Tag: Breach

  • China’s “King of Vulnerabilities” Hacked: Knownsec Leak Exposes Zero-Day Flaws

    A data leak at the Chinese company Knownsec—long heralded as one of the flagships of the nation’s cybersecurity industry—has dealt the firm a reputational blow and forced an unexpected admission of internal weaknesses. In early November, unknown actors published a trove of the company’s internal documents online, revealing that the so-called “king of vulnerabilities” had failed to protect its own infrastructure: attackers had exploited three zero-day flaws to infiltrate Knownsec’s systems back in 2023. The company offered an unusually detailed account of the incident—rare transparency for China’s corporate sector—yet many questions remain unanswered.

    On 5 November, the Chinese blog Mrxn’s Blog reported what it called the “largest leak” in Knownsec’s history, claiming that around 12,000 confidential documents had surfaced—ranging from tools and internal systems to lists of targets. It was later discovered that the data had first appeared on GitHub, from which it was removed for policy violations. The English-language outlet NETASKARI was among the first to analyze the available fragments, finding only promotional materials, monitoring data lists, and a corporate profile—nothing resembling “offensive cyberweapons” of state-hacker caliber. Still, the journalist noted that Knownsec remains a company capable of developing intrusion tools for clients and, potentially, conducting offensive operations.

    Yet neither researchers nor journalists—including NETASKARI and Natto Team—have seen the full archive. Nonetheless, Western media quickly circulated dramatic headlines about a “massive leak of China’s cyber arsenal.” Amid the noise over Knownsec’s supposed arsenal of tools, Natto Team sought to examine the incident from Knownsec’s perspective, shedding light on the role major private firms play in shaping China’s cyber power.

    Founded in 2007, Knownsec stands among the industry’s most influential and technologically sophisticated companies. In 2024, the research group RoarTalk ranked it among the twenty key “comprehensive” players in the market. Its founders and current CSO hail from the first generation of China’s “patriotic hackers,” pioneers of the country’s late-1990s hacking scene. Particularly prominent is CSO Zhou Jinping—better known as SuperHei—who has dominated global vulnerability-discovery rankings for years, identifying flaws in products ranging from Microsoft to Tencent.

    Among Knownsec’s investors are Baidu and Tencent, and in 2018 the company appeared on the Nasdaq billboard as part of CCTV’s “National Brand” initiative. With more than 1,500 employees and dozens of divisions across the country, Knownsec has long served as a showcase for China’s cyber industry.

    Its response to the leak was immediate. On the same day the reports appeared, the company issued a notice to clients, explaining that the breach had actually occurred in August 2023, when unknown attackers exploited three zero-day vulnerabilities to infiltrate the firm’s cloud-based office system. Although the attempt to expand the attack was thwarted, the company was unable to determine the scope of the theft—its adversaries’ methods were too sophisticated.

    After the leaked data resurfaced on dark-web forums, Knownsec confirmed that it originated from that earlier intrusion. Upon reviewing the published fragments, the firm concluded that they consisted of partial lists of employees and clients, as well as data from its own dark-web monitoring system. Knownsec emphasized that no user accounts, passwords, or critical client assets had been stolen. It nevertheless acknowledged the two-year gap between the attack and the public disclosure, attributing it to the fact that the company itself had never seen the full contents of the stolen archive.

    In its notice, the company apologized to its clients, describing the incident as “deeply regrettable and embarrassing” for any cybersecurity organization. It also criticized media outlets for exaggerating the scale of the event.

    The controversy was further fueled by the involvement of blogger Mrxn, who for more than a decade has published cybersecurity incident reports and pentesting tools on GitHub. His motives remain unclear: an attempt to damage Knownsec’s reputation, a desire to “teach the company a lesson” akin to the infamous TCL case, or simply an effort to profit from already stolen data.

    The incident revived debate about which Chinese companies are deemed “replaceable” and which are considered “too big to fail.” Many drew comparisons to the 2024 scandal involving i-SOON—a firm that never acknowledged its leak, vanished from public view, and, according to investigations, barely remains afloat. Knownsec, by contrast, is a national brand, a major investment target, and—judging by official actions—an entity the state intends to support.

    This also informs the international dimension. As far back as 2021, the United States designated Knownsec a “Chinese military company” and restricted the export of U.S. technologies to it—an honor shared with only one other cyber firm, the giant Qihoo 360. On Chinese forums, the rationale is stated bluntly: Knownsec allegedly represents “the greatest threat to U.S. dominance in cyberspace.”

    Yet the 2025 leak illustrates a paradox: even industry leaders who scour the world’s software for vulnerabilities can overlook critical flaws within their own systems—and must confront the consequences when long-forgotten breaches resurface two years later.

  • The ShinyHunters Salesforce Attack: Vishing & OAuth Abuse Blamed for Qantas, Allianz, LVMH Breaches

    Threat actors operating under the name ShinyHunters have orchestrated a series of cyberattacks targeting major corporations, including Qantas, Allianz Life, LVMH, and Adidas. Each incident centers on attempts to infiltrate client Salesforce environments through sophisticated social engineering tactics—most notably, voice phishing (vishing).

    According to Google’s Threat Intelligence Group (GTIG), the cybercriminals—tracked as UNC6040—posed as IT support personnel, calling employees and walking them to Salesforce’s connected-app setup page. There, victims were urged to enter a so-called “connection code.” That code is the user code of an OAuth device-authorization flow: whoever started the flow holds the matching device code, so when the victim types in the code the attacker read out over the phone, a malicious application—disguised as a legitimate tool such as “Data Loader” or “My Ticket Portal”—is linked to the target’s Salesforce environment with the victim’s own permissions.

    Additional tactics included phishing websites mimicking Okta login pages, designed to harvest credentials and one-time multi-factor authentication codes. Either route left the attackers with unfettered access to company databases holding sensitive customer and contact records.

    In rapid succession, several companies disclosed breaches involving their cloud-based CRM systems. Louis Vuitton, Dior, and Tiffany & Co. confirmed unauthorized access to platforms managing customer data. Tiffany’s South Korean branch notified clients of a breach involving a third-party provider. Allianz Life acknowledged that an attacker accessed its CRM environment on July 16, 2025. While Qantas declined to name the affected platform, local media confidently reported Salesforce as the system in question. Court documents revealed that the “Account” and “Contact” objects had been accessed—standard tables present in every Salesforce org, which pointed to the platform even where it was not named.

    As of publication, no data leaks or public ransom demands have surfaced. However, journalists report that the attackers, identifying themselves as ShinyHunters, have reached out to victims via email, threatening to release stolen data unless compensated—a tactic reminiscent of their previous Snowflake attacks.

    The situation is further complicated by the blurred lines between ShinyHunters and Scattered Spider (UNC3944), another group active in aviation, retail, and insurance sectors. However, while Scattered Spider conducts full-scale intrusions and deploys ransomware, ShinyHunters focus on targeted attacks against cloud platforms followed by extortion.

    Some experts speculate an overlap between the groups: they may frequent the same cybercrime forums or even share members. Certain analysts trace their roots to the now-defunct Lapsus$ gang. Another theory posits that ShinyHunters operate as extortion-as-a-service providers—demanding ransoms on behalf of other hackers and taking a cut. They’ve allegedly employed this model in attacks on Oracle Cloud, PowerSchool, NitroPDF, Wattpad, MathWay, and others.

    Despite arrests linked to ShinyHunters and the Breached v2 operation, the attacks persist. More companies are receiving emails that begin with a chilling declaration: “We are ShinyHunters,” underscoring the group’s collective—and resilient—nature.

    Salesforce, for its part, has issued a formal statement asserting that the platform itself was neither breached nor vulnerable. Responsibility for security, it emphasized, rests with customers—who must actively defend against social engineering. Recommended safeguards include IP allowlisting, enforcing multi-factor authentication, restricting which connected apps users may authorize and the permissions those apps receive, and leveraging Salesforce Shield for activity monitoring. Assigning a dedicated security officer is also advised to expedite incident response.
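    The following is an added worked example, not code from the original article, from Google, or from Salesforce. It models the “connection code” trick described above and the connected-app restriction Salesforce recommends, using a toy RFC 8628 device-authorization server. The client IDs, usernames, and the verification URI are assumptions invented for the example; the point is structural: the user code is tied to a device code that the attacker, not the victim, holds, so the victim’s approval hands the attacker a token in the victim’s name. Requiring that only pre-approved clients can be authorized (the generic analogue of an admin-pre-authorized connected-app policy) breaks the chain.

```python
import secrets

# Assumed verification page for the toy server; not a real Salesforce endpoint.
VERIFICATION_URI = "https://sso.example/device"


class DeviceFlowAuthServer:
    """Minimal RFC 8628 authorization server (toy model for the example).

    Issues device_code/user_code pairs, lets a logged-in user approve a
    user_code, and hands a token to whoever polls with the matching
    device_code. Real servers also add expiry, polling limits and TLS.
    """

    def __init__(self, preapproved_clients=(), require_preapproval=False):
        self.preapproved = set(preapproved_clients)
        self.require_preapproval = require_preapproval
        self.pending = {}    # user_code  -> request state
        self.by_device = {}  # device_code -> the same state object

    def device_authorization(self, client_id, scope):
        """POST /device_authorization: called by the *client*, not the user."""
        state = {"client_id": client_id, "scope": scope,
                 "approved_by": None, "denied": None}
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # e.g. 1A2B-3C4D
        device_code = secrets.token_urlsafe(32)
        self.pending[user_code] = state
        self.by_device[device_code] = state
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI, "interval": 5}

    def user_approves(self, user_code, username):
        """What the verification page does when a logged-in user types a code."""
        state = self.pending.get(user_code)
        if state is None:
            return "unknown_code"
        # The safeguard: a user may only approve clients an admin has allowlisted.
        if self.require_preapproval and state["client_id"] not in self.preapproved:
            state["denied"] = "client_not_preapproved"
            return "denied"
        state["approved_by"] = username
        return "approved"

    def token(self, device_code):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        state = self.by_device.get(device_code)
        if state is None:
            return {"error": "invalid_grant"}
        if state["denied"]:
            return {"error": "access_denied"}
        if state["approved_by"] is None:
            return {"error": "authorization_pending"}
        # The token is issued to the client that started the flow, acting as the
        # user who approved it. This is the property the vishing call exploits.
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "scope": state["scope"], "sub": state["approved_by"],
                "client_id": state["client_id"]}


def vishing_scenario(require_preapproval):
    """Replay the phone call: attacker starts the flow, reads the user_code to the
    victim, the victim approves it, the attacker polls for the token.
    Returns (approval outcome, token endpoint response)."""
    server = DeviceFlowAuthServer(preapproved_clients={"corp-approved-data-loader"},
                                  require_preapproval=require_preapproval)
    # 1. The attacker's machine starts the flow for a look-alike client (assumed name).
    resp = server.device_authorization("data-loader-lookalike", "api refresh_token")
    # 2. "IT support" reads resp["user_code"] out loud; the victim, already logged in,
    #    enters it on the verification page. The victim never sees the device_code.
    outcome = server.user_approves(resp["user_code"], "victim@example.com")
    # 3. The attacker polls the token endpoint with the device_code it kept.
    return outcome, server.token(resp["device_code"])


if __name__ == "__main__":
    print("no policy:     ", vishing_scenario(require_preapproval=False))
    print("preapproval on:", vishing_scenario(require_preapproval=True))
```

    With the policy off, the token endpoint returns a bearer token whose `sub` is the victim and whose `client_id` is the attacker’s look-alike app; every subsequent Account and Contact export runs under the victim’s permissions, which is why Salesforce’s own logs show a legitimate user rather than an intrusion. With the policy on, the same phone call ends in `access_denied`, because the code the victim was talked into entering belongs to a client no administrator ever approved.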

    The ShinyHunters campaign marks a new chapter in the evolution of cyber threats: one where hybrid social engineering methods exploit not code, but human psychology and access mismanagement.

  • Hacker Pleads Guilty: Breached Orgs to Promote Cybersecurity Services, Faces Prison

    Nicholas Michael Kloster, a resident of Kansas City, has found himself at the center of a high-profile criminal case, culminating in his guilty plea to a series of cybercrimes. According to the U.S. Department of Justice, the 32-year-old man breached at least three organizations in 2024, allegedly with the intention of offering them his cybersecurity services. However, the methods he employed to capture the attention of prospective clients were in clear violation of the law.

    Investigators report that Kloster’s first target was a fitness company operating a network of gyms across Missouri. He infiltrated a restricted area and gained unauthorized access to the company’s internal systems. Shortly thereafter, he emailed one of the owners to boast about bypassing their security and promptly offered his services as a cybersecurity consultant.

    In his email, Kloster detailed how he accessed the gym’s surveillance system via publicly exposed camera IP addresses and manipulated settings in the Google Fiber router. This allowed him to view user accounts associated with the company’s domain. According to him, his ability to reach user files was evidence of critical vulnerabilities demanding immediate remediation.

    Kloster further claimed to have assisted over 30 small and mid-sized industrial firms in Kansas City in enhancing their digital security. Yet, his actions extended far beyond a mere unsolicited proposal. He altered his profile photo in the gym’s membership database, reduced his subscription fee to a symbolic one dollar, and stole an employee’s access badge.

    Weeks after the intrusion, Kloster shared a screenshot of the gym’s surveillance system on social media, showcasing his total control over it—continuing to promote his services while flagrantly violating federal law.

    His next target was a Missouri-based nonprofit organization. On May 20, Kloster unlawfully entered a restricted area within the foundation and used a bootable disk to bypass the login screens on several computers. He exfiltrated sensitive data from a device that qualifies under federal law as a “protected computer” because it was used in interstate or foreign commerce or communication.

    After breaching the foundation’s systems, Kloster installed a VPN service and changed passwords for multiple user accounts, effectively seizing complete control over the organization’s digital infrastructure. This too appeared to be an effort to showcase his “professional capabilities” in cybersecurity.

    Another charge stems from an incident involving Kloster’s former employer, whose name remains undisclosed. After his termination on April 30, 2024, Kloster used a stolen corporate credit card to purchase specialized USB devices commonly employed in cyberattacks. These so-called “hacker flash drives” are sold as penetration-testing gear and are built to gain a foothold on a machine quickly once plugged in, bypassing basic security defenses.

    Kloster now faces up to five years in federal prison without the possibility of parole. In addition, the court may impose a fine of up to $250,000, a mandatory three-year supervised release, and restitution payments to the affected organizations.

    The case has sparked considerable discussion within the cybersecurity community. Law enforcement officials emphasize that the emerging trend of using cybercrime as a self-promotional “portfolio” remains unequivocally criminal—regardless of any altruistic justification offered by perpetrators.