Operation 'Power Off' seizes 27 stressor services.
23 December 2024
A total of 24 breaches were found and analysed, resulting in 14,282,547 leaked accounts containing a total of 28 different data types. The breaches found publicly and freely available included White Pages [2], Wife Lovers, Qraved, Stealer Log 0501 and CentraCare. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.
SPOTLIGHT
Europol has taken action against 27 “stressor” services (slang for DDoS-for-hire platforms) through an operation dubbed Operation Power Off. As part of the operation, Europol arrested three operators and identified 300 users. Europol stated that actions were taken against the 300 identified users. These users, likely low-level offenders such as script kiddies with poor operational security (OPSEC), were probably sent warning letters rather than facing legal proceedings. It’s speculated that these individuals were targeting small-scale platforms like Minecraft servers or WordPress websites.
Beyond seizing stressor services, Operation Power Off is pressuring Google to block ads promoting such services. Instead, Europol is encouraging ads designed to dissuade potential users from engaging with these illegal tools.
The dark web landscape has experienced notable disruptions as law enforcement and rival threat actors have taken down several forums. Forums like Breach Forums have faced repeated takedown attempts by the FBI, creating a temporary vacuum where smaller dark-net forums vied for dominance in the scene—what mainstream media refers to as "COM" (the community). For now, relative stability seems to have returned, but the future remains uncertain.
Meanwhile, law enforcement agencies are focusing on high-value targets. For example, Dutch and French authorities recently dismantled a Matrix-like messenger service used by organised crime networks, including arms dealers, human traffickers, and hitmen. The service, which cost users up to $280 per month, was compromised, leading to the arrest of an operator in Lithuania. This service should not be confused with the legitimate Matrix E2EE messenger. The takedown highlights a recurring lesson: if you're paying top dollar for a supposedly secure service, it's likely already compromised. Criminals may want to reconsider their methods, or their careers, if avoiding law enforcement scrutiny proves too challenging.
Elsewhere, an Eastern Arabic hacking group has issued a call for new recruits. The group, seeking "spy agents" for an "intelligence collection wing," appeals to high-level threat actors. Their recruitment pitch includes religious and nationalist messaging: “We call upon those whose purpose is to work for the religion of Allah and the welfare of the people and country.” However, skepticism abounds, with many suspecting the recruitment campaign is a honeypot operation orchestrated by the CIA.
VULNERABILITY CHAT
SHARP has issued a security advisory regarding multiple vulnerabilities identified in several of its router models. These flaws could allow attackers to perform malicious actions, ranging from gaining root privileges to executing denial-of-service (DoS) attacks.
A critical vulnerability in Apache Struts 2, patched last week, is now being actively exploited using publicly available proof-of-concept (PoC) code. Attackers can manipulate file upload parameters to enable path traversal, allowing malicious files to be uploaded into restricted directories. Under certain conditions, this can lead to remote code execution (RCE).
A zero-day vulnerability in the WordPress plugin Hunk Companion is being actively exploited. Threat actors are leveraging this flaw to compromise websites by exploiting vulnerabilities such as remote code execution, SQL injection, and cross-site scripting through subsequently installed plugins.
BeyondTrust has released patches for a critical vulnerability in its Privileged Remote Access (PRA) and Remote Support (RS) products. The flaw allows unauthenticated remote attackers to execute arbitrary operating system commands within the context of the site user. BeyondTrust strongly advises customers to update their systems promptly.
The Androxgh0st botnet has become significantly more dangerous with the integration of techniques from the Mozi botnet. According to a report by CloudSEK Threat Research, the upgraded botnet now employs advanced methods to infect and spread across a diverse array of networked devices.
Researchers have identified a vulnerability in Craft CMS, a widely used PHP-based content management system. The flaw allows unauthenticated remote code execution (RCE) under default configurations, enabling attackers to gain control over file paths and potentially execute arbitrary code.
Critical vulnerabilities in Apache Tomcat have been discovered, allowing attackers to execute remote code and cause denial-of-service (DoS). Exploitation involves a race condition during concurrent read and upload operations when the default servlet is configured with write permissions on a case-insensitive file system.
8 Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity and Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including Adobe (ColdFusion). See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 655 vulnerabilities last week, making the 2024 total 39,273. For more information visit https://nvd.nist.gov/vuln/search/
INFORMATION PRIVACY HEADLINES
Italy’s data protection authority has fined OpenAI €15 million over ChatGPT’s handling of personal data. The authority cited OpenAI’s failure to notify it of a March 2023 security breach and its lack of a legal basis for processing personal information to train the generative AI application.
The Dutch privacy regulator has fined Netflix €4.75 million for insufficiently informing consumers about how their data is used. The fine follows a 2019 complaint by the Austrian privacy nonprofit None of Your Business (Noyb).
The Irish Data Protection Commission (DPC) has imposed a €251 million fine on Meta for failing to comply with GDPR. The breach stemmed from a vulnerability in Facebook’s code that allowed unauthorised users to exploit scripts and view profiles they should not have had access to.
Meta Platforms has reached an A$50 million settlement with Australia’s privacy watchdog, resolving a prolonged legal battle over the Cambridge Analytica scandal. The breaches, initially reported in 2018, have previously led to fines from US and UK regulators.
Noyb has filed a complaint with Italy's data protection authority (DPA) against Ryanair over its facial recognition-based verification process. This follows a similar GDPR complaint filed with Spain’s DPA in July 2023.
The Bavarian State Office for Data Protection Supervision (BayLDA) has completed an investigation into Worldcoin’s identification procedures, citing significant GDPR compliance issues. The regulator found the methods posed fundamental data protection risks and ordered Worldcoin to initiate a data deletion process.
DATA CATEGORIES DISCOVERED
Socio-Demographic Data, Contact Data, Financial Data, Technical Data, Communications Data, Social Relationships Data, Locational Data, Usage Data, Documentary Data, Transactional Data.