bleepingcomputer.com By Bill Toulas
September 8, 2025
American furniture brand Lovesac is warning that it suffered a data breach impacting an undisclosed number of individuals, stating their personal data was exposed in a cybersecurity incident.
Lovesac is a furniture designer, manufacturer, and retailer, operating 267 showrooms across the United States, and having annual net sales of $750 million.
They are best known for their modular couch systems called 'sactionals,' as well as their bean bags called 'sacs.'
According to the notices sent to impacted individuals, between February 12, 2025, and March 3, 2025, hackers gained unauthorized access to the company's internal systems and stole data hosted on those systems.
Lovesac discovered the breach on February 28, 2025, which means it took them three days to fully remediate the situation and block the threat actor's access to its network.
The data that has been stolen includes full names and other personal information that hasn't been disclosed in the notice sample shared with the Attorney General's offices.
The company has not clarified whether the incident impacts customers, employees, or contractors, and neither has it disclosed the exact number of individuals affected.
Enclosed in the notification letter, recipients will find instructions on enrolling in 24 24-month credit monitoring service through Experian, redeemable until November 28, 2025.
The company noted that it currently has no indication that the stolen information has been misused, but urges impacted individuals to remain vigilant against phishing attempts.
Ransomware gang claimed attack on Lovesac
Although Lovesac does not name the attackers and didn't mention data encryption in the letters, the RansomHub ransomware gang claimed an attack on March 3, 2025.
The threat actors added Lovesac onto their extortion portal, announcing the breach, indicating plans to leak the stolen data if a ransom payment isn't made. We were unable to determine if they followed up with this threat.
The RansomHub ransomware-as-a-service (RaaS) operation emerged in February 2024 and has since amassed a roster of high-profile victims, including staffing firm Manpower, oilfield services giant Halliburton, the Rite Aid pharmacy chain, Kawasaki's European division, the Christie's auction house, U.S. telecom provider Frontier Communications, the Planned Parenthood healthcare nonprofit, and Italy's Bologna Football Club.
The ransomware operation quietly shut down in April 2025, with many of their affiliates moving to DragonForce.
BleepingComputer has contacted Lovesac to learn more about the incident, its impact, and how many customers were impacted, and will update this post if we receive a response.
therecord.media The Record from Recorded Future News, Jonathan Greig
September 9th, 2025
New York Blood Center submitted documents to regulators in Maine, Texas, New Hampshire and California that confirmed the cyberattack, which they said was first discovered on January 26.
One of the largest independent blood centers serving over 75 million people across the U.S. began sending data breach notification letters to victims this week after suffering a ransomware attack in January.
New York Blood Center submitted documents to regulators in Maine, Texas, New Hampshire and California that confirmed the cyberattack, which they said was first discovered on January 26.
The organization left blank sections of the form in Maine that says how many total victims were affected by the attack but told regulators in Texas that 10,557 people from the state were impacted. In a letter on its website, New York Blood Center said the information stolen included some patient data as well as employee information.
The information stolen during the cyberattack includes names, health information and test results. For some current and former employees, Social Security numbers, driver’s licenses or government ID cards and financial account information were also leaked.
An investigation into the attack found that hackers accessed New York Blood Center’s network between January 20 and 26, making copies of some files before launching the ransomware.
Founded in 1964, New York Blood Center controls multiple blood-related entities that collect about 4,000 units of blood products each day and serve more than 400 hospitals across dozens of states.
The organization also provides clinical services, apheresis, cell therapy, and diagnostic blood testing — much of which requires receiving clinical information from healthcare providers. The organization said some of this information was accessed by the hackers during the cyber incident.
The investigation into the ransomware attack was completed on June 30 and a final list of victims that needed to be notified was compiled by August 12.
New York Blood Center began mailing notification letters on September 5 but also posted a notice on its website and created a call center for those with questions.
Multiple blood donation and testing companies were attacked by ransomware gangs over the last year including OneBlood, Synnovis and South Africa’s national lab service.
therecord.media Alexander Martin
August 27th, 2025
A suspected ransomware attack on a Swedish software provider is believed to have impacted around 200 of the country’s municipal governments.
A suspected ransomware attack on Miljödata, a Swedish software provider used for managing sick leave and similar HR reports, is believed to have impacted around 200 of the country’s municipal governments.
The attack was detected on Saturday, according to the company’s chief executive Erik Hallén. The attackers are attempting to extort Miljödata, police told local newspaper BLT.
Swedish Minister for Civil Defence Carl-Oskar Bohlin wrote in a short update on social media: “The scope of the incident has not yet been clarified, and it is too early to determine the actual consequences.”
Hallén told Swedish press agency TT that around 200 municipalities and regions were affected by the incident. Sweden has 290 municipalities and 21 regions.
Several regional governments have confirmed using Miljödata systems to handle employee data, including “for example, medical certificates, rehabilitation plans, work-related injuries, and more,” according to the local government of the island of Gotland.
Hallén reportedly said Miljödata was “working very intensively with external experts to investigate what happened, what and who was affected, and to restore system functionality.”
