
Indian Banks Step Up IT Spending Over AI Security Fears


Public sector banks are preparing to spend more on technology because a new wave of AI-driven cyber risk is making their existing systems look vulnerable. The main concern is Anthropic’s Claude Mythos, which has raised alarms for its ability to identify software weaknesses and potentially help attackers exploit them. 

Indian banks are being pushed to treat IT spending as a survival need, not just an operating cost. Senior bank executives have said they will raise budgets this financial year, with a large share going into cybersecurity, stronger defenses, and monitoring tools to reduce exposure to attacks. 

The issue is especially serious because banks depend on legacy systems that run critical operations in real time. One successful breach can ripple across payments, forex, clearing, depositories, and other linked financial networks, making the whole sector more exposed than a single institution might appear on its own.

The concern grew after Anthropic’s tests suggested Mythos could perform advanced cybersecurity and hacking-related tasks at a level that outpaced humans in some cases. Reports also noted that the model found thousands of high-severity vulnerabilities, which made regulators and bank leaders worry that similar tools could shorten the time between discovering a flaw and weaponizing it. 

In response, the government formed a panel under SBI Chairman C S Setty to study the risks and recommend safeguards. Finance Minister Nirmala Sitharaman has also urged banks to take pre-emptive measures, while institutions are expected to coordinate in the coming weeks to identify weak points and decide where additional investment is needed.

How Telecom Systems Were Used to Secretly Track Mobile Users Worldwide

A new investigation by the digital rights research group Citizen Lab has revealed how weaknesses inside global telecom infrastructure were allegedly exploited to secretly monitor mobile phone users in more than ten countries over the past three years.

The findings, reviewed by Haaretz, highlight how parts of the global mobile network system, originally developed decades before smartphones existed, continue to expose users to modern surveillance risks despite the arrival of 4G and 5G technologies.

According to the report, researchers uncovered two separate surveillance operations that appear to be linked to commercial spyware and cyber intelligence vendors selling tracking capabilities to government clients worldwide. One of the operations reportedly used telecom infrastructure connected to Israeli providers 019Mobile and Partner Communications, although both companies denied involvement.

Researchers say the operations relied on weaknesses in SS7, an older telecom signaling protocol used globally to route phone calls, text messages, and roaming traffic between mobile operators. SS7 was designed during a period when telecom networks trusted one another by default, long before today’s cybersecurity threats emerged. Security experts have warned for years that attackers can abuse the protocol to monitor phone activity, intercept communications, or identify a user’s location.

The report states that some surveillance firms were able to impersonate legitimate mobile carriers and gain access to these legacy telecom systems in order to track users internationally. A second operation was reportedly linked to Fink Telecom Services, a Swiss company previously named in a 2023 investigation by Haaretz and Lighthouse Reports involving telecom surveillance services supplied to cyber intelligence vendors, including Rayzone.

Last week, British regulators reportedly moved to ban similar telecom signaling abuse practices, describing them as a major source of malicious activity affecting mobile networks. However, the new findings suggest that even newer systems built for 4G and 5G communications are vulnerable to similar exploitation.

One example highlighted in the report is Diameter, a signaling protocol widely used in 4G roaming and many 5G environments to manage subscriber connectivity and authentication. Although Diameter was introduced with stronger security protections than SS7, researchers found that attackers are still capable of abusing the system to conduct tracking operations.

In the first campaign identified by Citizen Lab, researchers documented more than 500 location-tracking attempts between November 2022 and 2025 across countries including Thailand, Bangladesh, Norway, Malaysia, South Africa, and several African nations. The investigation reportedly began after researchers observed a Middle Eastern businessman being repeatedly tracked over a four-hour period through international telecom queries.

Citizen Lab found that telecom identifiers associated with 019Mobile were used to send location-tracking requests through infrastructure connected to Partner Communications, which supports 019Mobile’s services. Another network route reportedly passed through Exelera Telecom, a communications and cloud services provider that also manages international fiber-optic infrastructure. Exelera did not publicly respond to requests for comment.

019Mobile’s head of security denied involvement and stated that the company operates as a virtual provider using another carrier’s infrastructure rather than maintaining its own roaming agreements. Researchers noted that attackers may have forged the company’s telecom identity to access the network.

Although Citizen Lab did not publicly identify the companies behind the operations, the report referenced several possible actors, including Cognyte. Internal files reviewed by Haaretz reportedly showed that Cognyte’s former parent company, Verint Systems, sold an SS7-based tracking product called SkyLock to a government customer in the Democratic Republic of Congo.

According to the report, SkyLock could reportedly locate mobile devices globally by exploiting telecom roaming systems. The documents also pointed to commercial relationships with telecom operators in Thailand, Malaysia, Indonesia, Vietnam, and Congo, several of which overlap with countries mentioned in the surveillance campaign.

Researchers also uncovered a more advanced surveillance method known as SIMjacking. The technique exploits vulnerabilities inside SIM cards by sending hidden binary text messages containing secret instructions. Once received, the SIM card can silently transmit the device’s location back to the attacker without displaying any visible warning or notification to the user.

Citizen Lab identified more than 15,700 suspected SIMjacking-related tracking attempts since late 2022. Researchers noted that when Haaretz and Lighthouse Reports first exposed Fink Telecom Services in 2023, the company had not yet been linked to the SIMjacking technique.

Cybersecurity experts warn that these attacks are especially concerning because they target weaknesses within telecom infrastructure itself rather than requiring malware installation or phishing attacks on individual devices. Researchers also cautioned that many telecom providers continue operating old and new signaling systems together, creating additional opportunities for attackers to bypass modern protections.

Fink Telecom Services, Exelera Telecom, Verint, and Cognyte did not publicly respond to the allegations referenced in the report. Partner Communications stated that it had no connection to the incident and rejected attempts to associate the company with the activity described by researchers.

Axon Police Taser and Body Camera Bluetooth Flaw Raises Officer Tracking Concerns


Australian police may unknowingly be exposing their live locations through Bluetooth-enabled devices made by Axon. Researchers discovered that body cameras and tasers used across the country broadcast signals without modern privacy protections, potentially allowing anyone nearby to detect and track officers in real time. 

Unlike smartphones that randomize Bluetooth MAC addresses to prevent tracking, Axon devices reportedly use static identifiers. This means simple apps or laptops can detect nearby police equipment and reveal device details, coordinates, and movement patterns. 
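The address-privacy distinction above, as an added example (not code from the article or from Axon): the Bluetooth Core Specification marks the sub-type of a random address in its top two bits, so a scan log can be audited for identifiers that never rotate. The 15-minute rotation limit and the sample scan are assumptions constructed for the demo.

```python
"""Audit whether a Bluetooth LE device advertises a trackable address.

Random-address sub-type lives in the top two bits of the 48-bit address:
11 = static random, 01 = resolvable private, 00 = non-resolvable private.
Whether an address is public or random is signalled by the advertising
PDU's TxAdd flag, not by the address bits themselves.
"""
from dataclasses import dataclass

# Assumption: private addresses are expected to rotate about every 15 minutes,
# so anything observed longer than that is treated as a stable identifier.
ROTATION_LIMIT_S = 15 * 60


def parse_ble_address(text: str) -> int:
    """Parse 'AA:BB:CC:DD:EE:FF' into a 48-bit integer, most significant octet first."""
    octets = text.split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed BLE address: {text!r}")
    return int("".join(octets), 16)


def classify_ble_address(text: str, random_flag: bool) -> str:
    """Return the address kind given the address and the PDU's TxAdd (random) flag."""
    addr = parse_ble_address(text)
    if not random_flag:
        return "public"          # IEEE-assigned, never changes
    top_bits = (addr >> 46) & 0b11
    return {
        0b11: "static-random",
        0b01: "resolvable-private",
        0b00: "non-resolvable-private",
    }.get(top_bits, "reserved")


def is_trackable(kind: str) -> bool:
    """Public and static-random addresses never rotate, so they identify the device."""
    return kind in ("public", "static-random")


@dataclass
class Advertisement:
    t_seconds: int      # seconds since the scan started
    address: str
    random_flag: bool   # value of the TxAdd bit in the advertising PDU


def audit_rotation(ads: list[Advertisement]) -> dict[str, tuple[str, int, bool]]:
    """Map each observed address to (kind, seconds observed, flagged).

    Flagged when the kind never rotates, or when a supposedly private address
    was still in use after ROTATION_LIMIT_S.
    """
    first_seen: dict[str, int] = {}
    last_seen: dict[str, int] = {}
    kinds: dict[str, str] = {}
    for ad in ads:
        kinds[ad.address] = classify_ble_address(ad.address, ad.random_flag)
        first_seen.setdefault(ad.address, ad.t_seconds)
        last_seen[ad.address] = ad.t_seconds
    report = {}
    for addr, kind in kinds.items():
        lifetime = last_seen[addr] - first_seen[addr]
        report[addr] = (kind, lifetime, is_trackable(kind) or lifetime > ROTATION_LIMIT_S)
    return report


# Constructed sample scan: one device keeps a static random address for 20 minutes,
# another rotates resolvable private addresses every 5 minutes.
SAMPLE_SCAN = [
    Advertisement(0, "C4:11:22:33:44:55", True),
    Advertisement(600, "C4:11:22:33:44:55", True),
    Advertisement(1200, "C4:11:22:33:44:55", True),
    Advertisement(0, "4A:00:00:00:00:01", True),
    Advertisement(300, "4A:00:00:00:00:02", True),
]

if __name__ == "__main__":
    for addr, (kind, lifetime, flagged) in audit_rotation(SAMPLE_SCAN).items():
        print(f"{addr} {kind:24s} seen {lifetime:5d}s {'TRACKABLE' if flagged else 'ok'}")
```

The same check run against a device's own advertisements tells a fleet owner whether it behaves like a randomizing smartphone or like the static-identifier devices the researchers describe.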

A security researcher demonstrated the issue in Melbourne using publicly available Android software capable of identifying Axon devices. Custom tools reportedly extended the tracking range to nearly 400 meters, raising concerns for undercover officers, tactical teams, and police returning home after shifts. 

Experts warn criminal groups could deploy low-cost Bluetooth scanners across neighborhoods to monitor police activity, detect raids, or map officer movement in real time. The flaw has reportedly been known since 2024, when warnings were sent to police agencies, ministers, federal authorities, and national security offices urging immediate action. 

Internal reviews within Victoria Police reportedly acknowledged the threat and recommended protections for covert units. However, after discussions with Axon, the issue was later downgraded internally. Victoria Police later stated there had been no confirmed cases of officers being tracked through the devices. Police agencies across New South Wales, Queensland, Western Australia, South Australia, Tasmania, the Northern Territory, and the Australian Federal Police were also informed of the vulnerability. 

Most declined to explain whether officers were warned or if safeguards had been introduced. Researchers believe the flaw stems from hardware design rather than software alone, making simple patches unlikely to fully resolve the problem. Fixing it may require redesigning core system components entirely. 

Axon has acknowledged on its security pages that its cameras emit detectable Bluetooth and Wi-Fi signals and advises customers to consider operational risks before deployment in sensitive situations. Critics argue these warnings remain buried in technical documentation instead of being clearly communicated to frontline officers. 

The issue highlights growing concerns about modern policing’s dependence on connected technology. As law enforcement increasingly relies on wireless devices, AI systems, and cloud-based tools, small cybersecurity flaws can quickly become serious operational and physical safety risks.

Hackers Exploit Telegram Mini Apps, Distribute Malware and Crypto Scams


Cybersecurity experts found a large-scale fraud campaign that used Telegram’s Mini App feature to launch crypto attacks, mimic famous brands and spread Android malware. 

FEMITBOT malware 


Research by CTM360 dubbed the platform FEMITBOT, after a string present in its API responses. It uses Telegram bots and integrated Mini Apps to build believable, app-like experiences directly inside the messaging platform.

These Mini Apps are lightweight web apps that run within Telegram’s built-in browser, allowing services like payments, interactive tools, and account access without needing users to leave the application.

Exploiting Telegram Mini Apps

The FEMITBOT platform hosts a variety of scams, including financial fraud and fake AI tools, streaming sites, and cryptocurrency platforms.

In several campaigns, the operators imitated famous brands to boost engagement and credibility, while sharing the same backend infrastructure across multiple Telegram bots and different domains.

Brands impersonated


Brands copied in this campaign include Disney, eBay, YouKu, NVIDIA, MoonPay, Apple, and Coca-Cola. The campaign used a common backend: different phishing domains returned the same API response, “Welcome to join the FEMITBOT platform,” indicating that they all ran on the same infrastructure.

Telegram bots compromised


The campaign used Telegram bots to display phishing websites directly inside the messaging app. Once a user opens a bot and taps “Start,” the bot launches a Mini App that renders a phishing page inside Telegram’s default WebView, so the user is tricked into believing it is part of the application itself.

Tricking users via phishing tactics


After entering, targets are shown dashboards with fake balances, alongside fake countdown timers or limited-time offers to bait them.

When a user tries to withdraw money, they are asked to make a deposit or complete referral tasks first, a common tactic in advance-fee and investment scams.

The infrastructure is built for reuse across multiple campaigns, so the operators can easily switch among brands, themes, and languages. The campaigns also embed tracking scripts such as TikTok and Meta tracking pixels to trace users’ activity, optimize performance, and measure interactions.

Malware distribution via mini apps


Additionally, some Mini Apps attempted to spread malware by distributing Android APKs that posed as companies such as the BBC, NVIDIA, CineTV, Coreweave, and Claro.

“Built on a modular, template-driven architecture, FEMITBOT enables rapid deployment, brand impersonation, and campaign optimization using real-time tracking and analytics. This reflects a shift toward scalable, marketing-like fraud operations designed to maximize user conversion and financial gain,” the report said.

Critical Exim Flaw Exposes Email Servers to Remote Code Execution Risk


A newly discovered security vulnerability in the widely used mail transfer agent Exim has raised serious concerns among cybersecurity experts, as attackers could exploit the flaw to potentially execute malicious code remotely on vulnerable email servers.

According to researchers, the vulnerability occurs due to improper memory handling during the TLS session shutdown process. The issue specifically affects Exim installations using GnuTLS configurations.

“This sequence of events can cause Exim to write into a memory buffer that has already been freed during the TLS session teardown, leading to heap corruption. An attacker only needs to be able to establish a TLS connection and use the CHUNKING (BDAT) SMTP extension.”

Security experts confirmed that all Exim versions starting from 4.97 through 4.99.2 are vulnerable. However, systems relying on OpenSSL or other TLS libraries are not affected, as the flaw only impacts builds compiled with USE_GNUTLS=yes.

The vulnerability was identified by Federico Kirschbaum, Head of Security Lab at XBOW, an autonomous cybersecurity testing platform, who reported the issue on May 1, 2026.

“During TLS shutdown, Exim frees its TLS transfer buffer – but a nested BDAT receive wrapper can still process incoming bytes and end up calling ungetc(), which writes a single character (\n) into the freed region,” Kirschbaum said. “That one-byte write lands on Exim's allocator metadata, corrupting the allocator's internal shape; the exploit then leverages that corruption to gain further primitives.”

XBOW described the flaw as one of the most severe vulnerabilities uncovered in Exim in recent years, noting that attackers require minimal server-side configuration to trigger the exploit successfully.

To address the issue, Exim developers released version 4.99.3 and urged administrators to upgrade immediately. The developers also clarified that no temporary workaround or mitigation is currently available.

“The fix ensures that the input processing stack is cleanly reset when a TLS close notification is received during an active BDAT transfer, preventing the stale pointers from being used,” Exim noted.

This is not the first major security concern involving Exim. Back in 2017, the platform fixed another critical use-after-free vulnerability, tracked as CVE-2017-16943, which allowed unauthenticated attackers to execute remote code using specially crafted BDAT commands and potentially take control of email servers.

Automated OAuth Abuse by ConsentFix v3 Raises Azure Security Concerns


Researchers discovered that a newly identified phishing framework called ConsentFix v3 is having a direct impact on identity-based attacks in cloud environments after finding its ability to systematically compromise Microsoft Azure accounts using automated OAuth abuse. 

The latest iteration combines large-scale social engineering, tenant reconnaissance, and automated token harvesting into a coordinated attack chain designed to bypass conventional security controls, and represents a significant evolution of previous ConsentFix campaigns. Attackers manipulate authentication consent mechanisms and gain persistent access to enterprise environments by abusing weaknesses in the OAuth2 authorization code flow.

Another defining element of the campaign is the use of Pipedream, a serverless integration platform leveraged to automate authorization code collection, refresh token generation, and data exfiltration workflows, significantly improving the scale and operational efficiency of the intrusion process. 

As the report’s findings demonstrate, attackers initiate compromises by using Azure tenant IDs and profiling employees for targeted impersonation. Phishing infrastructure is deployed across multiple online services to support credential deception, token interception, and long-term account persistence.

ConsentFix v3 represents a rapid evolution of OAuth-related phishing methodologies. Late last year, Push Security introduced the original ConsentFix technique as a ClickFix-inspired attack targeting Microsoft authentication workflows, which attracted attention. An early variant of this attack relied heavily on social engineering techniques to trick victims into completing a legitimate Azure CLI login sequence and manually pasting a localhost URL containing an authorization code. 

Once they had captured the code, attackers were able to hijack Microsoft accounts without stealing any password, effectively bypassing multi-factor authentication by using trusted identity processes rather than exploiting endpoint vulnerabilities. To streamline the phishing chain, researcher John Hammond developed refinements that eventually resulted in ConsentFix v2, which replaced manual copy-and-paste with a drag-and-drop mechanism for the localhost URL. This improved both the realism of the deception and its success rate.

ConsentFix v3 continues to weaponize the OAuth2 authorization code flow while abusing Microsoft first-party applications that are already trusted and pre-consented within enterprise environments. It expands the attack model with enhanced automation, broader scalability, and infrastructure designed to support high-volume token interception across Azure tenants.

A systematic operational analysis of ConsentFix v3 indicates that the campaign is organized around a multi-stage intrusion workflow that maximizes both authenticity and the efficiency of token acquisition. Researchers report that the threat actors conduct extensive reconnaissance on targeted Azure environments, validate tenant identifiers, and aggregate employee intelligence, including corporate e-mail addresses, organizational roles, and identity metadata, in order to support highly tailored impersonation attempts.

The campaign infrastructure relies on Cloudflare Pages for phishing page hosting and Pipedream for backend automation, enabling attackers to coordinate credential lures, webhook execution, and token collection through a highly scalable framework. Victims are targeted with carefully crafted phishing emails containing embedded document links that direct them to fake Microsoft authentication portals, which in turn trigger legitimate OAuth login requests. Because the login prompt is genuine, the technique increases user trust and removes many conventional phishing indicators.

After user interaction, the attack moves into the exploitation phase, where users are manipulated to copy, paste, or interact with localhost URLs containing OAuth authorization codes. Once intercepted, the authorization codes are transmitted to attacker-controlled infrastructure where automated workflows use Microsoft APIs to exchange them for access and refresh tokens capable of granting unauthorized access to mailboxes, cloud storage, and internal enterprise data. 

According to researchers, the abuse of Microsoft's Family of Client IDs (FOCI) functionality further amplifies the threat by enabling token reuse between multiple trusted Microsoft applications, which provides attackers with greater persistence and lateral access without having to repeatedly complete authentication procedures. 

Consequently, the campaign highlights persistent architectural weaknesses associated with OAuth-based trust models and token-centric authentication mechanisms, resulting in a renewed emphasis on defensive measures, such as enforcing granular conditional access policies, binding tokens to managed devices, monitoring anomalous non-interactive sign-ins, and revoking refresh tokens immediately upon suspicion of compromise. 

Security teams are also encouraged to tighten consent controls, reduce excessive permission exposure, and continuously audit authentication telemetry in order to detect signs of advanced OAuth abuse before it can establish long-term persistence.

Researchers observed substantial operational overlap between ConsentFix and device code phishing, as both techniques abuse OAuth authorization workflows to bypass traditional authentication barriers and achieve unauthorized token issuance without directly stealing credentials. The primary distinction between the two techniques lies in the OAuth mechanisms they exploit. 

Device code phishing abuses the device authorization grant defined in RFC 8628, whereas ConsentFix targets the authorization code grant outlined in RFC 6749, particularly within native and desktop application flows that rely on localhost redirects. The two attack paths converge within the same token issuance infrastructure, regardless of their differences in execution. Therefore, attackers' access level is less dependent on the OAuth flow than it is on the targeted application, its permission scopes, and user privileges. 

Both authentication flows ultimately allow threat actors to obtain highly valuable authentication artifacts capable of sustaining persistent access across cloud environments. Further, researchers report that attackers are increasingly targeting Microsoft applications classified under the Family of Client IDs (FOCI) model due to their portability and utility after compromise, particularly against non-administrative enterprise users. 

Attacking FOCI-enabled applications via ConsentFix or device code phishing lets operators silently pivot between interconnected Microsoft services, such as Outlook, Teams, OneDrive, and SharePoint, through API-based access without repeatedly authenticating. More advanced operators may escalate the intrusion by abusing Primary Refresh Tokens (PRTs), which provide seamless single sign-on across applications and browser sessions connected to Entra ID.

Such escalation commonly involves abusing the Microsoft Authentication Broker application and chaining the compromise into a rogue device registration within the victim environment, mirroring tactics previously associated with Storm-2372 during large-scale device code phishing campaigns in 2025. 

Researchers believe ConsentFix v3 currently resembles an operational proof of concept more than a fully industrialized phishing-as-a-service platform. Despite its reliance on legitimate SaaS tools and readily accessible automation infrastructure, its rapid operation by threat actors with minimal custom development overhead demonstrates just how quickly sophisticated OAuth abuse can be operationalized.

In addition, the campaign has intensified the need for a change in defensive strategy, particularly because browser-based identity attacks continue to bypass many conventional endpoint protections. To detect malicious OAuth activity occurring within trusted authentication sessions, organizations need to combine real-time behavioral monitoring with identity-aware threat hunting capabilities.

Traditional mitigations recommended for device code phishing, such as disabling the device code flow through conditional access policies, offer only partial protection against ConsentFix because the framework abuses a separate authentication pathway. Rather than leaving vulnerable applications exposed to OAuth token phishing, defenders are advised to create dedicated Service Principals and restrict access to explicitly authorized users only.

Furthermore, defenders should proactively search authentication logs for suspicious application and resource identifiers, correlate inconsistencies between the initial login IP address and subsequent token activity, and closely monitor anomalous session behavior that could indicate attacker control following a legitimate authentication attempt.

The emergence of ConsentFix v3 reflects a broader trend in the modern threat landscape in which cybercriminals increasingly target identity infrastructure and trusted authentication frameworks as an alternative to relying on malware and credential theft alone.
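The hunting steps above, as an added example (not the researchers' tooling or any Microsoft API): a pass over simplified sign-in telemetry that correlates each localhost-redirect authorization-code sign-in with the refresh-token redemptions that follow it, flagging an IP change, a redemption by a different client app (FOCI token reuse), and any device-code grant. The one-hour correlation window, the event shape, the app names and the TEST-NET addresses are all constructed for the demo; real Entra ID sign-in logs use different field names.

```python
"""Hunt simplified sign-in telemetry for ConsentFix-style OAuth abuse."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: a refresh-token redemption this soon after an authorization-code
# sign-in is treated as belonging to that sign-in and compared against it.
CORRELATION_WINDOW = timedelta(hours=1)


@dataclass
class TokenEvent:
    ts: datetime
    user: str
    client_app: str      # application that requested the token (placeholder names)
    grant: str           # "authorization_code", "refresh_token" or "device_code"
    ip: str
    redirect_uri: str = ""


def is_loopback_redirect(uri: str) -> bool:
    """Native/desktop flows hand the code back to a listener on localhost."""
    return uri.startswith("http://localhost") or uri.startswith("http://127.0.0.1")


def hunt_oauth_anomalies(events: list[TokenEvent]) -> list[tuple[str, datetime, str]]:
    """Return (user, time, rule) findings.

    refresh-ip-mismatch: refresh token redeemed from a different IP than the
        interactive sign-in that produced the code (code handed to someone else).
    foci-app-pivot: refresh token redeemed by a different client app than the one
        that obtained it (family-of-client-IDs token reuse).
    device-code-grant: RFC 8628 device authorization grant observed at all.
    """
    findings = []
    origin: dict[str, TokenEvent] = {}   # user -> most recent loopback auth-code sign-in
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.grant == "device_code":
            findings.append((ev.user, ev.ts, "device-code-grant"))
        elif ev.grant == "authorization_code":
            if is_loopback_redirect(ev.redirect_uri):
                origin[ev.user] = ev
        elif ev.grant == "refresh_token":
            src = origin.get(ev.user)
            if src is None or ev.ts - src.ts > CORRELATION_WINDOW:
                continue
            if ev.ip != src.ip:
                findings.append((ev.user, ev.ts, "refresh-ip-mismatch"))
            if ev.client_app != src.client_app:
                findings.append((ev.user, ev.ts, "foci-app-pivot"))
    return findings


T0 = datetime(2026, 5, 4, 10, 0)
# Constructed telemetry: alice's code is redeemed elsewhere by another app,
# bob refreshes normally, carol completes a device-code grant.
SAMPLE_EVENTS = [
    TokenEvent(T0, "alice", "desktop-cli-app", "authorization_code",
               "203.0.113.10", "http://localhost:8400"),
    TokenEvent(T0 + timedelta(minutes=4), "alice", "mail-client-app",
               "refresh_token", "198.51.100.7"),
    TokenEvent(T0, "bob", "desktop-cli-app", "authorization_code",
               "203.0.113.20", "http://localhost:8400"),
    TokenEvent(T0 + timedelta(minutes=30), "bob", "desktop-cli-app",
               "refresh_token", "203.0.113.20"),
    TokenEvent(T0 + timedelta(minutes=7), "carol", "desktop-cli-app",
               "device_code", "203.0.113.30"),
]


def run_sample() -> list[tuple[str, datetime, str]]:
    return hunt_oauth_anomalies(SAMPLE_EVENTS)


if __name__ == "__main__":
    for user, ts, rule in run_sample():
        print(f"{ts:%H:%M} {user:6s} {rule}")
```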

The campaign demonstrated how adversaries, by abusing legitimate OAuth workflows and cloud-native services, can gain persistent access within enterprise environments while remaining difficult to detect through conventional security mechanisms. According to the research, similar techniques are likely to become more operationalized across cloud ecosystems as automation, token abuse, and SaaS-based attack infrastructure mature.

The findings reinforce the growing urgency for organizations to strengthen identity-centric defenses, continuously monitor authentication behavior, and evaluate the trust relationships embedded within modern cloud platforms before OAuth-driven intrusions become a mainstream enterprise threat vector.
