Search This Blog

Popular Posts

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Foxit Publishes Security Patches for PDF Editor Cloud XSS Bugs

  In response to findings that exposed weaknesses in the way user-supplied data was processed within interactive components, Foxit Software ...

All the recent news you need to know
Rhysida
California Databreach Exposed Patient Records Healthcare Privacy ransomware attacks Rhysida

Tribal Health Clinics in California Report Patient Data Exposure

 


Patients receiving care at several tribal healthcare clinics in California have been warned that a cyber incident led to the exposure of both personal identification details and private medical information. The clinics are operated by a regional health organization that runs multiple facilities across the Sierra Foothills and primarily serves American Indian communities in that area.

A ransomware group known as Rhysida has publicly claimed responsibility for a cyberattack that took place in November 2025 and affected the MACT Health Board. The organization manages several clinics in the Sierra Foothills region of California that provide healthcare services to Indigenous populations living in nearby communities.

In January, the MACT Health Board informed an unspecified number of patients that their information had been involved in a data breach. The organization stated that the compromised data included several categories of sensitive personal information. This exposed data may include patients’ full names and government-issued Social Security numbers. In addition to identity information, highly confidential medical details were affected. These medical records can include information about treating doctors, medical diagnoses, insurance coverage details, prescribed medications, laboratory and diagnostic test results, stored medical images, and documentation related to ongoing care and treatment.

The cyber incident caused operational disruptions across MACT clinic systems starting on November 20, 2025. During this period, essential digital services became unavailable, including phone communication systems, platforms used to process prescription requests, and scheduling tools used to manage patient appointments. Telephone services were brought back online by December 1. However, as of January 22, some specialized imaging-related services were still not functioning normally, indicating that certain technical systems had not yet fully recovered.

Rhysida later added the MACT Health Board to its online data leak platform and demanded payment in cryptocurrency. The amount requested was eight units of digital currency, which was valued at approximately six hundred sixty-two thousand dollars at the time the demand was reported. To support its claim of responsibility, the group released sample files online, stating that the materials were taken from MACT’s systems. The files shared publicly reportedly included scans of passports and other internal documents.

The MACT Health Board has not confirmed that Rhysida’s claims are accurate. There is also no independent verification that the files published by the group genuinely originated from MACT’s internal systems. At this time, it remains unclear how many individuals received breach notifications, what method was used by the attackers to access MACT’s network, or whether any ransom payment was made. The organization declined to provide further information when questioned.

In its written notification to affected individuals, MACT stated that it experienced an incident that disrupted its information technology operations. The organization reported that an internal investigation found that unauthorized access occurred to certain files stored on its systems during a defined time window between November 12 and November 20, 2025.

The health organization is offering eligible individuals complimentary identity monitoring services. These services are intended to help patients detect possible misuse of personal or financial information following the exposure of sensitive records.

Rhysida is a cybercriminal group that first became active in public reporting in May 2023. The group deploys ransomware designed to both extract sensitive data from victim organizations and prevent access to internal systems by encrypting files. After carrying out an attack, the group demands payment in exchange for deleting stolen data and providing decryption tools that allow victims to regain access to locked systems. Rhysida operates under a ransomware-as-a-service model, in which external partners pay to use its malware and technical infrastructure to carry out attacks and collect ransom payments.

The group has claimed responsibility for more than one hundred confirmed ransomware incidents, along with additional claims that have not been publicly acknowledged by affected organizations. On average, the group’s ransom demands amount to several hundred thousand dollars per incident.

A significant portion of Rhysida’s confirmed attacks have targeted hospitals, clinics, and other healthcare providers. These healthcare-related incidents have resulted in the exposure of millions of sensitive records. Past cases linked to the group include attacks on healthcare organizations in multiple U.S. states, with ransom demands ranging from over one million dollars to several million dollars. In at least one case, the group claimed to have sold stolen data after a breach.