“The government is receiving ongoing information about the incident and is in close contact with the relevant authorities,” Bohlin, the civil defense minister, said.
“CERT-SE, which has the task of supporting Swedish society in handling and preventing IT security incidents, has offered advice and support to both the company in question and the affected customers,” the minister added. “The national cybersecurity center is coordinating the measures of the relevant authorities. A police investigation is also underway.”
He stressed the incident underscored the need for high levels of cybersecurity throughout society, and said the Swedish government planned to present a new cybersecurity bill to the Swedish parliament in the near future “that will impose increased requirements on a wide range of actors.”
techradar.com 22.08.2025
Qilin claims another victim, threatens to release valuable information online.
Given the nature of Creative Box’s work, the stolen data could hurt the company and dull its competitive blade, if released to the wild, experts have said.
The company is a specialized satellite design studio forming part of Nissan’s global design network. Established in 1987 to be a creative sandbox for emerging designers, where they can create bold concepts that usually stray away from mainstream car design, it is often described as Nissan’s “design think tank”, as it does not churn out large volumes of visible work, but still retains a significant role within the network.
Among the plethora of advanced attacker tools that exemplify how threat actors continuously evolve their tactics, techniques, and procedures (TTPs) to evade detection and maximize impact, PipeMagic, a highly modular backdoor used by Storm-2460 masquerading as a legitimate open-source ChatGPT Desktop Application, stands out as particularly advanced.
Beneath its disguise, PipeMagic is a sophisticated malware framework designed for flexibility and persistence. Once deployed, it can dynamically execute payloads while maintaining robust command-and-control (C2) communication via a dedicated networking module. As the malware receives and loads payload modules from C2, it grants the threat actor granular control over code execution on the compromised host. By offloading network communication and backdoor tasks to discrete modules, PipeMagic maintains a modular, stealthy, and highly extensible architecture, making detection and analysis significantly challenging.
Microsoft Threat Intelligence encountered PipeMagic as part of research on an attack chain involving the exploitation of CVE-2025-29824, an elevation of privilege vulnerability in Windows Common Log File System (CLFS). We attributed PipeMagic to the financially motivated threat actor Storm-2460, who leveraged the backdoor in targeted attacks to exploit this zero-day vulnerability and deploy ransomware. The observed targets of Storm-2460 span multiple sectors and geographies, including the information technology (IT), financial, and real estate sectors in the United States, Europe, South America, and Middle East. While the impacted organizations remain limited, the use of a zero-day exploit, paired with a sophisticated modular backdoor for ransomware deployment, makes this threat particularly notable.
This blog provides a comprehensive technical deep dive that adds to public reporting, including by ESET Research and Kaspersky. Our analysis reveals the wide-ranging scope of PipeMagic’s internal architecture, modular payload delivery and execution mechanisms, and encrypted inter-process communication via named pipes.
The blog aims to equip defenders and incident responders with the knowledge needed to detect, analyze, and respond to this threat with confidence. As malware continues to evolve and become more sophisticated, we believe that understanding threats such as PipeMagic is essential for building resilient defenses for any organization. By exposing the inner workings of this malware, we also aim to disrupt adversary tooling and increase the operational cost for the threat actor, making it more difficult and expensive for them to sustain their campaigns.
canadianrecycler.ca - Toronto, Ontario -- Businesses across North America are reeling after a serious cyber attack threatened the data of 300 auto recycling businesses, including at least four based in Canada.
The attack, which occured on the evening of August 6, targeted businesses using SimpleHelp, a program that allows remote access to computer facilities. Those businesses that were caught up in the attack were locked out of their own databases and sent ransom notes demanding payment for the return of access.
Plazek Auto Recycling, near Hamilton, Ontario, was one of the businesses affected by the incident. According to Marc Plazek, employees only discovered the situation when they arrived at work to discover they were locked out of their computers — and discovered 30 copies of an identical ransom note on the printer.
“It was as if they arrived at our front gate, locked us in and said ‘we’ve got the only key.’ Except it was all done online.”
The ransomware software, LockBit Blpack, was developed by LockBit, a sophisticated cybercriminal organization. The group employs a dual-threat approach: it not only encrypt victims’ critical data and demand ransom payments for decryption keys, but also threaten to publicly leak sensitive information if its demands aren’t met – a tactic known as double extortion. First appearing on shadowy Russian forums in early 2020, LockBit has quickly established itself as a dominant force in the global ransomware landscape.
Like the other Canadian businesses affected by the hack, Plazek Auto Recycling did not respond to the threat. According to Marc Plazek, the company didn’t even entertain the idea of paying.
“We had a similar thing happen in 2019. We spoke with our insurance company who told us not to pay. They said there would be no reason for the hackers to bother living up to their word anyway.”
Because of the previous incident, Plazek Auto Recycling’s team had set up security measures and backed-up the computer system. The company was able to scrub its system of the malware and save all but a few hours worth of its records.
