Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Latest News

Gravity SMTP Vulnerability Under Active Exploitation, Over 17 Million Attack Attempts Detected

  Cybersecurity researchers are warning WordPress administrators about ongoing attacks targeting a recently fixed security flaw in the Grav...

All the recent news you need to know

New Prinz Eugen Ransomware Targets Recently Modified Files First, Researchers Find

 



Security researchers have revealed a ransomware operation known as Prinz Eugen that employs an unusual file-encryption strategy designed to increase pressure on victims. According to an investigation by ThreatDown, Malwarebytes' enterprise security division, the malware gives priority to files that have been modified most recently, focusing its efforts on data that organizations are most likely to rely on for day-to-day operations.

Researchers describe the actors behind Prinz Eugen as highly interactive intruders who rely on direct involvement throughout the attack process rather than fully automated deployment methods. Instead of depending on large-scale ransomware affiliate networks, the group appears to conduct attacks manually, using legitimate administration tools and built-in system utilities to move through victim environments and maintain access.

Evidence collected during incident response investigations suggests that attackers may initially gain entry through compromised Remote Desktop Protocol (RDP) credentials. After securing access, operators manually retrieve and launch the ransomware payload, identified as servertool.exe. In one investigated intrusion, researchers observed the use of the RemotePC remote management platform, alongside the creation of a backdoor administrator account that allowed the attackers to retain access to the compromised environment.

ThreatDown noted that Prinz Eugen does not currently appear to operate under the ransomware-as-a-service model that has become common across the cybercriminal ecosystem. Researchers found no indication that the group's operators are actively recruiting affiliates or distributing their malware to external partners. Instead, available evidence points to a more centralized operation in which attacks are carried out directly by the threat actors themselves.

Although the group's data-leak platform presently displays only three victims, researchers believe the actual number of affected organizations is higher. Information gathered during investigations indicates that multiple organizations have experienced incidents linked to the ransomware. Depending on the attack, victims may face file encryption, data theft, or a combination of both. Security researchers have identified at least five organizations impacted by the operation, including an incident involving Standard Bank, where attackers reportedly demanded a ransom payment of one Bitcoin. The demand was ultimately rejected.

One of the most distinctive characteristics of Prinz Eugen is its approach to selecting files for encryption. Analysis of the malware revealed that it processes files according to modification time, encrypting the most recently changed data before moving to older content. When several files share the same timestamp, the malware follows alphabetical order to determine which file is processed next.

Researchers believe this strategy is intended to maximize operational disruption. Files that have been edited recently are often associated with ongoing business activities, active projects, financial records, or other information that employees depend on regularly. By rendering this data inaccessible first, attackers can create immediate pressure on organizations to engage with extortion demands.

Technical analysis further showed that the ransomware scans directories recursively without imposing depth restrictions. Unlike some ransomware families that avoid certain locations or system folders, the examined Prinz Eugen sample applies very few limitations. The malware attempts to encrypt virtually every accessible file it encounters, excluding only files that already carry the .prinzeugen extension, which is added to data after encryption has been completed.

The encryption mechanism itself incorporates multiple modern cryptographic components. Researchers found that the ransomware uses the ChaCha20-Poly1305 algorithm together with a 32-byte master key. Each targeted file receives its own randomly generated initialization vector, while key generation and derivation processes rely on Argon2id, SHA-256, and HKDF-SHA256. Data is encrypted in 1 MB segments, and SHA-256 hashing is used to verify file integrity throughout the process.

Investigators also identified a safeguard built into the malware's deletion routine. When operators use the – delete option, the ransomware removes original files only after confirming that the encrypted version can be successfully decrypted. This verification step reduces the likelihood of accidental data destruction that could undermine the attackers' leverage over victims.

Beyond encrypting files, Prinz Eugen incorporates measures intended to frustrate forensic investigations. Researchers observed that the malware overwrites encryption keys with zero values once they are no longer needed, triggers garbage collection routines to remove remaining traces from memory, and then attempts to delete itself from disk. These actions are designed to make post-incident analysis and key recovery efforts more difficult.

Another noteworthy aspect of the ransomware is the absence of conventional extortion artifacts. The analyzed sample contains no functionality for dropping a ransom note onto infected systems, nor does it alter the victim's desktop wallpaper to display payment instructions. While such techniques have historically been common among ransomware groups, ThreatDown researchers noted that some organized operations are increasingly shifting away from visible on-system communications.

Instead, attackers may conduct negotiations through external channels such as email correspondence, direct phone contact, or dedicated dark-web portals. By moving communications outside the compromised environment, threat actors leave behind fewer artifacts that investigators can collect and reduce opportunities for automated security tools to identify the extortion phase of an attack.

