reuters.com - Bleach maker Clorox said Tuesday that it has sued information technology provider Cognizant over a devastating 2023 cyberattack, alleging the hackers gained access by asking the tech company's staff for its employees' passwords.

WASHINGTON, July 22 (Reuters) - Bleach maker Clorox (CLX.N), opens new tab said Tuesday that it has sued information technology provider Cognizant (CTSH.O), opens new tab over a devastating 2023 cyberattack, alleging the hackers gained access by asking the tech company's staff for its employees' passwords.
Clorox was one of several major companies hit in August 2023 by the hacking group dubbed Scattered Spider, which specializes in tricking IT help desks into handing over credentials and then using that access to lock them up for ransom.

The group is often described as unusually sophisticated and persistent, but in a case filed in California state court on Tuesday, Clorox said one of Scattered Spider's hackers was able to repeatedly steal employees' passwords simply by asking for them.
"Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques," according to a copy of the lawsuit, opens new tab reviewed by Reuters. "The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials right over."
Cognizant, in an emailed statement, pushed back, saying it did not manage cybersecurity for Clorox and it was only hired for limited help desk services.

An unsecured server has exposed hundreds of millions of detailed records on Swedish citizens and companies, offering a data goldmine for anyone who stumbles on it.

A misconfigured Elasticsearch server has exposed a goldmine of business intelligence data with hundreds of millions of highly detailed records tied to Swedish individuals and organizations.

Cybernews researchers identified the unsecured database, which did not require any authentication and was fully accessible to the public internet.

The leaked data consisted of over 100 million records dated from 2019 to 2024, spread across 25 separate indices, with some datasets ballooning to more than 200GB in size.

What was leaked?
Many leaked records contained highly sensitive personal and organizational information, including:

Full legal names, including history of previous names
Swedish personal identity numbers
Date of birth and gender
Address history, both in Sweden and abroad
Civil status and information about deceased individuals
Foreign addresses for emigrants
Debt records, payment remarks, bankruptcy history, property ownership indicators
Income tax data spanning several years (2019–2023)
Activity and event logs (including income statement submissions, migration status, and address updates)

UpGuard discovered an unauthenticated Elasticsearch database containing 22 million records of user traffic for hacking forum leakzone.net.

On Friday, July 18 UpGuard discovered an unauthenticated Elasticsearch database containing about 22 million objects. Each of the objects was a record of a web request containing the domain to which the request was sent, the user’s IP address, and metadata like their location and internet provider. In this case, 95% of the requests were sent to leakzone.net, a “leaking and cracking forum” in the tradition of Raid Forums. This sizeable data set can thus give us an inside view of visitor activity to a very active website used for the distribution of hacking tools, exploits, and compromised accounts.

About Leakzone
Leakzone is part of a long line of forum sites that trade in illicit cyber materials like lists of usernames and passwords, pornography collections, and hacking tools. While law enforcement has shut down many other clearweb leak sites in that time period– the original Raid Forums was seized in 2022, and the founder of its replacement, Breach Forums, was arrested in 2023–Leakzone has survived. Archive.org shows the site beginning to take off in the second half of 2020 and continuing on to the present.

Attribution
On initial inspection of the exposed data, we saw that “leakzone.net” was mentioned very frequently in the “domain” field of the database schema. After downloading the available data, we were able to confirm that 95% of records named leakzone.net, making this data almost entirely about traffic to that site. The second most common domain, mentioned in 2.7% of records, was accountbot.io, a site for selling compromised accounts. In all, there are 281 unique values, though the other sites have only a fraction of the traffic and include mainstream sports and news sites– unaffiliated sites that may have been mentioned in the logs as part of redirects from Leakzone.
...
Significance
The IP addresses, and what they tell us about visitors to Leakzone and its ilk, are the most interesting part of the collection. GDPR even classifies client IP addresses as PII because of their utility for identifying a person across web properties.