Other Canadian businesses known to have been affected include Millers Auto Recycling in Fort Erie, Ontario and Marks Parts in Ottawa. Fortunately, these companies were also able to restore access to data.
Other auto recyclers received assistance from the technical departments of Car-Part and Hollander. According to the Automotive Recyclers of Canada, most of the businesses affected by the attack had been
In response to the cyberattack, the executive director of the ARC, Wally Dingman, authored a column discussing the incident for this website.
bleepingcomputer.com - Cybersecurity firm Profero cracked the encryption of the DarkBit ransomware gang's encryptors, allowing them to recover a victim's files for free without paying a ransom.
This occurred in 2023 during an incident response handled by Profero experts, who were brought in to investigate a ransomware attack on one of their clients, which had encrypted multiple VMware ESXi servers.
The timing of the cyberattack suggests that it was in retaliation for the 2023 drone strikes in Iran that targeted an ammunition factory belonging to the Iranian Defence Ministry.
In the ransomware attack, the threat actors claimed to be from DarkBit, who previously posed as pro-Iranian hacktivists, targeting educational institutes in Israel. The attackers included anti-Israel statements in their ransom notes, demanding ransom payments of 80 Bitcoin.
Israel's National Cyber Command linked DarkBit attacks to the Iranian state-sponsored APT hacking group known as MuddyWater, who have a history of conducting cyberespionage attacks.
In the case investigated by Profero, the attackers did not engage in ransom payment negotiations, but instead appeared to be more interested in causing operational disruption.
Instead, the attackers launched an influence campaign to maximize reputational damage to the victim, which is a tactic associated with nation-state actors posing as hacktivists.
Decrypting DarkBit
At the time of the attack, no decryptor existed for DarkBit ransomware, so Profero researchers decided to analyze the malware for potential weaknesses.
DarkBit uses a unique AES-128-CBC key and Initialization Vector (IV) generated at runtime for each file, encrypted with RSA-2048, and appended to the locked file.
Profero found that the key generation method used by DarkBit is low entropy. When combined with the encryption timestamp, which can be inferred from file modification times, the total keyspace is reduced to a few billion possibilities.
Moreover, they found that Virtual Machine Disk (VMDK) files on ESXi servers have known header bytes, so they only had to brute force the first 16 bytes to see if the header matched, instead of the entire file.
Profero built a tool to try all possible seeds, generate candidate key/IV pairs, and check against VMDK headers, which they ran in a high-performance computing environment, recovering valid decryption keys.
In parallel, the researchers discovered that much of the VMDK file content hadn't been impacted by DarkBit's intermittent encryption, as those files are sparse and many encrypted chunks fall onto empty space.
This allowed them to retrieve significant amounts of valuable data without having to decrypt it by brute-forcing keys.
"As we began to work on speeding up our brute force, one of our engineers/team members? had an interesting idea," explained Profero.
"VMDK files are sparse, which means they are mostly empty, and therefore, the chunks encrypted by the ransomware in each file are also mostly empty. Statistically, most files contained within the VMDK filesystems won't be encrypted, and most files inside these file systems were anyways not relevant to us/our task/our investigation."
"So, we realized we could walk the file system to extract what was left of the internal VMDK filesystems... and it worked! Most of the files we needed could simply be recovered without decryption."
cbc.ca - The insurance company did not cover any of the city’s claims totalling about $5 million. City staff say they've learned from their mistakes and are taking accountability for the cybersecurity breach.
Many City of Hamilton departments didn't have multi-factor authentication in place before cyber criminals launched a massive ransomware attack in February 2024, paralysing nearly all municipal services for weeks.
Multi-factor authentication, also sometimes in the form of two-step verification, is a widely used layer of extra security for users logging into a system like their email accounts. They're required to verify their identity using more than one method, such as entering a code texted to their phone.
It's been used by corporations and technology companies for years. Google, for example, launched its two-step log-in system in 2011.
While not the only reason the attackers were successful, the city's lack of multi-factor authentication was a "root cause" of the breach, as determined by the city's insurance company, said a staff report to the general issues committee Wednesday.
As a result, the insurance company did not cover any of the city's claims totalling about $5 million.
"This has been a test of our system and a test of our leadership," said Mayor Andrea Horwath at a news conference Wednesday. "We are not sweeping this under the rug. We are owning it, we're fixing it and we're learning from it."
The lack of multi-factor authentication, and no insurance coverage, was reported publicly for the first time this month.
The staff report said: "According to the policy, no coverage was available under the policy for any losses where the absence of MFA was the root cause of a cyber breach."
Solicitor Lisa Shields told councillors Wednesday that staff were aware of the multi-factor authentication requirement in their insurance policy in the fall of 2022 and began rolling out a pilot program the following year, but for only a few departments.
In early 2024, the city was preparing to fully implement multi-factor authentication, but then the ransomware attack took place on Feb. 25, said Cyrus Tehrani, acting chief information officer.
He told reporters that — contrary to what the insurance company found — the breach would've happened even with multi-factor authentication in place. The city also told CBC Hamilton in an email that it was a "highly sophisticated attack on an external, internet-facing server, gaining unauthorized access to the City of Hamilton systems."
