Rankteo Cyber Security Incidents

Microsoft: Hackers Exploit Microsoft Teams to Breach Organizations While Posing as IT Helpdesk Staff

Rankiteo.com — Fri, 24 Apr 2026 00:00:00 +0000

UNC6692 Threat Group Exploits Microsoft Teams in Sophisticated Social Engineering Attack A newly identified cyber threat group, UNC6692, is targeting enterprises through a multi-stage attack combining social engineering and custom malware, leveraging Microsoft Teams and cloud services to evade detection. The attack begins with an email bombing campaign, flooding victims with spam to create confusion. While targets are distracted, attackers impersonate IT helpdesk staff via Microsoft Teams, using external accounts to offer a fake "local patch" as a solution. Victims are directed to a spoofed "Mailbox Repair Utility" page, where they are prompted to enter credentials intentionally rejected on the first attempt to ensure password capture before exfiltration to an attacker-controlled AWS server. Once credentials are stolen, the attack deploys a modular malware toolkit dubbed the SNOW ecosystem, including: - SNOWBELT: A malicious Chromium extension for persistent access. - SNOWGLAZE: A Python-based tunneling tool for encrypted communication. - SNOWBASIN: A remote access tool enabling command execution, screenshots, and data theft. After gaining a foothold, UNC6692 moves laterally across the network using Python scripts to scan systems, targeting backup servers and dumping LSASS memory to extract password hashes. These hashes are cracked offline and used in Pass-the-Hash attacks to compromise domain controllers. Attackers then exfiltrate the Active Directory database using legitimate forensic tools like FTK Imager, delivered via Microsoft Edge, and transfer data via platforms such as LimeWire. The campaign exemplifies "living off the cloud" tactics, abusing trusted services like Microsoft Teams and AWS to bypass traditional security measures. Indicators of compromise (IoCs) include: - Phishing/payload delivery: `service-page-25144-30466-outlook.s3.us-west-2.amazonaws[.]com` - SNOWBELT C2: `cloudfront-021.s3.us-west-2.amazonaws[.]com` - SNOWGLAZE WebSocket: `wss://sad4w7h913-b4a57f9c36eb.herokuapp[.]com/ws` - Data exfiltration: `service-page-11369-28315-outlook.s3.us-west-2.amazonaws[.]com` The attack underscores the risks of external Teams communications and the need for enhanced monitoring of browser-based activity and cloud service abuse.

Ollama: Hackers Exploit Ollama Model Uploads to Leak Server Data

Rankiteo.com — Fri, 24 Apr 2026 00:00:00 +0000

Critical Unpatched Vulnerability in Ollama Exposes Sensitive Data to Attackers Cybersecurity researchers have identified a severe, unpatched vulnerability in Ollama, a widely used open-source platform for running large language models (LLMs) locally. Tracked as CVE-2026-5757, the flaw resides in Ollama’s model quantization engine and allows unauthenticated attackers to steal sensitive server data by uploading a maliciously crafted AI model file. ### How the Exploit Works Ollama’s quantization process designed to optimize model performance by reducing numerical precision contains an out-of-bounds memory vulnerability in its handling of GPT-Generated Unified Format (GGUF) files. When an attacker uploads a specially crafted GGUF file and triggers quantization, the engine reads beyond safe memory limits due to three critical flaws: 1. Unchecked file metadata – The engine trusts user-provided metadata without verifying its alignment with the actual data size. 2. Unsafe memory operations – A Go-based memory slice extends into the application’s heap, enabling unauthorized access. 3. Data exfiltration via API – Stolen memory (including sensitive data) is written to a new model layer and can be extracted through Ollama’s registry API. ### Potential Impact Since the vulnerability grants access to the server’s heap memory, attackers can silently extract highly sensitive data processed during normal operations, including: - API keys - Private user data - Proprietary intellectual property Worse, the exploit could enable full server compromise, allowing attackers to move laterally within a network, establish persistence, and evade detection by standard security tools. ### Discovery & Current Status The flaw was uncovered by security researcher Jeremy Brown, who employed AI-assisted vulnerability research techniques. As of late April 2026, the CERT Coordination Center has been unable to contact Ollama’s vendor, leaving the vulnerability unpatched. ### Mitigation Measures Until an official fix is released, organizations running Ollama are advised to: - Disable or restrict model upload functionality on exposed servers. - Limit deployments to isolated or trusted networks. - Only use AI models from verified sources. - Enforce strict network controls to block unauthorized data exfiltration. The incident underscores the growing risks of supply chain attacks in AI infrastructure, particularly in open-source tools with widespread adoption.

