Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

How a Brute-Force Attack Exposed a Wider Ransomware Ecosystem

  What initially appeared to be a routine brute-force alert ultimately revealed a far more complex ransomware-linked infrastructure, demonst...

All the recent news you need to know
Threat Intelligence
Advanced Persistent Threats Critical Infrastructure Security cyber espionage Cyber Security Cybersecurity EU Sanctions State Sponsored Attacks Threat Intelligence

Europe Targets Chinese and Iranian Entities in Response to Cyber Threats


 

Council of the European Union, in response to the escalation of state-linked cyber intrusions, has tightened its defensive posture by imposing targeted sanctions on a cluster of entities and individuals allegedly engaged in sophisticated digital attacks against European interests in a measured yet unmistakably firm manner. 

According to the Council, on behalf of the bloc's member states, this decision represents a broader strategic shift within the European Union, where cyber threats are increasingly treated as instruments of geopolitical pressure capable of compromising critical infrastructure, public trust, and economic stability rather than isolated technical disruptions. 

It was announced earlier this week that sanctions would extend beyond corporate entities and include senior leadership figures, indicating a desire to hold not only organizations, but also their decision-makers accountable for orchestrating or enabling malicious cyber activity. 

China's Integrity Technology Group and Anxun Information Technology Co., a company formerly known as iSoon, were among those names, along with Iranian entity Emennet Pasargad, who are believed to have participated directly in attacks against essential services and government networks. 

The inclusion of executives such as Wu Haibo and Chen Cheng further underscores the EU's evolving approach to cyber operations, one in which the traditional veil of denial is pierced. 

The European Union attempts to reset deterrence in cyberspace by formally assigning responsibility and imposing economic and legal constraints, where attribution is a challenging task, accountability is often elusive, and the consequences of inaction continue to increase with each successive breach by establishing a new standard of deterrence. 

European authorities have also focused attention on Anxun Information Technology Co., commonly referred to as I-Soon. The company appears to be closely connected to Chinese domestic security apparatuses, particularly the Ministry of Public Security. Despite its formal positioning as a commercial company, Huawei has long been associated with cyber operations aligned with Beijing's strategic intelligence objectives, blurring the line between state-directed activity and outsourced service. 

As a result of this dual-purpose posture, Western governments have paid sustained attention to the situation; following sanctions imposed by the United Kingdom in March 2025, the Department of Justice unveiled charges against multiple I-Soon personnel for participating in coordinated intrusion campaigns. 

In confirming these concerns, the European Union has made the claim that I-Soon operated as an offensive cyber services provider, systematically attacking critical infrastructure sectors and governmental systems both within member states and abroad. 

As alleged by investigators, its activities extend beyond unauthorized access to include sensitive data exfiltration and monetization, introducing persistent risks to the diplomatic and security frameworks supporting the Common Foreign and Security Policy as a result of institutionalizing the hacker-for-hire model.

It is also important to note that the Council has designated key corporate figures, including Wu Haibo and Chen Cheng, who are senior managers and legal representatives within the company's structure. This reinforces the EU's intention to attribute accountability at both the individual and organization level. There have also been actions taken against Emennet Pasargad, an Iranian threat actor known by various aliases, such as Cotton Sandstorm, Marnanbridge, and Haywire Kitten and widely considered to be linked with the Cyber-Electronic Command of the Islamic Revolutionary Guard Corps. 

A wide range of disruptive and influence-driven cyber activities have been associated with the group, ranging from interference operations in connection with the 2020 presidential election to intrusion attempts related to the Summer Olympics in 2024. 

In accordance with European assessments, cyberattacks against Sweden's digital infrastructure, including the compromise of the national SMS distribution service, were also attributed to the group, indicating a pattern of operations intended not only to infiltrate systems but also to undermine public trust and operational resilience.

Furthermore, additional technical assessments further demonstrate the extent and persistence of Emennet Pasargad's activities. As indicated by Microsoft's analysis previously, the group-tracked as "Neptunium"-is suspected of compromising the personal information of over 200,000 Charlie Hebdo subscribers. 

