Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

China Based Hackers Attack Telco With New Malware

A China-based advanced persistent cyber criminal tracked as UAT-9244 has been attacking telecommunication service providers in South America...

All the recent news you need to know
Malware Attack
AI Risks APT36 APT36 Cyber Espionage APT36 hackers Cloud Security cyber espionage Cyber Espionage Campaign Cyber Security Google Sheets API abuse Malware Attack

APT36 Uses AI-Generated “Vibeware” Malware and Google Sheets to Target Indian Government Networks

 

Researchers at Bitdefender have uncovered a new cyber campaign linked to the Pakistan-aligned threat group APT36, also known as Transparent Tribe. Unlike earlier operations that relied on carefully developed tools, this campaign focuses on mass-produced AI-generated malware. Instead of sophisticated code, the attackers are pushing large volumes of disposable malicious programs, suggesting a shift from precision attacks to broad, high-volume activity powered by artificial intelligence. Bitdefender describes the malware as “vibeware,” referring to cheap, short-lived tools generated rapidly with AI assistance. 

The strategy prioritizes quantity over accuracy, with attackers constantly releasing new variants to increase the chances that at least some will bypass security systems. Rather than targeting specific weaknesses, the campaign overwhelms defenses through continuous waves of new samples. To help evade detection, many of the programs are written in lesser-known programming languages such as Nim, Zig, and Crystal. Because most security tools are optimized to analyze malware written in more common languages, these alternatives can make detection more difficult. 

Despite the rapid development pace, researchers found that several tools were poorly built. In one case, a browser data-stealing script lacked the server address needed to send stolen information, leaving the malware effectively useless. Bitdefender’s analysis also revealed signs of deliberate misdirection. Some malicious files contained the common Indian name “Kumar” embedded within file paths, which researchers believe may have been placed to mislead investigators toward a domestic source. In addition, a Discord server named “Jinwoo’s Server,” referencing a popular anime character, was used as part of the infrastructure, likely to blend malicious activity into normal online environments. 

Although some tools appear sloppy, others demonstrate more advanced capabilities. One component known as LuminousCookies attempts to bypass App-Bound Encryption, the protection used by Google Chrome and Microsoft Edge to secure stored credentials. Instead of breaking the encryption externally, the malware injects itself into the browser’s memory and impersonates legitimate processes to access protected data. The campaign often begins with social engineering. Victims receive what appears to be a job application or resume in PDF format. Opening the document prompts them to click a download button, which silently installs malware on the system. 

Another tactic involves modifying desktop shortcuts for Chrome or Edge. When the browser is launched through the altered shortcut, malicious code runs in the background while normal browsing continues. To hide command-and-control activity, the attackers rely on trusted cloud platforms. Instructions for infected machines are stored in Google Sheets, while stolen data is transmitted through services such as Slack and Discord. Because these services are widely used in workplaces, the malicious traffic often blends in with routine network activity. 

Once inside a network, attackers deploy monitoring tools including BackupSpy. The program scans internal drives and USB storage for specific file types such as Word documents, spreadsheets, PDFs, images, and web files. It also creates a manifest listing every file that has been collected and exfiltrated. Bitdefender describes the overall strategy as a “Distributed Denial of Detection.” Instead of relying on a single advanced tool, the attackers release large numbers of AI-generated malware samples, many of which are flawed. However, the constant stream of variants increases the likelihood that some will evade security defenses. 

The campaign highlights how artificial intelligence may enable cyber groups to produce malware at scale. For defenders, the challenge is no longer limited to identifying sophisticated attacks, but also managing an ongoing flood of low-quality yet constantly evolving threats.
Read more »
Passaic County
IT Systems malware New Jersey Passaic County

Malware Attack Cripples Passaic County Phones and IT Systems

 

A malware attack has disrupted government services in Passaic County, New Jersey, knocking out key IT systems and phone lines that serve nearly 600,000 residents across the region. Officials say they are working with state and federal partners to investigate the incident and restore critical communications as quickly as possible.

