The Breach News

Chinese Hackers Utilize CloudScout Toolset to Harvest Session Cookies from Cloud Services

Oct 28, 2024
Cloud Security / Cyber Attack

A Taiwan-based government entity and a religious organization have fallen victim to the China-linked threat actor known as Evasive Panda. This group employed an undocumented post-compromise toolset called CloudScout. According to ESET security researcher Anh Ho, “The CloudScout toolset can extract data from various cloud services by exploiting stolen web session cookies.” Integrated through a plugin, CloudScout operates in conjunction with MgBot, Evasive Panda’s primary malware framework. The .NET-based malware was detected between May 2022 and February 2023 and comprises 10 C# modules, three of which are specifically designed to steal data from Google Drive, Gmail, and Outlook, while the functions of the remaining modules are still unknown. Evasive Panda, also referred to as Bronze Highland, Daggerfly, and StormBamboo, is a cyber espionage group with a history of targeting various entities.

Chinese Hackers Exploit CloudScout Toolset to Steal Session Cookies from Cloud Services On October 28, 2024, reports surfaced highlighting the cyber operations of a China-linked threat actor known as Evasive Panda. This group targeted a governmental entity and a religious organization in Taiwan, deploying a previously undocumented post-compromise toolset identified…

Read More

Chinese Hackers Utilize CloudScout Toolset to Harvest Session Cookies from Cloud Services

Oct 28, 2024
Cloud Security / Cyber Attack

A Taiwan-based government entity and a religious organization have fallen victim to the China-linked threat actor known as Evasive Panda. This group employed an undocumented post-compromise toolset called CloudScout. According to ESET security researcher Anh Ho, “The CloudScout toolset can extract data from various cloud services by exploiting stolen web session cookies.” Integrated through a plugin, CloudScout operates in conjunction with MgBot, Evasive Panda’s primary malware framework. The .NET-based malware was detected between May 2022 and February 2023 and comprises 10 C# modules, three of which are specifically designed to steal data from Google Drive, Gmail, and Outlook, while the functions of the remaining modules are still unknown. Evasive Panda, also referred to as Bronze Highland, Daggerfly, and StormBamboo, is a cyber espionage group with a history of targeting various entities.

Unsolved Crime Wave Hits National Guard Equipment Locations

A series of previously unreported break-ins at Tennessee National Guard armories last fall highlights escalating security vulnerabilities across U.S. military facilities, igniting serious concerns over the susceptibility of these sites to theft and unauthorized access. Confidential information obtained from the Tennessee Fusion Center reveals that four break-ins occurred at various…

Read MoreUnsolved Crime Wave Hits National Guard Equipment Locations

Pediatric Practice and IT Vendor Reach $5.15M Settlement in Breach Lawsuit

Data Privacy, Data Security, Fraud Management & Cybercrime More Than 918,000 Individuals Impacted by 2024 BianLian Data Theft Incident Marianne Kolbasuk McGee (HealthInfoSec) • August 11, 2025 Boston Children’s Health Physicians and its vendor ATSG have reached a settlement in a class action lawsuit linked to a data breach in…

Read MorePediatric Practice and IT Vendor Reach $5.15M Settlement in Breach Lawsuit

Rethinking Manufacturing Security: The Case Against Default Passwords

Date: July 7, 2025
Categories: IoT Security / Cyber Resilience

The recent breach by Iranian hackers at U.S. water facilities serves as a stark reminder of the vulnerabilities lurking within our systems. Though they only accessed a single pressure station serving 7,000 residents, their method was alarmingly simple: they exploited the factory-set password “1111.” This incident highlights a pressing issue that the Cybersecurity and Infrastructure Security Agency (CISA) has been vocal about— the urgent need for manufacturers to eliminate default credentials, which have consistently proven to be a major security flaw.

As we await improved security protocols from manufacturers, the onus is on IT teams to take action. Whether overseeing critical infrastructure or standard business networks, allowing unchanged default passwords creates an open invitation for cyber attackers. This article explores why default passwords remain widespread, the business and technical implications they carry, and the steps manufacturers must take to enhance security measures.

Manufacturing Security: The Necessity of Eliminating Default Passwords On July 7, 2025, the cybersecurity landscape faced renewed scrutiny following a breach at U.S. water facilities orchestrated by Iranian hackers. While the attack resulted in the hackers gaining control over a single pressure station servicing approximately 7,000 individuals, it highlighted a…

Read More

Rethinking Manufacturing Security: The Case Against Default Passwords

Date: July 7, 2025
Categories: IoT Security / Cyber Resilience

The recent breach by Iranian hackers at U.S. water facilities serves as a stark reminder of the vulnerabilities lurking within our systems. Though they only accessed a single pressure station serving 7,000 residents, their method was alarmingly simple: they exploited the factory-set password “1111.” This incident highlights a pressing issue that the Cybersecurity and Infrastructure Security Agency (CISA) has been vocal about— the urgent need for manufacturers to eliminate default credentials, which have consistently proven to be a major security flaw.

As we await improved security protocols from manufacturers, the onus is on IT teams to take action. Whether overseeing critical infrastructure or standard business networks, allowing unchanged default passwords creates an open invitation for cyber attackers. This article explores why default passwords remain widespread, the business and technical implications they carry, and the steps manufacturers must take to enhance security measures.

