The Breach News

China-Linked Cyber Espionage Group Targets Over 70 Organizations Across Diverse Sectors

June 9, 2025
Government Security / Cyber Espionage

Recent reconnaissance efforts against American cybersecurity firm SentinelOne are part of a larger wave of intrusions affecting various targets between July 2024 and March 2025. “The victims include a South Asian government agency, a European media outlet, and over 70 organizations spanning numerous sectors,” noted SentinelOne security researchers Aleksandar Milenkoski and Tom Hegel in a recent report. Affected sectors include manufacturing, government, finance, telecommunications, and research. Notably, an IT services and logistics firm was compromised while managing equipment logistics for SentinelOne staff during the breach in early 2025. This malicious activity has been confidently linked to threat actors associated with China, with some attacks attributed to a cluster known as PurpleHaze, which overlaps with recognized Chinese cyber espionage groups labeled APT15.

Over 70 Organizations Affected by Cyber Espionage Linked to China June 9, 2025 Government Security / Cyber Espionage A recent report has unveiled significant cyber espionage activities against a diverse range of organizations, orchestrated by a group with ties to China. This campaign, which targeted over 70 entities across various…

Read More

China-Linked Cyber Espionage Group Targets Over 70 Organizations Across Diverse Sectors

June 9, 2025
Government Security / Cyber Espionage

Recent reconnaissance efforts against American cybersecurity firm SentinelOne are part of a larger wave of intrusions affecting various targets between July 2024 and March 2025. “The victims include a South Asian government agency, a European media outlet, and over 70 organizations spanning numerous sectors,” noted SentinelOne security researchers Aleksandar Milenkoski and Tom Hegel in a recent report. Affected sectors include manufacturing, government, finance, telecommunications, and research. Notably, an IT services and logistics firm was compromised while managing equipment logistics for SentinelOne staff during the breach in early 2025. This malicious activity has been confidently linked to threat actors associated with China, with some attacks attributed to a cluster known as PurpleHaze, which overlaps with recognized Chinese cyber espionage groups labeled APT15.

Mustang Panda Hackers from China Target TP-Link Routers for Ongoing Attacks

May 16, 2023
Network Security / Threat Intelligence

The Chinese state-sponsored group known as Mustang Panda has been connected to a series of sophisticated, targeted attacks aimed at European foreign affairs entities since January 2023. According to researchers Itay Cohen and Radoslaw Madej from Check Point, these intrusions involve a custom firmware implant specifically designed for TP-Link routers. This implant includes several malicious components, featuring a custom backdoor dubbed “Horse Shell” that allows attackers to maintain persistent access, establish anonymous infrastructure, and facilitate lateral movement within compromised networks. Furthermore, the implant’s firmware-agnostic design enables its components to be integrated into various firmware from different vendors. The Israeli cybersecurity firm is monitoring this threat group, also known as Camaro Dragon, along with other aliases such as BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich.

Mustang Panda Hackers Target European Foreign Affairs with TP-Link Router Exploit On May 16, 2023, it was reported that the Chinese state-sponsored hacking group, known as Mustang Panda, has orchestrated a series of sophisticated and targeted attacks against European foreign affairs organizations since January 2023. This alarming development highlights the…

Read More

Mustang Panda Hackers from China Target TP-Link Routers for Ongoing Attacks

May 16, 2023
Network Security / Threat Intelligence

The Chinese state-sponsored group known as Mustang Panda has been connected to a series of sophisticated, targeted attacks aimed at European foreign affairs entities since January 2023. According to researchers Itay Cohen and Radoslaw Madej from Check Point, these intrusions involve a custom firmware implant specifically designed for TP-Link routers. This implant includes several malicious components, featuring a custom backdoor dubbed “Horse Shell” that allows attackers to maintain persistent access, establish anonymous infrastructure, and facilitate lateral movement within compromised networks. Furthermore, the implant’s firmware-agnostic design enables its components to be integrated into various firmware from different vendors. The Israeli cybersecurity firm is monitoring this threat group, also known as Camaro Dragon, along with other aliases such as BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich.

