Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Crimes Extorting Ransoms by Manipulating Online Photos

  It is estimated that there are more than 1,000 sophisticated virtual kidnapping scams being perpetrated right now, prompting fresh warning...

All the recent news you need to know
Cyberspace Threats
Check Point research cyber attack Cyber Attacks Cyberspace Threats

Initial Access Brokers Now Central to Cyberattacks: Report

 

The market for initial access brokers has expanded rapidly over the past two years, creating a system that allows advanced threat actors to outsource the early stages of an intrusion, according to new research from Check Point. The report says this growth has made it easier for both nation-state groups and criminal actors to breach a larger number of targets. 

Check Point notes that the rise of the IAB economy coincides with the growing use of cyberspace by governments as a tool for projecting power. The firm is urging policymakers and businesses to strengthen identity security, secure software supply chains and improve the resilience of operational technology systems. 

“Once considered peripheral players, IABs have become a critical node in the cyber-criminal supply chain, lowering barriers to entry for sophisticated operations and enabling rapid campaign scaling,” Check Point said. 

By paying IABs to handle initial access at scale, threat actors can move faster and avoid the risks associated with the early stages of an attack. According to the report, “state-backed groups and sophisticated criminal actors can reduce operational risk, accelerate execution timelines, and scale their campaigns across dozens of targets simultaneously.” 

This growing reliance on brokers also complicates attribution. When an IAB is involved, IT teams and investigators often struggle to determine whether an attack was carried out by a government-backed group or by a criminal operation. 

For this reason, Check Point says that “IAB activity is no longer a peripheral criminal phenomenon but a force multiplier in the broader offensive ecosystem, one that directly supports espionage, coercive operations, and potential disruption of U.S. government and critical infrastructure networks.” 

The report also highlights a sharp rise in IAB activity targeting essential sectors. Healthcare saw nearly 600 percent more IAB-related attacks in 2024 compared with 2023. Government, education and transportation networks were also significantly affected. 

Check Point says these increases reflect both higher demand from adversaries for access to sensitive environments and the growing professionalisation of the IAB marketplace, where access to critical systems is treated as a commodity. 

The research links this broader trend to rising geopolitical tensions and the changing role of nation-state hacking. “Cyber operations have evolved from opportunistic disruptions and intelligence-gathering into deliberate, coordinated campaigns designed to achieve political, economic, and strategic outcomes,” the report says. 

According to Check Point, the line between geopolitics and cyber activity has largely disappeared. State-aligned groups are using digital operations to shape crises, signal intent and impose costs on rivals, often below the threshold of open conflict. 

The firm notes that spikes in geopolitical risk are closely followed by spikes in targeted cyberattacks against U.S. government systems. “Cybersecurity is no longer just a technical issue; it is a strategic imperative,” Check Point said. The report argues that resilience, deterrence and rapid recovery must now be treated as national security priorities on the same level as traditional defence planning.
Read more »
Web security
Browser Vulnerability cross-origin data leak CSS security flaw Lyra Rebane research SVG clickjacking Vulnerabilities and Exploits Web security

New SVG-Based Clickjacking Technique Exposes Cross-Origin Data Through CSS Filters

 

Security researcher Lyra Rebane has developed a new type of clickjacking attack that cleverly exploits Scalable Vector Graphics (SVG) and Cascading Style Sheets (CSS) to bypass traditional web protections.

Rebane first showcased this discovery during BSides Tallinn in October and has since released a technical breakdown of the method. The attack takes advantage of a little-known behavior where SVG filters can inadvertently expose cross-origin information—directly undermining the web’s same-origin policy.

Clickjacking, also known as a user interface redress attack, involves deceiving users into performing unintended actions by visually manipulating interface elements. The concept, introduced in 2008 by security researchers Jeremiah Grossman and Robert Hansen, was originally described as a technique for redirecting mouse clicks to malicious targets such as hidden buttons or form inputs.

Over the years, browsers have implemented numerous defenses to prevent such attacks. OWASP highlights common safeguards such as blocking page rendering within frames via X-Frame-Options or CSP frame-ancestors, limiting cookie access inside frames, and using JavaScript frame-busting scripts. Even with these protections, new variants continue to appear—most recently, last year’s cross-window forgery technique.

Rebane’s discovery began while she was experimenting with recreating Apple’s Liquid Glass distortion effect using SVG filters and CSS. Once she successfully replicated the effect, she noticed that when embedded inside an iframe, her SVG/CSS implementation could detect pixel data from the page beneath it—effectively accessing information from another origin.

She told The Register that previous attempts using SVG for cross-origin attacks exist, citing Paul Stone’s “Perfect Pixel Timing Attacks With HTML” and Ron Masas’s “The Human Side Channel”. But, as Rebane stated, "I don't think anyone else has run logic on cross-origin data the way I have."

Her write-up details how she used SVG filters to construct logic gates capable of processing webpage pixels using arbitrary computation—enabling a clickjacking method that would be extremely difficult to achieve with other tools.

According to Rebane, "By using feBlend and feComposite, we can recreate all logic gates and make SVG filters functionally complete. This means that we can program anything we want, as long as it is not timing-based and doesn't take up too many resources."

To demonstrate the risks, Rebane created a proof-of-concept that extracts text from Google Docs. Her attack overlays a “Generate Document” button on a popup. When clicked, the underlying script identifies the popup and shows a CAPTCHA-style textbox. Once submitted, the attacker-controlled interface secretly feeds a suggested Google Docs file name into a hidden textbox. While typical framing restrictions would prevent this, Google Docs allows itself to be embedded, making the attack viable.

Rebane noted that this is common among services intended for embedding—such as YouTube videos, social widgets, maps, payment systems, comment modules, and advertisements. Some services also unintentionally permit framing by failing to include protective headers, which is frequently seen in API endpoints.

Beyond iframe scenarios, Rebane explained that the technique can also be adapted for sites vulnerable to HTML injection.

She said, "There's a vulnerability class known as XSS which involves injecting HTML on websites through various means to execute malicious JavaScript." With CSP now blocking many forms of unsafe JavaScript, attackers look for alternatives. In such cases, "CSS is the next best thing to use, and it can be used for many kinds of interesting attacks," she added, arguing that CSS itself behaves like a programming language. "SVG clickjacking is one of the many attacks that could be used there."

Although the method does not fundamentally overhaul existing web security principles, it significantly lowers the complexity required to execute advanced attack chains.

Google awarded Rebane a $3,133.70 bug bounty for reporting the flaw. She noted that the issue remains unresolved and may not even be classified as a browser bug, adding that Firefox and other browsers are affected as well.

Rebane also pointed out potential mitigations—highlighting the Intersection Observer v2 API, which can detect when an SVG filter is positioned above an iframe.

Google has yet to comment on the matter. A related Chromium bug originating from earlier timing attacks has been closed with a “won’t fix” status.
Read more »
third party access
CAPTCHA Credential Stuffing Cyber Security MFA Online Retailers Passwords third party access

How Retailers Should Harden Accounts Before the Holiday Rush




Retailers rely heavily on the year-end shopping season, but it also happens to be the period when online threats rise faster than most organizations can respond. During the rush, digital systems handle far more traffic than usual, and internal teams operate under tighter timelines. This combination creates a perfect opening for attackers who intentionally prepare their campaigns weeks in advance and deploy automated tools when stores are at their busiest.

Security analysts consistently report that fraudulent bot traffic, password-testing attempts, and customer account intrusions grow sharply during the weeks surrounding Black Friday, festive sales, and year-end shopping events. Attackers time their operations carefully because the chance of slipping through undetected is higher when systems are strained and retailers are focused on maintaining performance rather than investigating anomalies.

A critical reason criminals favor this season is the widespread reuse of passwords. Large collections of leaked usernames and passwords circulate on criminal forums, and attackers use automated software to test these combinations across retail login pages. These tools can attempt thousands of logins per minute. When one match succeeds, the attacker gains access to stored payment information, saved addresses, shopping histories, loyalty points, and in some cases stored tokenized payment methods. All of these can be exploited immediately, which makes the attack both low-effort and highly profitable.

Another layer of risk arises from the credentials of external partners. Many retailers depend on vendors for services ranging from maintenance to inventory support, which means third-party accounts often hold access to internal systems. Past retail breaches have shown that attackers frequently begin their intrusion not through the company itself but through a partner whose login rights were not secured with strong authentication or strict access controls. This amplifies the impact far beyond a single compromised account, highlighting the need for retailers to treat vendor and contractor credentials with the same seriousness as internal workforce accounts.

Balancing security with customer experience becomes especially challenging during peak seasons. Retailers cannot introduce so much friction that shoppers abandon their carts, yet they also cannot ignore the fact that most account takeovers begin with weak, reused, or compromised passwords.

Modern authentication frameworks recommend focusing on password length, screening new passwords against known breach data, and reducing reliance on outdated complexity rules that frustrate users without meaningfully improving security. Adaptive multi-factor authentication is viewed as the most practical solution. It triggers an additional verification step only when something unusual is detected, such as a login from an unfamiliar device, a significant change to account settings, or a suspicious location. This approach strengthens security without slowing down legitimate customers.

Internal systems require equal attention. Administrative dashboards, point-of-sale backends, vendor portals, and remote-access platforms usually hold higher levels of authority, which means they must follow a stricter standard. Mandatory MFA, centralized identity management, unique employee credentials, and secure vaulting of privileged passwords significantly reduce the blast radius of any single compromised account.

Holiday preparedness also requires a layered approach to blocking automated abuse. Retailers can deploy tools that differentiate real human activity from bots by studying device behavior, interaction patterns, and risk signals. Rate limits, behavioral monitoring for credential stuffing, and intelligence-based blocking of known malicious sources help limit abuse without overwhelming the customer experience. Invisible or background challenge mechanisms are often more effective than traditional CAPTCHAs, which can hinder sales during peak traffic.

A final but critical aspect of resilience is operational continuity. Authentication providers, SMS delivery routes, and verification systems can fail under heavy demand, and outages during peak shopping hours can have direct financial consequences. Retailers should run rehearsals before the season begins, including testing failover paths for sign-in systems, defining emergency access methods that are short-lived and fully auditable, and ensuring there is a manual verification process that stores can rely on if digital systems lag or fail. Running load tests and tabletop exercises helps confirm that backup procedures will hold under real stress.

Strengthening password policies and monitoring for compromised credentials also plays a vital role. Tools that enforce password screenings against known breach databases, encourage passphrases, restrict predictable patterns, and integrate directly with directory services allow retailers to apply consistent controls across both customer-facing and internal systems. Telemetry from these tools can reveal early signs of suspicious behavior, providing opportunities to intervene before attackers escalate their actions.

With attackers preparing earlier each year and using highly automated methods, retailers must enter the holiday season with defenses that are both proactive and adaptable. By tightening access controls, reinforcing authentication, preparing for system failures, and using layered detection methods, retailers can significantly reduce the likelihood of account takeovers and fraud, all while maintaining smooth and reliable shopping experiences for their customers.


Read more »
cybersecurity risks
Apache Apache Vulnerability Critical security flaw CVE CVE vulnerability CVEs Cyber Attacks cybersecurity risks

Critical CVE-2025-66516 Exposes Apache Tika to XXE Attacks Across Core and Parser Modules

 

A newly disclosed vulnerability in Apache Tika has had the cybersecurity community seriously concerned because researchers have confirmed that it holds a maximum CVSS severity score of 10.0. Labeled as CVE-2025-66516, the vulnerability facilitates XXE attacks and may allow attackers to gain access to internal systems along with sensitive data by taking advantage of how Tika processes certain PDF files. 

Apache Tika is an open-source, highly-used framework for extracting text, metadata, and structured content from a wide array of file formats. It is commonly used within enterprise workflows including compliance systems, document ingestion pipelines, Elasticsearch and Apache Solr indexing, search engines, and automated content scanning processes. Because of its broad use, any severe issue within the platform has wide-ranging consequences.  

According to the advisory for the project, the vulnerability exists in several modules, such as tika-core, tika-parsers, and the tika-pdf-module, on different versions, from 1.13 to 3.2.1. The issue allows an attacker to embed malicious XFA -- a technology that enables XML Forms Architecture -- content inside PDF files. Upon processing, Tika may execute unwanted calls to embedded external XML entities, thus providing a way to fetch restricted files or gain access to internal resources.  

The advisory points out that CVE-2025-66516 concerns an issue that was previously disclosed as CVE-2025-54988, but its scope is considerably broader. Whereas the initial advisory indicated the bug was limited to the PDF parser, subsequent analysis indicated that the root cause of the bug-and therefore the fix-represented in tika-core, not solely its parser component. Consequently, any organization that has patched only the parser without updating tika-core to version 3.2.2 or newer remains vulnerable. 

Researchers also provided some clarification to note that earlier 1.x releases contained the vulnerable PDF parser in the tika-parsers module, so the number of affected systems is higher than initial reporting indicated. 

XXE vulnerabilities arise when software processes XML input without required restrictions, permitting an attacker to use external entities (these are references that can point to either remote URLs or local files). Successfully exploited, this can lead to unauthorized access, SSRF, disclosure of confidential files, or even an escalation of this attack chain into broader compromise. 

Project maintainers strongly recommend immediate updates for all deployments. As no temporary configuration workaround has been confirmed, one can only install patched versions.
Read more »
Ransomware
BlackCat Cyber Attacks Extortion FinCEN LockBit Ransomware

FinCEN: Ransomware Gangs Extorted Over $2.1B from 2022 to 2024

 

FinCEN’s most recent report has revealed that ransomware activity reached a new peak in 2023, accumulating over $1.1 billion in payments before a decline in 2024, as law enforcement pursued major gangs such as ALPHV/BlackCat, LockBit. In general, FinCEN data reveals $2.1 billion in ransoms paid from 2022 through 2024, and about $4.5 billion from 2013 to 2024. 

FinCEN’s findings draw on thousands of Bank Secrecy Act reports, that registered 4,194 ransomware incidents between January 2022 and December 2024. Ransomware earnings peaked 2023 with 1,512 incidents and a 77% increase in payouts from 2022, but dropped to nearly $734 million in 1,476 incidents during 2024, decrease attributed to the global disruption of the BlackCat and LockBit operations. These takedowns left affiliates to either transition to other ransomware brands or try to rebuild. 

The report does note that most single ransom amounts were under $250,000, although some sectors consistently took the biggest hits. By number of incidents, manufacturing, financial services, healthcare, retail, and legal services were the most frequently targeted industries from 2022 to 2024. By total losses, financial services led with about $365.6 million paid, followed by healthcare, manufacturing, science and technology, and retail, each suffering hundreds of millions in extorted funds.

Over the period under review, FinCEN counted 267 unique ransomware families; however, a handful caused the majority of distraught. Akira accounted for the most reports (376), followed by ALPHV/BlackCat with the highest earnings at close to $395 million, and LockBit with $252.4 million. As for the top 10 most active groups, they were a combined $1.5 billion between 2022 and 2024, featuring Black Basta, Royal, BianLian, Hive, Medusa, and Phobos. 

The flow of money is still largely in cryptocurrency, with around 97% of ransom payments in Bitcoin and the remainder in Monero, Ether, Litecoin and Tether. Notification of Ransomware Incident to FBI FinCEN stressed that routine, detailed reporting of ransomware incidents to the FBI and ransom payments to FinCEN continues to be critical to enable tracking of funds, further disrupting them, and sustaining the pressure that resulted in the decline noted in 2024.
Read more »
SeedSnatcher
Android ClayRat FvncBot malware SeedSnatcher

New Android Malware SeedSnatcher and FvncBot Found By Experts


New Android malware found

Researchers have revealed details of two Android malware strains called SeedSnatcher and FvncBot. Upgraded version of ClayRat was also found in the wild. 

About the malware 

FvncBot works as a security app built by mBank and attacks mobile banking users in Poland. The malware is written from scratch and is different from other banking trojans such as ERMAC whose source codes have been leaked.

According to Intel 471, the malware "implemented multiple features including keylogging by abusing Android's accessibility services, web-inject attacks, screen streaming and hidden virtual network computing (HVNC) to perform successful financial fraud."

Like the Albiriox banking malware, this trojan is shielded by a service called apk0day that Golden Crypt offers.

Attack tactic 

After the dropper app is launched, users are asked to download a Google Play component for security of the app. But in reality, it deploys the malware via session-based approach which other actors adopt to escape accessibility restrictions on Android devices version 13 and above.

According to Intel 471, "During the malware runtime, the log events were sent to the remote server at the naleymilva.it.com domain to track the current status of the bot." After this, the malware asks victims for accessibility services permission, it then gets privileges and connects to an external server. 

Malware capabilities 

FvncBot also triggers a text mode to analyze the device screen layout and content even in cases where an app doesn't allow screenshots by setting the FLAG_SECURE option. 

Experts don't yet know how FvncBot is getting widespread, but Android banking trojans leverage third-party app stores and SMS phishing as a distribution vector. 

According to Intel 471, "Android's accessibility service is intended to aid users with disabilities, but it also can give attackers the ability to know when certain apps are launched and overwrite the screen's display." 

The firm added that the sample was built to "target Polish-speaking users, it is plausible we will observe this theme shifting to target other regions or to impersonate other Polish institutions."


Beyond the immediate threat to banking and cryptocurrency users, the emergence of FvncBot, SeedSnatcher, and the upgraded ClayRat underscores a troubling evolution in mobile-malware design: an increasing shift toward “full-device takeover” rather than mere credential theft. By exploiting legitimate features, such as Android’s accessibility services, screen-streaming APIs, and overlay permissions, these trojans can invisibly hijack almost every function of a smartphone: logging keystrokes, intercepting SMS-delivered 2FA codes, capturing screen contents even when apps try to block screenshots, and executing arbitrary commands as though the real user were interacting with the device. 

This marks a new class of threat in which a compromised phone becomes a proxy tool for remote attackers: they don’t just steal data, they can impersonate the user, conduct fraudulent transactions, or monitor every digital activity. Hence, users worldwide, not only in Poland or crypto-heavy regions, must remain vigilant: the architecture these threats use is platform-wide, not region-specific, and could easily be repurposed for broader global campaigns.
Read more »
Subscribe to: Comments (Atom)

Featured