To assist defenders, ThreatDown has published a collection of indicators of compromise associated with Prinz Eugen activity. These indicators can help security teams, incident responders, and researchers identify potential infections, investigate suspicious activity, and strengthen defenses against future attacks involving the ransomware. 

Bitcoin Drops Below $60,000 as Market Selloff and Security Fears Weigh on Crypto

 

Falling further now, Bitcoin dipped under $60,000 again - the first time since early 2024 - amid softness across financial markets and rising unease about digital safety. Around $59,909, it lost close to 6% in one session, almost 18.5% in seven days. This slump stretches beyond just Bitcoin. Ethereum followed closely behind, sliding 23% over the week until reaching approximately $1,555. Meanwhile, Solana saw a similar drop of 22%, settling near $63.75 after sharp downward pressure. 

Bitcoin now trades over 52 percent below its peak of $126,080 set last October. A mix of pressures drives the drop, according to market observers. Attention earlier centered on steady withdrawals from physical Bitcoin ETFs along with Strategy offloading coins for the first time since 2022. Lately, though, shifts in outlook regarding Federal Reserve interest moves have added pressure, alongside fresh unease about digital asset safety. 

Surprising strength marked last month's U.S. labor numbers, as payrolls expanded by 172,000 during May. That outcome ran well ahead of forecasts - almost twice what analysts had predicted - shifting how investors view future rate moves. With inflation concerns lingering, officials may feel less pressure to ease policy soon. Because higher yields often make safer investments more appealing, digital coins typically face headwinds under such conditions. Market participants now weigh whether extended tightening cycles could dampen speculative flows. 

Despite recent gains in employment figures, expectations for lower interest rates have faded, according to Nicolai Søndergaard of Nansen. Having shed roughly 15 percent lately, Bitcoin now faces added strain without any obvious economic trigger to spark rebound. Though digital assets struggle, broader uncertainty lingers due to unrest in the Middle East. That stress shows up in cautious trading behavior worldwide. 

With few positive signals on the horizon, momentum remains fragile. Even as attention grows around blockchain safety, news of a serious weakness in Zcash - a coin built for anonymity - has raised alarms. Though programmers pushed out an update to correct the problem, they stated plainly that tracking past misuse is impossible due to hidden transaction details. Without clear evidence of abuse, doubt spread quickly among investors. 

That hesitation showed in price movements: ZEC plunged over two-fifths in value in just one day. Now worries spread through crypto circles after the event. Because AI tools might detect weak spots in blockchains, investor unease grows. Questions emerge - could similar flaws threaten more digital currencies? As machine learning advances, trust faces new tests. Out of nowhere, a slight uptick appeared for Bitcoin ETFs amid continued market softness. 

On Thursday, U.S. spot Bitcoin funds saw inflows exceeding $3 million - breaking a run of 13 straight days of outflows. While tiny next to the billions pulled so far this year, the shift hinted at changed sentiment, if only briefly. Not long after prolonged pullbacks, investors paused, then edged back in. After tech shares slipped, so did broader market sentiment - Nasdaq dropped sharply amid wider financial strains. 

Not just crypto felt the downturn; traditional assets wavered too, pulled by similar worries. Investors moved carefully through overlapping pressures: shaky economies, global conflicts, threats in digital finance. When equities fell, digital coins followed close behind, mirroring the wariness spreading through capital markets.

Haldwani Cyber Fraud: ₹2.5 Lakh Stolen Without OTP, Raising Bank Security Concerns

 

In Haldwani, a cyber fraud case has once again shaken public trust in digital banking, after a victim reportedly lost money without clicking a suspicious link or sharing an OTP. The case is worrying because it shows how modern fraud can bypass the protections many users still consider reliable. For years, OTPs have been seen as a strong safety layer, but incidents like this suggest scammers are finding new ways to drain accounts while staying hidden. As digital payments grow, so does the need to understand how these silent attacks work. 

What makes such frauds especially alarming is that victims often receive no obvious warning before the money disappears. In some recent cases, cybercriminals have used methods such as SIM swap attacks, malware, account takeovers, call forwarding, or unauthorized beneficiary additions to move funds without the user’s approval. Other reports have also shown that fraud can happen through fake banking apps, remote access tools, or abuse of pre-linked payment mandates. This means the problem is no longer just about sharing an OTP; it is also about securing the phone, SIM, banking app, and personal identity. 