The disruption began midweek, when county phones suddenly stopped working and a service alert warned that all lines were “currently down,” leaving residents unable to reach many government offices by telephone. The outage has extended beyond a brief glitch, with phone issues lingering into the following day as technical teams assess the scope of the compromise. In public statements, the county has confirmed that a malware attack is affecting its IT infrastructure and impacting phone lines but has released few technical details about the nature of the malicious software involved. 

Passaic County leaders emphasize that they are collaborating closely with both federal and state authorities to investigate and contain the attack, reflecting growing concern over cyber threats to local government systems. Agencies are working to determine how attackers gained access, what systems were affected, and whether any data was stolen, altered, or encrypted.Officials have not yet said whether emergency services such as 911 or dispatch operations were impacted, nor have they confirmed if any personal information of residents has been compromised.

This incident comes amid a broader wave of cyberattacks targeting smaller municipalities and public institutions, as criminals shift focus away from the larger metropolitan governments and corporations that hardened their defenses in recent years. Experts note that local governments often rely on aging infrastructure and limited cybersecurity resources, making them appealing targets for malware campaigns that can disrupt daily operations for thousands of residents. Recent attacks on other New Jersey jurisdictions and hospitals across the country have led to extended outages, raising alarms about the resilience of public services in the face of persistent digital threats.

For Passaic County residents, the immediate impact is practical and personal: difficulty reaching county offices, confusion about service availability, and uncertainty over potential exposure of sensitive data. Authorities have urged patience as investigations continue and pledged to share updates once systems are fully restored and more is known about the attack’s origin and impact.The episode underscores the need for stronger cybersecurity investments at the local level, from securing phone and network infrastructure to training staff against phishing and other common malware entry points.
Read more »
Wordpress Vulnerability
Cyber Security cyber threat Plugin Privilege Escalation Website Takeover Risk WordPress Security Flaw Wordpress Vulnerability

Newly Discovered WordPress Plugin Bug Enables Privilege Escalation to Admin


 

With WordPress, millions of websites depend on its convenience, but it also includes a complex web of extensions, which quietly handle everything from user onboarding to payment-based membership. In addition to simplifying site management and extending functionality, these plugins often work with deep integration into the platform's authentication and permission systems.

If any minor mistake is made within this layer, the consequences can extend far beyond a routine software malfunction. Having recently discovered a security flaw in a widely deployed membership management plugin, attention has been drawn to this fragile intersection between functionality and security, showing how external parties could bypass normal security safeguards by bypassing the user registration process and achieving the highest level of administrative privileges. 

An issue that affects affected sites is not simply one of technical misconfiguration, but also one that may allow unauthorized actors to take complete control of the website. In the past few years, WordPress has been powered by a robust ecosystem of plugins, enabling everything from membership portals to subscription-based services with minimal technical effort. 

Nevertheless, when input validation and access controls are not carefully applied, this same flexibility can pose subtle security risks. Recent disclosures of a vulnerability in a widely used membership plugin highlight this fragile balance, which opens the door to a possible takeover of tens of thousands of WordPress installations. 

It has been confirmed that malicious actors have already exploited the vulnerability, tracked as CVE-2026-1492, by manipulating account roles during the sign-up process, granting them administrator-level privileges without authentication and effectively gaining full control over affected sites through exploiting a flaw in the plugin's registration process.

It is estimated that the vulnerability affects more than 60,000 websites using WPEverest's User Registration & Membership plugin. As a result, the plugin fails to properly validate role parameters entered during registration, which leads to the issue. 

Unauthenticated attackers can tamper with this input to assign elevated privileges to newly created accounts, bypassing the intended permission restrictions, allowing them to register directly as site administrators. By obtaining such access, attackers can install malicious plugins, alter site content, extract sensitive information, such as user databases, embed hidden malware within the website infrastructure, or alter site content after obtaining such access.

Consequently, the consequences of privilege escalation are particularly severe within the WordPress permission framework, in which administrator accounts are granted unrestricted access to virtually all website functionality. Those who gain access to this level of the system can modify themes and plugins, modify PHP code, alter security settings, and even remove legitimate administrators.

