Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

China-Linked Hackers Exploit Middle East Conflict to Launch Cyberattacks on Qatar

  A recent investigation by Check Point Research has uncovered a surge in cyberattacks targeting Qatar, orchestrated by China-linked threat...

All the recent news you need to know
enterprise cybersecurity
Attack Vectors AWS AWS security report Cyber Attacks data security Enterprise Cyber Risk enterprise cybersecurity

AWS Bedrock Security Risks Exposed as Researchers Identify Eight Key Attack Vectors

 

Unexpectedly, Amazon Web Services’ Bedrock - built for crafting AI-driven apps - is drawing sharper attention from cybersecurity experts. Several exploit routes have emerged, threatening to reveal corporate infrastructure. Although the system smooths links between artificial intelligence models and company software, such fluid access now raises alarms. Because convenience widens exposure, what helps operations may also invite intrusion.  

Eight ways into Bedrock setups emerge from XM Cyber’s analysis. Not the models but their access settings, setup choices, and linked tools draw attacker focus. Threats now bend toward structure gaps instead of core algorithms. How risks grow changes shape - seen here in surrounding layers, not beneath. 

What makes the risk stand out isn’t just technology - it’s how Bedrock links directly to systems like Salesforce, AWS Lambda, and Microsoft SharePoint. Because of these pathways, AI agents pull in confidential information while performing actions across business environments. Operation begins once integration takes hold, placing automated units at the heart of company workflows. 

A significant type of threat centers on altering logs. When attackers gain entry to storage platforms such as Amazon S3, they may collect confidential prompts - alternatively, reroute records to outside destinations, allowing unseen data transfers. Sometimes, erasing those logs follows, wiping evidence of wrongdoing entirely. 

Starting differently each time helps clarity. Access points through knowledge bases create serious risks. Using retrieval-augmented generation, Bedrock pulls information from places like cloud storage, internal databases, or SaaS tools. When hackers obtain entry to those systems - or the login details tied to them - they skip past the AI completely. Getting in this way lets them grab unfiltered company data. Movement across linked environments also becomes possible. 

Though designed to assist, AI agents may become entry points for compromise. When given broad access, bad actors might alter an agent's directives, link destructive modules, or slip corrupted scripts into backend systems. Such changes let them perform illicit operations - editing records or generating fake profiles - all while appearing like normal activity. What seems like automation could mask sabotage beneath routine tasks. One risk involves changing how workflows operate. 

When Bedrock Flows get modified, information may flow through harmful components instead of secure paths. In much the same way, tampering with safeguards - those filters meant to block unsafe content - opens doors to deceptive inputs. Without strong barriers, systems face higher chances of being tricked or misused. Prompt management systems tend to become vulnerable spots. Because templates move between apps, harmful directions might slip through - reshaping how AIs act broadly, without needing new deployments, which hides activity longer. 

Security teams worry most about small openings turning into big breaches. Though minimal, access might be enough for intruders to boost their permissions. One identity granted too much control could become a pathway inward. Instead of broad attacks, hackers exploit these narrow points deeply. They pull out sensitive information once inside. Control over AI systems may shift without warning. Cloud setups face risks just like local networks do. 

Although researchers highlight visibility across AI tasks, tight access rules shape secure Bedrock setups. Because machine learning tools now live inside core business software, defenses increasingly target system architecture instead of algorithm accuracy.
Read more »
RMW
Cyber Fraud IRS Microsoft Phishing scam RMW

Microsoft Alerts 29,000 Users Hit by IRS-Themed Phishing Wave

 

Microsoft is warning of a major IRS‑themed phishing wave that hit 29,000 users in a single day, using tax‑season panic to steal credentials and deploy remote access malware. The campaigns piggyback on the urgency of the U.S. tax season, sending emails that pretend to be refund notices, payroll forms, filing reminders, or messages from tax professionals to pressure recipients into acting quickly.