How to Claim Your Share of the $177 Million AT&T Data Breach Settlement – PCMag

Title: Navigating the AT&T Data Breach Settlement: What Business Owners Need to Know In recent developments, AT&T has reached a landmark settlement of $177 million related to a significant data breach that exposed sensitive customer information. This breach, which primarily affected customers who had entrusted their data to AT&T, underscores…

Read MoreHow to Claim Your Share of the $177 Million AT&T Data Breach Settlement – PCMag

CISA Adds Four High-Risk Vulnerabilities to KEV Catalog Amid Ongoing Exploitation

July 8, 2025
Cyber Attacks / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included four critical vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation. The identified vulnerabilities are as follows:

  • CVE-2014-3931 (CVSS score: 9.8): A buffer overflow flaw in Multi-Router Looking Glass (MRLG) allowing remote attackers to perform arbitrary memory writes and cause memory corruption.
  • CVE-2016-10033 (CVSS score: 9.8): A command injection vulnerability in PHPMailer enabling attackers to execute arbitrary code within the application or trigger a denial-of-service (DoS) condition.
  • CVE-2019-5418 (CVSS score: 7.5): A path traversal vulnerability in Ruby on Rails’ Action View that may expose the contents of arbitrary files on the target system’s filesystem.
  • CVE-2019-9621 (CVSS score: 7.5): A Server-Side Request Forgery (SSRF) vulnerability in the Zimbra Collaboration Suite that could…

CISA Expands KEV Catalog with Four Newly Identified Vulnerabilities Amid Active Exploitation On July 8, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the addition of four critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This update comes in response to new evidence indicating that these vulnerabilities…

Read More

CISA Adds Four High-Risk Vulnerabilities to KEV Catalog Amid Ongoing Exploitation

July 8, 2025
Cyber Attacks / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included four critical vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation. The identified vulnerabilities are as follows:

  • CVE-2014-3931 (CVSS score: 9.8): A buffer overflow flaw in Multi-Router Looking Glass (MRLG) allowing remote attackers to perform arbitrary memory writes and cause memory corruption.
  • CVE-2016-10033 (CVSS score: 9.8): A command injection vulnerability in PHPMailer enabling attackers to execute arbitrary code within the application or trigger a denial-of-service (DoS) condition.
  • CVE-2019-5418 (CVSS score: 7.5): A path traversal vulnerability in Ruby on Rails’ Action View that may expose the contents of arbitrary files on the target system’s filesystem.
  • CVE-2019-9621 (CVSS score: 7.5): A Server-Side Request Forgery (SSRF) vulnerability in the Zimbra Collaboration Suite that could…

North Korean Group Partners with Play Ransomware in Major Cyber Attack

Oct 30, 2024
Ransomware / Threat Intelligence

Threat actors associated with North Korea have been linked to a recent cyber incident involving the notorious Play ransomware, highlighting their financial motives. This activity, which took place between May and September 2024, is connected to a group known as Jumpy Pisces, also referred to as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (previously Plutonium), Operation Troy, Silent Chollima, and Stonefly. According to a new report from Palo Alto Networks’ Unit 42, “We have moderate confidence that Jumpy Pisces, or a segment of this group, is now collaborating with the Play ransomware collective.” This incident is particularly significant as it represents the first documented partnership between the Jumpy Pisces North Korean state-sponsored group and an underground ransomware operation. Active since at least 2009, Andariel is associated with North Korea’s Reconnaissance General Bureau (RGB) and has a history of deploying various cyber tactics.

Significant Cyber Attack Involves North Korean Collaboration with Play Ransomware Group October 30, 2024 In a notable development in the realm of cybersecurity, threat actors associated with North Korea have been identified as key players in a recent attack utilizing the Play ransomware variant. This collaboration highlights the increasing intersection…

Read More

North Korean Group Partners with Play Ransomware in Major Cyber Attack

Oct 30, 2024
Ransomware / Threat Intelligence

Threat actors associated with North Korea have been linked to a recent cyber incident involving the notorious Play ransomware, highlighting their financial motives. This activity, which took place between May and September 2024, is connected to a group known as Jumpy Pisces, also referred to as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (previously Plutonium), Operation Troy, Silent Chollima, and Stonefly. According to a new report from Palo Alto Networks’ Unit 42, “We have moderate confidence that Jumpy Pisces, or a segment of this group, is now collaborating with the Play ransomware collective.” This incident is particularly significant as it represents the first documented partnership between the Jumpy Pisces North Korean state-sponsored group and an underground ransomware operation. Active since at least 2009, Andariel is associated with North Korea’s Reconnaissance General Bureau (RGB) and has a history of deploying various cyber tactics.

Critical WinRAR 0-Day Vulnerability Exploited for Weeks by Two Groups

In recent reports, cybersecurity firm BI.ZONE disclosed that the threat actor known as Paper Werewolf has launched a series of attacks leveraging exploits delivered via email attachments. These emails masqueraded as communications from employees at the All-Russian Research Institute, with the malicious aim of installing malware to gain unauthorized access…

Read MoreCritical WinRAR 0-Day Vulnerability Exploited for Weeks by Two Groups

Dutch Investigators Attribute Hacks to Multiple Threat Actors

Critical Infrastructure Security, Cybercrime, Fraud Management & Cybercrime NCSC-NL Reports Citrix NetScaler Vulnerability Targeted Critical Infrastructure Akshaya Asokan (asokan_akshaya) • August 11, 2025 Dutch authorities indicate a suspected Russian hacking campaign utilized multiple groups to exploit a flaw in Citrix NetScaler, targeting the nation’s law enforcement network. (Image: Shutterstock) The…

Read MoreDutch Investigators Attribute Hacks to Multiple Threat Actors