Public Proxies
The data set contained 185k unique IP addresses– more than Leakzone’s entire user base of 109k, which certainly wouldn’t have all been using the site during this time period. (If they had 100% of their users active during a three week period they would be the most successful website of all time). The most likely explanation for the number of unique IPs is that some users were routing traffic through servers with dynamic IP addresses to hide their real IP addresses.

theregister.com - Under oath in French Senate, exec says it would be compelled – however unlikely – to pass local customer info to US admin

Microsoft says it "cannot guarantee" data sovereignty to customers in France – and by implication the wider European Union – should the Trump administration demand access to customer information held on its servers.

The Cloud Act is a law that gives the US government authority to obtain digital data held by US-based tech corporations irrespective of whether that data is stored on servers at home or on foreign soil. It is said to compel these companies, via warrant or subpoena, to accept the request.

Talking on June 18 before a Senate inquiry into public procurement and the role it plays in European digital sovereignty, Microsoft France's Anton Carniaux, director of public and legal affairs, along with Pierre Lagarde, technical director of the public sector, were quizzed by local politicians.

Asked of any technical or legal mechanisms that could prevent this access under the Cloud Act, Carniaux said it had "contractually committed to our clients, including those in the public sector, to resist these requests when they are unfounded."

"We have implemented a very rigorous system, initiated during the Obama era by legal actions against requests from the authorities, which allows us to obtain concessions from the American government. We begin by analyzing very precisely the validity of a request and reject it if it is unfounded."

He said that Microsoft asks the US administration to redirect it to the client.

"When this proves impossible, we respond in extremely specific and limited cases. I would like to point out that the government cannot make requests that are not precisely defined."

Carniaux added: "If we must communicate, we ask to be able to notify the client concerned." He said that under the former Obama administration, Microsoft took cases to the US Supreme Court and as such ensured requests are "more focused, precise, justified and legally sound."

bleepingcomputer.com - Law enforcement has seized the dark web leak sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years.

The U.S. Department of Justice confirmed the takedown in an email earlier today, saying the authorities involved in the action executed a court-authorized seizure of the BlackSuit domains.

Earlier today, the websites on the BlackSuit .onion domains were replaced with seizure banners announcing that the ransomware gang's sites were taken down by the U.S. Homeland Security Investigations federal law enforcement agency as part of a joint international action codenamed Operation Checkmate.

"This site has been seized by U.S. Homeland Security Investigations as part of a coordinated international law enforcement investigation," the banner reads.

Other law enforcement authorities that joined this joint operation include the U.S. Secret Service, the Dutch National Police, the German State Criminal Police Office, the U.K. National Crime Agency, the Frankfurt General Prosecutor's Office, the Justice Department, the Ukrainian Cyber Police, Europol, and others.

Romanian cybersecurity company Bitdefender was also involved in the action, but a spokesperson has yet to reply after BleepingComputer reached out for more details earlier today.

Chaos ransomware rebrand
On Thursday, the Cisco Talos threat intelligence research group reported that it had found evidence suggesting the BlackSuit ransomware gang is likely to rebrand itself once again as Chaos ransomware.

"Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or operated by some of its former members," the researchers said.

"This assessment is based on the similarities in TTPs, including encryption commands, the theme and structure of the ransom note, and the use of LOLbins and RMM tools in their attacks."

BlackSuit started as Quantum ransomware in January 2022 and is believed to be a direct successor to the notorious Conti cybercrime syndicate. While they initially used encryptors from other gangs (such as ALPHV/BlackCat), they deployed their own Zeon encryptor soon after and rebranded as Royal ransomware in September 2022.

In June 2023, after targeting the City of Dallas, Texas, the Royal ransomware gang began working under the BlackSuit name, following the testing of a new encryptor called BlackSuit amid rumors of a rebranding.

CISA and the FBI first revealed in a November 2023 joint advisory that Royal and BlackSuit share similar tactics, while their encryptors exhibit obvious coding overlaps. The same advisory linked the Royal ransomware gang to attacks targeting over 350 organizations worldwide since September 2022, resulting in ransom demands exceeding $275 million.