According to Microsoft Threat Intelligence and Defender researchers, some lures target regular taxpayers for financial data, while others focus on accountants and professionals who routinely handle sensitive tax documents and are used to receiving legitimate tax‑related mail.Many of these messages direct users either to phishing pages built on Phishing‑as‑a‑Service platforms like the Energy365 kit or to downloads that silently install remote monitoring and management (RMM) tools. 

In one large campaign unearthed on February 10, 2026, more than 29,000 users across 10,000 organizations were targeted in just a day, with about 95% of victims located in the U.S. The emails impersonated the Internal Revenue Service and claimed that irregular tax returns had been filed under the recipient’s Electronic Filing Identification Number, pushing them to urgently review those returns. Sectors hit hardest included financial services, technology and software, and retail and consumer goods, reflecting the high value of the data and access that successful compromises could deliver to attackers. 

Victims were instructed to download a supposed “IRS Transcript Viewer” via a button labeled “Download IRS Transcript View 5.1,” which actually redirected to smartvault[.]im, a domain posing as legitimate document platform SmartVault. The site used Cloudflare protections so that automated scanners saw a benign front, while real users received a maliciously packaged ScreenConnect installer that gave attackers remote access to their systems. Once installed, this RMM tooling enabled data theft, credential harvesting, and further post‑exploitation such as lateral movement or deploying additional malware. 

Microsoft also highlights related tax‑themed tactics: CPA‑style lures tied to the Energy365 phishing kit, bogus tax‑themed domains that push ScreenConnect, and cryptocurrency‑tax emails that impersonate the IRS and distribute ScreenConnect or SimpleHelp via malicious domains like “irs-doc[.]com” and “gov-irs216[.]net.” In some cases, attackers emailed accountants and organizations asking for help filing taxes, then funneled them to Datto RMM installers under the guise of sharing documentation. Collectively, these methods show a trend of abusing legitimate RMM platforms for stealthy, persistent access instead of relying solely on traditional malware. 

To defend against these threats, Microsoft advises organizations to enforce two‑factor authentication on all accounts, implement conditional access policies, and harden email security to better scan attachments, links, and visited websites. They also recommend blocking access to known malicious domains, monitoring networks and endpoints for unauthorized RMM tools like ScreenConnect, Datto, and SimpleHelp, and educating users—especially finance and tax staff—on spotting urgent, tax‑themed emails that request downloads or credentials.
Read more »
Phishing Campaigns
Callback Phishing Cloud Security Threats Cyber Attacks Cyber Threat Intelligence Email Authentication Bypass Enterprise Security Risks Microsoft Azure Monitor Phishing Campaigns

Cybercriminals Misuse Microsoft Azure Monitor Alerts for Phishing Operations


Using trusted enterprise monitoring systems as a tool for credentialing their deception, threat actors have begun to make a subtle but highly effective shift in phishing tradecraft. Through the use of Microsoft Azure Monitor alerting mechanisms, attackers are orchestrating callback phishing campaigns that blur the line between legitimate security communication and malicious activity. 


Organizations commonly rely upon these alerts to monitor system health and security events in real time, but they are now being repurposed to convey a false sense of urgency, encouraging recipients to initiate contact with attacker-controlled telephone numbers. 

By using messages originating from authentic Microsoft infrastructure, the tactic represents a significant improvement over conventional phishing, thereby evading many of the technical and psychological safeguards users have been trained to rely on. 

Microsoft Azure Monitor is now one of a growing number of legitimate enterprise tools increasingly repurposed to facilitate phishing operations, joining a growing roster of legitimate enterprise tools. The platform is widely deployed to aggregate telemetry across applications and infrastructure, which assists organizations in tracking performance metrics, uncovering anomalies, and responding to operational disruptions in real time. The adversaries are now exploiting precisely this trusted functionality. 

