Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Korean Air Confirms Employee Data Leak Linked to Third-Party Breach

  Korean Air has confirmed that personal information belonging to thousands of its employees was exposed following a cyber incident at Korea...

All the recent news you need to know
Government attacks
Cyber Security Cyberattacks cybersecurity risks Data Breaches Data Theft Digital Risk Digital Security Government attacks

A Year of Unprecedented Cybersecurity Incidents Redefined Global Risk in 2025

 

The year 2025 marked a turning point in the global cybersecurity landscape, with the scale, frequency, and impact of attacks surpassing anything seen before. Across governments, enterprises, and critical infrastructure, breaches were no longer isolated technical failures but events with lasting economic, political, and social consequences. The year served as a stark reminder that digital systems underpinning modern life remain deeply vulnerable to both state-backed and financially motivated actors. 

Government systems emerged as some of the most heavily targeted environments. In the United States, multiple federal agencies suffered intrusions throughout the year, including departments responsible for financial oversight and national security. Exploited software vulnerabilities enabled attackers to gain access to sensitive systems, while foreign threat actors were reported to have siphoned sealed judicial records from court filing platforms. The most damaging episode involved widespread unauthorized access to federal databases, resulting in what experts described as the largest exposure of U.S. government data to date. Legal analysts warned that violations of established security protocols could carry long-term legal and national security ramifications. 

The private sector faced equally severe challenges, particularly from organized ransomware and extortion groups. One of the most disruptive campaigns involved attackers exploiting a previously unknown flaw in widely used enterprise business software. By silently accessing systems months before detection, the group extracted vast quantities of sensitive employee and executive data from organizations across education, healthcare, media, and corporate sectors. When victims were finally alerted, many were confronted with ransom demands accompanied by proof of stolen personal information, highlighting the growing sophistication of data-driven extortion tactics. 

Cloud ecosystems also proved to be a major point of exposure. A series of downstream breaches at technology service providers resulted in the theft of approximately one billion records stored within enterprise cloud platforms. By compromising vendors with privileged access, attackers were able to reach data belonging to some of the world’s largest technology companies. The stolen information was later advertised on leak sites, with new victims continuing to surface long after the initial disclosures, underscoring the cascading risks of interconnected software supply chains. 

In the United Kingdom, cyberattacks moved beyond data theft and into large-scale operational disruption. Retailers experienced outages and customer data losses that temporarily crippled supply chains. The most economically damaging incident struck a major automotive manufacturer, halting production for months and triggering financial distress across its supplier network. The economic fallout was so severe that government intervention was required to stabilize the workforce and prevent wider industrial collapse, signaling how cyber incidents can now pose systemic economic threats. 

Asia was not spared from escalating cyber risk. South Korea experienced near-monthly breaches affecting telecom providers, technology firms, and online retail platforms. Tens of millions of citizens had personal data exposed due to prolonged undetected intrusions and inadequate data protection practices. In one of the year’s most consequential incidents, a major retailer suffered months of unauthorized data extraction before discovery, ultimately leading to executive resignations and public scrutiny over corporate accountability. 

Collectively, the events of 2025 demonstrated that cybersecurity failures now carry consequences far beyond IT departments. Disruption, rather than data theft alone, has become a powerful weapon, forcing governments and organizations worldwide to reassess resilience, accountability, and the true cost of digital insecurity.
Read more »
Ransomware
BlackCat Cyber Crime Insider Threat Plea Guilty Ransomware

Ex-Cybersecurity Pros Plead Guilty in $9.5M Ransomware Spree

 

Former incident responders Ryan Clifford Goldberg and Kevin Tyler Martin have pleaded guilty to participating in a series of ransomware attacks while working at cybersecurity firms tasked with helping organizations recover from such incidents. The case highlights a rare instance of trusted professionals abusing their positions to commit cybercrime, causing significant damage to multiple organizations in 2023.

