CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 29, 2026

Breach Roundup: US Troops Tracked With Cell Phone Data

Data Breach Today Archived May 29, 2026 ✓ Full text saved

Also, Kali365 Bypasses MFA, Silent Ransom Group Makes Office Calls This week, active duty troops tracked, Kali365 bypassed MFA, Australian lawmakers phished on WhatsApp, Silent Ransom escalated IT scams, Lithuania and German hospitals disclosed breaches, pro-Russian infrastructure providers arrested, CISA warned of active LiteSpeed exploitation.

Full text archived locally
✦ AI Summary · Claude Sonnet


    Cybercrime , Fraud Management & Cybercrime , Incident & Breach Response Breach Roundup: US Troops Tracked With Cell Phone Data Also, Kali365 Bypasses MFA, Silent Ransom Group Makes Office Calls Pooja Tikekar (@PoojaTikekar) • May 28, 2026     Credit Eligible Get Permission Image: Shutterstock/ISMG Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, U.S. troops in active warzone tracked using cellphone geolocation data, the FBI warned that the Kali365 phishing platform is bypassing Microsoft 365 multifactor authentication and Australian officials linked a WhatsApp compromise targeting parliament staffers to a suspected foreign state actor. Probably Russia. The Silent Ransom group escalated fake IT help desk attacks, Lithuania probed unauthorized access affecting 600,000 state records and hackers breached a German billing provider impacting more than 100,000 hospital patients. Attackers spoofed CERT-UA in a malware campaign, Dutch authorities arrested suspects linked to pro-Russian cyber infrastructure and CISA warned of active exploitation targeting LiteSpeed servers. See Also: Know Thy Enemy: Threats to Cyber Resilience Active Duty US Troops Tracked Via Smartphone Cellphone Data Sold by Data Brokers Foreign governments tracked U.S. military personnel active in operations against Iran through cell phone geolocation data collected by data brokers, U.S. lawmakers said Thursday in a letter citing intelligence from Central Command. Foreign governments taking advantage of America's mostly unregulated data broker industry - buoyed by lack of a national privacy law - is not new. But "this is the first time DoD has confirmed that adversaries are using commercial location data to target U.S. military personnel in an active war zone," more than a dozen lawmakers said in a letter addressed to Department of Defense CIO Kirsten Davis. "That foreign adversaries are still able to buy location data collected from the phones of U.S. personnel serving in military hotspots is a direct result of DoD leadership’s failure to prioritize this threat and implement common sense cyber defenses recommended by federal cybersecurity experts," the bipartisan group said. The letter places some blame on the Pentagon itself for the broker industry's flourishing trade in geolocation data, stating that defense officials have transacted with it by buying data location sourced from Muslim prayer and dating apps. The letter, led by Sen. Ron Wyden (D-Ore.), advised the Pentagon to eschew any browser on unclassified computers and smartphones that facilitates data collection by Google or other advertising companies - including the Chrome browser. Military-issued smartphones should automatically have their advertising ID disabled, and any Defense personnel carrying a personal device should disable the ID while on base or deployed overseas, the lawmakers said. Kali365 Service Enables MFA Bypass Attacks on Microsoft 365 A phishing-as-a-service platform dubbed Kali365 is helping attackers hijack Microsoft 365 accounts by stealing OAuth tokens and bypassing multifactor authentication protections, the FBI warned. The platform lets users hijack Microsoft's device code authentication flow - a legitimate mechanism designed for smart TVs, printers and IoT devices - to capture access and refresh tokens tied to Microsoft 365 accounts. Security researchers first spotted Kali365 in April. It's distributed largely through Telegram. Victims receive phishing emails impersonating cloud productivity or document-sharing services and are prompted to enter a device code on a legitimate Microsoft verification page. Once entered, the code authorizes the attacker's device, enabling access to Outlook, Teams and OneDrive without requiring a password or additional multifactor prompts. The FBI said Kali365 lowers the barrier for less-skilled attackers by offering artificial intelligence-generated phishing lures, automated campaign templates, real-time victim tracking dashboards and token capture capabilities. Security firm Arctic Wolf observed hundreds of attacks in April alone, hitting organizations in manufacturing, education, government, insurance, financial services and healthcare across North America, Europe, the Middle East and Africa. Australian Parliament WhatsApp Hack Linked to Suspected State Actor A suspected foreign state actor compromised the WhatsApp accounts of an Australian member of parliament and three staffers through a targeted phishing campaign. "My WhatsApp account was targeted as part of a broader cyber incident affecting parliamentarians and staff," said Independent MP Zali Steggall, the Sydney Morning Herald reported Monday. Department of Parliamentary Services CIO Mike Webb said the March 6 attack involved hackers tricking victims into sharing WhatsApp verification codes. The accounts were tied to personal and DPS-managed devices. Officials temporarily blocked WhatsApp Web across Parliament House from March 9 to March 13 while responding to the incident. Webb said evidence pointed to a foreign state actor and similar state-backed WhatsApp phishing campaigns have targeted government officials in Germany, the Netherlands and the United States. Parliamentary sources told the Herald that the actor is widely suspected of originating in Russia. The Kremlin for years now has launched social engineering attacks against users of end-to-end encrypted chat apps including WhatsApp (see: Breach Roundup: Russian State Actors Target Signal, WhatsApp). Silent Ransom Group Uses Fake