Attackers demanded $18.5M in ransom
About 80 per cent of city systems were impacted and the attackers demanded the city pay $18.5 million to unlock it — a massive crisis and among the most significant in Canada, city manager Marnie Cluckie told councillors.
Based on advice from outside experts, the city decided not to pay the ransom and instead recover what it could and rebuild everything else. The police investigation is ongoing, Cluckie said.
To date, the city has spent $18.4 million and will continue to pay nearly $400,000 a month until November 2026 to rebuild its systems, said Mike Zegarac, general manager of finance.
san.com - Data stolen by a ransomware gang has exposed highly sensitive information from a Louisiana sheriff’s office, including the names, telephone numbers and Social Security numbers of confidential informants in criminal investigations. Straight Arrow News obtained a copy of the data from DDoSecrets, a non-profit that archives hacked and leaked documents in the public interest.
Medusa, a suspected Russian cybercrime group, said on its Dark Web blog in April 2024 that it had pilfered more than 90 gigabytes of data from the East Baton Rouge Sheriff’s Office.
The sheriff’s office initially claimed the intrusion had been quickly detected and stopped, allowing the hackers to obtain only a limited amount of data, such as “screenshots of file folders and still images from video files, WBRZ-TV reported.
65,000 files
A sample of the stolen files shared at the time by Medusa included payroll information, showing that the breach was more substantial than first claimed by the sheriff’s office. Medusa threatened to release all of the data, which contains over 65,000 files, unless the sheriff’s office paid $300,000. There’s no indication the ransom was ever paid.
The East Baton Rouge Sheriff’s Office did not respond to a request for comment from SAN.
SAN’s analysis of the full data cache provides an insight into just how damaging the breach was. Given the sensitivity of the data, DDoSecrets is only sharing it with approved journalists, researchers and defense attorneys practicing in Baton Rouge.
The data covers both the banal day-to-day operations of a law enforcement agency and the potentially life-and-death details of drug cases and other criminal investigations.
“The East Baton Rouge Sheriff’s Office data is an extraordinary example of the inner workings of a police department, down to Internal Affairs investigations and details about the use of confidential informants,” DDoSecrets co-founder Emma Best told SAN. “While the police are obviously of public interest and deserve no privacy, their targets and victims do. With that in mind, we’re refraining from republishing the full data to the public while encouraging journalists and civil rights advocates to engage with it.”
Best said the data cache was posted by Medusa to the messaging app Telegram, but that their channels were repeatedly shut down. The contents of the breach have not been extensively reported on until now.
Law enforcement entities are common targets for ransomware gangs. In 2021, the Metropolitan Police Department in Washington, D.C., was hacked by a Russian-speaking ransomware group known as Babuk, resulting in the leak of 250 gigabytes of data after the department refused to pay a ransom. The data also included sensitive information on informants and police officers.
Confidential informants
Contracts signed by 34 confidential informants in 2023 are among the exposed data from Louisiana.
A document titled “CI Information” lists the names, dates of birth and Social Security numbers of 200 confidential informants involved in narcotics investigations. Names of deputies overseeing informants and case numbers are included, as well as whether the informants are still active. Deactivation dates, indicating when an informant’s work ended, range from 2020 to 2023.
A folder titled “C.I. G.P.S. routes” contains numerous images of maps detailing the movements of informants across Baton Rouge.
Seized devices
A document last edited in August 2023 lists devices seized by the sheriff’s office, primarily mobile phones. The document notes whether a warrant had been requested or obtained, as well as additional steps that may have been needed to access a device’s contents.
Several phones were turned over to the FBI, the data indicates. Some files mention that cellphone hacking tools were needed to pull data from the devices. Files refer to both Cellebrite, an Israeli company that produces tools for extracting data from mobile devices, and GrayKey, a mobile forensics tool developed by the US-based company Grayshift that similarly unlocks and extracts data from phones.
The data also shows that the Drug Enforcement Agency sought access to historical location data and other information from a target’s cell phone.
Cell phone surveillance
Pen trap and trace search warrants — court orders that allow law enforcement to collect cell phone metadata such as numbers dialed — were issued to cellular service providers T-Mobile, AT&T and Verizon.
Many of the warrants mention the use of a “cell site simulator,” also known as an IMSI catcher, to reveal a suspect’s whereabouts. Cell site simulators, commonly referred to as Stingrays, are devices that mimic cell phone towers and can be used to pinpoint the location of specific phones.
Sock puppet accounts
A presentation about online investigations advises officers to create “sock puppet accounts,” a term used to describe a false online identity created to conceal an individual’s real one.
For instance, deputies were told to use a free VPN browser add-on for Google Chrome to hide their IP addresses. The website thisxdoesnotexist.com is also listed as a resource for deputies to create AI-generated images of everything from fake people to resumes.
Hidden cameras and drones
A folder titled “Tech” includes brochures listing an array of surveillance technology, such as GPS trackers and hidden cameras that can be placed inside items such as clothing, vape pens and Newport menthol cigarette packs.