Goldberg, formerly a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint, collaborated with an unnamed co-conspirator to carry out ransomware attacks using the ALPHV (BlackCat) ransomware variant. According to federal court records, the total losses caused by their actions exceeded $9.5 million. The attacks targeted a medical company in Florida, a pharmaceutical firm in Maryland, a California doctor’s office, an engineering company in California, and a drone manufacturer in Virginia. 

The indictment revealed that the trio received nearly $1.3 million in ransom payments from the Florida medical company in May 2023, but were unable to extort payments from the other victims. The ALPHV/BlackCat ransomware, first identified in late 2021, has been linked to numerous attacks on critical infrastructure providers, including the high-profile breach of UnitedHealth Group’s subsidiary Change Healthcare in 2024.

Goldberg and Martin each pleaded guilty to one count of conspiracy to interfere with interstate commerce by extortion, which reduces their maximum penalty from 50 years to 20 years in federal prison. As part of their plea agreements, both defendants are ordered to forfeit $342,000, representing the value of proceeds traced to their crimes. The court may also impose fines of up to $250,000 and additional restitution. 

A spokesperson for DigitalMint stated that the company cooperated fully with the Justice Department and supports the outcome as a step toward accountability. “His behavior is a clear violation of our values and ethical standards,” the spokesperson said, emphasizing that Martin’s actions were undertaken without the company’s knowledge or involvement. Sygnia did not immediately respond to requests for comment. 

Prosecutors noted that Goldberg and Martin abused their positions of trust and used their specialized skills to facilitate and conceal their crimes. Officials have indicated that they will recommend reduced sentences if both defendants make full, accurate, and complete disclosures of their offenses and refrain from committing further crimes.
Read more »
Social Engineering
Brand Impersonation Crypto Wallet Theft Cryptocurrency Fraud DNS Attack email security Holiday Cybercrime Merchant Data Breach Phishing scam Social Engineering

Grubhub Branding Misused to Promote Exponential Crypto Returns

 


The holiday season is a time when consumer engagement is at its peak and digital transactions are in the ascendant. However, a wave of misleading communication has been plaguing Grubhub's user community in recent weeks. 

There has been an increase in the number of users of Grubhub's online food delivery platform that has been targeted by a coordinated email scam designed to mimic Grubhub's infrastructure in order to cultivate trust among its customers.

It was falsely framed as part of a holiday crypto promotion. It used the authentic-sounding subdomain b.grubhub.com. The emails were derived from addresses typically associated with the company’s merchant partner outreach, appearing to have originated from those addresses. 

The verified communications team at Grubhub uses a similar domain when communicating with restaurants and commercial partners, giving legitimacy to what has really been a malicious impersonation campaign in reality. A fraud email was sent to users that asked them to transfer Bitcoins to external wallets and promised a tenfold return within minutes.

A widely circulated message claimed that there were only 30 minutes left in this promotion, asserting that any Bitcoin that was sent would be multiplied tenfold. This illustrates how the scam relies heavily on urgency and unrealistic financial incentives in order to convince victims. 

In multiple reports, it is revealed that these emails were being dispatched from counterfeit email addresses resembling merchant support channels, including Grubhubforrestaurants and other restaurant-specific sender tags, for example. This scam, which has been active since December 24, displays a high level of personalization, as recipient names are embedded directly in the email's body and delivery metadata, which indicates structured data harvesting or prior exposure to breaches.

Throughout the cryptocurrency fraud landscape, social engineering attacks have grown increasingly sophisticated, according to a study conducted by the University of Surrey. These attacks are raising renewed concerns about the misuse of digital trust and brand-based impersonation, and the exploitation of corporate identity, among other things. 

It has been reported that recipients have received scam emails, titled merry-christmas-promotion and crypto-promotion, starting on December 24. The emails were both deceptively appended to the b.grubhub.com subdomain and embedded with their full names, along with their e-mail addresses, and contained personal identifiers such as their full names.

It is without a doubt that this scam is one of the most textbook examples of high yield cryptocurrency reward scams, as it relies on psychological mechanics like trust, financial aspirations, and manufactured urgency so that it can deliver high returns with minimal investment. It is apparent from the attackers' narrative that they promised exponential returns on Bitcoin transfers, which is consistent with cryptocurrency fraud models that use implausible incentives to overcome skepticism. 