The service is reporting that users are receiving alert emails directing them to purported "suspicious charges" or irregular "invoice activity" based upon recent activity. In order to ensure that such notifications merge seamlessly into routine administrative workflows, they align closely with the types of events that are flagged by the platform, making it extremely difficult to distinguish them from real alerts and increasing the likelihood that users will engage with them. 

In the last several weeks, a noticeable increase in such activity has been observed, with multiple individuals reporting receiving alert notifications that alerts were received warning of suspicious charges or anomalous billing events connected to their accounts.

To strengthen the authenticity of these messages, they often incorporate fabricated transaction metadata, such as merchant identifiers, transaction IDs, timestamps, and dollar amounts, to mirror legitimate security advisories. Upon receiving the message, recipients are urged to immediately act under the pretext of fraud prevention, typically by contacting a designated support number allegedly relating to the account security department. 

In order to prompt quick response by users, the language employed is deliberately urgent yet procedural, implying risks of account suspension or additional financial exposure. Unlike more conventional phishing attempts, this campaign is distinguished not only by the narrative sophistication it contains, but also by the delivery mechanism it employs. 

Alerts are sent directly through Microsoft Azure Monitor using legitimate Microsoft-associated email channels, including standard no-reply addresses, rather than through spoofed domains or lookalike infrastructure. These communications, as a result, successfully satisfy email authentication protocols such as SPF, DKIM, and DMARC, which enable them to pass through secure email gateways without raising typical red flags. 

By combining technical legitimacy and social engineering precision, this attack is elevated significantly in credibility, complicating both automated detection and user-driven scrutiny of the attack. The campaign reveals a deliberate use of Microsoft Azure Monitor's configurability as a basis for generating alerts based on predefined conditions across applications, infrastructure, and billing workflows. 

Users can create alert rules related to routine operational events, such as the confirmation of orders, the processing of payments, and the creation of invoices, in order to create granular alert rules. As a result of this flexibility, threat actors are embedding malicious content directly within alert metadata, primarily in custom description fields, which are normally used as administrative context fields. 

After establishing these rules, the alerts will be triggered programmatically and routed through distribution lists controlled by the attacker, allowing broad dissemination while maintaining the appearance that the system has generated the alert. 

In addition to benign-looking system events such as resource utilization spikes or storage constraints, the content of these notifications is deliberately varied, incorporating a variety of financial-oriented messages referencing successful fund transfers or billing updates in a format aligned with the standard Microsoft alert template format.

A deliberate pivot toward callback-based social engineering is the cornerstone of this operation, which shifts the point of compromise from an inbox to a controlled voice interaction, shifting the point of compromise to the telephone.

By instructing recipients to contact a designated support number instead of embedding malicious links, the alerts circumvent traditional URL-based detection mechanisms by preventing recipients from contacting malicious links. In their messaging, immediacy is consistently emphasized, citing potential account suspensions, financial penalties, or pending transaction verifications as a means to compel immediate response.

Researchers who have observed similar campaigns note that the victim is often guided through a sequence of steps designed to escalate access, from revealing credentials and authorizing payments to installing remote access utilities. 

Ultimately, such interactions can facilitate deeper intrusions into corporate environments, resulting in the exposure to persistent unauthorized access and system compromise that extends beyond initial fraud. Additionally, the campaign's operational scope demonstrates its calculated design, as attackers mimic routine billing notifications generated within enterprise environments using a variety of alert categories, primarily those related to invoicing and payments.

When alerts are aligned with familiar financial processes, they are more likely to evade suspicion during initial evaluation when they have a thematic structure. Through consistent insertion of urgency-driven language in the email, recipients are compelled to contact the recipients using the embedded phone numbers in an effort to resolve time-sensitive account discrepancies. 

This interaction presents multiple avenues for exploitation, including credential harvesting, fraudulent transaction authorization, and the deployment of remote access tools, which can further establish attacker footholds within the targeted system. 