Michigan Rural Health System Alerts 140,000 of Cybersecurity Breach

Data Breach Notification, Data Security, Fraud Management & Cybercrime Threat Actors Breached a Rural Michigan Health System for Approximately Two Months; BianLian Claims Responsibility Marianne Kolbasuk McGee (HealthInfoSec) • August 22, 2025 Image: Aspire Rural Health System A rural health system in Michigan has reported a significant data breach affecting…

Read MoreMichigan Rural Health System Alerts 140,000 of Cybersecurity Breach

Commvault Acknowledges Zero-Day Exploitation of CVE-2025-3928 by Hackers in Azure Incident

May 01, 2025
Zero-Day / Threat Intelligence

Commvault, an enterprise data backup platform, has confirmed that a nation-state threat actor compromised its Microsoft Azure environment by exploiting the zero-day vulnerability CVE-2025-3928. However, the company reassured that there is no evidence of unauthorized access to customer data. “The incident has impacted a limited number of customers shared with Microsoft, and we are providing them with support,” Commvault stated in its update. They emphasized that customer backup data remains secure, with no significant effects on business operations or service delivery. According to an advisory issued on March 7, 2025, Commvault was alerted by Microsoft on February 20 regarding unauthorized activities, and has since rotated affected credentials and strengthened security measures. This disclosure follows recent reports from the U.S. Cybersecurity…

Commvault Confirms Breach Linked to CVE-2025-3928 Exploitation in Azure Environment May 1, 2025 Threat Intelligence Commvault, a leader in enterprise data backup solutions, has disclosed that its Microsoft Azure environment was compromised by an unidentified nation-state threat actor exploiting the recently identified vulnerability, CVE-2025-3928. In a statement, the company assured…

Read More

Commvault Acknowledges Zero-Day Exploitation of CVE-2025-3928 by Hackers in Azure Incident

May 01, 2025
Zero-Day / Threat Intelligence

Commvault, an enterprise data backup platform, has confirmed that a nation-state threat actor compromised its Microsoft Azure environment by exploiting the zero-day vulnerability CVE-2025-3928. However, the company reassured that there is no evidence of unauthorized access to customer data. “The incident has impacted a limited number of customers shared with Microsoft, and we are providing them with support,” Commvault stated in its update. They emphasized that customer backup data remains secure, with no significant effects on business operations or service delivery. According to an advisory issued on March 7, 2025, Commvault was alerted by Microsoft on February 20 regarding unauthorized activities, and has since rotated affected credentials and strengthened security measures. This disclosure follows recent reports from the U.S. Cybersecurity…

Computer Merchant Data Breach Reveals SSNs; Legal Actions Underway

The Computer Merchant Data Breach: Lawsuit Investigation Attorneys associated with ClassAction.org are currently investigating the possibility of initiating a class action lawsuit in response to The Computer Merchant data breach. In the context of this investigation, they seek to connect with individuals who received notifications indicating that their information was…

Read MoreComputer Merchant Data Breach Reveals SSNs; Legal Actions Underway

CISA Includes Erlang SSH and Roundcube Vulnerabilities in Known Exploited Threats Catalog

On June 10, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two significant security vulnerabilities affecting Erlang/Open Telecom Platform (OTP) SSH and Roundcube to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. The identified vulnerabilities are:

  • CVE-2025-32433 (CVSS score: 10.0): A critical missing authentication flaw in the Erlang/OTP SSH server that could enable an attacker to execute arbitrary commands without proper credentials, potentially leading to unauthenticated remote code execution. (Patched in April 2025 in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20)

  • CVE-2024-42009 (CVSS score: 9.3): A cross-site scripting (XSS) vulnerability in RoundCube Webmail that may allow a remote attacker to compromise a victim’s email account by exploiting a desanitization flaw in program/actions/mail/show.php. (Fixed in August 2024 in versions 1.6…)

CISA Updates KEV Catalog with Critical Vulnerabilities in Erlang SSH and Roundcube On June 10, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the addition of two significant vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, both of which are currently being actively exploited. These vulnerabilities pertain to…

Read More

CISA Includes Erlang SSH and Roundcube Vulnerabilities in Known Exploited Threats Catalog

On June 10, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two significant security vulnerabilities affecting Erlang/Open Telecom Platform (OTP) SSH and Roundcube to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. The identified vulnerabilities are:

  • CVE-2025-32433 (CVSS score: 10.0): A critical missing authentication flaw in the Erlang/OTP SSH server that could enable an attacker to execute arbitrary commands without proper credentials, potentially leading to unauthenticated remote code execution. (Patched in April 2025 in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20)

  • CVE-2024-42009 (CVSS score: 9.3): A cross-site scripting (XSS) vulnerability in RoundCube Webmail that may allow a remote attacker to compromise a victim’s email account by exploiting a desanitization flaw in program/actions/mail/show.php. (Fixed in August 2024 in versions 1.6…)

