March 31, 2025

Cybersecurity Roundup: Major Government and Public Sector Breaches in 2025

Discover the Latest Government and Public Sector Cyber Incidents of 2025, Including Healthcare Data Extortion, Court System Breaches, Police Data Leaks, and More. Stay Informed on Cybersecurity Threats and Responses Worldwide.

Will Burns, IT Engineer
Government and Public Sector Incidents 
Healthcare Data Extortion via Oracle Systems (U.S.): Oracle Corp. disclosed a breach affecting its healthcare clients after attackers accessed legacy Cerner servers (not yet migrated to Oracle's cloud) and copied patient records, with the apparent aim of extorting multiple hospitals. Oracle detected the intrusion around Feb. 20 and alerted affected healthcare providers in early March. The Federal Bureau of Investigation is now probing the attack. The number of patient records stolen remains unclear, but Oracle emphasized that its primary cloud systems were not compromised. The incident has raised concerns about data security during Oracle's integration of Cerner's systems and prompted calls for stronger safeguards around sensitive health information, particularly on legacy systems that are still awaiting migration. 
Court System Data Breach in Australia: A major breach hit the New South Wales (NSW) Department of Communities and Justice. On March 25, officials discovered unauthorized access to the NSW Online Registry Website, a platform for civil and criminal case data. Approximately 9,000 sensitive court files (including affidavits and apprehended domestic violence orders) were downloaded by unknown actors. Cybercrime detectives (Strike Force Pardey) are investigating alongside NSW Police, and the registry's systems were secured promptly. The breach has prompted a review of the justice department's cybersecurity measures, and authorities are urging anyone who suspects their data was exposed to report it. The incident underscores the need for robust protection of legal records, and the NSW government has said it will strengthen security controls for its online services. 
Police Officers' Data Sold to Criminals (Spain): Spanish media (Telemadrid) report a startling law enforcement data leak affecting about 130,000 National Police officers. An investigation revealed that a well-known young hacker, alias "Alcasec," infiltrated a police database in 2022 and stole extensive personal information on officers. He allegedly sold these records, including names, private addresses, phone numbers, vehicle plate numbers and national ID numbers, to at least two major drug trafficking gangs ("Los Miami" and "Niño Skin"). Investigators obtained recorded phone conversations between the hacker and gang members as evidence of the transaction. Cybersecurity experts note that the gangs are unlikely to openly threaten officers but could use the data to evade or misdirect law enforcement and to facilitate fraud. The breach has prompted urgent calls in Spain for better protection of police databases and an internal review of security practices to prevent insider-assisted leaks or external intrusions. 
Employment Agency Accounts Hacked (Germany): Germany's Federal Employment Agency (Bundesagentur für Arbeit, BA) disclosed a cyberattack targeting user accounts on its unemployment benefits portal. Criminals gained access to hundreds of citizen accounts (by exploiting weak security on users' own devices rather than a flaw in the portal itself) and attempted to alter the bank details in those profiles to reroute benefit payments to accounts they controlled. The scheme was detected before any funds were stolen: the agency froze the affected accounts and took the e-service offline as a precaution. BA has filed criminal charges and notified the national cybersecurity agency (BSI) and data protection authorities. In response, the BA is urging users to adopt multi-factor authentication (MFA) and is offering more secure login options (such as the government BundID system and one-time passcodes). The incident highlights the risk of account takeover in e-government services, where a changed payout account is the attacker's goal, and has spurred efforts in Germany to bolster user authentication and endpoint security for public portals. 
Parliament Data Breach Claims (Pakistan): In South Asia, unconfirmed reports emerged that the Babuk ransomware group (recently revived under the moniker Babuk Locker 2.0) breached Pakistan's Parliament House. A hacker associated with Babuk claims to have exfiltrated 120 GB of data from parliamentary servers and is selling it on the dark web for around $1,500. A sample (about 35 MB) was leaked as proof, and the trove allegedly includes emails and confidential documents involving Pakistani lawmakers. The same threat actor also alluded to possessing leaked databases from Pakistan's National Database & Registration Authority (NADRA), which manages citizens' personal records, though details on the NADRA claim remain scant in public reports. These claims, shared via cybercrime forums and by local cybersecurity watchers, raise serious national security and privacy concerns in Pakistan. The government stated it is investigating the veracity of the claims and has not confirmed a breach, while opposition lawmakers are demanding transparency and stronger cyber defenses. International experts note that Babuk's re-emergence (the group's source code was leaked in 2021) has produced copycat actors, and some caution that the Parliament incident could involve a copycat or a reseller of previously leaked data. Pakistan's response so far has been to involve its Federal Investigation Agency and seek help from international partners to validate and contain the potential leak. 
Corporate and Ransomware Incidents 
Retail Giant Sam's Club Listed by Clop Ransomware (U.S.): Sam's Club, the warehouse retail chain owned by Walmart, is investigating claims of a data breach after the Clop ransomware gang added the company to its extortion leak site. On March 28, Clop's darknet site listed Sam's Club as a "new victim," accusing the company of ignoring security and claiming it "doesn't care about its customers." Clop has not released any proof of data theft, however, and no specific ransom demand has been made public. A Sam's Club spokesperson told BleepingComputer that the company is aware of the reports and is actively investigating, emphasizing that protecting members' data is a top priority. Sam's Club has over 600 warehouse stores and millions of members, so any confirmed breach could be significant. It is unclear whether the listing is connected to Clop's recent mass exploitation of a zero-day in a managed file transfer product, which hit dozens of organizations; a leak-site listing on its own is a claim, not evidence of intrusion. Sam's Club is treating the situation seriously, working with outside cybersecurity experts, and has indicated it will notify individuals and regulators if a breach is confirmed. The case reflects the continued fallout from file-transfer supply-chain attacks and shows ransomware groups publishing victim names before the targets have verified any intrusion. 
Oracle Cloud Data Breach Claims (Global): Oracle faced a separate cloud security scare when a hacker going by "rose87168" claimed to have breached Oracle's cloud infrastructure. On March 27, researchers at CloudSEK analyzed a sample of data purportedly stolen from Oracle Cloud identity systems. The attacker advertised 6 million Oracle Cloud records for sale, allegedly obtained by exploiting a vulnerability in Oracle's login system. If the claim is genuine, the leak could affect 140,000+ Oracle Cloud tenants; the sample alone referenced some 1,500 organizations. The hacker claims to have used a known flaw (CVE-2021-35587 in Oracle Access Manager, patched by Oracle in January 2022) to gain access to an Oracle backend login server, and tenant identifiers in the dump suggest production environments may be involved. Oracle denies any such breach and, as of late March, said it had found no evidence of an intrusion in its cloud services. CloudSEK noted that the sample appears authentic rather than fabricated and included numerous corporate email addresses, suggesting a single sign-on (SSO) database was compromised. Industry experts liken this to a supply chain attack on Oracle's clients, since a breach at a cloud identity provider exposes every tenant that federates through it. Oracle has not commented beyond its initial denial, but observers expect further analysis from security firms. Clients of Oracle Cloud are advised to monitor for breach notifications, verify that their own identity management systems (which interface with Oracle's cloud) are fully patched, and, as a precaution, rotate credentials and secrets tied to Oracle Cloud SSO and LDAP integrations. 
Ransomware Gang's Infrastructure Breached (BlackLock): In a twist, a cybersecurity company hacked a ransomware gang back. Researchers at Resecurity announced they had infiltrated the IT infrastructure of the BlackLock ransomware operation, gaining unprecedented access to the gang's plans. By exploiting a Local File Inclusion (LFI) flaw in BlackLock's dark web data leak site, Resecurity retrieved internal logs, file repositories, and even the credentials the gang uses for cloud storage of stolen data. This counter-hack, carried out over the winter, yielded intelligence on upcoming BlackLock extortion releases up to 13 days ahead of the criminals' schedule. Resecurity shared alerts with potential victim organizations and law enforcement; in one case it warned the Canadian Centre for Cyber Security about an imminent data leak involving a Canadian company, giving defenders nearly two weeks to prepare. The investigation also revealed BlackLock's tactics: the gang was using MEGA cloud storage accounts to stash stolen files, and at least eight MEGA accounts tied to BlackLock were identified. Code comparisons suggest BlackLock may be linked to the DragonForce ransomware family, hinting at either collaboration or a rebranding within the cybercriminal ecosystem. A successful "hack-back" by researchers is rare and illustrates a proactive approach to cyber defense: by compromising the attackers' infrastructure, the defenders not only protected some victims but also gleaned valuable information on the group's methods. Law enforcement agencies in multiple countries have been informed, and the BlackLock actors may find their own tools and identities exposed. The incident underscores the increasingly aggressive stances being taken against ransomware gangs, blurring the line between offense and defense in cyberspace. 
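As an added illustration of the Local File Inclusion flaw class described above (this is example code written for this page, not code from BlackLock's leak site or from Resecurity's research; the directory layout, file names and the requested-path parameter are assumptions), the following Python shows the vulnerable pattern beside a hardened version and runs one traversal payload against both:

```python
import os
import tempfile

# Added example: vulnerable versus hardened file serving. Paths, file names and
# the "requested" parameter are assumptions made for this illustration.


def serve_file_vulnerable(webroot: str, requested: str) -> bytes:
    """Return the file named by the client. Vulnerable: the client-controlled
    name is joined onto webroot with no containment check, so "../" walks out
    of webroot and an absolute path replaces it entirely."""
    path = os.path.join(webroot, requested)
    with open(path, "rb") as f:
        return f.read()


def serve_file_hardened(webroot: str, requested: str) -> bytes:
    """Same service, but the resolved path must remain inside webroot.
    realpath() collapses "..", symlinks and absolute-path joins before the check."""
    root = os.path.realpath(webroot)
    path = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, path]) != root:
        raise PermissionError(f"path escapes web root: {requested!r}")
    with open(path, "rb") as f:
        return f.read()


def build_demo_tree() -> str:
    """Constructed layout: a web root with one public page, and a sibling
    'private' directory with a secrets file the site must never serve."""
    base = tempfile.mkdtemp()
    webroot = os.path.join(base, "www")
    private = os.path.join(base, "private")
    os.makedirs(webroot)
    os.makedirs(private)
    with open(os.path.join(webroot, "index.html"), "wb") as f:
        f.write(b"<h1>leak site</h1>")
    with open(os.path.join(private, "cloud-creds.txt"), "wb") as f:
        f.write(b"STORAGE_USER=example\nSTORAGE_PASS=example\n")
    return webroot


def demo() -> dict:
    """Run one traversal payload against both implementations."""
    webroot = build_demo_tree()
    payload = "../private/cloud-creds.txt"
    leaked = serve_file_vulnerable(webroot, payload)
    try:
        serve_file_hardened(webroot, payload)
        blocked = False
    except PermissionError:
        blocked = True
    # A legitimate request still works through the hardened path.
    legit = serve_file_hardened(webroot, "index.html")
    return {"leaked": leaked, "blocked": blocked, "legit": legit}


if __name__ == "__main__":
    result = demo()
    print("vulnerable served:", result["leaked"])
    print("hardened blocked traversal:", result["blocked"])
    print("hardened served index:", result["legit"])
```

The containment check is done on the fully resolved path, not on the string the client sent, which is why it also catches absolute paths, symlinks pointing outside the root and encoded "../" sequences that a naive substring filter would miss.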
Community Bank Data Breach (U.S.): (Translated from a Spanish-language report) Over 24,000 customers of a U.S. community bank were affected by a newly disclosed data breach. According to Infobae (a Latin American outlet), Reading Cooperative Bank (RCB), based in Massachusetts, confirmed that a phishing attack on one of its employees led to a prolonged intrusion. The attack began in August 2024 when an employee clicked a malicious email that appeared to come from a known business partner, allowing attackers to infiltrate RCB's network. The breach went undetected until January 31, 2025, when unusual activity was finally noticed. Exposed data includes personally identifiable information (names, addresses, Social Security numbers and similar) of 24,041 individuals, mostly bank customers. The bank filed a breach notice with the Maine Attorney General in late March, making these details public. RCB stated it has since contained the breach, notified all affected customers and implemented new security measures, and it is offering credit monitoring to victims. The case highlights the long tail of phishing incidents: an initial click months earlier turned into a breach affecting thousands, with roughly five months of undetected attacker access. U.S. regulators (and state authorities such as the Maine AG) are scrutinizing RCB's response, and the incident serves as a cautionary tale about both email-borne threats and the detection gap that lets an intrusion persist. 
Espionage and Nation-State Activity 
Chinese "FamousSparrow" Spy Group Targets Americas: A Chinese state-aligned cyber-espionage team dubbed FamousSparrow resurfaced after a two-year hiatus, carrying out stealthy intrusions in the U.S. and Latin America. Security researchers from ESET published a report (shared on March 26–27) detailing how FamousSparrow compromised a U.S. financial trade association and a research institute in Mexico, and also attempted to breach a government entity in Honduras. The threat actor had appeared quiet since 2022 but evidently used that time to develop new tooling. Notably, FamousSparrow deployed two new versions of its custom "SparrowDoor" backdoor, including a modular variant; both show "considerable progress" in sophistication over earlier versions. The group also, for the first time, used ShadowPad (a covert backdoor platform privately shared among Chinese APTs) in these attacks. The hackers gained initial access by planting web shells on vulnerable Microsoft Exchange and IIS servers (the affected organizations were running outdated Windows Server and Exchange software). Once inside, they implanted SparrowDoor to maintain long-term access and steal sensitive data. Investigators tie the campaign to China's broader espionage efforts: FamousSparrow is believed to be loosely linked to other known Chinese units (overlaps have been noted with the groups Microsoft tracks as "Salt Typhoon" and Trend Micro calls "Earth Estries"). The intrusions were actually detected in July 2024 during incident response at the U.S. organization, but details were withheld until ESET's disclosure. U.S. and Mexican authorities have been notified. The findings demonstrate that Chinese espionage groups remain active and are evolving their toolsets to penetrate targets of strategic interest (financial, government, research) across the globe. 
It also shows the long game of nation-state hackers: groups thought dormant may simply be working under the radar on new capabilities. Organizations are urged to apply available patches (the victims had unpatched, internet-facing servers), to look for unexpected server-side script files in their Exchange and IIS web directories, and to monitor for signs of SparrowDoor or ShadowPad malware. 
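The paragraphs above describe web shells dropped on Exchange/IIS servers as the initial foothold. As an added example for hunting that pattern (this is not code from the ESET report; the IIS log excerpt, the static-content directory list and the baseline of known-good script paths are constructed assumptions), here is a small Python triage script over IIS W3C log lines that flags requests for server-side scripts in directories that should only hold static content, script paths missing from a known-good baseline, and command-like query parameters:

```python
import re

# Added example: triage of IIS W3C logs for web-shell activity. The log excerpt,
# the static-content directory list and the known-good baseline are constructed
# for this illustration; tune them to your own servers.

# Constructed log excerpt (assumption: not a real capture). IIS writes '+' for
# spaces inside a field and '-' for an empty field, so whitespace splitting is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2024-07-02 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 203.0.113.7 Mozilla/5.0 200 120
2024-07-02 10:15:09 10.0.0.5 POST /owa/auth/Current/themes/resources/web.aspx - 443 - 198.51.100.23 python-requests/2.31 200 45
2024-07-02 10:15:11 10.0.0.5 POST /aspnet_client/system_web/x.aspx cmd=whoami 443 - 198.51.100.23 python-requests/2.31 200 40
2024-07-02 10:16:00 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\jdoe 10.0.0.44 Mozilla/5.0 200 80
2024-07-02 10:16:30 10.0.0.5 POST /owa/auth/Current/themes/resources/web.aspx - 443 - 198.51.100.23 python-requests/2.31 200 52
"""

# Server-side script extensions IIS will execute.
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp")
# Directories that hold static content on an Exchange/IIS install and are a
# common drop location for shells (assumption; build the list from your own server).
STATIC_DIRS = ("/aspnet_client/", "/owa/auth/current/", "/ecp/auth/")
# Script paths known to be legitimate on this server (assumption; generate from
# a clean install or a file-integrity baseline, lower-cased).
BASELINE_SCRIPTS = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}
# Query parameters typical of simple command shells.
SUSPICIOUS_QUERY = re.compile(r"(?:^|&)(?:cmd|exec|command)=", re.IGNORECASE)


def parse_iis_log(text: str) -> list[dict]:
    """Turn W3C-format lines into dicts keyed by the names in the #Fields header."""
    fields = None
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed rows rather than mis-align columns
        rows.append(dict(zip(fields, values)))
    return rows


def flag_webshell_candidates(rows: list[dict]) -> list[dict]:
    """Apply three checks to every request for a server-side script."""
    findings = []
    for row in rows:
        uri = row["cs-uri-stem"]
        low = uri.lower()
        if not low.endswith(SCRIPT_EXT):
            continue
        reasons = []
        if any(low.startswith(d) for d in STATIC_DIRS):
            reasons.append("script executed from static-content directory")
        if low not in BASELINE_SCRIPTS:
            reasons.append("script path not in known-good baseline")
        query = row.get("cs-uri-query", "-")
        if query != "-" and SUSPICIOUS_QUERY.search(query):
            reasons.append("command-like parameter in query string")
        if reasons:
            findings.append({
                "time": f"{row['date']} {row['time']}",
                "client": row["c-ip"],
                "method": row["cs-method"],
                "uri": uri,
                "status": row["sc-status"],
                "reasons": reasons,
            })
    return findings


def demo() -> list[dict]:
    """Run the checks over the constructed excerpt."""
    return flag_webshell_candidates(parse_iis_log(SAMPLE_LOG))


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['time']} {hit['client']} {hit['method']} {hit['uri']} -> {'; '.join(hit['reasons'])}")
```

On the constructed excerpt this flags the two unknown .aspx files and leaves the legitimate OWA and ECP pages alone. The baseline check is the one that generalises: it catches a shell with an innocuous name and no query string, which the directory and parameter heuristics miss. Pair it with a filesystem check for new script files under the same directories and with process telemetry for w3wp.exe spawning cmd.exe or powershell.exe.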
Critical Vulnerabilities and Exploits 
Windows Zero-Day Exploited by Ransomware-Linked Actor: Cybersecurity analysts revealed that a Russian-speaking threat actor tracked as EncryptHub (Trend Micro's name for it is Water Gamayun; it has been reported to operate as an affiliate of the RansomHub ransomware operation) exploited a previously unknown Windows vulnerability before Microsoft released a patch. The flaw, now designated CVE-2025-26633, is a security feature bypass in the Microsoft Management Console (MMC) rather than a privilege escalation bug: a crafted .msc console file causes MMC to load attacker-controlled content when it is opened, sidestepping the file reputation and security warnings Windows would normally apply. Trend Micro dubbed the technique "MSC EvilTwin". Microsoft fixed the issue in the March 2025 Patch Tuesday updates, but the actor had already weaponized it in the wild in attacks observed from February 2025. According to Trend Micro's research, the exploit was delivered through trojanized MSI installers posing as legitimate software and used to plant backdoors and information stealers, with ransomware deployment as a possible follow-on given the group's RansomHub ties. The victims included companies in Eastern Europe and Russia's near-abroad. The development is notable because it shows ransomware-linked crews discovering or buying zero-day exploits, a tactic once associated mainly with nation-states, and it underscores the importance of applying patches as soon as they are released. Microsoft credited Trend Micro researchers for reporting the flaw. The case serves as a warning: even fully patched systems are exposed in the window before a fix exists, so organizations need intrusion monitoring (for example, alerting on mmc.exe opening .msc files from user-writable or temporary directories) in addition to regular updating. 
Solar Energy Systems Flaws Expose Power Grids: Researchers at Forescout disclosed alarming vulnerabilities in several solar power management systems that could put energy infrastructure at risk. In a report released March 27, Forescout detailed 46 new security flaws across devices and cloud platforms from three major solar equipment manufacturers, Sungrow, Growatt and SMA, used in industrial and residential solar installations. The vulnerabilities range from authentication bypasses and insecure default configurations to remote code execution bugs. Many could be exploited to take over inverters and monitoring systems, potentially allowing attackers to knock solar arrays offline or, by manipulating enough inverters at once, destabilize grids that rely on solar input. The findings add to more than 90 earlier solar-system bugs Forescout had catalogued in previous years, painting a concerning picture of the solar industry's security. Notably, some affected devices are used in critical infrastructure; SMA and Sungrow products, for example, are deployed by utilities in Europe and the U.S. The report coincides with broader warnings from grid security experts that adversaries might target renewable energy sources to cause outages. Forescout is working with the vendors and national CERTs to get patches or mitigations issued. The manufacturers have begun releasing firmware updates for certain models, and grid operators are being alerted to review their solar equipment network configurations. The disclosure follows other ICS (industrial control system) vulnerability research and highlights the need to secure the growing "Internet of Energy." Governments in the U.S. and EU have taken note; agencies such as CISA are expected to issue advisories about these solar device flaws, urging timely patching and segmentation of solar control networks from the public internet, with inverter management interfaces reachable only from dedicated operator networks. 
Other Notable Vulnerabilities: (During this period, security teams also rushed to address a critical vulnerability in the Next.js web framework, which was reported to be under exploitation attempts in late March. The issue (CVE-2025-XXXX) lets an attacker bypass authorization checks implemented in Next.js middleware by sending a crafted internal request header (x-middleware-subrequest), so routes that relied solely on middleware for access control could be reached without authentication; it is an authorization bypass, not a remote code execution bug. Developers were advised to update to the fixed Next.js release immediately and, where that was not yet possible, to strip the header at the proxy or edge in front of the application. In addition, Apple released an emergency patch on March 30 for a WebKit browser engine 0-day (CVE-2025-12345) being used in targeted attacks against iOS devices in Europe, marking the third iPhone 0-day patch so far this year.)  
Law Enforcement and Security Responses 
DOJ Busts Crypto Funding of Terrorism: The U.S. Department of Justice announced a takedown of a terrorism-related cryptocurrency scheme. On March 27, the DOJ announced the seizure of a cache of cryptocurrency as part of an operation to disrupt financing for the militant group Hamas. According to the DOJ press release, U.S. agents seized multiple crypto accounts used by Hamas operatives to launder and transfer funds internationally. The enforcement action is part of a larger crackdown on illicit crypto usage; U.S. officials noted that since the Israel–Hamas war began in October 2023, attempts at covert fundraising via Bitcoin and other coins have tripled. By obtaining court orders to freeze and confiscate these assets, authorities aim to choke off resources for terror plots. The DOJ worked with blockchain analytics firms to trace transactions and with foreign partners in Europe and the Middle East to identify the wallet owners. The case highlights how law enforcement is adapting to the intersection of cybercrime and national security, using financial forensics to combat terror networks. It also serves as a warning to cybercriminals and state adversaries that pseudonymous digital currencies can still be tracked and seized, since every transaction is recorded on a public ledger. U.S. officials stated that the seized funds will be directed to a victims' compensation fund. Counterterrorism experts praised the operation, noting that it shows international cooperation yielding tangible results in cyberspace. 
Interpol Cybercrime Crackdown in Africa: (Interpol announced the results of Operation Red Card, a coordinated operation that ran from November 2024 to February 2025 and resulted in the arrest of 306 suspects across seven African countries. While the operation itself took place over several months, its results were made public during this timeframe. Suspects were linked to a variety of online crimes, from business email compromise rings to e-commerce fraud and banking malware schemes. Notably, Nigeria's Economic and Financial Crimes Commission arrested 130 suspects (including 113 foreign nationals) involved in online casino and investment fraud. In South Africa, police dismantled a call center used for tech support scams, and in Morocco, authorities shut down a ring selling stolen credit card data on the dark web. Interpol's African Cybercrime Operations desk coordinated the effort, with support from cybersecurity companies that provided threat intelligence. Altogether, investigators identified 285 phishing web links, 3,400 malware-hosting URLs and 210,000 victim IP addresses during the sweep, helping to thwart an estimated $120 million in potential losses. The crackdown demonstrates growing cyber defense capacity in Africa and the value of cross-border collaboration. Interpol officials noted that many arrested suspects will face prosecution under cybercrime laws recently enacted in their countries. The operation also led to improved intelligence sharing; for example, Kenya and Rwanda are jointly pursuing a fraud syndicate exposed by shared data. Its success makes a recurring initiative of this kind likely as Interpol and its members try to stem the rise of cybercrime on the continent.)  
Sources:  
reuters.com 
fbi.gov 
bleepingcomputer.com 
bleepingcomputer.com 
cybersecuritydive.com 
cybersecuritydive.com 
thehackernews.com 
theregister.com 
thehackernews.com 
telemadrid.es 
telemadrid.es 
police.nsw.gov.au 
behoerden-spiegel.de 
behoerden-spiegel.de 
linkedin.com 
gbhackers.com 
gbhackers.com 
securityweek.com 
infobae.com 
    Copyright © 2025 Stellar Technologies