Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Security. Show all posts
new ransomware actors
cyber resilience Cyber Security Cyber Security Ransomware Attacks Cybersecurity measures Cybersecurity Policy new ransomware actors

UK May Enforce Partial Ransomware Payment Ban as Cyber Reforms Advance

Governments across the globe test varied methods to reduce cybercrime, yet outlawing ransomware payouts stands out as especially controversial. A move toward limiting such payments gains traction in the United Kingdom, suggests Jen Ellis, an expert immersed in shaping national responses to ransomware threats.  

Banning ransom payments might come soon in Britain, according to Ellis, who shares leadership of the Ransomware Task Force at the Institute for Security and Technology. While she expects this step, she warns against seeing it as a fix-all move. From her point of view, curbing victim payouts does little to reduce how often hackers strike - since offenders operate beyond such rules. Still, paying ransoms brings moral weight: those funds flow into networks built on digital crime. Though impact may be narrow, letting money change hands rewards illegal behavior. 

Now comes the part where Ellis anticipates UK authorities will boost their overall cybersecurity setup before touching payment rules. Lately, an upgraded Cyber Action Plan has emerged - this one reshapes goals meant to sharpen how the country prepares for and reacts to digital threats. Out in the open now, this document hints at a fresh push to overhaul national defenses online. 

A key new law now moving forward is the Cyber Security and Resilience Bill, having just reached its second parliamentary debate stage. Should it become law, stricter rules on disclosing breaches will apply, while monitoring weak points in supplier networks becomes compulsory for many businesses outside government. With these steps, clearer insight into digital threats emerges - alongside fewer large-scale dangers tied to external vendors. Though details remain under review, accountability shifts noticeably toward proactive defense. 

After advances in these efforts, according to Ellis, officials might consider limiting ransomware payments. Though unclear when or how broadly such limits would take effect, she anticipates they would not apply uniformly. It remains undecided if constraints would affect solely major entities, focus on particular sectors, or permit exceptions based on set conditions. Whether groups allowed to make payments must first gain authorization - especially to align with sanction rules - is also unsettled. 

In talking with the Information Security Media Group lately, Ellis touched on shifts in how ransomware groups operate. Not every group follows the same pattern - some now avoid extreme disruption, though outfits like Scattered Spider still stand out by acting boldly and unpredictably. Payment restrictions came up too, since they might reshape what both hackers and targeted organizations expect from these incidents. 

Working alongside security chiefs and tech firms, Ellis leads NextJenSecurity to deepen insight into digital threats. Her involvement extends beyond the private sector - advising UK government units like the Cabinet Office’s cyber panel. Institutions ranging from the Royal United Services Institute to the CVE Program include her in key functions. Engagement with policy experts and advocacy groups forms part of her broader effort to reshape how online risks are understood.
Read more »
North Korea
AI tools Cyber Security Google Lazarus Group North Korea

State-Backed Hackers Are Turning to AI Tools to Plan, Build, and Scale Cyber Attacks

 



Cybersecurity investigators at Google have confirmed that state-sponsored hacking groups are actively relying on generative artificial intelligence to improve how they research targets, prepare cyber campaigns, and develop malicious tools. According to the company’s threat intelligence teams, North Korea–linked attackers were observed using the firm’s AI platform, Gemini, to collect and summarize publicly available information about organizations and employees they intended to target. This type of intelligence gathering allows attackers to better understand who works at sensitive companies, what technical roles exist, and how to approach victims in a convincing way.

Investigators explained that the attackers searched for details about leading cybersecurity and defense companies, along with information about specific job positions and salary ranges. These insights help threat actors craft more realistic fake identities and messages, often impersonating recruiters or professionals to gain the trust of their targets. Security experts warned that this activity closely resembles legitimate professional research, which makes it harder for defenders to distinguish normal online behavior from hostile preparation.

The hacking group involved, tracked as UNC2970, is linked to North Korea and overlaps with a network widely known as Lazarus Group. This group has previously run a long-term operation in which attackers pretended to offer job opportunities to professionals in aerospace, defense, and energy companies, only to deliver malware instead. Researchers say this group continues to focus heavily on defense-related targets and regularly impersonates corporate recruiters to begin contact with victims.

The misuse of AI is not limited to one actor. Multiple hacking groups connected to China and Iran were also found using AI tools to support different phases of their operations. Some groups used AI to gather targeted intelligence, including collecting email addresses and account details. Others relied on AI to analyze software weaknesses, prepare technical testing plans, interpret documentation from open-source tools, and debug exploit code. Certain actors used AI to build scanning tools and malicious web shells, while others created fake online identities to manipulate individuals into interacting with them. In several cases, attackers claimed to be security researchers or competition participants in order to bypass safety restrictions built into AI systems.

Researchers also identified malware that directly communicates with AI services to generate harmful code during an attack. One such tool, HONESTCUE, requests programming instructions from AI platforms and receives source code that is used to build additional malicious components on the victim’s system. Instead of storing files on disk, this malware compiles and runs code directly in memory using legitimate system tools, making detection and forensic analysis more difficult. Separately, investigators uncovered phishing kits designed to look like cryptocurrency exchanges. These fake platforms were built using automated website creation tools from Lovable AI and were used to trick victims into handing over login credentials. Parts of this activity were linked to a financially motivated group known as UNC5356.

Security teams also reported an increase in so-called ClickFix campaigns. In these schemes, attackers use public sharing features on AI platforms to publish convincing step-by-step guides that appear to fix common computer problems. In reality, these instructions lead users to install malware that steals personal and financial data. This trend was first flagged in late 2025 by Huntress.

Another growing threat involves model extraction attacks. In these cases, adversaries repeatedly query proprietary AI systems in order to observe how they respond and then train their own models to imitate the same behavior. In one large campaign, attackers sent more than 100,000 prompts to replicate how an AI model reasons across many tasks in different languages. Researchers at Praetorian demonstrated that a functional replica could be built using a relatively small number of queries and limited training time. Experts warned that keeping AI model parameters secret is not enough, because every response an AI system provides can be used as training data for attackers.

Google, which launched its AI Cyber Defense Initiative in 2024, stated that artificial intelligence is increasingly amplifying the capabilities of cybercriminals by improving their efficiency and speed. Company representatives cautioned that as attackers integrate AI into routine operations, the volume and sophistication of attacks will continue to rise. Security specialists argue that defenders must adopt similar AI-powered tools to automate threat detection, accelerate response times, and operate at the same machine-level speed as modern attacks.


Read more »
Exposed Servers
breach servers Bypass Flaw CISA Cyber Security Cyber Vulnerabilities Data exposed data security email servers Exposed Servers

Shadowserver Finds 6,000 Exposed SmarterMail Servers Hit by Critical Flaw

 

Over six thousand SmarterMail systems sit reachable online, possibly at risk due to a serious login vulnerability, found by the nonprofit cybersecurity group Shadowserver. Attention grows as hackers increasingly aim for outdated corporate mail setups left unprotected.  


On January 8, watchTowr informed SmarterTools about the security weakness. Released one week later, the patch arrived before an official CVE number appeared. Later named CVE-2026-23760, its severity earned a top-tier rating because of how deeply intruders could penetrate systems. Critical access capabilities made this bug especially dangerous. 

A security notice logged in the NIST National Vulnerability Database points to an issue in earlier releases of SmarterMail - versions before build 9511. This flaw sits within the password reset API, where access control does not function properly. Instead of blocking unknown users, the force-reset-password feature accepts input without requiring proof of identity. Missing checks on both token validity and current login details create an open door. Without needing prior access, threat actors may trigger resets for admin accounts using only known usernames. Such exploitation grants complete takeover of affected systems. 