According to many observers, the intrusion was a retaliatory act in response to the publication's controversial content targeting Ali Khamenei, illustrating the trend of politically motivated cyber operations being increasingly integrated with information exposure and intimidation methods.

The Council of the European Union identifies the group as conducting hybrid operations, including the unauthorized control of digital advertising billboards during the 2024 Summer Olympics for propaganda purposes, as well as a compromise of a Swedish SMS distribution service.

Interestingly, the latter incident is consistent with an earlier documented campaign that utilized mass messaging to incite retaliatory sentiments within the Swedish community, a tactic that has later been referenced by the Federal Bureau of Investigation in its threat advisories. 

Additionally, the Council's documentation illustrates earlier interference activities targeting the 2020 United States presidential elections, during which stolen voter data was used to deliver coercive communications using false political identities, demonstrating a deliberate campaign to undermine the trust of voters. 

Indictments have been issued in the United States against individuals such as Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian as a result of enforcement actions. Financial sanctions have been imposed by the Treasury Department in an attempt to disrupt the group's operations funding. In spite of these measures, the actor has remained active, and subsequent attribution has linked it to ransomware campaigns believed to be affiliated with the Islamic Revolutionary Guard Corps.

There are parallel findings regarding Integrity Technology Group that reinforce the transnational nature of these threats. Investigators discovered that the company's infrastructure and tooling were used by the Flax Typhoon threat group as a means of gaining access to tens of thousands of devices throughout the European continent, as well as facilitating espionage-focused activities targeting Taiwanese entities. 

In addition, coordinated sanctions between the United Kingdom and the United States indicate a growing alignment of international responses targeted at reducing the ability of state-linked cyber activities to sustain their operations.

In combination, these coordinated efforts indicate a maturing enforcement posture in which cyber operations are not viewed merely as technical incidents but rather as matters of strategic significance that require sustained, multilateral responses. 

As part of the ongoing process of improving the European Union's cyber sanctions framework, the EU will emphasize attribution, intelligence sharing, and alignment with international partners in order to ensure that punitive measures are effectively translated into tangible operational disruptions.

It becomes increasingly important for organizations operating both within and outside of Europe to strengthen their resilience against advanced persistent threats, in particular those that utilize supply chain access, managed service providers, and covert infrastructure. 

It has been noted that the convergence of espionage, cybercrime, and influence operations calls for a more integrated defense model that includes technical controls, threat intelligence, and regulatory compliance. 

Having said that, the effectiveness of sanctions will ultimately depend on the consistency with which they are enforced, on the timely attribution of the perpetrators and on the ability of both public and private sectors to anticipate and mitigate the evolving threat environment.
Read more »
Network Server
CISO CISO best practices Cyber Security Cyberattacks. Network Safety Network Security Network Server

Cisco Warns of Actively Exploited SD-WAN Vulnerabilities Affecting Catalyst Network Systems

 

Cisco warns of several security holes in its Catalyst SD-WAN Manager, noting hackers have begun using at least one in live operations. Updates exist - applying them quickly reduces risk exposure. Exploitation is underway; delayed patching increases danger. Systems remain vulnerable until fixes take effect. Each unpatched flaw offers attackers a potential entry point. Action now limits future compromise chances. 

Catalyst SD-WAN Manager - once called vManage - serves organizations that need oversight of extensive networks, letting them manage many devices from one location. Because it plays a key part in keeping connections running, flaws within the system can lead to serious problems when updates are delayed. Cisco reports active exploitation of two flaws, labeled CVE-2026-20122 and CVE-2026-20128. 

While one poses a higher risk by letting those with basic API access overwrite critical files, the other leaks confidential information when insiders already have login rights. Though differing in impact level, both demand attention due to ongoing attacks. Access restrictions alone do not fully block either pathway. One alters content without permission; the other quietly reveals what should remain hidden. 

Regardless of how devices are set up, Cisco confirmed the flaws affect the software across the board - leaving any system without updates at risk. Though there is no current evidence of exploitation for the additional bugs listed, moving to protected releases remains advised simply because it limits exposure. 

