UK Serial Hacker Sentenced for 3,000 Website Intrusions
Summary
Al-Tahery Al-Mashriky, a 26-year-old UK resident, was sentenced to 20 months in prison for hacking more than 3,000 websites. The intrusions, dated between 2022 and 2025, targeted government and private organizations in Yemen, Israel, Canada, and the U.S. Al-Mashriky, linked to the extremist groups 'Spider Team' and 'Yemen Cyber Army', harvested personal data on millions of Facebook users and defaced websites to spread political messages. He was arrested in August 2022 on information from U.S. law enforcement and pleaded guilty to nine charges under the Computer Misuse Act. The intrusions caused significant disruption, and the stolen personal data left victims exposed to fraud. The Yemen Cyber Army supports the Houthis, an Islamist political and military organization.
Timeline
18.08.2025 19:36 · 2 articles
UK Serial Hacker Sentenced for 3,000 Website Intrusions
Al-Mashriky, 26, was sentenced to 20 months in prison for the intrusions summarized above. The NCA identified him through his social media activity and emails. He targeted websites with low security to gain kudos in the hacking community, and in 2022 boasted of hacking 3,000 websites over the course of three months.
Sources:
- UK sentences “serial hacker” of 3,000 sites to 20 months in prison — www.bleepingcomputer.com — 18.08.2025 19:36
- Hacktivist Tied to Multiple Cyber Groups Sentenced to Jail — www.darkreading.com — 21.08.2025 09:00
Information Snippets
- Al-Tahery Al-Mashriky, 26, was sentenced to 20 months in prison for hacking over 3,000 websites.
  First reported: 18.08.2025 19:36 (2 sources, 2 articles). Sources:
- UK sentences “serial hacker” of 3,000 sites to 20 months in prison — www.bleepingcomputer.com — 18.08.2025 19:36
- Hacktivist Tied to Multiple Cyber Groups Sentenced to Jail — www.darkreading.com — 21.08.2025 09:00
- Al-Mashriky targeted government and private organizations in Yemen, Israel, Canada, and the U.S.
  First reported: 18.08.2025 19:36 (2 sources, 2 articles). Sources:
- UK sentences “serial hacker” of 3,000 sites to 20 months in prison — www.bleepingcomputer.com — 18.08.2025 19:36
- Hacktivist Tied to Multiple Cyber Groups Sentenced to Jail — www.darkreading.com — 21.08.2025 09:00
- The hacker was linked to extremist groups such as 'Spider Team' and 'Yemen Cyber Army'.
  First reported: 18.08.2025 19:36 (2 sources, 2 articles). Sources:
- UK sentences “serial hacker” of 3,000 sites to 20 months in prison — www.bleepingcomputer.com — 18.08.2025 19:36
- Hacktivist Tied to Multiple Cyber Groups Sentenced to Jail — www.darkreading.com — 21.08.2025 09:00
- Al-Mashriky stole personal data from over 4 million Facebook users and defaced websites to spread political messages.
  First reported: 18.08.2025 19:36 (2 sources, 2 articles). Sources:
- UK sentences “serial hacker” of 3,000 sites to 20 months in prison — www.bleepingcomputer.com — 18.08.2025 19:36
- Hacktivist Tied to Multiple Cyber Groups Sentenced to Jail — www.darkreading.com — 21.08.2025 09:00
- The intrusions caused significant disruption and potential fraud risks.
  First reported: 18.08.2025 19:36 (2 sources, 2 articles). Sources:
- UK sentences “serial hacker” of 3,000 sites to 20 months in prison — www.bleepingcomputer.com — 18.08.2025 19:36
- Hacktivist Tied to Multiple Cyber Groups Sentenced to Jail — www.darkreading.com — 21.08.2025 09:00
- Al-Mashriky was arrested in 2022 based on information from U.S. law enforcement.
  First reported: 18.08.2025 19:36 (2 sources, 2 articles). Sources:
- UK sentences “serial hacker” of 3,000 sites to 20 months in prison — www.bleepingcomputer.com — 18.08.2025 19:36
- Hacktivist Tied to Multiple Cyber Groups Sentenced to Jail — www.darkreading.com — 21.08.2025 09:00
- The hacker pleaded guilty to nine charges under the Computer Misuse Act.
  First reported: 18.08.2025 19:36 (2 sources, 2 articles). Sources:
- UK sentences “serial hacker” of 3,000 sites to 20 months in prison — www.bleepingcomputer.com — 18.08.2025 19:36
- Hacktivist Tied to Multiple Cyber Groups Sentenced to Jail — www.darkreading.com — 21.08.2025 09:00
- Al-Mashriky was first arrested in August 2022.
  First reported: 21.08.2025 09:00 (1 source, 1 article). Sources:
- Hacktivist Tied to Multiple Cyber Groups Sentenced to Jail — www.darkreading.com — 21.08.2025 09:00
- The Yemen Cyber Army supports the Houthis, an Islamist political and military organization.
  First reported: 21.08.2025 09:00 (1 source, 1 article). Sources:
- Hacktivist Tied to Multiple Cyber Groups Sentenced to Jail — www.darkreading.com — 21.08.2025 09:00
- Al-Mashriky targeted websites with low security to gain kudos in the hacking community.
  First reported: 21.08.2025 09:00 (1 source, 1 article). Sources:
- Hacktivist Tied to Multiple Cyber Groups Sentenced to Jail — www.darkreading.com — 21.08.2025 09:00
- Al-Mashriky boasted of hacking 3,000 websites in 2022 over the course of three months.
  First reported: 21.08.2025 09:00 (1 source, 1 article). Sources:
- Hacktivist Tied to Multiple Cyber Groups Sentenced to Jail — www.darkreading.com — 21.08.2025 09:00
- Al-Mashriky's attacks caused significant disruption to users and organizations.
  First reported: 21.08.2025 09:00 (1 source, 1 article). Sources:
- Hacktivist Tied to Multiple Cyber Groups Sentenced to Jail — www.darkreading.com — 21.08.2025 09:00
- The NCA identified Al-Mashriky through his social media activity and emails.
  First reported: 21.08.2025 09:00 (1 source, 1 article). Sources:
- Hacktivist Tied to Multiple Cyber Groups Sentenced to Jail — www.darkreading.com — 21.08.2025 09:00
Similar Happenings
Increased browser targeting by threat actors
Threat actors are increasingly targeting web browsers as a primary attack vector, because the browser is where users reach sensitive data and cloud applications, which makes it the natural place to steal credentials and hijack sessions. The Snowflake breach, carried out with stolen credentials, illustrates the risk. Browser-based attacks include phishing for credentials and sessions, malicious copy and paste (ClickFix), malicious OAuth integrations, malicious browser extensions, malicious file delivery, and exploitation of stolen credentials and MFA gaps. Because these attacks ride on the browser's access to business applications and data, experts argue that security teams need to treat browser security as a first-class control.
Salesloft Disables Drift Following OAuth Token Theft
Salesloft has taken its marketing SaaS product Drift offline following a security incident in which OAuth tokens were stolen and used to access customers' Salesforce data. The intrusion began with the compromise of Salesloft's GitHub account and affected multiple major tech companies, including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, Zscaler, Qualys, Rubrik, BeyondTrust, CyberArk, Elastic, Dynatrace, Cato Networks, and BugCrowd; the count of impacted companies was later updated to 29. The activity was attributed to a threat cluster tracked as UNC6395 (also GRUB1). Salesloft disabled Drift on September 5, 2025 to conduct a comprehensive review and harden the platform. The attackers used the stolen tokens to pull support cases out of Salesforce instances and mined them for credentials, authentication tokens, and other secrets that customers had pasted into tickets, focusing on AWS access keys, passwords, and Snowflake-related access tokens; Cloudflare disclosed that its affected support cases included configuration settings and 104 Cloudflare API tokens. The ShinyHunters extortion gang and actors claiming to be Scattered Spider have also claimed involvement in the Drift attacks, in addition to the earlier Salesforce data theft campaign. Salesforce has restored integration with the Salesloft platform, except for the Drift app, which remains disabled until further notice. That earlier Salesforce data theft campaign also hit Qantas, whose executives had their short-term compensation cut by 15% after a breach affecting approximately 5.7 million passengers.
APT28 Exploits Microsoft Outlook with NotDoor Backdoor Malware
APT28, a Russian state-sponsored threat group, has been using a new backdoor called NotDoor that turns Microsoft Outlook into a covert channel for command and control, data exfiltration, and malware delivery. The loader is a legitimate signed Microsoft binary, OneDrive.exe, abused via DLL sideloading. NotDoor itself is an obfuscated Visual Basic for Applications (VBA) project for Outlook that hooks the Application.MAPILogonComplete and Application.NewMailEx events, so the payload runs every time Outlook starts or a new email arrives. The backdoor is triggered by specific strings in incoming emails and supports four commands: cmd, cmdno, dwn, and upl, which let the operator execute commands, exfiltrate data, and upload files. Exfiltrated files are staged in a local folder, encoded with the malware's custom encryption, sent out by email, and then deleted from the system. The campaign has hit multiple companies across sectors in NATO member countries and is notable for abusing Microsoft Dev Tunnels (devtunnels.ms) as C2 domains for added stealth. Attack chains also use bogus Cloudflare Workers domains to distribute a Visual Basic Script similar to PteroLNK, which can spread to other machines by copying itself to connected USB drives and can download additional payloads. NotDoor illustrates APT28's continued evolution in bypassing established defenses.
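The tradecraft above gives a defender three cheap telemetry checks: a process talking to a devtunnels.ms host, a copy of OneDrive.exe running from somewhere other than its install location (where a sideloaded DLL can sit beside it), and Outlook spawning child processes. The following is an added example, not code from the page, the researchers, or Microsoft; the Sysmon-style events are constructed, and the "expected" OneDrive.exe install roots and the Outlook-child heuristic are assumptions to tune for your estate.

```python
"""Flag host telemetry consistent with the NotDoor tradecraft described above.
Added example over constructed Sysmon-style events (EventID 1 = process
create, EventID 3 = network connect); paths and heuristics are assumptions."""
import re

# Constructed sample paths.
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
STAGED_ONEDRIVE = r"C:\Users\alice\AppData\Local\Temp\OneDrive.exe"
REAL_ONEDRIVE = r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"

# Constructed events: one benign Outlook connection, one staged OneDrive.exe
# reaching a Dev Tunnels host, that same binary spawned by Outlook, and the
# genuine per-user OneDrive.exe started by Explorer.
EVENTS = [
    {"id": 3, "Image": OUTLOOK, "DestinationHostname": "outlook.office365.com"},
    {"id": 3, "Image": STAGED_ONEDRIVE,
     "DestinationHostname": "abc123-8080.euw.devtunnels.ms"},
    {"id": 1, "Image": STAGED_ONEDRIVE, "ParentImage": OUTLOOK},
    {"id": 1, "Image": REAL_ONEDRIVE, "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumption: OneDrive.exe legitimately lives under one of these two roots.
EXPECTED_ONEDRIVE = re.compile(
    r"^(c:\\program files( \(x86\))?\\microsoft onedrive|"
    r"c:\\users\\[^\\]+\\appdata\\local\\microsoft\\onedrive)\\onedrive\.exe$"
)


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return (rule, image) pairs for every heuristic the event trips."""
    hits = []
    img = ev.get("Image", "")
    host = ev.get("DestinationHostname", "").lower()
    # Dev Tunnels as C2: few corporate hosts have a business reason to talk to it.
    if ev["id"] == 3 and host.endswith(".devtunnels.ms"):
        hits.append("dev_tunnel_c2")
    # Signed OneDrive.exe outside its install roots: classic sideload staging.
    if basename(img) == "onedrive.exe" and not EXPECTED_ONEDRIVE.match(img.lower()):
        hits.append("onedrive_unexpected_path")
    # Outlook spawning a child process is unusual for a mail client (assumption).
    if ev["id"] == 1 and basename(ev.get("ParentImage", "")) == "outlook.exe":
        hits.append("outlook_child_process")
    return [(h, img) for h in hits]


def find_suspicious(events):
    """Deduplicated, sorted findings across a batch of events."""
    return sorted({f for ev in events for f in check_event(ev)})


if __name__ == "__main__":
    for rule, image in find_suspicious(EVENTS):
        print(f"{rule:25} {image}")
```

Each rule alone produces noise (developers do use Dev Tunnels; Outlook add-ins do spawn helpers), so in practice score the three together per host rather than alerting on any single hit.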
Malicious nx Packages Exfiltrate 2,349 GitHub, Cloud, and AI Credentials
A supply chain attack on the nx build system allowed attackers to publish malicious versions of the popular npm package and its auxiliary plugins. These versions carried data-gathering code that exfiltrated 2,349 credentials for GitHub, cloud, and AI services. The attack occurred on August 26, 2025 and affected multiple versions of the nx package and related plugins; the compromised packages were removed from the npm registry, and users were advised to rotate credentials and check their systems for malicious modifications. The malicious packages scanned file systems, collected credentials, and pushed them to GitHub repositories created under the victims' own accounts. The attackers got in through a vulnerable workflow introduced on August 21, 2025, which allowed arbitrary command execution with elevated permissions. The operation took approximately four hours from start to finish and exfiltrated around 20,000 sensitive files. The payload drove AI-powered CLI tools to scan dynamically for high-value secrets, and it modified shell startup files so that the machine shut down whenever a new terminal session opened. A second wave on August 28, 2025 affected over 190 users and organizations and over 3,000 repositories; it flipped private repositories to public and created forks to preserve the data. A separate tally broke the attack into three phases affecting 2,180 accounts and 7,200 repositories: the first phase hit 1,700 users and leaked over 2,000 unique secrets, the second compromised 480 accounts and exposed 6,700 private repositories, and the third targeted a single organization and published an additional 500 private repositories.
Chinese State-Sponsored Actors Targeting Global Critical Infrastructure
Chinese state-sponsored Advanced Persistent Threat (APT) actors, including the Salt Typhoon group, are running a sustained campaign to gain long-term access to critical infrastructure networks worldwide. They exploit vulnerabilities in routers and other edge network devices used by telecommunications providers, ISPs, and other infrastructure operators, targeting telecommunications, transportation, lodging, government, and military networks. The campaign has hit at least 600 organizations across 80 countries, including 200 in the U.S. A joint advisory describes how these actors penetrate networks and how defenders can protect their own environments; it attributes the activity to multiple APTs, with partial overlap to Salt Typhoon. The actors have had considerable success with publicly known vulnerabilities in Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS, and Cisco IOS XE, and the advisory suspects they may also target Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and SonicWall firewalls. To maintain persistence they modify Access Control Lists (ACLs), open standard and non-standard ports, enable SSH servers, and create tunnels over various protocols. They also go after authentication protocols and infrastructure, such as Terminal Access Controller Access Control System Plus (TACACS+), to facilitate lateral movement across network devices.
The advisory's mitigations include monitoring network device configuration changes, auditing network services and tunnels, and checking logs for integrity, and it highlights a shift in Chinese state-sponsored activity from pure espionage toward long-term access for potential disruption. Separately, 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020. The oldest, onlineeylity[.]com, was registered on May 19, 2020. The domains were registered with Proton Mail addresses and fake personas, point to both high-density and low-density IP addresses, and show activity traced back to October 2021. They are linked to Chinese cyber espionage campaigns, with potential overlap between Salt Typhoon and UNC4841.
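The advisory's first mitigation, monitoring configuration changes, is only useful if the diff is read with the listed persistence tactics in mind: new ACL entries, SSH enabled on fresh lines, listeners on non-standard ports, new tunnels, and new authentication servers. The following added example (not from the advisory or any vendor) diffs a constructed baseline against a constructed current config and classifies each added line; the Cisco IOS-style patterns and sample configs are assumptions to adapt to the platforms you run.

```python
"""Flag additions to a network device configuration that match the persistence
tactics in the advisory: ACL edits, SSH enablement, non-standard listening
ports, new tunnels, and changes to authentication infrastructure (TACACS+/AAA).
Added example; the IOS-style configs below are constructed, not from any real
device or from the advisory."""
import re
from collections import Counter

# Constructed baseline captured at the last audit.
BASELINE = """\
hostname edge-rtr-1
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
tacacs server primary
 address ipv4 10.0.0.5
"""

# Constructed current config: an extra ACL permit, SSH moved to a high port on
# new vty lines, a tunnel to an outside host, and a second TACACS+ server.
CURRENT = """\
hostname edge-rtr-1
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit tcp host 203.0.113.7 any
 deny ip any any
ip ssh port 57722 rotary 1
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
line vty 5 15
 rotary 1
 transport input ssh
interface Tunnel99
 ip address 172.16.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.7
tacacs server primary
 address ipv4 10.0.0.5
tacacs server backup
 address ipv4 203.0.113.9
"""

# Each rule: (category, regex over one config line). Patterns are Cisco
# IOS-flavoured assumptions; adapt them to your platform's syntax.
RULES = [
    ("acl_change", re.compile(r"^\s*(permit|deny)\s")),
    ("nonstandard_port", re.compile(r"^\s*ip ssh port\s+(\d+)")),
    ("ssh_enabled", re.compile(r"^\s*(transport input ssh|crypto key generate rsa|ip ssh version)")),
    ("tunnel", re.compile(r"^\s*(interface Tunnel|tunnel (source|destination|mode))")),
    ("auth_infra", re.compile(r"^\s*(tacacs server|aaa |radius server)")),
]


def classify(line):
    """Return the persistence category a config line falls into, or None."""
    for category, rx in RULES:
        m = rx.match(line)
        if not m:
            continue
        if category == "nonstandard_port" and m.group(1) == "22":
            continue  # SSH on its default port is not a finding
        return category
    return None


def added_lines(baseline, current):
    """Lines in current with no counterpart left in baseline. Counting
    occurrences (rather than a set difference) keeps a second
    'transport input ssh' under a new vty range visible as an addition."""
    remaining = Counter(baseline.splitlines())
    added = []
    for line in current.splitlines():
        if remaining[line] > 0:
            remaining[line] -= 1
        else:
            added.append(line)
    return added


def find_persistence_changes(baseline, current):
    """Return (category, line) for every added line that matches a rule."""
    findings = []
    for line in added_lines(baseline, current):
        category = classify(line)
        if category:
            findings.append((category, line.strip()))
    return findings


if __name__ == "__main__":
    for category, line in find_persistence_changes(BASELINE, CURRENT):
        print(f"{category:17} {line}")
```

Run this from the same job that pulls running configs into version control, and treat any hit as a ticket to reconcile against change records: a tunnel or TACACS+ server nobody can account for is exactly the signal the advisory says to look for.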