Attackers can take over admin accounts by abusing this weakness, gaining full access to vulnerable SmarterMail systems through remote code execution. Knowing just one administrator username is enough, according to watchTowr, making it much easier to carry out such attacks. 

More than six thousand SmarterMail servers are now under watch by Shadowserver, each marked as probably exposed. Across North America, over four thousand two hundred sit in this group. Almost a thousand others appear in Asia. Widespread risk emerges where patches remain unused. Organizations slow to update face higher chances of compromise. 

Scans showing over 8,550 vulnerable SmarterMail systems came to light through data provided by Macnica analyst Yutaka Sejiyama, reported to BleepingComputer. Though attackers continue targeting the flaw, response levels across networks vary widely - this uneven pace only adds weight to ongoing worries about delayed fixes.  

On January 21, watchTowr noted it had detected active exploitation attempts. The next day, confirmation came through Huntress, a cybersecurity company spotting similar incidents. Rather than isolated cases, what they saw pointed to broad, automated attacks aimed at exposed servers. 

Early warnings prompted CISA to list CVE-2026-23760 in its active threat database, requiring federal bodies across the U.S. to fix it before February 16. Because flaws like this often become entry points, security teams face rising pressure - especially when hostile groups exploit them quickly. Government systems, along with corporate networks, stand at higher risk once these weaknesses go public. 

On its own, Shadowserver noted close to 800,000 IP addresses showing open Telnet signatures during incidents tied to a serious authentication loophole in GNU Inetutils' telnetd - highlighting how outdated systems still connected to the web can widen security exposure.
Read more »
FIIG Securities
ASIC enforcement Cyber Security cybersecurity failures data breach Australia Federal Court penalty FIIG Securities

Federal Court Fines FIIG $2.5 Million for Major Cybersecurity Breaches; Schools Push Phone-Free Policies

 


Fixed income manager FIIG Securities has been ordered by the Federal Court to pay $2.5 million in penalties over serious cybersecurity shortcomings. The ruling follows findings that the firm failed to adequately safeguard client data over a four-year period, culminating in a significant cyberattack in 2023.

The breach impacted approximately 18,000 clients and resulted in the theft of around 385 gigabytes of sensitive data. Information exposed on the dark web included driver’s licences, passport details, bank account information and tax file numbers.

According to the court, between 13 March 2019 and 8 June 2023, FIIG failed to implement essential cybersecurity safeguards. These failures included insufficient allocation of financial and technological resources, lack of qualified cybersecurity personnel, absence of multi-factor authentication for remote access, weak password and privileged account controls, inadequate firewall and software configurations, and failure to conduct regular penetration testing and vulnerability scans.

The firm also lacked a structured software update process to address security vulnerabilities, did not have properly trained IT staff monitoring threat alerts, failed to provide mandatory cybersecurity awareness training to employees, and did not maintain or regularly test an appropriate cyber incident response plan.

In addition to the $2.5 million penalty, the court ordered FIIG to contribute $500,000 toward ASIC’s legal costs. The company must also undertake a compliance program, including appointing an independent expert to review and strengthen its cybersecurity and cyber resilience frameworks.

This marks the first instance in which the Federal Court has imposed civil penalties for cybersecurity breaches under general Australian Financial Services (AFS) licence obligations.

“FIIG admitted that it failed to comply with its AFS licence obligations and that adequate cyber security measures – suited to a firm of its size and the sensitivity of client data held – would have enabled it to detect and respond to the data breach sooner.

“It also admitted that complying with its own policies and procedures could have supported earlier detection and prevented some or all of the client information from being downloaded.”

ASIC deputy chair Sarah Court emphasised the regulator’s stance on cybersecurity compliance: “Cyber-attacks and data breaches are escalating in both scale and sophistication, and inadequate controls put clients and companies at real risk.

“ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn’t – and they put thousands of clients at risk.

“In this case, the consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place.”

Responding to the ruling, FIIG stated: “FIIG accepts the Federal Court’s ruling related to a cybersecurity incident that occurred in 2023 and will comply with all obligations. We cooperated fully throughout the process and have continued to strengthen our systems, governance and controls. No client funds were impacted, and we remain focused on supporting our clients and maintaining the highest standards of information security.”

ASIC Steps Up Cyber Enforcement

The case underscores ASIC’s growing focus on cybersecurity enforcement within the financial services sector.

In July 2025, ASIC initiated civil proceedings against Fortnum Private Wealth Limited, alleging failures to appropriately manage and mitigate cybersecurity risks. Earlier, in May 2022, the Federal Court determined that AFS licensee RI Advice had breached its obligations by failing to maintain adequate risk management systems to address cybersecurity threats.

The Court stated: “Clients entrust licensees with sensitive and confidential information, and that trust carries clear responsibilities.”

In its 2026 key priorities document, ASIC identified cyberattacks, data breaches and weak operational resilience as major risks capable of undermining market integrity and harming consumers.

“Digitisation, legacy systems, reliance on third parties, and evolving threat actor capability continue to elevate cyber risk in ASIC’s view. ASIC is urging directors and financial services license holders to maintain robust risk management frameworks, test their operational resilience and crisis responses, and address vulnerabilities with their third-party service providers.”

Smartphone Restrictions Gain Momentum in Schools

Separately, debate over smartphone use in schools continues to intensify as institutions adopt phone-free policies to improve learning outcomes and student wellbeing.

Addressing concerns about the cost and necessity of phone restrictions, one advocate explained:

"Yes it can seem an expensive way of keeping phones out of schools, and some people question why they can't just insist phones remain in a student's bag," he explains.

"But smartphones create anxiety, fixation, and FOMO - a fear of missing out. The only way to genuinely allow children to concentrate in lessons, and to enjoy break time, is to lock them away."

Supporters argue that schools introducing phone-free systems have seen tangible improvements.

"There have been notable improvements in academic performance, and headteachers also report reductions in bullying," he explains.

Vale of York Academy implemented phone pouches in November. Headteacher Gillian Mills told the BBC:

"It's given us an extra level of confidence that students aren't having their learning interrupted.

"We're not seeing phone confiscations now, which took up time, or the arguments about handing phones over, but also teachers are saying that they are able to teach."

The political landscape is also responding. Conservative leader Kemi Badenoch has pledged to enforce a nationwide smartphone ban in schools if elected, while the Labour government has opted to leave decisions to headteachers and launched a consultation on limiting social media access for under-16s.

As part of broader measures, Ofsted will gain authority to assess school phone policies, with ministers signalling expectations that schools become “phone-free by default”.

Some parents, however, prefer their children to carry phones for safety during travel.

"The first week or so after we install the system is a nightmare," he adds. "Kids refuse, or try and break the pouches open. But once they realise no-one else has a phone, most of them embrace it as a kind of freedom."

The broader societal debate continues as smartphone use expands alongside social media and AI-driven content ecosystems.

"We're getting so many enquiries now. People want to ban phones at weddings, in theatres, and even on film sets," he says.

"Effectively carrying a computer around in your hand has many benefits, but smartphones also open us up to a lot of misdirection and misinformation.

"Enforcing a break, especially for young people, has so many positives, not least for their mental health."

Dugoni believes society may be approaching a critical moment:

"We're getting close to threatening the root of what makes us human, in terms of social interaction, critical thinking faculties, and developing the skills to operate in the modern world," he explains.

Read more »
Network Attacks
AI technology AI threats Cyber Security Cyberattacks Digital Security Identity Theft Network Attacks

AI and Network Attacks Redefine Cybersecurity Risks on Safer Internet Day 2026

 

As Safer Internet Day 2026 approaches, expanding AI capabilities and a rise in network-based attacks are reshaping digital risk. Automated systems now drive both legitimate platforms and criminal activity, prompting leaders at Ping Identity, Cloudflare, KnowBe4, and WatchGuard to call for updated approaches to identity management, network security, and user education. Traditional defences are struggling against faster, more adaptive threats, pushing organisations to rethink protections across access, infrastructure, and human behaviour. While innovation delivers clear benefits, it also equips attackers with powerful tools, increasing risks for businesses, schools, and policymakers who fail to adapt.  

