Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Meta Begins Removing Under-16 Users Ahead of Australia’s New Social Media Ban

  Meta has started taking down accounts belonging to Australians under 16 on Instagram, Facebook and Threads, beginning a week before Austra...

All the recent news you need to know
Technology
AI Data Google Internet Microsoft Teams Technology

End to End-to-end Encryption? Google Update Allows Firms to Read Employee Texts


Your organization can now read your texts

Microsoft stirred controversy when it revealed a Teams update that could tell your organization when you're not at work. Google did the same. Say goodbye to end-to-end encryption. With this new RCS and SMS Android update, your RCS and SMS texts are no longer private. 

According to Android Authority, "Google is rolling out Android RCS Archival on Pixel (and other Android) phones, allowing employers to intercept and archive RCS chats on work-managed devices. In simpler terms, your employer will now be able to read your RCS chats in Google Messages despite end-to-end encryption.”

Only for organizational devices 

This is only applicable to work-managed devices and doesn't impact personal devices. In regulated industries, it will only add RCS archiving to existing SMS archiving. In an organization, however, texting is different than emailing. In the former, employees sometimes share about their non-work life. End-to-end encryptions keep these conversations safe, but this will no longer be the case.

The end-to-end question 

There is alot of misunderstanding around end-to-end encryption. It protects messages when they are being sent, but once they are on your device, they are decrypted and no longer safe. 

According to Google, this is "a dependable, Android-supported solution for message archival, which is also backwards compatible with SMS and MMS messages as well. Employees will see a clear notification on their device whenever the archival feature is active.”

What will change?

With this update, getting a phone at work is no longer as good as it seems. Employees have always been insecure about the risks in over-sharing on email, as it is easy to spy. But not texts. 

The update will make things different. According to Google, “this new capability, available on Google Pixel and other compatible Android Enterprise devices gives your employees all the benefits of RCS — like typing indicators, read receipts, and end-to-end encryption between Android devices — while ensuring your organization meets its regulatory requirements.”

Promoting organizational surveillance 

Because of organizational surveillance, employees at times turn to shadow IT systems such as Whatsapp and Signal to communicate with colleagues. The new Google update will only make things worse. 

“Earlier,” Google said, ““employers had to block the use of RCS entirely to meet these compliance requirements; this update simply allows organizations to support modern messaging — giving employees messaging benefits like high-quality media sharing and typing indicators — while maintaining the same compliance standards that already apply to SMS messaging."

Read more »
data security
AI Platform AI Security AI security flaw AI technology Critical security flaw Cyber Security data security

AI IDE Security Flaws Exposed: Over 30 Vulnerabilities Highlight Risks in Autonomous Coding Tools

 

More than 30 security weaknesses in various AI-powered IDEs have recently been uncovered, raising concerns as to how emerging automated development tools might unintentionally expose sensitive data or enable remote code execution. A collective set of vulnerabilities, referred to as IDEsaster, was termed by security researcher Ari Marzouk (MaccariTA), who found that such popular tools and extensions as Cursor, Windsurf, Zed.dev, Roo Code, GitHub Copilot, Claude Code, and others were vulnerable to attack chains leveraging prompt injection and built-in functionalities of the IDEs. At least 24 of them have already received a CVE identifier, which speaks to their criticality. 

However, the most surprising takeaway, according to Marzouk, is how consistently the same attack patterns could be replicated across every AI IDE they examined. Most AI-assisted coding platforms, the researcher said, don't consider the underlying IDE tools within their security boundaries but rather treat long-standing features as inherently safe. But once autonomous AI agents can trigger them without user approval, the same trusted functions can be repurposed for leaking data or executing malicious commands. 

Generally, the core of each exploit chain starts with prompt injection techniques that allow an attacker to redirect the large language model's context and behavior. Once the context is compromised, an AI agent might automatically execute instructions, such as reading files, modifying configuration settings, or writing new data, without the explicit consent of the user. Various documented cases showed how these capabilities could eventually lead to sensitive information disclosure or full remote code execution on a developer's system. Some vulnerabilities relied on workspaces being configured for automatic approval of file writes; thus, in practice, an attacker influencing a prompt could trigger code-altering actions without any human interaction. 

Researchers also pointed out that prompt injection vectors may be obfuscated in non-obvious ways, such as invisible Unicode characters, poisoned context originating from Model Context Protocol servers, or malicious file references added by developers who may not suspect a thing. Wider concerns emerged when new weaknesses were identified in widely deployed AI development tools from major companies including OpenAI, Google, and GitHub. 

