Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

University of Hawaiʻi Cancer Center Suffers Data Breach from Ransomware Attacks

A ransomware attack on the University of Hawaii Cancer Center's epidemiology division last year resulted in information leaks for up to ...

All the recent news you need to know
Southold cyber attack
Bitcoin Cyber Security government breach New York local Ransom Demand ransomware-as-a-service Rhysida Ransomware Southold cyber attack

Rhysida Claims Responsibility for November 2025 Ransomware Attack on Southold, New York

 

A ransomware gang known as Rhysida has claimed it was behind a cyberattack carried out in November 2025 against the local government of Southold, New York.

Town authorities first disclosed the incident on November 24, 2025, revealing that a ransomware attack had disrupted critical municipal services. Impacted systems included email communications, payroll processing, tax collection, permitting, and other essential operations. While most systems were restored within two weeks, some remained offline through mid-January.

On its data leak portal, Rhysida demanded a ransom payment of 10 bitcoin—valued at approximately $661,400 at the time of reporting. The group gave the town a seven-day deadline, threatening to auction the allegedly stolen data to other cybercriminal actors if the ransom was not paid. Southold Supervisor Al Krupski stated that the town does not plan to comply with the ransom demand.

Town officials have not confirmed Rhysida’s involvement, and independent verification of the gang’s claims has not been established. It remains unclear what specific data may have been compromised or how attackers gained access to the town’s network. Officials were contacted for further comment, and updates are expected if additional information becomes available.

Following the breach, the town allocated $500,000 toward cybersecurity enhancements.

“Please be advised that the Town of Southold is investigating a potential cyber incident affecting town servers, which affects our ability to communicate with residents via email,” said the city’s November 24 announcement. “During the course of this investigation, we regret to inform you that all town services will be limited.”

Rhysida emerged in May 2023 and operates a ransomware-as-a-service (RaaS) model. The group’s malware is capable of encrypting systems and exfiltrating sensitive data. Victims are typically pressured to pay for both a decryption key and assurances that stolen information will be deleted. Affiliates can lease Rhysida’s infrastructure to conduct attacks and share in ransom proceeds.

In 2025, the group claimed responsibility for 21 verified ransomware incidents and made an additional 70 unconfirmed claims. Several confirmed attacks targeted public-sector entities, including:
  • Oregon Department of Environmental Quality (April 2025 – $2.6 million ransom, unpaid)
  • Maryland Department of Transportation (August 2025 – $3.4 million ransom, unpaid)
  • Cleveland County Sheriff’s Office (November 2025 – $782,000 ransom)
  • Cheyenne and Arapaho Tribes (December 2025 – $682,000 ransom, unpaid)
So far in 2026, the group has claimed six additional breaches.

Security researchers documented 84 confirmed ransomware incidents targeting U.S. government entities in 2025, exposing roughly 639,000 personal records. The average ransom demand across these cases reached $987,000.

In 2026, confirmed government-sector victims include Midway, Florida, Winona County, Minnesota, New Britain, Connecticut, and Tulsa International Airport.

Ransomware attacks on public institutions often involve both data theft and system encryption, disrupting services such as bill payments, court records management, and emergency response operations. Governments that refuse to pay may face prolonged outages, data loss, and heightened risks of fraud for affected residents.

Southold is a town located on Long Island in New York, with a population of approximately 24,000 residents. It falls within Suffolk County, which experienced a significant ransomware incident in 2021 that exposed the personal data of around 470,000 residents and severely disrupted county services.
Read more »
cybersecurity threat
BYOVD Attack cyber attack Cyber Attacks cybersecurity threat

BYOVD Attacks Turn Trusted Windows Drivers Into Security Threats

 

Cybersecurity researchers are warning about a growing wave of attacks that exploit legitimate Windows drivers to bypass security protections and gain deep control over targeted systems. 

The technique, known as Bring Your Own Vulnerable Driver or BYOVD, involves attackers loading digitally signed but flawed drivers onto a compromised machine. Once active, the vulnerable driver can be exploited to gain kernel level privileges, the highest level of access in the Windows operating system. 

Researchers from Picus Security said the method allows threat actors to “load a legitimate, digitally signed, but vulnerable driver onto a target system” and then exploit weaknesses in that driver to gain arbitrary kernel mode execution. 

With this level of access, attackers can disable endpoint security tools, manipulate operating system processes and carry out further malicious activity without interference. 