The two agencies confirmed in August 2024 that the Royal ransomware had rebranded as BlackSuit and had demanded over $500 million from victims since surfacing more than two years prior.

microsoft.com - July 23, 2025 update – Expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603 leading to the deployment of Warlock ransomware. Based on new information, we have updated the Attribution, Indicators of compromise, extended and clarified Mitigation and protection guidance (including raising Step 6: Restart IIS for emphasis), Detections, and Hunting sections.

On July 19, 2025, Microsoft Security Response Center (MSRC) published a blog addressing active attacks against on-premises SharePoint servers that exploit CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability. These vulnerabilities affect on-premises SharePoint servers only and do not affect SharePoint Online in Microsoft 365. Microsoft has released new comprehensive security updates for all supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) that protect customers against these new vulnerabilities. Customers should apply these updates immediately to ensure they are protected.

These comprehensive security updates address newly disclosed security vulnerabilities in CVE-2025-53770 that are related to the previously disclosed vulnerability CVE-2025-49704. The updates also address the security bypass vulnerability CVE-2025-53771 for the previously disclosed CVE-2025-49706.

As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities to deploy ransomware. Investigations into other actors also using these exploits are still ongoing. With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems. This blog shares details of observed exploitation of CVE-2025-49706 and CVE-2025-49704 and the follow-on tactics, techniques, and procedures (TTPs) by threat actors. We will update this blog with more information as our investigation continues.

Microsoft recommends customers to use supported versions of on-premises SharePoint servers with the latest security updates. To stop unauthenticated attacks from exploiting this vulnerability, customers should also integrate and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or equivalent solutions) for all on-premises SharePoint deployments and configure AMSI to enable Full Mode as detailed in Mitigations section below. Customers should also rotate SharePoint server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or equivalent solutions.

Mitel phone firmware analysis lead to the discovery of two vulnerabilities (CVE-2025-47187 & CVE-2025-47188). Exploiting them leads to unauthenticated code execution on the phone itself.

While on an internal attack simulation engagement, a customer asked us: “Is an attacker able to listen in on our meeting room conversations?”. Motivated by this question, we scanned their internal network and discovered Mitel VoIP phone web management interfaces.

While playing around with the login functionality of the management interface, we accidentally rediscovered CVE-2020-13617 on our own - and since the phone firmware was old enough, it allowed us to leak memory in the failed login response. While we didn’t have enough time to analyze the phone during this engagement, my interest in the phone and its firmware did not vanish.

As part of the R&D team at InfoGuard Labs, I decided to take a closer look at the phone as a research project. This lead to the discovery of two new vulnerabilities:

CVE-2025-47188: Unauthenticated command injection vulnerability
CVE-2025-47187: Unauthenticated .wav file upload vulnerability
These vulnerabilities are present in Mitel 6800 Series, 6900 Series and 6900w Series SIP Phones, including the 6970 Conference Unit with firmware version R6.4.0.SP4 and earlier. Mitel has published the MISA-2025-0004 security advisory informing about these vulnerabilities, the affected devices as well as remediation measures.

Discover how NoName057(16) targeted 3,700+ hosts across Europe using its DDoSia platform. This in-depth report reveals multi-tiered C2 infrastructure, attack patterns, and strategic geopolitical motivations behind the hacktivist-led campaign.

BBC - Transport company KNP forced to shut down after international hacker gangs target thousands of UK businesses.
One password is believed to have been all it took for a ransomware gang to destroy a 158-year-old company and put 700 people out of work.

KNP - a Northamptonshire transport company - is just one of tens of thousands of UK businesses that have been hit by such attacks.

Big names such as M&S, Co-op and Harrods have all been attacked in recent months. The chief executive of Co-op confirmed last week that all 6.5 million of its members had had their data stolen.

In KNP's case, it's thought the hackers managed to gain entry to the computer system by guessing an employee's password, after which they encrypted the company's data and locked its internal systems.