Ping Identity highlights a widening gap between legacy security models and modern AI operations. Systems designed for static environments are ill-suited to dynamic AI applications that operate independently and make real-time decisions. Alex Laurie, the company’s go-to-market CTO, explained that AI agents now behave like active users, initiating processes, accessing sensitive data, and choosing next steps without human prompts. Because their actions closely resemble those of real people, distinguishing between human and machine activity is increasingly difficult. Without proper oversight, these agents can introduce unpredictable risks and expand organisational attack surfaces. 

Laurie advocates moving beyond static credentials toward continuous, verified trust. Instead of assuming legitimacy after login, organisations should validate identity, intent, and context at every interaction. Access decisions must adapt in real time, guided by behaviour and current risk conditions. This approach enables AI innovation while protecting data and users in an environment filled with autonomous digital actors. 

Cloudflare also warns of AI’s dual-use nature. While it boosts efficiency, it accelerates cybercrime by making attacks faster, cheaper, and harder to detect. Pat Breen cited Australian data from 2024–25, when more than 1,200 cyber incidents required response, including a sharp rise in denial-of-service attacks. Such disruptions immediately impact essential services like healthcare, banking, education, transport, and government systems. Whether AI ultimately increases safety or risk depends on how quickly cyber defences evolve. 

KnowBe4’s Erich Kron stresses the importance of digital mindfulness as AI-generated content and deepfakes spread. Identifying fake content is no longer a technical skill but a basic life skill. Verifying information, protecting personal data, using strong authentication, and keeping software updated are critical habits for reducing harm. WatchGuard Technologies reports a shift away from malware toward network-focused attacks. 

Anthony Daniel notes that this trend reinforces the need for Zero Trust strategies that verify every connection. Safer Internet Day underscores that cybersecurity is a shared responsibility, strengthened through consistent, everyday actions.
Read more »
Offline Security
Air Gaps Black hat Cyber Security Data Leak Offline Security

Black Hat Researcher Proves Air Gaps Fail to Secure Data

 

Air gaps, long hailed as the ultimate defense for sensitive data, are under siege according to Black Hat researcher Mordechai Guri. In a compelling presentation, Guri demonstrated multiple innovative methods to exfiltrate information from supposedly isolated computers, shattering the myth of complete offline security. These techniques exploit everyday hardware components, proving that physical disconnection alone cannot guarantee protection in high-stakes environments like government and military networks.

Guri's BeatCoin malware turns computer speakers into covert transmitters, emitting near-ultrasonic sounds inaudible to humans but detectable by nearby smartphones up to 10 meters away. This allows private keys or other secrets to leak out effortlessly. Even disabling speakers fails, as Fansmitter modulates fan speeds to alter blade frequencies, creating acoustic signals receivable by listening devices within 8 meters. For scenarios without microphones, the Mosquito attack repurposes speakers as rudimentary microphones via GPIO manipulation, enabling ultrasonic data transmission between air-gapped machines.

Electromagnetic exploits further erode air-gap defenses. AirHopper manipulates monitor cables to radiate FM-band signals, capturable by a smartphone's built-in receiver. GSMem leverages CPU-RAM pathways to generate cellular-like transmissions detectable by basic feature phones, while USBee transforms USB ports into antennas for broad leakage. These methods highlight how standard peripherals become unwitting conduits for data escape.

Faraday cages, designed to block electromagnetic waves, offer no sanctuary either. Guri's ODINI attack generates low-frequency magnetic fields from CPU cores, penetrating these shields.PowerHammer goes further by inducing parasitic signals on building power lines, tappable by attackers monitoring electrical infrastructure.Such persistence underscores the vulnerability of even fortified setups.

While these attacks assume initial malware infection—often via USB or insiders—real-world precedents like Stuxnet validate the threat. Organizations must layer defenses with anomaly detection, hardware restrictions, and continuous monitoring beyond mere air-gapping. Guri's work urges a reevaluation of "secure" isolation strategies in an era of sophisticated side-channel threats.
Read more »
Solar Winds
Cloud Cyber Security Data RCE Solar Winds

SolarWinds Web Help Desk Compromised for RCE Multi Stage


SolarWinds compromised 

The threat actors used internet-exposed SolarWinds Web Help Desk (WHD) instances to gain initial access and then proceed laterally across the organization's network to other high-value assets, according to Microsoft's disclosure of a multi-stage attack. 

However, it is unclear if the activity used a previously patched vulnerability (CVE-2025-26399, CVSS score: 9.8) or recently revealed vulnerabilities (CVE-2025-40551, CVSS score: 9.8, and CVE-2025-40536, CVSS score: 8.1), according to the Microsoft Defender Security Research Team.

"Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold," the company said in the report. 

About the exploit

CVE-2025-40551 and CVE-2025-26399 both relate to untrusted data deserialization vulnerabilities that could result in remote code execution, and CVE-2025-400536 is a security control bypass vulnerability that might enable an unauthenticated attacker to access some restricted functionality.

Citing proof of active exploitation in the field, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551 to its list of known exploited vulnerabilities (KEVs) last week. By February 6, 2026, agencies of the Federal Civilian Executive Branch (FCEB) were required to implement the solutions for the defect. 

The impact 

The successful exploitation of the exposed SolarWinds WHD instance in the attacks that Microsoft discovered gave the attackers the ability to execute arbitrary commands within the WHD application environment and accomplish unauthenticated remote code execution.

Microsoft claimed that in at least one instance, the threat actors used a DCSync attack, in which they impersonated a Domain Controller (DC) and asked an Active Directory (AD) database for password hashes and other private data. 

What can users do?

Users are recommended to update WHD instances, identify and eliminate any unauthorized RMM tools, rotate admin and service accounts, and isolate vulnerable workstations to minimize the breach in order to combat the attack. 

"This activity reflects a common but high-impact pattern: a single exposed application can provide a path to full domain compromise when vulnerabilities are unpatched or insufficiently monitored," the creator of Windows stated.

Read more »
Smart TV Security
Android TV botnet Cyber Security IoT device hacking Ireland cyberattack warning Kimwolf botnet Smart TV Security

Urgent Alert for Irish Homes as Massive Cyberattacks Exploit Smart TVs and IoT Devices

 

An urgent cybersecurity alert has been issued to households across Ireland amid warnings of “large scale” cyberattacks that could compromise everyday home devices.

Grant Thornton Ireland has cautioned that devices such as Android TV boxes and TV streaming hardware are increasingly being leveraged in cyberattacks on a daily basis. The warning follows one of the largest Distributed Denial of Service (DDoS) attacks ever recorded, which occurred in November 2025.

Although the attack lasted only 35 seconds, it reached an unprecedented peak of 31.4 terabits per second. Investigations revealed that the assault was carried out by a botnet known as Kimwolf, largely made up of hijacked Android-powered televisions and TV streaming devices.

The attack was identified and mitigated by cybersecurity firm Cloudflare. However, security specialists warn that millions of low-cost, poorly secured devices remain vulnerable to infection and remote control by cybercriminals.

Experts at Grant Thornton highlighted that cyber risks are no longer limited to workplace systems. Instead, individuals are increasingly being targeted through commonly used household technology.

Once compromised, devices such as smart TVs or even smart lightbulbs can provide attackers with a gateway into a home network. From there, cybercriminals can gather personal information and launch more tailored phishing campaigns. Devices lacking proper security protections are considered the most vulnerable.

