reports of hackers offering millions of PayPal credentials that they claimed PayPal had recently exposed in plaintext. The hackers’ claims appear dubious, with PayPal denying any recent breach, but the reports gained significant traction in Germany.

“It’s possible that the data is incorrect or outdated,” read a Wednesday advisory from the German consumer organization Stiftung Warentest, which bundled the leak report with this week’s snafu. “Nonetheless, PayPal users should change their passwords as a precaution.” ®

Source: Euro banks block ‘unauthorized’ PayPal direct debits • The Register

Farmers Insurance data breach impacts 1.1M people after Salesforce attack

U.S. insurance giant Farmers Insurance has disclosed a data breach impacting 1.1 million customers, with BleepingComputer learning that the data was stolen in the widespread Salesforce attacks.

Farmers Insurance is a U.S.-based insurer that provides auto, home, life, and business insurance products. It operates through a network of agents and subsidiaries, serving more than 10 million households nationwide.

The company disclosed the data breach in an advisory on its website, saying that its database at a third-party vendor was breached on May 29, 2025.

“On May 30, 2025, one of Farmers’ third-party vendors alerted Farmers to suspicious activity involving an unauthorized actor accessing one of the vendor’s databases containing Farmers customer information (the “Incident”),” reads the data breach notification on its website.

[…]

The company says that its investigation determined that customers’ names, addresses, dates of birth, driver’s license numbers, and/or last four digits of Social Security numbers were stolen during the breach.

Farmers began sending data breach notifications to impacted individuals on August 22, with a sample notification [1, 2] shared with the Maine Attorney General’s Office, stating that a combined total of 1,111,386 customers were impacted.

[…]

Source: Farmers Insurance data breach impacts 1.1M people after Salesforce attack

Boffins release 5G traffic sniffing tool

“Sni5Gect [is] a framework that sniffs messages from pre-authentication 5G communication in real-time,” the researchers from the Singapore University of Technology and Design explained of their work, presented this week at the 34th USENIX security bash, “and injects targeted attack payload in downlink communication towards the UE [User Equipment, i.e. a phone].”

Designed to take advantage of the period just after a device connects to a 5G network and is still in the process of handshaking and authentication – which, the team points out, can occur when entering or leaving a lift, disembarking a plane and turning aeroplane mode off, or even passing through a tunnel or parking garage – Sni5Gect takes advantage of unencrypted messaging between the base station and a target handset.

“Since messages exchanged between the gNB [Next-Generation Node B, the base station] and the UE are not encrypted before the security context is established (pre-authentication state),” the researchers wrote, “an attacker does not require knowledge of the UE’s credentials to sniff uplink/downlink [traffic] nor to inject messages without integrity protection throughout the UE connection procedure.”

That’s a flaw, and one the framework is designed to exploit. The team’s testing showed it capable of sniffing both uplink and downlink traffic with more than 80 percent accuracy, at ranges of up to 20 meters between an off-the-shelf software-defined radio and the target mobile. For packet injection, the success rate varied between 70 and 90 percent – and delivered, among other things, proof of a novel downgrade attack by which a ne’er-do-well equipped with Sni5Gect could downgrade a connection from 5G to 4G to reduce its security and carry out further surveillance and attacks.

As Sni5Gect works in real-time, its creators have claimed, and can inject attack payloads, including multi-stage attacks, based on protocol state, it’s suited to fingerprinting, denial-of-service attacks, and downgrading.

“To the best of our knowledge,” they wrote in their paper’s introduction [PDF], “Sni5Gect is the first framework that empowers researchers with both over-the-air sniffing and stateful injection capabilities, without requiring a rogue gNB [base station].”

[…]

Not all of the capabilities claimed in the team’s paper have been fully disclosed, however. The team has kept private “other serious exploits leveraging the framework,” in order to “avoid abusing SNI5Gect to launch attacks against people’s smartphones[s].” These exploits, it is claimed, will be made available only to “trusted institutions like universities and research institutions” upon application and verification of their legitimate interest.

[…]

More information, including a link to the open-access paper, is available on the project website.

Source: Boffins release 5G traffic sniffing tool • The Register

Find the git repository here

Security flaws in a carmaker’s web portal let one hacker remotely unlock cars from anywhere

[…] Zveare, who has found bugs in carmakers’ customer systems and vehicle management systems before, found the flaw earlier this year as part of a weekend project, he told TechCrunch.

He said while the security flaws in the portal’s login system were a challenge to find, once he found them, the bugs let him bypass the login mechanism altogether by permitting him to create a new “national admin” account.

The flaws were problematic because the buggy code loaded in the user’s browser when opening the portal’s login page, allowing the user — in this case, Zveare — to modify the code to bypass the login security checks. Zveare told TechCrunch that the carmaker found no evidence of past exploitation, suggesting he was the first to find it and report it to the carmaker.

When logged in, the account granted access to more than 1,000 of the carmaker’s dealers across the United States, he told TechCrunch.

“No one even knows that you’re just silently looking at all of these dealers’ data, all their financials, all their private stuff, all their leads,” said Zveare, in describing the access.

Zveare said one of the things he found inside the dealership portal was a national consumer lookup tool that allowed logged-in portal users to look up the vehicle and driver data of that carmaker.

In one real-world example, Zveare took a vehicle’s unique identification number from the windshield of a car in a public parking lot and used the number to identify the car’s owner. Zveare said the tool could be used to look up someone using only a customer’s first and last name.

With access to the portal, Zveare said it was also possible to pair any vehicle with a mobile account, which allows customers to remotely control some of their cars’ functions from an app, such as unlocking their cars.

Zveare said he tried this out in a real-world example using a friend’s account and with their consent. In transferring ownership to an account controlled by Zveare, he said the portal requires only an attestation — effectively a pinky promise — that the user performing the account transfer is legitimate.

“For my purposes, I just got a friend who consented to me taking over their car, and I ran with that,” Zveare told TechCrunch. “But [the portal] could basically do that to anyone just by knowing their name — which kind of freaks me out a bit — or I could just look up a car in the parking lots.”

[…]

Zveare said this was similar to a feature found in a Toyota dealer portal discovered in 2023.

“They’re just security nightmares waiting to happen,” said Zveare, speaking of the user-impersonation feature.

Once in the portal, Zveare found personally identifiable customer data, some financial information, and telematics systems that allowed the real-time location tracking of rental or courtesy cars, as well as cars being shipped across the country, and the option to cancel them — though Zveare didn’t try.

Zveare said the bugs took about a week to fix in February 2025 soon after his disclosure to the carmaker.

[…]

Source: Security flaws in a carmaker’s web portal let one hacker remotely unlock cars from anywhere | TechCrunch

However, he won’t identify the car maker – which is a real problem with bad responsible disclosure rules.

Russian hackers seized control of Norwegian dam, spy chief says

Russian hackers took control of a Norwegian dam this year, opening a floodgate and allowing water to flow unnoticed for four hours, Norway’s intelligence service has said.

The admission, by the Norwegian Police Security Service (PST), marks the first time that Oslo has formally attributed the cyber-attack in April on Bremanger, western Norway, to Moscow.

The attack on the dam, which is used for farming fish, released 500 litres (132 gallons) of water a second for four hours until the incident was detected and stopped.

The head of PST, Beate Gangås, said on Wednesday: “Over the past year, we have seen a change in activity from pro-Russian cyber actors.” The Bremanger incident was an example of such an attack, she added.

“The aim of this type of operation is to influence and to cause fear and chaos among the general population. Our Russian neighbour has become more dangerous.”

[…]

Intelligence services in Norway, which produces the majority of its electricity using hydropower dams, had previously warned of the potential risk of such attacks on energy infrastructure.

Norway and Russia share a 123-mile (198km) border, with a crossing at Storskog, Europe’s only open Schengen border with Russia.

The Russian embassy in Oslo said Gangås’s statements were “unfounded and politically motivated”.

It told Reuters news agency: “It is obvious that the PST is unsuccessfully trying to substantiate the mythical threat of Russian sabotage against Norwegian infrastructure this year, which it itself invented in its February (annual) report.”

Last year, Richard Moore, the head of Britain’s Secret Intelligence Service, MI6, accused Russia of a “staggeringly reckless campaign” of sabotage in Europe, in part to frighten countries from helping Ukraine. Moscow denies the allegation.

Source: Russian hackers seized control of Norwegian dam, spy chief says | Russia | The Guardian

KLM, Air France latest major orgs to have data looted

European airline giants Air France and KLM say they are the latest in a string of major organizations to have their customers’ data stolen by way of a break-in at a third party org.

The airlines, which share a parent company, Air France-KLM Group, said in a joint statement that they “detected unusual activity on an external platform we use for customer service,” which led to attackers accessing customer data.

“Our IT security teams, along with the relevant external party, took immediate action to stop the unauthorized access,” the statement read. “Measures have also been implemented to prevent recurrence. Internal Air France and KLM systems were not affected.

“No sensitive data such as passwords, travel details, Flying Blue miles, passport, or credit card information was stolen.”

The airlines did not publicly specify the types of data that were stolen, but the exclusion of sensitive data suggests basic personal information was involved.

However, customer notifications circulating online noted that first and family names, along with contact details, Flying Blue numbers and tier levels, and the subject lines of service request emails were accessed.

[…]

The attack marks the latest in a string of data lapses at major organizations that also blamed a third party.

In recent weeks, luxury retailers Dior, Chanel, and Pandora all reported similar leaks at third party providers, as did Google, Qantas, and Allianz.

All of the above declined to identify the third party in question except for Google, which said this week that one of its Salesforce instances was raided.

[…]

Source: KLM, Air France latest major orgs to have data looted • The Register

It’s pretty clear that the customer service portal was looted.

The Viral ‘Tea’ App Just Had a Second Data Breach, and It’s Even Worse

Last week, the two-year-old social media app Tea, which functions as a Yelp-style platform where women can anonymously rate and review real men who cannot access the app nor respond, experienced an intense moment of virality that rocketed it to the top of the most-downloaded list on Apple’s App Store. But within days, it faced a major data breach that leaked years-old user data. And now there are reports of a second breach, and it’s even worse.

Reps for the app said last week that the data that leaked was about two years old, and that no information related to users who joined more recently appeared to be included. But according to a new report from 404 Media, the second incursion leaked direct messages and other data from as recently as last week.

The second data breach included more recent information

According to 404 Media’s report, an independent security researcher named Kasra Rahjerdi reported the second breach, noting “it was possible for hackers to access messages between [Tea] users discussing abortions, cheating partners, and phone numbers they sent to one another.” This breach appears to be of a separate database, not the same one that was at issue last week, and this database stored much more recent information.

In last week’s breach, hackers were able to view and disseminate user verification images—including photos of driver’s licenses—that were submitted when women signed up for the service.

[…]

In its report, 404 Media makes clear that this security issue was noticed and flagged by an independent researcher—but there’s no way of knowing who else may have discovered it and not taken the info to the media. The outlet was able to confirm that the database included private, potentially sensitive information about not only the women who were chatting within the app, but the men they were discussing. Some women shared phone numbers and private details of their interactions with men and made accusations about the men’s conduct. While Tea encourages users to create anonymous usernames, 404 Media reported it wasn’t hard to tie at least a few of the messages back to real-life people.

[…]

I certainly acknowledge that warning women of abusers, violent men, and cheaters is a good, safe thing to do and that anonymously rating people and not having to provide any proof of the accusations you’re publicly making against them is potentially a very bad thing.

And inarguably, the fact that thousands of women’s photos and private messages were stored in such an insecure way by Tea that they have been exposed in multiple data breaches is definitely a very bad thing. No one is winning here.

Source: The Viral ‘Tea’ App Just Had a Second Data Breach, and It’s Even Worse

Cyberattack on Russian airline Aeroflot causes the cancellation of more than 100 flights

A cyberattack on Russian state-owned flagship carrier Aeroflot caused a mass outage to the company’s computer systems on Monday, Russia’s prosecutor’s office said, forcing the airline to cancel more than 100 flights and delay others.

Ukrainian hacker group Silent Crow and Belarusian hacker activist group the Belarus Cyber-Partisans, which opposes the rule of Belarusian President Alexander Lukashenko, claimed responsibility for the cyberattack.

[…]

Kremlin spokesperson Dmitry Peskov called reports of the cyberattack “quite alarming,” adding that “the hacker threat is a threat that remains for all large companies providing services to the general public.”

Silent Crow claimed it had accessed Aeroflot’s corporate network for a year, copying customer and internal data, including audio recordings of phone calls, data from the company’s own surveillance on employees and other intercepted communications.

“All of these resources are now inaccessible or destroyed and restoring them will possibly require tens of millions of dollars. The damage is strategic,” the channel purporting to be the Silent Crow group wrote on Telegram. There was no way to independently verify its claims.

The same channel also shared screenshots that appeared to show Aeroflot’s internal IT systems, and insinuated that Silent Crow could begin sharing the data it had seized in the coming days.

“The personal data of all Russians who have ever flown with Aeroflot have now also gone on a trip — albeit without luggage and to the same destination,” it said.

[…]

Source: Cyberattack on Russian airline Aeroflot causes the cancellation of more than 100 flights – POLITICO

Majority of 1.4M customers caught in Allianz Life data heist

Financial services biz Allianz says the majority of customers of one of its North American subsidiaries had their data stolen in a cyberattack.

Lawyers acting on behalf of US-based Allianz Life filed a breach notification with Maine’s attorney general on Saturday, saying the intrusion began on July 16 and was detected a day later.

Official filings did not state how many people were affected, or what data was compromised, although in a statement to The Register, Allianz said the majority of its 1.4 million customers were impacted.

“The threat actor was able to obtain personally identifiable data related to the majority of Allianz Life’s customers, financial professionals, and select Allianz Life employees, using a social engineering technique,” a spokesperson said.

Allianz went on to say that the attacker or attackers gained access to Allianz Life’s third-party, cloud-based CRM system, although it did not confirm the vendor supplying that system.

[…]

Source: Majority of 1.4M customers caught in Allianz Life data heist • The Register

What is most amazing is that nowadays 1.4m people affected feels like a small hack.

After $380M hack, Clorox sues its service desk vendor Cognizant for simply giving out passwords

Hacking is hard. Well, sometimes.

Other times, you just call up a company’s IT service desk and pretend to be an employee who needs a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset… and it’s done. Without even verifying your identity.

So you use that information to log in to the target network and discover a more trusted user who works in IT security. You call the IT service desk back, acting like you are now this second person, and you request the same thing: a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset. Again, the desk provides it, no identity verification needed.

So you log in to the network with these new credentials and set about planting ransomware or exfiltrating data in the target network, eventually doing an estimated $380 million in damage. Easy, right?

According to The Clorox Company, which makes everything from lip balm to cat litter to charcoal to bleach, this is exactly what happened to it in 2023. But Clorox says that the “debilitating” breach was not its fault. It had outsourced the “service desk” part of its IT security operations to the massive services company Cognizant—and Clorox says that Cognizant failed to follow even the most basic agreed-upon procedures for running the service desk.

In the words of a new Clorox lawsuit, Cognizant’s behavior was “all a devastating lie,” it “failed to show even scant care,” and it was “aware that its employees were not adequately trained.”

“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” says the lawsuit, using italics to indicate outrage emphasis. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over. Cognizant is on tape handing over the keys to Clorox’s corporate network to the cybercriminal—no authentication questions asked.”

I can has password reset?

From 2013 through 2023, Cognizant had helped “guard the proverbial front door” to Clorox’s network by running a “service desk” that handled common access requests around passwords, VPNs, and multifactor authentication (MFA) such as SMS codes.

When a purported Clorox employee called the service desk, protocol demanded that the employee use an internal verification and self-reset password tool called MyID. If that wasn’t possible, the service desk should have verified the person’s identity using their manager’s name and the user’s MyID username, after which the password could be reset but the manager and employee would both be notified by email.

Instead, says Clorox, this happened on August 11, 2023:

Cybercriminal: I don’t have a password, so I can’t connect.
Cognizant Agent: Oh, ok. Ok. So let me provide the password to you ok?
Cybercriminal: Alright. Yep. Yeah, what’s the password?
Cognizant Agent: Just a minute. So it starts with the word “Welcome”…

When this worked, and the caller had a working password, he moved on to asking about an MFA reset:

Cybercriminal: My Microsoft MFA isn’t working.
Cognizant Agent: Oh, ok…
Cybercriminal: Can you reset my MFA? It’s on my old phone … [inaudible] old phone.
Cognizant Agent: [Following a brief hold]. So thanks for being on hold, Alex. So multifactor authentication reset has been done now. Ok. So can you check if you’re able to login …
Cybercriminal: Alright. It let me sign in now. Thank you.

After adopting the ID of a second Clorox user in IT security and calling back later that same day, the hacker tried all the same tricks again. And they worked, even across multiple Cognizant agents.

Cognizant Agent: How can I help you today?
Cybercriminal: Um my password on Okta was not working …
Cognizant Agent: I’m going to have your password reset from my end right away. Ok. And we’ll see how it’s going to work. Ok. [Following a brief hold] Thank you … I’m extremely sorry for the long hold. So … password is going to be Clorox@123.
Cybercriminal: What’s that?
Cognizant Agent: Yeah it was Clorox@123…Ok.
Cybercriminal: Yep.
Cognizant Agent: Want me to wait over the phone while you are trying it?
Cybercriminal: Yes, yes, please.
Cognizant Agent: Sure … sure.
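A defender-side view of the protocol and the calls above, as an added example that is not Clorox’s, Cognizant’s or Ars Technica’s code: it checks each reset ticket against the verification rules the lawsuit describes (MyID self-service, or manager name plus MyID username with both parties e-mailed) and flags any account whose password, Okta MFA and Microsoft MFA were all reset within a few hours, the sequence used on both Clorox accounts. The ticket records, usernames and field names are constructed for illustration.

```python
"""
Service-desk credential-reset policy check plus a detector for the
password + Okta MFA + Microsoft MFA sequence described in the Clorox case.
Added example; ticket schema and records are constructed, not a real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Verification the described protocol required: the MyID self-service tool,
# or (fallback) the caller's manager name plus their MyID username.
ACCEPTED_VERIFICATION = {"myid_self_service", "manager_name_and_myid_username"}
# A password reset plus both MFA resets hands over every factor at once.
FULL_TAKEOVER = {"password", "okta_mfa", "microsoft_mfa"}


@dataclass(frozen=True)
class ResetTicket:
    when: datetime
    agent: str
    target_user: str
    reset_type: str          # "password", "okta_mfa" or "microsoft_mfa"
    verification: str        # "none" when the agent skipped verification
    notified: frozenset      # recipients of the post-reset e-mail notice


def policy_violations(t: ResetTicket) -> list[str]:
    """Rules from the described protocol that this single ticket breaks."""
    problems = []
    if t.verification not in ACCEPTED_VERIFICATION:
        problems.append("no accepted identity verification")
    # The manual fallback path requires notifying both manager and employee.
    if (t.verification == "manager_name_and_myid_username"
            and not {"manager", "employee"} <= t.notified):
        problems.append("manager and employee not both notified")
    return problems


def takeover_sequences(tickets, window=timedelta(hours=4)):
    """Users whose password, Okta MFA and Microsoft MFA were all reset
    inside `window`; the value is the set of agents who did it."""
    by_user = defaultdict(list)
    for t in tickets:
        if t.reset_type in FULL_TAKEOVER:
            by_user[t.target_user].append(t)
    hits = {}
    for user, ts in by_user.items():
        ts.sort(key=lambda t: t.when)
        for i, first in enumerate(ts):
            inside = [t for t in ts[i:] if t.when - first.when <= window]
            if {t.reset_type for t in inside} >= FULL_TAKEOVER:
                hits[user] = sorted({t.agent for t in inside})
                break
    return hits


def triage(tickets):
    """Combine per-ticket policy checks with the cross-ticket pattern."""
    return {
        "noncompliant": [(t.target_user, t.reset_type, policy_violations(t))
                         for t in tickets if policy_violations(t)],
        "takeovers": takeover_sequences(tickets),
    }


# Constructed tickets modelled on the August 11, 2023 calls in the article.
D = datetime(2023, 8, 11)
SAMPLE_TICKETS = [
    ResetTicket(D.replace(hour=9, minute=2), "agent1", "user_a", "password", "none", frozenset()),
    ResetTicket(D.replace(hour=9, minute=10), "agent1", "user_a", "microsoft_mfa", "none", frozenset()),
    ResetTicket(D.replace(hour=9, minute=14), "agent1", "user_a", "okta_mfa", "none", frozenset()),
    ResetTicket(D.replace(hour=15, minute=30), "agent2", "itsec_user_b", "password", "none", frozenset()),
    ResetTicket(D.replace(hour=15, minute=41), "agent3", "itsec_user_b", "okta_mfa", "none", frozenset()),
    ResetTicket(D.replace(hour=15, minute=47), "agent3", "itsec_user_b", "microsoft_mfa", "none", frozenset()),
    # A compliant reset: fallback verification with both notifications sent.
    ResetTicket(D.replace(hour=11, minute=0), "agent4", "user_c", "password",
                "manager_name_and_myid_username", frozenset({"manager", "employee"})),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_TICKETS).items():
        print(key, value)
```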

[…]

Source: After $380M hack, Clorox sues its “service desk” vendor for simply giving out passwords – Ars Technica