In practical terms, a compromised website can become a controlled asset that can be used for further malicious activities, such as malware distribution or unauthorized data harvesting from registered users or visitors. After the vulnerability was publicly disclosed, Defiant researchers, the company behind the widely used Wordfence security plugin, reported observing attempts to exploit the vulnerability. 

Over two hundred malicious requests attempting to exploit CVE-2026-1492 were blocked within a 24-hour period by monitoring across protected environments, indicating that the flaw has been rapidly incorporated into automated attacks. As a result of the vulnerability, all versions of the plugin up to version 5.1.2. are vulnerable. 

Developers have since released a fix to address the issue, first in version 5.1.3 and then in version 5.1.4. This version also has additional stability and security improvements. Consequently, administrators are strongly advised to upgrade as soon as possible to the latest version, or temporarily disable the plugin if patch deployment cannot be completed promptly. 

It has been reported by Wordfence that CVE-2026-1492 is the most severe vulnerability to date in the plugin. Additionally, this incident reflects an ongoing trend in which attackers systematically scan the WordPress ecosystem for exploitable plugin vulnerabilities. In addition to distributing malware and hosting phishing campaigns, compromised websites are frequently used to operate command-and-control infrastructure, proxy malicious traffic, or store data stolen from others. 

Similar patterns were observed earlier in January 2026 when threat actors exploited another critical vulnerability, CVE-2026-23550, affecting the Modular DS WordPress plugin and allowing remote authentication bypass with administrator access. 

In incidents such as these, security risks remain prevalent in platforms powered by plugins such as WordPress, where a single mistake in access control can result in the compromise of thousands of websites. Since the vulnerability is so severe and exploitation attempts have already surfaced so quickly, security experts emphasize the importance of taking immediate defensive action.

Website operators are advised to review installed plugins, apply available security updates as soon as possible, and implement monitoring mechanisms that will detect any suspicious administrative activity or unauthorized account creation. By conducting regular security audits, following the principle of least privilege, and employing reputable security plugins, similar threats can be significantly reduced. 

In general, the incident illustrates the importance of maintaining continuous vigilance, timely patch management, and disciplined configuration practices to ensure that widely used plugins do not become entry points into large-scale attacks. It is crucial that the operational convenience offered by extensible platforms like WordPress is balanced with continuous vigilance and timely patch management.
Read more »
Vulnerabilities and Exploits
Cisco breach firewall management Security Flaws Vulnerabilities and Exploits

Hackers Exploit Two Vulnerabilities in Cisco SD-WAN Manager

 



Cisco Systems has confirmed that attackers are actively exploiting two security flaws affecting its Catalyst SD-WAN Manager platform, previously known as SD-WAN vManage. The company disclosed that both weaknesses are currently being abused in real-world attacks.

The vulnerabilities are tracked as CVE-2026-20122 and CVE-2026-20128, each presenting different security risks for organizations operating Cisco’s software-defined networking infrastructure.

The first flaw, CVE-2026-20122, carries a CVSS score of 7.1 and is described as an arbitrary file overwrite vulnerability. If successfully exploited, a remote attacker with authenticated access could overwrite files stored on the system’s local file structure. Exploitation requires the attacker to already possess valid read-only credentials with API access on the affected device.

The second vulnerability, CVE-2026-20128, has a CVSS score of 5.5 and involves an information disclosure issue. This flaw could allow an authenticated local user to escalate privileges and obtain Data Collection Agent (DCA) user permissions on a targeted system. To exploit the vulnerability, the attacker must already have legitimate vManage credentials.

Cisco released fixes for these issues late last month. The patches also addressed additional vulnerabilities identified as CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133.

The company provided updates across multiple software releases. Systems running versions earlier than 20.9.1 should migrate to a patched release. Fixes are available in the following versions:

  • Version 20.9 → fixed in 20.9.8.2
  • Version 20.11 → fixed in 20.12.6.1
  • Version 20.12 → fixed in 20.12.5.3 and 20.12.6.1
  • Version 20.13 → fixed in 20.15.4.2
  • Version 20.14 → fixed in 20.15.4.2
  • Version 20.15 → fixed in 20.15.4.2
  • Version 20.16 → fixed in 20.18.2.1
  • Version 20.18 → fixed in 20.18.2.1

According to Cisco’s Product Security Incident Response Team, the company became aware in March 2026 that CVE-2026-20122 and CVE-2026-20128 were being actively exploited. Cisco did not disclose how widespread the attacks are or who may be responsible.