A list of hidden cameras contains IP addresses, login credentials for remote access and identifying information for both the devices and SIM cards used.
One list shows 19 drones operated by the sheriff’s office, the majority of which are made by the Chinese manufacturer DJI. The drones are used by several divisions of the sheriff’s office, including SWAT and narcotics, for suspect apprehension and search and rescue missions.
A PowerPoint presentation in the data cache shows the default password used to access the internal system for logging drone usage. A folder titled “Operation Photos & Videos” shows both surveillance of criminal suspects as well as overhead images of sheriff’s deputies at a shooting range.
Internal affairs
Internal affairs data, including complaints made against the sheriff’s office, accuse deputies of racial profiling, unwarranted searches and excessive force.
Incidents range from a deputy being reprimanded for letting his 10- and 12-year-old children drive his patrol vehicle to another being arrested for battery and suspended for 30 days after being involved in a “road rage-type” episode.
Polygraph results
Other files detail the results of polygraph tests given to both deputies and suspects.
One file graphically details an alleged sexual assault and concludes that the person being tested had been deceitful. A deputy was also accused of being deceitful after being asked whether he’d referred to homosexuals as “disgusting” when discussing a fellow deputy believed to be gay.
thedfirreport.com - Bumblebee malware has been an initial access tool used by threat actors since late 2021. In 2023 the malware was first reported as using SEO poisoning as a delivery mechanism. Recently in May of 2025 Cyjax reported on a campaign using this method again, impersonating various IT tools. We observed a similar campaign in July in which a download of an IT management tool ended with Akira ransomware.
In July 2025, we observed a threat actor compromise an organization through this SEO poisoning campaign. A user searching for “ManageEngine OpManager” was directed to a malicious website, which delivered a trojanized software installer. This action led to the deployment of the Bumblebee malware, granting the threat actor initial access to the environment. The intrusion quickly escalated from a single infected host to a full-scale network compromise.
Following initial access, the threat actor moved laterally to a domain controller, dumped credentials, installed persistent remote access tools, and exfiltrated data using an SFTP client. The intrusion culminated in the deployment of Akira ransomware across the root domain. The threat actor returned two days later to repeat the process, encrypting systems within a child domain and causing significant operational disruption across the enterprise.
This campaign affected multiple organizations during July as we received confirmation of a similar intrusion responded to by the Swisscom B2B CSIRT in which a malicious IT tool dropped Bumblebee and also ended with Akira ransomware deployment.
therecord.media - Multiple cybersecurity incident response firms are warning about the possibility that a zero-day vulnerability in some SonicWall devices is allowing ransomware attacks.
Ransomware gangs may be exploiting an unknown vulnerability in SonicWall devices to launch attacks on dozens of organizations.
Multiple incident response companies released warnings over the weekend about threat actors using the Akira ransomware to target SonicWall firewall devices for initial access. Experts at Arctic Wolf first revealed the incidents on Friday.
SonicWall has not responded to repeated requests for comment about the breaches but published a blog post on Monday afternoon confirming that it is aware of the campaign.
The company said Arctic Wolf, Google and Huntress have warned over the last 72 hours that there has been an increase in cyber incidents involving Gen 7 SonicWall firewalls that use the secure sockets layer (SSL) protocol.
“We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible,” the company said.
SonicWall said it is working with researchers, updating customers and will release updated firmware if a new vulnerability is found.
The company echoed the advice of several security firms, telling customers to disable SonicWall VPN services that use the SSL protocol.
At least 20 incidents
Arctic Wolf said on Friday that it has seen multiple intrusions within a short period of time and all of them involved access through SonicWall SSL VPNs.
“While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability,” the company said. None of the incident response companies have specified what that bug might be.
“In some instances, fully patched SonicWall devices were affected following credential rotation,” Arctic Wolf said, referring to the process of regularly resetting logins or other access.
The researchers added that the ransomware activity involving SonicWall VPNs began around July 15.
When pressed on whether any recent known SonicWall vulnerabilities are to blame for the attacks, an Arctic Wolf spokesperson said the researchers have “seen fully patched devices affected in this campaign, leading us to believe that this is tied to a net new zero day vulnerability.”
Arctic Wolf said in its advisory that given the high likelihood of such a bug, organizations “should consider disabling the SonicWall SSL VPN service until a patch is made available and deployed.”
Over the weekend, Arctic Wolf’s assessment was backed up by incident responders at Huntress, who confirmed several incidents involving the SonicWall SSL VPN.
A Huntress official said they have seen around 20 attacks since July 25 and many of the incidents include the abuse of privileged accounts, lateral movement, credential theft and ransomware deployment.
“This is happening at a pace that suggests exploitation, possibly a zero day exploit in Sonicwall. Threat actors have gained control of accounts that even have MFA deployed,” the official said.
He confirmed that the incidents Huntress examined also involved Akira ransomware.
'This isn't isolated'
Huntress released a lengthy threat advisory on Monday warning of a “likely zero-day vulnerability in SonicWall VPNs” that was being used to facilitate ransomware attacks. Like Arctic Wolf, they urged customers to disable the VPN service immediately.
