The Breach News

U.S. Charges Yemeni Hacker in Black Kingdom Ransomware Attack Affecting 1,500 Systems

May 03, 2025
Cybercrime / Malware

The U.S. Department of Justice (DoJ) announced charges against Rami Khaled Ahmed, a 36-year-old Yemeni national, for allegedly deploying the Black Kingdom ransomware against numerous global targets, including businesses, schools, and hospitals in the United States. Ahmed, currently believed to be residing in Sana’a, Yemen, faces charges of conspiracy, intentional damage to a protected computer, and threatening damage to a protected computer.

According to the DoJ, from March 2021 to June 2023, Ahmed and accomplices compromised the computer networks of several U.S.-based victims, including a medical billing service in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin. Ahmed is accused of creating and launching the ransomware by exploiting a known vulnerability in Microsoft Exchange Server referred to as ProxyLogon. The ransomware operation involved encrypting data from targeted systems…

U.S. Charges Yemeni Hacker Linked to Black Kingdom Ransomware Affecting 1,500 Systems On May 3, 2025, the U.S. Department of Justice (DoJ) revealed charges against Rami Khaled Ahmed, a 36-year-old national from Yemen, for allegedly deploying the notorious Black Kingdom ransomware. This malicious software targeted a wide array of entities…

Read More

U.S. Charges Yemeni Hacker in Black Kingdom Ransomware Attack Affecting 1,500 Systems

May 03, 2025
Cybercrime / Malware

The U.S. Department of Justice (DoJ) announced charges against Rami Khaled Ahmed, a 36-year-old Yemeni national, for allegedly deploying the Black Kingdom ransomware against numerous global targets, including businesses, schools, and hospitals in the United States. Ahmed, currently believed to be residing in Sana’a, Yemen, faces charges of conspiracy, intentional damage to a protected computer, and threatening damage to a protected computer.

According to the DoJ, from March 2021 to June 2023, Ahmed and accomplices compromised the computer networks of several U.S.-based victims, including a medical billing service in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin. Ahmed is accused of creating and launching the ransomware by exploiting a known vulnerability in Microsoft Exchange Server referred to as ProxyLogon. The ransomware operation involved encrypting data from targeted systems…

Edelson Lechtzin LLP Investigates Potential Data Breach Affecting Customers of The Aspire Rural Health System

LANSING, Mich., Aug. 22, 2025 /PRNewswire/ — The Philadelphia-based law firm Edelson Lechtzin LLP has initiated an investigation into data privacy violations stemming from a significant data breach at Aspire Rural Health System (“Aspire”). This breach, which reportedly began on or around February 13, 2025, has raised alarms regarding the…

Read MoreEdelson Lechtzin LLP Investigates Potential Data Breach Affecting Customers of The Aspire Rural Health System

Researcher Uncovers Vulnerability Exposing Phone Numbers Linked to Google Accounts

Jun 10, 2025
Vulnerability / API Security

Google has acted to resolve a security flaw that could allow malicious actors to brute-force recovery phone numbers associated with Google accounts, potentially compromising user privacy and security. Singaporean security researcher “brutecat” identified that the vulnerability exploited a weakness in the company’s account recovery feature. The issue involved a now-obsolete version of the Google username recovery form (“accounts.google[.]com/signin/usernamerecovery”) that lacked sufficient anti-abuse measures to limit excessive requests. This page allows users to check if a recovery email or phone number is linked to a specific display name (e.g., “John Smith”). By bypassing the CAPTCHA rate limits, attackers could rapidly test various permutations of a Google account’s phone number, leading to possible exploitation.

Security Flaw Discovered in Google Account Recovery Process Exposes User Privacy On June 10, 2025, a significant security vulnerability was identified in Google’s account recovery system, raising concerns about potential risks to user privacy and security. The flaw, discovered by Singaporean security researcher known as “brutecat,” allows for the brute-force…

Read More

Researcher Uncovers Vulnerability Exposing Phone Numbers Linked to Google Accounts

Jun 10, 2025
Vulnerability / API Security

Google has acted to resolve a security flaw that could allow malicious actors to brute-force recovery phone numbers associated with Google accounts, potentially compromising user privacy and security. Singaporean security researcher “brutecat” identified that the vulnerability exploited a weakness in the company’s account recovery feature. The issue involved a now-obsolete version of the Google username recovery form (“accounts.google[.]com/signin/usernamerecovery”) that lacked sufficient anti-abuse measures to limit excessive requests. This page allows users to check if a recovery email or phone number is linked to a specific display name (e.g., “John Smith”). By bypassing the CAPTCHA rate limits, attackers could rapidly test various permutations of a Google account’s phone number, leading to possible exploitation.

