Fog ransomware attacks use employee monitoring tool to break into business networks
Fog ransomware operators have expanded their arsenal to include legitimate and open source tools. This is, most likely, to avoid being detected before deploying the encryptor. Security researchers from Symantec were recently brought in to investigate a Fog ransomware infection, and determined the hackers used Syteca, a legitimate employee monitoring tool, during the attack. This program, previously known as Ekran, records screen activity and keystrokes, and hasn’t been seen abused in attacks before now.
Account compromise leads to crash records data breach
A compromise of an account has led to improper downloads of a large number of crash records, and the Texas Department of Transportation (TxDOT) is working to notify those affected. On May 12, 2025, TxDOT identified unusual activity in its Crash Records Information System (CRIS). Further investigation revealed the activity originated from an account that was compromised and used to improperly access and download nearly 300,000 crash reports. TxDOT immediately disabled access from the compromised account. Personal information included in crash records may contain: first and last name, mailing and/or physical address, driver license number, license plate number, car insurance policy number and other information. Notification, in this case, is not required by law, but TxDOT has taken proactive steps to inform the public by sending letters to notify the impacted individuals whose information was included in the crash reports.
Washington Post investigating cyberattack on journalists’ email accounts, source says
The Washington Post is investigating a cyberattack on email accounts of some of its journalists, according to a source familiar with the matter and an internal memo reviewed by Reuters. The memo sent to Post employees by Executive Editor Matt Murray said the intrusion was discovered on Thursday and the newspaper immediately initiated an investigation. All Post employees had their passwords reset on Friday as a precaution, Murray said in the memo, adding that the intrusion was not thought to have had any impact on any additional Post systems or on customers.
Introducing: GitHub Device Code Phishing
What if all it took to compromise a GitHub organization, and thus the organization’s supply chain, was an eight-digit code and a phone call? Introducing: GitHub Device Code Phishing. While security teams have been battling Azure Active Directory device code phishing attacks for years, threat actors have overlooked GitHub’s OAuth2 device flow as an attack vector. At Praetorian, our Red Team works to identify creative initial access vectors that could have immediate, widespread impact. Given the recent increase in GitHub-related attacks, we feel obligated to share these techniques with the community so Blue Teams can be prepared.
Got a new password manager? How to clean up the credential mess you left in the cloud
Every modern web browser has tools for tracking the passwords you use with secure online services. Those features are often turned on by default, which means you probably have a random collection of passwords saved in the cloud along with your bookmarks and settings for your default browser. Those built-in utilities might have been good enough for an earlier era, but they aren’t good enough for our complex, multi-platform world. (For more on the pros and cons of those built-in tools, see “Apple, Google, and Microsoft offer free password managers – but should you use them?”)
Hackers have recently shared a new database they claim contains sensitive customer information stolen from the American telecommunications giant, T-Mobile. However, the company denied any connection to the archive, saying it had nothing to do with it, or its clients. A Cybernews report claims the unnamed cybercriminals leaked a database containing fresh intel (obtained as early as June 1, 2025). The database contained 64 million lines, holding valuable customer information such as full names, dates of birth, tax IDs, postal addresses, phone numbers, email addresses, device IDs, cookie IDs, and IP addresses.