This week’s cybersecurity and dark web news stories discuss Russian hackers exposing UK government logins, the C++ macOS infostealer posing as crash reporter, and Accenture breach.
UK Government Credentials Up for Sale at £44,000
The National Cyber Security Centre issued an urgent alert on July 5 confirming that the campaign, which has compromised more than 80,000 Fortinet firewalls across 194 countries, has reached the UK public sector infrastructure, with stolen credentials from the Foreign Office, NHS organisations, pharmacies, and local councils now circulating on dark web forums.
A seller operating under the handle “SantaAd” is offering the full dataset for $60,000, including IT staff accounts at British embassies in Thailand and Mauritius, and local government workers in Derbyshire and Waltham Forest.
Credentials belonging to NHS trusts, pharmacies, labs, and medicine suppliers feature in the exposed data. Former NHS doctor and cybersecurity expert Dr Saif Abed put the risk plainly: “This is precisely the kind of initial access that precedes catastrophic ransomware attacks on healthcare.”
Fortinet has confirmed that FortiBleed is not the result of a new product vulnerability. Attackers recycled credentials from previous breaches and ran brute-force techniques against devices without multi-factor authentication. The underlying code is written in Russian, though no direct state involvement has been established.
C++ macOS Infostealer Posing as Crash Reporter
CrashStealer, a newly documented infostealer was uncovered this week. First spotted on VirusTotal in early May while still in development, CrashStealer moved into active deployment by early July. Its delivery chain is more considered than most commodity Mac malware. Victims receive what appears to be a meeting or collaboration tool called Werkbit, distributed through werkbit[.]io, a domain registered in late June, with downloads gated behind a meeting PIN, ensuring the installer only reaches intended targets and stays hidden from automated scanners. The Werkbit app is signed with a valid Apple Developer ID and carries Apple’s notarization ticket, meaning it clears Gatekeeper without any warning. Apple has since revoked the signing credentials after Jamf reported them.
Once launched, CrashStealer displays a password prompt that looks exactly like a standard macOS system dialog. The password isn’t sent anywhere immediately, it’s validated locally using Apple’s own `dscl` command, which means the malware keeps prompting until the user enters their correct credentials. Once validated, those credentials unlock the login Keychain, which is then copied into a hidden staging folder. From there the malware collects broadly: Chrome, Edge, Brave, Firefox, Opera, and Vivaldi browser profiles and saved credentials; roughly 80 cryptocurrency wallet browser extensions spanning MetaMask, Phantom, Coinbase Wallet and others; 14 password managers including 1Password, Bitwarden, LastPass, and Keeper; and a sweep of Documents and Downloads folders.
What distinguishes CrashStealer technically is what happens to the data before it leaves the machine. Collected files are encrypted individually with AES-256-GCM as they are staged, meaning the stolen data is never sitting in plaintext on disk, then packaged into hidden ZIP archives and exfiltrated to a command-and-control server. The malware also profiles installed security and endpoint detection tools, persists via a LaunchAgent that reinstalls itself after login, and layers in control-flow flattening, encrypted strings, and multiple anti-debugging checks to slow down analysis.
Jamf linked the campaign to additional operator infrastructure and backend domains, suggesting CrashStealer is one component of a larger operation rather than a standalone tool.
Accenture Confirms Breach
On July 7th, threat actor “888” posted an anouncement: “Today I am selling the Accenture Data Breach.” The listing claimed that 35 GB of data had been stolen from the global IT services giant, including source code, RSA keys, SSH keys, Azure Personal Access Tokens, Azure Storage access keys, and configuration files.
Accenture confirmed the breach to BleepingComputer the same day, saying: “We are aware of this isolated matter, and we have remediated its source. There is no impact to Accenture operations and service delivery.” The company declined to detail how access was gained, how much data was taken, or whether any client data was among the material stolen.
The threat actor shared a screenshot appearing to show the cloning of an Azure DevOps repository named “121123_AtriasTalentAcademy” hosted on an Accenture subdomain as evidence of the breach. Whether that repository is representative of the full dataset remains unverified.
This is not the first time “888” has targeted Accenture. The same actor attempted to sell Accenture employee data following a third-party breach in 2024. Nor is it Accenture’s first major incident. In 2021 the LockBit ransomware gang hit the company and exfiltrated data before encrypting systems.