Weekly News Digest 04-10 November
Schneider Electric investigating alleged ransomware attack
Schneider Electric said it is investigating a breach after a threat actor claimed they stole 40 GB of data from the company.
“Schneider Electric is investigating a cybersecurity incident involving unauthorized access to one of our internal project execution tracking platforms which is hosted within an isolated environment,” the digital automation and energy management company said. “Our Global Incident Response team has been immediately mobilized to respond to the incident. Schneider Electric’s products and services remain unaffected.”
A threat actor known as Grep told BleepingComputer that they breached Schneider Electric’s Jira server using exposed credentials. “This breach has compromised critical data, including projects, issues, and plugins, along with over 400,000 rows of user data, totaling more than 40GB Compressed Data,” the threat actor alleges.
Grep said they recently formed a new hacking group called International Contract Agency (ICA) and that the group does not extort the companies they breach. According to Grep, if a company does not acknowledge a breach within 48 hours, ICA will leak any stolen data.
Google researchers find buffer underflow bug in SQLite using AI-powered Big Sleep agent
Google engineers working on an AI-powered agent called Big Sleep (aka Naptime) to find exploitable vulnerabilities have claimed what they have described as “the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software.”
To find the flaw, the team trained the agent by providing details of previously fixed vulnerabilities to the large language model (LLM), and then directed it to review a number of recent code commits to the SQLite repository that had been cleaned up to remove trivial and documentation changes.
Through this process, the agent discovered an unhandled edge case caused by improper handling of the special sentinel iColumn field in the sqlite3_index_constraint structure when its value is negative. The flaw allows an attacker to overwrite parts of a pointer in the code, which the researchers believe could be exploitable.
The flaw was reported to the SQLite developers, who fixed the issue promptly in early October.
Scammers abusing DocuSign to send realistic invoices for signing
Digital signing services are being used more frequently by businesses to provide legal documents and contracts for customers to sign business deals in a more efficient manner. However, scammers have also caught on to how they could be abused.
According to reports, scammers are signing up for a paid-for DocuSign account to gain access to the legitimate document signing and emailing workflow services. They then employ a range of specially crafted templates that are designed to look like they come from legitimate brands such as Norton to generate fake invoices and send them to targeted organizations.
The fake invoices are typically for relatively small sums of money, purportedly for license activation or renewal, so that recipients are more inclined to accept and sign as requested. The fake invoices are then sent via DocuSign’s Envelope API, which sends the email from the docusign.net domain, helping to make the email look legitimate.
If the fake invoices are signed, the scammers may then forward them to the finance department of the targeted organization for payment.
Reports suggest that attackers are using automated techniques to send large volumes of these scam emails and that this scam has been going on for some time. Employees of organizations should be wary of unexpected invoices sent to them for signing even if they look like they come from a legitimate source.
Washington state court services disrupted due to “data systems outage”
The Washington State Administrative Office of the Courts (AOC) announced that a statewide “data systems outage” is causing limited disruption to court operations due to what it has described in the media as “unauthorized activity” in its computer systems.
Due to the detection of a cybersecurity incident, the organization said it had “taken immediate action to secure critical systems and [is] working to safely restore service.” For reasons of security, the courts declined to share any specific details about the nature of the incident but are said to be working with security experts to recover and restore full services.
In the meantime, customer services, the superior court, and various other court-run programs remain in service and are said to be operating with minimal disruption. Services that use Washington state’s case management systems are said to be the most impacted by the disruptions. This remains a developing story and further updates are likely to be provided by the Pierce County Court soon.
Ransomware impacts Georgia hospital’s health record system
Memorial Hospital and Manor, a prominent hospital in the U.S. town of Bainbridge, southwest Georgia, suffered a ransomware attack that knocked out access to its electronic health record system.
In a message posted on Sunday (November 3), the hospital warned patients that its IT team had discovered a ransomware attack on November 2. “This impacts access to our Electronic Health Record system. While we believe this issue will not impact either the level or the quality of care we provide to our patients, we want to be fully transparent regarding this situation,” the hospital said.
Patients were informed that they might experience longer wait times when visiting the hospital or physician offices as hospital staff “are working on a paper-based process.”
The Embargo ransomware gang claimed the attack on November 5, threatening to leak 1.15 TB of purportedly stolen data if a ransom is not paid by November 8.
Typosquatting Python package downloaded over 37K times in three years
Researchers have discovered a malicious Python package called “fabrice” on PyPI, the official Python package repository. The name of the malicious package is a typosquat of the real package “fabric”, a popular package (over 202 million downloads) designed to enable remote execution of shell commands over SSH.
The fake package has been downloaded over 37,000 times since March 2021 when it was first published on the repository, meaning it was installed by unsuspecting users for over three years before it was finally taken offline in November 2024.
When installed on Windows systems, the fake package drops and runs a Visual Basic file (p.vbs) and a Python script (d.py) to provide access for the attackers to the compromised computer and establish persistence.
On Linux computers, the malware downloads and executes additional shell scripts from a remote server at 89.44.9[.]227.
The installed malware is designed to steal information using the boto3 library, particularly targeting AWS keys, which are collected and sent via VPN to the aforementioned IP address.
U.S. CFPB urges staff to limit phone use after China-linked Salt Typhoon hack
The U.S. government’s Consumer Financial Protection Bureau (CFPB) is requesting that employees minimize the use of cell phones for work-related activities, following the recent news that the China state-linked threat actor known as Salt Typhoon has been targeting a number of U.S. telecommunications companies.
According to reports, CFPB sent an email to all employees and contractors with a simple directive: “Do NOT conduct CFPB work using mobile voice calls or text messages.”
“While there is no evidence that CFPB has been targeted by this unauthorized access, I ask for your compliance with these directives so we reduce the risk that we will be compromised,” the CFPB said in the email.
According to a report by the Wall Street Journal, CFPB’s security leadership requested that staff avoid discussing nonpublic data via voice calls or text messages on either work-issued or personal phones. Employees were instructed to use secure platforms like Microsoft Teams and Cisco WebEx to mitigate risks.
Attackers using ZIP file concatenation to hide malware
Attackers have been seen concatenating their malware onto archive files in an effort to hide it from detection on computers running Windows. The technique exploits inconsistencies in how various ZIP file readers handle extra data in an archive file in order to trick users and security software. Attackers append additional ZIP files containing malware to a benign one, producing a single file that appears to be one archive.
The results vary depending on which ZIP reader opens the file. The popular 7-Zip software displays only the benign contents of the first archive, although careful users may notice a warning that the file contains extra data. Windows File Explorer may refuse to open the file if it has a .zip extension, but if the file is renamed with a .rar extension it displays the contents of the appended archive rather than the first. WinRAR, however, shows the full contents of all the archives within the file.
Recent email-based attacks were seen using this technique to help evade detection. The emails may purport to be shipping or package delivery notices with a .rar file attachment that contains concatenated archives within it. Recipients who use certain archiving software may be tricked into opening what appears to be a harmless PDF file when in fact they are executing malware.
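A small check for the concatenation behaviour described above, written as an added example for this digest and not taken from any of the cited reports: it builds a constructed two-archive sample, shows that a reader which trusts only the last end-of-central-directory (EOCD) record (Python's zipfile behaves this way) lists just the appended archive, and then splits the file at every EOCD record so that all chained archives are enumerated.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End of Central Directory (EOCD) record signature

def build_zip(entries):
    """Build an in-memory ZIP archive from {name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: a benign archive with a second archive appended to it.
FIRST = build_zip({"notice.txt": b"Your parcel is on its way."})
SECOND = build_zip({"hidden.bin": b"constructed placeholder payload"})
SAMPLE = FIRST + SECOND

def naive_namelist(blob):
    """Entries seen by a reader that trusts the last EOCD (Python's zipfile)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()

def find_eocd_offsets(blob):
    """Return the offset of every EOCD signature in the blob."""
    offsets, pos = [], 0
    while (pos := blob.find(EOCD_SIG, pos)) >= 0:
        offsets.append(pos)
        pos += len(EOCD_SIG)
    return offsets

def analyze_zip(blob):
    """Split the blob at each EOCD record; >1 archive means concatenation."""
    archives, start = [], 0
    for off in find_eocd_offsets(blob):
        if off + 22 > len(blob):  # EOCD fixed part is 22 bytes
            break  # truncated record, not a complete archive
        comment_len = struct.unpack_from("<H", blob, off + 20)[0]
        end = off + 22 + comment_len
        try:
            with zipfile.ZipFile(io.BytesIO(blob[start:end])) as zf:
                archives.append(zf.namelist())
        except zipfile.BadZipFile:
            archives.append(None)  # signature hit inside data, not an archive
        start = end
    return {"archive_count": len(archives), "archives": archives,
            "trailing_bytes": len(blob) - start}
```

A mail gateway or endpoint scanner that flags any archive with more than one EOCD record, or with bytes left over after the last one, catches this regardless of which extractor the recipient uses.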
Sources:
- Schneider Electric confirms dev platform breach after hacker steals data
- Project Zero: From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code
- DocuSign’s Envelopes API abused to send realistic fake invoices
- ‘Unauthorized activity’ downs Washington’s court systems ∙ The Register
- News Flash ∙ Statewide Data Outage Limits Pierce County Cour
- Malicious Python Package Typosquats Popular ‘fabric’ SSH Lib…
- US Gov Agency Urges Employees to Limit Phone Use After China ‘Salt Typhoon’ Hack – SecurityWeek
- Hackers now use ZIP file concatenation to evade detection