Qilin ransomware attack on Inotiv disrupts operations
Summary
Inotiv, a pharmaceutical contract research organization, experienced a ransomware attack on August 8, 2025, which encrypted some of its systems and data. The Qilin ransomware gang claimed responsibility, alleging to have stolen 162,000 files totaling 176GB. The incident impacted Inotiv's business operations, including databases and internal applications, and is expected to cause disruptions for an extended period. The company has engaged external security experts and notified law enforcement. Inotiv specializes in drug development, discovery, and safety assessment, employing around 2,000 specialists and generating over $500 million in annual revenue. The attack affected networks and systems crucial to business processes, with some operations migrated to offline alternatives to mitigate outages. Additionally, Qilin ransomware has targeted Nissan's subsidiary, Creative Box Inc. (CBI), stealing four terabytes of data, including 3D vehicle design models and internal reports.
Timeline
- 26.08.2025 16:48 · 1 article · 21d ago
Qilin ransomware targets Nissan's Creative Box Inc.
On August 16, 2025, Nissan Japan confirmed a data breach at its subsidiary, Creative Box Inc. (CBI), due to unauthorized access. Qilin ransomware claimed responsibility, stating they stole four terabytes of data, including 3D vehicle design models, internal reports, financial documents, VR design workflows, and photos. CBI implemented emergency measures and reported the incident to the police. Qilin ransomware added CBI to its extortion portal, threatening to make the stolen data public. Nissan confirmed that the leaked data impacts only Nissan, as CBI is its sole customer.
Sources:
- Nissan confirms design studio data breach claimed by Qilin ransomware · www.bleepingcomputer.com · 26.08.2025 16:48
- 19.08.2025 17:25 · 2 articles · 28d ago
Qilin ransomware attack on Inotiv disrupts operations
On August 8, 2025, Inotiv, a pharmaceutical contract research organization, experienced a ransomware attack that encrypted some of its systems and data. The Qilin ransomware gang claimed responsibility, alleging to have stolen 162,000 files totaling 176GB. The incident impacted Inotiv's business operations, including databases and internal applications. The company has engaged external security experts and notified law enforcement. The attack affected networks and systems crucial to business processes, with some operations migrated to offline alternatives to mitigate outages. Additionally, Qilin ransomware has targeted Nissan's subsidiary, Creative Box Inc. (CBI), stealing four terabytes of data, including 3D vehicle design models and internal reports.
Sources:
- Pharma firm Inotiv says ransomware attack impacted operations · www.bleepingcomputer.com · 19.08.2025 17:25
- Nissan confirms design studio data breach claimed by Qilin ransomware · www.bleepingcomputer.com · 26.08.2025 16:48
Information Snippets
- Inotiv, a pharmaceutical company, suffered a ransomware attack on August 8, 2025.
  First reported: 19.08.2025 17:25 · 1 source, 1 article. Sources:
  - Pharma firm Inotiv says ransomware attack impacted operations · www.bleepingcomputer.com · 19.08.2025 17:25
- The Qilin ransomware gang claimed responsibility, stating they encrypted 162,000 files (176GB).
  First reported: 19.08.2025 17:25 · 1 source, 2 articles. Sources:
  - Pharma firm Inotiv says ransomware attack impacted operations · www.bleepingcomputer.com · 19.08.2025 17:25
  - Nissan confirms design studio data breach claimed by Qilin ransomware · www.bleepingcomputer.com · 26.08.2025 16:48
- The attack impacted Inotiv's business operations, including databases and internal applications.
  First reported: 19.08.2025 17:25 · 1 source, 1 article. Sources:
  - Pharma firm Inotiv says ransomware attack impacted operations · www.bleepingcomputer.com · 19.08.2025 17:25
- Inotiv has engaged external security experts and notified law enforcement.
  First reported: 19.08.2025 17:25 · 1 source, 1 article. Sources:
  - Pharma firm Inotiv says ransomware attack impacted operations · www.bleepingcomputer.com · 19.08.2025 17:25
- The company has over 2,000 employees and annual revenue exceeding $500 million.
  First reported: 19.08.2025 17:25 · 1 source, 1 article. Sources:
  - Pharma firm Inotiv says ransomware attack impacted operations · www.bleepingcomputer.com · 19.08.2025 17:25
- The attack affected networks and systems critical to business processes.
  First reported: 19.08.2025 17:25 · 1 source, 1 article. Sources:
  - Pharma firm Inotiv says ransomware attack impacted operations · www.bleepingcomputer.com · 19.08.2025 17:25
- Some operations were migrated to offline alternatives to mitigate the impact.