How the attack works 

BYOVD attacks do not provide the initial entry point into a system. Instead, attackers use the technique after gaining administrative access through other methods such as phishing campaigns, stolen credentials, exploitation of exposed services or purchasing access from an initial access broker. 

Once administrative privileges are obtained, attackers introduce a vulnerable driver file into the system. The driver, typically a .sys file, is often placed in directories that allow easy writing access such as temporary Windows folders or public user directories. 

Many of these drivers are taken directly from legitimate vendor software packages, including hardware utilities, monitoring tools or gaming applications. Because the drivers are officially signed and appear legitimate, they can pass Windows trust checks. Attackers then load the driver into the Windows kernel. 

This is commonly done through the Windows Service Control Manager using commands such as sc.exe create and sc.exe start, or by calling system level APIs like NtLoadDriver. 

Since the driver carries a valid digital signature, Windows allows it to run in kernel space without immediately triggering alerts. 

Exploiting driver weaknesses 

After the vulnerable driver is loaded, attackers exploit unsafe input and output control functions exposed by the driver. These functions can allow direct reading and writing of system memory. 

By sending specially crafted requests, attackers can gain access to protected kernel memory regions. This effectively provides full control over the operating system’s most privileged layer. 

With kernel read and write capabilities, attackers can disable security protections in several ways. They may remove endpoint detection and response callbacks from kernel structures, patch tamper protection routines in memory, terminate antivirus processes or manipulate system process objects to conceal malicious activity. 

Even though security software may still appear installed, the endpoint may effectively be left unprotected. 

Example of driver abuse 

One attack analyzed by Picus researchers involved ransomware actors exploiting the mhyprot2.sys anti cheat driver used by the popular video game Genshin Impact. 

In that case, attackers installed the legitimate driver and then used a separate executable to send a specific command instructing the driver to terminate antivirus processes. Because the driver operated with kernel level privileges, it successfully executed system level commands to kill security services. 

Once defenses were disabled, ransomware encryption was deployed without resistance.

Structural weaknesses in driver trust 

The effectiveness of BYOVD attacks stems partly from how Windows manages driver trust. Since Windows 10, most new kernel drivers must be signed through Microsoft’s developer portal. 

However, compatibility requirements allow certain older cross signed drivers to still load under specific conditions. 

These conditions include systems where Secure Boot is disabled or devices that were upgraded from older Windows installations rather than freshly installed. 

Such compatibility allowances create gaps that attackers can exploit by loading vulnerable legacy drivers that remain trusted by the system. 

Microsoft also maintains a vulnerable driver blocklist, but this list is updated only after vulnerabilities are discovered and reported. Updates often coincide with major Windows releases, meaning newly identified vulnerable drivers may remain usable for extended periods. 

As a result, BYOVD attacks do not technically bypass Windows security mechanisms. Instead, they take advantage of drivers that the operating system still considers trustworthy. 

Defending against BYOVD 

Security experts say defending against this technique requires layered protections rather than a single configuration change. 

Organizations are advised to enable hypervisor protected code integrity and the broader virtualization based security framework to prevent unauthorized kernel memory changes. 

Controls such as Windows Defender Application Control and Microsoft’s vulnerable driver blocklist can restrict which drivers are allowed to run. Limiting administrative privileges is another critical step. 

Companies should remove unnecessary local administrator rights, enforce least privilege policies and require multi factor authentication for privileged accounts. Monitoring for suspicious activity is also essential. 

Security teams should watch for unusual driver loading events or new kernel service creation logs. Maintaining Secure Boot and restricting driver installation through group policy can further reduce the risk of unauthorized or legacy drivers being loaded. 

Regular auditing of third party drivers installed on systems can help reduce the overall kernel attack surface. 

Security analysts say BYOVD reflects a broader change in attacker strategy. Instead of relying only on new vulnerabilities or zero day exploits, threat actors increasingly use trusted components that already exist within systems. 

Read more »
User Privacy
Copilot Bug Data Breach Microsoft Outlook Emails User Privacy

Microsoft Copilot Bug Exposes Confidential Outlook Emails

 
























A critical bug in Microsoft 365 Copilot, tracked as CW1226324, allowed the AI assistant to access and summarize confidential emails in Outlook's Sent Items and Drafts folders, bypassing sensitivity labels and Data Loss Prevention (DLP) policies. Microsoft first detected the issue on January 21, 2026, with exposure lasting from late January until early to mid-February 2026. This flaw affected enterprise users worldwide, including organizations like the UK's NHS, despite protections meant to block AI from processing sensitive data.