KNP director Paul Abbott says he hasn't told the employee that their compromised password most likely led to the destruction of the company.

"Would you want to know if it was you?" he asks.

"We need organisations to take steps to secure their systems, to secure their businesses," says Richard Horne CEO of the National Cyber Security Centre (NCSC) - where Panorama has been given exclusive access to the team battling international ransomware gangs.

One small mistake
In 2023, KNP was running 500 lorries – most under the brand name Knights of Old.

The company said its IT complied with industry standards and it had taken out insurance against cyber-attack.

But a gang of hackers, known as Akira, got into the system leaving staff unable to access any of the data needed to run the business. The only way to get the data back, said the hackers, was to pay

clubic.com - L'administrateur russophone d'un des plus influents forums cybercriminels mondiaux, XSS.is, vient d'être arrêté. L'opération est le fruit d'une enquête franco-ukrainienne de longue haleine.
Les autorités ukrainiennes ont interpellé à Kiev, mardi 22 juillet, le cerveau présumé de XSS.is, une plateforme défavorablement réputée, puisque lieu incontournable de la cybercriminalité russophone. L'arrestation couronne une investigation française lancée il y a quatre ans maintenant, et qui révèle aujourd'hui l'ampleur considérable des gains amassés par l'administrateur du forum, estimés à sept millions d'euros.

XSS.is cachait 50 000 cybercriminels derrière ses serveurs chiffrés
Actif depuis 2013 tout de même, XSS.is, autrefois connu sous le nom de DaMaGeLab, constituait l'un des principaux carrefours de la cybercriminalité mondiale. La plateforme russophone rassemblait plus de 50 000 utilisateurs enregistrés, autrement dit un vrai supermarché du piratage informatique, même si beaucoup moins fréquenté que feu BreachForums, tombé en avril. Sur XSS.is, les malwares, les données personnelles et des accès à des systèmes compromis se négociaient dans l'ombre du dark web.

Le forum proposait aussi des services liés aux ransomwares, ces programmes malveillants qui bloquent les données d'un ordinateur jusqu'au paiement d'une rançon. Un serveur de messagerie chiffrée, « thesecure.biz », complétait l'arsenal en facilitant les échanges anonymes entre cybercriminels. L'infrastructure offrait ainsi un environnement sécurisé pour leurs activités illégales.

L'administrateur ne se contentait pas d'un rôle technique passif. Tel un chef d'orchestre du crime numérique, il arbitrait les disputes entre hackers et garantissait la sécurité des transactions frauduleuses. Un homme aux multiples casquettes, en somme. Toujours est-il que cette position centrale lui permettait de prélever des commissions substantielles sur chaque échange.

Une coopération internationale exemplaire, portée par la France
L'enquête préliminaire française, ouverte le 2 juillet 2021 par la section cybercriminalité du parquet de Paris, a mobilisé la Brigade de lutte contre la cybercriminalité. Les investigations ont révélé des bénéfices criminels d'au moins 7 millions d'euros, dévoilés grâce aux captations judiciaires effectuées sur les serveurs de messagerie.

Outre la France et les autorités ukrainiennes, Europol a joué un rôle déterminant dans cette opération d'envergure internationale. L'agence européenne a facilité la coordination complexe entre les autorités françaises et ukrainiennes, déployant même un bureau mobile à Kiev pour faciliter l'arrestation.

Voilà en tout cas une arrestation de plus contre les réseaux cybercriminels. Souvenez-vous, il y a quelques jours, les mêmes agences avaient déjà démantelé le groupe de hackers prorusses NoName057(16). Des succès successifs qui témoignent d'une intensification bienvenue dans la lutte contre les menaces et les hackers, alors que les cyberattaques se multiplient contre les infrastructures critiques européennes.

Unknown threat actors have breached the National Nuclear Security Administration's network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain.

NNSA is a semi-autonomous U.S. government agency part of the Energy Department that maintains the country's nuclear weapons stockpile and is also tasked with responding to nuclear and radiological emergencies within the United States and abroad.

