Breach Roundup: Microsoft Tries to Mend Researcher Bridges
Data Breach TodayArchived Jun 05, 2026✓ Full text saved
Also: Gas Station Monitoring Systems Under Attack, Spanish Teen Doxer Arrested This week, more happened than fits here: Microsoft tried to make nice with researchers, gas tank gauges under attack in the United States, fake FIFA websites are everywhere. Russia cried cyberespionage, Spanish police arrested a teenaged doxer, a Oracle Weblogic flaw was actively exploited.
Full text archived locally
✦ AI Summary· Claude Sonnet
Cybercrime , Fraud Management & Cybercrime , Incident & Breach Response
Breach Roundup: Microsoft Tries to Mend Researcher Bridges
Also: Gas Station Monitoring Systems Under Attack, Spanish Teen Doxer Arrested
Pooja Tikekar (@PoojaTikekar) • June 4, 2026
Credit Eligible
Get Permission
Image: Shutterstock/ISMG
Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, Microsoft tried to make up with researchers, gas tank gauges under attack in the United States, fake FIFA websites are everywhere. Scammers spoofed the North Ireland police. Russia said it uncovered a cyberespionage operation on mobile devices. The Dutch police took down a big botnet and Spanish police arrested a teenage hacker with a taste for doxing. A Oracle Weblogic flaw was actively exploited and a new Russian hacking group spotted.
See Also: Know Thy Enemy: Threats to Cyber Resilience
Microsoft Calls Vulnerability Disclosure Saga a 'Misunderstanding'
Microsoft attempted an about-face on legal threats against security researchers after facing backlash from the security community over threatening legal action against a researcher who disclosed the operating system zero-days.
The technology giant said it will not sue researchers and will learn from interactions that "have fallen short". It said sometimes there will be misunderstandings.
"To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research," Microsoft Security Response Center said on X.
"When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate," Microsoft said.
Many researchers were outraged by the company's May 27 statement responding to a series of uncoordinated vulnerabilities disclosures from a disgruntled bounty hunter, who said Microsoft ignored his reports first and then deleted his code-sharing accounts when he published proofs of concept on his own (see: Microsoft Threatens Legal Action Over Zero-Day Leaks).
Going by the name Nightmare Eclipse or Chaotic Eclipse, the researcher disclosed six Windows vulnerabilities on GitHub. Many of them ended up being exploited in the wild before Microsoft could release a patch.
The company's latest attempt to settle the matter met mixed response. Some felt that it was a first step to acknowledge and solve disagreements, while others said the broken trust will take years to recover and an ambiguous statement is not enough.
One security researcher disclosed Tuesday a Microsoft VS Code proof-of-concept exploit alongside a missive stating that his interaction with the Microsoft reporting process has been "a horrible experience."
"I’m sure the VSCode team would have appreciated a longer heads up on this to come up with solutions," wrote Ammar Askar. "Finding and fully developing security bugs into proof-of-concepts like this takes time and effort on the part of security researchers that should not be disrespected or taken for granted."
Gas Station Monitoring Systems Face Hacker Attack, Warn US Agencies
Internet-facing monitoring systems for gas tanks are being attacked by unidentified hacking groups, U.S. authorities warned Tuesday, attacks that could potentially blind operators to leaks or other problems with tank systems like those used at gas stations across America.
"Components operating incorrectly could create a denial of view condition of tank fill levels," warned the advisory published by the Cybersecurity and Infrastructure Security agency. Such interference "increases the risk of environmental or physical hazards from incidents such as leaks or relay failures."
The advisory does not suggest hackers would be able to control the flow into or out of gas tanks, only that they could alter or interfere with operators' knowledge or understanding of what was happening in the tanks.
Commentators on social media noted that the vulnerability of internet-facing ATGs had been well understood for years, but that they offered very little to hackers by way of sabotage opportunities (see: Zero-Day Vulnerabilities in Automatic Tank Gauge Systems).
The advisory says the United States has not yet attributed the attacks to a nation-state or threat actor group, but it follows a CNN report from May stating that U.S. intelligence considered Iran the top suspect.
An anonymous source cautioned CNN that it might never be possible to technically attribute the attacks owing to a lack of forensic artefacts captured by the targeted systems.
FBI Warns of Fake FIFA Websites Ahead of 2026 World Cup
Cybercriminals are using fake FIFA World Cup websites to steal personal and financial information from fans seeking tickets and hospitality packages for the 2026 tournament, the FBI warned.
The fraudulent sites mimic FIFA's official website and use lookalike domains, typo-squatting techniques and deceptive subdomains to appear legitimate. Victims may be tricked into providing payment details, account credentials and other sensitive information while attempting to purchase tickets.
The FBI said it expects cybercriminal activity tied to the World Cup to increase as the tournament approaches and that compromised information could be used for identity theft, account fraud and other financial crimes.
Cybersecurity firm Fortinet in a Thursday blog post warned that more than 13,000 new World Cup-themed domains have come online since January, of which roughly 10% appear malicious or suspicious.
"Assume any World Cup deal that reached you through a social media ad or search result is suspect until proven otherwise. Go direct, go official and treat any countdown clock or 'limited seats remaining' message as the manipulation tactic it almost certainly is," said Chris Olson, CEO of The Media Trust, in an emailed statement.