Beware the ZIP File: Phishers Exploit .ZIP Domains to Deceive Victims

May 29, 2023
Cyber Threat / Online Security

A new phishing technique dubbed “file archiver in the browser” is being used to imitate file archiver software, such as WinRAR, within web browsers when victims visit a .ZIP domain. Security researcher mr.d0x revealed that this phishing attack involves creating a realistic landing page using HTML and CSS to mimic genuine file archive software, hosted on a .ZIP domain to enhance its legitimacy.

In a typical attack, cybercriminals can redirect users to a credential theft page when they click on a file that appears to be included within the fake ZIP archive. Another alarming tactic involves listing a harmless non-executable file, only for the actual download to be an executable file instead, as noted by mr.d0x…

Beware of ZIP Files: New Phishing Technique Exploited via .ZIP Domains In recent developments, a concerning phishing tactic has emerged, leveraging a method referred to as “file archiver in the browser.” This approach mimics the functionality of legitimate file archiving software within a web browser, specifically when users navigate to…

Read More

Beware the ZIP File: Phishers Exploit .ZIP Domains to Deceive Victims

May 29, 2023
Cyber Threat / Online Security

A new phishing technique dubbed “file archiver in the browser” is being used to imitate file archiver software, such as WinRAR, within web browsers when victims visit a .ZIP domain. Security researcher mr.d0x revealed that this phishing attack involves creating a realistic landing page using HTML and CSS to mimic genuine file archive software, hosted on a .ZIP domain to enhance its legitimacy.

In a typical attack, cybercriminals can redirect users to a credential theft page when they click on a file that appears to be included within the fake ZIP archive. Another alarming tactic involves listing a harmless non-executable file, only for the actual download to be an executable file instead, as noted by mr.d0x…

Netskope’s IPO Filing Shows Soaring Sales and Reduced Losses

AI-Powered SASE, Governance & Risk Management, Security Service Edge (SSE) Netskope Files for Second Cybersecurity IPO of 2025, Emphasizing Channel Partnership Dependency Michael Novinson (MichaelNovinson) • August 22, 2025 Sanjay Beri, Netskope co-founder and CEO (Image: Netskope) Netskope has marked its position as the second cybersecurity entity to initiate an…

Read MoreNetskope’s IPO Filing Shows Soaring Sales and Reduced Losses

The Role of Third Parties and Machine Credentials in 2025’s Major Data Breaches

May 06, 2025
AI Security / Enterprise IT

In the 2025 Verizon Data Breach Investigations Report (DBIR), it wasn’t just ransomware or zero-day exploits that caught attention; rather, it was the underlying factors that enabled these incidents. Two significant contributors to this year’s most severe breaches emerged: third-party vulnerabilities and machine credential misuse. The report revealed that third-party involvement in breaches surged from 15% to 30% year-over-year. Simultaneously, cybercriminals increasingly leveraged machine credentials and unmanaged machine accounts to infiltrate systems, escalate privileges, and steal sensitive data. The takeaway is clear: protecting only employee accounts is no longer sufficient. To effectively combat modern threats, organizations must implement a comprehensive security strategy that encompasses all identities—human, non-employee, and machine.

The Escalating Threat of Third-Party Risks
Today’s enterprises operate within a complex network of partnerships, including contractors, vendors, and more.

Third Parties and Machine Credentials: Key Contributors to 2025’s Security Breaches May 06, 2025 AI Security / Enterprise IT The 2025 Verizon Data Breach Investigations Report (DBIR) revealed that the most pressing issues in this year’s data breaches weren’t the sensational headlines of ransomware attacks or zero-day vulnerabilities, but rather…

Read More

The Role of Third Parties and Machine Credentials in 2025’s Major Data Breaches

May 06, 2025
AI Security / Enterprise IT

In the 2025 Verizon Data Breach Investigations Report (DBIR), it wasn’t just ransomware or zero-day exploits that caught attention; rather, it was the underlying factors that enabled these incidents. Two significant contributors to this year’s most severe breaches emerged: third-party vulnerabilities and machine credential misuse. The report revealed that third-party involvement in breaches surged from 15% to 30% year-over-year. Simultaneously, cybercriminals increasingly leveraged machine credentials and unmanaged machine accounts to infiltrate systems, escalate privileges, and steal sensitive data. The takeaway is clear: protecting only employee accounts is no longer sufficient. To effectively combat modern threats, organizations must implement a comprehensive security strategy that encompasses all identities—human, non-employee, and machine.

The Escalating Threat of Third-Party Risks
Today’s enterprises operate within a complex network of partnerships, including contractors, vendors, and more.