  First reported: 19.08.2025 17:25 · 1 source, 1 article. Sources:
  - Pharma firm Inotiv says ransomware attack impacted operations · www.bleepingcomputer.com · 19.08.2025 17:25
- Nissan Japan confirmed a data breach affecting Creative Box Inc. (CBI), a subsidiary contracted for design work.
  First reported: 26.08.2025 16:48 · 1 source, 1 article. Sources:
  - Nissan confirms design studio data breach claimed by Qilin ransomware · www.bleepingcomputer.com · 26.08.2025 16:48
- The breach occurred on August 16, 2025, when unauthorized access was detected on CBI's data server.
  First reported: 26.08.2025 16:48 · 1 source, 1 article. Sources:
  - Nissan confirms design studio data breach claimed by Qilin ransomware · www.bleepingcomputer.com · 26.08.2025 16:48
- Qilin ransomware claimed to have stolen four terabytes of data, including 3D vehicle design models, internal reports, financial documents, VR design workflows, and photos.
  First reported: 26.08.2025 16:48 · 1 source, 1 article. Sources:
  - Nissan confirms design studio data breach claimed by Qilin ransomware · www.bleepingcomputer.com · 26.08.2025 16:48
- CBI implemented emergency measures, such as blocking server access, and reported the incident to the police.
  First reported: 26.08.2025 16:48 · 1 source, 1 article. Sources:
  - Nissan confirms design studio data breach claimed by Qilin ransomware · www.bleepingcomputer.com · 26.08.2025 16:48
- Qilin ransomware added CBI to its extortion portal on August 20, 2025, threatening to make stolen design projects public.
  First reported: 26.08.2025 16:48 · 1 source, 1 article. Sources:
  - Nissan confirms design studio data breach claimed by Qilin ransomware · www.bleepingcomputer.com · 26.08.2025 16:48
- Nissan confirmed that the leaked data impacts only Nissan, as CBI is its sole customer.
  First reported: 26.08.2025 16:48 · 1 source, 1 article. Sources:
  - Nissan confirms design studio data breach claimed by Qilin ransomware · www.bleepingcomputer.com · 26.08.2025 16:48
- Qilin ransomware has been active this year, claiming high-profile victims including Inotiv.
  First reported: 26.08.2025 16:48 · 1 source, 1 article. Sources:
  - Nissan confirms design studio data breach claimed by Qilin ransomware · www.bleepingcomputer.com · 26.08.2025 16:48
Similar Happenings
Malicious nx Packages Exfiltrate 2,349 GitHub, Cloud, and AI Credentials
A supply chain attack on the nx build system allowed attackers to publish malicious versions of the popular npm package and auxiliary plugins. These versions contained data-gathering capabilities that exfiltrated 2,349 credentials from GitHub, cloud, and AI services. The attack occurred on August 26, 2025, affecting multiple versions of the nx package and related plugins. The compromised packages were removed from the npm registry, and users were advised to rotate credentials and check their systems for malicious modifications. The malicious packages scanned file systems, collected credentials, and posted them to GitHub repositories under the users' own accounts. The attack exploited a vulnerable workflow introduced on August 21, 2025, which allowed arbitrary command execution with elevated permissions. The attack took approximately four hours from start to finish and resulted in the exfiltration of around 20,000 sensitive files. The attackers used AI-powered CLI tools to dynamically scan for high-value secrets and modified shell startup files so that the system crashed whenever a terminal session was opened. A second attack wave was identified on August 28, 2025, affecting over 190 users and organizations and over 3,000 repositories; it involved making private repositories public and creating forks to preserve the data. In total, the attack unfolded in three distinct phases affecting 2,180 accounts and 7,200 repositories. The first phase impacted 1,700 users and leaked over 2,000 unique secrets. The second phase compromised 480 accounts and exposed 6,700 private repositories. The third phase targeted a single organization, publishing an additional 500 private repositories.