“Over the last few days, the Huntress Security Operations Center (SOC) has been responding to a wave of high-severity incidents originating from SonicWall Secure Mobile Access (SMA) and firewall appliances,” Huntress explained.
“This isn't isolated; we're seeing this alongside our peers at Arctic Wolf, Sophos, and other security firms. The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild.”
SonicWall devices are frequent targets for hackers because the types of appliances the company produces serve as gateways for secure remote access.
Just two weeks ago, Google warned of a campaign targeting end-of-life SonicWall SMA 100 series appliances through a bug tracked as CVE-2024-38475.
tomshardware.com - A leading mobile device insurance and service network has initiated insolvency proceedings in the wake of a cyberattack. Selling properties and cutting staff numbers wasn't enough to save the business.
The Einhaus Group was once a familiar name, with its services available through 5,000 retail outlets in Germany and an annual revenue of around 70 million Euros.
A leading mobile device insurance and service network has initiated insolvency proceedings in the wake of a cyberattack. Germany’s Einhaus Group was targeted by hackers in March 2023 and is understood to have paid a ransom(ware) fee of around $230,000 at the time, according to Wa.de and Golem.de (machine translations). However, the once large and successful company, with partnerships including Cyberport, 1&1, and Deutsche Telekom, struggled to recover from the service interruption and the obvious financial strains, which now appear to be fatal.
The ides of March
In mid-March 2023, Wilhelm Einhaus, founder of the Einhaus Group, recalls coming into the office in the morning to witness a ‘horrific’ greeting. On the output tray of every printer in the office was a page announcing, “We've hacked you. All further information can be found on the dark web.” Further investigations revealed that the hack group 'Royal' was the culprit. They had encrypted all of Einhaus Group’s systems, which were essential for the day-to-day running of the business. 'Royal' demanded a ransom payment, thought to be around $230,000 in Bitcoins, to return access to the computers.
Of course, with operational systems down, there was an immediate impact on Einhaus. The police were involved promptly. However, the affected firm seems to have decided to pay the ransom, as it could see business losses/damages piling up – meaning continuing without the computer systems was untenable. Einhaus estimated that the hacker-inflicted damage to its business was in the mid-seven-figure range.
nltimes.nl - Several major government institutions across the Caribbean part of the Kingdom of the Netherlands were hit by cyberattacks last week, including a ransomware attack on Curaçao’s Tax and Customs Administration that temporarily disabled critical services, NOS reports.
According to Curaçao’s Minister of Finance, ransomware was used in the attack on the tax authority. After the breach was discovered by staff, one of the agency’s systems was taken offline as a precaution. An investigation into the origin and impact of the attack is ongoing. The Ministry of Finance stated that no confidential information was compromised.
Despite the breach, the online platform for filing and paying taxes remained operational. However, both the telephone customer service and in-person assistance were unavailable for several days. All services were restored by Monday, the ministry confirmed.
Meanwhile, the Court of Justice — which operates across all six Caribbean islands of the Kingdom — was also affected by a cyber incident. A virus was detected in the court’s IT system, prompting officials to shut down the entire computer network out of caution. Several court cases scheduled for last week were postponed, although most hearings continued as planned. Restoration efforts are still underway.
In Aruba, hackers also gained unauthorized access to official email accounts belonging to members of parliament. The extent of the breach and potential consequences remain unclear.
In response to the string of incidents, authorities on Sint-Maarten issued a public alert urging businesses and institutions on the islands to increase their cybersecurity vigilance.
The wave of cyberattacks follows a separate hacking incident in the Netherlands just two weeks ago, when the national Public Prosecution Service (Openbaar Ministerie) disconnected all its systems from the internet after detecting a breach. The disruption continues to have major consequences. Defense attorneys have reported significant difficulty accessing essential information, hindering their ability to represent clients.
bleepingcomputer.com - Law enforcement has seized the dark web leak sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years.
The U.S. Department of Justice confirmed the takedown in an email earlier today, saying the authorities involved in the action executed a court-authorized seizure of the BlackSuit domains.
Earlier today, the websites on the BlackSuit .onion domains were replaced with seizure banners announcing that the ransomware gang's sites were taken down by the U.S. Homeland Security Investigations federal law enforcement agency as part of a joint international action codenamed Operation Checkmate.
"This site has been seized by U.S. Homeland Security Investigations as part of a coordinated international law enforcement investigation," the banner reads.
Other law enforcement authorities that joined this joint operation include the U.S. Secret Service, the Dutch National Police, the German State Criminal Police Office, the U.K. National Crime Agency, the Frankfurt General Prosecutor's Office, the Justice Department, the Ukrainian Cyber Police, Europol, and others.
Romanian cybersecurity company Bitdefender was also involved in the action, but a spokesperson has yet to reply after BleepingComputer reached out for more details earlier today.
