Microsoft and Cloudflare shut down RaccoonO365, a notorious phishing-as-a-service operation that helped cybercriminals steal Microsoft 365 credentials with little technical skill required. Using a court order, Microsoft seized 338 websites tied to the service, which had stolen at least 5,000 credentials from 94 countries since July 2024.
The operation, run by Nigerian mastermind Joshua Ogundipe, offered subscription-based phishing kits for $600 annually. These kits used Microsoft branding to create convincing fake emails and websites, targeting over 2,300 US organizations and 20 healthcare facilities.
Microsoft identified Ogundipe through a cryptocurrency wallet security lapse and sent a criminal referral to international law enforcement. The takedown represents a significant blow to the growing phishing-as-a-service industry.
Source: Dark Reading
The Orleans Parish Sheriff's Office has been hit by a ransomware attack from the international cybercrime group Qilin, which breached its systems three weeks ago and is demanding payment. The hackers obtained 842 gigabytes of data including contracts, inmate documents, and expense records, though no sensitive information appears to have been compromised.
The attack has disrupted the DocketMaster system that handles inmate transfers and releases, forcing families to wait longer; one woman's husband remains jailed despite having paid bond. "I have two sons, four and six years old. They miss their dad," she told local news.
Officials are using manual workarounds and refuse to pay the ransom. The malware reportedly came through email from another law enforcement agency.
Source: CBS News
SonicWall confirmed attackers breached its MySonicWall.com platform through brute force attacks, accessing firewall configuration files from less than 5% of its customer base. The stolen files contained encrypted passwords and network details that could help attackers exploit customer firewalls more effectively.
This marks a troubling shift from previous SonicWall vulnerabilities, which targeted customer-deployed devices. This time, attackers hit SonicWall's own infrastructure, raising questions about the company's internal security practices.
SonicWall disabled the backup feature and launched an investigation. Affected customers should reset credentials and monitor for unusual activity. The breach adds to SonicWall's security woes—CISA lists 14 exploited vulnerabilities since 2021, including nine used in ransomware attacks.
Source: CyberScoop
A sophisticated new phishing campaign using the "FileFix" technique has spread across 16 countries, from the US to Serbia. The attack impersonates Facebook security warnings, claiming accounts will be suspended unless users take action.
When victims click to "appeal," they're tricked into pasting malicious PowerShell code into Windows File Explorer's address bar under the guise of opening a PDF file. This executes hidden malware that downloads AI-generated images containing steganographically hidden code, ultimately deploying StealC infostealer to harvest passwords and sensitive data.
FileFix builds on the earlier "ClickFix" technique but uses the more familiar File Explorer instead of the Run dialog, making it harder for organizations to block and more likely to fool users unfamiliar with command execution.
Source: Dark Reading
Luxury fashion conglomerate Kering confirmed hackers breached its systems in June, stealing personal data from potentially millions of customers across brands including Gucci, Balenciaga and Alexander McQueen. The ransomware group Shiny Hunters accessed names, phone numbers, email addresses and purchase histories; some customers had spent up to $86,000. No financial information such as credit card or bank details was compromised.
Samples of stolen Gucci customer data appeared on Telegram channels last month. This follows similar attacks on Louis Vuitton in July and British retailers M&S, Co-op and Harrods. Meanwhile, Jaguar Land Rover factories remain shut for three weeks after their own cyber-attack.
Source: The Guardian
Attackers compromised 18 popular npm packages with over 2.6 billion weekly downloads through a simple phishing email targeting a maintainer. The breach began when the maintainer clicked a fake npm support email requesting two-factor authentication updates, giving attackers access to publish malicious versions of packages like chalk and debug.
The malware targeted cryptocurrency transactions by hijacking browser APIs and wallet interfaces. While detected within minutes and causing minimal financial damage (around $20 in stolen crypto), the incident exposed millions of developers to compromised code.
Experts warn against dismissing this as low-impact, emphasizing that the real cost lies in cleanup efforts and the fragility of open-source infrastructure that powers modern software development.
Source: CyberScoop
The FBI is warning about two threat groups targeting Salesforce customers through sophisticated social engineering attacks. UNC6040 (also known as ShinyHunters) has been calling company help desks since October 2024, posing as IT support to trick employees into sharing login credentials or installing malicious apps that steal customer data.
UNC6395 previously exploited stolen OAuth tokens from Salesloft's Drift application to access hundreds of Salesforce environments earlier this year. Salesforce and Salesloft revoked all Drift tokens in August, but the threat remains active through other integrations.
Some victims have received extortion emails demanding cryptocurrency payments to prevent data publication. The FBI recommends training call center staff, implementing phishing-resistant multi-factor authentication, and monitoring network activity to defend against these ongoing campaigns.
Source: Dark Reading
Cybercriminals calling themselves Shiny Hunters have stolen personal data from potentially 7.4 million customers of luxury brands Gucci, Balenciaga, and Alexander McQueen. The April breach exposed names, email addresses, phone numbers, home addresses, and total spending amounts—with some customers having spent $30,000-$86,000 at these stores.
Parent company Kering confirmed the attack but says no financial information such as credit card details was compromised. The hackers demanded a Bitcoin ransom in June, which Kering refused to pay on law enforcement advice.
The spending data is particularly concerning as it could make high-value customers targets for future scams. This attack was part of a broader wave hitting luxury brands including Cartier and Louis Vuitton.
Source: BBC
Two critical vulnerabilities have been discovered in Linux's Common Unix Printing System (CUPS), affecting virtually all Linux distributions. CVE-2025-58364 allows attackers to crash printing services through crafted printer responses, while CVE-2025-58060 enables authentication bypass on systems using non-Basic authentication methods like Kerberos or LDAP.
The DoS vulnerability targets the libcups library and can disrupt entire network printing services. The authentication bypass is more severe, letting attackers gain admin access by sending Basic auth headers when other authentication types are configured.
No patches are currently available for CUPS versions below 2.4.12. Network administrators should immediately restrict IPP port 631 access, disable cups-browsed service, and temporarily revert to Basic authentication with strong passwords until fixes arrive.
Source: Cyber Security News
Cybercriminals are running a sophisticated malvertising campaign that tricks users into downloading fake GitHub Desktop clients loaded with malware. The attackers exploit GitHub's trusted reputation by creating compromised repositories with hidden malicious code that appears legitimate.
When users search for GitHub Desktop through infected ads, they're redirected to these fake repositories. Once downloaded, the malware performs extensive system reconnaissance, collecting operating system details and network configurations before connecting to command servers.
The campaign uses advanced evasion techniques, including PowerShell payloads that deploy NetSupport Remote Access Trojan and AutoIT interpreters disguised as COM files. Unit 42 researchers discovered the threat through behavioral analysis of suspicious repository activities.
Source: Cybersecurity News