A Department of Energy spokesperson confirmed in a statement that hackers gained access to NNSA networks last week.

"On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy, including the NNSA," Department of Energy Press Secretary Ben Dietderich told BleepingComputer. "The Department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems."

Dietderich added that only "a very small number of systems were impacted" and that "all impacted systems are being restored."

As first reported by Bloomberg, sources within the agency also noted that there's no evidence of sensitive or classified information compromised in the breach.

The APT29 Russian state-sponsored threat group, the hacking division of the Russian Foreign Intelligence Service (SVR), also breached the U.S. nuclear weapons agency in 2019 using a trojanized SolarWinds Orion update.
Attacks linked to Chinese state hackers, over 400 servers breached
On Tuesday, Microsoft and Google linked the widespread attacks targeting a Microsoft SharePoint zero-day vulnerability chain (known as ToolShell) to Chinese state-sponsored hacking groups.

"Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers," Microsoft said.

"In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing."

Dutch cybersecurity firm Eye Security first detected the zero-day attacks on Friday, stating that at least 54 organizations had already been compromised, including national government entities and multinational companies.

Cybersecurity firm Check Point later revealed that it had spotted signs of exploitation going back to July 7th targeting dozens of government, telecommunications, and technology organizations in North America and Western Europe.

bleepingcomputer.com -
npm has taken down all versions of the real Stylus library and replaced them with a "security holding" page, breaking pipelines and builds worldwide that rely on the package.

A security placeholder webpage is typically displayed when malicious packages and libraries are removed by the admins of npmjs.com, the world's largest software registry primarily used for JavaScript and Node.js development.

But that isn't quite the case for Stylus: a legitimate "revolutionary" library receiving 3 million weekly downloads and providing an expressive way for devs to generate CSS.

Stylus 'accidentally banned by npmjs'
As of a few hours ago, npmjs has removed all versions of the Stylus package and published a "security holding package" page in its place.
"Stylus was accidentally banned by npmjs," earlier stated Stylus developer Lei Chen in a GitHub issue. The project maintainer is "currently waiting for npmjs to restore access to Stylus."

"I am the current maintainer of Stylus. The Stylus library has been flagged as malicious..., which has caused many [libraries] and frameworks that depend on Stylus to fail to install," also posted Chen on X (formerly Twitter). "Please help me retweet this msg in the hope that the npmjs official team will take notice of this issue."

next.ink - France Travail a envoyé, mardi 22 juillet au soir, un courrier d'information à certains des usagers inscrits à son service, alertant d'un acte de cyber malveillance susceptible d'avoir entrainé la consultation illégitime de leurs données personnelles. Dans son email, que Next reproduit ci-dessous, l'ex Pole Emploi indique que la fuite est survenue au niveau « du portail emploi destiné à [ses] partenaires ».

Nom, prénom, adresses, téléphone et statut France Travail
L'agence affirme par ailleurs avoir immédiatement fermé le service concerné, lancé des analyses pour déterminer l'origine de l'attaque, et rempli ses obligations de signalement en informant la CNIL dès le 13 juillet, date de la découverte de cet incident.

« Les données compromises sont vos nom, prénom, adresses postale et électronique, numéro de téléphone, identifiant France Travail et statut (inscrit, radié). Vos données bancaires ou vos mots de passe ne sont pas concernés par cet incident », informe France Travail.

Comme toujours en de telles circonstances, l'agence invite les utilisateurs concernés à la prudence, notamment vis à vis des risques de phishing (hameçonnage).

Une application de suivi des formations mise en cause
Contactée par Next, la direction de France Travail apporte quelques précisions sur la nature de l'incident et surtout sur son périmètre. L'alerte est d'abord partie du CERT-FR de l'ANSSI, le 12 juillet. Son traitement a permis aux équipes internes de France Travail d'identifier le service par lequel est intervenue la fuite.