Telegram: Hackers Use Pastebin-Hosted PowerShell Script to Steal Telegram Sessions

Rankiteo.com — Fri, 24 Apr 2026 00:00:00 +0000

New Telegram Session-Stealing PowerShell Script Discovered on Pastebin Cybersecurity researchers at Flare have identified a malicious PowerShell script hosted on Pastebin, designed to steal Telegram session data from both desktop and web-based clients. The script, titled "Windows Telemetry Update," masquerades as a legitimate Windows system update to deceive users into executing it. Upon execution, the script first gathers host metadata including the victim’s username, computer name, and public IP address before targeting Telegram’s session files in directories like `%APPDATA%\Telegram Desktop` and `%APPDATA%\Telegram Desktop Beta`. These files are compressed into a temporary diag.zip archive and exfiltrated via the Telegram Bot API. Two versions of the script were found on Pastebin under the same account. The initial version (v1) contained a broken multipart upload implementation, preventing successful data exfiltration. The operator later released a corrected version (v2), which properly transmits the stolen data using the `sendDocument` endpoint. The debugging process, visible in the Pastebin post history, offers rare insight into the development of session-stealing tools. The script forcibly terminates the Telegram process to bypass file locks before compressing session data. If the primary exfiltration method fails, a fallback `WebClient UploadFile` ensures the archive reaches the attacker. The script then deletes diag.zip to minimize forensic traces. A separate web-based stealer component, sharing the same bot infrastructure, captures Telegram Web’s `localStorage` session keys, allowing attackers to reconstruct authenticated sessions without passwords or SMS verification. Flare’s analysis suggests the script was still in testing rather than active deployment. However, the functional v2 variant and shared infrastructure with the web-based stealer indicate the capability is now validated and could be scaled for broader use. The lack of obfuscation, persistence, or automated delivery mechanisms further supports this assessment.

Udemy, McGraw-Hill, Vercel and Harvard University: Udemy Data Breach – ShinyHunters Allegedly Claims Compromise of 1.4M User Records

Rankiteo.com — Fri, 24 Apr 2026 00:00:00 +0000

ShinyHunters Claims Major Data Breach of Udemy, Threatens to Leak 1.4M Records On April 24, 2026, the cybercriminal group ShinyHunters announced a data breach targeting Udemy, one of the world’s largest online learning platforms, alleging the theft of over 1.4 million records containing personally identifiable information (PII) and internal corporate data. The group issued a "Pay or Leak" ultimatum, demanding a response from Udemy by April 27, 2026, or risk public exposure of the stolen data. ShinyHunters, a financially motivated extortion group active since 2019, has built a reputation for high-profile breaches, including the 2020 theft of 200 million records from 13 companies. In 2026 alone, the group has intensified attacks on SaaS platforms and the education sector, with recent victims including Vercel, McGraw-Hill, and Harvard University (where 115,000 alumni records were exposed). Google Threat Intelligence tracks the group under the designation UNC6240, noting its shift from traditional network exploitation to social engineering, MFA bypass, and credential harvesting. ShinyHunters often exploits third-party integrations and compromised vendor credentials, as seen in the Vercel breach, where a third-party vendor (Context.ai) served as the entry point. The education sector remains a prime target, with ShinyHunters previously breaching India’s Unacademy, stealing over 10 million user accounts. As of publication, Udemy has not confirmed or denied the breach, and researchers continue monitoring the group’s leak site for potential data release following the deadline. The incident underscores the group’s evolving tactics and persistent focus on high-value targets.