 The vulnerability stemmed from a code error that ignored confidentiality labels on user-authored emails stored in desktop Outlook.When users queried Copilot Chat, it retrieved and summarized content from these folders, potentially including business contracts, legal documents, police investigations, and health records. Importantly, the bug did not grant unauthorized access; summaries only appeared to users already permitted to view the mailbox. However, feeding such data into a large language model raised fears of unintended processing or training data incorporation.

Microsoft swiftly responded by deploying a global configuration update in early February 2026, restoring proper exclusion of protected content from Copilot. The company continues monitoring rollout and contacting affected customers for verification, though no full remediation timeline or user impact numbers have been disclosed.As of late February, the patch was in place for most enterprise accounts, tagged as a limited-scope advisory.

This incident underscores persistent AI privacy risks in enterprise tools, marking the second Copilot-related email exposure in eight months—the prior EchoLeak involved prompt injection attacks. It highlights how even brief bugs can erode trust in AI assistants handling confidential workflows. Security experts urge organizations to audit DLP configurations and monitor AI behaviors closely.

For Microsoft 365 users, especially in high-stakes sectors like healthcare and finance, the event emphasizes the need for robust sensitivity labeling and regular Copilot audits. While fixed, expanded DLP enforcement across storage locations won't complete until late April 2026. Businesses should prioritize data governance to mitigate future AI flaws, ensuring productivity doesn't compromise security.
Read more »
IT Infrastructure
AI in cybersecurity AI Security Cyber Security Data protection data security Data security software enterprise AI IT Infrastructure

Rocket Software Research Highlights Data Security and AI Infrastructure Gaps in Enterprise IT Modernization

 

Stress is rising among IT decision-makers as organizations accelerate technology upgrades and introduce AI into hybrid infrastructure. Data security now leads modernization concerns, with nearly 70 percent identifying it as their primary pressure point. As transformation speeds up, safeguarding digital assets becomes more complex, especially as risks expand across both legacy systems and cloud environments. 

Aligning security improvements with system upgrades remains difficult. Close to seven in ten technology leaders rank data protection as their biggest modernization hurdle. Many rely on AI-based monitoring, stricter access controls, and stronger data governance frameworks to manage risk. However, confidence in these safeguards is limited. Fewer than one-third feel highly certain about passing upcoming regulatory audits. While 78 percent believe they can detect insider threats, only about a quarter express complete confidence in doing so. 

Hybrid IT environments add further strain. Just over half of respondents report difficulty integrating cloud platforms with on-premises infrastructure. Poor data quality emerges as the biggest obstacle to managing workloads effectively across these mixed systems. Secure data movement challenges affect half of those surveyed, while 52 percent cite access control issues and 46 percent point to inconsistent governance. Rising storage costs also weigh on 45 percent, slowing modernization and increasing operational risk. 

Workforce shortages compound these challenges. Nearly 48 percent of organizations continue to depend on legacy systems for critical operations, yet only 35 percent of IT leaders believe their teams have the necessary expertise to manage them effectively. Additionally, 52 percent struggle to recruit professionals skilled in older technologies, underscoring the need for reskilling to prevent operational vulnerabilities. 

AI remains a strategic priority, particularly in areas such as fraud detection, process optimization, and customer experience. Still, infrastructure readiness lags behind ambition. Only one-quarter of leaders feel fully confident their systems can support AI workloads. Meanwhile, 66 percent identify data accessibility as the most significant factor shaping future modernization plans. 

Looking ahead, organizations are prioritizing stronger data protection, closing infrastructure gaps to support AI, and improving data availability. Progress increasingly depends on integrated systems that securely connect applications and databases across hybrid environments. The findings are based on a survey conducted with 276 IT directors and vice presidents from companies with more than 1,000 employees across the United States, the United Kingdom, France, and Germany during October 2025.
Read more »
Vulnerabilities and Exploits
Android Security Update Cybersecurity Threats Mobile Security Patch Privilege Escalation Qualcomm Zero Day Remote Code Execution Vulnerabilities and Exploits

Qualcomm Zero Day Among 129 Issues Fixed in Android Security Push

 


With its latest security bulletin, Google has taken steps to address a broad range of Android vulnerabilities, releasing patches for 129 vulnerabilities spanning core platform components and third party modules. 

These vulnerabilities include ten that are rated critical, and one that is believed to have been exploited outside of controlled environments. Thus, the persistent pressure on mobile infrastructure is evident. CVE-2026-21385, a buffer over-read vulnerability related to an open-source Qualcomm module, was central to the update. 

