Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Latest News

Microsoft Copilot Bug Exposes Confidential Outlook Emails

  A critical bug in Microsoft 365 Copilot, tracked as CW1226324, allowed the AI assistant to access and summarize confidential emails in Out...

All the recent news you need to know

Rocket Software Research Highlights Data Security and AI Infrastructure Gaps in Enterprise IT Modernization

 

Stress is rising among IT decision-makers as organizations accelerate technology upgrades and introduce AI into hybrid infrastructure. Data security now leads modernization concerns, with nearly 70 percent identifying it as their primary pressure point. As transformation speeds up, safeguarding digital assets becomes more complex, especially as risks expand across both legacy systems and cloud environments. 

Aligning security improvements with system upgrades remains difficult. Close to seven in ten technology leaders rank data protection as their biggest modernization hurdle. Many rely on AI-based monitoring, stricter access controls, and stronger data governance frameworks to manage risk. However, confidence in these safeguards is limited. Fewer than one-third feel highly certain about passing upcoming regulatory audits. While 78 percent believe they can detect insider threats, only about a quarter express complete confidence in doing so. 

Hybrid IT environments add further strain. Just over half of respondents report difficulty integrating cloud platforms with on-premises infrastructure. Poor data quality emerges as the biggest obstacle to managing workloads effectively across these mixed systems. Secure data movement challenges affect half of those surveyed, while 52 percent cite access control issues and 46 percent point to inconsistent governance. Rising storage costs also weigh on 45 percent, slowing modernization and increasing operational risk. 

Workforce shortages compound these challenges. Nearly 48 percent of organizations continue to depend on legacy systems for critical operations, yet only 35 percent of IT leaders believe their teams have the necessary expertise to manage them effectively. Additionally, 52 percent struggle to recruit professionals skilled in older technologies, underscoring the need for reskilling to prevent operational vulnerabilities. 

AI remains a strategic priority, particularly in areas such as fraud detection, process optimization, and customer experience. Still, infrastructure readiness lags behind ambition. Only one-quarter of leaders feel fully confident their systems can support AI workloads. Meanwhile, 66 percent identify data accessibility as the most significant factor shaping future modernization plans. 

Looking ahead, organizations are prioritizing stronger data protection, closing infrastructure gaps to support AI, and improving data availability. Progress increasingly depends on integrated systems that securely connect applications and databases across hybrid environments. The findings are based on a survey conducted with 276 IT directors and vice presidents from companies with more than 1,000 employees across the United States, the United Kingdom, France, and Germany during October 2025.

Qualcomm Zero Day Among 129 Issues Fixed in Android Security Push

 


With its latest security bulletin, Google has taken steps to address a broad range of Android vulnerabilities, releasing patches for 129 vulnerabilities spanning core platform components and third party modules. 

These vulnerabilities include ten that are rated critical, and one that is believed to have been exploited outside of controlled environments. Thus, the persistent pressure on mobile infrastructure is evident. CVE-2026-21385, a buffer over-read vulnerability related to an open-source Qualcomm module, was central to the update. 

The vulnerability has a severity score of 7.8 and is tracked as CVE-2026-21385. Input from a user is improperly handled without the possibility of verifying buffer space, which may result in memory corruption under certain circumstances. This advisory describes a vulnerability identified as CVE-2026-21385, which has a CVSS score of 7.8 and has been categorized as a buffer overread within the Graphics component. 

Qualcomm describes the vulnerability as an integer overflow that may result in memory corruption if user supplied data is appended without adequately validating the buffer space available. As stated by the chipmaker, the flaw was originally reported to Google's Android Security team on December 18, 2025, and downstream customers were notified on February 2, 2026 as a result. 

Even though Google has not disclosed technical information about actual real-world exploitation, it has acknowledged evidence of limited and targeted abuses, suggesting that this vulnerability may have been exploited in controlled attack scenarios rather than indiscriminate attacks. 

It is noteworthy that the March 2026 Android security update includes a comprehensive remediation effort that addresses 129 vulnerabilities across the entire system layer in addition to Qualcomm's defect. Furthermore, it contains a critical remote code execution vulnerability in the System component, identified as CVE-2026-0006, that can be exploited without requiring additional user interaction or additional privileges—a significantly increased risk profile.

Further, the update resolves the CVE-2026-0047 privilege escalation issue in the Framework component, the CVE-2025-48631 denial-of-service condition in the System module, and seven individual privilege escalation vulnerabilities in Kernel components. 