Sri Lankan Finance Ministry: Sri Lankan government hack sees $3.7m destined for Australia stolen

Rankiteo.com — Fri, 24 Apr 2026 00:00:00 +0000

Sri Lankan Finance Ministry Hit by $3.7 Million Cyber Heist Targeting Debt Payments The Sri Lankan government has confirmed a cyber attack on its Finance Ministry, resulting in the theft of over $3.7 million the largest sum ever stolen by hackers from a Sri Lankan state institution. The funds, earmarked for debt repayments to Australia, were diverted after attackers breached the ministry’s email servers and computer systems. Australian High Commissioner to Sri Lanka, Matthew Duckworth, acknowledged the incident, stating that both governments were aware of "irregularities" in the payments. While Sri Lankan authorities have not disclosed the nature of the attack or identified the perpetrators, Finance Ministry Secretary Harshana Suriyapperuma revealed that hackers altered payment details to redirect the funds. The Criminal Investigation Department (CID) and the Financial Intelligence Unit of the Central Bank of Sri Lanka have been notified, and a formal investigation led by a committee including two deputy Treasury secretaries has been launched. The breach was discovered after officials detected unauthorized access to the ministry’s email servers. Sri Lanka, still recovering from its 2022 economic crisis and default on $46 billion in external debt, remains under scrutiny as authorities work with Australian officials to trace the stolen funds. Australia has reaffirmed its commitment to supporting Sri Lanka’s debt sustainability efforts amid the ongoing probe.

Coupang: South Korea says Coupang data breach probe affects US security talks

Rankiteo.com — Fri, 24 Apr 2026 00:00:00 +0000

South Korea’s Coupang Data Breach Complicates US Security Talks South Korea’s National Security Adviser, Wi Sung-lac, confirmed on Friday that an ongoing investigation into a major data breach at e-commerce giant Coupang is creating friction in security negotiations with the United States. The government has emphasized that the probe should proceed independently of broader security discussions, as linking the two could undermine diplomatic progress. The breach, which has drawn regulatory scrutiny, has raised concerns about its potential impact on sensitive bilateral talks. While South Korea maintains that private sector issues should not derail strategic cooperation, the incident has introduced complications in high-level consultations. Details on the scope of the breach, including the number of affected users or the nature of exposed data, remain undisclosed. The situation underscores the growing intersection of cybersecurity incidents and geopolitical relations, particularly as digital threats increasingly influence national security priorities.

Innovative Scientific Solutions and LLC: Innovative Scientific Solutions Data Breach Exposes Personal Information: Murphy Law Firm Investigates Legal Claims

Rankiteo.com — Thu, 23 Apr 2026 00:00:00 +0000

Innovative Scientific Solutions Suffers Major Data Breach, Exposing Sensitive Personal Information On April 23, 2026, Oklahoma-based Innovative Scientific Solutions, LLC disclosed a significant data breach after detecting suspicious activity on its network. A forensic investigation revealed that cybercriminals had infiltrated the company’s inadequately secured systems, gaining access to files containing sensitive personal data belonging to thousands of individuals. The exposed information includes names, Social Security numbers, driver’s license numbers, financial account details, credit/debit card information, medical treatment records, and health insurance data. The breach raises serious concerns about potential identity theft, fraud, and the sale of compromised data on the dark web. Murphy Law Firm has launched an investigation into the incident and is exploring legal action, including a potential class action lawsuit, on behalf of affected individuals. The firm specializes in data breach litigation and has previously secured favorable outcomes for clients in similar cases. No further details on the breach’s origin, the number of impacted individuals, or the timeline of the attack have been released. The incident underscores the ongoing risks posed by inadequate cybersecurity measures in safeguarding sensitive personal information.