According to some users and independent researchers, this breach could have been caused by a DNS takeover, a situation where forged emails would have passed through normal authentication checks. However, Grubhub has not yet officially confirmed any of these claims, nor has it provided any technical information regarding the breach. 

BleepingComputer was informed by the company that the issue was identified within its merchant partner communications channels, and was promptly isolated from the issue, and that a full investigation is underway in order to prevent it from recurring in the future. A spokesperson from the platform also stated that containment measures were immediately implemented, suggesting that the platform does not view the incident as a routine spam attack, but rather as an attack on targeted integrity. 

Additionally, the company also discussed Grubhub's disclosure earlier this year during the event. The Grubhub company reported at that time that a threat actor had accessed a large volume of contact information of customers, merchants, and delivery drivers - providing contact information, but not payment credentials - resulting in the discovery of the threat actor's access to the servers of the company as a result. 

Even though the January breach is not related in structure in any way, experts note that previously exposed identity datasets are often resurfaced as raw material in impersonation campaigns a decade or two later, providing attackers with the level of personalization needed to appear credible and targeted to consumers. 

There has been an escalation in digital fraud during high-traffic holiday periods, according to law enforcement agencies, a trend highlighted in a recent public advisory from the Federal Bureau of Investigation which cautioned consumers against the seasonal cycle of scams. According to the bureau, attackers deliberately increase their activities at times of high demand for discounts, limited-time offers, and fast money gains, deploying schemes that are based on expectations and urgency. 

According to the FBI, non-payment scams and non-delivery scams were among the most frequently reported tactics in 2024, with victims misled into paying for goods or services that never materialized. There have been significant financial impacts on the financial system resulting from these frauds. 

The FBI estimates that in 2024 alone, these frauds alone will account for more than $785 million in losses to users, while credit card frauds will contribute an additional $199 million. This reinforces the persistence of the profitability of financial crime driven by impersonation. 

Additionally, investigators highlighted that phishing environments have evolved beyond traditional credential theft, and increasingly target passwords to cryptocurrency exchanges and accesses to digital wallets, where a single compromised account could allow the liquidation and transfer of assets immediately. 

A recent FBI advisory has advised users to be cautious when clicking on unsolicited links. Authorities are warning that malicious landing pages are routinely being used to collect crypto-platform authentication details, such as multi-factor authentication codes, for the purpose of diversion of funds that may not be recoverable. 

Researchers have drawn parallels between the ongoing Grubhub campaign and the more widespread crypto-doubling scam, a type of social engineering scam that engages in recognizable branding, individualized targeting, and a countdown-style deadline as a means to feign legitimacy and to eliminate suspicion. 

In an effort to combat fraud, industry experts and national agencies have repeatedly said that communications that include verified-looking domain names, time-sensitive ultimatums, or requests for transfers to external wallets have been identified as some of the most obvious behavioral indicators. 

In both Grubhub's guidance as well as from federal authorities, it is stressed that independent verification through official channels is a key component of ensuring authenticity, especially when messages are individually addressed. However, personalization no longer stands as a reliable sign of authenticity, but is often a sign that prior personal data exposure has been weaponized in order to enhance credibility. 

There are many ramifications of the phishing campaign that go far beyond the theft of isolated amounts of money. They prompt a broader discussion of digital trust, corporate identity, and the fragility of brand credibility in an increasingly weaponized online environment. Although users who have been affected by this crypto-crisis are at direct risk of losing cryptocurrencies, Grubhub itself faces an equally troubling threat - the erosion of public confidence - which is not a case of an actual breach of security, but rather a perception of one. 

As industry observers and researchers have noted for years, modern phishing operations are no longer dependent solely on technical intrusion; their success depends equally on psychological authenticity, which means familiar email formats, harvesting personal identifiers, and brand-aligned subdomains can alter the perception of phishing operations. 