« Il s’agit de l’application Kairos permettant aux organismes de formation d'agir sur le suivi des formations des demandeurs d'emploi. Le service a été immédiatement fermé ainsi que tous les autres services hébergés sur le portail Emploi destiné à nos partenaires », explique France Travail. La fuite aurait été rendue possible grâce à la compromission, via un malware de type infostealer (logiciel spécialisé dans le vol d'informations personnelles) d'un compte utilisateur rattaché à un organisme de formation basé dans l'Isère.

bleepingcomputer.com - The Lumma infostealer malware operation is gradually resuming activities following a massive law enforcement operation in May, which resulted in the seizure of 2,300 domains and parts of its infrastructure.

Although the Lumma malware-as-a-service (MaaS) platform suffered significant disruption from the law enforcement action, as confirmed by early June reports on infostealer activity, it didn't shut down.

The operators immediately acknowledged the situation on XSS forums, but claimed that their central server had not been seized (although it had been remotely wiped), and restoration efforts were already underway.

Gradually, the MaaS built up again and regained trust within the cybercrime community, and is now facilitating infostealing operations on multiple platforms again.

According to Trend Micro analysts, Lumma has almost returned to pre-takedown activity levels, with the cybersecurity firm's telemetry indicating a rapid rebuilding of infrastructure.

"Following the law enforcement action against Lumma Stealer and its associated infrastructure, our team has observed clear signs of a resurgence in Lumma's operations," reads the Trend Micro report.

"Network telemetry indicates that Lumma's infrastructure began ramping up again within weeks of the takedown."

Weekend attacks compromised about 100 organisations
May hacker contest uncovered SharePoint weak spot
Initial Microsoft patch did not fully fix flaw

LONDON, July 22 (Reuters) - A security patch Microsoft (MSFT.O), opens new tab released this month failed to fully fix a critical flaw in the U.S. tech giant's SharePoint server software, opening the door to a sweeping global cyber espionage effort, a timeline reviewed by Reuters shows.
On Tuesday, a Microsoft spokesperson confirmed that its initial solution to the flaw, identified at a hacker competition in May, did not work, but added that it released further patches that resolved the issue.
It remains unclear who is behind the spy effort, which targeted about 100 organisations over the weekend, and is expected to spread as other hackers join the fray.
In a blog post Microsoft said two allegedly Chinese hacking groups, dubbed "Linen Typhoon" and "Violet Typhoon," were exploiting the weaknesses, along with a third, also based in China.
Microsoft and Alphabet's (GOOGL.O), opens new tab Google have said China-linked hackers were probably behind the first wave of hacks.
Chinese government-linked operatives are regularly implicated in cyberattacks, but Beijing routinely denies such hacking operations.
In an emailed statement, its embassy in Washington said China opposed all forms of cyberattacks, and "smearing others without solid evidence."

The vulnerability opening the way for the attack was first identified in May at a Berlin hacking competition, opens new tab organised by cybersecurity firm Trend Micro (4704.T), opens new tab that offered cash bounties for finding computer bugs in popular software.
It offered a $100,000 prize for so-called "zero-day" exploits that leverage previously undisclosed digital weaknesses that could be used against SharePoint, Microsoft's flagship document management and collaboration platform.
The U.S. National Nuclear Security Administration, charged with maintaining and designing the nation's cache of nuclear weapons, was among the agencies breached, Bloomberg News said on Tuesday, citing a person with knowledge of the matter.

iranintl.com - A cyberattack during the 12-day Iran-Israel war destroyed banking data at major Iranian banks Sepah and Pasargad, halting services nationwide and triggering a high-stakes emergency response by an Iranian banking software firm, a senior engineer said.
“Nothing was accessible. Nothing was visible,” wrote Hamidreza Amouzegar, deputy head of product development at the software firm Dotin, in a LinkedIn post recounting the June 17 breach.

“We tried the backup site—same story there.”

The internet banking, mobile banking, and ATMs of the two banks remained largely non-functional until recently.

Dotin, a major provider of digital systems to Iranian banks, found itself at the center of the crisis.