Despite earlier assurances, Cisco now admits CVE-2026-20127 has seen active exploitation beginning in 2023. Though complex, the flaw makes it possible for experienced hackers to skip authentication steps on network controllers. Unauthorized entry leads to insertion of untrusted devices within protected systems. 

What was once theoretical is now observed in real attacks. Appearing trustworthy at first glance, these unauthorized devices let intruders spread across systems, gain higher access levels, while staying hidden for long periods. Growing complexity and frequency now worry security experts worldwide. Authorities including the Cybersecurity and Infrastructure Security Agency (CISA) have responded by issuing directives requiring organizations, particularly federal agencies, to identify affected systems, collect forensic data, apply patches, and investigate potential compromises linked to these vulnerabilities. 

One step further, Cisco revealed two additional high-risk weaknesses in its Secure Firewall Management Center. Labeled CVE-2026-20079 along with CVE-2026-20131, they involve a flaw allowing login circumvention and another enabling remote command execution. When triggered, hackers might reach root privileges on compromised devices while running harmful scripts from afar - no credentials needed. 

Though rare, such access opens deep control paths across networks. When flaws carry serious risks, acting fast matters most. Those running Cisco’s network control systems should update quickly - while checking logs closely. Exploits already in motion mean delays increase exposure. Watching traffic patterns might reveal breaches hidden before now. 

Facing ever-changing digital dangers, events such as these underline why staying ahead of weaknesses matters - especially when reacting quickly to warnings. A slow reaction can widen risk, while early action reduces harm before it spreads.
Read more »
Risky Extensions
AI tools Browser Security Cyber Security Data Exposure Enterprise Risks Risky Extensions

AI Boom Turns Browsers into Enterprise Security’s Biggest Blind Spot

 

Telemetry data from the 2026 State of Browser Security Report reveals that, while the browser has become the de facto operating system for work in the enterprise, it remains one of the least secured segments in the overall security stack. In 2025, AI-native browsers, embedded copilots, and generative tools transitioned from being experimental pilots to being ubiquitous, routine tools for search, write, code, and workflow automation, thus creating a significant disconnect between the way employees are actually working and the organization’s risk monitoring capabilities.

The data also indicates that generative artificial intelligence has become an integral part of browser workflows, extending beyond the browser as a gateway for a small set of approved tools. According to the telemetry data collected by Keep Aware, 41% of end-users interacted with at least one AI tool on the web in 2025, with an average of 1.91 AI tools used per end-user, thus revealing the widespread integration of AI tools in the browser workflows. However, it has been observed that governance has not kept pace with the adoption of these tools, with end-users using their own accounts or unauthorized tools in the same browser session as their work activities. 

This behavioral reality is especially dangerous when it comes to sensitive data exposure. In a one‑month snapshot of authenticated sessions, 54% of sensitive inputs to web apps went to corporate accounts, while a striking 46% went to personal or unverified work accounts, often within “trusted” apps like SharePoint, Google services, Slack, Box, and other collaboration tools. Because traditional DLP tools focus on email, network traffic, or endpoint files, they largely miss typed inputs, pasted content, and file uploads occurring directly inside live browser sessions, where today’s AI‑driven work actually happens.

Attackers have adapted to this shift as well, increasingly targeting the browser layer to bypass hardened email, network, and endpoint defenses. Keep Aware observed that 29% of browser‑based threats in 2025 were phishing, 19% involved suspicious or malicious extensions, and 17% were social engineering, highlighting how social and UI‑driven tactics dominate. Notably, phishing domains had a median age of more than 18 years, indicating adversaries are abusing long‑standing, seemingly trustworthy infrastructure rather than relying only on newly registered domains that filters are tuned to flag.

Browser extensions add another, often underestimated, attack surface. According to the report, 13% of unique installed extensions were rated High or Critical risk, meaning a significant slice of add‑ons running inside production environments have elevated permissions and potentially dangerous capabilities. Many extensions marketed as productivity tools request broad access to tabs, cookies, storage, and web requests, quietly gaining deep visibility into user sessions and sensitive business data without ongoing scrutiny.