Additional insights were shared by researchers at watchTowr. Ryan Dewhurst, the firm’s head of proactive threat intelligence, reported that the company observed exploitation attempts originating from numerous unique IP addresses. Investigators also identified attackers deploying web shells, malicious scripts that allow remote command execution on compromised systems.

Dewhurst noted that the most significant surge in attack activity occurred on March 4, with attempts recorded across multiple global regions. Systems located in the United States experienced slightly higher levels of activity than other areas.

He also warned that exploitation attempts are likely to continue as additional threat actors begin targeting the vulnerabilities. Because both opportunistic and coordinated attacks appear to be occurring, Dewhurst said any exposed system should be treated as potentially compromised until proven otherwise.

Security experts emphasize that SD-WAN management platforms function as centralized control hubs for enterprise networks. As a result, vulnerabilities affecting these systems can carry heightened risk because they may allow attackers to manipulate network configurations or maintain persistent access across multiple connected sites.

In response to the ongoing attacks, Cisco advises organizations to update affected systems immediately and implement additional security precautions. Recommended actions include restricting administrative access from untrusted networks, placing devices behind properly configured firewalls, disabling the HTTP interface for the Catalyst SD-WAN Manager administrator portal, turning off unused services such as HTTP or FTP, changing default administrator passwords, and monitoring system logs for suspicious activity.

The disclosure follows a separate advisory issued a week earlier in which Cisco reported that another flaw affecting Catalyst SD-WAN Controller and SD-WAN Manager — CVE-2026-20127, rated 10.0 on the CVSS scale had been exploited by a sophisticated threat actor identified as UAT-8616 to establish persistent access within high-value organizations.

This week the company also released updates addressing two additional maximum-severity vulnerabilities in Secure Firewall Management Center. The flaws, tracked as CVE-2026-20079 and CVE-2026-20131, could allow an unauthenticated remote attacker to bypass authentication protections and execute arbitrary Java code with root-level privileges on affected systems.

Read more »
fault-tolerant quantum computing
Computing Cryptography cryptography risk Cyber Security Cyberattacks fault-tolerant quantum computing

Quantum Cybersecurity Risks Rise as Organizations Prepare for Post-Quantum Cryptography

 

Security experts often trust encrypted data since today's cryptography aims to block unapproved users. Still, some warn new forms of computation might one day weaken common encryption techniques. Even now, as quantum machines advance, potential threats are starting to shape strategies for what comes after today’s security models. 

A rising worry for some cybersecurity professionals involves what they call "harvest now, decrypt later." Rather than cracking secure transmissions at once, attackers save encoded information today, waiting until conditions improve. When machines powered by quantum computing reach sufficient strength, old ciphers may unravel overnight. Data believed safe could then spill into view years after being taken. Such delays in threats make preparation harder to justify before damage appears. 

This threat weighs heavily on institutions tasked with protecting sensitive records over long durations. Finance, public administration, health services, and digital infrastructure sectors routinely manage details requiring protection across many years. When coded messages get captured today and kept aside, future advances in quantum machines might unlock them later. What worries experts is how current encryption often depends on math challenges too tough for regular computers to crack quickly. Built around this idea are systems like RSA and elliptic curve cryptography. 

Yet quantum machines might handle specific intricate computations much faster than conventional ones. That speed could erode the security these common encryption methods now provide. Facing new risks, experts in cybersecurity now push forward with post-quantum methods. Security built on these models holds up under extreme computing strength - like that of quantum machines. A growing favorite? Hybrid setups appear more often, linking older ciphers alongside fresh defenses ready for future attacks. With hybrid cryptography, companies boost protection without abandoning older tech setups. 