It has been emphasized that this incident has raised concerns about how cybercriminals are reusing previously disclosed identity datasets, which they routinely repurpose to personalize fraudulent outreach on a large scale, giving phishing mail the appearance of one-on-one legitimacy. Security commentators have warned that such events can create lasting doubt among consumers who may be unable to distinguish a genuine system lapse from a forged communication. 

However, even if the corporate infrastructure remains intact, consumers may have difficulty distinguishing between a genuine system lapse, since their perception may be frightful. Additionally, the situation has also highlighted the growing gap between user preparedness and law enforcement agency preparedness, with cyber security experts emphasizing that the importance of phishing literacy is as crucial as the importance of a good password hygiene regimen. 

The following precautions are recommended: Verifying unexpected financial or promotional claims through company channels rather than embedded links, strengthening account defenses with unique, high-entropy passwords, and enabling multi-factor authentication as soon as possible, especially in cryptocurrency exchange accounts, where credential theft can result in a quick, irreversible transfer of funds. 

It has been reported that the campaign is part of a larger pattern of crypto-doubling social engineering fraud, which is a scam archetype that has been around for quite some time due to its perfect combination of technological deception with the strength of the promise of a big payday. 

In light of the incident, the delivery platforms and digital marketplaces have been urged to intensify customer education initiatives, including technical monitoring as well as public awareness outreach, since the most effective defense against impersonation-driven fraud lies not only in one strategy, but in a combination of infrastructure resilience, informed skepticism, and a robust defensive strategy.
Read more »
MgBot malware
China-linked APT Cyber Attacks Cyber Espionage Campaign DNS poisoning attack Evasive Panda MgBot malware

Evasive Panda Uses DNS Poisoning to Deploy MgBot Backdoor in Long-Running Espionage Campaign

 

Security researchers at Kaspersky have uncovered a sophisticated cyber-espionage operation attributed to the China-linked advanced persistent threat (APT) group known as Evasive Panda, also tracked as Daggerfly, Bronze Highland, and StormBamboo. The campaign leveraged DNS poisoning techniques to distribute the MgBot backdoor, targeting select victims across Türkiye, China, and India.

Active for over a decade, Evasive Panda is widely recognized for developing and deploying the custom MgBot malware framework. In 2023, Symantec previously linked the group to an intrusion at an African telecommunications provider, where new MgBot plugins were observed—demonstrating the group’s continued refinement of its cyber-espionage toolkit.

According to Kaspersky, the latest campaign was highly selective in nature and operated for nearly two years, beginning in November 2022 and continuing through November 2024.

The attackers employed adversary-in-the-middle (AiTM) techniques, delivering encrypted malware components through manipulated DNS responses. Each target received a tailored implant designed to evade detection. The MgBot backdoor was injected directly into legitimate processes in memory, frequently using DLL sideloading, allowing the malware to remain concealed for extended periods.

Initial compromise was achieved through fake software updates masquerading as legitimate applications. In one observed case, threat actors distributed a malicious executable posing as a SohuVA update, likely delivered through DNS poisoning that redirected update requests to infrastructure under attacker control.

“The malicious package, named sohuva_update_10.2.29.1-lup-s-tp.exe, clearly impersonates a real SohuVA update to deliver malware from the following resource”

“There is a possibility that the attackers used a DNS poisoning attack to alter the DNS response of p2p.hd.sohu.com[.]cn to an attacker-controlled server’s IP address, while the genuine update module of the SohuVA application tries to update its binaries located in appdata\roaming\shapp\7.0.18.0\package.”

Beyond SohuVA, similar trojanized updaters were observed targeting widely used applications such as iQIYI Video, IObit Smart Defrag, and Tencent QQ, often launched by legitimate system services to reinforce trust and avoid suspicion.

The initial malware loader, written in C++ and built using the Windows Template Library, was disguised as a harmless sample project. Once executed, it decrypted and decompressed its configuration data, revealing installation directories, command-and-control domains, and encrypted MgBot parameters. The malware dynamically altered its behavior based on the active user context, decrypted strings only at runtime, and used XOR and LZMA obfuscation to hinder analysis. Ultimately, it executed shellcode directly in memory after modifying memory permissions, enabling covert deployment without leaving obvious forensic traces.

