@GossiTheDog it's not like DFIR relies on audit logs.
For fuck's sake, Microsoft.
First it looked like Clinical Diagnostics (Eurofins) had paid the Nova ransomware gang not to leak the Dutch patient data of 485k women in a cancer screening program. Nova even confirmed to a news outlet that they got paid (which in and of itself is weird, as most gangs will not acknowledge payment).
But then yesterday, Nova changed the listing and now seems to be demanding more payment because the police got involved?
It's very hard to figure out what Nova is saying in their broken English and in translations of the parts they now write in Russian. See what you think:
A new flaw in WinRAR is being exploited by at least two different hacker groups. Read more on the blog:
https://kryptera.se/ny-brist-i-winrar-utnyttjas-av-minst-tva-hotaktorer/
25% of security leaders replaced after ransomware attack – Source: www.csoonline.com https://ciso2ciso.com/25-of-security-leaders-replaced-after-ransomware-attack-source-www-csoonline-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #IncidentResponse #CSOandCISO #ransomware #CSOonline #CSOOnline
Let's talk about APTs (advanced persistent threats).
An APT can gain access to your company’s systems and networks then hide within, and wait to complete objectives at a later time.
Since they can cause long-term damage to sensitive systems and data, understanding what they are and why they matter will enable you to better protect your org.
Read our latest blog to learn about:
- The key characteristics of APTs
- The 3 stages of an APT attack
- The main motives and targets of an APT attack
- How to detect an advanced persistent threat
- Best practices for mitigating, detecting, and responding to APTs
https://graylog.org/post/advanced-persistent-threat-what-they-are-and-why-they-matter/ #cybersecurity #cyberattack #TDIR #threatdetection #incidentresponse
Was sharing this with a friend today, my description of a game called "Wheel of Expertise" that helps teams dig into deep specifics of their systems:
#Brazil: 121,981 files were exposed without security on a server containing health documents.
*I contacted the Acqua Institute via email reporting their server being compromised, copying CERT BR on this email; none of these entities responded to my email.*
- The server was blocked on July 16th.
- I tried to contact the ANPD (National Data Protection Authority) but never received a response.
- I contacted a data protection expert who answered via email the questions that the ANPD couldn't answer.
- The data controller may have informed the ANPD, we don't know...
Read more:
Well, I've had it. The firm responsible for exposed court and prosecution files from at least two states has not responded to phone calls, emails, LinkedIn messages, or contacts by their host.
On Saturday, I called the FBI tip line and let them know what's going on. Maybe the FBI will call me and ask me for the IP addresses so they can call the firm and tell them to lock down the damned shares.
Then today, I filed a formal #FTC complaint against the firm for violation of Section 5 of the FTC Act for its inadequate security, its failure to have any procedure to receive, evaluate, and escalate third-party alerts of security issues, and for using the same password in all client installations for a MySQL database.
And oh, last night I learned that a court system in a third state was not only exposed, too, but was hit by ransomware in March. Lovely.
25% of security leaders replaced after ransomware attack https://www.csoonline.com/article/4040156/25-of-security-leaders-replaced-after-ransomware-attack.html #IncidentResponse #CSOandCISO #Ransomware
Caught in the cyber crosshairs: A candy manufacturer’s 2025 ransomware ordeal – Source: www.csoonline.com https://ciso2ciso.com/caught-in-the-cyber-crosshairs-a-candy-manufacturers-2025-ransomware-ordeal-source-www-csoonline-com/ #rssfeedpostgeneratorecho #AgricultureIndustry #CyberSecurityNews #IncidentResponse #cyberattacks #Cybercrime #DataBreach #CSOonline #CSOOnline #hacking
hey friends, still me, still sharing roles even in the full of summer. someone i know is the SOC lead for an MSSP and is looking for a DFIR person for a weekend 4/10 shift. anyone interested? hmu with your linkedin and i'll pass along
So as a quick update on the issue of two state courts that we know of exposing sealed records:
Last night, those of us still trying to figure out who was responsible figured it out -- it is a vendor (third-party) who is responsible for the exposed shares.
With the researcher's cooperation and input, I sent a detailed email last night to the only email address that vendor has on their website.
No reply was received, of course.
So I just called their main number... and started to tell them why I was calling, and they hung up on me.
I just called back. They didn't answer the phone, so I left a VM on their administrative offices' extension.
If the firm doesn't call me back or lock down those shares today, expect me to say more here tomorrow.
It is now 1 month since people started trying to get these shares secured. None of us are paid to do this. And getting hung up on should get the company a #CID from the #FTC in a more perfect world -- to ask what their procedures and policies are for receiving a security alert from an external (third) party.
Caught in the cyber crosshairs: A candy manufacturer’s 2025 ransomware ordeal https://www.csoonline.com/article/4038381/caught-in-the-cyber-crosshairs-a-candy-manufacturers-2025-ransomware-ordeal.html #AgricultureIndustry #IncidentResponse #Cyberattacks #Cybercrime #DataBreach #Hacking
How military leadership prepares veterans for cybersecurity success https://www.helpnetsecurity.com/2025/08/15/warren-odriscoll-ntt-data-veterans-cybersecurity-leadership/ #incidentresponse #skilldevelopment #cybersecurity #Don'tmiss #Features #Hotstuff #training #threats #News #NTT
If they're gonna use "post-mortem" then I say use "postmortem". Make it a different word, refuse to align it with death.
Post-Incident Review is always better.
Learning Review isn't always the same thing for a lot of companies, sometimes you need both.
But whatever you call it, just do it.
PLoB: A Behavioral Fingerprinting Framework to Hunt for Malicious Logins – Source: www.securityweek.com https://ciso2ciso.com/plob-a-behavioral-fingerprinting-framework-to-hunt-for-malicious-logins-source-www-securityweek-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #IncidentResponse #Identity&Access #securityweekcom #securityweek #Splunk #PLoB
Google Breached in Salesforce Data Theft Wave!
Google has confirmed it was impacted by the same Salesforce data breach campaign targeting major global brands, including Cisco, Adidas, and Louis Vuitton. The ShinyHunters extortion group reportedly accessed one of Google’s CRM instances and stole SMB contact data during a brief window in June.
This breach is part of a broader attack campaign exploiting Salesforce and using vishing to target employees. At least one company has already paid a $400K ransom to prevent data leaks.
Read the details: https://www.bleepingcomputer.com/news/security/google-suffers-data-breach-in-ongoing-salesforce-data-theft-attacks/
Promises, promises.
Exclusive: Brosix and Chatox promised to keep your chats secured. They didn’t.
A researcher found a misconfigured backup with -- yes, you guessed it -- everything in plaintext instead of encrypted.
Some entities that used the service are medical entities that were actually mentioning protected health information or attaching files with #PHI in the chat.
There were almost 5k Allstate employees using the service and sharing customer #PII in files.
And oh yeah, I found one company gossiping about me and plotting against me after I notified them they were leaking tons of #PHI. I've done them a favor by not publishing all their chat logs about me. :)
There also appeared to be some "dodgy" stuff on the backup, too.
Read the details about the exposed backup in my post at https://databreaches.net/2025/08/05/exclusive-brosix-and-chatox-promised-to-keep-your-chats-secured-they-didnt/
#infosec #encryption #databreach #incidentresponse #chatox #brosix #dataleak
Search for software, end up getting ransomware!
The DFIR Report has observed SEO-driven #Bumblebee malware campaigns occurring over the month of July. This initial access led to full domain compromise, data exfiltration, and deployment of Akira Ransomware.
Attack Chain
Search for IT software in search engine > Click SEO hijacking domain > Download Trojaned installer MSI > Installer executes Bumblebee Malware
Other Tools Dropped
AdaptixC2 - Command and Control
Netscan - Discovery
Additional Discovery
Windows utilities - systeminfo, nltest, whoami, net
Persistence & Privilege Escalation
Created domain user accounts and added to "Enterprise Administrators"
Exfiltration
SFTP via Filezilla
Impact
Akira Ransomware
Full Report:
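A defender-side check for the chain summarized in the post above, added here as an example; it is not code from The DFIR Report or its write-up. It assumes simplified event records standing in for Sysmon process-creation (EID 1) and Windows Security "member added to global group" (EID 4728) events, and correlates a burst of the listed built-in discovery utilities from one account with that same account later adding a new member to a Tier-0 group. The hostnames, account names and records are constructed sample telemetry.

```python
"""Added example (not The DFIR Report's code): correlate a discovery burst
(systeminfo/nltest/whoami/net from one host+user inside a short window) with a
subsequent Tier-0 group addition performed by the same account.

Event shapes are simplified stand-ins for Sysmon EID 1 and Security EID 4728.
All records below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in utilities named in the post, plus net1.exe which net.exe spawns.
DISCOVERY_TOOLS = {"systeminfo.exe", "nltest.exe", "whoami.exe", "net.exe", "net1.exe"}
# Groups whose membership changes should always be reviewed.
TIER0_GROUPS = {"Enterprise Admins", "Domain Admins", "Administrators"}

# Constructed sample telemetry (hypothetical hosts and accounts).
EVENTS = [
    {"time": "2025-07-10T09:00:05", "event_id": 1, "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\whoami.exe"},
    {"time": "2025-07-10T09:00:41", "event_id": 1, "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\systeminfo.exe"},
    {"time": "2025-07-10T09:02:10", "event_id": 1, "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\nltest.exe"},
    {"time": "2025-07-10T09:04:55", "event_id": 1, "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\net.exe"},
    # Benign noise: a single whoami from another user is not a burst.
    {"time": "2025-07-10T09:10:00", "event_id": 1, "host": "WS02", "user": "CORP\\bob",
     "image": "C:\\Windows\\System32\\whoami.exe"},
    # Tier-0 addition by the same account that ran the discovery burst.
    {"time": "2025-07-10T09:31:12", "event_id": 4728, "subject_user": "CORP\\alice",
     "member": "CORP\\svc_backup2", "group": "Enterprise Admins"},
    # Tier-0 addition with no preceding burst: reviewable, but not correlated.
    {"time": "2025-07-10T11:00:00", "event_id": 4728, "subject_user": "CORP\\admin-jane",
     "member": "CORP\\admin-tom", "group": "Domain Admins"},
    # Non-Tier-0 group change: ignored by this check.
    {"time": "2025-07-10T11:05:00", "event_id": 4728, "subject_user": "CORP\\admin-jane",
     "member": "CORP\\carol", "group": "Sales"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def find_discovery_bursts(events, window=timedelta(minutes=10), min_tools=3):
    """Return one burst per (host, user) that ran >= min_tools distinct
    discovery utilities within `window`."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 1:
            continue
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name in DISCOVERY_TOOLS:
            per_actor[(ev["host"], ev["user"])].append((parse_time(ev["time"]), name))
    bursts = []
    for (host, user), hits in per_actor.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {n for t, n in hits[i:] if t - t0 <= window}
            if len(seen) >= min_tools:
                bursts.append({"host": host, "user": user, "start": t0, "tools": sorted(seen)})
                break  # one burst per actor is enough to raise an alert
    return bursts


def find_tier0_additions(events):
    """Return all EID 4728 records whose target group is Tier-0."""
    return [ev for ev in events if ev["event_id"] == 4728 and ev["group"] in TIER0_GROUPS]


def correlate(events, lookahead=timedelta(hours=24)):
    """Alert when a Tier-0 addition is performed by an account that produced a
    discovery burst within the preceding `lookahead`."""
    alerts = []
    bursts = find_discovery_bursts(events)
    for add in find_tier0_additions(events):
        t_add = parse_time(add["time"])
        for b in bursts:
            if b["user"] == add["subject_user"] and b["start"] <= t_add <= b["start"] + lookahead:
                alerts.append({
                    "host": b["host"], "user": b["user"], "tools": b["tools"],
                    "member": add["member"], "group": add["group"],
                    "minutes_after_burst": int((t_add - b["start"]).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(f"ALERT {alert['user']}@{alert['host']} ran {alert['tools']} then added "
              f"{alert['member']} to '{alert['group']}' {alert['minutes_after_burst']} min later")
```

The second 4728 record (no preceding burst) is deliberately left out of the correlated alerts but still surfaces through find_tier0_additions, since every Tier-0 membership change deserves review on its own; the correlation only raises the priority of the one that matches the post's sequence.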
Missed one of my past conference talks? Let’s fix that.
I’m sharing my favorites—packed with real-world advice, lessons, and a few laughs.
“Incident Response for Devs” - And #DevOps folks too! https://twp.ai/4ioL7f