Cybersecurity Partner at Grant Thornton Ireland, Howard Shortt, said:
“Many people don’t realise that a low-cost Android TV box in their sitting room or a cheap smart lightbulb can be compromised in seconds.

“Once attackers gain access, they can use that device as part of a botnet or quietly profile the household to support more targeted and convincing phishing attacks.

“Attackers typically exploit default passwords, outdated software, or unpatched vulnerabilities in internet-connected devices and once inside a home network, can observe traffic patterns and build a profile of the household.

“That information allows criminals to engineer highly believable phishing messages.

“For example, posing as a streaming provider with a prompt to review a show you have just watched.

“At that point, the scam is no longer random and much more believable.”

Grant Thornton stressed that “the risk extends beyond TV devices” and warned that low-cost Internet of Things (IoT) gadgets are becoming increasingly common in Irish homes, often with minimal built-in security.

Shortt urged households to take a proactive stance on home cybersecurity, recommending “basic steps such as changing default passwords on all smart devices and routers”.

He also advised consumers to purchase devices only from reputable brands and trusted vendors to reduce the risk of compromise.

Read more »
Online Payments
Blockchain Blockchain Payments Blockchain Technology Cyber Security Digital Payment Digital payment system Online Payments

How HesabPay and Algorand Are Enabling Humanitarian Aid and Financial Inclusion in Afghanistan

A sudden shift unfolded across Afghanistan once American and NATO troops left in August 2021. Power structures backed by Washington vanished almost overnight; chaos spread quickly through regions. Instead, authority shifted back into the hands of the Taliban - two decades after their last rule ended. Hardship deepened ever since, turning daily life into struggle for millions. Among the worst humanitarian emergencies today, the nation battles crippling poverty, hunger that reaches far, along with frozen financial systems. 

Right now, about 97 out of every 100 people in Afghanistan survive on less than what is considered a basic living standard. Close to twenty million individuals - half the country's residents - face severe shortages in reliable access to meals, reports the UN’s food aid agency. Over a million kids younger than five endure ongoing lack of proper nutrition, their growth stunted by months without balanced diets. While some manage to stay alive, future well-being frequently remains compromised due to lasting physical strain. When circumstances reach this level, outside help isn’t just helpful - it becomes something people depend on simply to continue breathing. 

Hardship deepens as economic strains mount. Drought drags on, world food costs climb, while aid linked to departing troops vanishes overnight - wrecking ways people earn a living. Few jobs exist; instead, each day brings another test just to stay alive for countless Afghan families. 

With sanctions in place, overseas funds locked up, banks barely functioning, yet cash hard to find, money flows have shrunk sharply nationwide. Because of these pressures, large numbers rely on support from global bodies like the WFP, UNICEF, along with key NGOs. Even so, amid ongoing challenges, a local tech venture named HesabPay introduced a digital payment system using Algorand's blockchain, aiming to send assistance straight to people. 

A digital form of the Afghan Afghani, supported by real money held in bank accounts, is released by HesabPay. Built on the Algorand blockchain, it handles transfers efficiently. Even without smartphones, people move money thanks to compatibility with basic handsets. Payments happen daily - for food, phone credit, power charges - without delays. Changing paper notes into electronic value takes place at local centers run by HesabPay. These spots stretch across every province, reaching distant regions others miss. Access stays open regardless of location because of this spread. 

A single QR card connects each user to their account, helping those without phones join easily. When someone pays, shops scan the code while confirmation comes via text message - no tech skills needed. Backing it up, checks grow stricter step by step: identity verified, banned parties screened, transactions watched using shared ledger tracking to block fraud before it spreads. With a network now reaching 400,000 individuals and 3,000 businesses across the country, HesabPay has handled close to 4.5 million transactions so far. 

Running on Algorand’s blockchain technology, it keeps transaction costs minimal - often zero - for consumers at storefronts. When assistance flows straight into the hands of women, results shift noticeably; household stability strengthens, community wellbeing rises. Efficiency isn’t the only outcome here. 

Now imagine a tool that quietly reshapes aid delivery - HesabPay does exactly that by using blockchain to build systems that grow easily, stay clear, and include more people. Where banks vanish or never existed, alternatives like this prove digital setups can reopen doors to basic needs while returning respect to those often left behind.
Read more »
Data Theft
Business Cyber Breaches Cyber Security Cybersecurity Data Theft

Cybersecurity Breaches Emerge as top Business Risk for Indian Companies

 


Cybersecurity breaches and attacks have become the leading threat to business performance for Indian companies, with 51% of senior executives identifying them as their primary risk, according to a new survey released by FICCI and EY. 

The FICCI-EY Risk Survey 2026 ranked changing customer expectations and geopolitical developments as the next most significant risks, flagged by 49% and 48% of respondents respectively. 

The findings point to a business environment where technology, regulation and external shocks are increasingly interconnected. 

The survey, conducted through a web-based questionnaire, gathered responses from 137 senior decision-makers, including CXOs, across multiple sectors. 

Technology firms accounted for the largest share of respondents, followed by professional services companies. According to the report, technology-related risks are now closely tied to operational continuity and resilience. 

About 61% of respondents said rapid technological change and digital disruption are affecting their competitive position, while an equal proportion cited cyber-attacks and data breaches as major financial and reputational threats. 

More than half of those surveyed, 57%, flagged risks related to data theft and insider fraud, and 47% said they face difficulties in countering increasingly sophisticated cyber threats. 

Artificial intelligence emerged as a dual risk area. While 60% of executives said inadequate adoption of emerging technologies, including AI, could weaken operational effectiveness, 54% said risks linked to AI ethics and governance are not being managed effectively. 

“In a business environment shaped by volatility, the ability to anticipate, absorb and adapt to risk is emerging as a defining capability for sustained growth,” said Rajeev Sharma, chair of the FICCI Committee on Corporate Security and Disaster Risk Reduction. 

He added that organisations are increasingly embedding risk considerations into strategic decision-making rather than treating them as isolated events. 

The survey also highlighted workforce-related concerns. Nearly two-thirds of respondents said talent shortages and skill gaps could hurt organisational performance, while 59% pointed to weak succession planning as a risk to long-term stability. 

Regulatory change remains another pressure point. About 67% of executives said regulatory developments need to be addressed proactively, while 40% acknowledged that existing compliance frameworks struggle to keep pace with evolving rules. 

Climate and environmental, social and governance risks are also translating into financial exposure. Around 45% of respondents cited climate-related financial impacts as a critical operational risk, and 44% said non-compliance with ESG disclosure requirements could significantly affect business outcomes. 

Supply chain disruptions continue to weigh on corporate planning, with 54% of leaders identifying them as a risk to operational and business continuity. 

“Organisations are navigating a phase where multiple risks are converging rather than occurring in isolation,” said Sudhakar Rajendran, risk consulting leader at EY India, pointing to the combined impact of inflation, cyber threats, AI governance, climate exposure and regulatory change on corporate resilience.
Read more »
Students
AI Cyber Security entrepreneurs founders Healthcare new startup Stanford University Students

Student Founders Establish Backed Program to Help Peers Build Startups

 



Two students affiliated with Stanford University have raised $2 million to expand an accelerator program designed for entrepreneurs who are still in college or who have recently graduated. The initiative, called Breakthrough Ventures, focuses on helping early-stage founders move from rough ideas to viable businesses by providing capital, guidance, and access to professional networks.

The program was created by Roman Scott, a recent graduate, and Itbaan Nafi, a current master’s student. Their work began with small-scale demo days held at Stanford in 2024, where student teams presented early concepts and received feedback. Interest from participants and observers revealed a clear gap. Many students had promising ideas but lacked practical support, legal guidance, and introductions to investors. The founders then formalized the effort into a structured accelerator and raised funding to scale it.