Rising China-Taiwan Tensions Ignite Sharp Increase in Cyber Attacks

May 18, 2023
Cyber Warfare / Threat Intelligence

Recent geopolitical strains between China and Taiwan have led to a significant rise in cyber attacks targeting the island nation. According to a report from the Trellix Advanced Research Center, “The conflict stemming from China’s claim over Taiwan, combined with Taiwan’s push for independence, has resulted in a troubling escalation of cyber threats.” These attacks, aimed at various sectors, primarily focus on deploying malware and stealing sensitive data. The cybersecurity firm noted a staggering four-fold increase in malicious emails between April 7 and April 10, 2023, with sectors such as networking, manufacturing, and logistics being particularly affected. Following this surge, the region saw a 15x spike in PlugX detections between April 10 and April 12, 2023.

Rising China-Taiwan Tensions Ignite Surge in Cyber Attacks May 18, 2023 Recent months have witnessed a significant escalation in tensions between China and Taiwan, resulting in a marked increase in cyber attacks aimed at the East Asian island nation. According to a new report from the Trellix Advanced Research Center,…

Read More

Rising China-Taiwan Tensions Ignite Sharp Increase in Cyber Attacks

May 18, 2023
Cyber Warfare / Threat Intelligence

Recent geopolitical strains between China and Taiwan have led to a significant rise in cyber attacks targeting the island nation. According to a report from the Trellix Advanced Research Center, “The conflict stemming from China’s claim over Taiwan, combined with Taiwan’s push for independence, has resulted in a troubling escalation of cyber threats.” These attacks, aimed at various sectors, primarily focus on deploying malware and stealing sensitive data. The cybersecurity firm noted a staggering four-fold increase in malicious emails between April 7 and April 10, 2023, with sectors such as networking, manufacturing, and logistics being particularly affected. Following this surge, the region saw a 15x spike in PlugX detections between April 10 and April 12, 2023.

CISA Requests Feedback on SBOM Updates to Address Real-World Gaps

Software Bill of Materials (SBOM), Standards, Regulations & Compliance US Cyber Defense Agency Advocates for Automation and Machine-Readable SBOMs Chris Riotta (@chrisriotta) • August 22, 2025 Image: CISA The Cybersecurity and Infrastructure Security Agency (CISA) is intensifying efforts to develop Software Bills of Materials (SBOMs) as part of its new…

Read MoreCISA Requests Feedback on SBOM Updates to Address Real-World Gaps

U.S. Charges Yemeni Hacker in Black Kingdom Ransomware Attack Affecting 1,500 Systems

May 03, 2025
Cybercrime / Malware

The U.S. Department of Justice (DoJ) announced charges against Rami Khaled Ahmed, a 36-year-old Yemeni national, for allegedly deploying the Black Kingdom ransomware against numerous global targets, including businesses, schools, and hospitals in the United States. Ahmed, currently believed to be residing in Sana’a, Yemen, faces charges of conspiracy, intentional damage to a protected computer, and threatening damage to a protected computer.

According to the DoJ, from March 2021 to June 2023, Ahmed and accomplices compromised the computer networks of several U.S.-based victims, including a medical billing service in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin. Ahmed is accused of creating and launching the ransomware by exploiting a known vulnerability in Microsoft Exchange Server referred to as ProxyLogon. The ransomware operation involved encrypting data from targeted systems…

U.S. Charges Yemeni Hacker Linked to Black Kingdom Ransomware Affecting 1,500 Systems On May 3, 2025, the U.S. Department of Justice (DoJ) revealed charges against Rami Khaled Ahmed, a 36-year-old national from Yemen, for allegedly deploying the notorious Black Kingdom ransomware. This malicious software targeted a wide array of entities…

Read More

U.S. Charges Yemeni Hacker in Black Kingdom Ransomware Attack Affecting 1,500 Systems

May 03, 2025
Cybercrime / Malware

The U.S. Department of Justice (DoJ) announced charges against Rami Khaled Ahmed, a 36-year-old Yemeni national, for allegedly deploying the Black Kingdom ransomware against numerous global targets, including businesses, schools, and hospitals in the United States. Ahmed, currently believed to be residing in Sana’a, Yemen, faces charges of conspiracy, intentional damage to a protected computer, and threatening damage to a protected computer.

According to the DoJ, from March 2021 to June 2023, Ahmed and accomplices compromised the computer networks of several U.S.-based victims, including a medical billing service in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin. Ahmed is accused of creating and launching the ransomware by exploiting a known vulnerability in Microsoft Exchange Server referred to as ProxyLogon. The ransomware operation involved encrypting data from targeted systems…