The infection chain followed a multi-stage execution model. The first-stage loader launched shellcode that concealed API usage by resolving Windows functions via hashing. This shellcode searched for a specific DAT file within the installation directory. If found, the file was decrypted using Windows CryptUnprotectData, ensuring it could only be accessed on the infected system, before being deleted to erase evidence.

If the DAT file was absent, the shellcode retrieved the next stage from the internet. Through DNS poisoning, victims were redirected to attacker-controlled servers while believing they were accessing legitimate domains such as dictionary.com. System details, including the Windows version, were transmitted via HTTP headers, allowing attackers to tailor payloads accordingly. The downloaded data was decrypted using XOR, memory permissions were altered, and the payload was executed. The malware later re-encrypted the payload and stored it in a newly created DAT file, often unique to each victim.

Researchers also identified a secondary loader named libpython2.4.dll, which masqueraded as a legitimate Windows library. This component was loaded through a signed executable, evteng.exe—an outdated Python binary—to further mask malicious activity. The loader recorded its file path in status.dat, likely to support future updates, and decrypted additional payloads from perf.dat, which were also delivered via DNS poisoning. Throughout this process, the attackers repeatedly renamed and relocated the payloads, decrypting them with XOR and re-encrypting them using a customized combination of DPAPI and RC5, effectively binding the malware to the infected host and complicating analysis.

Kaspersky telemetry indicates confirmed victims in Türkiye, China, and India, with some systems remaining compromised for more than a year. The prolonged duration of the operation highlights the attackers’ persistence, operational maturity, and access to substantial resources.

The observed tactics, techniques, and procedures (TTPs) strongly align with previous Evasive Panda operations. While a new loader was introduced, the attackers continued to rely on the long-established MgBot implant, albeit with updated configuration elements. As seen in earlier campaigns, Evasive Panda favored stealthy propagation methods such as supply-chain compromise, adversary-in-the-middle attacks, and watering-hole techniques to avoid detection.

“The Evasive Panda threat actor has once again showcased its advanced capabilities, evading security measures with new techniques and tools while maintaining long-term persistence in targeted systems.”

“Our investigation suggests that the attackers are continually improving their tactics, and it is likely that other ongoing campaigns exist. The introduction of new loaders may precede further updates to their arsenal.”
Read more »
Technology
Facebook links Meta Subscription Technology

Facebook Tests Paid Access for Sharing Multiple Links

 



Facebook is testing a new policy that places restrictions on how many external links certain users can include in their posts. The change, which is currently being trialled on a limited basis, introduces a monthly cap on link sharing unless users pay for a subscription.

Some users in the United Kingdom and the United States have received in-app notifications informing them that they will only be allowed to share a small number of links in Facebook posts without payment. To continue sharing links beyond that limit, users are offered a subscription priced at £9.99 per month.

Meta, the company that owns Facebook, has confirmed the test and described it as limited in scope. According to the company, the purpose is to assess whether the option to post a higher volume of link-based content provides additional value to users who choose to subscribe.

Industry observers say the experiment reflects Meta’s broader effort to generate revenue from more areas of its platforms. Social media analyst Matt Navarra said the move signals a shift toward monetising essential platform functions rather than optional extras.

He explained that the test is not primarily about identity verification. Instead, it places practical features that users rely on for visibility and reach behind a paid tier. In his view, Meta is now charging for what he describes as “survival features” rather than premium add-ons.

Meta already offers a paid service called Meta Verified, which provides subscribers on Facebook and Instagram with a blue verification badge, enhanced account support, and safeguards against impersonation. Navarra said that after attaching a price to these services, Meta now appears to be applying a similar approach to content distribution itself.

He noted that this includes the basic ability to direct users away from Facebook to external websites, a function that creators and businesses depend on to grow audiences, drive traffic, and promote services.

