
Google Targets NetNut Residential Proxy Network Operating Across Two Million Devices


 

Google has dealt a significant blow to one of the internet's largest residential proxy ecosystems, NetNut, also known as Popa, with several international authorities coordinating operations to disrupt the infrastructure behind the network.

Through the action, which was conducted in collaboration with Lumen Technologies, the FBI, and other industry partners, millions of compromised Android-powered devices, including smart TVs, streaming boxes, and other internet-connected consumer hardware, were prevented from accessing the network. This significantly reduced the network's operational capacity. 

In the network, ordinary household devices were covertly transformed into proxy relays that permitted cybercriminals and state-linked threat actors to route malicious activity through legitimate residential IP addresses, masking their identities without raising suspicion.

According to security researchers, the botnet comprises at least two million compromised devices worldwide, indicating both its scope and the growing misuse of consumer IoT infrastructure in modern cyber campaigns. Beyond its sheer scale, NetNut has become an integral component of the underground residential proxy market, providing infrastructure to hundreds of cybercriminals and espionage-linked threat actors.

Several domains used to operate the service, including netnut.com, were seized as part of the FBI's disruption efforts. Researchers at the Google Threat Intelligence Group (GTIG) observed 316 distinct threat clusters leveraging suspected NetNut exit nodes during a single week last month, illustrating the platform's substantial operational reach.

The analysis found that attackers used trusted residential IP addresses not only to hide access to their own infrastructure, but also to conduct password-spraying campaigns and establish covert connections into targeted environments. Because NetNut's operators relied on Google services for malware command-and-control (C2), Google disabled their accounts and cloud services, effectively cutting them off from critical backend infrastructure.

The company notified affected Android users and deactivated malicious applications associated with the botnet simultaneously through Google Play Protect, and it distributed technical intelligence on NetNut's software development kits (SDKs) and C2 architecture to platform providers, law enforcement agencies, and cybersecurity researchers in order to strengthen coordination in detection and mitigation. 

Moreover, Google emphasized that the disruption is likely to extend beyond a single botnet: NetNut's reseller model has supplied infrastructure to multiple residential proxy providers for many years, making the operation potentially significant for the entire illicit proxy ecosystem. Investigations have also highlighted the commercial infrastructure that underpins the proxy network.

A report from Qurium, Synthient, Nokia Deepfield, and Spur in June linked the Popa botnet to NetNut, an Israeli public company owned by Alarum Technologies. During controlled testing, Synthient demonstrated that traffic routed through NetNut's commercial gateway originated from a device that was intentionally enrolled in the Popa network, providing evidence that the commercial proxy service was directly connected to compromised endpoints. 

While the researchers stopped short of attributing intent or operational knowledge, Google stated that its own threat intelligence was consistent with the public findings, treating NetNut and Popa as components of the same network and supporting the researchers' assessment of how the proxy infrastructure was built.

Alarum, by contrast, has firmly rejected those conclusions, disputing the categorization of NetNut as a botnet and stating that the research is based on "unverified facts, as opposed to demonstrably inaccurate assertions and flawed deductions." The company maintains that its platform operates as a legitimate, consent-based bandwidth-sharing service and that it does not compromise user devices or operate without authorization.

Synthient's analysis challenged that position, revealing that none of the twenty examined applications related to the ecosystem provided meaningful consent prompts before enrolling users' devices in bandwidth sharing operations, raising further questions about transparency in the software distribution process. 

Google also cautioned that disrupting NetNut represents only the first phase of a much larger effort, stressing that NetNut operates a large white-label reseller program that allows third parties to market access to the same residential proxy infrastructure under a variety of brand names. Because a number of seemingly independent residential proxy services ultimately draw connectivity from the NetNut device pool, disrupting one provider can affect multiple brands simultaneously.

However, Google characterized the latest actions as degradation rather than a complete takedown, noting that operators have previously restored capacity by sourcing infrastructure from competing proxy providers. As evidence of the resilience of these interconnected ecosystems, the company cited its disruption of the China-linked IPIDEA residential proxy network in January and its legal action, launched in July 2025, against the operators of the BadBox 2.0 botnet, whose Android TV infrastructure is similar to Popa's.

Creating long-term impact will require sustained, coordinated disruption across multiple providers. According to researchers, consumer devices most commonly end up in residential proxy networks through applications that offer financial rewards for "unused bandwidth" or "sharing internet access." Security teams are strongly advised to install apps only from trusted app stores, carefully review permission requests from VPN and proxy software, enable protections such as Google Play Protect, and purchase smart TVs and streaming devices from reputable manufacturers to minimize the risk of preloaded or malicious software.

The report also warns that residential IP addresses will not be in short supply in the cybercriminal ecosystem following NetNut's disruption. Continued monitoring of reseller brands and successor infrastructure is essential to identify any reemergence of NetNut-related traffic.

Alarum's corporate legal counsel, Omer Weiss, issued a statement following the operation saying the company had been made aware of the FBI's seizure of certain NetNut-related domains on July 2, 2026. According to Weiss, Alarum is seriously concerned about the matter and will work closely with law enforcement authorities to investigate any misuse of its infrastructure and support the pursuit of accountability for those responsible.

NetNut's disruption marks an important step in challenging the growing abuse of residential proxy infrastructure, but it also underscores the increasingly interconnected nature of commercial services, compromised consumer devices, and cybercriminal operations.

In a rapidly evolving proxy ecosystem characterized by reseller networks and shared infrastructure, sustained collaboration between technology providers, law enforcement agencies, and cybersecurity professionals will remain crucial. Maintaining trusted software sources, enforcing built-in security protections, and monitoring for unauthorized network activity remain practical safeguards against a threat landscape that is becoming increasingly adaptable.

Apple Expands AI in iOS 27 with Smarter Everyday Features Beyond Siri

 

Apple is expanding its artificial intelligence strategy beyond Siri with iOS 27 by integrating AI across its apps and services instead of relying on a standalone chatbot. The new features are designed to simplify everyday tasks through automation while giving users control and maintaining Apple’s privacy-first approach. 

One of the key additions is Bill Splitting, which uses Apple Cash to divide restaurant bills. After scanning or uploading a receipt, Apple Intelligence identifies ordered items, quantities, taxes, tips, and the total amount. Through Messages, users can select what they ordered, allowing everyone to pay their share without manually calculating costs. Apple is also enhancing account security with its Passwords app. 

The feature can detect compromised or weak credentials exposed in data breaches, recommend stronger passwords, and securely update them on supported websites without requiring users to manually log in and change each password. The Messages app is gaining AI-powered suggestions that help users complete common tasks. It can recommend photos when someone asks about a past event, suggest creating reminders when someone requests an item, and prompt users to add meetings or dinner plans to their Calendar without leaving the conversation. 

A new Call Context feature will display useful information, such as booking confirmation numbers stored in Mail, during customer service calls. Apple says all processing happens on the device, ensuring personal information remains private. The Shortcuts app is also becoming easier to use by allowing users to create automations using natural language. Instead of manually building workflows, users can simply describe what they want, such as updating their calendar, controlling smart home devices, or sharing their ETA with family members.  

Additional iOS 27 features include AI-powered tab organization in Safari, which groups related webpages by topic, and smarter Home app notifications that combine multiple smart home events into a single alert. Apple has also improved search within the Home app to help users quickly find important camera clips, such as package deliveries. Together, these updates highlight Apple’s broader AI vision of embedding intelligence throughout its software rather than limiting it to Siri. 

By integrating AI into familiar apps, the company aims to make daily tasks faster, simpler, and more secure while continuing to prioritize user privacy.

Anubis Ransomware Gang Attacks Again, Exploits Remote Access


Hackers linked to the Anubis ransomware operation have been found abusing the Citrix Bleed 2 (CVE-2025-5777) flaw to gain initial access.

According to Arctic Wolf, techniques vary among affiliates, but a few common patterns surfaced in their tradecraft: abuse of legitimate Remote Monitoring and Management (RMM) tooling, hands-on-keyboard activity, and credential access.

Anubis also abused legitimate remote access and administration tools such as MeshAgent, Total Software Deployment, ScreenConnect, UltraVNC, and Zoho Assist to blend in with normal IT operations while maintaining control of target systems.

About Anubis 

Anubis is a RaaS gang that first surfaced in late 2024 as a spinoff of Sphinx ransomware. The ransomware campaign was first disclosed on the Ransomware and Advanced Malware Protection (RAMP) darkweb forum in February last year. As per the data from Ransomware.Live, the cybercrime gang has taken responsibility for 91 victims on its data leak website, with 11 targets in June 2026.

Areas impacted

The most affected sectors are business services, technology, financial services, and healthcare. More than 50% of the targets are based in the U.S., followed by the U.K., Australia, France, and Canada.

Rubrik Zero Labs published a report in July 2025 noting that Anubis advertises generous profit splits, offering affiliates 80% of the ransom paid, and combines this with an irreversible data-wiping feature to further pressure victims into paying upfront.

Experts at Rubrik said that “when Anubis's /WIPEMODE module is activated, files remain in directories but are reduced to a 0 KB size regardless of ransom payment.” The experts added that when “Anubis changes ransomware’s traditional strategic calculus, it creates powerful incentives for motivated threat actors to deploy Anubis in pursuit of lucrative returns.”

The impact

Commenting on the severity of the attack, Rubrik said that, “Knowing threat actors can revert victims' environments to this scorched-earth state with a single command significantly increases pressure on victims to pay before the wiper is fully activated.”

The 2026 ransomware incidents involve both exploitation of CVE-2025-5777 (CVSS score: 9.3), a severe flaw affecting Citrix NetScaler, and the use of valid VPN credentials.

The source of VPN credentials in these attacks is unknown, but experts say that they are likely to be collected after the first compromise, or via credential stuffing, initial access brokers (IABs), or information stealer operations.  

Nissan Confirms Employee Data Breach Following Oracle PeopleSoft Zero-Day Cyberattack

 

Nissan has confirmed that it fell victim to a third-party cyberattack after being targeted as an Oracle PeopleSoft user, making it the latest company to suffer an attack through a recently disclosed vulnerability. The breach is currently under investigation, with Nissan reporting that the attackers could have accessed the personal data of thousands of employees worldwide.

Based on the breach notification sent to the California Department of Consumer Affairs, Nissan Americas uses Oracle PeopleSoft to perform essential employee management functions, including payroll, taxes, and record-keeping. The attack relied on a zero-day flaw, CVE-2026-35273, which was patched only after it was already being actively exploited. The breached data is reported to affect current and former employees in the United States, Canada, Mexico, and Brazil.

Notably, the data includes Social Security numbers and banking, financial, and tax information. Nissan is still investigating the scope of the damage and has yet to conclude its investigation. Researchers report that the ShinyHunters extortion gang is behind the identified Oracle PeopleSoft-related attacks, with over 100 companies already reportedly identified as victims of the zero-day flaw.

Although Nissan was not found on the ShinyHunters data leak site, reports suggest that the cybercriminals might still use the data for extortion. It remains unclear whether the breached data would be published or utilized in ransomware attacks by the threat actors. The vulnerability affecting Oracle PeopleSoft, which has been reported to affect thousands of enterprise users worldwide, continues to raise concerns. 

Since the affected software handles critical data, including employee records, the security flaw may have severe implications. Besides Nissan, several companies have reportedly fallen victim to the vulnerability, with the Everest ransomware group recently claiming to have stolen customer data from the car manufacturer. Cybercriminals appear to be targeting major manufacturers, including those based in the United States, and threatening to expose the data for extortion.

Although only a handful of companies have officially confirmed being victims of the Oracle PeopleSoft cyberattack, others are likely to be affected given the scale of the problem. The National Association of Insurance Commissioners recently confirmed being a victim of the attack, with the University of Nottingham also reportedly among the affected institutions.

The most significant damage, however, appears to be in the education sector, with Illinois Central College and Moody Bible Institute the only two confirmed victims at the time of publication. According to cybersecurity analysts, the sector has suffered the largest fallout from the PeopleSoft attack, with several universities reportedly targeted by the ShinyHunters extortion gang.

Another PeopleSoft cyberattack serves as a reminder of the constant security challenges facing enterprise users relying on the application to protect sensitive employee data. With investigations into the breach underway, more companies may be identified as victims of the attack in the coming weeks.

81 Million Login Attempts Linked to Azure CLI Password Spray Attack

 


A large-scale password spraying campaign targeting Microsoft 365 environments through Microsoft’s Azure Command-Line Interface (Azure CLI) generated more than 81 million authentication attempts and compromised at least 78 user accounts across 64 organizations, according to cybersecurity firm Huntress.

Huntress said the activity was observed between June 12 and June 21, with attackers typically compromising two to four accounts per day before activity surged around June 22, when 23 organizations were affected. Most of the login attempts originated from AS32167, an autonomous system associated with hosting provider LSHIY LLC.

The company said the campaign formed part of a larger wave of credential-spraying attacks spanning multiple autonomous systems and noted that the volume of such attacks across its customer base has increased more than 155-fold during the past six months. Investigators believe the operation relied primarily on previously exposed username-and-password combinations obtained from credential leak collections.

A key element of the campaign was the use of the OAuth Resource Owner Password Credentials (ROPC) flow through Azure CLI. Although ROPC has been deprecated in OAuth 2.1, it can still exchange valid usernames and passwords directly for access tokens without an interactive sign-in prompt. Huntress said this allowed attackers to authenticate successfully in environments where multi-factor authentication policies did not fully cover that authentication flow.

The investigation identified several configuration gaps among affected organizations, including MFA policies applied only to certain cloud applications or user groups, enforcement limited to non-trusted locations, and policies that had been configured but never enforced. Huntress also found that eight impacted organizations had no MFA policy enabled.

Huntress emphasized that the findings should not be interpreted as evidence that MFA is ineffective. Instead, organizations should review Conditional Access policies, eliminate deprecated authentication methods where possible, ensure MFA protections apply to all supported sign-in flows, and monitor Azure CLI authentication activity for unusual login patterns.
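As an added example (not code from Huntress or from the article), the following Python sketches the kind of monitoring the previous paragraph recommends: it groups failed sign-ins by autonomous system to spot a spray, then lists the accounts that a single-factor sign-in from that source actually reached. The record field names mirror the Entra ID sign-in log schema; the records, the window and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(ts, user, status, asn=32167, req="singleFactorAuthentication",
         app="Microsoft Azure CLI"):
    """One constructed sign-in record; keys mirror the Entra sign-in log
    schema, but every value below is sample data, not a real log line."""
    return {"ts": ts, "userPrincipalName": user, "appDisplayName": app,
            "autonomousSystemNumber": asn, "authenticationRequirement": req,
            "status": status}


# Constructed sample: AS32167 (the AS named above) fails against eight
# accounts through Azure CLI within minutes, then logs in to one account that
# MFA did not cover. ROPC is non-interactive, so each attempt is recorded as
# single-factor unless Conditional Access demanded a second factor.
SAMPLE_SIGNINS = [
    _rec("2026-06-22T01:00:00", f"user{i}@example.test", "failure")
    for i in range(8)
] + [
    # sprayed account, single factor only: compromised
    _rec("2026-06-22T01:05:00", "user3@example.test", "success"),
    # sprayed account, but Conditional Access required MFA: attacker blocked
    _rec("2026-06-22T01:06:00", "user4@example.test", "success",
         req="multiFactorAuthentication"),
    # unrelated login and one mistyped password from a normal network: benign
    _rec("2026-06-22T01:07:00", "carol@example.test", "success",
         asn=64496, app="Microsoft Office"),
    _rec("2026-06-22T01:08:00", "dave@example.test", "failure", asn=64496),
]


def detect_spray(records, window=timedelta(hours=1), min_users=5):
    """Return {asn: targeted_users} for every ASN whose failed sign-ins hit
    at least `min_users` distinct accounts within one `window`. Grouping by
    ASN instead of single IP catches sprays that rotate addresses inside one
    provider's range, which is how this campaign showed up."""
    by_asn = defaultdict(list)
    for r in records:
        if r["status"] == "failure":
            by_asn[r["autonomousSystemNumber"]].append(
                (datetime.fromisoformat(r["ts"]), r["userPrincipalName"]))
    sources = {}
    for asn, fails in by_asn.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide window
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                sources.setdefault(asn, set()).update(users)
    return sources


def compromised_via_spray(records, spray_sources):
    """Successful single-factor sign-ins from a spray source: the accounts a
    ROPC spray actually got into. Returns (user, asn, client app) tuples."""
    return [(r["userPrincipalName"], r["autonomousSystemNumber"],
             r["appDisplayName"])
            for r in records
            if r["status"] == "success"
            and r["autonomousSystemNumber"] in spray_sources
            and r["authenticationRequirement"] == "singleFactorAuthentication"]
```

On the sample data the spray source is AS32167 and the only account it reached with a single factor is user3; the MFA-protected user4 success is correctly left out.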

The IPv6 address range used in the campaign belongs to LSHIY, an internet infrastructure provider registered in Hong Kong, Wuhan, China, and New York. Huntress said it reported the activity through the provider’s abuse-reporting channel but had not received a response.

BioShocking Attacks Tricked AI-powered Browsers into Data Theft


A new prompt injection technique termed "BioShocking" can manipulate AI-based browsers into treating malicious actions as a video game and leaking users' login credentials. The technique was discovered by experts at security firm LayerX, who tricked six AI-powered browsers and assistants into recording users' credentials and sending them to the threat actor.

The browsers include:

ChatGPT Atlas from OpenAI

Comet from Perplexity

Anthropic’s Claude browser

Fellou

Genspark browser

Sigma browser

LayerX experts made a proof-of-concept (PoC), which was tested against these agentic AI browser products. The findings revealed that only one browser addressed the issue after receiving the report.

What is an AI browser?

An AI browser can streamline a user's entire workflow. Switched to agent mode, it can click, type, and visit sites the user is already logged into. That access is the key point here, and it is also the problem.

BioShocking attack tactic

The experts built a PoC in which a malicious webpage showed a BioShock-themed puzzle that rewards wrong answers, tricking the browser into believing that normal rules do not apply.

The trap works because of how these AI-powered browsers read. Webpage content and user instructions surface as a single stream of text, which lets a malicious page slip in commands disguised as ordinary content or game rules. The agent cannot tell which is which. Experts call this indirect prompt injection.

Tricking the browser

The compromise starts with a web page presented as a puzzle. "3+4=9" is a wrong answer, but the browser rewards it. Once the agent accepts that the wrong answer earns the reward, it follows the game's puzzle logic rather than security logic. The puzzle then asks the browser to record login credentials, and none of the six browsers flagged this as malicious. To "win" the game, the agent is instructed to go to a GitHub repository and commit the data, including sensitive values such as passwords, into the code.

When the agent follows the link to the target's GitHub repository, it retrieves SSH login credentials and sends them to the attackers. The core issue is that the browsers cannot differentiate between real scenarios and malicious fictional ones.

According to LayerX, “Once the agents figured out the rules and learned that 'incorrect' actions are acceptable, they were no longer tied to reality.” “When tasked with the final step of the puzzle – compromising user credentials – all 6 agents failed to identify it as going against their safety guardrails,” the experts continued.

The PoC did not execute any malicious commands, but it showed that it could have.

AI vendors’ response

According to experts, only OpenAI implemented a working patch for BioShocking in its browser.

Anthropic attempted a fix in its Chrome-based agent, but the patch did not work against the PoC. Perplexity did not fix the issue and closed the report.

LayerX advises that AI vendors should add specific user acknowledgement for sensitive work, and stronger security checks.