Chaos ransomware rebrand
On Thursday, the Cisco Talos threat intelligence research group reported that it had found evidence suggesting the BlackSuit ransomware gang is likely to rebrand itself once again as Chaos ransomware.
"Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or operated by some of its former members," the researchers said.
"This assessment is based on the similarities in TTPs, including encryption commands, the theme and structure of the ransom note, and the use of LOLbins and RMM tools in their attacks."
BlackSuit started as Quantum ransomware in January 2022 and is believed to be a direct successor to the notorious Conti cybercrime syndicate. While they initially used encryptors from other gangs (such as ALPHV/BlackCat), they deployed their own Zeon encryptor soon after and rebranded as Royal ransomware in September 2022.
In June 2023, after targeting the City of Dallas, Texas, the Royal ransomware gang began working under the BlackSuit name, following the testing of a new encryptor called BlackSuit amid rumors of a rebranding.
CISA and the FBI first revealed in a November 2023 joint advisory that Royal and BlackSuit share similar tactics, while their encryptors exhibit obvious coding overlaps. The same advisory linked the Royal ransomware gang to attacks targeting over 350 organizations worldwide since September 2022, resulting in ransom demands exceeding $275 million.
The two agencies confirmed in August 2024 that the Royal ransomware had rebranded as BlackSuit and had demanded over $500 million from victims since surfacing more than two years prior.
microsoft.com - July 23, 2025 update – Expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603 leading to the deployment of Warlock ransomware. Based on new information, we have updated the Attribution, Indicators of compromise, extended and clarified Mitigation and protection guidance (including raising Step 6: Restart IIS for emphasis), Detections, and Hunting sections.
On July 19, 2025, Microsoft Security Response Center (MSRC) published a blog addressing active attacks against on-premises SharePoint servers that exploit CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability. These vulnerabilities affect on-premises SharePoint servers only and do not affect SharePoint Online in Microsoft 365. Microsoft has released new comprehensive security updates for all supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) that protect customers against these new vulnerabilities. Customers should apply these updates immediately to ensure they are protected.
These comprehensive security updates address newly disclosed security vulnerabilities in CVE-2025-53770 that are related to the previously disclosed vulnerability CVE-2025-49704. The updates also address the security bypass vulnerability CVE-2025-53771 for the previously disclosed CVE-2025-49706.
As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities to deploy ransomware. Investigations into other actors also using these exploits are still ongoing. With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems. This blog shares details of observed exploitation of CVE-2025-49706 and CVE-2025-49704 and the follow-on tactics, techniques, and procedures (TTPs) by threat actors. We will update this blog with more information as our investigation continues.
Microsoft recommends customers to use supported versions of on-premises SharePoint servers with the latest security updates. To stop unauthenticated attacks from exploiting this vulnerability, customers should also integrate and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or equivalent solutions) for all on-premises SharePoint deployments and configure AMSI to enable Full Mode as detailed in Mitigations section below. Customers should also rotate SharePoint server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or equivalent solutions.
BBC - Transport company KNP forced to shut down after international hacker gangs target thousands of UK businesses.
One password is believed to have been all it took for a ransomware gang to destroy a 158-year-old company and put 700 people out of work.
KNP - a Northamptonshire transport company - is just one of tens of thousands of UK businesses that have been hit by such attacks.
Big names such as M&S, Co-op and Harrods have all been attacked in recent months. The chief executive of Co-op confirmed last week that all 6.5 million of its members had had their data stolen.
In KNP's case, it's thought the hackers managed to gain entry to the computer system by guessing an employee's password, after which they encrypted the company's data and locked its internal systems.
KNP director Paul Abbott says he hasn't told the employee that their compromised password most likely led to the destruction of the company.
"Would you want to know if it was you?" he asks.
"We need organisations to take steps to secure their systems, to secure their businesses," says Richard Horne CEO of the National Cyber Security Centre (NCSC) - where Panorama has been given exclusive access to the team battling international ransomware gangs.
One small mistake
In 2023, KNP was running 500 lorries – most under the brand name Knights of Old.
The company said its IT complied with industry standards and it had taken out insurance against cyber-attack.
But a gang of hackers, known as Akira, got into the system leaving staff unable to access any of the data needed to run the business. The only way to get the data back, said the hackers, was to pay
Cyberattack disrupted UNFI’s operations in June; company estimates $50–$60 million net income hit but anticipates insurance will cover most losses.
United Natural Foods, Inc. (NYSE: UNFI), the main distributor for Amazon’s Whole Foods, said the June 2025 cyberattack that caused disruptions to business operations will impact fiscal 2025 net sales by an estimated $350 to $400 million.
In an update on Wednesday, the Rhode Island-based natural food products giant said “anticipated insurance” proceeds would significantly offset those loses.
“The Company estimates that the cyber incident will impact fiscal 2025 net sales by approximately $350 to $400 million, net (loss) income by $50 to $60 million, which includes the estimated tax impact, and adjusted EBITDA by approximately $40 to $50 million,” the company said in a business update on July 16th. “These estimates do not reflect the benefit of anticipated insurance proceeds, which the Company expects will be adequate for the incident. The Company does not currently expect a meaningful operational or financial impact beyond the fourth quarter of fiscal 2025 aside from insurance reimbursement.”
