
Ukraine Increases Control Over Starlink Terminals


New Starlink verification system 

Ukraine has launched a new authentication system for Starlink satellite internet terminals used by the public and the military after confirming that Russian state-sponsored hackers have started using the technology for attack drones.

The government has also introduced a compulsory "whitelist" for Starlink terminals: only authenticated and registered devices will work in Ukraine, and all other terminals will be cut off, according to a statement from Mykhailo Fedorov, the country's recently appointed defense chief.

Why the new move?

Kyiv claims that Russian unmanned aerial vehicles are now being commanded in real time using Starlink links, making them more difficult to detect, jam, or shoot down. This action is intended to counteract these threats. "It is challenging to intercept Russian drones that are equipped with Starlink," Fedorov stated earlier this week. "They can be controlled by operators over long distances in real time, will not be affected by electronic warfare, and fly at low altitudes." The Ministry of Defense is implementing the whitelist in collaboration with SpaceX, the company that runs the constellation of low-Earth orbit satellites for Starlink.

The step is presently the only technological way to stop Russia from abusing the system, Fedorov revealed Wednesday, adding that citizens have already started registering their terminals. "The government has taken this forced action to save Ukrainian lives and safeguard our energy infrastructure," he stated. 

How will it impact other sectors?

Businesses will be able to validate devices online using Ukraine's e-government services, while citizens will be able to register their terminals at local government offices under the new system. According to Ukraine's Ministry of Defense, military units will be exempt from disclosing account information and will utilize a different secure registration method.

Ukraine discovered a Russian drone using Starlink connectivity over Ukrainian territory at the end of January. Kyiv then contacted SpaceX to resolve the problem, although the specifics of the emergency measures were not made public. Setting a maximum speed at which Starlink terminals can operate was one step, according to ArmyInform, a Ukrainian military outlet, which cited an initial cap of about 75 kilometers per hour. According to the report, Russian strike drones usually fly faster than that, making it impossible for operators to control them in real time.


CISA Warns of Actively Exploited SmarterMail Flaw Used in Ransomware Attacks

 

CISA has added a new SmarterMail vulnerability to its Known Exploited Vulnerabilities (KEV) catalog - the third SmarterMail entry within fourteen days. Tracked as CVE-2026-24423, the flaw is being exploited in ransomware operations, pointing to sustained attacker interest in SmarterTools' widely deployed software. 

The new entry joins two earlier SmarterMail flaws added to the KEV catalog since January 26: CVE-2025-52691, an unrestricted upload of dangerous file types, and CVE-2026-23760, an authentication bypass. Both were first analysed by researchers at watchTowr, who described how each could be triggered. Once those details were public, several security teams observed active exploitation, with the authentication bypass abused far more widely. 

CVE-2026-24423 exists because a core SmarterMail component - the ConnectToHub API - lacks proper access checks. Versions before v100.0.9511 are affected, allowing unauthenticated attackers to execute code remotely. No login is required: the endpoint is triggered by a crafted POST request, and manipulated input leads to command execution on the target machine. 

Separate findings came from teams at watchTowr, CODE WHITE GmbH, and VulnCheck. As noted by Cale Black of VulnCheck, the affected endpoint skips any login checks - opening a way to set up server directory links remotely. Because that setup pulls instructions directly from an outside machine under attacker influence, control is effectively handed over. Those instructions appear as support routines inside the system. Once SmarterMail reads them, they run unchecked on whatever platform hosts the software. 

Starting at the ConnectToHub endpoint, the process handles a remote address sent via one particular parameter. Afterward, communication initiates from the SmarterMail server toward a machine controlled by the attacker. That system replies - not with ordinary data - but with settings containing command inputs meant to run. Provided minimal checks are satisfied, execution follows without further barriers. Control over the compromised environment expands widely under these conditions. 

By February 26, 2026, U.S. federal civilian agencies must fix the vulnerability - this stems from ongoing attacks involving ransomware. Though only binding for federal bodies, its listing in CISA’s KEV catalog hints at wider exposure across any organization using affected SmarterMail versions. Not just government systems face potential harm; real-world misuse raises stakes beyond official mandates. 

Right now, updating to the newest SmarterMail release is a top priority, according to analysts watching threats closely. Instead of waiting, teams managing large systems should examine log data - especially activity tied to the open ConnectToHub interface, since probes might show up as odd patterns in API traffic. What stands out is how quickly multiple flaws in SmarterMail entered official exploit databases, signaling that delays in patching could lead to real breaches. Because of this, those overseeing network access must act fast while rethinking how exposed their mail platforms really are.
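The two actions recommended above, checking the installed build against the fixed version and reviewing access logs for traffic to the ConnectToHub interface, can be scripted. The following is an added example for defenders, not SmarterTools' code or anything from the advisory. It assumes combined-log-style access logs (the sample lines are constructed), that a request to the affected endpoint is recognisable by "ConnectToHub" in the path, and that the fixed build is 100.0.9511 as stated above; the request path "/api/v1/ConnectToHub" and the query parameter "hub" are placeholders, since the page does not give the real ones.

```python
"""Triage helpers for the SmarterMail ConnectToHub advisory above.

Added example, not SmarterTools' code. Labelled assumptions:
- access logs follow a common combined-log-style layout (sample constructed below);
- a request to the affected endpoint is recognisable by "ConnectToHub" in the path;
  the exact path and the name of the parameter carrying the remote hub address are
  not given on the page, so "/api/v1/ConnectToHub" and "hub" are placeholders;
- the fixed build is 100.0.9511, as the advisory states.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

FIXED_BUILD = (100, 0, 9511)

# Constructed sample log lines (placeholder path and parameter name, see above).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/2026:08:01:12 +0000] "GET /api/v1/settings HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Feb/2026:08:02:40 +0000] "POST /api/v1/ConnectToHub?hub=http://203.0.113.77:8080/ HTTP/1.1" 200 130',
    '203.0.113.9 - - [10/Feb/2026:08:02:41 +0000] "POST /api/v1/ConnectToHub?hub=http://203.0.113.77:8080/ HTTP/1.1" 200 130',
    '10.0.0.7 - - [10/Feb/2026:08:05:00 +0000] "GET /api/v1/ConnectToHub?hub=hub.internal.example HTTP/1.1" 200 88',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def parse_version(text):
    """Turn 'v100.0.9480' or '100.0.9480' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.lstrip("vV").split("."))


def is_unpatched(version):
    """True when the installed build predates the fixed build 100.0.9511."""
    return parse_version(version) < FIXED_BUILD


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def untrusted_hosts(path, trusted):
    """Host names in query-string values that are not on the trusted list.

    The endpoint makes the server reach out to whatever address it is handed, so
    any host outside the organisation's own hub infrastructure deserves review.
    """
    found = []
    for values in parse_qs(urlparse(path).query).values():
        for value in values:
            host = urlparse(value).hostname if "://" in value else value.split(":")[0]
            if host and host not in trusted:
                found.append(host)
    return found


def triage(lines, trusted_hosts=frozenset()):
    """Count ConnectToHub requests per source; flag POSTs or untrusted hub targets."""
    per_source = Counter()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or "connecttohub" not in rec["path"].lower():
            continue
        per_source[rec["src"]] += 1
        hosts = untrusted_hosts(rec["path"], trusted_hosts)
        if hosts or rec["method"] == "POST":
            findings.append({"src": rec["src"], "ts": rec["ts"], "method": rec["method"],
                             "status": rec["status"], "untrusted_hosts": hosts})
    return per_source, findings


if __name__ == "__main__":
    print("build 100.0.9480 unpatched:", is_unpatched("v100.0.9480"))
    counts, hits = triage(SAMPLE_LOG, trusted_hosts=frozenset({"hub.internal.example"}))
    for src, n in counts.most_common():
        print(f"{src}: {n} ConnectToHub request(s)")
    for hit in hits:
        print("REVIEW:", hit)
```

Run against real logs, the trusted-host set should contain only the hub addresses the mail platform is legitimately configured to use; a POST to the endpoint from an address that is not an administrator's, or any hub value pointing at an outside host, is the "odd pattern in API traffic" the analysts above are describing.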

Sandworm Hackers Fail in DynoWiper Attack on Poland's Power Grid

 

A recently disclosed cyberattack against Poland’s energy infrastructure has been linked to the Russian state-backed hacking group Sandworm, highlighting the persistent threat facing Europe’s critical sectors. The incident occurred between December 29 and 30, 2025, and reportedly targeted elements of the country’s power grid, including combined heat and power plants and systems managing electricity from renewable sources such as wind and solar. Although the attackers attempted to deploy a new destructive data wiper known as DynoWiper, Polish authorities say the operation ultimately failed to cause large-scale disruption.

Sandworm, also tracked as UAC-0113, APT44, and Seashell Blizzard, has a long history of conducting disruptive and destructive cyber operations aligned with Russian strategic interests. Active since at least 2009 and believed to be part of Russia’s GRU Military Unit 74455, the group is infamous for past campaigns, including an attack on Ukraine’s energy grid roughly a decade ago that temporarily cut power to about 230,000 people. The latest activity in Poland fits a broader pattern of Sandworm’s focus on critical infrastructure, particularly in countries supporting Ukraine or opposing Russian policies.

In the Polish case, security firm ESET linked Sandworm to the attack and identified the destructive malware used as DynoWiper, a previously unknown data-wiping tool. Data wipers are designed to iterate through a filesystem and delete or corrupt files, rendering the operating system unusable and forcing victims to rebuild systems from backups or perform complete reinstalls. ESET says DynoWiper is detected as Win32/KillFiles.NMO and has a specific SHA-1 hash, though no public samples have yet appeared on common malware analysis platforms such as VirusTotal or Any.Run.

Polish officials reported that the attackers focused on two combined heat and power plants, as well as a management system responsible for controlling energy generated from wind turbines and photovoltaic farms. Prime Minister Donald Tusk stated that “everything indicates” the operation was carried out by groups directly linked to Russian services, underscoring the political and geopolitical context surrounding the intrusion. While authorities did not provide detailed information on the extent of the compromise or the attackers’ dwell time, they emphasized that the attempt to cause destructive impact was thwarted.

Despite the failed outcome, cybersecurity experts warn that the incident should serve as a serious wake-up call for defenders across Europe. Team Cymru’s Senior Threat Intel Advisor Will Thomas has urged security teams to review Microsoft’s February 2025 report on Sandworm to better understand the group’s tactics, techniques, and procedures. With Sandworm also tied to destructive wiper attacks on Ukraine’s education, government, and grain sectors in mid and late 2025, the Polish incident reinforces the need for robust backups, network segmentation, and proactive threat hunting in all critical infrastructure environments.

ShinyHunters Targets Okta and Microsoft SSO in Data Breach


 

Several voice-based social engineering attacks have prompted renewed scrutiny of single sign-on ecosystem security assumptions. The cybercrime collective ShinyHunters has publicly announced that it has carried out an extensive campaign to harvest SSO credentials from approximately 100 organizations, signaling an intentional shift toward identity-centered intrusion methods. 

Substantial amounts of data have already been exposed as a result of the early disclosures, with leaks confirmed at platforms such as SoundCloud, Crunchbase, and Betterment that affected tens of millions of user records. 

Moreover, the intrusions were not the result of software malfunctions or misconfigurations, but rather carefully executed voice phishing attacks that took advantage of human trust in modern authentication workflows to achieve success. 

A growing reality for enterprises is underscored by this tactic. As authentication becomes more centralized via single sign-on providers, compromises of individual identities can result in systemic access to entire SaaS environments, amplifying the scale and impact of these breaches. 

Once an employee's single sign-on credentials are compromised, the impact extends well beyond the initial account. By gaining access to a single sign-on identity, attackers gain access to the organization's broader application ecosystem. 

SSO platforms such as Okta, Microsoft Entra, and Google streamline authentication by federating access to a variety of internal and third-party services under a single login. This architecture improves usability and administrative control, but it also concentrates risk, since a single breached identity can unlock multiple downstream systems.

The SSO dashboard provides authenticated users with an integrated view of all enterprise applications connected to it, transforming a compromised account into a digital footprint map of the organization. A number of business-critical applications are commonly integrated into platforms, including Microsoft 365, Google Workspace, Salesforce, SAP, Slack, Atlassian, Dropbox, Adobe, Zendesk, and other software as a service applications. 

ShinyHunters and associated actors have exploited this model through targeted voice phishing campaigns, impersonating internal IT personnel, and guiding victims through credential entry and multi-factor authentication challenges on convincingly replicated login portals. 

Following authentication, the attackers systematically enumerate all available applications within the SSO environment, and then begin extracting data from each platform, enabling massive data thefts and lateral expansion across interconnected services before security teams may detect any abnormal activity. 

After gaining initial access, the attackers turned to cloud-based software-as-a-service environments, systematically targeting the systems that store corporate data and internal documents. The objective goes beyond data theft: stolen information is increasingly used for extortion campaigns that follow the initial breach. 

Various designations are being tracked by Google Threat Intelligence Group (GTIG), including UNC6661, UNC6671, and UNC6240, reflecting a loosely coordinated but tactically aligned group of operators employing a similar approach to intrusions and monetizations. 

The GTIG and Mandiant investigations indicate that activity associated with UNC6661 intensified in mid-January, when attackers posed as internal IT personnel to contact employees within targeted organizations. Victims were told that multifactor authentication settings would soon be updated and were directed to convincingly branded credential-harvesting portals.

The portals were designed to capture both single sign-on credentials and MFA codes in real time, enabling immediate account takeover. Mandiant confirmed that, in multiple instances, the compromised credentials belonged to Okta customers, and Okta published a blog post describing a campaign that employed advanced phishing kits in response. 

In a subsequent study, researchers attributed follow-up extortion efforts to UNC6240, citing overlapping operational artifacts including the reuse of a common Tox account during negotiations, among others. In late January, a newly established leak site listing alleged victims was published, which described the nature of the stolen information and imposed payment deadlines of 72 hours. 

Researchers previously reported that at least five organizations have been named as alleged victims. UNC6671 is exhibiting similar tradecraft in parallel activity: throughout the past week, operators connected to this cluster have conducted vishing attacks involving impersonation of IT personnel and real-time credential harvesting.

In spite of the underlying domain infrastructure being similar to that of UNC6661, researchers observed differences in domain registration services, suggesting that operations are separate despite common tools and techniques. It is believed that these groups are collectively associated with ShinyHunters, which operates under alternative banners such as Scattered Lapsus$ Hunters at times. 

The collective is derived from an ecosystem of loosely affiliated cybercriminals known as The Com, whose members have proven to be skilled at telephone social engineering. An increasingly sophisticated phishing toolkit is at the core of these operations, designed to manage the complete lifecycle of an attack. 

The latest kits can generate phishing emails, host replica login pages, and relay captured credentials to attackers in real time, which is the feature that lets them defeat multifactor authentication. 

A growing number of advanced frameworks now support voice-enabled phishing, which allows attackers to coordinate live phone calls with dynamic manipulation of the victim's browser session. Okta researchers have observed that these toolkits can be adjusted on the fly, enabling callers to control which pages are presented to victims according to their scripts and to the legitimate MFA challenges encountered during the login process. 

With this level of orchestration, attackers are able to neutralize most multi-factor authentication (MFA) mechanisms that are not explicitly phishing-resistant. These campaigns are known to target identity platforms including Google and Microsoft Entra, cryptocurrency services, and Okta's own identity and access management services, which serve as authentication hubs for extensive corporate application portfolios. 

It has been demonstrated that phishing pages are closely modeled after legitimate sign-in interfaces, ensuring a seamless experience for victims. According to Okta threat researcher Moussa Diallo, attackers can coordinate on-screen instructions with spoken instructions, even advising victims that they will receive MFA push notifications in advance, thus lending credibility to what would otherwise appear to be an unsolicited authentication request. 

However, phishing-resistant MFA technology such as smartcards, FIDO security keys, cryptographic passkeys, and Okta FastPass introduces cryptographic binding between the service and the user, thus reducing the effectiveness of real-time social engineering attacks. 
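The "cryptographic binding between the service and the user" is the property that breaks the real-time relay described above, and it is easier to see in code than in prose. What follows is an added example, not Okta's, the FIDO Alliance's or any vendor's code, simulating the three checks that make a FIDO-style credential phishing-resistant: the credential is scoped to one relying-party (RP) ID, the browser only lets a page use an RP ID that matches its own origin, and the origin is part of the signed client data that the service verifies. As a labelled simplification, the authenticator "signs" with an HMAC secret the relying party also holds, standing in for the per-credential key pair a real security key uses; the host names and user name are constructed.

```python
"""Why origin-bound (FIDO-style) authentication resists a real-time relay.

Added example; not Okta's, FIDO Alliance's or any vendor's code. Simplification,
labelled: the authenticator "signs" with an HMAC secret that the relying party also
holds, standing in for the private/public key pair a real security key uses. The
binding logic is the point: one credential per RP ID, browser checks the RP ID against
its origin, origin is inside the signed client data, relying party checks that origin.
Names (sso.example, alice, the look-alike host) are constructed.
"""
import hashlib
import hmac
import json
import os


class Authenticator:
    """The user's security key: one credential per RP ID it was registered with."""

    def __init__(self):
        self._creds = {}  # rp_id -> secret (stand-in for a private key)

    def register(self, rp_id):
        secret = os.urandom(32)
        self._creds[rp_id] = secret
        return secret  # handed to the relying party (stand-in for the public key)

    def get_assertion(self, rp_id, client_data):
        secret = self._creds.get(rp_id)
        if secret is None:
            raise LookupError(f"no credential for RP ID {rp_id!r}")
        return hmac.new(secret, client_data, hashlib.sha256).digest()


class Browser:
    """Enforces that the RP ID a page requests matches the page's own origin."""

    def __init__(self, authenticator, origin):
        self.auth = authenticator
        self.origin = origin  # e.g. "https://sso.example"

    def navigator_credentials_get(self, rp_id, challenge):
        host = self.origin.split("://", 1)[1]
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise PermissionError(f"{self.origin} may not use RP ID {rp_id!r}")
        client_data = json.dumps(
            {"challenge": challenge.hex(), "origin": self.origin}, sort_keys=True
        ).encode()
        return client_data, self.auth.get_assertion(rp_id, client_data)


class RelyingParty:
    """The SSO service: issues challenges and verifies origin-bound assertions."""

    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.verify_keys = {}
        self.pending = {}

    def enroll(self, user, authenticator):
        self.verify_keys[user] = authenticator.register(self.rp_id)

    def new_challenge(self, user):
        self.pending[user] = os.urandom(16)
        return self.pending[user]

    def verify(self, user, client_data, signature):
        data = json.loads(client_data)
        expected = self.pending.pop(user, None)
        if expected is None or data["challenge"] != expected.hex():
            return False  # replayed or unknown challenge
        if data["origin"] != self.origin:
            return False  # signed on some other page: relayed from a look-alike site
        mac = hmac.new(self.verify_keys[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(mac, signature)


def legitimate_login(rp, user, authenticator):
    """Victim signs in on the real origin: challenge, origin and key all line up."""
    browser = Browser(authenticator, rp.origin)
    client_data, sig = browser.navigator_credentials_get(rp.rp_id, rp.new_challenge(user))
    return rp.verify(user, client_data, sig)


def relayed_login(rp, user, authenticator, foreign_origin, requested_rp_id):
    """A look-alike page obtains a real challenge and asks the victim's key to sign it.

    Returns which layer stops the attempt; no path in this model returns "accepted".
    """
    browser = Browser(authenticator, foreign_origin)
    challenge = rp.new_challenge(user)
    try:
        client_data, sig = browser.navigator_credentials_get(requested_rp_id, challenge)
    except PermissionError:
        return "blocked_by_browser"        # asked for the real RP ID from a foreign origin
    except LookupError:
        return "no_credential_for_origin"  # asked for its own RP ID; the key has none
    return "accepted" if rp.verify(user, client_data, sig) else "rejected_by_rp"


if __name__ == "__main__":
    key, sso = Authenticator(), RelyingParty("sso.example", "https://sso.example")
    sso.enroll("alice", key)
    print("legitimate:", legitimate_login(sso, "alice", key))
    print("relay:", relayed_login(sso, "alice", key, "https://sso-example-help.test", "sso.example"))
```

Contrast this with a one-time code read out over the phone: the code carries no notion of which page it is typed into, so the service cannot tell a relayed code from a genuine one. Here the browser refuses the look-alike page outright, a credential registered for the look-alike's own host does not exist, and even a subdomain that is allowed to use the parent RP ID produces client data whose origin the service rejects.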

Ultimately, the campaign reinforces the critical lesson that defenders should take away: identity has become the primary attack surface, and human interaction has become one of its most vulnerable components. 

Threat actors have refined their ability to manipulate trust through real-time voice engagement, challenging traditional assumptions about authentication strength. Because even well-implemented SSO and MFA controls can be undermined when users are persuaded to actively participate in an attack chain, security teams must adapt both technical and operational strategies to address this risk. 

By adopting cryptographically bound authentication mechanisms that are phishing-resistant, organizations can reduce the probability of credential replay in real-time. Furthermore, sustained employee awareness training that recognizes voice phishing as a major threat, rather than a niche variant of email-based scams, is equally important. 

The use of clear internal IT communication processes, along with monitoring for anomalous SSO behavior and rapid response playbooks, can further limit the blast radius in the event of compromise. In order to increase resilience against identity-driven attacks, layered controls will need to remain effective even when social engineering is successfully employed.
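Two of the behaviours described in this article leave traces in an SSO provider's system log: a freshly authenticated session that starts opening many connected applications in quick succession, and an MFA factor enrolled from an address the user has never signed in from. The detection below is an added example, not any vendor's detection content; EVENTS and BASELINE_IPS are constructed samples loosely modelled on an SSO provider's event log, and the field and event names are assumptions rather than a real product's schema.

```python
"""Detection of two SSO-side signals described in the article: a session that
enumerates many connected apps right after sign-in, and an MFA factor enrolled
from an address the user has never used. Added example, not any vendor's content.
EVENTS and BASELINE_IPS are constructed samples; field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [
    {"ts": "2026-02-10T09:00:00Z", "user": "alice", "event": "user.session.start", "ip": "198.51.100.4"},
    {"ts": "2026-02-10T09:03:00Z", "user": "alice", "event": "app.access", "app": "Slack", "ip": "198.51.100.4"},
    {"ts": "2026-02-10T09:45:00Z", "user": "alice", "event": "app.access", "app": "Atlassian", "ip": "198.51.100.4"},
    {"ts": "2026-02-10T13:10:00Z", "user": "bob", "event": "user.session.start", "ip": "203.0.113.50"},
    {"ts": "2026-02-10T13:11:00Z", "user": "bob", "event": "user.mfa.factor.enroll", "ip": "203.0.113.50"},
    {"ts": "2026-02-10T13:12:00Z", "user": "bob", "event": "app.access", "app": "Microsoft 365", "ip": "203.0.113.50"},
    {"ts": "2026-02-10T13:13:00Z", "user": "bob", "event": "app.access", "app": "Salesforce", "ip": "203.0.113.50"},
    {"ts": "2026-02-10T13:14:00Z", "user": "bob", "event": "app.access", "app": "Google Workspace", "ip": "203.0.113.50"},
    {"ts": "2026-02-10T13:15:00Z", "user": "bob", "event": "app.access", "app": "Dropbox", "ip": "203.0.113.50"},
    {"ts": "2026-02-10T13:16:00Z", "user": "bob", "event": "app.access", "app": "Zendesk", "ip": "203.0.113.50"},
    {"ts": "2026-02-10T13:17:00Z", "user": "bob", "event": "app.access", "app": "Atlassian", "ip": "203.0.113.50"},
]
# Addresses each user signed in from over a prior baseline period (constructed).
BASELINE_IPS = {"alice": {"198.51.100.4"}, "bob": {"198.51.100.9"}}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def app_burst_alerts(events, max_apps=5, window=timedelta(minutes=10)):
    """Rule 1: at least max_apps distinct apps opened within window of a session start.

    Normal users open one or two apps; an attacker enumerating the dashboard opens many.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["event"] != "user.session.start":
                continue
            start = parse_ts(e["ts"])
            apps = {x["app"] for x in evs[i + 1:]
                    if x["event"] == "app.access" and parse_ts(x["ts"]) - start <= window}
            if len(apps) >= max_apps:
                alerts.append((user, e["ts"], sorted(apps)))
    return alerts


def new_ip_factor_alerts(events, baseline):
    """Rule 2: an MFA factor enrolled from an IP outside the user's baseline.

    Attackers who reach the dashboard often add their own factor to keep access.
    """
    return [(e["user"], e["ts"], e["ip"]) for e in events
            if e["event"] == "user.mfa.factor.enroll"
            and e["ip"] not in baseline.get(e["user"], set())]


def triage(events, baseline):
    """Collect reasons per user; both rules firing together warrants revoking the session."""
    reasons = defaultdict(list)
    for user, ts, apps in app_burst_alerts(events):
        reasons[user].append(f"{len(apps)} apps within 10 min of session start at {ts}")
    for user, ts, ip in new_ip_factor_alerts(events, baseline):
        reasons[user].append(f"MFA factor enrolled from unseen IP {ip} at {ts}")
    return dict(reasons)


if __name__ == "__main__":
    for user, why in triage(EVENTS, BASELINE_IPS).items():
        print(user, "->", "; ".join(why))
```

The thresholds are starting points to tune against your own baseline: a help-desk analyst may legitimately open several apps after sign-in, and a user with a new laptop will enrol a factor from a new address, which is why the output is a list of reasons for a rapid-response playbook rather than an automatic block.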

US Cybersecurity Strategy Shifts Toward Prevention and AI Security

 

Early next month, changes to how cyber breaches are reported will begin to surface, alongside a broader shift in national cybersecurity planning. Under current leadership, federal teams are advancing a more proactive approach to digital defense, focusing on risks posed by hostile governments and increasingly complex cyber threats. Central to this effort is stronger coordination across agencies, updated procedures, and shared responsibility models rather than reliance on technology upgrades alone. Officials emphasize resilience, faster implementation timelines, and adapting safeguards to keep pace with rapidly evolving technologies. 

At the Information Technology Industry Council’s Intersect Summit, White House National Cyber Director Sean Cairncross previewed an upcoming national cybersecurity strategy expected to be released soon. While details remain limited, the strategy is built around six pillars, including shaping adversary behavior in cyberspace. The aim is to move away from reactive responses and toward reducing incentives for cybercrime and state-backed attacks. Prevention, rather than damage control, is driving the update, with layered actions and long-term thinking guiding near-term decisions. Much of the work happens behind the scenes, with success measured by systems that remain secure. 

Cairncross noted that cyber harm often occurs before responses begin. The updated approach targets a wide range of threats, including nation states, state-linked criminal groups, ransomware actors, and fraud operations. By reshaping the digital environment, officials hope to make cybercrime less profitable and less attractive. This philosophy now sits at the core of federal cybersecurity policy. 

Another pillar focuses on refining the regulatory environment through closer collaboration with industry. Instead of rigid compliance checklists, officials want cybersecurity rules aligned with real-world threats and operational realities. According to Cairncross, effective oversight depends on adaptability and practicality, ensuring regulations support security outcomes rather than burden organizations unnecessarily. 

Additional priorities include modernizing and securing federal IT systems, protecting critical infrastructure such as power and transportation networks, maintaining leadership in emerging technologies like artificial intelligence, and addressing shortages in skilled cyber professionals. Officials are under pressure to deliver visible progress quickly, given political time constraints. Meanwhile, the Cybersecurity and Infrastructure Security Agency is preparing updates to the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA. Although Congress passed the law in 2022, it will not take effect until final rules are issued. 

Once implemented, organizations across 16 critical infrastructure sectors must report significant cyber incidents to CISA within 72 hours. Nick Andersen, CISA’s executive assistant director for cybersecurity, said clarification on the rules could arrive within weeks. Until then, reporting remains voluntary. CISA released a proposed CIRCIA rule in early 2024, estimating it would apply to roughly 316,000 entities. Industry groups and some lawmakers criticized the proposal as overly broad and raised concerns about overlapping reporting requirements. They have urged CISA to better align CIRCIA with existing federal and sector-specific disclosure mandates. 

Originally expected in October 2025, the final rules are now delayed until May 2026. Some Republicans, including House Homeland Security Committee Chairman Andrew Garbarino, are calling for an ex parte process to allow direct industry feedback. Andersen also discussed progress on establishing an AI Information Sharing and Analysis Center, or AI-ISAC, outlined in the administration’s AI Action Plan. The proposed group would facilitate sharing AI-related threat intelligence across critical infrastructure sectors. He stressed the importance of avoiding fragmented public and private efforts and ensuring coordination from the outset as AI adoption accelerates. 

Separately, the Office of the National Cyber Director is developing an AI security policy framework. Cairncross emphasized that security must be built into AI systems from the start, not added later, as AI becomes embedded in essential services and daily life. Uncertainty remains around a replacement for the Critical Infrastructure Partnership Advisory Council, which DHS disbanded last year. A successor body, potentially called the Alliance of National Councils for Homeland Operational Resilience, or ANCHOR, is under consideration. Andersen said the redesign aims to address past shortcomings, including limited focus on cybersecurity and inflexible structures that restricted targeted collaboration.

A New Twist on Old Cyber Tricks

 


Germany’s domestic intelligence and cybersecurity agencies have warned of a covert espionage campaign that turns secure messaging apps into tools of surveillance without exploiting any technical flaws. The Federal Office for the Protection of the Constitution and the Federal Office for Information Security said the operation relies instead on social engineering carried out through the Signal messaging service. In a joint advisory, the agencies said the campaign targets senior figures in politics, the military and diplomacy, as well as investigative journalists in Germany and elsewhere in Europe. 

By hijacking messenger accounts, attackers can gain access not only to private conversations but also to contact networks and group chats, potentially widening the scope of compromise. The operation does not involve malware or the exploitation of vulnerabilities in Signal. Instead, attackers impersonate official support channels, posing as “Signal Support” or a so-called security chatbot. 

Targets are urged to share a PIN or verification code sent by text message, often under the pretext that their account will otherwise be lost. Once the victim complies, the attackers can register the account on a device they control and monitor incoming messages while impersonating the user. In an alternative approach, victims are tricked into scanning a QR code linked to Signal’s device-linking feature. 

This grants attackers access to recent messages and contact lists while allowing the victim to continue using the app, unaware that their communications are being mirrored elsewhere. German authorities warned that similar tactics could be applied to WhatsApp, which uses comparable features for account linking and two-step verification. 

They urged users not to engage with unsolicited support messages and to enable registration locks and regularly review linked devices. Although the perpetrators have not been formally identified, the agencies noted that comparable campaigns have previously been attributed to Russia-aligned threat groups. Reports last year from Microsoft and the Google Threat Intelligence Group documented similar methods used against diplomatic and political targets. 

The warning comes amid a flurry of state-linked cyber activity across Europe. Norway’s security services recently accused Chinese-backed groups of penetrating multiple organisations by exploiting vulnerable network equipment, while also citing Russian monitoring of military targets and Iranian cyber operations against dissidents. 

Separately, CERT Polska said a Russian-linked group was likely behind attacks on energy facilities that relied on exposed network devices lacking multi-factor authentication. 

Taken together, the incidents highlight a shift in cyber espionage away from technical exploits towards psychological manipulation. As secure messaging becomes ubiquitous among officials and journalists, the weakest link increasingly lies not in encryption, but in the trust users place in what appears to be help.