Researchers tracking cybersecurity incidents have recorded more than one hundred confirmed ransomware attacks on hospitals, clinics, and other healthcare providers across the United States in 2025 alone. These attacks collectively led to the exposure of nearly nine million patient records. In a separate incident reported during the same week, another healthcare organization confirmed a 2025 breach that was claimed by a different ransomware group, which demanded a six-figure ransom payment.

Ransomware attacks against healthcare organizations often involve both data theft and system disruption. Such incidents can disable critical medical systems, interfere with patient care, and create risks to patient safety and privacy. When hospitals and clinics lose access to digital systems, staff may be forced to rely on manual processes, delay or cancel appointments, and redirect patients to other facilities until systems are restored. These disruptions can increase operational strain and place patients and healthcare workers at heightened risk.

The MACT Health Board is named after the five California counties it serves: Mariposa, Amador, Alpine, Calaveras, and Tuolumne. The organization operates approximately a dozen healthcare facilities that primarily serve American Indian communities in the region. These clinics provide a range of services, including general medical care, dental treatment, behavioral health support, vision and eye care, and chiropractic services.


Read more »
Zero Trust Security
authentication failure authorization systems cloud outages cloud resilience Cyber Security Identity Security Zero Trust Security

Why Cloud Outages Turn Identity Systems into a Critical Business Risk

 

Recent large-scale cloud outages have become increasingly visible. Incidents involving major providers like AWS, Azure, and Cloudflare have disrupted vast portions of the internet, knocking critical websites and services offline. Because so many digital platforms are interconnected, these failures often cascade, stopping applications and workflows that organizations depend on daily.

For everyday users, the impact usually feels like a temporary annoyance—difficulty ordering food, streaming shows, or accessing online tools. For enterprises, the consequences are far more damaging. If an airline’s reservation platform goes down, every minute of downtime can mean lost bookings, revenue leakage, reputational harm, and operational chaos.

These events make it clear that cloud failures go well beyond compute and networking issues. One of the most vulnerable—and business-critical—areas affected is identity. When authentication or authorization systems fail, the problem is no longer simple downtime; it becomes a fundamental operational and security crisis.

Cloud Infrastructure as a Shared Failure Point

Cloud providers are not identity platforms themselves, but modern identity architectures rely heavily on cloud-hosted infrastructure and shared services. Even if an identity provider remains technically operational, disruptions elsewhere in the stack can break identity flows entirely.
  • Organizations commonly depend on the cloud for essential identity components such as:
  • Databases storing directory and user attribute information
  • Policy and authorization data stores
  • Load balancers, control planes, and DNS services
Because these elements are shared, a failure in any one of them can completely block authentication or authorization—even when the identity service appears healthy. This creates a concealed single point of failure that many teams only become aware of during an outage.

Identity as the Universal Gatekeeper

Authentication and authorization are not limited to login screens. They continuously control access for users, applications, APIs, and services. Modern Zero Trust architectures are built on the principle of “never trust, always verify,” and that verification is entirely dependent on identity system availability.

This applies equally to people and machines. Applications authenticate repeatedly, APIs validate every request, and services constantly request tokens to communicate with each other. When identity systems are unavailable, entire digital ecosystems grind to a halt.

As a result, identity-related outages pose a direct threat to business continuity. They warrant the highest level of incident response, supported by proactive monitoring across all dependent systems. Treating identity downtime as a secondary technical issue significantly underestimates its business impact.

Modern authentication goes far beyond checking a username and password—or even a passkey, as passwordless adoption grows. A single login attempt often initiates a sophisticated chain of backend operations.

Typically, identity systems must:
  • Retrieve user attributes from directories or databases
  • Maintain session state
  • Generate access tokens with specific scopes, claims, and attributes
  • Enforce fine-grained authorization through policy engines
Authorization decisions may occur both when tokens are issued and later, when APIs are accessed. In many architectures, APIs must also authenticate themselves before calling downstream services.

Each step relies on underlying infrastructure components such as datastores, policy engines, token services, and external integrations. If any part of this chain fails, access can be completely blocked—impacting users, applications, and critical business processes.