The vulnerabilities are identified as CVE-2024-43859, CVE-2026-0037, CVE-2026-0038, CVE-2026-0027, CVE-2026-0028, CVE-2026-0030, and CVE-2026-0031 identifiers. Due to the fragmented device ecosystem, Google retains its dual patch-level structure - 2026-03-01 and 2026-03-05 - so that original equipment manufacturers and silicon partners can deploy patches according to their deployment cycle. 

In addition to updating Android kernel components, this patch level also includes updates for third-party silicon and GPU vendors, such as Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc, emphasizing the complexity of modern security governance mechanisms. 

Even though Google has not disclosed operational details regarding the observed activity, vulnerabilities of this nature have traditionally been of interest to commercial surveillance vendors as well as other actors capable of exploiting memory-handling vulnerabilities to gain covert access to data. A mitigation for CVE-2026-21385 has been included in the second tranche of this month's rollout, distributed under the level of security patch 2026-03-05. 

With this cumulative update, more than 60 new vulnerabilities have been addressed across the Kernel components and silicon partner ecosystems, including integrations with Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm, reflecting the multiple dependencies that are embedded within Android deployments. 

The earlier patch level, meanwhile, focuses primarily on Framework and System components, resolving over 50 security vulnerabilities. One of these vulnerabilities enables remote code execution without any level of elevated privileges or interaction with the user - a risk profile that places it among the most serious Android vulnerabilities.

According to Google, devices updated to 2026-03-05 security level or later are protected from the full set of disclosed vulnerabilities. Additionally, the company has announced patches for two vulnerabilities within Wear OS' Framework and System layers that affect Wear OS. It also incorporates all of the Android security patches outlined in the March 2026 security bulletin, ensuring alignment across Google's broader product lines. 

There have been no platform-specific security patches released for Android Automotive OS or Android XR this cycle, which indicates that those distributions have remained relatively stable during this time period of updates. This advisory reinforces the necessity of timely patch adoption across enterprise as well as consumer deployments from a defensive standpoint.

It is recommended that security teams verify whether devices are compliant with the March 2026 security patch levels, prioritize assets which are exposed to untrusted input vectors, and watch for unusual behavior that may be indicative of an exploitation attempt. 

Since memory corruption and privilege escalation issues are recurring patterns of targeted abuse, maintaining strict update governance, enforcing mobile device management controls, and restricting unnecessary application privileges remain critical measures for risk mitigation. 

As Android will continue to be dependent on a complex supply chain of silicon and software contributors, coordinated vulnerability disclosure and rapid patch integration will remain crucial to ensuring the platform's resilience over time.

SLH Pays Up to $1,000 Per Call to Expand IT Help Desk Vishing Operations

 



A cybercrime network known as Scattered LAPSUS$ Hunters, or SLH, is offering financial rewards ranging from $500 to $1,000 per call to recruit women for voice phishing operations targeting corporate IT help desks.

The development was detailed in a threat intelligence brief published by Dataminr. According to the firm, recruits are provided with prepared scripts and paid upfront for participating in impersonation calls designed to trick help desk staff into granting account access. Analysts assess that specifically seeking female callers may be an intentional tactic to improve credibility and increase the likelihood of successful password or multi-factor authentication resets.

SLH is described as a high-profile cybercrime alliance associated with actors tied to LAPSUS$, Scattered Spider, and ShinyHunters. The group has previously demonstrated the ability to bypass multi-factor authentication using methods such as MFA prompt flooding and SIM swapping.

A core component of its intrusion strategy involves directly contacting help desks or call centers while posing as legitimate employees. Attackers attempt to persuade support staff to reset credentials or deploy remote monitoring and management software that enables persistent remote access. Once inside a network, Scattered Spider operators have been observed moving laterally into virtualized infrastructure, elevating privileges, and extracting sensitive enterprise information. In some incidents, the intrusion progressed to ransomware deployment.

To blend into legitimate traffic and evade detection, the actors routinely leverage trusted infrastructure and residential proxy services, including Luminati and OxyLabs. They have also used tunneling tools such as Ngrok, Teleport, and Pinggy, along with file-sharing platforms like file.io, gofile.io, mega.nz, and transfer.sh to transfer stolen data.

Earlier this month, Palo Alto Networks Unit 42, which tracks Scattered Spider under the alias Muddled Libra, described the actor as highly adept at manipulating human psychology. In one September 2025 investigation, attackers reportedly obtained privileged credentials through a help desk call, created a virtual machine, conducted Active Directory enumeration, and attempted to extract Microsoft Outlook mailbox data along with information downloaded from a Snowflake database.