Breakthrough Ventures aims to address two common obstacles faced by student founders. First, early funding is difficult to access before a product or revenue exists. Second, students often do not have reliable access to mentors and industry networks. The program responds to both challenges through a combination of financial support and hands-on assistance.

Selected teams receive grant funding of up to $10,000 without giving up ownership in their companies. Participants also gain access to legal support and structured mentorship from experienced professionals. The program includes technical resources such as compute credits from technology partners, which can lower early development costs for startups building software or data-driven products. At the end of the program, founders who demonstrate progress may be considered for additional investment of up to $50,000.

The accelerator operates through a hybrid format. Founders participate in a mix of online sessions and in-person meetups, and the program concludes with a demo day at Stanford, where teams present their progress to potential investors and collaborators. This structure is intended to keep participation accessible while still offering in-person exposure to the startup ecosystem.

Over the next three years, the organizers plan to deploy the $2 million fund to support at least 100 student-led companies across areas such as artificial intelligence, healthcare, consumer products, sustainability, and deep technology. By targeting founders at an early stage, the program aims to reduce the friction between having an idea and building a credible company, while promoting responsible, well-supported innovation within the student community.

Read more »
Cyberspace Threats
AI Security AI technology Cyber Protection Cyber Security Cybersecurity Strategy Cyberspace Cyberspace Threats

US Cybersecurity Strategy Shifts Toward Prevention and AI Security

 

Early next month, changes to how cyber breaches are reported will begin to surface, alongside a broader shift in national cybersecurity planning. Under current leadership, federal teams are advancing a more proactive approach to digital defense, focusing on risks posed by hostile governments and increasingly complex cyber threats. Central to this effort is stronger coordination across agencies, updated procedures, and shared responsibility models rather than reliance on technology upgrades alone. Officials emphasize resilience, faster implementation timelines, and adapting safeguards to keep pace with rapidly evolving technologies. 

At the Information Technology Industry Council’s Intersect Summit, White House National Cyber Director Sean Cairncross previewed an upcoming national cybersecurity strategy expected to be released soon. While details remain limited, the strategy is built around six pillars, including shaping adversary behavior in cyberspace. The aim is to move away from reactive responses and toward reducing incentives for cybercrime and state-backed attacks. Prevention, rather than damage control, is driving the update, with layered actions and long-term thinking guiding near-term decisions. Much of the work happens behind the scenes, with success measured by systems that remain secure. 

Cairncross noted that cyber harm often occurs before responses begin. The updated approach targets a wide range of threats, including nation states, state-linked criminal groups, ransomware actors, and fraud operations. By reshaping the digital environment, officials hope to make cybercrime less profitable and less attractive. This philosophy now sits at the core of federal cybersecurity policy. 

Another pillar focuses on refining the regulatory environment through closer collaboration with industry. Instead of rigid compliance checklists, officials want cybersecurity rules aligned with real-world threats and operational realities. According to Cairncross, effective oversight depends on adaptability and practicality, ensuring regulations support security outcomes rather than burden organizations unnecessarily. 

Additional priorities include modernizing and securing federal IT systems, protecting critical infrastructure such as power and transportation networks, maintaining leadership in emerging technologies like artificial intelligence, and addressing shortages in skilled cyber professionals. Officials are under pressure to deliver visible progress quickly, given political time constraints. Meanwhile, the Cybersecurity and Infrastructure Security Agency is preparing updates to the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA. Although Congress passed the law in 2022, it will not take effect until final rules are issued. 

Once implemented, organizations across 16 critical infrastructure sectors must report significant cyber incidents to CISA within 72 hours. Nick Andersen, CISA’s executive assistant director for cybersecurity, said clarification on the rules could arrive within weeks. Until then, reporting remains voluntary. CISA released a proposed CIRCIA rule in early 2024, estimating it would apply to roughly 316,000 entities. Industry groups and some lawmakers criticized the proposal as overly broad and raised concerns about overlapping reporting requirements. They have urged CISA to better align CIRCIA with existing federal and sector-specific disclosure mandates. 

Originally expected in October 2025, the final rules are now delayed until May 2026. Some Republicans, including House Homeland Security Committee Chairman Andrew Garbarino, are calling for an ex parte process to allow direct industry feedback. Andersen also discussed progress on establishing an AI Information Sharing and Analysis Center, or AI-ISAC, outlined in the administration’s AI Action Plan. The proposed group would facilitate sharing AI-related threat intelligence across critical infrastructure sectors. He stressed the importance of avoiding fragmented public and private efforts and ensuring coordination from the outset as AI adoption accelerates. 

Separately, the Office of the National Cyber Director is developing an AI security policy framework. Cairncross emphasized that security must be built into AI systems from the start, not added later, as AI becomes embedded in essential services and daily life. Uncertainty remains around a replacement for the Critical Infrastructure Partnership Advisory Council, which DHS disbanded last year. A successor body, potentially called the Alliance of National Councils for Homeland Operational Resilience, or ANCHOR, is under consideration. Andersen said the redesign aims to address past shortcomings, including limited focus on cybersecurity and inflexible structures that restricted targeted collaboration.
Read more »
Unit 42 report
cyber espionage Cyber Security government network breach Shadow Campaigns state-sponsored cyber attack Unit 42 report

Shadow Campaigns: Asia-Linked Espionage Group Breaches Government and Critical Infrastructure Networks Worldwide

 

A state-backed cyber espionage group has infiltrated dozens of government and critical infrastructure networks across 37 countries as part of a global operation known as “Shadow Campaigns.”

During November and December of last year, the threat actor also carried out large-scale reconnaissance against government-linked entities spanning 155 countries, significantly expanding its intelligence-gathering footprint.

Researchers from Palo Alto Networks’ Unit 42 report that the group has been operational since at least January 2024 and is believed, with high confidence, to be based in Asia. Until firm attribution is established, the actor is being tracked under the identifiers TGR-STA-1030/UNC6619.

The Shadow Campaigns activity has primarily targeted government ministries and agencies involved in law enforcement, border security, finance, trade, energy, mining, immigration, and diplomacy. Unit 42 confirmed successful compromises of at least 70 government and critical infrastructure organizations across 37 nations.

Impacted entities include organizations handling trade policy, geopolitical affairs, and election-related matters in the Americas; ministries and parliamentary bodies across several European countries; Australia’s Treasury Department; and multiple government and infrastructure organizations in Taiwan. Researchers noted that the selection of targets and timing appeared to align closely with region-specific political or economic events.

According to Unit 42, the group intensified scanning activity during the U.S. government shutdown in October 2025, focusing on entities across North, Central, and South America, including Brazil, Canada, the Dominican Republic, Guatemala, Honduras, Jamaica, Mexico, Panama, and Trinidad and Tobago.

Particularly notable was extensive reconnaissance against “at least 200 IP addresses hosting Government of Honduras infrastructure” just one month ahead of the country’s national elections, a period marked by political discussions around restoring diplomatic relations with Taiwan.

Unit 42 assessed that confirmed compromises included Brazil’s Ministry of Mines and Energy, a Bolivian mining-related entity, two Mexican ministries, government infrastructure in Panama, and an IP address linked to a Venezolana de Industria Tecnológica facility. Additional victims spanned government entities across Cyprus, Czechia, Germany, Greece, Italy, Poland, Portugal, and Serbia, along with an Indonesian airline, several Malaysian ministries, a Mongolian law enforcement organization, a major Taiwanese power equipment supplier, and a Thai government department likely associated with economic and trade data. Critical infrastructure organizations across multiple African nations were also affected.