Why High Availability Alone Falls Short

High availability is essential, but on its own it is often insufficient for identity systems. Traditional designs usually rely on regional redundancy, with a primary deployment backed up by a secondary region. When one region fails, traffic shifts to the other.

This strategy offers limited protection when outages affect shared or global services. If multiple regions depend on the same control plane, DNS service, or managed database, a regional failover does little to improve resilience. In such cases, both primary and backup systems can fail simultaneously.

The result is an identity architecture that looks robust in theory but collapses during widespread cloud or platform-level disruptions.

True resilience requires intentional design. For identity systems, this may involve reducing reliance on a single provider or failure domain through multi-cloud deployments or carefully managed on-premises options that remain reachable during cloud degradation.

Planning for partial failure is equally important. Completely denying access during outages causes maximum business disruption. Allowing constrained access—using cached attributes, precomputed authorization decisions, or limited functionality—can significantly reduce operational and reputational damage.

Not all identity data demands identical availability guarantees. Some attributes or authorization sources may tolerate lower resilience, as long as those decisions are made deliberately and aligned with business risk.

Ultimately, identity platforms must be built to fail gracefully. Infrastructure outages are unavoidable; access control should degrade in a controlled, predictable manner rather than collapse entirely.
Read more »
Ransomware
AI Black Basta Black Basta Ransomware Cloud Cyber Crime Data Ransomware

Federal Agencies Worldwide Hunt for Black Basta Ransomware Leader


International operation to catch Ransomware leader 

International law enforcement agencies have increased their search for individuals linked to the Black Basta ransomware campaign. Agencies confirmed that the suspected leader of the Russia-based Ransomware-as-a-service (RaaS) group has been put in the EU’s and Interpol’s Most Wanted list and Red Notice respectively. German and Ukrainian officials have found two more suspects working from Ukraine. 

As per the notice, German Federal Criminal Police (BKA) and Ukrainian National Police collaborated to find members of a global hacking group linked with Russia. 

About the operation 

The agencies found two Ukrainians who had specific roles in the criminal structure of Black Basta Ransomware. Officials named the gang’s alleged organizer as Oleg Evgenievich Nefedov from Russia. He is wanted internationally. German law enforcement agencies are after him because of “extortion in an especially serious case, formation and leadership of a criminal organization, and other criminal offenses.”

According to German prosecutors, Nefedov was the ringleader and primary decision-maker of the group that created and oversaw the Black Basta ransomware. under several aliases, such as tramp, tr, AA, Kurva, Washingt0n, and S.Jimmi. He is thought to have created and established the malware known as Black Basta. 

The Ukrainian National Police described how the German BKA collaborated with domestic cyber police officers and investigators from the Main Investigative Department, guided by the Office of the Prosecutor General's Cyber Department, to interfere with the group's operations.

The suspects

Two individuals operating in Ukraine were found to be carrying out technical tasks necessary for ransomware attacks as part of the international investigation. Investigators claim that these people were experts at creating ransomware campaigns and breaking into secured systems. They used specialized software to extract passwords from business computer systems, operating as so-called "hash crackers." 

Following the acquisition of employee credentials, the suspects allegedly increased their control over corporate environments, raised the privileges of hacked accounts, and gained unauthorized access to internal company networks.

Authorities claimed that after gaining access, malware intended to encrypt files was installed, sensitive data was stolen, and vital systems were compromised. The suspects' homes in the Ivano-Frankivsk and Lviv regions were searched with permission from the court. Digital storage devices and cryptocurrency assets were among the evidence of illicit activity that police confiscated during these operations.

Read more »
Technology
AI AI Assistant Artificial Intelligence Threats DockerDash Technology

Researchers Disclose Patched Flaw in Docker AI Assistant that Enabled Code Execution


Researchers have disclosed details of a previously fixed security flaw in Ask Gordon, an artificial intelligence assistant integrated into Docker Desktop and the Docker command-line interface, that could have been exploited to execute code and steal sensitive data. The vulnerability, dubbed DockerDash by cybersecurity firm Noma Labs, was patched by Docker in November 2025 with the release of version 4.50.0. 

“In DockerDash, a single malicious metadata label in a Docker image can be used to compromise your Docker environment through a simple three-stage attack,” said Sasi Levi, security research lead at Noma Labs, in a report shared with The Hacker News. “Every stage happens with zero validation, taking advantage of current agents and MCP Gateway architecture.” 

According to the researchers, the flaw allowed Ask Gordon to treat unverified container metadata as executable instructions. When combined with Docker’s Model Context Protocol gateway, this behavior could lead to remote code execution on cloud and command-line systems, or data exfiltration on desktop installations. 

The issue stems from what Noma described as a breakdown in contextual trust. Ask Gordon reads metadata from Docker images, including LABEL fields, without distinguishing between descriptive information and embedded instructions. These instructions can then be forwarded to the MCP Gateway, which executes them using trusted tools without additional checks. “MCP Gateway cannot distinguish between informational metadata and a pre-authorized, runnable internal instruction,” Levi said. 

“By embedding malicious instructions in these metadata fields, an attacker can hijack the AI’s reasoning process.” In a hypothetical attack, a malicious actor could publish a Docker image containing weaponized metadata labels. When a user queries Ask Gordon about the image, the assistant parses the labels, forwards them to the MCP Gateway, and triggers tool execution with the user’s Docker privileges.  
Researchers said the same weakness could be used for data exfiltration on Docker Desktop, allowing attackers to gather details about installed tools, container configurations, mounted directories, and network setups, despite the assistant’s read-only permissions. Docker version 4.50.0 also addressed a separate prompt injection flaw previously identified by Pillar Security, which could have enabled attackers to manipulate Docker Hub metadata to extract sensitive information. 

“The DockerDash vulnerability underscores the need to treat AI supply chain risk as a current core threat,” Levi said. “Trusted input sources can be used to hide malicious payloads that manipulate an AI’s execution path.”
Read more »
Malware attacks
Cyber Attacks CyberSecurity Ransomware Attacks Finance Sector financial attack malicious PDF files Malware attacks

PDFSider Malware Used in Fortune 100 Finance Ransomware Attack

 

A Fortune 100 finance company was targeted by ransomware actors using a new Windows malware strain called PDFSider, built to quietly deliver malicious code during intrusions. Rather than relying on brute force, the attackers used social engineering, posing as IT support staff and convincing employees to launch Microsoft Quick Assist, enabling remote access. Resecurity researchers identified the malware during incident response, describing it as a stealth backdoor engineered to avoid detection while maintaining long-term control, with traits typically associated with advanced, high-skill intrusion activity. 

Resecurity previously told BleepingComputer that PDFSider had appeared in attacks connected to Qilin ransomware, but researchers emphasize it is not limited to a single group. Their threat hunting indicates the backdoor is now actively used by multiple ransomware operators as a delivery mechanism for follow-on payloads, suggesting it is spreading across criminal ecosystems rather than remaining a niche tool. 

The infection chain begins with spearphishing emails containing a ZIP archive. Inside is a legitimate, digitally signed executable for PDF24 Creator, developed by Miron Geek Software GmbH, paired with a malicious DLL named cryptbase.dll. Since the application expects that DLL, it loads the attacker’s version instead. This technique, known as DLL side-loading, allows the malicious code to execute under the cover of a trusted program, helping it evade security controls that focus on the signed executable rather than the substituted library.  
In some cases, attackers increase the likelihood of execution using decoy documents crafted to appear relevant to targets. One example involved a file claiming authorship from a Chinese government entity. Once launched, the malicious DLL inherits the same privileges as the legitimate executable that loaded it, increasing the attacker’s ability to operate within the system. 