A defensive approach to billing that involves alerts originating from platforms such as Microsoft Azure Monitor or associated Microsoft services should be viewed with heightened scrutiny, especially if the alerts deviate from standard operational patterns by containing direct support contact instructions or urgent financial remediation requests.

A security practitioner emphasizes the importance of independently verifying the legitimacy of such communications before taking action. As the alerts are enterprise-centric, there is a strong probability that the activity is not limited to isolated financial fraud, but may also serve as an initial point of entry for broader intrusion chains targeting corporate networks, in addition to isolated financial fraud. 

Considering these findings, organizations should reevaluate the implicit trust placed in system-generated communications, specifically those that originate from widely adopted cloud platforms, such as Microsoft Azure Monitor.

Teams responsible for security should focus on implementing contextual alert validation mechanisms, educating users about callback-based attacks, and implementing more restrictive rules for creating and distributing alerts within cloud environments. 

The establishment of verification protocols requiring users to confirm the legitimacy of billing or security-related notifications through official channels rather than relying on embedded contact information is equally important.

It is increasingly evident that adversaries will continue to exploit the convergence of trusted infrastructure and human response behaviors as well as the ability of an organization to critically assess its own operational signals in order to remain resilient.
Read more »
Telus Digital
Data Breach Data Exposure Microsoft 365 Salesforce ShinyHunters Telus Digital

Telus Digital Faces Scrutiny Following Claims of Large-Scale Data Extraction

 



Canadian outsourcing and digital services firm Telus Digital has confirmed that it experienced a cybersecurity incident after threat actors alleged they had extracted an enormous volume of data, estimated at nearly one petabyte, over a prolonged period of unauthorized access.

Telus Digital operates as the outsourcing and digital solutions division of Telus. The company provides services such as customer support, content moderation, artificial intelligence data operations, and other business process outsourcing functions to organizations around the world. Because firms in this sector often manage customer interactions, billing systems, and internal authentication tools on behalf of multiple clients, they are frequently targeted by attackers aiming to gain access to large datasets through a single compromise.

The breach has been linked to a threat group known as ShinyHunters, which claims it obtained a wide range of customer-related data connected to Telus Digital’s outsourcing services, along with call records tied to Telus’ consumer telecommunications operations.

Reports about a possible breach had surfaced earlier this year, and inquiries were made to the company at the time, though no response was received then. Telus has now acknowledged the incident, stating that it is investigating what information may have been accessed and which customers could be affected.

In its official statement, the company said unauthorized access was identified in a limited number of systems. It added that immediate steps were taken to contain the activity and prevent further intrusion. Telus also stated that its operations remain fully functional, with no evidence of disruption to customer connectivity or services. The company confirmed that external cyber forensics specialists have been engaged and that law enforcement authorities are involved. It further noted that additional safeguards have been implemented and that affected customers will be notified where appropriate.

Sources indicated that the attackers attempted to extort the company, but Telus did not engage in communication with them.


Attack Method and Data Exposure Claims

After learning that the company was not negotiating, the attackers were contacted for further details regarding the incident.

According to their claims, the intrusion began with access to Google Cloud Platform credentials that were previously exposed in data linked to the Salesloft Drift breach. In that earlier incident, attackers extracted Salesforce data belonging to approximately 760 organizations, including customer support tickets. These records were then examined to locate credentials, authentication tokens, and other sensitive information, which could be reused to access additional systems.

The threat actors stated that they identified credentials associated with Telus within that dataset. These credentials allegedly enabled them to access multiple internal systems, including a large BigQuery data environment. After extracting initial data, they reportedly used the tool trufflehog to scan for further secrets, allowing them to expand their access into additional parts of the company’s infrastructure.

The group claims that the total amount of data taken is close to one petabyte, though this figure has not been independently verified. They also shared the names of 28 well-known companies that they allege were affected. However, these claims have not been confirmed, and the identities of those organizations remain undisclosed.

