Anubis Ransomware Targets Adriatic Port, Exposes Maritime Security Gaps

The breach dated back to December 11, 2025.

The Adriatic Port Authority breach: scope and timeline

The Adriatic Port Authority (Autorità di Sistema Portuale del Mare Adriatico Centrale), which runs the Italian port of Ancona, reported a breach that it says began on December 11, 2025 and was attributed to the Anubis ransomware group in January 2026, when the group claimed responsibility and posted data on its leak site. The authority estimated roughly 2% of its data was lost; backups preserved the remainder. It described most of the stolen material as public or soon-to-be-public, but acknowledged employee records reached the dark web.

Resecurity's June 11 analysis: operational impact and extortion

Threat intelligence firm Resecurity published an analysis on June 11 that broadened the picture beyond the authority’s initial public accounting. Resecurity said operations had been crippled, vessels were rerouted, and that the attackers issued a reported $10 million Bitcoin ransom demand. According to Resecurity, the stolen set included contracts, employee records and, more sensitively, port safety plans and details of security operations—information the firm said could be valuable to smuggling groups or for recruiting insiders.

Anubis' model: RaaS, affiliates and earnings

Resecurity traced the toolset to Anubis, which surfaced in December 2024 and launched an affiliate program in February 2025. The group operates a ransomware-as-a-service model built around double extortion and, according to Resecurity, is unrelated to an older Android banking malware of the same name. Anubis' revenue shares are explicit: 80% for affiliates deploying ransomware, 60% for data extortion and 50% for initial access brokers. The group boasts a model that has earned more than $20 million and lists victims across healthcare, construction and engineering.

Exploit vectors: spear‑phishing, insecure cloud accounts and known CVEs

Resecurity’s account identifies an initial intrusion via a spear‑phishing email sent to staff at the company that manages the port; the attackers then moved laterally into core systems. The firm emphasized that the attack did not require targeting operational technology (OT) but succeeded through IT weaknesses—specifically insecure cloud accounts managing Office 365 and Azure. Resecurity also tied Anubis to mass exploitation of internet‑facing systems via known but unpatched flaws, naming problem areas such as SonicWall VPNs left without multi‑factor authentication, SolarWinds Web Help Desk (CVE‑2025‑26399), Cisco SSL VPNs and the CitrixBleed 2 flaw (CVE‑2025‑5777).

What this means for port operators, security teams, and procurement leaders

  • Port operators: The Adriatic Port Authority’s admission that backups preserved most data but that employee records were exposed, combined with Resecurity’s report of crippled operations and rerouted vessels, makes clear that ports face both reputational and operational damage even when data loss is quantified as a small percentage.
  • Technologists and security teams: Resecurity’s reconstruction points to familiar, actionable vectors—spear‑phishing, lateral movement, insecure cloud accounts for Office 365 and Azure, and exploitation of known CVEs including CVE‑2025‑26399 and CVE‑2025‑5777—underscoring the role of patch management, MFA on VPNs, and cloud account hygiene.
  • Procurement leaders and IT buyers: Resecurity framed the attack in a run of ransomware hits on ports—from Maersk to Japan’s Nagoya—and warned that outdated port IT and thin cyber maturity leave the sector increasingly exposed as digitization widens the attack surface, a maritime security concern it expects to deepen through 2030. That places pressure on procurement decisions tied to lifecycle support, vendor patch cadence and resilience planning.

The Ancona incident, as laid out by the port authority and by Resecurity, is not an abstract vulnerability exercise: it combines a dated intrusion (December 11, 2025), a public claim and leak (January 2026), a small quantified data loss alongside exposed personnel files, and a reported multimillion‑dollar extortion attempt. Resecurity's linkage of the attack to an affiliate‑driven RaaS and to specific unpatched CVEs crystallizes a practical question the record leaves open: will port operators and their supply chains prioritize the basic mitigations (patching known CVEs, enforcing MFA on VPNs, and hardening cloud accounts) that the attack narrative identifies as the initial and avoidable failures?

Source: https://www.infosecurity-magazine.com/news/anubis-ransomware-adriatic-port/