SECURITYINTEL DAILY BRIEF ■ ThreatIntel Brief
Monday, June 29, 2026 | INTEL CONFIDENCE 88% | THREAT LEVEL CRITICAL

THREAT OF THE DAY: KDDI Email System Data Breach | CRITICAL

5 C2 IPs | 48 OTX IOCs | 3 ARTICLES

■ ANALYST TLDR
Threat actors breached KDDI Corporation's email system, exposing up to 14.2 million email logins across six Japanese ISPs. This critical data breach poses a significant risk of credential stuffing attacks and further account compromise for affected users. Security teams should also note the release of YARA-X versions 1.18.0 and 1.19.0, which bring detection improvements and bug fixes.

■ CRITICAL STORIES
| Data breach exposes up to 14.2 million email logins at six ISPs | This breach exposed sensitive login credentials for millions of users across multiple Japanese ISPs, posing a significant risk of credential stuffing and further account compromise. Immediate user action and system remediation are required. |
| YARA-X 1.18.0 and 1.19.0 Release | Updates to the YARA-X detection engine provide improved capabilities and bug fixes for security analysts, enhancing threat detection and rule development. |
| ISC Stormcast For Monday, June 29th, 2026 | General daily security update from SANS, providing timely insights into current threats and vulnerabilities, though specific details are not provided in this summary. |

■ CVEs IDENTIFIED
| [CVE-TBD] | KDDI Corporation Email System — Data breach exposing 14.2 million email logins |

■ THREAT ACTORS
| Unspecified Threat Actors | Cybercriminal/State-sponsored (generic) | Gained unauthorized access to KDDI's email system and exfiltrated 14.2 million email logins. |

■ ATT&CK TTPs
| TECHNIQUE | NAME | CONTEXT |
| T1078 | Valid Accounts | Threat actors likely used or gained valid accounts to access KDDI's email system. |
| T1530 | Data from Local System | Collection of email logins from the compromised email system. |
| T1041 | Exfiltration Over C2 Channel | Implied exfiltration of 14.2 million email logins from the compromised system. |
| T1589.002 | Gather Victim Identity Information: Email Addresses | Collection of email addresses and associated logins during the breach. |

■ PATCH PRIORITY
| KDDI Corporation Email System | Remediation of root cause for data breach and hardening against future unauthorized access | BC article |
| YARA-X | Update to latest version for improved detection capabilities and bug fixes | SANS article |

■ RECOMMENDED ACTIONS TODAY
| 1 | [P1] Advise users of KDDI Corporation and associated ISPs to immediately change their email passwords and enable multi-factor authentication where available, due to the exposed logins from the KDDI email system breach. |
| 2 | [P1] Organizations operating email systems similar to KDDI Corporation's compromised platform should conduct immediate security audits, review access logs for suspicious activity, and enforce robust credential management policies. |
| 3 | [P2] Security teams should update their YARA-X instances to versions 1.18.0 or 1.19.0 to leverage improved detection capabilities and bug fixes. |
| 4 | [P3] Implement credential stuffing detection mechanisms and monitor for anomalous login attempts targeting all external-facing authentication systems. |
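Actions 2 and 4 ask for log review and credential stuffing detection on external-facing authentication systems. The script below is an added example written for this brief, not code from the brief's sources or from KDDI: it reads authentication log lines in a hypothetical `ts user= src= result=` format (the format, the thresholds and the sample lines are all constructed), flags any source IP that cycles through many distinct accounts with a high failure ratio inside a short window, and cross-checks every source IP seen against the five C2 addresses from the blocklist further down the page.

```python
"""Credential-stuffing triage over authentication logs.

Added example, not part of the brief. It flags source IPs that try many
distinct accounts with a high failure ratio inside a short window, and
cross-checks every source seen against the C2 IP blocklist the brief lists.
The log line format, the thresholds and the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The five C2 IPs from the brief's AbuseCH Feodo blocklist (status aside).
C2_BLOCKLIST = {
    "162.243.103.246", "50.16.16.211", "34.204.119.63",
    "178.62.3.223", "27.133.154.218",
}

# Constructed sample log in a hypothetical "ts user src result" format.
# 203.0.113.10 cycles through eight accounts in eight seconds (stuffing);
# 198.51.100.7 is one user mistyping a password; 27.133.154.218 is a
# single successful login from an IP on the C2 blocklist.
SAMPLE_LOG = """\
2026-06-29T08:00:01Z user=alice src=203.0.113.10 result=FAIL
2026-06-29T08:00:02Z user=bob src=203.0.113.10 result=FAIL
2026-06-29T08:00:03Z user=carol src=203.0.113.10 result=FAIL
2026-06-29T08:00:04Z user=dave src=203.0.113.10 result=OK
2026-06-29T08:00:05Z user=erin src=203.0.113.10 result=FAIL
2026-06-29T08:00:06Z user=frank src=203.0.113.10 result=FAIL
2026-06-29T08:00:07Z user=grace src=203.0.113.10 result=FAIL
2026-06-29T08:00:08Z user=heidi src=203.0.113.10 result=FAIL
2026-06-29T08:01:00Z user=alice src=198.51.100.7 result=FAIL
2026-06-29T08:01:20Z user=alice src=198.51.100.7 result=FAIL
2026-06-29T08:01:45Z user=alice src=198.51.100.7 result=OK
this line is malformed and must be skipped
2026-06-29T08:02:10Z user=erin src=27.133.154.218 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m["user"], "src": m["src"], "ok": m["result"] == "OK"}


def triage(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8,
           blocklist=C2_BLOCKLIST):
    """Return findings: one per (src, window) that looks like credential
    stuffing, plus one per source IP that appears on the blocklist."""
    window_s = int(window.total_seconds())
    buckets = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    sources = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip it rather than abort the run
        sources.add(ev["src"])
        # Fixed-size time buckets aligned to midnight of the event's day.
        midnight = ev["ts"].replace(hour=0, minute=0, second=0)
        secs = int((ev["ts"] - midnight).total_seconds())
        start = midnight + timedelta(seconds=secs - secs % window_s)
        b = buckets[(ev["src"], start)]
        b["users"].add(ev["user"])
        b["total"] += 1
        if not ev["ok"]:
            b["fail"] += 1
    findings = []
    for (src, start), b in sorted(buckets.items()):
        ratio = b["fail"] / b["total"]
        # Many distinct accounts from one source, mostly failing: stuffing.
        if len(b["users"]) >= min_users and ratio >= min_fail_ratio:
            findings.append({"src": src, "reason": "credential_stuffing",
                             "window_start": start.isoformat(),
                             "distinct_users": len(b["users"]),
                             "failures": b["fail"], "attempts": b["total"]})
    # Any activity from a known C2 address is worth a look, even one login.
    for src in sorted(sources & set(blocklist)):
        findings.append({"src": src, "reason": "c2_blocklist"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
```

The thresholds (five distinct accounts and an 80% failure ratio within five minutes) are assumptions to tune against the traffic of the system being monitored; the point of keeping the successful `dave` login inside the flagged window is that it is the account to force a reset on first, since one success among many failures is exactly what a stuffing run against leaked logins produces. To use this on real data, replace `parse_line` with a parser for the identity provider's own log format and feed the blocklist from the IOC export rather than the hard-coded set.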

C2 IP BLOCKLIST · AbuseCH Feodo · Showing 5 of 5
| IP ADDRESS | PORT | STATUS | MALWARE | COUNTRY |
| 162.243.103.246 | 8080 | OFFLINE | Emotet | US |
| 50.16.16.211 | 443 | ONLINE | QakBot | US |
| 34.204.119.63 | 443 | OFFLINE | QakBot | US |
| 178.62.3.223 | 443 | OFFLINE | QakBot | GB |
| 27.133.154.218 | 443 | OFFLINE | QakBot | JP |

FULL IOC EXPORT — GOOGLE SHEET
All live IOCs with full SHA256 hashes (OTX), IPs, and domains. 2 tabs: C2 IPs · OTX IOCs. Updated daily. Export as CSV to import directly into your tools.

IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB