Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Mazda Reports Limited Data Exposure After Warehouse System Breach

  Early reports indicate Mazda Motor Corporation faced a data leak following suspicious activity uncovered in its systems during December 20...

All the recent news you need to know
Ransomware
ClickFix Cyber Attacks Deno LeakNet Ransomware

LeakNet Ransomware Uses ClickFix and Deno for Stealthy Attacks

 

LeakNet ransomware has changed its approach by pairing ClickFix social-engineering lures with a Deno-based loader, making its intrusion chain harder to spot. The group is using compromised websites to trick users into running malicious commands, then executing payloads in memory to reduce obvious traces on disk. 

Security researchers say this is a notable shift because ClickFix replaces older access methods like stolen credentials with a user-triggered infection path. Once the victim interacts with the fake prompt, scripts such as PowerShell and VBS can launch the next stage, often with misleading file names that look routine rather than malicious. 

The Deno runtime is the second major piece of the campaign. Deno is a legitimate JavaScript and TypeScript runtime, but LeakNet is abusing it in a “bring your own runtime” style so it can run Base64-encoded code directly in memory, fingerprint the host, contact command-and-control servers, and repeatedly fetch additional code. 

That design helps the attackers stay stealthy because it minimizes the amount of malware written to disk and can blend in with normal software activity better than a custom loader might. Researchers also note that LeakNet is building a repeatable post-exploitation flow that can include lateral movement, payload staging, and eventually ransomware deployment. 

For organizations, the primary threat is that traditional file-based detection may miss the earliest stages of the attack. A campaign that starts with a convincing browser prompt or a fake verification page can quickly turn into an internal breach if users are not trained to question unexpected instructions. 

Safety recommendations 

To mitigate threat, companies should train users to avoid following browser-based “fix” prompts, especially on unfamiliar or compromised sites. They should also restrict PowerShell, VBS, and other script interpreters where possible, monitor for Deno running outside developer workflows, watch for unusual PsExec or DLL sideloading activity, and segment networks so one compromised host cannot easily spread access. Finally, maintain tested offline backups and keep a playbook for rapid isolation, because fast containment is often the difference between a blocked intrusion and a full ransomware incident.
Read more »
Token Minting Flaw
Blockchain Security Crypto Hack Cyber Attacks Decentralized Finance DeFi Risk Digital Asset Theft Smart Contract Vulnerability Stablecoin Exploit Token Minting Flaw

24.5 Million Dollar Hack Exposes Vulnerabilities in Resolv DeFi


 

The concept of stability is fundamental to the architecture of decentralized finance - it is the foundation upon which trust is built. A stablecoin brings parity with the dollar to the decentralized finance system, providing a quiet assurance that one token will reliably mirror one unit of currency. 

The premise of this proposition has been severely undercut with the case of Resolv, where the USR token now trades at less than a third of its intended peg and hovers around 27 cents, clearly demonstrating a structural breakdown that cannot be rectified by simple recalibration. 

During the early hours of Sunday morning, at approximately 2:21 a.m. UTC, an attacker exploited a vulnerability within the protocol's minting contract, fabricating nearly 80 million tokens without backing. A swift and systematic unwinding of value followed-those artificially created assets were funneled through decentralized exchanges, exchanged for more liquid stablecoins, and eventually consolidated into Ether. 

After completing the activity, the attacker had obtained digital assets worth approximately $25 million, leaving behind not only a depegged token, but also a stark reminder of how confidence can rapidly erode when mathematical foundations of financial systems fail to hold up. It is evident from the mechanics of the breach that there was a deeper architectural weakness rather than a momentary lapse that led to the breach. 

A capital injection of $100,000 to $200,000 in USDC was sufficient to engage the protocol's minting interface under normal conditions at the beginning of the sequence. However, what occurred afterward diverged significantly from what was expected. By exploiting a flaw in the authorization flow, the adversary was able to generate approximately 80 million USR tokens, a number that is significantly greater than the initial collateral provided. 

Ultimately, this breakdown occurred as a result of an off-chain signing service entrusted with a privileged private key that authorised the minting of mint quantities. The contract verified the presence of a valid cryptographic signature, but failed to impose any intrinsic ceiling on issuance. Therefore, a critical control was externalized without being enforced on the blockchain. 

Having created the unbacked tokens, the attacker moved with calculated precision to convert USR into its staked derivative, wstUSR, and unwind the position using decentralized liquidity pools. Upon incremental exchange of the assets for stablecoins and then consolidation of Ether, the proceeds could be absorbed into deeper market liquidity, thereby providing a greater level of market liquidity. 

Parallel to the sudden injection of uncollateralized supply, USR's market equilibrium was destabilized, resulting in a rapid depreciation of almost 80 percent. As a result of establishing the sequence of events, the incident demonstrates the importance of investigating the minting architecture and implicit trust assumptions that enabled such a breach to occur.

Rather than limiting themselves to Resolv's immediate ecosystem, the repercussions of the exploit have been emitted across interconnected DeFi infrastructure protocols. A detailed internal assessment has now been initiated to determine the extent of exposure for organizations that integrated USR into shared liquidity pools, accepted it as collateral, or relied on its yield mechanisms. 

Decentralized finance is based on the premise that it can be layered, enhancing efficiency as well as reducing risk, and this chain reaction is indicative of this. As a result of the sudden depegging of USR, platforms upstream have encountered balance sheet inconsistencies. 

As a precautionary measure, select operations were suspended, withdrawals and deposits were restricted, and governance-driven responses were initiated to mitigate potential deficits. This requires a more detailed audit of smart contract states and liquidity positions to reconcile the impact of a compromised asset than surface-level accounting.

As a result of the episode, DeFi remains aware of a persistent structural reality: vulnerabilities at a foundational layer can lead to instability throughout the entire stack, thereby exposing even indirectly exposed participants to disruption. There has been an increase in attention on the post-exploit environment, where the trajectory of stolen assets may influence recovery prospects. 

On-chain observations indicate that the majority of the approximately $25 million extracted remains consolidated within wallets controlled by the attacker, with no visible signs of obfuscation by mixing or crossing chains. It has historically been observed that such inactivity precedes negotiation attempts, as demonstrated in prior incidents involving attackers engaging with protocol teams under whitehat or quasi-whitehat frameworks to return funds in exchange for incentives. 

In addition to unclear whether Resolv's operators have initiated similar outreach or structured a formal bounty, no confirmation regarding direct communication with the attacker has been released to date. While blockchain analytics firms are actively tracing transaction flows, no parallel involvement by law enforcement agencies has been reported. 

Near-term, the focus is on transparency and remediation for affected users and counterpart protocols monitoring official disclosures, evaluating exposure statements, and waiting for comprehensive post-incident analyses along with compensation frameworks. 

Decentralized finance continues to gain momentum as it moves toward broader adoption; however, the incident once again illustrates that there is still a significant gap between innovation and security assurance in systems where trust is distributed but accountability can become muddled.

A number of factors contribute to the shift in focus from attribution to prevention in the aftermath of the incident, underlining the need for more resilient design principles across decentralized systems. Consequently, security in DeFi cannot be partially delegated to off-chain mechanisms or implicit trust models; critical controls must be enforced at the protocol level by ensuring deterministic safeguards, limiting minting logic, and continuously validating changes to the state. 

During this conference, protocol architects and developers are reminded of the importance of minimizing privileged dependencies, implementing rigorous audit layers, and stress testing composability risks under adversarial conditions. 

Participants are reminded that it is imperative that not only yield opportunities are evaluated, but that underlying mechanisms are also examined for structural integrity. It is expected that sustained credibility will be dependent less on the speed at which innovations are implemented, and more on the discipline with which security assumptions are developed, verified, and communicated transparently.
Read more »
Xbox One
Cyber Security glitch Hacking Hardware Microsoft Operating system ROM Xbox One

“Unhackable” No More: Researcher Demonstrates Hardware-Level Exploit on Xbox One







For years, the Xbox One was widely viewed as one of the few gaming systems that had resisted successful hacking. That perception has now changed after a new hardware-based attack method was publicly demonstrated.

At the RE//verse 2026 event, security researcher Markus Gaasedelen introduced a technique called the “Bliss” double glitch. This method relies on manipulating electrical voltage at precise moments to interfere with the console’s startup process, effectively bypassing its built-in protections.

This marks the first known instance where the Xbox One’s hardware defenses have been broken in a way that others can replicate. The achievement is being compared to the Reset Glitch Hack that affected the Xbox 360, although this newer approach operates at a deeper level. Instead of targeting software vulnerabilities, it directly interferes with the boot ROM, a core component embedded in the console’s chip. By doing so, the exploit grants complete control over the system, including its most secure layers such as the hypervisor.

When the Xbox One was introduced in 2013, Microsoft designed it with an unusually strong security model. The system relied on multiple layers of encryption and authentication, linking firmware, the operating system, and game files into a tightly controlled verification chain. Within the company, it was even described as one of the most secure products Microsoft had ever built.

A substantial part of this design was its secure boot process. Unlike the Xbox 360, which was compromised through reset-line manipulation, the Xbox One removed such external entry points. It also incorporated a dedicated ARM-based security processor responsible for verifying every stage of the startup sequence. Without valid cryptographic signatures, no code was allowed to run. For many years, this approach appeared highly effective.

Rather than attacking these higher-level protections, the researcher focused on the physical behavior of the hardware itself. Traditional glitching techniques rely on disrupting timing signals, but the Xbox One’s architecture left little opportunity for that. Instead, the method used here involves voltage glitching, where the power supplied to the processor is briefly disrupted.

These momentary drops in voltage can cause the processor to behave unpredictably, such as skipping instructions or misreading operations. However, the timing must be extremely precise, as even a tiny variation can result in failure or system crashes.

To achieve this level of accuracy, specialized hardware tools were developed to monitor and control electrical signals within the system. This allowed the researcher to closely observe how the console behaves at the silicon level and identify the exact points where interference would be effective.

The resulting “Bliss” technique uses two carefully timed voltage disruptions during the startup process. The first interferes with memory protection mechanisms managed by the ARM Cortex subsystem. The second targets a memory-copy operation that occurs while the system is loading initial data. If both steps are executed correctly, the system is redirected to run code chosen by the attacker, effectively taking control of the boot process.

Unlike many modern exploits, this method does not depend on software flaws that can be corrected through updates. Instead, it targets the boot ROM, which is permanently embedded in the chip during manufacturing. Because this code cannot be modified, the vulnerability cannot be patched. As a result, the exploit allows unauthorized code execution across all system layers, including protected components.

With this level of access, it becomes possible to run alternative operating systems, extract encrypted firmware, and analyze internal system data. This has implications for both security research and digital preservation, as it enables deeper understanding of the console’s architecture and may support efforts to emulate its environment in the future.

Beyond research applications, the findings may also lead to practical tools. There is speculation that the technique could be adapted into hardware modifications similar to modchips, which automate the precise electrical conditions needed for the exploit. Such developments could revive longstanding debates around console modification and software control.

From a security perspective, the immediate impact on Microsoft may be limited, as the Xbox One is no longer the company’s latest platform. Newer systems have adopted updated security designs based on similar principles. However, the discovery serves a lesson for the industry: no system can be considered permanently secure, especially when attacks target the underlying hardware itself.

Read more »
data security
AI Phishing Threats AI-Driven Phishing Biometric Biometric data Credential Theft Cyber Security data security

AI-Driven Phishing Campaign Exploits Device Permissions to Steal Biometric and Personal Data

 

A fresh wave of digital deception, driven by machine learning tools, shifts how hackers grab personal information — no longer relying on password theft but diving into deeper system controls. Spotted by analysts at Cyble Research & Intelligence Labs (CRIL) in early 2026, this operation uses psychological manipulation to unlock powerful device settings usually protected. Rather than brute force, it deploys crafted messages that trick users into handing over trust. 

While earlier scams relied on fake login pages, this one adapts in real time, mimicking legitimate requests so closely they blend into routine tasks. Behind each message lies software trained to mirror human timing and phrasing. Because it evolves with user responses, static defenses struggle to catch it. Access grows step by step — first a small permission, then another, until full control emerges without alarms sounding. What sets it apart isn’t raw power but patience: an attacker that waits, learns, then moves only when ready, staying hidden far longer than expected. 

Unlike typical scams using fake sign-in screens, this operation uses misleading prompts — account confirmations or service warnings — to coax users into granting camera, microphone, and system access. Once authorized, harmful code quietly collects photos, clips, audio files, device specs, contact lists, and location data. Everything is transmitted in real time to attacker-controlled Telegram bots, enabling fast exfiltration without complex backend infrastructure. 

Inside the campaign’s code, signs of AI involvement emerge. Annotations appear too neatly organized — almost machine-taught. Deliberate emoji sequences scatter through script comments. These markers suggest generative models were used repeatedly, making phishing systems faster and more systematic to build. Scale appears larger than manual effort alone would allow. Most of the operation runs counterfeit websites through services including EdgeOne, making it cheap to launch many fraudulent pages quickly. 

These copies mimic well-known apps — TikTok, Instagram, Telegram, even Google Chrome — to appear familiar and safe. The method exploits browser interfaces meant for web functions. When someone engages with a harmful webpage, scripts trigger access requests automatically. If granted, the code activates the webcam, capturing frames as image files. Audio and video are logged simultaneously, transmitting everything directly to the attackers. Fingerprinting then builds a detailed profile: operating system, browser specifics, memory size, CPU benchmarks, network behavior, battery levels, IP address, and physical location. 

Occasionally, the operation attempts to pull contact details — names, numbers, emails — via browser interfaces, widening exposure to connected circles. Fake login screens display progress cues like “photo captured” or “identity confirmed” to appear legitimate. When collection ends, the code shuts down quietly, restoring the screen with traces nearly vanished. 

Security specialists warn that combining personal traits with behavioral patterns gives intruders tools to mimic identities effortlessly, making manipulation precise and nearly invisible. As AI tools grow more accessible, such advanced, layered intrusions are becoming increasingly common.​​​​​​​​​​​​​​​​
Read more »
War Communications Telegram Ban
Cyber Security Kremlin Crackdown Russian Telegram Russian Troops War Communications Telegram Ban

Russian Troops Rage Over Telegram Crackdown

 

Russian soldiers are increasingly frustrated as the Kremlin tightens control on Telegram, which has become the backbone of military communication, logistics and morale. The restrictions have sparked some unusual criticism from pro-war commentators, who argue that the move risks undermining battlefield coordination and adding to the burden faced by soldiers already stretched thin.

Telegram has become much more than just a messaging app for Russian troops. Front-line units use it to swap maps and coordinates, request supplies, organize fundraising and funnel information to military bloggers, who further publicize combat updates and help collect cash for equipment. 

Russian soldiers and commanders have relied on Telegram for rapid, informal communications that avoid the slower official channels, and some analysts have warned that severing those connections could lead to a diminution of their situational awareness and slower reactions in combat. Some reports also say troops were told to uninstall the app or risk punishment, deepening anger among users who see it as essential.

The Kremlin says the restrictions are meant to curb fraud, illegal content, and security threats, but many observers see a broader effort to tighten control over the digital space. Analysts and opposition-leaning commentators argue that the move fits Moscow’s push toward a more isolated “sovereign internet” and reflects anxiety about military bloggers who have used Telegram to criticize battlefield failures. 

The backlash is notable because it comes from within Putin’s own support base. Even some pro-Kremlin figures have warned that undermining Telegram could damage troop effectiveness rather than protect it, especially as Russian soldiers already face communication strain on the front line. In practice, the dispute shows how deeply the war has fused digital platforms with military operations, propaganda, and daily survival.
Read more »
Threat Intelligence
Cyber Warfare Cybersecurity Data Breach Endpoint Management Enterprise security identity-based attacks Microsoft Intune supply chain security Threat Intelligence

Stryker Attack Prompts Scrutiny of Enterprise Device Management Tools



A significant shift has occurred in the strategic calculus behind destructive cyber operations in recent years, expanding beyond the confines of traditional critical infrastructures into lesser-noticed yet equally vital ecosystems underpinning modern economies. 

State-aligned threat actors are increasingly focusing their efforts on organizations embedded within logistics and supply chain frameworks that support entire industries through their operational continuity. A single, well-placed intrusion at these junctions can have a far-reaching impact on interconnected networks, reverberating across multiple interconnected networks with minimal direct involvement. 

Healthcare supply chains, however, stand out as especially vulnerable in this context. As central channels of delivery of care, medical technology companies, pharmaceutical distributors, and logistics companies operate as central hubs for the delivery of care, providing support for large healthcare networks. 

The scale of these organizations, their interdependence, and their operational criticality make them high-value targets, which allows adversaries to inflict widespread damage indirectly, without exposing themselves to the immediate impact and consequences associated with attacking frontline healthcare organizations. It is against this backdrop that a less examined yet increasingly consequential risk is becoming increasingly evident one that is not related to adversaries' offensive tooling, but rather to the systems organizations use to orchestrate and secure their own environments. 

As part of the evolving force multipliers role of device and endpoint management platforms, designed to provide centralized control, visibility, and resilience at scale, these platforms are now emerging as force multipliers. Several recent cyber incidents have provided urgency to this issue, including the recent incident involving Stryker Corporation, where an intrusion into its Microsoft-based environment caused rapid operational disruptions across the company's global footprint. 

In response to the company's disclosure of the breach approximately a week later, the Cybersecurity and Infrastructure Security Agency issued a formal alert stating that malicious activity was targeting endpoint management systems within U.S. organizations. 

A broader investigation was initiated after the Stryker event triggered it. Through coordination with the Federal Bureau of Investigation, the agency has undertaken efforts to determine the scope of the threat and identify potential affected entities. As illustrated in mid-March, such access can provide a systemic leverage. 

An incident occurred on March 11, 2019, causing Stryker's order processing functions to be interrupted, its manufacturing throughput to be restricted, and outbound shipments to be delayed. These effects are consistent with interference at the management level as opposed to a single, isolated system compromise. 

The subsequent reporting indicated the incident may have involved the wiping of about 200,000 managed devices as well as the exfiltration of approximately 50 terabytes of data, indicating that both destructive and intelligence-gathering objectives were involved. 

A later claim of responsibility was made by Handala, which described the operation as retaliatory in nature after a strike in southern Iran, emphasizing the growing intersection between geopolitical signaling and supply chain disruption in contemporary cyber campaigns. 

During the course of the incident, it became increasingly evident that such a compromise would have practical consequences. Several key operational capabilities, including order processing, manufacturing execution, and distribution, were lost as a result of the intrusion, effectively limiting Stryker Corporation's ability to service demand across a globally distributed network. As a result of this disruption, traceable to Microsoft's environment, supply chain processes were immediately slowed down, creating bottlenecks beyond internal systems that led to downstream delivery commitments. 

Consequently, the organization initiated its incident response protocol, undertaking containment and forensic analysis, assisted by external cybersecurity specialists, in order to determine the scope, entry vectors, and persistence mechanisms of the incident. Observations from industry observers indicate that Microsoft Intune may be misused as an integral part of a network attack chain, based on preliminary assessments. 

Apparently, Lucie Cardiet of Vectra AI has found that threat actors may have exploited the platform's legitimate administration capabilities to remotely wipe managed endpoints, triggering large-scale factory resets on corporate laptops and mobile devices. The implementation of such an approach is technically straightforward, but operationally disruptive at scale, particularly in environments where endpoint integrity is a primary component of production systems and logistics operations. 

As a result of these device resets, widespread reconfiguration efforts were necessary, interrupting the availability of inventory management systems, production scheduling platforms, and coordination tools crucial to ensuring supply continuity. 

Applied cumulatively, these disruptions delayed manufacturing cycles and affected the timely processing and fulfillment of orders across multiple facilities, demonstrating the rapid occurrence of tangible operational paralysis that can be caused by control-plane compromises. There is evidence from the incident that the pattern of advanced enterprise intrusions is increasingly characterized by the convergence of compromised privileged identities, trusted management infrastructure, and intentional misuse of administrative functions, resulting in disruption of the enterprise. 

In the field of security, this alignment is often referred to as a "lethal trifecta," a technique that enables adversaries to inflict systemic damage without using conventional malware techniques. According to investigators, Stryker Corporation was compromised as a result of an intrusion centered on administrative access to its Microsoft Identity and Device Management stack, allowing attackers to utilize enterprise-approved tools in their operations. 

Intune platforms, such as Microsoft's, which provide centralized control over device fleets, are naturally equipped with high-impact capabilities. These capabilities can range from the enforcement of policies to the provision of remote wipe functions that can be repurposed into mechanisms for disruption if commandeered. 

Employees have been abruptly locked out of corporate systems across geographical boundaries, suggesting that administrative actions have been coordinated. This is consistent with "living off the land" techniques that exploit native enterprise controls in order to avoid detection and maximize operational consequences. It is evident that the scale of disruption underscores the structural dependence that is inherent within the global healthcare supply chain. 

Stryker, one of the most prominent companies in the sector, operates in dozens of countries and employs tens of thousands of people. In the event that internal systems underlying manufacturing and order fulfillment were rendered inaccessible, the effects spread rapidly across the organization's international operations. 

Many facilities, including major hubs in Ireland, reported experiencing widespread downtime, with employees being unable to access company network services. In spite of the fact that the company stated that its medical devices continued to function safely in clinical settings due to their segregation from affected corporate systems, the incident nevertheless highlights the fragility of interconnected supply chains. 

Medical technology providers serve as critical intermediaries and disruptions at this level can have an adverse effect on distributors, healthcare providers, and ultimately the timeline for delivering patient care. On a technical level, the breach indicates that attacker priorities have shifted from endpoint compromise to identity dominance. 

Identity-centric operations are increasingly replacing traditional intrusion models, which typically involve malware deployment, lateral movement, and persistence mechanisms. These adversaries use credential, authentication token, or privileged session vulnerabilities to gain control over the enterprise control planes.

After being embedded within identity infrastructure, attackers are able to interact with administrative portals, SaaS management consoles, and device orchestration platforms as if they were legitimate operators. Because actions are executed through trusted channels, malicious activity is significantly less visible. It is therefore important to note that the extent to which the attackers have affected the network is determined by the scope of privileges that the compromised identities possess. 

Additionally, it is evident that the attacker's intent has shifted from financial extortion to outright disruption. Although ransomware continues to dominate the threat landscape, these incidents are more closely associated with destructive operations, which are aimed at disabling systems and degrading functionality rather than extracting payment.

In light of the reported scale of device resets and data exfiltration, it appears the campaign was intended to disrupt operational continuity, echoing tactics employed in previous wiper-style attacks often associated with state-aligned actors. Operations of this type are often designed to disrupt organizations for maximum disruption, rather than to maximize financial gain, and are frequently deployed to signal strategic intent. 

As evidenced by the attribution claims surrounding the incident, the group Handala defined the operation within the framework of broader geopolitical tensions, indicating that it was aimed at retaliation. Even if such claims are not capable of being fully attributed to such entities, the narrative is consistent with an observation that private sector entities - particularly those involved in critical supply chains - are increasingly at risk of state-linked cyber activity. 

Cyberspace geopolitical contestation is no longer confined to peripheral targets, but encompasses integral elements of healthcare, manufacturing, and logistics. A recalibration of enterprise security priorities is particularly necessary in environments in which identity systems and management platforms serve as the operational backbone. These events emphasize the need to refocus enterprise security priorities. 

The tactics that are employed today are increasingly misaligned with defenses centered around endpoint detection and malware prevention. Organizations must instead adopt a security posture that focuses on identity-centric risk management, enforcing strict privilege governance, performing continuous authentication validation, and monitoring administrative actions across control planes at the granular level. 

Additionally, it is crucial that enterprise management tools themselves be hardened, ensuring that high impact functions such as remote wipe, policy enforcement, and system-wide configuration changes are subject to layered authorization controls and real-time anomaly detection. For industries embedded in critical supply chains, resilience planning extends to the capability of sustaining operations when control-plane disruptions occur, as well as the prevention of intrusions. 

Ultimately, Stryker's incident serves as a reminder that in modern enterprise settings, the most trusted of systems can inadvertently turn into the most damaging failure points-and their secure operation requires a degree of scrutiny commensurate with their impact. It can also be argued that the Stryker incident provides a useful illustration of how modern cyber operations can transcend isolated breaches into instruments that can cause widespread disruptions throughout global networks.

Read more »
Subscribe to: Comments (Atom)

Featured