LIVE: Global Cyber Incidents — Week of Aug 12–18, 2025 (IST) Editor: CyberDudeBivash ThreatWire | Date: Aug 18, 2025 (IST)



Top headlines at a glance

  • Critical infrastructure: Norway formally attributes an April dam hack to pro-Russian actors; floodgate was opened remotely for ~4 hours. Sources: Reuters, AP News

  • Immigration at risk: Ongoing phishing against the Home Office Sponsorship Management System (SMS) can let criminals issue fake UK work/student visas. Sources: Mimecast, TechRadar

  • Insurance mega-breach: Allianz Life data (2.8M records) leaked after a Salesforce-focused social engineering campaign; SSNs exposed. Sources: Reuters, BleepingComputer, TechRadar

  • Defense supply chain: UK MoD-linked contractor breach exposes data of ~3,700 Afghans and others tied to resettlement flights. Sources: AP News, Financial Times

  • India watch: Coordinated hacktivist & APT activity around Independence Day; thousands of nuisance attacks & phishing lures observed. cloudsek.com

  • India crypto update: CoinDCX confirms ~$44M theft from an internal ops wallet; user funds safe; recovery actions ongoing. Sources: CoinDCX and one other


1) Norway hydropower dam hack (attribution update)

What’s new: Norway’s PST chief publicly blamed pro-Russian hackers for the April 7 breach that remotely opened a floodgate for ~4 hours. No injuries, but it’s a rare, confirmed cyber-physical manipulation on European infrastructure. Risk: copycat OT intrusions. Sources: Reuters, AP News

Defender moves (OT/ICS):

  • Remove public-internet exposure of HMIs/PLCs; enforce VPN with device posture checks.

  • Rotate/disable default creds; mandate hardware keys for remote ops.

  • Implement network allow-listing between IT↔OT; alert on valve/open setpoint changes outside change windows.
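One way to implement the last bullet as detection logic, as an added example that is not from the original post: a pass over constructed historian write events that flags monitored setpoint changes made outside an approved change window or from a host that is not an approved engineering workstation. Tag names, the window, the writer allow-list and the events are all assumptions made up for this example.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Hypothetical tag names for gate-open setpoints (constructed, not from any real plant).
MONITORED_TAGS = {"GATE1.OPEN_SETPOINT", "GATE2.OPEN_SETPOINT"}
# Approved maintenance window (local time); setpoint writes are expected only inside it.
CHANGE_WINDOWS = [(time(2, 0), time(4, 0))]
# Engineering workstations allowed to write setpoints (assumed address).
APPROVED_WRITERS = {"10.20.0.5"}


@dataclass
class WriteEvent:
    ts: datetime   # time of the write
    tag: str       # tag written
    old: float     # value before the write
    new: float     # value after the write
    src: str       # source host of the write


def in_change_window(ts: datetime) -> bool:
    """True if the timestamp falls inside any approved change window."""
    t = ts.time()
    return any(start <= t <= end for start, end in CHANGE_WINDOWS)


def flag_setpoint_writes(events):
    """Return (time, tag, old, new, reasons) for risky writes to monitored tags."""
    alerts = []
    for e in events:
        if e.tag not in MONITORED_TAGS or e.old == e.new:
            continue  # not a monitored tag, or no actual change of value
        reasons = []
        if not in_change_window(e.ts):
            reasons.append("outside change window")
        if e.src not in APPROVED_WRITERS:
            reasons.append(f"unapproved writer {e.src}")
        if reasons:
            alerts.append((e.ts.isoformat(), e.tag, e.old, e.new, "; ".join(reasons)))
    return alerts


# Constructed sample events for this example.
SAMPLE_EVENTS = [
    WriteEvent(datetime(2025, 4, 7, 3, 10), "GATE1.OPEN_SETPOINT", 0.0, 0.0, "10.20.0.5"),       # no change
    WriteEvent(datetime(2025, 4, 7, 3, 15), "GATE2.OPEN_SETPOINT", 0.0, 10.0, "10.20.0.5"),      # in window, approved
    WriteEvent(datetime(2025, 4, 7, 13, 42), "GATE1.OPEN_SETPOINT", 0.0, 100.0, "203.0.113.9"),  # both reasons
    WriteEvent(datetime(2025, 4, 7, 17, 50), "GATE1.OPEN_SETPOINT", 100.0, 0.0, "10.20.0.5"),    # out of window
    WriteEvent(datetime(2025, 4, 7, 13, 45), "TURBINE1.RPM", 300.0, 310.0, "203.0.113.9"),       # not monitored
]

if __name__ == "__main__":
    for alert in flag_setpoint_writes(SAMPLE_EVENTS):
        print(alert)
```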


2) UK Home Office sponsorship portal phishing (live campaign)

What’s happening: Criminals impersonate Home Office emails, funneling targets through CAPTCHA-gated lookalike pages to steal SMS (Sponsorship Management System) credentials. Access could be sold to issue fake Certificates of Sponsorship and visas. Sources: Mimecast, TechRadar

Defender moves (enterprises & sponsors):

  • Lock SMS behind SSO with FIDO2 only; geo/ASN conditional access.

  • Add high-friction approvals for CoS issuance (4-eye rule, just-in-time roles).

  • Strip QR/HTML redirects; banner external senders; simulate & train for urgent-tone phish.


3) Allianz Life: Salesforce-focused social engineering → mass leak

What’s confirmed: Attackers abused a third-party cloud CRM via social engineering; data on the majority of 1.4M customers was accessed (U.S.). On Aug 12, actors leaked ~2.8M records; SSN exposure confirmed. Sources: Reuters, BleepingComputer, TechRadar

Defender moves (SaaS hardening):

  • Enforce per-app MFA + phishing-resistant keys; disable phone/SMS resets.

  • SaaS least privilege & customer-managed keys; continuous export-log monitoring for large object reads.

  • Third-party CRM B2B risk reviews, breach clauses, and automated off-boarding of stale users.


4) MoD-linked contractor breach (UK Afghan resettlement flights)

What’s new: Inflite The Jet Centre reported unauthorized email access exposing ~3,700 people’s data tied to Stansted flights (Jan–Mar 2024), including Afghan refugees and some officials. Government systems weren’t breached; fallout and safety concerns persist. Sources: AP News, Financial Times

Defender moves (suppliers & gov’t):

  • Supplier segmentation; DLP on email; block auto-forwarding rules.

  • Rapid breach notifications, protective monitoring for at-risk individuals; coordinate with ICO & law enforcement.

  • Mandate SPF/DKIM/DMARC and JIT privileged access for contractor mail.


5) India focus: Independence Day surge in nuisance ops

What’s reported: Researchers tracked thousands of low-to-mid-grade attacks (DDoS, phishing, fake sites) targeting Indian gov/finance/defense around Aug 15; some lures tied to recent terror headlines. Treat as noisy but persistent opportunistic pressure. cloudsek.com

Defender moves (CII & BFSI):

  • Anycast DDoS protection; WAF rule-packs for HTTP/2 abuse patterns.

  • Brand-monitoring; takedown playbooks for lookalike domains; anti-fraud MFA policies at scale.


6) India crypto: CoinDCX post-incident status

Status: CoinDCX says a server/partner-exchange-linked compromise drained ~$44M from an internal ops wallet; customer funds remained in cold storage, operations restored, and recovery/bounty efforts are underway. Sources: CoinDCX and one other

Defender moves (exchanges & fintech):

  • Separate market-making ops from core; per-function wallets with withdraw allow-lists.

  • Real-time withdrawal anomaly models; session binding to hardware keys.

  • Tier-0 admin access via PAWs (privileged access workstations) and outbound egress allow-lists only.


Rapid triage checklist (map to MITRE)

  • T1566 (Phishing): block HTML-smuggling/QR; FIDO2 across staff and partners.

  • TA0005 (Defense Evasion): detect mailbox rules & OAuth token grants to rogue apps.

  • ICS: alert on engineering workstation logins out of hours; baseline setpoint writes.

  • SaaS exfil (T1537): watch bulk API pulls and report exports from CRM/ERP.
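A vendor-neutral triage pass over constructed audit events, as an added example that is not from the original post, covering the mailbox-rule and OAuth-grant items (TA0005) and the bulk-export item (T1537) above, plus the auto-forwarding rule from section 4. The event shape, domains, app ids, scope names and the 50,000-row threshold are assumptions, not any real vendor’s schema or default.

```python
# Assumed internal mail domain; anything else is treated as external.
INTERNAL_DOMAINS = {"example.org"}
# Hypothetical threshold above which one export/API pull counts as bulk.
BULK_ROW_THRESHOLD = 50_000
# Scopes that warrant review when granted to an unverified publisher (assumed list).
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "offline_access"}

# Constructed audit events in a vendor-neutral shape for this example.
SAMPLE_EVENTS = [
    {"type": "InboxRuleCreated", "user": "a.khan@example.org", "forward_to": "drop@mail.example.net"},
    {"type": "InboxRuleCreated", "user": "b.rao@example.org", "forward_to": "archive@example.org"},
    {"type": "OAuthConsent", "user": "c.lee@example.org", "app_id": "app-0001",
     "scopes": ["Mail.Read", "offline_access"], "verified_publisher": False},
    {"type": "OAuthConsent", "user": "d.ng@example.org", "app_id": "app-0002",
     "scopes": ["User.Read"], "verified_publisher": True},
    {"type": "ReportExport", "user": "svc-crm@example.org", "rows": 250_000, "object": "Contact"},
    {"type": "ReportExport", "user": "e.das@example.org", "rows": 320, "object": "Account"},
]


def is_external(addr: str) -> bool:
    """True if the address's domain is not one of ours."""
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def triage(events):
    """Return (technique, user, detail) findings mapped to the checklist above."""
    findings = []
    for e in events:
        if e["type"] == "InboxRuleCreated" and is_external(e["forward_to"]):
            findings.append(("TA0005", e["user"],
                             f"inbox rule forwards to external {e['forward_to']}"))
        elif e["type"] == "OAuthConsent":
            risky = HIGH_RISK_SCOPES & set(e["scopes"])
            if risky and not e["verified_publisher"]:
                findings.append(("TA0005", e["user"],
                                 f"unverified app {e['app_id']} granted {sorted(risky)}"))
        elif e["type"] == "ReportExport" and e["rows"] >= BULK_ROW_THRESHOLD:
            findings.append(("T1537", e["user"],
                             f"bulk export of {e['rows']} {e['object']} rows"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```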



#CyberDudeBivash #ThreatIntel #Infosec #Ransomware #DataBreach #SaaSSecurity #OTSecurity #ZeroTrust #IndiaCyber #Phishing