The vulnerability has a severity score of 7.8 and is tracked as CVE-2026-21385. Input from a user is improperly handled without the possibility of verifying buffer space, which may result in memory corruption under certain circumstances. This advisory describes a vulnerability identified as CVE-2026-21385, which has a CVSS score of 7.8 and has been categorized as a buffer overread within the Graphics component. 

Qualcomm describes the vulnerability as an integer overflow that may result in memory corruption if user supplied data is appended without adequately validating the buffer space available. As stated by the chipmaker, the flaw was originally reported to Google's Android Security team on December 18, 2025, and downstream customers were notified on February 2, 2026 as a result. 

Even though Google has not disclosed technical information about actual real-world exploitation, it has acknowledged evidence of limited and targeted abuses, suggesting that this vulnerability may have been exploited in controlled attack scenarios rather than indiscriminate attacks. 

It is noteworthy that the March 2026 Android security update includes a comprehensive remediation effort that addresses 129 vulnerabilities across the entire system layer in addition to Qualcomm's defect. Furthermore, it contains a critical remote code execution vulnerability in the System component, identified as CVE-2026-0006, that can be exploited without requiring additional user interaction or additional privileges—a significantly increased risk profile.

Further, the update resolves the CVE-2026-0047 privilege escalation issue in the Framework component, the CVE-2025-48631 denial-of-service condition in the System module, and seven individual privilege escalation vulnerabilities in Kernel components. 

The vulnerabilities are identified as CVE-2024-43859, CVE-2026-0037, CVE-2026-0038, CVE-2026-0027, CVE-2026-0028, CVE-2026-0030, and CVE-2026-0031 identifiers. Due to the fragmented device ecosystem, Google retains its dual patch-level structure - 2026-03-01 and 2026-03-05 - so that original equipment manufacturers and silicon partners can deploy patches according to their deployment cycle. 

In addition to updating Android kernel components, this patch level also includes updates for third-party silicon and GPU vendors, such as Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc, emphasizing the complexity of modern security governance mechanisms. 

Even though Google has not disclosed operational details regarding the observed activity, vulnerabilities of this nature have traditionally been of interest to commercial surveillance vendors as well as other actors capable of exploiting memory-handling vulnerabilities to gain covert access to data. A mitigation for CVE-2026-21385 has been included in the second tranche of this month's rollout, distributed under the level of security patch 2026-03-05. 

With this cumulative update, more than 60 new vulnerabilities have been addressed across the Kernel components and silicon partner ecosystems, including integrations with Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm, reflecting the multiple dependencies that are embedded within Android deployments. 

The earlier patch level, meanwhile, focuses primarily on Framework and System components, resolving over 50 security vulnerabilities. One of these vulnerabilities enables remote code execution without any level of elevated privileges or interaction with the user - a risk profile that places it among the most serious Android vulnerabilities.

According to Google, devices updated to 2026-03-05 security level or later are protected from the full set of disclosed vulnerabilities. Additionally, the company has announced patches for two vulnerabilities within Wear OS' Framework and System layers that affect Wear OS. It also incorporates all of the Android security patches outlined in the March 2026 security bulletin, ensuring alignment across Google's broader product lines. 

There have been no platform-specific security patches released for Android Automotive OS or Android XR this cycle, which indicates that those distributions have remained relatively stable during this time period of updates. This advisory reinforces the necessity of timely patch adoption across enterprise as well as consumer deployments from a defensive standpoint.

It is recommended that security teams verify whether devices are compliant with the March 2026 security patch levels, prioritize assets which are exposed to untrusted input vectors, and watch for unusual behavior that may be indicative of an exploitation attempt. 

Since memory corruption and privilege escalation issues are recurring patterns of targeted abuse, maintaining strict update governance, enforcing mobile device management controls, and restricting unnecessary application privileges remain critical measures for risk mitigation. 

As Android will continue to be dependent on a complex supply chain of silicon and software contributors, coordinated vulnerability disclosure and rapid patch integration will remain crucial to ensuring the platform's resilience over time.
Read more »
Vishing
Advanced Social Engineering Cyber Crime IT Help Desk phishing Scattered Spider SIM swap Vishing

SLH Pays Up to $1,000 Per Call to Expand IT Help Desk Vishing Operations

 



A cybercrime network known as Scattered LAPSUS$ Hunters, or SLH, is offering financial rewards ranging from $500 to $1,000 per call to recruit women for voice phishing operations targeting corporate IT help desks.