The report makes a clear case that static controls—such as one‑time extension reviews, app allowlists, and domain‑based blocking—are no longer enough in a world of AI copilots, browser‑centric workflows, and adaptive phishing campaigns. Instead, organizations must treat the browser as a primary security control point, with real‑time visibility into AI usage, SaaS activity, extensions, and in‑session behavior to detect threats earlier and prevent data loss at the moment it happens. For security teams, 2026 is shaping up as the year where true browser‑native detection and response moves from “nice to have” to non‑negotiable.
Read more »
Windows 11
Cyber Security Digital Vulnerabilities hotpatch Microsoft system updates Windows 11

Microsoft Releases Hotpatch to Fix Windows 11 RRAS Remote Code Flaw



Microsoft has issued an out-of-band (OOB) security update to remediate critical vulnerabilities affecting a specific subset of Windows 11 Enterprise systems that rely on hotpatch updates instead of the conventional monthly Patch Tuesday cumulative updates.

The update, identified as KB5084597, was released to fix multiple security flaws in the Windows Routing and Remote Access Service (RRAS), a built-in administrative tool used for configuring and managing remote connectivity and routing functions within enterprise networks. According to Microsoft’s official advisory, these vulnerabilities could allow remote code execution if a system connects to a malicious or attacker-controlled server through the RRAS management interface.

Microsoft clarified that the risk is limited to narrowly defined scenarios. The exposure primarily impacts Enterprise client devices that are enrolled in the hotpatch update model and are actively used for remote server management. This means that the vulnerability does not broadly affect all Windows users, but rather a specific operational environment where administrative tools interact with external systems.

The vulnerabilities addressed in this update are tracked under three identifiers: CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111. These issues were initially resolved as part of Microsoft’s March 2026 Patch Tuesday updates, which were released on March 10. However, the original fixes required system reboots to be fully applied.

Microsoft’s technical description indicates that successful exploitation would require an attacker to already possess authenticated access within a domain. The attacker could then use social engineering techniques to trick a domain-joined user into initiating a connection request to a malicious server via the RRAS snap-in management tool. Once the connection is made, the vulnerability could be triggered, allowing the attacker to execute arbitrary code on the targeted system.

The KB5084597 hotpatch is cumulative in nature, meaning it incorporates all previously released fixes and improvements included in the March 2026 security update package. This ensures that systems receiving the hotpatch are brought up to the same security level as those that installed the full cumulative update.

A key reason for releasing this hotpatch separately is the operational challenge associated with system restarts. Many enterprise environments run mission-critical workloads where even brief downtime can disrupt services, impact business continuity, or affect essential infrastructure. Traditional cumulative updates require a reboot, making them less practical in such contexts.

Hotpatching addresses this challenge by applying security fixes directly into the memory of running processes. This allows vulnerabilities to be mitigated immediately without interrupting system operations. Simultaneously, the update also modifies the relevant files stored on disk so that the fixes remain effective after the next scheduled reboot, maintaining long-term system integrity.

Microsoft also noted that while fixes for these vulnerabilities had been released earlier, the hotpatch update was reissued to ensure more comprehensive protection across all affected deployment scenarios. This suggests that the company identified gaps in earlier coverage or aimed to standardize protection for systems using different update mechanisms.

It is important to note that this hotpatch is not distributed to all devices. It is only available to systems that are enrolled in Microsoft’s hotpatch update program and are managed through Windows Autopatch, a cloud-based service that automates update deployment for enterprise environments. Eligible systems will receive and apply the update automatically, without requiring user intervention or a system restart.

From a broader security standpoint, this development surfaces the increasing complexity of patch management in modern enterprise environments. As organizations adopt high-availability systems that must remain continuously operational, traditional update strategies are evolving to include alternatives such as hotpatching.

At the same time, vulnerabilities in administrative tools like RRAS demonstrate how trusted system components can become entry points for attackers when combined with social engineering and authenticated access. Even though exploitation requires specific conditions, the potential impact remains substantial due to the elevated privileges typically associated with administrative tools.