UNC6395 Exploits Salesloft OAuth Tokens to Exfiltrate Salesforce Data
UNC6395 exploited Salesloft OAuth tokens to exfiltrate data from Salesforce instances. The campaign, active from August 8 to 18, 2025, targeted over 700 organizations, exporting credentials and sensitive information. Zscaler, Palo Alto Networks, Cloudflare, Google, PagerDuty, Proofpoint, SpyCloud, Tanium, and Workiva were impacted by the breach, exposing customer information. Salesloft and Salesforce have taken remediation steps, and the threat actor demonstrated operational security awareness. The breach involved exporting large volumes of data from Salesforce instances, including AWS access keys, passwords, and Snowflake tokens. The actor deleted query jobs to cover tracks. Salesloft has revoked connections and advised customers to re-authenticate Salesforce integrations. The campaign may indicate a broader supply chain attack strategy. Salesloft has engaged Mandiant and Coalition for investigation and remediation. Drift customers are urged to update API keys for connected integrations. Salesforce removed the Drift application from the Salesforce AppExchange until further notice. Google has revealed that the campaign impacts all integrations, including Google Workspace email accounts, and has taken steps to mitigate the risk. Salesloft is temporarily taking Drift offline to review the application and build additional security measures. Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications.
Data breach at Auchan exposes personal information of hundreds of thousands of customers
French retailer Auchan has disclosed a data breach affecting hundreds of thousands of customers. The breach exposed personal information associated with loyalty accounts, including names, addresses, email addresses, phone numbers, and loyalty card numbers. No bank data, passwords, or PINs were compromised. The incident has been reported to the French Data Protection Authority (CNIL). The company is advising customers to be vigilant against potential phishing attacks using the stolen information. The breach follows similar incidents involving other large French entities, but no evidence suggests a coordinated campaign. This is the second data breach Auchan has disclosed over the past year.
Interpol-led Operation Serengeti 2.0 arrests over 1,200 cybercriminals in Africa
Interpol coordinated Operation Serengeti 2.0, an extensive anti-cybercrime operation across Africa, leading to the arrest of 1,209 suspects. The operation, conducted from June to August 2025, targeted high-harm and high-impact cybercrimes including ransomware, online scams, and business email compromise (BEC). The coordinated effort involved 18 African countries and the United Kingdom, resulting in the seizure of $97.4 million and the dismantling of 11,432 malicious infrastructures. These actions targeted crimes against 87,858 victims worldwide. The operation was part of the African Joint Operation against Cybercrime, funded by the United Kingdom's Foreign, Commonwealth, and Development Office. Data from private sector partners, including Cybercrime Atlas, Fortinet, Kaspersky, Group-IB, and TRM Labs, was used to enhance the operation's effectiveness. Significant actions included the dismantling of 25 cryptocurrency mining centers in Angola, an online investment fraud operation in Zambia, and a transnational inheritance scam originating in Germany. Additionally, Nigeria deported 102 foreign nationals convicted of cyber terrorism and internet fraud. In Angola, 45 illegal power stations and $37 million worth of mining and IT equipment were seized. A human trafficking network was disrupted in Zambia, and evidence including mobile numbers, domains, and bank accounts was seized. Côte d'Ivoire dismantled the transnational inheritance scam originating in Germany, seizing assets including electronics, jewellery, cash, vehicles, and documents.
Static Tundra Exploits Cisco IOS Flaw for Cyber Espionage
The Russian state-sponsored cyber espionage group Static Tundra, also known as Berserk Bear, Blue Kraken, Castle, Crouching Yeti, Dragonfly, Ghost Blizzard, and Koala Team, has been actively exploiting a seven-year-old vulnerability in Cisco IOS and Cisco IOS XE software to gain persistent access to target networks. The attacks target organizations in the telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe. The vulnerability, CVE-2018-0171, allows unauthenticated, remote attackers to execute arbitrary code or trigger a denial-of-service condition. The group, linked to the FSB's Center 16 unit, focuses on long-term intelligence gathering operations. The FBI and Cisco Talos have issued advisories warning about the ongoing exploitation of CVE-2018-0171 by Static Tundra. The FBI has observed FSB cyber actors exploiting SNMP and end-of-life networking devices running the unpatched vulnerability to target entities in the United States and globally. The attackers collect configuration files for thousands of networking devices and modify them to facilitate unauthorized access. They use custom tools like SYNful Knock to maintain persistence within victim networks. Static Tundra uses publicly available scan data to identify systems of interest and sets up GRE tunnels to redirect traffic to attacker-controlled infrastructure. The group's activities are primarily focused on unpatched, end-of-life network devices, which it uses to establish access on primary targets and facilitate secondary operations. The ongoing campaign highlights the importance of maintaining a current inventory of network infrastructure and prioritizing the patching or replacement of end-of-life devices. The FBI has also warned about the group targeting US state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the last decade. The U.S. Department of State is offering up to $10 million for information on three FSB officers involved in cyberattacks targeting U.S. critical infrastructure.