As autonomous coding agents see continued adoption in the enterprise, experts warn these findings demonstrate how AI tools significantly expand the attack surface of development workflows. Rein Daelman, a researcher at Aikido, said any repository leveraging AI for automation tasks-from pull request labeling to code recommendations-may be vulnerable to compromise, data theft, or supply chain manipulation. Marzouk added that the industry needs to adopt what he calls Secure for AI, meaning systems are designed with intentionality to resist the emerging risks tied to AI-powered automation, rather than predicated on software security assumptions.
Read more »
Indian Airline
Aviation System Cyber Attacks DGCA GPS Spoofing Indian Airline

Cyberattacks Target Seven Major Indian Airports Through GPS Spoofing

 

The Indian Ministry of Home Affairs has revealed that seven key airports in the country were hit by GPS spoofing cyber attacks in November 2025, Union Civil Aviation Minister Ram MohanNaidu said. The airports affected are the Indira Gandhi International Airport in Delhi, the Chhatrapati Shivaji Maharaj International Airport in Mumbai, and those in Kolkata, Hyderabad, Bengaluru, Chennai and Amritsar. 

Nature of the attack 

GPS spoofing, which consists of sending fake satellite signals to navigation receivers and makes the aircraft systems believe that it is at a different location and altitude. A number of flights to Runway 10 at the Delhi airport reported being misled by false GPS signals in the midst of GPS approach routines. A number of aircraft suffered navigation systems falsely displaying their locations as far as 60 nautical miles from their actual position, causing some to divert to nearby cities. 

While highlighting the gravity of these attacks, Minister Naidu said, that “no incidents of flight operations being interfered or flights being delayed on account of GPS spoofing were reported.” The aviation regulators were forced to invoke contingency procedures for GPS-spoofed flights, which did not affect scheduled operations on other runways, equipped with more traditional navigational aids. The seamless operations were attributed to India’s strong backup systems and safety procedures in place.

In addition, India operates a Minimum Operating Network (MON) of ground-based navigation and surveillance systems as a backup in the event of disruption of space-based systems. Such a fail-safe model, applied all over the world among satellite navigation and communication providers, ensures the continued availability of traditional navigation means over the skies, when the reception of signals from satellites is lost. The use of the MON enable the aviation community to keep the skies open even in the face of sophisticated cyber attacks on GPS. 

Government response and investigation 

Earlier, the DGCA had issued advisories on GNSS signal jamming and spoofing in the airspace on 24 November 2023, and subsequently Standard Operating Procedure (SOP) guidelines on 10 November 2025 for reporting in real-time GPS jamming and spoofing incidents. Post the recent attacks, Airports Authority of India (AAI) has approached Wireless Monitoring Organization (WMO) to trace the source of interference/spoofing. During a high-level meeting, the WMO was directed to mobilize additional resources to pinpoint the spoofing source based on approximate location details shared by DGCA and AAI. 

Minister Naidu believes that the threats are global, and now more frequently in the form of ransomware and malware attacks targeting aviation. As a result, AAI is rolling out state-of-the-art cybersecurity solutions for IT networks and infrastructure in lieu with the directions from the National Critical Information Infrastructure Protection Centre (NCIIPC) under the Ministry of Home Affairs and the Indian Computer Emergency Response Team (CERT-In). India is also actively engaging in global platforms for learning and sharing of most recent best practices, tools, and techniques to enable real time implementation of security measures.
Read more »
RTO challan scam
Android malware scam Cyber Fraud cyber fraud India fake e-challan WhatsApp scam malicious APK spyware RTO challan scam

Fake RTO e-Challan WhatsApp Scam Resurfaces: Fraudsters Push Spyware Through Malicious APK Files

 

Cybercriminals have once again revived an old trick—but with a more convincing disguise. This time, scammers are exploiting the name of the official RTO e-challan system to deceive smartphone users. Over the past year, malicious APK files have been circulated in the form of fake wedding invitations, PM-Kisan alerts, courier updates, and KYC notices. Now, the same method is being used to send fraudulent “RTO Challan” messages on WhatsApp, luring victims into installing powerful spyware.

The fraud begins with a seemingly urgent WhatsApp alert claiming that a traffic challan has been issued against the recipient’s vehicle. The message includes a link or an attachment labelled as an e-challan file. Many users, acting out of fear or confusion, click the file—unknowingly giving criminals full access to their device.

Victims typically receive a message saying: “An e-challan has been issued for your vehicle. Download the file below to view details.”

The attachment is an APK file with names like RTO_Challan.apk or E-Challan_Details.apk. Once downloaded, the file installs automatically on Android phones and begins functioning as spyware.

After installation, the malware:

  • Provides hackers complete remote access to the device

  • Captures banking app information, OTPs, contacts, and personal files

  • Automatically sends the same malicious APK to all WhatsApp contacts

  • Enables criminals to execute online banking transactions undetected

Cyber experts warn that this form of malware is extremely dangerous because no further interaction is required—the victim’s phone essentially becomes a control panel for the fraudster.