The researchers further believe the actor attempted SSH connections to systems associated with Australia’s Treasury Department, Afghanistan’s Ministry of Finance, and Nepal’s Office of the Prime Minister and Council of Ministers. Beyond confirmed breaches, evidence suggests widespread reconnaissance and intrusion attempts in numerous other countries.

Unit 42 also observed scanning of Czech government infrastructure, including systems tied to the army, police, parliament, and several ministries. The group attempted to access European Union infrastructure as well, targeting over 600 IP addresses hosting *.europa.eu domains. In July 2025, Germany was a focal point, with connection attempts made to more than 490 government-hosted IP addresses.

Early stages of the campaign relied heavily on spear-phishing emails crafted specifically for government officials. These messages often referenced internal ministry restructuring to increase credibility.

The phishing emails contained links to malicious archives hosted on Mega.nz, using localized file names. Inside the archives were a malware loader called Diaoyu and a zero-byte PNG file named pic1.png. Unit 42 found that Diaoyu could retrieve Cobalt Strike payloads and the VShell framework for command-and-control operations, but only after passing several analysis-evasion checks.

“Beyond the hardware requirement of a horizontal screen resolution greater than or equal to 1440, the sample performs an environmental dependency check for a specific file (pic1.png) in its execution directory,” the researchers say.

They explained that the empty image file acts as an integrity check, causing the malware to terminate if the file is missing. To further avoid detection, the loader scans for active processes linked to security tools such as Kaspersky, Avira, Bitdefender, Sentinel One, and Norton.

In addition to phishing, the group exploited at least 15 known vulnerabilities to gain initial access, targeting flaws in SAP Solution Manager, Microsoft Exchange Server, D-Link products, and Microsoft Windows.

New Linux Rootkit Discovered


The Shadow Campaigns toolkit includes multiple webshells—such as Behinder, Godzilla, and Neo-reGeorg—as well as tunneling tools like GO Simple Tunnel (GOST), Fast Reverse Proxy Server (FRPS), and IOX.

Researchers also uncovered a previously undocumented Linux kernel eBPF rootkit named ShadowGuard, believed to be exclusive to TGR-STA-1030/UNC6619.

“eBPF backdoors are notoriously difficult to detect because they operate entirely within the highly trusted kernel space,” the researchers explain.
“This allows them to manipulate core system functions and audit logs before security tools or system monitoring applications can see the true data.”

ShadowGuard hides malicious processes at the kernel level, concealing up to 32 process IDs from standard Linux monitoring utilities through syscall interception. It can also obscure files and directories named swsecret, while allowing operators to specify which processes remain visible.

The campaign’s infrastructure relies on victim-facing servers hosted with legitimate VPS providers in the U.S., Singapore, and the UK, combined with relay servers, residential proxies, and Tor for traffic obfuscation. Researchers noted the use of deceptive command-and-control domains designed to appear familiar to targets, including region-specific top-level domains.

"It’s possible that the domain name could be a reference to 'DOGE Jr,' which has several meanings in a Western context, such as the U.S. Department of Government Efficiency or the name of a cryptocurrency," the researchers explain.

Unit 42 concludes that TGR-STA-1030/UNC6619 is a highly capable espionage actor focused on gathering strategic, economic, and political intelligence, with a proven record of impacting government entities worldwide. The full report includes indicators of compromise (IoCs) to assist defenders in identifying and blocking related activity.
Read more »
Software
cyber espionage Cyber Phishing Cyber Security Government Linux Kernel organisations Software

Dozens of Government and Infrastructure Networks Breached in Global Espionage Campaign



Security researchers have identified a previously undocumented cyber espionage group that infiltrated at least 70 government and critical infrastructure organizations across 37 countries within the past year. The same activity cluster also conducted wide-scale scanning and probing of government-related systems connected to 155 countries between November and December 2025, indicating a broad intelligence collection effort rather than isolated attacks.

The group is tracked as TGR-STA-1030, a temporary designation used for actors assessed to operate with state-backed intent. Investigators report evidence of activity dating back to January 2024. While no specific country has been publicly confirmed as the sponsor, technical indicators suggest an Asian operational footprint. These indicators include the services and tools used, language and configuration preferences, targeting patterns tied to regional interests, and working hours consistent with the GMT+8 time zone.


Who was targeted and what was taken

Confirmed victims include national law enforcement and border agencies, finance ministries, and departments responsible for trade, natural resources, and diplomatic affairs. In several intrusions, attackers maintained access for months. During these periods, sensitive data was taken from compromised email servers, including financial negotiations, contract material, banking information, and operational details linked to military or security functions.


How the intrusions worked

The initial entry point commonly involved phishing messages that led recipients to download files hosted on a legitimate cloud storage service. The downloaded archive contained a custom loader and a decoy file. The malware was engineered to avoid automated analysis by refusing to run unless specific environmental conditions were met, including a required screen resolution and the presence of the decoy file. It also checked for the presence of selected security products before proceeding.

Once active, the loader retrieved additional components disguised as image files from a public code repository. These components were used to deploy a well known command and control framework to manage compromised systems. The repository linked to this activity has since been taken down.

Beyond phishing, the group relied on known vulnerabilities in widely used enterprise and network software to gain initial access. There is no indication that previously unknown flaws were used. After entry, the attackers employed a mix of command and control tools, web shells for remote access, and tunneling utilities to move traffic through intermediary servers.

Researchers also observed a Linux kernel level implant that hides processes, files, and network activity by manipulating low level system functions. This tool concealed directories with a specific name to avoid detection. To mask their operations, the attackers rented infrastructure from legitimate hosting providers and routed traffic through additional relay servers.

Analysts assess that the campaign focuses on countries with active or emerging economic partnerships of interest to the attackers. The scale, persistence, and technical depth of these operations highlight ongoing risks to national security and essential public services, and reinforce the need for timely patching, email security controls, and continuous monitoring across government networks. 

Read more »
Orchid security
Audit Cyber Security IAM identity Online Authentication Orchid security

Orchid Security Launches Tool to Monitor Identity Behavior Across Business Applications

 



Modern organizations rely on a wide range of software systems to run daily operations. While identity and access management tools were originally designed to control users and directory services, much of today’s identity activity no longer sits inside those centralized platforms. Access decisions increasingly happen inside application code, application programming interfaces, service accounts, and custom login mechanisms. In many environments, credentials are stored within applications, permissions are enforced locally, and usage patterns evolve without formal review.

As a result, substantial portions of identity activity operate beyond the visibility of traditional identity, privileged access, and governance tools. This creates a persistent blind spot for security teams. The unseen portion of identity behavior represents risk that cannot be directly monitored or governed using configuration-based controls alone.

Conventional identity programs depend on predefined policies and system settings. These approaches work for centrally managed user accounts, but they do not adequately address custom-built software, legacy authentication processes, embedded secrets, non-human identities such as service accounts, or access routes that bypass identity providers. When these conditions exist, teams are often forced to reconstruct how access occurred after an incident or during an audit. This reactive process is labor-intensive and does not scale in complex enterprise environments.

Orchid Security positions its platform as a way to close this visibility gap through continuous identity observability across applications. The platform follows a four-part operational model designed to align with how security teams work in practice.

First, the platform identifies applications and examines how identity is implemented within them. Lightweight inspection techniques review authentication methods, authorization logic, and credential usage across both managed and unmanaged systems. This produces an inventory of applications, identity types, access flows, and embedded credentials, establishing a baseline of how identity functions in the environment.

Second, observed identity activity is evaluated in context. By linking identities, applications, and access paths, the platform highlights risks such as shared or hardcoded secrets, unused service accounts, privileged access that exists outside centralized controls, and differences between intended access design and real usage. This assessment is grounded in what is actually happening, not in what policies assume should happen.