The development was detailed in a threat intelligence brief published by Dataminr. According to the firm, recruits are provided with prepared scripts and paid upfront for participating in impersonation calls designed to trick help desk staff into granting account access. Analysts assess that specifically seeking female callers may be an intentional tactic to improve credibility and increase the likelihood of successful password or multi-factor authentication resets.

SLH is described as a high-profile cybercrime alliance associated with actors tied to LAPSUS$, Scattered Spider, and ShinyHunters. The group has previously demonstrated the ability to bypass multi-factor authentication using methods such as MFA prompt flooding and SIM swapping.

A core component of its intrusion strategy involves directly contacting help desks or call centers while posing as legitimate employees. Attackers attempt to persuade support staff to reset credentials or deploy remote monitoring and management software that enables persistent remote access. Once inside a network, Scattered Spider operators have been observed moving laterally into virtualized infrastructure, elevating privileges, and extracting sensitive enterprise information. In some incidents, the intrusion progressed to ransomware deployment.

To blend into legitimate traffic and evade detection, the actors routinely leverage trusted infrastructure and residential proxy services, including Luminati and OxyLabs. They have also used tunneling tools such as Ngrok, Teleport, and Pinggy, along with file-sharing platforms like file.io, gofile.io, mega.nz, and transfer.sh to transfer stolen data.

Earlier this month, Palo Alto Networks Unit 42, which tracks Scattered Spider under the alias Muddled Libra, described the actor as highly adept at manipulating human psychology. In one September 2025 investigation, attackers reportedly obtained privileged credentials through a help desk call, created a virtual machine, conducted Active Directory enumeration, and attempted to extract Microsoft Outlook mailbox data along with information downloaded from a Snowflake database.

Unit 42 also documented the group’s extensive targeting of Microsoft Azure environments through the Graph API to gain access to cloud resources. Tools such as ADRecon have been deployed to map directory structures and identify valuable assets.

Dataminr characterized the recruitment campaign as a calculated evolution in tactics, suggesting that the use of female voices may help bypass preconceived attacker profiles that help desk staff are trained to recognize.

Update: Shift Toward Branded Subdomain Impersonation and Mobile-Focused Phishing

In a follow-up assessment dated February 26, 2026, ReliaQuest reported observing ShinyHunters potentially transitioning to branded subdomain impersonation paired with live adversary-in-the-middle phishing and phone-guided social engineering. Observed domains followed formats resembling “organization.sso-verify.com.”

Researchers indicated that the group may be reusing previously exposed software-as-a-service records to craft convincing scenarios and identify the most effective internal targets. This method can enable rapid identity compromise and SaaS access through a single valid single sign-on session or help desk reset, without deploying custom malware.

ReliaQuest assessed that moving away from newly registered lookalike domains could help evade traditional domain-age detection controls. Simultaneously, mobile-oriented phishing lures may reduce visibility within enterprise network monitoring systems. The firm also noted signs of outsourced criminal labor to scale phone, email, and SMS outreach.

While the impersonation style resembles earlier Scattered Spider techniques, ReliaQuest attributed the recent subdomain activity primarily to ShinyHunters based on victim targeting patterns and operational behavior. The company stated it has no independently verifiable evidence confirming that the broader SLH collective is responsible for the subdomain campaign, though partial collaboration among groups remains possible. It also observed Telegram discussions indicating that the actors sometimes “unite” for specific social engineering operations, though the structure and scope of such collaboration remain unclear.

Security experts increasingly warn that help desks represent a critical weak point in modern enterprise defense. As organizations strengthen technical controls such as MFA and endpoint detection, attackers are redirecting efforts toward human intermediaries capable of overriding safeguards. Industry reporting throughout 2024 and 2025 has shown a consistent rise in vishing-led intrusions tied to cloud identity compromise.

Defensive recommendations include implementing stricter identity verification workflows, eliminating SMS-based authentication where possible, enforcing conditional access policies, and conducting post-call audits for new administrative accounts or privilege changes. Continuous monitoring of cloud logs and abnormal single sign-on activity is also considered essential.

The recruitment-driven expansion of scripted vishing operations signals an ongoing professionalization of social engineering. Rather than relying solely on technical exploits, threat actors are scaling psychologically informed tactics to accelerate high-volume, low-cost account compromise across enterprise environments.

Read more »
Subscribe to: Comments (Atom)

Featured