“Sepah Bank’s primary data center had gone dark, with monitoring dashboards frozen and all stored data apparently corrupted,” he added.

When engineers attempted to switch over to the disaster recovery site, they found that it too had failed, with matching damage reported.

“At that point, the priority was no longer identifying the culprit or mapping the technical details,” Amouzegar wrote. “It was about getting public banking services back online—fast.”

To that end, he wrote, teams turned to Samsonite, a portable data center in a suitcase developed by Dotin following service disruptions in 2022. The system was designed to provide core banking functions—particularly card transactions—for short periods without reliance on the main network.

Nobitex, Iran’s largest cryptocurrency exchange, had also confirmed cyberattacks against its systems during the war.

The pro-Israel hacker group Predatory Sparrow, known for prior cyberattacks on Iran’s fuel infrastructure, claimed responsibility for "paralyzing" Sepah Bank and draining more than $90 million from Nobitex.

Sepah Bank is responsible for processing the payments of military personnel.

Pasargad Bank had already deployed Samsonite, allowing it to restore limited services by the early hours of June 19. Sepah, which had not yet installed the system, remained offline longer, Amouzegar added.

Basic card functionality there was only restored by June 20 after a full system rebuild from partial offline backups, he wrote.

“For a bank processing over a billion transactions monthly, losing just one day meant more than 30 million transactions vanished,” Amouzegar said.

Sepah’s full recovery took until June 27, during which time Samsonite processed more than 60 million transactions.

“The cyber war ended three days after the ceasefire,” he added. “But recovery will take months. What I’ve shared here is only a fragment of the story.”

therecord.media - Novabev Group, the Russian maker of Beluga Vodka and other brands, had to stop shipments and temporarily close stores in its WineLab subsidiary after a ransomware attack.

More than 2,000 WineLab liquor stores across Russia have remained shut for three days following a ransomware attack on their parent company, one of Russia’s largest alcohol producers. Signs on WineLab doors said the stores were closed due to “technical issues.”

The attack crippled parts of the Novabev Group’s infrastructure, affecting WineLab’s point-of-sale systems and online services. The company confirmed that the attackers had demanded a ransom but said it refused to negotiate.

“The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands,” Novabev Group said in a statement on Wednesday. There is no indication so far that customer data has been compromised, though an investigation is ongoing, the company added.
The identity of the attackers remains unknown. No ransomware group has claimed responsibility for the incident, and Novabev has not publicly attributed the attack.

Novabev Group is a major Russian producer and distributor of spirits, including the Beluga and Belenkaya vodka brands.

The cyberattack has halted product shipments from Novabev for at least two days, according to local retailers quoted by Russian media outlet Vedomosti. Customers also reported being unable to pick up orders from retail locations or parcel lockers, with customer service offering to extend storage periods for online purchases.

WineLab’s stores are currently closed in major cities, including Moscow, St. Petersburg and surrounding regions, according to location data from Yandex Maps. Novabev’s website and mobile app also remain offline.

Forbes Russia estimated that each day of downtime could cost WineLab 200 million to 300 million rubles ($2.6 million to $3.8 million) in lost revenue. Cybersecurity experts interviewed by Forbes said they could not recall a comparable case in which a major Russian retail chain was forced to shut down entirely due to a cyberattack.

Novabev said its internal IT team is working “around the clock” with external specialists to restore operations and strengthen defenses against future threats.

kyivindependent.com - The cyberattack allegedly destroyed large volumes of data and installed custom software designed to further damage the company's information systems.

Cyber specialists from Ukraine's military intelligence agency (HUR) carried out a large-scale cyberattack against the network infrastructure of Russian energy giant Gazprom, causing significant disruptions, a HUR source told the Kyiv Independent on July 18.

The Kyiv Independent could not independently verify these claims. Gazprom and Russian authorities have not publicly commented on the reported incident.

The alleged operation took place on July 17 and targeted systems used by Gazprom and its subsidiaries, which Ukraine's intelligence claims are directly involved in supporting Russia's war effort.