The Haldwani incident highlights a deeper issue in bank security: authentication systems are only as strong as the weakest device or process connected to them. If a fraudster gains access to a phone number, banking credentials, or an already trusted payment route, the transaction may look legitimate to the bank’s systems. That is why “no OTP” does not automatically mean “no compromise.” In fact, some frauds exploit loopholes where money is shifted through internal banking paths, or through beneficiary changes that may not trigger immediate user attention. 

Safety recommendations 

For users, the first rule is to monitor bank alerts closely and treat any unexpected debit, SMS, or app activity as urgent. Keep mobile software updated, avoid installing apps from unknown links, and never grant unnecessary SMS, accessibility, or call permissions to random applications. It also helps to use strong screen locks, secure SIM cards with a PIN, and enable additional notifications through email or alternate channels. If anything looks suspicious, contact the bank immediately and report the fraud through the cybercrime helpline without delay. 

This case is a reminder that cybersecurity is no longer only a technical concern; it is a daily financial survival issue. Banks need stronger fraud detection, faster alerts, and better protection against account takeover methods that bypass OTP-based trust. At the same time, users must stop assuming that OTP alone can keep money safe. The real defense is layered security, quick reporting, and constant digital caution.

Unpatchable BootROM Flaw Exposes Apple A12 and A13 SecureROM Chain


 

The disclosure of a new hardware-level exploit has raised new concerns about the long-term security implications of immutable silicon vulnerabilities across Apple's entire ecosystem. Paradigm Shift researchers have revealed usbliter8, a working SecureROM exploit compromising the boot chain of Apple A12 and A13 processor-based devices. 

In 2019, checkm8 emerged as the first publicly released unpatched attack on these chip generations. By exploiting a flaw within the BootROM, the code that runs before iOS and all higher security controls, the exploit is able to bypass protections at the earliest stage of the initialization process. Physical access, a USB connection, and manual placement of the device into DFU mode are required to perform the attack, but the significance lies in the vulnerability itself. This vulnerability is not able to be remedied by updating firmware, updating operating systems, or restoring devices since it occurs in silicon rather than software.

In addition to the niche jailbreak development impacted by this disclosure, Apple hardware that is still supported, including iPhones, iPads, Apple Watches, and other Apple devices, now carry a permanent hardware weakness that can be exploited throughout the device's operational lifetime. 

Along with presenting a notable research discovery, USBliter8 also presents a significant hardware security incident due to the permanent nature of the vulnerability exploited by it. The affected SecureROM code is therefore physically embedded within the processor while the device is being manufactured, placing it beyond Apple's control once the device leaves the factory. This is in contrast to conventional vulnerabilities that can be mitigated by updating firmware or operating systems. 

During a coordinated engagement with Apple Product Security on June 18, 2026, researchers revealed the exploit and accompanying proof of concept, demonstrating that a successful attack can be carried out in less than two seconds before Apple's trusted boot sequence takes over. There remains a strict physical access requirement for the attack: a target device must be manually placed into Device Firmware Update (DFU) mode and connected to an RP2350-based microcontroller platform using USB. Nevertheless, there is a considerable range of hardware impacted. 

Publicly supported targets include devices built on Apple's A12 and A13 application processors, in addition to the S4 and S5 systems-on-chip used across Apple Watch and HomePod products. There are a number of products, such as the iPhone XS, iPhone XR, iPhone 11, two-generation iPhone SE, multiple iPad models, Apple Watch Series 4 and 5, the first-generation Apple Watch SE, HomePod mini, and others, which continue to see active deployment. 

Research indicates that support for A12X and A12Z processors may be technically achievable in the future, but this has not yet been implemented. The architectural differences in USB memory handling do not seem to affect devices based on A11 silicon, while A14 and newer generations appear to be immune due to improved DART configuration and memory isolation controls within the boot environment.

The disclosure also highlights an aspect of modern device security that is seldom encountered: there are some vulnerabilities that are beyond the reach of all software-based defense mechanisms available to vendors as well as users. The vulnerability can not be eliminated by iOS updates, firmware revisions, factory restores, or standard hardening measures since the vulnerability lies within immutable SecureROM code. It remains imperative to maintain the latest software versions, enforce strong authentication controls, and adhere to sound security practices to protect against conventional threats; however, those measures do not alter the hardware trust anchor targeted by USBliter8. 

In identifying the most practical long-term mitigation strategy for organizations and individuals seeking to reduce exposure, Paradigm Shift identified migration to devices utilizing A14 or newer silicon. While Apple has not publicly addressed the research as of publication, the researchers stated that Apple Product Security has been notified and disclosure procedures have been completed before technical details and exploit code can be released. There is a great deal of variation in the security implications associated with the various operating environments in which affected devices are used. 