Mozilla: Privacy Vulnerability in Firefox and TOR Browsers

Rankiteo.com — Thu, 23 Apr 2026 00:00:00 +0000

Firefox and Tor Browsers Affected by Privacy-Tracking Vulnerability Security firm Fingerprint uncovered a privacy flaw in Firefox and the Tor Browser that could allow websites to track users even in private browsing or anonymity-focused modes. The vulnerability, stemming from low entropy in how browsers retrieve non-sensitive metadata, created unique system fingerprints that persisted despite privacy protections. Mozilla addressed the issue in Firefox 150, released on April 21, 2026, after Fingerprint responsibly disclosed the flaw. The weakness exploited inconsistencies in database metadata retrieval, enabling tracking across sessions undermining the privacy assurances of private browsing and Tor’s anonymity features. The discovery highlights broader risks in browser security, particularly as AI-driven tools like Anthropic’s Claude Mythos may uncover similar vulnerabilities in the future. While the patch resolves the immediate threat, the incident underscores the ongoing challenges in maintaining robust privacy protections.

Centreon: KARE 11

Rankiteo.com — Thu, 23 Apr 2026 00:00:00 +0000

Cyberattack Targets French Government Agencies via Compromised Software Update A sophisticated cyberattack recently disrupted operations across multiple French government agencies after attackers exploited a compromised software update. The incident, detected in early June 2024, involved malicious actors infiltrating the supply chain of a widely used administrative software provider, Centreon, to distribute malware to its clients. The attack primarily affected agencies relying on Centreon’s IT monitoring tools, with initial reports indicating disruptions in data access and system functionality. French cybersecurity agency ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) confirmed the breach stemmed from a trojanized update pushed to users, allowing threat actors to gain persistent access to internal networks. While the full scope of the compromise remains under investigation, early findings suggest the attackers sought to exfiltrate sensitive administrative data rather than deploy ransomware. ANSSI has attributed the attack to a state-sponsored group, citing tactics consistent with advanced persistent threat (APT) actors. No specific nation-state has been publicly named. The incident underscores the growing risk of supply chain attacks, where trusted software vendors become unwitting vectors for cyber espionage. French authorities have since issued emergency patches and urged affected agencies to isolate compromised systems, though the long-term impact on government operations is still being assessed.

UK’s National Cyber Security Centre and Volt Typhoon: Chinese hackers are using everyday devices to hack UK firms, warns watchdog

Rankiteo.com — Thu, 23 Apr 2026 00:00:00 +0000

China-Linked Hackers Exploit Everyday Devices in Global Espionage Campaign The UK’s National Cyber Security Centre (NCSC), alongside cybersecurity agencies from nine other countries including the U.S., Australia, Canada, and Germany has issued a warning about a sophisticated cyber-espionage campaign tied to China. The threat involves the hijacking of common internet-connected devices, such as Wi-Fi routers, printers, and webcams, to create covert networks (or "botnets") for surveillance and data theft. These botnets primarily target outdated or unpatched devices, using them as launchpads for attacks while obscuring the attackers' origins. The NCSC’s CEO, Richard Horne, described China’s cyber capabilities as "eye-watering," emphasizing that Beijing’s intelligence and military agencies now operate as a "peer competitor" in cyberspace. The shift in tactics leveraging compromised consumer and small office devices marks a significant evolution in China-linked cyber operations. The advisory highlights that these covert networks are often maintained by private Chinese firms, with one example involving a company that infected 200,000 devices worldwide. A notable group, Volt Typhoon, has been linked to infiltrations of critical U.S. infrastructure, including rail, aviation, and water systems. The NCSC warns that multiple threat actors may share a single botnet, making attribution and defense more challenging. To mitigate risks, the NCSC recommends organizations map their IT systems including connections to consumer broadband networks enforce multi-factor authentication for remote access, and restrict external device connections. While the guidance is aimed at businesses, the widespread use of compromised household devices underscores the broader threat landscape. Earlier this year, Google disrupted a similar "residential proxy" network, demonstrating the global scale of these operations. The NCSC’s advisory, published on Thursday, confirms that China-backed hackers continue to refine their methods, posing a persistent and evolving risk to cybersecurity.