Navarra was among those who received a notification about the test. He said he was informed that from 16 December onward, he would only be able to include two links per month in Facebook posts unless he subscribed.

For creators and businesses, he said the message is clear. If Facebook plays a role in their audience growth or traffic strategy, that access may now require payment. He added that while platforms have been moving in this direction for some time, the policy makes it explicit.

The test comes as social media platforms increasingly encourage users to verify their accounts in exchange for added features or improved engagement. Platforms such as LinkedIn have also adopted similar models.

After acquiring Twitter in 2022, Elon Musk restructured the platform’s verification system, now known as X. Blue verification badges were made available only to paying users, who also received increased visibility in replies and recommendation feeds.

That approach proved controversial and resulted in regulatory scrutiny, including a fine imposed by European authorities in December. Despite the criticism, Meta later introduced a comparable paid verification model.

Meta has also announced plans to introduce a “community notes” system, similar to X, allowing users to flag potentially misleading posts. This follows reductions in traditional moderation and third-party fact-checking efforts.

According to Meta, the link-sharing test applies only to a selected group of users who operate Pages or use Facebook’s professional mode. These tools are widely used by creators and businesses to publish content and analyse audience engagement.

Navarra said the test highlights a difficult reality for creators. He argued that Facebook is becoming less reliable as a source of external traffic and is increasingly steering users away from treating the platform as a traffic engine.

He added that the experiment reinforces a long-standing pattern. Meta, he said, ultimately designs its systems to serve its own priorities first.

According to analysts, tests like this underline the risks of building a business that depends too heavily on a single platform. Changes to access, visibility, or pricing can occur with little warning, leaving creators and businesses vulnerable.

Meta has emphasized  that the policy remains a trial. However, the experiment illustrates how social media companies continue to reassess which core functions remain free and which are moving behind paywalls.

Read more »
Scam Recovery
Cyber Crime Digital Arrest fraud prevention Karnataka Police Online fraud Scam Recovery

Karnataka’s Cybercrime Losses Soar as Scam Recoveries Plunge

 

Recoveries in Karnataka's cybercrime prosecutions are falling even as authorities ramp up specialized policing capability, reflecting how criminals are changing tactics faster than enforcement can counteract. Data from the State Legislature show that citizens lost ₹5,473.97 crore in 57,733 incidents of cybercrime over the last three years, with recoveries amounting to only approximately 11.5% of the total value, underlining the fraught nature of tracking and refunding monies once they leave a victim's account.

The Home Minister, G. Parameshwara, told the Legislature that Karnataka has risen to meet this challenge by forming focused cybercrime capacity with a total of 43 Cybercrime Economic and Narcotics (CEN) police stations around the state, along with a cyber command centre. Senior leadership has also been appointed at the state level to drive cyber investigations, which will further accelerate response times, ensure better coordination with banking institutions, and enhance technical capabilities. 

Notwithstanding these efforts, the minister acknowledged a critical gap: while the number of cases reported in 2025 (up to November 15) has declined, “there has been no significant difference in the money lost,” which suggests that the incidents are fewer but larger and better organized. Annual figures mirror both the scale of losses and the recovery challenge: in 2023, losses stood at ₹873 crore with ₹177 crore recovered; in 2024, losses jumped to ₹2,562 crore with ₹323 crore recovered; and in 2025, up to November 15, losses have been ₹2,038 crore, of which ₹127 crore has so far been recovered. 

According to investigators, the reason behind the decline in the number of recoveries is due to a shift in the way scammers operate—the rapid transfer of money from a network of accounts across international borders, making it difficult for law enforcement and banks to recover these amounts. At the same time, law enforcement agencies have also pointed out a shift in the type of fraud. For instance, “digital arrest” and stock investment fraud may take several hours or even days to commit. 

During the discussion in the House, the need for speed in reporting incidents is clearly highlighted. In the discussion, one legislator cited the risk that waiting to register the complaint can equate to the loss of those “crucial moments” necessary to halt the transaction transfers.
Read more »
Subscribe to: Comments (Atom)

Featured