Unit 42 also documented the group’s extensive targeting of Microsoft Azure environments through the Graph API to gain access to cloud resources. Tools such as ADRecon have been deployed to map directory structures and identify valuable assets.

Dataminr characterized the recruitment campaign as a calculated evolution in tactics, suggesting that the use of female voices may help bypass preconceived attacker profiles that help desk staff are trained to recognize.

Update: Shift Toward Branded Subdomain Impersonation and Mobile-Focused Phishing

In a follow-up assessment dated February 26, 2026, ReliaQuest reported observing ShinyHunters potentially transitioning to branded subdomain impersonation paired with live adversary-in-the-middle phishing and phone-guided social engineering. Observed domains followed formats resembling “organization.sso-verify.com.”

Researchers indicated that the group may be reusing previously exposed software-as-a-service records to craft convincing scenarios and identify the most effective internal targets. This method can enable rapid identity compromise and SaaS access through a single valid single sign-on session or help desk reset, without deploying custom malware.

ReliaQuest assessed that moving away from newly registered lookalike domains could help evade traditional domain-age detection controls. Simultaneously, mobile-oriented phishing lures may reduce visibility within enterprise network monitoring systems. The firm also noted signs of outsourced criminal labor to scale phone, email, and SMS outreach.

While the impersonation style resembles earlier Scattered Spider techniques, ReliaQuest attributed the recent subdomain activity primarily to ShinyHunters based on victim targeting patterns and operational behavior. The company stated it has no independently verifiable evidence confirming that the broader SLH collective is responsible for the subdomain campaign, though partial collaboration among groups remains possible. It also observed Telegram discussions indicating that the actors sometimes “unite” for specific social engineering operations, though the structure and scope of such collaboration remain unclear.

Security experts increasingly warn that help desks represent a critical weak point in modern enterprise defense. As organizations strengthen technical controls such as MFA and endpoint detection, attackers are redirecting efforts toward human intermediaries capable of overriding safeguards. Industry reporting throughout 2024 and 2025 has shown a consistent rise in vishing-led intrusions tied to cloud identity compromise.

Defensive recommendations include implementing stricter identity verification workflows, eliminating SMS-based authentication where possible, enforcing conditional access policies, and conducting post-call audits for new administrative accounts or privilege changes. Continuous monitoring of cloud logs and abnormal single sign-on activity is also considered essential.

The recruitment-driven expansion of scripted vishing operations signals an ongoing professionalization of social engineering. Rather than relying solely on technical exploits, threat actors are scaling psychologically informed tactics to accelerate high-volume, low-cost account compromise across enterprise environments.

Two AI Data Breaches Leak Over Billion KYC Records


About the leaks

Two significant data leaks connected to two AI-related apps have been discovered by cybersecurity researchers, exposing the private information and media files of millions of users worldwide. 

The security researchers cautioned that more than a billion records might be exposed in two different studies published by Cybernews, which were initially reported by Forbes. An AI-powered Know Your Customer (KYC) technology utilized by digital identity verification company IDMerit has been blamed for the initial leak. The business offers real-time verification tools to the fintech and financial services industries as part of its AI-powered digital identity verification solutions.

Attack tactic 

When the researchers discovered the unprotected instance on November 11, 2025, they informed the company right away, and they quickly secured the database. The cybersecurity researchers said, "Automated crawlers set up by threat actors constantly prowl the web for exposed instances, downloading them almost instantly once they appear, even though there is currently no evidence of malicious misuse." 

Leaked records

One billion private documents belonging to people in 26 different nations were compromised. With almost 203 million exposed data, the United States was the most impacted, followed by Mexico (124 million) and the Philippines (72 million). Full names, residences, postcodes, dates of birth, national IDs, phone numbers, genders, email addresses, and telecom information were among the "core personal identifiers used for your financial and digital life" that were made public.

According to researchers, account takeovers, targeted phishing, credit fraud, SIM swaps, and long-term privacy losses are some of the downstream hazards associated with this data leak. The Android software "Video AI Art Generator & Maker," which has received over 500,000 downloads on Google Play and has received over 11,000 reviews with a rating of 4.3 stars, is connected to the second leak. Due to a Google Cloud Storage bucket that was improperly configured, allowing anyone to access stored files without authentication, the app was discovered to be leaking user data. According to researchers, the app exposed millions of media assets created by users utilizing AI, as well as more than 1.5 million user photos and 385,000 videos.