For the average consumer, the requirement for physical possession, DFU mode access, and specialized hardware greatly narrows the scope of potential exploitation. Individuals who operate under elevated threat conditions, including journalists, corporate executives, activists, government employees, and others whose devices may be seized, inspected, or held for extended periods, face a significantly different risk profile. In such scenarios, a compromised device based on A12, A13, S4, or S5 could be affected by persistent boot-level intrusions that are anchored underneath the operating system itself, even after software updates are applied. Thus, device lifecycle planning now includes security considerations instead of just procurement, with the newer A14-generation hardware and later platforms posing the most obvious route to avoiding this type of exposure. 

In addition to the immediate technical accomplishments, researchers are closely tracking whether usbliter8 follows a similar path to checkm8 that was established nearly seven years ago. Along with the research, a proof-of-concept code was released that gained significant attention from the security community.

It quickly gained hundreds of GitHub stars and indicated strong interest from researchers and developers alike. It is widely anticipated that jailbreak-focused tools will emerge in the near future, but the more consequential question is whether the exploit will evolve into a mature hardware research and forensic framework for A12 and A13 devices. Ultimately, Checkm8 has become the primary tool for examining and interacting with older Apple hardware in a manner previously not possible for defenders, researchers, and forensic practitioners. 

While USBliter8 has not yet reached that level, its publication provides the first public insight into a generation of Apple silicon which, until now, has been largely beyond the reach of unpatched SecureROM exploits. With the advent of USBliter8, we are reminded that not all security risks originate with software, and not all can be resolved through patching. 

By exposing a hardware-rooted vulnerability that remains widely deployed, this research contributes to a heightened awareness of the long-term security implications of silicon-level trust boundaries. However, organizations and individuals responsible for sensitive data should reassess their device custody practices, hardware refresh strategies, and exposure to high-risk environments as a result of the exploit. 

Usbliter8 remains a significant landmark in Apple security research and is being examined by the security community in order to fully comprehend its impact. It demonstrates how important it is not only to secure the software on a device, but also the device itself.

AutoJack Reveals New Threat to Autonomous AI Agent Security

Researchers are discovering new security threats that extend well beyond traditional prompt manipulation as artificial intelligence agents acquire the capability of browsing websites, interacting with local services, executing tools, and automating complex workflows. 

AutoJack, the newest example of malware that can be exploited by trusted AI-powered browsers to compromise systems unintentionally, demonstrates how a single malicious web page can be used to manipulate the browser. A number of vulnerabilities combine to bypass assumptions surrounding localhost security. 

The exploit chain targets Microsoft's AutoGen Studio, an open-source environment designed to develop and test multi-agent AI systems, utilizing multiple weaknesses. Using the agent's native web browsing functionality and the agent's interaction with locally exposed services, the attack allows the execution of arbitrary code on the host machine by simply submitting a URL by the user. It has been demonstrated that AI security is becoming increasingly problematic as agents are integrated into browsers, developer tools, and operating systems. 

As a result, the boundary between untrusted internet content and privileged local resources is becoming increasingly difficult to enforce. As a result of the analysis, the attack does not require stolen credentials, bypasses of user authentication, or repeated actions by the user to proceed. The attack therefore does not require stolen credentials or bypasses of user authentication. 

An attacker-controlled webpage can be accessed by browsing agents once they have been directed there, whether they have been directed there by a submitted URL, a malicious link, or prompt-injected content embedded in a workflow. This issue centers around AutoGen Studio's implementation of the Model Context Protocol (MCP) WebSocket, which was included in the development builds 0.4.3.dev1 and 0.4.3.dev2, but was absent from Microsoft's stable version 0.4.2.2. 

According to Microsoft, the exposed MCP WebSocket surface did not appear in a stable PyPI release. Researchers have however identified three different weaknesses that combine to form a viable remote code execution path within the development branch. As a result of inadequate origin validation, WebSocket connections were limited to localhost origins, but JavaScript executed within the AI-controlled headless browser on the same machine was not considered. 

The second stemmed from authentication controls that intentionally excluded /api/mcp/* routes, allowing access to the MCP WebSocket without verification. One of the most critical security issues arose from the handling of the server_params argument, which accepted attacker-supplied commands and arguments, decoded them into execution parameters, and passed these parameters directly to the process spawning functionality without any meaningful restrictions. 

When a developer uses AutoGen Studio on localhost:8081 along with a browsing agent, the agent could unintentionally trigger the chain by allowing the agent to browse a carefully crafted webpage. By leveraging authentication and origin validation gaps, the embedded JavaScript would create a WebSocket connection with the local MCP endpoint and instruct the application to launch an attacker-defined executable with the logged-in user's privileges. 