Scammers Spoof Northern Ireland Police Number
Northern Ireland police are warning the public after what they described as a "very concerning" incident in which scammers spoofed the Police Service of Northern Ireland's official switchboard number to steal financial information.
The incident involved a resident in South Belfast who received a call appearing to originate from the PSNI switchboard. The caller falsely claimed the victim was under investigation for money transfers linked to narcotics-related countries and requested bank card details.
The scammer also instructed the victim to purchase gift cards and share the redemption codes, claiming the money would later be refunded as part of the investigation. The victim became suspicious and ended the call without disclosing any information.
Anytime that a putative government employee starts demanding gift cards, it's a scammer.
Russia Alleges Foreign Spy Agencies Used Malware to Spy on Top Officials
Russia's principal internal security and counterintelligence agency uncovered what it described as a large-scale cyberespionage operation targeting the mobile devices of senior government officials.
The Federal Security Service in a statement published Tuesday alleged that foreign intelligence agencies deployed malware capable of stealing stored data, intercepting conversations and covertly activating device microphones and cameras to monitor targets and their surroundings.
The agency said the operation relied on the technical capabilities of major international IT companies and mobile communications infrastructure to collect data from compromised devices.
Foreign intelligence agencies used the operation to gather information on officials' contacts, plans and internal deliberations, bypassing traditional intermediaries such as NGOs, an FSB official told Russian state news agency TASS. Officials whose devices were compromised were subsequently added to U.S. and EU sanctions lists, the official claimed, with the collected material then used to pressure them.
The allegations echo previous Russian claims about foreign mobile-device espionage. In 2023, the FSB accused the U.S. National Security Agency of exploiting Apple iPhones in a large-scale surveillance campaign targeting Russian officials and organizations. The disclosure was linked to the discovery of the "Operation Triangulation" spyware platform, which security researchers said was designed for intelligence collection on infected devices.
Dutch Police Take Down 17M-Device Botnet
Dutch police, with the help of cyber defenders, dismantled a botnet comprising at least 17 million infected devices and backed by more than 200 servers hosted in the Netherlands.
The infrastructure was used to control compromised computers, smartphones, tablets, routers and other internet-connected devices for cybercriminal operations. Police in The Hague seized multiple servers for forensic analysis. A hosting provider disabled remaining infrastructure tied to cyberattacks and other criminal activities.
Local media reports linked the disrupted infrastructure to Asocks, a residential proxy service previously associated with proxyware and cybercrime.
Spanish Police Arrest Teen in Mass Doxing Campaign Targeting State Institutions
Spanish National Police arrested a 16-year-old in Granada over a campaign to expose the personal data belonging to members of several sensitive state institutions.
The suspect is accused of publishing private information belonging to the staff at the National Cybersecurity Institute, the National Security Council, the National Police, the Civil Guard, the Attorney General's Office and Spain's tax agency. Police raided his home and seized computers and other electronic devices.
The arrest follows a February incident in which personal data attributed to current and former employees of the Spanish National Cybersecurity Institute - known as INCIBE for its Spanish acronym - appeared on doxing platforms. At the time, INCIBE said it had not suffered a cyberattack, and that such posts are often compiled from previously leaked datasets circulating online rather than obtained through a new network intrusion.
A threat group calling itself "Police-ESP-Doxed" has been linked to the campaign, which later expanded to include the personal data of hundreds of Spanish judges and prosecutors published on Doxbin.
Oracle WebLogic Flaw Under Active Exploitation
A high-severity Oracle WebLogic Server vulnerability that allows unauthenticated attackers to access sensitive data is being actively exploited in the wild, nearly two years after Oracle released patches for the flaw.
The vulnerability, tracked as CVE-2024-21182, received a patch in July 2024, with Oracle warning that a remote attacker could exploit it over TP and IIOP protocols without authentication or user interaction.
WebLogic Server has long been a favored target for both cybercriminal and state-sponsored threat groups for its widespread deployment in enterprise environments. Attackers have repeatedly exploited vulnerabilities in the middleware platform to gain initial access, deploy malware and move laterally within victim networks.
The U.S. Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog.
Russia-Linked GreyVibe Uses AI Across Cyberattack Life Cycle
A previously undocumented Russia-linked threat group dubbed GreyVibe is using generative artificial intelligence tools including ChatGPT, Google Gemini and Ideogram AI to support cyberespionage campaigns targeting Ukraine, according to research released by cybersecurity company WithSecure.
The group has targeted Ukrainian military and government, as well as business since at least August 2025 through spear-phishing campaigns, fake CAPTCHA pages, fraudulent Ukrainian adult-club websites and custom malware, researchers said.
GreyVibe used large language models to create phishing lures, generate images, develop malware, build backend infrastructure and produce post-compromise tooling. The group's malware arsenal includes PhantomRelay, a PowerShell-based remote access Trojan; FallSpy, an Android spyware tool; and LegionRelay, a custom backdoor that researchers believe was likely developed with LLM assistance.
Other Stories From This Week
Anthropic Submits Pre-IPO SEC Filing, Leads Market Cap Fight
China Using LinkedIn to Recruit Government Insiders
Musk's X Asks US FTC to Nullify Data Security Order
Report: US Military Needs a Standalone Cyber Force
Mayo Clinic, Microsoft Team Up on AI for Doctors, Patients
With reporting from ISMG's Tiffany Wang in New York and freelancer Shaun Waterman in Washington, D.C.