The company revealed in a filing with the SEC on June 9 that it had detected unauthorized activity on some IT systems on June 5. In response to the intrusion, certain systems were taken offline, which impacted its ability to fulfill and distribute customer orders.
UNFI advertises itself as the largest full-service grocery partner in North America, delivering products to over 30,000 locations, including natural product superstores, conventional supermarket chains, e-commerce providers, and independent retailers. With more than $30 billion in annual revenue, the company offers more than 250,000 natural, organic and conventional SKUs through its more than 50 distribution centers.
“We are grateful to our customers, suppliers, and associates for their resilience and collaboration as we worked through a challenging period for all of us. With our operations returning to more normalized levels, we remain focused on adding value for our customers and suppliers while becoming a more efficient and effective partner,” said Sandy Douglas, UNFI’s CEO.
The Company updated its full-year outlook to reflect its strong performance for the first three fiscal quarters of 2025 and the estimated costs and charges associated with the June cyber incident.
koreaherald.com - Seoul Guarantee Insurance, South Korea's largest provider of guarantee insurance, has been crippled by a ransomware attack, with its core systems offline for a third straight day.
The incident began early Monday, when SGI reported an “abnormal symptom” in its database system. By Tuesday afternoon, a joint investigation by the Financial Supervisory Service and the Financial Security Institute confirmed it was caused by a ransomware breach.
As a pivotal player in Korea’s guarantee insurance industry, SGI’s disruption is generating widespread confusion and inconvenience. The insurer provides guarantees for both individuals and corporations, with a guarantee balance of 478 trillion won ($344.4 billion) as of end-2024.
The impact is particularly severe in the housing market, where many rely on guarantee insurance for the “jeonse” rental system, where renters pay a large, refundable deposit in exchange for no monthly rent. SGI is one of the leading providers in this space, offering the highest cap on jeonse loan guarantees at 500 million won, compared to 200 million to 400 million won from other institutions.
While some services have been restored through cooperation with financial institutions, SGI’s main data system remains inoperative as of Wednesday morning. In urgent cases, the company has resorted to issuing handwritten guarantee certificates to minimize disruption.
Starting Wednesday, the insurer is operating an emergency center to collect reports of consumer damage and support recovery. “We vow full compensation and are planning responsible follow-up measures,” said SGI President and CEO Lee Myung-soon.
This is the first full-system disruption at a Korean financial institution caused by a ransomware attack and a second such case involving a Korean company this year. In June, major online bookstore Yes24 experienced a five-day outage and an estimated 10 billion won in lost sales due to a similar breach.
An ongoing outage at IT giant Ingram Micro is caused by a SafePay ransomware attack that led to the shutdown of internal systems, BleepingComputer has learned.
Update 7/6/25: Added Ingram Micro's confirmation it suffered a ransomware attack below. Also updated ransom note with clearer version.
An ongoing outage at IT giant Ingram Micro is caused by a SafePay ransomware attack that led to the shutdown of internal systems, BleepingComputer has learned.
Ingram Micro is one of the world's largest business-to-business technology distributors and service providers, offering a range of solutions including hardware, software, cloud services, logistics, and training to resellers and managed service providers worldwide.
Since Thursday, Ingram Micro's website and online ordering systems have been down, with the company not disclosing the cause of the issues.
BleepingComputer has now learned that the outages are caused by a cyberattack that occurred early Thursday morning, with employees suddenly finding ransom notes created on their devices.
The ransom note, seen by BleepingComputer, is associated with the SafePay ransomware operation, which has become one of the more active operations in 2025. It is unclear if devices were actually encrypted in the attack.
It should be noted that while the ransom note claims to have stolen a wide variety of information, this is generic language used in all SafePay ransom notes and may not be true for the Ingram Micro attack.
Building automation giant Johnson Controls is notifying individuals whose data was stolen in a massive ransomware attack that impacted the company's operations worldwide in September 2023.
Johnson Controls is a multinational conglomerate that develops and manufactures industrial control systems, security equipment, HVAC systems, and fire safety equipment for buildings. The company employs over 100,000 people through its corporate operations and subsidiaries across 150 countries, reporting sales of $27.4 billion in 2024.
As BleepingComputer first reported, Johnson Controls was hit by a ransomware attack in September 2023, following a breach of the company's Asian offices in February 2023 and subsequent lateral movement through its network.
"Based on our investigation, we determined that an unauthorized actor accessed certain Johnson Controls systems from February 1, 2023 to September 30, 2023 and took information from those systems," the company says in data breach notification letters filed with California's Attorney General, redacted to conceal what information was stolen in the attack.
"After becoming aware of the incident, we terminated the unauthorized actor's access to the affected systems. In addition, we engaged third-party cybersecurity specialists to further investigate and resolve the incident. We also notified law enforcement and publicly disclosed the incident in filings on September 27, 2023; November 13, 2023; and December 14, 2023."