IT Help Desk Calls to Breach Firms It's rare for hackers to care enough to make office calls, but the group that makes up the Silent Ransom Group has been spotted visiting victim offices while posing as IT personnel responding to phishing incidents, the FBI warned Tuesday. Hackers used USB devices or external hard drives to exfiltrate data directly from company computers. Also tracked as Luna Moth, Chatty Spider and UNC3753, the extortion group more often uses phone calls and phishing emails to convince employees to join remote desktop sessions using legitimate tools such as Quick Assist, AnyDesk and Splashtop. The attackers steal sensitive corporate data and threaten victims with public leaks unless ransom demands are paid. The FBI said the group has targeted U.S. law firms since 2023, although organizations in healthcare, insurance and financial services have also reported incidents. The group has been active since at least 2022. The group typically eschews file encryption, preferring to concentrate on data theft and extortion. Attackers use tools such as WinSCP and Rclone to move stolen data to external servers, and have also been observed exfiltrating files to cloud platforms including Google Drive and Microsoft OneDrive. The reliance on legitimate administration tools makes detection more difficult. Lithuania Probes Unauthorized Access to State Databases Affecting 600,000 Records Lithuanian prosecutors are investigating "illegal access to state information systems" that may have exposed more than 600,000 records from national registries. The Prosecutor General's Office said hackers used credentials belonging to Lithuania's Migration Department, a government agency with legitimate access to the databases. Authorities say the credentials were used to make large volumes of queries from an unidentified foreign country over an extended period. Officials said the compromised data primarily came from the Real Estate Register and the Register of Legal Entities. Exposed records may include personal identification numbers and property-related information. Phone numbers, email addresses, bank account details and payment information were not affected. Third-Party Breach Impacts 100,000 Patients at German University Hospitals Hackers stole sensitive data pertaining to more than 100,000 patients after breaching an external billing service used by multiple German university hospitals, including Freiburg, Heidelberg, Ulm, Mannheim and Tübingen, German daily SWR Aktuell reported Saturday. Hospitals said their internal clinical systems and patient care operations were not impacted. The attack targeted Unimed, a third-party provider that handles billing for privately insured and self-paying patients. The breach occurred in mid-April. Compromised data included names, birth dates and addresses, and in some cases, attackers also accessed invoices, diagnosis details, treatment information and bank account data. Freiburg University Hospital accounted for the bulk of the stolen data, reporting the breach affected 54,000 of its patients, including billing data in about 900 cases. Heidelberg reported around 11,000 affected patients, including approximately 2,700 whose billing information may also have been exposed. Attackers Spoof CERT-UA in Malware Email Campaign Hackers are impersonating Ukraine's cybersecurity agency CERT-UA and the State Service of Special Communications and Information Protection in phishing emails falsely warning of an "unprecedented cyberattack." CERT-UA said the messages falsely claim that government information systems have been targeted using malware called DEAFTICKv2. The cybersecurity agency is telling recipients not to click on the email's links. Dutch Arrests in Pro-Russian Cyber Hosting Probe Dutch police arrested two men accused of violating European sanctions by providing hosting infrastructure used in pro-Russian cyberattacks and disinformation campaigns. The Dutch Fiscal Information and Investigation Service said the suspects - a 57-year-old from Amsterdam and a 39-year-old from The Hague - operated companies whose servers supported cyberattacks, interference operations and disinformation activities. Investigators searched three business sites in Enschede and Almere and two data centers in Dronten and Schiphol-Rijk, seizing records, devices and more than 800 servers. The probe centers on a hosting company founded shortly before Russia's 2022 invasion of Ukraine and sanctioned by the EU in May 2025. Reports by Correctiv and de Volkskrant identified the firms as MIRhosting and WorkTitans, linking them to sanctioned hosting provider Stark Industries. European investigative media outlets reported the infrastructure hosted websites tied to the Russian-linked Doppelgänger campaign and DDoS attacks by the pro-Russian hacker group NoName057(16). CISA Warns of Active LiteSpeed Exploitation The U.S. Cybersecurity and Infrastructure Security Agency ordered federal agencies to secure vulnerable LiteSpeed servers within four days after attackers began actively exploiting a critical flaw in the LiteSpeed cPanel user-end plugin. The vulnerability, tracked as CVE-2026-48172, is a privilege escalation flaw caused by improper handling of Redis enable and disable functions in the lsws.redisAble component. The issue enables unauthenticated remote attackers to execute arbitrary scripts with root privileges. CISA added the flaw to its Known Exploited Vulnerabilities catalog. Other Stories From This Week Chinese Phishers Use Live MFA Interception for Digital Wallet Fraud Glassworm Group: Software Supply-Chain Attackers Disrupted Oncology Firm Says Vendor Hack Compromised Patient Data Microsoft Code Editor Flaw Lets Attackers Hijack Developer PCs Responding to Breaches With AI? Beware Cross-Contamination With reporting from ISMG's Anviksha More in Mumbai and David Perera in Northern Virginia.
    💬 Team Notes
    Article Info
    Source
    Data Breach Today
    Category
    ◇ Industry News & Leadership
    Published
    May 29, 2026
    Archived
    May 29, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