APK (Android Package Kit) files are standard installation packages for Android apps. While apps on the Google Play Store undergo safety checks, APKs sent through WhatsApp, SMS, email, or Telegram do not. Many users mistake APK files for regular documents or images and tap them without realizing the risk. This lack of awareness makes such scams highly effective.

How the scam could evolve further

Scammers typically exploit themes that trigger fear, urgency, or excitement. Experts believe similar APK-based attacks may soon appear in the form of:

  • PM-Kisan installment notifications

  • Overdue electricity bill alerts

  • Passport or courier delivery updates

  • Lottery or prize winnings

  • Bank KYC reminders

  • Government scheme eligibility messages

While the topics may change, the underlying tactic remains the same: tricking users into downloading malware via a fake APK.

7 essential safety steps

  • Never download APK files received through WhatsApp—even from known contacts.

  • Verify real traffic challans only through: echallan.parivahan.gov.in

  • Remember: wedding invitations, PDFs, photos, and government documents never come in .apk format.

  • If a known person sends an APK, call to confirm—it may be sent from a hacked account.

  • Disable Install apps from unknown sources in your device settings.

  • If you downloaded a suspicious APK:

    • Turn off mobile data/Wi-Fi immediately

    • Uninstall the unknown app

    • Change all banking passwords and PINs

  • In case of financial fraud, call 1930 (National Cyber Fraud Helpline) without delay.

As digital transactions become more common, cyber risks continue to grow. The ongoing fake RTO challan scam is a strong reminder to stay vigilant—check every link, scrutinize every file, and never trust unsolicited messages.

Most importantly, ensure senior citizens and less tech-savvy users are informed, as they are the most vulnerable. Just one infected APK is enough to compromise your phone and drain your bank account in minutes.

Read more »
Vulnerability and Exploits
Cyber Security Cyber Threat Surge Enterprise security GlobalProtect Security Network Intrusion Palo Alto Networks Remote Access Risks Threat Intelligence VPN Attacks Vulnerability and Exploits

Palo Alto GlobalProtect Portals Face Spike in Suspicious Login Attempts

 


Among the developments that have disturbed security teams around the world, threat-intelligence analysts have detected a sudden and unusually coordinated wave of probing of Palo Alto Networks' GlobalProtect remote access infrastructure. This activity appears to be influenced by the presence of well-known malicious fingerprints and well-worn attack mechanisms.

It has been revealed in new reports from GreyNoise that the surge began on November 14 and escalated sharply until early December, culminating in more than 7,000 unique IP addresses trying to log into GlobalProtect portals through the firm's Global Observation Grid monitored by GlobalProtect. This influx of hostile activity has grown to the highest level in 90 days and has prompted fresh concerns among those defending the computer system from attempts to hack themselves, who are watching for signs that such reconnaissance is likely to lead to a significant breach of their system. 

In general, the activity stems mostly from infrastructure that operates under the name 3xK GmbH (AS200373), which accounts for approximately 2.3 million sessions which were directed to the global-protect/login.esp endpoint used by Palo Alto's PAN-OS and GlobalProtect products. The data was reported by GreyNoise to reveal that 62 percent of the traffic was geolocated in Germany, with 15 percent being traced to Canada. 

In parallel, AS208885 contributed a steady stream of probing throughout the entire network. As a result of early analysis, it is clear that this campaign requires continuity with prior malicious campaigns that targeted Palo Alto equipment, showing that recurring TCP patterns were used, repeated JA4T signatures were seen, and that infrastructure associated with known threat actors was reused. 

Despite the fact that the scans were conducted mainly in the United States, Mexico, and Pakistan regions, all of them were subjected to a comparable level of pressure, which suggested a broad, opportunistic approach as opposed to a narrowly targeted campaign, and served as a stark reminder of the persistent attention adversaries pay to remote-access technologies that are widely deployed. 

There has been a recent increase in the activity of this campaign, which is closely related to the pattern that was first observed between late September and mid-October, when three distinct fingerprints were detected among more than nine million nonspoofable HTTP sessions, primarily directed towards GlobalProtect portals, in an effort to track the attacks. 

There is enough technical overlap between four autonomous systems that originate those earlier scans to raise early suspicion, even though they had no prior history of malicious behavior. At the end of November, however, the same signatures resurfaced from 3xK Tech GmbH’s infrastructure in a concentrated burst. This event generated about 2.3 million sessions using identical TCP and JA4t indicators, with the majority of the traffic coming from IP addresses located in Germany. 

In the present, GreyNoise is highly confident that both phases of activity are associated with a single threat actor. It has now been reported that fingerprints of the attackers have reapplied on December 3, this time in probing attempts against SonicWall's SonicOS API, suggesting more than a product-specific reconnaissance campaign, but a more general reconnaissance sweep across widely deployed perimeter technologies. According to security analysts, GlobalProtect remains a high-profile target because of its deep penetration into enterprise networks and its history of high-impact vulnerabilities. 