Gazprom is Russia's state-owned energy company, one of the world's largest gas producers and exporters.

The cyberattack allegedly destroyed large volumes of data and installed custom software designed to further damage the company's information systems.

"The degradation of Russian information systems to the technological Middle Ages continues," the source within the HUR told the Kyiv Independent.

"We congratulate Russian 'cyber specialists' on this new achievement and recommend they gradually replace their mice and keyboards with hammers and pincers."

404media.co - Infostealer data can include passwords, email and billing addresses, and the embarrassing websites you use. Farnsworth Intelligence is selling to divorce lawyers and other industries.

When your laptop is infected with infostealing malware, it’s not just hackers that might get your passwords, billing and email addresses, and a list of sites or services you’ve created accounts on, potentially including some embarrassing ones. A private intelligence company run by a young founder is now taking that hacked data from what it says are more than 50 million computers, and reselling it for profit to a wide range of different industries, including debt collectors; couples in divorce proceedings; and even companies looking to poach their rivals’ customers. Essentially, the company is presenting itself as a legitimate, legal business, but is selling the same sort of data that was previously typically sold by anonymous criminals on shady forums or underground channels.

Multiple experts 404 Media spoke to called the practice deeply unethical, and in some cases the use of that data probably illegal. The company is also selling access to a subset of the data to anyone for as little as $50, and 404 Media used it to uncover unsuspecting victims’ addresses.

The activities of the company, called Farnsworth Intelligence, show a dramatic shift in the bevvy of companies that collect and sell access to so-called open source intelligence, or OSINT. Historically, OSINT has included things like public social media profiles or flight data. Now, companies increasingly see data extracted from peoples’ personal or corporate machines and then posted online as fair game not just to use in their own investigations, but to repackage and sell too.

“To put it plainly this company is profiting off of selling stolen data, re-victimizing people who have already had their personal devices compromised and their data stolen,” Cooper Quintin, senior public interest technologist at the Electronic Frontier Foundation (EFF), told 404 Media. “This data will likely be used to further harm people by police using it for surveillance without a warrant, stalkers using it to gather information on their targets, high level scams, and other damaging motives.”

Infostealers are pieces of malware, often stealthily bundled in a piece of pirated software, that steal a victim’s cookies, login credentials, and often more information stored in their browser too. On its website, Farnsworth lays out several potential uses for that stolen data. This includes “skip tacing,” presumably a typo of skip tracing, which is where a private individual or company tracks someone down who owes a debt. The website says users can “find debtors up-to-date addresses.” Another use case is to “Find high impact evidence that can make/break the case of million dollar lawsuits, high value divorce cases, etc.” A third is to “generate lead lists of customers/users from competitors [sic] companies,” because the data could show which competing products they have login credentials for, and, presumably, use.

bleepingcomputer.com - The House of Dior (Dior) is sending data breach notifications to U.S. customers informing them that a May cybersecurity incident compromised their personal information.
The House of Dior (Dior) is sending data breach notifications to U.S. customers informing them that a May cybersecurity incident compromised their personal information.

Dior is a French luxury fashion house, part of the LVMH (Moët Hennessy Louis Vuitton) group, which is the world's largest luxury conglomerate.

The Dior brand alone generates an annual revenue of over $12 billion, operating hundreds of boutiques worldwide.

The security incident occurred on January 26, 2025, but the company only became aware of it on May 7, 2025, launching internal investigations to determine its scope and impact.

"Our investigation determined that an unauthorized party was able to gain access to a Dior database that contained information about Dior clients on January 26, 2025," reads the notice sent to affected individuals.

"Dior promptly took steps to contain the incident, and we have no evidence of subsequent unauthorized access to Dior systems."

Based on the findings of the investigation, the following information has been exposed:

Full names
Contact details
Physical address
Date of birth
Passport or government ID number (in some cases)
Social Security Number (in some cases)
The company clarifies that no payment details, such as bank account or payment card information, were contained in the compromised database, so this information remains safe.