The data described by the attackers covers a wide range of business operations. This includes information related to customer support services, call center activities, agent performance metrics, AI-powered support systems, fraud detection mechanisms, and content moderation processes. In addition, they claim to have accessed source code, financial records, Salesforce data, background verification documents, and recordings of customer service calls.

The breach is also said to affect Telus’ telecommunications operations, particularly its consumer fixed-line services. The allegedly exposed data includes detailed call logs, voice recordings, and campaign-related information. Samples of these call records reportedly contain timestamps, call durations, originating and receiving numbers, and technical metadata such as call quality indicators.

Overall, the nature of the exposed data appears to vary significantly depending on the organization, indicating that multiple business functions across different clients may have been impacted.

The attackers stated that they began extortion attempts in February, demanding $65 million in exchange for not releasing the stolen data. The company did not respond to these demands.

Telus has indicated that further updates may be provided as its investigation progresses.


Who Are ShinyHunters

The name ShinyHunters has been associated with various individuals and cyber incidents over time, but the group currently operating under this identity has emerged as one of the more active data extortion actors in recent months. Their operations have largely focused on compromising cloud-based platforms, particularly those connected to enterprise software ecosystems.

The group has been linked to incidents involving major organizations such as Google, Cisco, and Match Group, among others.

More recently, their tactics have expanded to include voice phishing, or vishing, attacks. In these cases, employees are contacted by individuals posing as IT support staff and are persuaded to reveal login credentials or multi-factor authentication codes through fraudulent websites. The group has also been observed using device code phishing techniques to obtain authentication tokens linked to identity platforms such as Microsoft Entra.

Once valid credentials and authentication codes are obtained, attackers can take control of single sign-on accounts and gain access to interconnected enterprise services, including Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox.


Security Implications

This incident reflects a broader trend in which attackers reuse previously stolen data to launch new intrusions. It also highlights the elevated risk associated with outsourcing providers that centralize sensitive operations for multiple organizations.

Cybersecurity experts increasingly note that modern attacks often occur in stages, where one breach creates opportunities for subsequent compromises. As businesses continue to rely on cloud platforms and third-party service providers, the potential scale and impact of such incidents continue to grow.

The situation is currently under investigation, and additional verified details are expected as more information surfaces.

Read more »
Ransomware attack
AiLock Cyber Attacks Double extortion England Hockey Ransomware attack

AiLock Ransomware Hits England Hockey: 129GB Data Breach Under Probe

 

England Hockey, the national governing body for field hockey in England, is grappling with a serious cybersecurity incident as the ransomware group AiLock claims responsibility for stealing 129GB of sensitive data.The organization, which supports over 800 clubs, 150,000 players, and thousands of coaches and officials, confirmed it is investigating the potential breach alongside law enforcement to assess system compromises and data impacts. AiLock listed England Hockey on its data leak site, threatening to publish the stolen files unless a ransom is paid, following a classic double-extortion tactic. 

This attack highlights the growing menace of ransomware targeting sports organizations, where vast databases of member information become prime targets.AiLock, a ransomware operation first observed in 2025 and documented by Zscaler researchers, employs sophisticated methods including ChaCha20 and NTRUEncrypt encryption, appending .AILock extensions to files and dropping ransom notes across directories.The group pressures victims with strict deadlines—72 hours to start negotiations and five days for payment—or faces data leaks and recovery tool destruction, often exploiting privacy law violations for leverage. 

England Hockey has prioritized data security in its response, engaging internal teams and external cybersecurity experts to evaluate the breach's scope amid ongoing uncertainty. While specifics on affected data remain undisclosed due to the investigation, the sheer volume of 129GB suggests potential exposure of personal records, club details, and operational files. The organization emphasized that understanding any data impacts is its top priority, urging caution without commenting further. 

