CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Inotiv ransomware attack disrupts operations

First reported
Last updated
1 unique sources, 2 articles

Summary

Hide ▲

Inotiv, a U.S.-based pharmaceutical company, experienced a ransomware attack on August 8, 2025, claimed by the Qilin ransomware group. The incident encrypted certain systems and data, disrupting business operations. The company is working to restore affected systems and mitigate the impact. The Qilin ransomware group has been active, also targeting Creative Box Inc. (CBI), a subsidiary of Nissan, on August 16, 2025, stealing four terabytes of data, including 3D vehicle design models and internal reports. The attack involved unauthorized access and encryption of systems, with the Qilin ransomware gang claiming to have stolen approximately 162,000 files totaling 176GB from Inotiv. The company has engaged external security experts and notified law enforcement. The disruption affects databases and internal applications used in business processes, with no estimated timeline for full recovery.

Timeline

  1. 26.08.2025 16:48 1 articles · 1mo ago

    Qilin ransomware targets Nissan subsidiary Creative Box Inc.

    On August 16, 2025, the Qilin ransomware group detected suspicious access to a server of Creative Box Inc. (CBI), a subsidiary of Nissan, stealing four terabytes of data, including 3D vehicle design models, internal reports, financial documents, VR design workflows, and photos. CBI implemented emergency measures and reported the incident to the police. The Qilin ransomware group added CBI to its extortion portal on August 20, 2025, threatening to make the stolen data public. Nissan confirmed the data breach and is conducting an investigation. The leaked data only impacts Nissan, as it is the sole customer of CBI.

    Show sources
    Open in new tab
  2. 19.08.2025 17:25 1 articles · 1mo ago

    Inotiv hit by Qilin ransomware attack

    On August 8, 2025, the Qilin ransomware group attacked Inotiv, encrypting critical systems and data. The incident disrupted business operations, affecting databases and internal applications. The company has engaged external security experts and notified law enforcement. The Qilin ransomware group claims to have stolen approximately 162,000 files totaling 176GB. Inotiv is working to restore affected systems and mitigate the impact, but no timeline for full recovery has been provided.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.

Open in new tab

SonicWall MySonicWall Breach Exposes Firewall Configuration Files

SonicWall has released a firmware update to remove rootkit malware from SMA 100 series devices, following a breach that exposed firewall configuration backup files. The breach, caused by brute-force attacks, affected less than 5% of customers and may have exposed sensitive information. SonicWall has advised customers to reset credentials and update secrets. Additionally, the Akira ransomware group has been targeting unpatched SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and bypassing MFA on VPN accounts using previously stolen OTP seeds. There is no evidence that threat actors have leveraged exposed data against impacted customers in attacks at this time. In September 2025, SonicWall disclosed a security breach affecting MySonicWall accounts, resulting in the exposure of firewall configuration backup files for less than 5% of its customers. The breach, caused by a series of brute-force attacks, could facilitate easier exploitation of SonicWall firewalls by threat actors. SonicWall has advised customers to reset credentials, update secrets, and follow detailed guidance to mitigate potential risks. The company has cut off attackers' access and is collaborating with cybersecurity and law enforcement agencies. The exposed files may contain sensitive information, such as credentials and tokens, for services running on SonicWall devices. Additionally, the Akira ransomware group has been targeting unpatched SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and bypassing MFA on VPN accounts using previously stolen OTP seeds. SonicWall confirmed that attackers accessed the API service for cloud backup and there is no evidence that threat actors have leveraged exposed data against impacted customers in attacks at this time. The threat actor UNC6148 has been deploying the OVERSTEP malware, a previously unknown persistent backdoor/user-mode rootkit, to maintain persistent access, steal sensitive credentials, and conceal its own components. The malware modifies the appliance's boot process to evade detection and hide files and activity. UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on SonicWall SMA appliances. Potential vulnerabilities exploited by UNC6148 include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819. SonicWall has advised customers to look for signs of compromise, such as gaps or deletions in SMA logs, unexpected appliance reboots, persistent admin sessions, unauthorized configuration changes, and reoccurring access following patching or resets. CISA recommends upgrading firmware, replacing and rebuilding SMA 500v, resetting OTP bindings, enforcing MFA, resetting passwords, and replacing certificates with private keys stored on the appliance.

Open in new tab

Jaguar Land Rover Production Disrupted by Cyberattack

Jaguar Land Rover (JLR) has extended the production shutdown for another week following a cyberattack that severely disrupted its operations. The UK government has announced a £1.5 billion ($2 billion) loan guarantee for JLR to support its supply chain, which has been greatly impacted by the shutdown. The incident, which occurred over the weekend, forced the shutdown of several systems, including those at the Solihull production plant. Customer data appears unaffected, but some data was stolen during the breach. This is the second cyberattack JLR has experienced this year, following a previous incident in March. JLR operates under Tata Motors India and produces over 400,000 vehicles annually, with a revenue exceeding $38 billion. The attack impacted the ability to register new cars and supply parts at service points in the UK. The specific type of attack and timeline for recovery remain unspecified. A group identifying as "Scattered Lapsus$ Hunters" has claimed responsibility for the attack, posting screenshots of an internal JLR SAP system on a Telegram channel and stating that they deployed ransomware on the company's compromised systems.

Open in new tab

Pennsylvania Attorney General's Office Hit by Ransomware Attack

The Pennsylvania Attorney General's Office has confirmed a ransomware attack that began on August 11, 2025, lasting three weeks. The attack resulted in a service outage affecting the AG's website, email, and phone systems. The AG office refused to pay the ransom and is currently investigating the incident with other agencies. The impact includes disruptions to court proceedings, though the AG office assures that criminal prosecutions and investigations will not be affected. The extent of data exfiltration, if any, remains unknown. The AG's office has confirmed the use of file-encrypting ransomware and that the attack was carried out by an outsider attempting to extort payment. The AG office has not disclosed any details about the ransomware group responsible. Partial recovery of email and phone services has been achieved, with staff operating through alternate methods.

Open in new tab

Supply Chain Attack Targets npm Packages with Over 2.6 Billion Weekly Downloads

A supply chain attack involving multiple npm packages with over 2.6 billion weekly downloads has been discovered. The attack, which began in April 2025, involved the injection of malicious code into npm packages after compromising a maintainer's account via a phishing attack. The malicious code targets cryptocurrency wallets, including Atomic and Exodus, and redirects transactions to addresses controlled by threat actors. The attack has now expanded to include additional maintainers and packages, further broadening its impact. The attack impacted roughly 10% of all cloud environments, but the attackers made little profit. The malicious packages were removed within two hours of the attack, and the injected code targeted browser environments, hooking Ethereum and Solana signing requests. The attack was discovered and mitigated quickly, preventing more severe security incidents. The attack follows a series of similar incidents targeting JavaScript libraries, emphasizing the ongoing threat to the npm ecosystem and the broader supply chain. The compromised packages include popular ones such as ansi-regex, ansi-styles, chalk, debug, and others, collectively attracting over 2 billion weekly downloads. The malicious code operates by intercepting network traffic and application APIs, targeting various cryptocurrencies including Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash.

Open in new tab