Breach Roundup: the Qilin Hack That Wasn’t

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, Qilin didn’t actually hack a Spanish tax agency, a Nexperia standoff could affect car production, Envoy Air confirmed an Oracle data compromise, Experian Netherlands fined 2.7 million euros for privacy violations, ToolShell exploited to breach global networks, critical flaws found in TP-Link Omada and Festa VPN routers and a New York accounting firm settled a cybersecurity investigation.

See Also: On Demand | Global Incident Response Report 2025

ADVERTISEMENT

A review by Information Security Media Group of the posted data shows Qilin does appear to have captured personal tax forms and a letter from the tax agency to a third-party business management firm located in the city of Valladolid regarding the receipt of informational advisories.

The ransomware group also posted what appears to be an email sent to the Valladolid firm by an insurer.

This wouldn’t be the first time that Russian-speaking ransomware hackers mistook the identity of a hacking victim. LockBit in mid-2024 claimed to have hacked the U.S. Federal Reserve after likely having spotted in a breached data set a document that said “United States Federal Reserve” (see: Bogus: LockBit’s Claimed Federal Reserve Ransomware Hit).

As a reminder: criminal hackers are often stupid.

Carmakers across the globe are warning a standoff between the Dutch government and the Chinese owners of Netherlands-based chipmaker Nexperia may spark a production shutdown.

The Japan Automobile Manufacturers Association said it received notification from Nexperia that it may not be able to guarantee deliveries.

The Dutch government earlier this month invoked an economic security statute to lock out the Chinese owners of the semiconductor chipmaker and impose domestic control. A major consumer of Nexperia’s low-end chips are automobile manufacturers (see: Chinese Owners Locked Out of Dutch Chip Maker Nexperia).

“We have teams working around the clock with our supply chain partners to minimize possible disruptions. The situation is very fluid,” said Mary Barra of General Motors to investors on Tuesday.

Nexperia produces semiconductor wafers in Germany and the United Kingdom, but 80% of its final products are processed in China, The Financial Times reported.

German’s Volkswagen will proceed with normal production during the coming weeks but afterward faces uncertainty.

“I think there will be some factories shut down,” Volvo Cars CEO Håkan Samuelsson said.

American Airlines owned Envoy Air confirmed a security incident affecting its Oracle E-Business Suite application after the Clop ransomware gang listed American Airlines on its data leak site. Envoy Air operates under the American Eagle brand.

Envoy operates as a separate entity but is integrated into American Airlines’ network for ticketing, scheduling and passenger services. Clop began leaking what it says is stolen Envoy data, posting messages accusing the airline of neglecting customer security. The airline said that no sensitive customer data was exposed, though a limited amount of business information and commercial contacts may have been compromised.

This incident is part of a broader Clop campaign initiated in August that targets Oracle customers. Initial reports suggested the attackers exploited patched vulnerabilities, but Oracle later confirmed the use of a zero-day flaw now tracked as CVE-2025-61882.

Experian Netherlands must pay a fine of 2.7 million euros – $3.2 million – levied by the Dutch Data Protection Authority for multiple violations of the General Data Protection Regulation.

An investigation found that the credit reporting and analytics firm collected personal data from a variety of public and private sources, including the Chamber of Commerce, telecoms and energy companies, without informing individuals or obtaining their consent. Experian used the data to generate credit scores for service providers and sellers, influencing loan interest rates, deposits and other financial decisions.

The regulator concluded that Experian failed to justify the data collection, inform consumers, or secure proper consent, violating European privacy law.

Experian, one of the world’s largest credit reporting firms, said it will not appeal the decision. The company also announced it will cease all operations in the Netherlands and delete its entire database of personal information by the end of 2025.

Threat actors tied to China exploited the ToolShell vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770, to breach multiple high-profile targets after the flaw became public knowledge in July. Among the roster of victims were a Middle Eastern telecom, government departments in an African country, government agencies in South America and a U.S. university, researchers from Symantec and Carbon Black said Wednesday.

Other likely victims include a state technology agency in Africa, a government department in the Middle East and a European finance company.

Microsoft in July warned that it knew of two Chinese nation-state actors tracked as Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers. A Chinese ransomware threat actor Microsoft tracks as Storm-2603 also exploited ToolShell. Sino hackers weaponized the vulnerability to deploy malware such as Zingdoor, ShadowPad and KrustyLoader, the latter linked to espionage campaigns targeting Ivanti EPMM and SAP NetWeaver systems.

Other incidents involved exploitation of SQL servers, Apache HTTP and Adobe ColdFusion using DLL side-loading techniques, with privilege escalation via PetitPotam, tracked as CVE-2021-36942, and living-off-the-land tools to harvest credentials and maintain persistent access.

Symantec found overlaps with previous campaigns by hackers tracked as Glowworm, Earth Estries and FamousSparrow, but could not attribute all activity to a single group. Evidence indicates attackers aimed to steal credentials and establish stealthy, persistent network access, likely for espionage purposes.

Researchers at Forescout discovered two vulnerabilities in TP-Link Omada and Festa VPN routers that could enable attackers to execute arbitrary commands and gain unauthorized root access. The flaws, CVE-2025-7850 – CVSS 9.3; and CVE-2025-7851, stem from an incomplete 2024 patch for CVE-2024-21827, which left debug functionality accessible and created alternate attack paths.

After analyzing the Omada ER605v2 router, researchers found the 2024 patch addressed CVE-2024-21827 but that residual debug code allowed root access via CVE-2025-7851. They also identified a command injection flaw in the Web UI’s WireGuard VPN settings, where a private key field was improperly sanitized, allowing authenticated users to execute OS commands as root. Certain deployments could be exploited even without credentials, expanding the potential attack surface.

Forescout said TP-Link’s version of LuCI, a Lua scripting language-based device framework, has a history of vulnerabilities. Both flaws have been reported to TP-Link, which released firmware updates.

New York accounting firm Wojeski & Company will pay $60,000 and implement stronger cybersecurity measures following two data breaches that exposed the personal information of over 4,700 New Yorkers.

New York Attorney General Letitia James announced the settlement after investigators found the firm failed to adequately safeguard client data and delayed notifying victims of a ransomware attack for more than a year. The breaches, in 2023 and 2024, exposed names, Social Security numbers, driver’s licenses and other sensitive details.

As part of the settlement, Wojeski must encrypt sensitive data, enhance employee access controls, provide cybersecurity training and offer free credit monitoring to affected individuals.

Other Stories From Last Week

With reporting from Information Security Media Group’s Gregory Sirico in New Jersey and David Perera in Northern Virginia.