Resecurity notes that while the EXE remains validly signed, attackers exploited weaknesses in the PDF24 software to load the malware and bypass EDR tools more effectively. The firm also warns that AI-assisted coding is making it easier for cybercriminals to identify and exploit vulnerable software at scale. After execution, PDFSider runs primarily in memory to reduce disk traces, using anonymous pipes to issue commands through CMD. 

Each infected device is assigned a unique identifier, system details are collected, and the data is exfiltrated to an attacker-controlled VPS through DNS traffic on port 53. For command-and-control security, PDFSider uses Botan 3.0.0 and encrypts communications with AES-256-GCM, decrypting inbound data only in memory to limit its footprint. It also applies AEAD authentication in GCM mode, a cryptographic approach commonly seen in stealthy remote shell backdoors designed for targeted operations. 

The malware includes anti-analysis checks such as RAM size validation and debugger detection, terminating early when it suspects sandboxing. Based on its behavior and design, Resecurity assesses PDFSider as closer to espionage-grade tradecraft than typical financially motivated ransomware tooling, built to quietly preserve covert access, execute remote commands flexibly, and keep communications protected.
Read more »
Windows DoS
Iconics SCADA Mitsubishi Electric OT security Vulnerabilities and Exploits Windows DoS

Iconics SCADA Flaw Enables Privileged File Abuse and Windows DoS

 

A newly disclosed flaw in Mitsubishi Electric’s Iconics Suite SCADA platform, tracked as CVE-2025-0921, exposes critical industrial environments to denial-of-service attacks by abusing privileged file system operations in Windows-based engineering workstations. Rated with a CVSS score of 6.5, the vulnerability affects GENESIS64 deployments on Microsoft Windows versions 10.97.2 and earlier and could be combined with other weaknesses to corrupt essential system binaries and halt operations.

Researchers from Unit 42 discovered CVE-2025-0921 during an assessment of Iconics Suite, following an earlier set of five vulnerabilities they reported in versions 10.97.3 and below that enabled privilege escalation and system disruption. The latest bug resides in the way multiple Iconics services perform file system operations with elevated privileges, creating an opportunity for attackers with local, non‑admin access to direct these operations toward sensitive files. In industrial sectors such as automotive, energy and manufacturing, where Iconics SCADA is used to monitor and control processes, such misuse could severely impact system integrity and availability.

The core issue is a privileged file system operations vulnerability centered on the Pager Agent component of AlarmWorX64 MMX, which handles custom alerting via SMS and other pager protocols. Administrators configure SMS alerts using the PagerCfg.exe utility, including the path for an SMSLogFile where every SMS operation is logged. Under normal circumstances, the configuration file storing this path, IcoSetup64.ini in C:\ProgramData\ICONICS, should not be writable by standard users; however, when the legacy GenBroker32 component is installed, a previously documented flaw, CVE-2024-7587, grants any user full read-write access to this directory.

Unit 42 showed how an attacker could chain CVE-2025-0921 with CVE-2024-7587 to achieve a reliable denial-of-service condition on Windows. A local attacker first inspects IcoSetup64.ini to learn the SMSLogFile path, then creates a symbolic link from that log file to a critical binary, such as the cng.sys driver used by Microsoft’s Cryptography API: Next Generation. When an administrator later sends a test SMS or an alert fires automatically, the Pager Agent writes log data through the symbolic link into C:\Windows\System32\cng.sys, corrupting the driver so that the operating system fails to boot and becomes stuck in repair mode on reboot.

Even without the GenBroker32 installer misconfiguration, the researchers warn that CVE-2025-0921 remains dangerous if an attacker can make the log file path writable through other errors, alternative bugs or social engineering that changes permissions. They stress that privileged file system behaviors in OT environments are often underestimated, despite their potential to cause total system outages. Mitsubishi Electric has released an advisory and workarounds that address this and the previously reported issues, while Palo Alto Networks recommends hardening OT engineering workstations, segmenting SCADA systems with next-generation firewalls and leveraging OT security tools to detect and limit exploitation attempts.
Read more »
Subscribe to: Comments (Atom)

Featured