Third, the platform supports remediation by integrating with existing identity and security processes. Teams can rank risks by potential impact, assign ownership to the appropriate control teams, and monitor progress as issues are addressed. The goal is coordination across current controls rather than replacement.

Finally, because discovery and analysis operate continuously, evidence for governance and compliance is available at all times. Current application inventories, records of identity usage, and documentation of control gaps and corrective actions are maintained on an ongoing basis. This shifts audits from periodic, manual exercises to a continuous readiness model.

As identity increasingly moves into application layers, sustained visibility into how access actually functions becomes essential for reducing unmanaged exposure, improving audit preparedness, and enabling decisions based on verified operational data rather than assumptions.

Read more »
Liquidity Pool
Cyber Security Finance Sector Financial Loss Flash Loan Flash Loan Attack Illicit Trade Liquidity Pool

Makina Finance Loses $4M in ETH After Flash Loan Price Manipulation Exploit

 

One moment it was operating normally - then suddenly, price feeds went haywire. About 1,299 ETH vanished during what looked like routine activity. That sum now exceeds four million dollars in value. The trigger? A flash loan attack targeting Makina Finance, built on Ethereum. Not a hack of code - but an economic twist inside the system. Security teams such as PeckShield traced moves across the DUSD–DUSDC liquidity pool. Borrowed funds flooded in, shifting valuations without breaking access rules. Prices bent under pressure from artificial trades. Afterward, profits drained off-chain. What stayed behind were distorted reserves and puzzled users. No stolen keys. No failed signatures. Just manipulation riding allowed functions too far. 

The exploit started, researchers say, with a $280 million flash loan taken in USDC. Of that amount, roughly $170 million went toward distorting data from the MachineShareOracle, which sets values for the targeted liquidity pool. With prices artificially raised, trades worth around $110 million passed through the system - leaving over 1,000 ETH missing afterward. What happened fits a known pattern: manipulating value via temporary shifts in market depth. Since Makina's setup depended on immediate price points, sudden influxes of borrowed funds were enough to warp them. Inserting capital, pushing valuations up, then pulling assets out while gains lasted exposed a flaw built into how prices are calculated.  

Even though the exploit worked, the hacker did not receive most of the stolen money. A different actor, an MEV builder, stepped in ahead during the draining transaction and took nearly all the ETH pulled out. According to PeckShield, this twist could make getting back the assets more likely. Yet, there has been no public word from Makina on whether they have reached out to - or even found - the MEV searcher responsible. 

After reviewing what happened, Makina explained the vulnerability only touched its DUSD–DUSDC Curve pool, leaving everything else untouched. Security measures kicked in across all Machines - its smart vault network - as checks continue into how deep the effects go. To stay safe, users putting liquidity in that specific pool got a heads-up to pull out whatever they had left. More details will come once the team learns more through their ongoing review. 

Not long ago, flash loan attacks started showing up more often in DeFi. By October, the Bunni exchange closed for good following one such incident - $8.4 million vanished fast. Its team said restarting safely would mean spending too much on checks and oversight. Just weeks before, another hit struck Shibarium, a layer-two system. That breach pulled out $2.4 million in value almost instantly. 

Even so, wider trends hint at slow progress. Chainalysis notes that losses tied to DeFi stayed modest in 2025, though value held in decentralized systems climbed back near earlier peaks. Despite lingering dangers from flash loans, safeguards within the space seem to be growing more resilient over time.
Read more »
Zero Trust Security
authentication failure authorization systems cloud outages cloud resilience Cyber Security Identity Security Zero Trust Security

Why Cloud Outages Turn Identity Systems into a Critical Business Risk

 

Recent large-scale cloud outages have become increasingly visible. Incidents involving major providers like AWS, Azure, and Cloudflare have disrupted vast portions of the internet, knocking critical websites and services offline. Because so many digital platforms are interconnected, these failures often cascade, stopping applications and workflows that organizations depend on daily.

For everyday users, the impact usually feels like a temporary annoyance—difficulty ordering food, streaming shows, or accessing online tools. For enterprises, the consequences are far more damaging. If an airline’s reservation platform goes down, every minute of downtime can mean lost bookings, revenue leakage, reputational harm, and operational chaos.

These events make it clear that cloud failures go well beyond compute and networking issues. One of the most vulnerable—and business-critical—areas affected is identity. When authentication or authorization systems fail, the problem is no longer simple downtime; it becomes a fundamental operational and security crisis.

Cloud Infrastructure as a Shared Failure Point

Cloud providers are not identity platforms themselves, but modern identity architectures rely heavily on cloud-hosted infrastructure and shared services. Even if an identity provider remains technically operational, disruptions elsewhere in the stack can break identity flows entirely.
  • Organizations commonly depend on the cloud for essential identity components such as:
  • Databases storing directory and user attribute information
  • Policy and authorization data stores
  • Load balancers, control planes, and DNS services
Because these elements are shared, a failure in any one of them can completely block authentication or authorization—even when the identity service appears healthy. This creates a concealed single point of failure that many teams only become aware of during an outage.

Identity as the Universal Gatekeeper

Authentication and authorization are not limited to login screens. They continuously control access for users, applications, APIs, and services. Modern Zero Trust architectures are built on the principle of “never trust, always verify,” and that verification is entirely dependent on identity system availability.

This applies equally to people and machines. Applications authenticate repeatedly, APIs validate every request, and services constantly request tokens to communicate with each other. When identity systems are unavailable, entire digital ecosystems grind to a halt.

As a result, identity-related outages pose a direct threat to business continuity. They warrant the highest level of incident response, supported by proactive monitoring across all dependent systems. Treating identity downtime as a secondary technical issue significantly underestimates its business impact.

Modern authentication goes far beyond checking a username and password—or even a passkey, as passwordless adoption grows. A single login attempt often initiates a sophisticated chain of backend operations.

Typically, identity systems must:
  • Retrieve user attributes from directories or databases
  • Maintain session state
  • Generate access tokens with specific scopes, claims, and attributes
  • Enforce fine-grained authorization through policy engines
Authorization decisions may occur both when tokens are issued and later, when APIs are accessed. In many architectures, APIs must also authenticate themselves before calling downstream services.

Each step relies on underlying infrastructure components such as datastores, policy engines, token services, and external integrations. If any part of this chain fails, access can be completely blocked—impacting users, applications, and critical business processes.

Why High Availability Alone Falls Short

High availability is essential, but on its own it is often insufficient for identity systems. Traditional designs usually rely on regional redundancy, with a primary deployment backed up by a secondary region. When one region fails, traffic shifts to the other.

This strategy offers limited protection when outages affect shared or global services. If multiple regions depend on the same control plane, DNS service, or managed database, a regional failover does little to improve resilience. In such cases, both primary and backup systems can fail simultaneously.

The result is an identity architecture that looks robust in theory but collapses during widespread cloud or platform-level disruptions.

True resilience requires intentional design. For identity systems, this may involve reducing reliance on a single provider or failure domain through multi-cloud deployments or carefully managed on-premises options that remain reachable during cloud degradation.

Planning for partial failure is equally important. Completely denying access during outages causes maximum business disruption. Allowing constrained access—using cached attributes, precomputed authorization decisions, or limited functionality—can significantly reduce operational and reputational damage.

Not all identity data demands identical availability guarantees. Some attributes or authorization sources may tolerate lower resilience, as long as those decisions are made deliberately and aligned with business risk.

Ultimately, identity platforms must be built to fail gracefully. Infrastructure outages are unavoidable; access control should degrade in a controlled, predictable manner rather than collapse entirely.
Read more »
Zero Trust Identity
Cyber Security Cybersecurity Risk Management Enterprise Identity Management IAM Security Identity Control Plane Identity Dark Matter Identity First Security Identity Observability Zero Trust Identity

Orchid Security Debuts Continuous Identity Observability Platform


 

Over the past two decades, organizations have steadily expanded their identity security portfolios, layering IAM, IGA, and PAM to deploy access control at scale. However, identity-driven breaches continue to grow in both frequency and impact despite this sustained investment.