The app was created by Codeway Dijital Hizmetler Anonim Sirketi, a company registered in Turkey. Previously, the company's Chat & Ask AI app leaked around 300 million messages associated with over 25 million users.

Korean Tax Agency Leaks Seed Phrase, Loses $4.8M in Crypto

 

South Korea's National Tax Service (NTS) turned a major tax evasion crackdown into a $4.8 million cryptocurrency catastrophe by accidentally exposing a seized wallet's seed phrase in a public press release. Hackers drained 4 million Pre-Retogeum (PRTG) tokens from the Ledger hardware wallet within hours of the February 26, 2026, announcement. This blunder exposed profound gaps in government handling of digital assets. 

The NTS raided 124 wealthy tax dodgers, confiscating crypto worth 8.1 billion won ($5.6 million total). Their celebratory photos showed the Ledger device next to an unredacted handwritten 24-word mnemonic—the master key granting full wallet access anywhere, without needing the physical hardware or passwords. By failing to blur this critical information, officials broadcast the equivalent of a bank vault combination nationwide. 

On-chain sleuthing confirmed the rapid heist: an attacker added Ethereum for gas fees, then siphoned the PRTG in three transactions to new addresses. Blockchain experts, including Hansung University's Professor Cho Jae-woo, slammed the NTS for crypto illiteracy, comparing it to "leaving a safe wide open for public plunder." Local reports noted subsequent chaos—one hacker allegedly returned funds, only for another to steal them again, pushing losses toward 6.9 billion won. 

In response, the NTS yanked the images, issued a full apology admitting fault for "careless vividness," and called in police for a cyber probe. Deputy PM Koo Yun-cheol announced multi-agency reviews by the Financial Services Commission to overhaul seizure protocols. This follows prior embarrassments, like police losing 22 BTC ($1.5 million) in a 2021 custody failure.

The incident underscores seed phrases' immense power in crypto security—irreversible access that demands ironclad protection. Governments worldwide must adopt air-gapped storage, expert audits, and redaction training for digital seizures. For users: etch seeds on metal, store offline, never snap photos. Such lapses risk taxpayer funds in the exploding crypto enforcement era.

Google Chrome Introduces Merkle Tree Certificates to Build Quantum-Resistant HTTPS

 

A fresh move inside Google Chrome targets long-term security of HTTPS links against risks tied to quantum machines. Instead of dropping standard X.509 certificates straight into the Chrome Root Store - ones using post-quantum methods - the team leans on an alternate design path. Speed stays high, system growth remains smooth, thanks to this structural twist shaping how protection rolls out online. 

The decision comes from Chrome’s Secure Web and Networking Team: conventional post-quantum X.509 certificates won’t enter the root program right now. Rather than adopt them outright, Google works alongside others on a different path - Merkle Tree Certificates (MTCs). Progress unfolds inside the PLANTS working group, shifting how HTTPS verification could function down the line. 

One way to look at MTCs, according to Cloudflare, is as an updated framework for how online trust systems operate today. Instead of relying on long chains of verification, these models aim to cut down excess - fewer keys, fewer signatures traded when devices connect securely. A key feature involves certification authorities signing just one root structure, known as a Tree Head, which stands in for vast groups of individual certificates. During a web visit, the user's browser gets a small cryptographic note confirming the site’s credentials live inside that larger authenticated structure. Rather than pulling multiple files across networks, only minimal evidence travels each time. 

One way this setup works is by fitting new quantum-resistant codes without needing much extra data flow. Large certificates often grow bulkier when using tougher encryption methods. Instead of linking security directly to file size, these compact certificates help maintain speed during secure browsing. With less information needed at connection start, performance stays high even under upgraded protection levels. 

Testing of MTCs is now happening, using actual internet data flows, alongside a step-by-step introduction schedule that runs until 2027. Right now, the opening stage focuses on checking viability through joint work with Cloudflare, observing how things run when exposed to active TLS environments. Instead of waiting, preparations are shifting ahead - by early 2027, those running Certificate Transparency logs, provided they had at least one accepted by Chrome prior to February 1, 2026, may join efforts to kickstart broader MTC availability. Moving forward, around late 2027, rules for admitting CAs into Google's new quantum-safe root store should be set, a system built only to handle MTC certificates. 

A shift like this one sits at the core of Google's approach to future-proofing online security. Rather than wait, the team is rebuilding trust systems so they handle both emerging risks and current efficiency needs. With updated certificates in place, stronger defenses can spread faster across services. Speed does not take a back seat - performance stays aligned with how people actually use browsers now.

Featured