As a result of the responsible disclosure to the Microsoft Security Response Center, the affected code path has been hardened in the upstream repository. However, these findings indicate that trusted local AI agents may unintentionally bridge the gap between untrusted web content and privileged development environments in the absence of checks on security assumptions surrounding localhost services. 

However, researchers emphasize that the broader architectural weakness of AutoJack extends beyond just a single framework or implementation, although the specific vulnerabilities leveraged by the project have been addressed in its source code. As an interim measure until updated releases are fully adopted, security practitioners suggest separating AutoGen Studio from browsing and code-execution agents that interact with untrusted internet content in order to eliminate the conditions required for exploitation. 

A mitigation layer that provides effective protection against this attack chain is the isolation of workloads through dedicated containers, virtual machines, or restricted user contexts. In addition, the findings of this study identify a recurring design pattern increasingly observed across agent ecosystems: highly privileged, local services that are protected primarily by localhost assumptions, combined with artificial intelligence agents that may freely access external content. 

Recently, similar concerns emerged in the ChatGPhish campaign, where AI-generated summary pages were manipulated in order to facilitate phishing attempts. Research conducted with Microsoft's Semantic Kernel, reported as CVE-2026-26030 and CVE-2026-25592, demonstrated comparable risks associated with locally trusted execution paths. These examples indicate that localhost-based trust models are becoming increasingly fragile in environments where autonomous agents routinely connect external and internal systems. 

Researchers have argued that meaningful defense requires stronger control-plane authentication, strict allowlisting, and separate agent identities from developer sessions in order to provide meaningful defense. In light of the continued development of artificial intelligence frameworks that enable browsing, execution, and orchestration across multiple systems, security boundaries are no longer defined solely by the network location. 

When an agent gains access to both the open web and privileged local services, traditional localhost protections no longer provide a reliable security measure. It serves as a reminder that the security challenges associated with artificial intelligence agents have rapidly evolved from theoretical concerns into practical attack scenarios as the AutoJack findings demonstrate. 

The adoption of increasingly autonomous systems capable of browsing the web, interacting with local services, and performing tasks on behalf of users is challenging long-established trust assumptions in a new way. According to the research, artificial intelligence agents should be evaluated both as productivity tools and as privileged software components that can access sensitive environments directly. 

Security teams should reassess localhost exposure, strengthen authentication controls around agent-accessible services, and enforce strict execution boundaries before experimental workflows become dependent on production processes. In a technological landscape where AI agents are expected to be capable of making decisions and taking actions independently, security architecture also needs to evolve at the same rapid speed as the technology itself.

Operation Escaneo Signals Shift in Latin America Cyber Threat Landscape

 

Operation Escaneo is a warning sign for Latin America’s cybersecurity ecosystem, showing that financially motivated attackers are adopting more advanced intrusion methods. The campaign, uncovered through an exposed attacker server, targeted government, financial, and critical infrastructure organizations across Mexico, with smaller activity in Ecuador and Portugal. Researchers say the operation reflects a shift in the region, where threat actors are increasingly combining opportunistic motives with sophisticated tooling. 

The attackers relied heavily on internet-facing vulnerabilities to gain entry. Reporting links the campaign to Fortinet FortiOS SSL-VPN and Ivanti Connect Secure flaws, along with other exploits involving Apache Tomcat, Windows, and Log4Shell. Rather than depending on a single vulnerability, the group appears to have built a flexible intrusion chain that could adapt to different environments, increasing its chances of success and making defense more difficult. 

Once inside, the operation used multiple layers of persistence and control. CloudSEK’s findings, as summarized by Infosecurity Magazine, describe Neo-reGeorg webshells, Chisel reverse tunnels, and even a compromised Cisco router configured with a GRE tunnel to maintain access. These methods helped the attackers stay connected while blending into normal traffic, a tactic that can evade host-based security tools and delay detection. 

The damage was not limited to access alone. Analysts reported large-scale theft of sensitive data, including personal records, Active Directory maps, SSL private keys, SAP service-account hashes, and browser-stored passwords. That level of exposure creates serious risks for identity abuse, lateral movement, and further compromise, especially in public-sector and financial environments where trust and encryption keys are critical assets.

Operation Escaneo is a reminder that Latin American defenders should prioritize patching perimeter appliances, monitoring for unusual tunneling activity, and limiting the spread of privileged credentials. The campaign’s scale and tradecraft suggest that regional attackers are moving closer to APT-level capability, with the potential to disrupt operations far beyond the initial breach.

Featured