Security experts generally emphasize that organizations must go beyond simply applying patches. Continuous monitoring, strict access control policies, and user awareness training are essential to reducing the likelihood of such attack scenarios. Additionally, maintaining visibility into how administrative tools are used within a network can help detect unusual behavior before it leads to compromise.

Overall, Microsoft’s release of this hotpatch reflects both the urgency of addressing critical vulnerabilities and the need to adapt security practices to environments where uptime is as important as protection.

Read more »
underground hacking forums
data breach forum shutdown Data Leak Europol cybercrime operation LeakBase takedown underground hacking forums

Global Crackdown Dismantles LeakBase Data Breach Forum, Dozens Targeted in Europol Operation

 

A large-scale international law enforcement effort has reportedly led to multiple arrests as authorities moved to shut down a well-known underground data leak marketplace.

Europol revealed details of a coordinated operation that successfully dismantled LeakBase, a platform it described as “established itself as a central hub in the cybercrime ecosystem”.

Launched in 2021, the forum rapidly grew in scale, amassing over 142,000 registered members within four years. During this time, users created approximately 32,000 posts and exchanged more than 215,000 private messages. Operating openly on the web and primarily in English, the platform enabled users to trade and distribute stolen or compromised data sourced from individuals and organizations worldwide. Notably, content related to Russia was prohibited, with the forum restricting any sale or publication of such data.

On March 3, 2026, authorities from multiple countries carried out nearly 100 coordinated actions, including house searches, “knock-and-talk” interventions, and arrests as part of the crackdown.

While officials did not disclose the exact number of individuals detained, their locations, or specific charges, they confirmed that enforcement measures were taken against 37 of the forum’s most active participants.

The following day, authorities seized control of the forum’s domain and replaced its content. Investigators also obtained the platform’s database, which is now being analyzed to identify users. Officials have reportedly already “engaged directly with several suspects”.

“This operation shows that no corner of the internet is beyond the reach of international law enforcement. What began as a shadowy forum for stolen data has now been dismantled, and those who believed they could hide behind anonymity are being identified and held accountable,” said Edvardas Å ileris, Head of Europol’s European Cybercrime Centre.

“This is a clear message to cybercriminals everywhere: if you traffic in other people’s stolen information, law enforcement will find you and bring you to justice.”
Read more »
ransomware attack 2025
AkzoNobel cyberattack Anubis ransomware Data Breach data breach US site ransomware attack 2025

AkzoNobel Confirms Cyberattack at U.S. Site Following Anubis Ransomware Data Leak

 

kDutch multinational paints and coatings company AkzoNobel has confirmed that a cyberattack impacted one of its facilities in the United States, according to a statement shared with BleepingComputer.

The incident came to light after the Anubis ransomware gang published data allegedly stolen from the company. In response, a spokesperson clarified that the breach was quickly contained and did not spread beyond the affected location.

“AkzoNobel has identified a security incident at one of our sites in the United States. The incident was limited to the respective site and was already contained,” the company told BleepingComputer. “The impact is limited, and we are taking the appropriate steps to notify and support impacted parties, and will work closely with relevant authorities.”

With a workforce of around 35,000 employees, AkzoNobel generates over $12 billion in annual revenue and operates across more than 150 countries. Its portfolio includes well-known brands such as Dulux, Sikkens, International, and Interpon.

The Anubis ransomware group claims it exfiltrated approximately 170GB of data, comprising nearly 170,000 files. It has also released sample materials on its leak site, including screenshots and file listings as proof of the breach.

According to the group, the leaked data contains sensitive information such as confidential contracts with major clients, contact details, internal communications, passport copies, testing documentation, and technical specifications.

So far, only a portion of the stolen data has been made public. The company has not disclosed whether it has engaged in any negotiations with the attackers.

Anubis operates under a ransomware-as-a-service (RaaS) model, which began in December 2024, offering affiliates a significant share—up to 80%—of ransom payments. The group expanded its reach in February 2025 by launching an affiliate initiative on underground forums, increasing its presence in cybercrime activities

Later in June 2025, the group introduced a destructive tool capable of permanently erasing victims’ data, making recovery efforts significantly more challenging

Read more »
Subscribe to: Comments (Atom)

Featured