Ransomware incidents like this expose organizations to immediate and secondary risks, including phishing, credential theft, and social engineering attacks fueled by leaked data claims. Sports bodies, often resource-constrained compared to corporate giants, face heightened vulnerabilities as cybercriminals increasingly target non-profits with high-profile memberships.AiLock's rise in 2025-2026 underscores a trend of newer groups adopting aggressive playbooks to infiltrate networks, exfiltrate data, and encrypt systems swiftly. 

As England Hockey navigates this crisis, the episode serves as a stark reminder for enhanced cybersecurity in amateur and community sports sectors. Proactive measures like regular backups, multi-factor authentication, and employee training could mitigate future threats, preventing disruptions to grassroots programs. With global warnings of AI-driven attacks on sporting events rising, swift collaboration with authorities may limit damage and deter further extortion. Ultimately, transparency post-investigation will be key to rebuilding trust among its vast community.
Read more »
Network Intrusion
Botnet Botnet attack Cyber Security CyberCrime Internet Routers Malware attacks Network Intrusion

Global Law Enforcement Disrupts SocksEscort Proxy Network Powered by AVRecon Malware

 

Federal and regional police units, working alongside independent digital security experts, took down the SocksEscort hacking infrastructure. This setup used hacked gateway gadgets - infected by AVRecon - to route illicit online traffic through hidden channels. 

A team at Black Lotus Labs, under Lumen Technologies, aided the takedown operation together with officials from the U.S. Department of Justice. Over multiple years, authorities found the proxy system kept around twenty thousand compromised gadgets active weekly - revealing both reach and staying power. 

SocksEscort first came into view back in 2023, though signs point to activity stretching well beyond ten years. Operation relied on offering entry to seemingly legitimate IP addresses - pulled from home and office network devices. Because these connections appeared ordinary, users could mask malicious data flows under normal ISP cover. Detection tools often failed, misled by the everyday digital footprint left behind. 

By early 2026, authorities reported the system had provided entry to vast numbers of IP addresses across its lifespan. Nearly 8,000 compromised routers remained operational at that point. Within the U.S., roughly a quarter of those devices were found scattered throughout the country. Though focused on one case, the ripple effects touched various forms of monetary misconduct. 

A trail led authorities to connect SocksEscort with nearly $1 million siphoned from digital wallets belonging to someone in New York. Separate findings showed about $700,000 lost due to deceptive schemes targeting an industrial company based in Pennsylvania. Victims among American military personnel also faced damage after personal banking records were breached, adding further strain. 

Dozens of domains and servers linked to the network were seized across Europe through joint efforts steered by Europol. Backing came from law enforcement agencies in Austria, France, and the Netherlands. Around $3.5 million in digital currency was blocked during the course of the mission. What powered the entire operation was AVRecon, a form of malicious software aimed at Linux-run home and small office routers. 

By June 2023, it had taken hold on over seventy thousand machines, forming a vast network of hijacked devices. This network served one purpose: strengthening the reach of SocksEscort. Analysts found something unusual - none of the affected IPs showed up in unrelated botnet activity, pointing toward tightly managed usage. Despite setbacks during early 2023 that briefly disrupted operations through severed command channels, the group managed recovery by reconstructing systems. Control returned via decentralized nodes rather than a single hub. Activity restarted months afterward with modified communication pathways. 

Early in 2025, more than 280,000 distinct IP addresses got caught up in the activity. Although infections spread globally, those based in the U.S. and the U.K. stood out - due to their appeal in hiding harmful network behavior. Outdated routers should be swapped out, many professionals suggest. Firmware updates come next on the list for staying protected. Default login details? Better revise them promptly. Remote functions that go unused tend to invite trouble - shutting those off helps block intrusions. Reducing exposure often begins with these small shifts. 

A single operation reveals how digital crime groups using hidden relay systems are expanding their reach. Global teamwork across borders proves essential to weaken such operations.
Read more »
Subscribe to: Comments (Atom)

Featured