It has been argued that the failure of this system is not the result of weak policy design or inadequate standards, but rather of the widening gap between how the identity system is governed on paper and how access actually works in reality. 

Currently, enterprise environments contain a large number of unmanaged identity artifacts, including local system accounts, legacy authentication mechanisms, orphaned service principals, embedded API keys, and application-specific entitlements, that are inaccessible to centralized controls or cannot be accessed. 

These factors constitute Identity Dark Matter, an attack surface that adversaries increasingly exploit to bypass SSO, sidestep MFA, move laterally across systems, and escalate privileges without triggering conventional identity alerts. As a result of this work, Identity Dark Matter is not merely viewed as a risk category, but as a structural defect in existing identity architectures as a whole.

The new identity control plane proposes a method of reconciling intended access policies with effective, real-world authorization by correlating runtime telemetry with contextual identity signals and automating remediation across managed and unmanaged identities. 

Amidst this shift toward identity-centered security models, Orchid Security has been formally recognized as a Cool Vendor by Gartner in its 2025 report on Cool Vendors in Identity-First Security, highlighting its growing significance in redefining enterprise identity infrastructure.

Orchid has been recognized as one of a select group of vendors that address real-time security exposure and threat mitigation in increasingly perimeterless environments while maintaining compatibility with existing IAM infrastructures. As cloud adoption and API-driven architectures increase, network-bound security models become obsolete, elevating identity as the primary control plane for modern security architectures, according to Gartner's analysis.

Orchid is positioned as an innovative identity infrastructure provider by utilizing artificial intelligence and machine learning analytics to continuously correlate identity data, identify coverage gaps that are often overlooked during traditional IAM deployments and onboardings, and provide comprehensive observability across the application ecosystems. 

Moreover, Gartner reports that Orchid's emphasis on orchestration and fabric-level visibility enables enterprises to enhance their security posture while simultaneously supporting automated operations, positioning the platform as a unique solution capable of ensuring identity risk compliance across diverse and evolving enterprise environments with precision, scalability, and compliance. 

The traditional identity platforms are mainly designed around static configuration data and predefined policy models, which allows them to be implemented in a very limited number of domains, however their effectiveness is usually limited to well-governed, human-centric identities. 

When applied to the realities of modern enterprise environments, where custom applications are being developed, legacy authentication mechanisms are being used, credentials are embedded, non-human identity is still prevalent, and access paths do not bypass centralized identity providers, these approaches fall short. In consequence, security teams are often forced to conduct reactive analysis, reconstructing identity behavior retrospectively during audits or investigations conducted as a result of these incidents. 

It is inherently unsustainable at scale, as it relies on inference instead of continuous visibility into the utilization of identities within applications and services. To address this structural gap, Orchid Security has developed an identity observability model that aligns with the real-world security operations environment. A four-stage platform consists of four stages: discovery, analysis, orchestration, and auditing. 

The platform begins by identifying how identities are used inside applications in a direct manner, followed by an audit. With Orchid's lightweight instrumentation, we examine both managed and unmanaged environments at a high level in regards to authentication methods, authorization logic and credential handling. The goal of this process is to produce a comprehensive, runtime-driven inventory of applications, services, identity types, authentication flows, and embedded credentials that enables us to create an accurate baseline of identity activity. 

By correlating identities, applications, and access paths, Orchid analyzes identity behavior in context, identifying material risk indicators such as shared or hardcoded credentials, orphaned service accounts, privileged access outside the realm of Identity and Access Controls, as well as drift between desired policy and effective access. 


Identity-centric defense has evolved in alignment with Gartner's assessment that the accelerated adoption of digital transformation, cloud computing, remote work, API-driven architectures, and API-driven architectures have fundamentally undermined perimeter-based security, requiring the adoption of identity-first security as an integral part of enterprise protection.

With the advent of artificial intelligence and large language models within this emerging paradigm for identity and access management, a more dynamic and context-aware approach is now possible, capable of identifying systemic blind spots, latent exposure, and misconfigurations that are normally missed by static, rule-based systems. This technology enables stronger security outcomes while reducing operational friction through automation by continuously analyzing identity flows and enforcing policy according to real-time context. 

The orchestration-centric identity infrastructure offered by Orchid Security reflects this shift by extending beyond traditional IAM limitations associated with manual application onboarding and partial visibility of managed systems that have already been deployed. 

By enabling continuous evaluation of identity behavior, contextual gap analysis, and risk-based remediation enforced through automated orchestration, the platform provides a more comprehensive approach to identity governance than static roles and fragmented insights. In addition to providing consistent governance across distributed environments, Orchid aligns identity operations with business objectives as well as security objectives by embedding observability and intelligence directly into the identity fabric. 


Through continuous discovery, analysis and evaluation of enterprise applications at runtime, the platform supports evidence-driven prioritization by analyzing authentication and authorization paths and comparing them to regulatory requirements and established cybersecurity frameworks. 

In addition to augmenting native controls, the remediation process is simplified by integrating with existing Identity and Access Management systems, often without requiring custom development. It is through this approach that Orchid assists organizations in addressing the increasing presence of unmanaged identity exposure, commonly known as identity dark matter. 

In addition to reducing systemic risk, improving compliance posture, and reducing operational overhead, Orchid has already deployed its platform across Fortune 500 and Global 2000 enterprises, supporting Orchid's role in operationalizing identity-first security. It has been proven that adopting Orchid's platform yields measurable improvements in governance and accountability, in addition to incremental security improvements. 

By providing a detailed understanding of application-level identity usage, the platform reduces exposure caused by unmanaged access paths and helps security teams prepare for audits in a more timely and confident manner. The identification risk is no longer inferred or distributed between fragmented tools, but rather clearly attributed and supported by verifiable, runtime-derived evidence. 

In complex enterprise environments, it is imperative for organizations to shift from assumption-driven decision-making to evidence-based control, reinforcing the core objective of identity-first security. Increasingly, identity is fragmenting beyond traditional control points and centralized directories, making continuous, application-aware governance increasingly important. 

Providing persistent identity observability across modern application ecosystems, Orchid Security addresses this challenge by enabling organizations to discover identity usage, assess risk in context, coordinate remediation, and maintain audit-ready evidence through continuous, application-aware governance. 

There is no doubt that the operating model reflects the actual ways in which contemporary enterprise environments function, where access is dynamic, distributed, and deeply embedded within the logic of the applications. As a result of his leadership's experience in both advanced AI research and large-scale security engineering, the company has designed its identity infrastructure using practical knowledge from companies like Google DeepMind and Square, who are now part of Block. 

The rapid adoption of artificial intelligence throughout enterprise and adversarial domains has also raised the stakes for identity security, as threat actors increasingly automate reconnaissance, exploitation, and lateral movements. An Identity Control Plane, Orchid offers its platform as a means to converge managed and unmanaged identities into an authoritative view derived directly from application developers. 

The benefits of this approach include not only strengthening enterprise security postures, but also creating new opportunities for global systems integrators and managed service providers. As a result, they are able to provide additional value-added services such as continuous application security assessment, identity governance, audit readiness, incident response, and identity risk management. 

Using Orchid, organizations can accelerate the onboarding of applications, prioritize remediation according to observed risk, and monitor compliance continuously, thereby enabling the development of a new level of identity governance that minimizes organizational risk, lowers operating costs, and allows for consistent control of both human and machine identities in increasingly AI-driven organizations.
Read more »
Subscribe to: Comments (Atom)