Instead of full system swaps, new quantum-resistant codes mix into present-day encryption layers. Slow shifts like these ease strain on operations yet build stronger shields for future threats. One of the recent additions to digital security is ML-KEM, built to withstand threats posed by future quantum machines. Though still emerging, this method works alongside existing encryption instead of replacing it outright. As processing power grows, blending such tools into current systems helps maintain protection over time. Progress here does not erase older methods but layers new defenses on top. Even now, early adoption supports long-term resilience without requiring immediate overhaul. 

One step at a time, security specialists stress the need for methodical planning ahead of the quantum shift. What often gets overlooked is which data must stay secure over many years, so mapping sensitive information comes first. After that, reviewing existing encryption methods across IT environments helps reveal gaps. Where needed, combining classical and post-quantum algorithms slowly becomes part of the solution. Tracking all crypto tools in use supports better oversight down the line. Staying aligned with new regulations isn’t optional - it’s built into the process from the start. 

Even while stronger encryption matters, defenses cannot rely on math alone. To stay ahead, teams need ways to examine encrypted data streams without weakening protection. Watching for risks demands consistent oversight within tangled network setups. Because trust is never assumed today, systems built around verification help sustain both access checks and threat spotting. Such designs make sure safeguards work even when connections are hidden. 

When companies start tackling these issues, advice from specialists often highlights realistic steps for adapting to quantum-safe protections. Because insights spread through training programs, conversations among engineers emerge that clarify risk assessment methods. While joint efforts across sectors continue growing, approaches to safeguarding critical data gradually take shape in response. 

A clearer path forward forms where knowledge exchange meets real-world testing. Expectations grow around how quantum computing might shift cybersecurity in the years ahead. Those who prepare sooner, using methods resistant to quantum risks, stand a better chance at safeguarding information. Staying secure means adjusting before changes arrive, not after they disrupt. Progress in technology demands constant review of protection strategies. Forward-thinking steps today could define resilience tomorrow.
Read more »
Windows
AI BadPaw Cloud Data malware Windows

BadPaw Malware Targets Uranian Systems


A newly found malware campaign exploiting a Ukrainian email service to build trust has been found by cybersecurity experts. 

About the campaign 

The operation starts with an email sent from an address hosted on ukr[.]net, a famous Ukrainian provider earlier exploited by the Russia based hacking group APT28 in older campaigns.

BadPaw malware 

Experts at ClearSky have termed the malware “BadPaw.” The campaign starts when a receiver opens a link pretending to host a ZIP archive. Instead of starting a direct download, the target is redirected to a domain that installs a tracking pixel, letting the threat actor to verify engagement. Another redirect sends the ZIP file. 

The archive pretends to consist of a standard HTML file, but ClearSky experts revealed that it is actually an HTA app in hiding. When deployed, the file shows a fake document related to a Ukrainian government border crossing request, where malicious processes are launched in the background. 

Attack tactic 

Before starting, the malware verifies a Windows Registry key to set the system's installation date. If the OS is older than ten days, deployment stops, an attack tactic that escapes sandbox traps used by threat analysts. 

If all the conditions are fulfilled, the malware looks for the original ZIP file and retrieves extra components. The malware builds its persistence via a scheduled task that runs a VBS script which deploys steganography to steal hidden executable code from an image file. 

Only nine antivirus engines could spot the payload at the time of study. 

Multi-Layered Attack

After activation within a particular parameter, BadPaw links to a C2 server. 

The following process happens:

Getting a numeric result from the /getcalendar endpoint. 

Gaining access to a landing page called "Telemetry UP!” through /eventmanager. 

Downloading the ASCII-encoded payload information installed within HTML. 

In the end, the decrypted data launches a backdoor called "MeowMeowProgram[.]exe," which offers file system control and remote shell access. 

Four protective layers are included in the MeowMeow backdoor: runtime parameter constraints, obfuscation of the.NET Reactor, sandbox detection, and monitoring for forensic tools like Wireshark, Procmon, Ollydbg, and Fiddler.

Incorrect execution results in a benign graphical user interface with a picture of a cat. The "MeowMeow" button only displays a harmless message when it is clicked.

Read more »
Subscribe to: Comments (Atom)

Featured