It is important to note, however, that CVE-2024-3400 is still affecting unremedied systems despite being patched in April 2024 with a 9.8 rating due to a critical command-injection flaw, CVE-2024-3400. During recent attacks, malicious actors have used pre-authentication access as a tool for enumerating endpoints, brute-forcing credentials, and deploying malware to persist by exploiting misconfigurations that allow pre-authentication access, such as exposed administrative portals and unchanged default credentials. 

They have also developed custom tools modeled on well-known exploitation frameworks. Although researchers caution that no definitive attribution has been established for the current surge of activity, Mandiant has observed the same methods being used by Chinese state-related groups like UNC4841 in operations linked to those groups. A number of indicators of confirmed intrusions have included sudden spikes in UDP traffic to port 4501, followed by HTTP requests to "/global-protect/login.urd," from which attackers have harvested session tokens and gotten deeper into victim environments by harvesting session tokens.

According to a Palo Alto Networks advisory dated December 5, administrators are urged to harden exposed portals with multi-factor authentication, tighten firewall restrictions, and install all outstanding patches, but noted that properly configured deployments remain resilient despite the increased scrutiny. Since then, CISA has made it clear that appropriate indicators have been added to its Catalog of Known Exploited Vulnerabilities and that federal agencies must fix any issues within 72 hours. 

The latest surge in malicious attacks represents a stark reminder of how quickly opportunistic reconnaissance can escalate into compromise when foundational controls are neglected, so organizations should prepare for the possibility of follow-on attacks. Security experts have highlighted that these recent incidents serve as a warning to organizations about potential follow-on attacks. A number of security experts advise organizations to adopt a more disciplined hardening strategy rather than rely on reactive patching, which includes monitoring the attack surface continuously, checking identity policies regularly, and segmenting all remote access paths as strictly as possible. 

According to analysts, defenders could also benefit from closer alignment between security operations teams and network administrators in order to keep an eye on anomalous traffic spikes or repeated fingerprint patterns and escalate them before they become operationally relevant. Researchers demonstrate the importance of sharing indicators early and widely, particularly among organizations that operate internet-facing VPN frameworks, as attackers have become increasingly adept at recycling infrastructure, tooling, and products across many different product families. 

Even though GlobalProtect and similar platforms are generally secure if they are configured correctly, recent scan activity highlights a broader truth that is not obvious. In order to remain resilient to adversaries who are intent on exploiting even the slightest crack in perimeter defenses, sustained vigilance, timely remediation, and a culture of proactive security hygiene remain the most effective barriers.
Read more »
Portugal
Cyber Crime CyberCrime cybercrime law Portugal

Portugal Updates Cybercrime Law To Protect Good-Faith Security Researchers

 

Portugal has updated its cybercrime law to offer legal protection to security researchers who probe systems in good faith and report vulnerabilities responsibly. The change creates a legal safe harbor for ethical hacking, turning what was previously classified as illegal access or data interception into a non-punishable act when strict conditions are met. The new provision appears in Article 8.o-A under the title "Acts not punishable due to public interest in cybersecurity." 

It states that hacking activities aimed at finding vulnerabilities and improving cybersecurity will not lead to criminal charges if several requirements are followed. To qualify for legal protection, researchers must act only to identify weaknesses that they did not introduce and must not seek financial reward beyond normal professional compensation. They must report the issue immediately to the system owner, any relevant data controller and the Portuguese cybersecurity authority CNCS. 

The law also requires that actions remain limited to what is necessary for detection. Researchers cannot disrupt services, modify data, steal information or cause damage. Personal data protected under GDPR must not be processed illegally, and banned techniques such as DDoS attacks, phishing, malware deployment and social engineering are not allowed. 

Any sensitive data accessed during testing must be kept confidential and deleted within 10 days after the vulnerability is fixed. Acts carried out with the explicit consent of the system owner are also exempt from punishment, but vulnerabilities discovered during the process must still be reported to the CNCS. Cybersecurity professionals view the change as an important step toward separating responsible research from criminal activity. 

The law provides clarity on what is allowed while giving ethical hackers the legal protection they have long requested. Portugal joins a growing number of countries adapting cybercrime laws to support good-faith research. Germany proposed similar protections in late 2024, and in 2022 the United States Department of Justice revised its prosecution guidelines under the Computer Fraud and Abuse Act (CFAA) to exempt responsible security testing. 

These legal reforms reflect an increasing recognition that ethical hackers play a key role in helping organizations find and fix security flaws before real criminals take advantage of them. Supporters say the new rules will encourage more vulnerability reporting and strengthen global cybersecurity.
Read more »
Subscribe to: Comments (Atom)

Featured