Asurion, npm and GitHub: Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens

Rankiteo.com — Wed, 22 Apr 2026 17:33:00 +0000

New Supply Chain Worm Targets npm and PyPI, Stealing Developer Credentials Cybersecurity researchers from Socket and StepSecurity have uncovered a self-propagating supply chain worm, dubbed CanisterSprawl, that exploits compromised npm packages to steal developer credentials and spread malicious updates. The campaign, active in recent weeks, leverages an ICP canister for data exfiltration a tactic previously used by TeamPCP to evade takedowns. ### Affected Packages The following npm packages were found to contain malicious postinstall hooks that trigger the worm during installation: - `@automagik/genie` (v4.260421.33–4.260421.40) - `@fairwords/loopback-connector-es` (v1.4.3–1.4.4) - `@fairwords/websocket` (v1.0.38–1.0.39) - `@openwebconcept/design-tokens` (v1.0.1–1.0.3) - `@openwebconcept/theme-owc` (v1.0.1–1.0.3) - `pgserve` (v1.1.11–1.1.14) ### Attack Mechanics Once executed, the malware harvests sensitive data from developer environments, including: - npm tokens (used to publish poisoned package versions) - SSH keys, `.git-credentials`, and `.netrc` files - Cloud credentials (AWS, Google Cloud, Azure) - Kubernetes, Docker, Terraform, and Vault configurations - Local `.env` files and shell history - Browser-stored credentials (Chromium-based browsers) - Cryptocurrency wallet extensions Stolen data is exfiltrated to: - An HTTPS webhook (`telemetry.api-monitor[.]com`) - An ICP canister (`cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io`) The worm also includes PyPI propagation logic, generating malicious Python packages via Twine if credentials are present, effectively turning one compromised environment into multiple package infections. ### Additional Threats in Open-Source Ecosystems - Compromised PyPI Package: Versions 2.6.0–2.6.2 of the legitimate `xinference` package were altered to include a Base64-encoded payload, fetching a second-stage credential harvester. While the payload includes the marker "# hacked by teampcp," the group denied involvement, suggesting a copycat attack. - Fake Kubernetes Tools: Malicious npm (`kube-health-tools`) and PyPI (`kube-node-health`) packages disguised as Kubernetes utilities deploy a Go-based binary that sets up: - A SOCKS5 proxy - A reverse proxy - An SFTP server - An LLM proxy (routing requests to Chinese LLM APIs, enabling secret exfiltration and malicious payload injection). - Asurion-Themed npm Attack: Between April 1–8, 2026, threat actors published fake npm packages (`sbxapps`, `asurion-hub-web`, `soluto-home-web`, `asurion-core`) impersonating Asurion and its subsidiaries. Stolen credentials were first sent to a Slack webhook, then to an AWS API Gateway endpoint, later obfuscated with XOR encoding. - GitHub Actions Exploitation: A campaign dubbed prt-scan, active since March 11, 2026, abuses the `pull_request_target` GitHub Actions trigger to steal secrets. Attackers: - Fork repositories using the trigger - Inject malicious payloads into CI workflows - Open pull requests to trigger credential theft - Publish malicious npm packages if tokens are found While the campaign had a <10% success rate, most victims were small projects, though a few exposed cloud credentials and persistent API keys. ### Impact & Trends These incidents highlight the growing sophistication of supply chain attacks, with threat actors increasingly targeting npm, PyPI, and CI/CD pipelines to propagate malware. The use of resilient exfiltration methods (ICP canisters, obfuscated endpoints) and multi-stage credential theft underscores the need for heightened scrutiny in open-source dependency management.

Bitwarden: Bitwarden CLI npm package compromised to steal developer credentials