African Authorities Break Up Major Cybercrime and Fraud Rings, Seize Millions – DataBreaches.Net

INTERPOL’s Operation Results in 1,209 Arrests in Cybercrime Crackdown LYON, France – A coordinated effort by INTERPOL, dubbed Operation Serengeti 2.0, has led to the arrest of 1,209 cybercriminals across Africa, targeting nearly 88,000 victims. This extensive operation highlights the pervasive nature of cybercrime and emphasizes the necessity for international…

Read MoreAfrican Authorities Break Up Major Cybercrime and Fraud Rings, Seize Millions – DataBreaches.Net

Title: Over 20 Configuration Vulnerabilities Discovered in Salesforce Industry Cloud, Including Five CVEs

Date: June 10, 2025
Category: Vulnerability / SaaS Security

Cybersecurity experts have identified more than 20 configuration vulnerabilities within Salesforce Industry Cloud (formerly known as Salesforce Industries), potentially exposing sensitive data to unauthorized users. These vulnerabilities impact key components such as FlexCards, Data Mappers, Integration Procedures (IProcs), Data Packs, OmniOut, and OmniScript Saved Sessions. “While low-code platforms like Salesforce Industry Cloud simplify application development, neglecting security measures can lead to significant risks,” said Aaron Costello, Chief of SaaS Security Research at AppOmni, in a statement to The Hacker News. If not mitigated, these misconfigurations may enable cybercriminals and unauthorized individuals to access encrypted sensitive information about employees and customers, session data reflecting user interactions with Salesforce Industry Cloud, credentials for Salesforce and other corporate systems, and critical business logic. Following a responsible disclosure process, more information is anticipated.

Cybersecurity Researchers Identify Over 20 Configuration Vulnerabilities in Salesforce Industry Cloud June 10, 2025 Recent investigations by cybersecurity experts have revealed more than 20 configuration vulnerabilities within Salesforce Industry Cloud, also known as Salesforce Industries. These security weaknesses pose significant risks, as they could potentially expose sensitive data to unauthorized…

Read More

Title: Over 20 Configuration Vulnerabilities Discovered in Salesforce Industry Cloud, Including Five CVEs

Date: June 10, 2025
Category: Vulnerability / SaaS Security

Cybersecurity experts have identified more than 20 configuration vulnerabilities within Salesforce Industry Cloud (formerly known as Salesforce Industries), potentially exposing sensitive data to unauthorized users. These vulnerabilities impact key components such as FlexCards, Data Mappers, Integration Procedures (IProcs), Data Packs, OmniOut, and OmniScript Saved Sessions. “While low-code platforms like Salesforce Industry Cloud simplify application development, neglecting security measures can lead to significant risks,” said Aaron Costello, Chief of SaaS Security Research at AppOmni, in a statement to The Hacker News. If not mitigated, these misconfigurations may enable cybercriminals and unauthorized individuals to access encrypted sensitive information about employees and customers, session data reflecting user interactions with Salesforce Industry Cloud, credentials for Salesforce and other corporate systems, and critical business logic. Following a responsible disclosure process, more information is anticipated.

Dark Pink APT Group Utilizes TelePowerBot and KamiKakaBot in Complex Campaigns

On May 31, 2023, it was reported that the Advanced Persistent Threat (APT) group known as Dark Pink has launched five new attacks targeting various organizations in Belgium, Brunei, Indonesia, Thailand, and Vietnam between February 2022 and April 2023. The targets include educational institutions, government agencies, military organizations, and non-profit entities, highlighting the group’s ongoing focus on high-value assets. Also referred to as the Saaiwc Group, Dark Pink is believed to originate from the Asia-Pacific region, primarily directing its attacks towards East Asia, with some activity observed in Europe. The group employs a variety of custom malware tools, including TelePowerBot and KamiKakaBot, to facilitate the exfiltration of sensitive data from compromised systems. “The group uses a range of sophisticated custom tools and deploys multiple kill chains, often leveraging spear-phishing emails,” noted Andrey Polovinkin, a security researcher at Group-IB, in a technical report.

Dark Pink APT Group Executes Targeted Attacks Using TelePowerBot and KamiKakaBot May 31, 2023 Recent cybersecurity analyses have revealed that the APT group known as Dark Pink has been involved in a series of five sophisticated cyber attacks across multiple countries, including Belgium, Brunei, Indonesia, Thailand, and Vietnam, from February…

Read More

Dark Pink APT Group Utilizes TelePowerBot and KamiKakaBot in Complex Campaigns

On May 31, 2023, it was reported that the Advanced Persistent Threat (APT) group known as Dark Pink has launched five new attacks targeting various organizations in Belgium, Brunei, Indonesia, Thailand, and Vietnam between February 2022 and April 2023. The targets include educational institutions, government agencies, military organizations, and non-profit entities, highlighting the group’s ongoing focus on high-value assets. Also referred to as the Saaiwc Group, Dark Pink is believed to originate from the Asia-Pacific region, primarily directing its attacks towards East Asia, with some activity observed in Europe. The group employs a variety of custom malware tools, including TelePowerBot and KamiKakaBot, to facilitate the exfiltration of sensitive data from compromised systems. “The group uses a range of sophisticated custom tools and deploys multiple kill chains, often leveraging spear-phishing emails,” noted Andrey Polovinkin, a security researcher at Group-IB, in a technical report.