Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Debate Intensifies Over CEO Accountability in Cybersecurity Breaches

  A growing debate is emerging around whether chief executives should be held directly accountable when companies suffer cyberattacks. Some...

All the recent news you need to know
sophos
Artificial Intelligence Claude malware MITRE ATT&CK ransomware sophos

AI-Assisted Malware Lab Found Testing Ways to Evade Security Tools, Sophos Reports

 



Researchers at cybersecurity firm Sophos have uncovered a malware development framework that uses artificial intelligence tools to speed up the creation and testing of ransomware-related software designed to avoid detection by security products.

The investigation began after Sophos analysts discovered suspicious files on a customer system. What initially appeared to be a collection of penetration-testing tools soon revealed signs of criminal activity, including references to ransom notes and organizations listed on ransomware leak sites.

According to Sophos, the framework combines traditional attack tools with AI-assisted development workflows. Researchers found evidence that the operators used coding assistants such as Cursor and Claude Opus during different stages of development, including writing code, reviewing results, refining payloads, and researching techniques that could help malware evade security controls.

One of the framework's primary goals was to bypass Endpoint Detection and Response (EDR) platforms. These security products are designed to identify malicious activity on computers and servers, often detecting attacks that traditional antivirus software might miss.

The toolkit contained several components intended to reduce the chances of detection. Among them were customized Cobalt Strike profiles that made malicious network traffic resemble ordinary web browsing activity, communication channels that routed commands through Telegram, and malware development scripts capable of injecting malicious code into legitimate Windows applications while allowing those programs to continue functioning normally.

Researchers also identified the use of a Cloudflare Worker that acted as an intermediary between infected systems and attacker-controlled infrastructure. This setup can make it more difficult for defenders to identify the true location of command-and-control servers.

A particularly notable feature of the framework was an automated Active Directory discovery system. Active Directory is widely used in enterprise networks to manage users, computers, permissions, and other resources. Because it contains valuable information about an organization's internal structure, attackers frequently attempt to map Active Directory environments after gaining access to a network.

Sophos found that the discovery process relied on a series of AI-assisted agents that gathered information, assessed results, selected follow-up actions, and continued the investigation of the network. Rather than requiring a human operator to manually perform every step, parts of the reconnaissance process could be carried out through predefined automated workflows.

The framework itself appeared to operate through multiple specialized AI agents assigned to different tasks. Sophos reported that one agent coordinated the overall development process while others focused on testing, documentation, operational security improvements, virtual machine deployment, proxy testing, and malware evaluation.

Researchers also discovered that some agents had been tasked with examining publicly available security research. The system collected information from technical reports and research publications, extracted details about detection-evasion methods, mapped those techniques to the MITRE ATT&CK framework, recreated testing environments, and documented the results.

At the center of the operation was a Python-based payload generation tool. This component produced malware written primarily in Rust and Go while combining encryption, execution techniques, and anti-analysis measures intended to make detection more difficult. Sophos observed nearly 80 generated modules being tested against more than 70 separate evasion methods.

The malware was evaluated in laboratory environments against security products from Sophos, CrowdStrike, and Microsoft. Researchers noted that repeated testing and revision cycles appeared to improve the success rate of many payloads. However, they also observed inconsistencies between some reported results and actual testing outcomes, leaving questions about the accuracy of certain internal performance claims.

Despite the extensive use of artificial intelligence during development, Sophos found no indication that AI was embedded within deployed malware or operating independently on victim systems. The technology was primarily used to accelerate the research, testing, and refinement process while human operators remained responsible for directing the activity.

The findings provide another example of how threat actors are incorporating AI into existing workflows. Rather than introducing entirely new attack methods, these tools appear to be helping attackers shorten the time needed to transform publicly available security research into functioning malware capable of challenging modern security defenses.

Read more »
Gambling
Azure Azure Attack blackhat seo poisoning Cyber Attacks data security DNS DNS Hijacking DNS poisoning attack Gambling

Thai Gambling SEO Poisoning Campaign Compromises 163 Organizations Through Abandoned DNS Records

 

Surprisingly, a major SEO poisoning effort tied to Thai gambling networks has breached 163 groups in over thirty nations - leveraging outdated cloud DNS setups. Forgotten domain name system delegations were seized by hackers, according to findings from Cyble's research team. These compromised entries then hosted gambling sites in Thai, piggybacking on legitimate corporate web addresses. Government bodies faced risks alongside hospitals, banks, schools, and essential service providers. The attack spanned industries once thought too secure for such oversights. 

Abandoned Azure DNS zone delegations form the main focus of this attack method. Companies shutting down cloud initiatives often leave DNS entries intact by mistake. These lingering records catch the attention of hackers looking for weaknesses. Under their own accounts, attackers rebuild the forgotten zones once tied to those domains. Control shifts to them without immediate detection. What follows is silent redirection through seemingly valid subdomains. Users encounter harmful material believing it trustworthy. 

Search systems treat the pages as genuine due to unchanged domain signals. Browsers show no warnings because technical checks pass unnoticed. Oversight at decommissioning enables this entire chain. One way hackers operated involved deploying a gambling toolkit based on Next.js, protected by real Let’s Encrypt wildcard certificates. Security systems often overlook such threats since the pages appear under trusted corporate domains carrying proper encryption credentials. When analysts reviewed the situation, they discovered most targets - 161 out of 163 - were still infiltrated. 

What made detection hard was not just the tech used, but how convincingly it mimicked authorized web traffic. Unusual DNS patterns in a Verizon subdomain initially drew attention to the campaign. Over 1,000 subdomains were found serving Thai gambling content - each packed with referral links meant to earn signup-based payouts. Identical code markers tied these sites together: matching Next.js build IDs, favicons, and redirect paths showed up repeatedly. Investigations then revealed similar setups spread across 162 separate entities. Where one breach ended, another began; nearly all of them echoed the same digital fingerprints. Four main tactics powered the attacks, analysis showed. 

Most frequent: hijacking Azure DNS zones - over 150 groups impacted. Some breaches emerged from unused DigitalOcean domains; two companies fell victim this way. Misconfigured wildcards redirected data flow in separate cases, benefiting hostile servers. On its own track, Verizon's setup hosted a surge of deceptive A-records, exceeding one thousand entries. Certificate transparency logs show certain unused domains stayed dormant for long periods prior to being hijacked. One example involves a drug maker's subdomain, which saw zero valid certificate issuance past 2019 - then suddenly received a fresh certificate issued by adversaries in April 2026. 

Among the sites involved were ibiza99.autos, big888.store, seven77.click, and link99.nova555.rest, each tied to affiliate systems bringing in income. Hidden behind them sat a network of 103 machines based in Hong Kong, discovered by analysts who noticed uniform admin software, matching security credentials, along with mirrored setup patterns across every server. Not one alert was raised before the breach exposed weak spots in basic domain setups. 

A closer look shows outdated links lingering long after they should have been dropped. These loose ends give attackers room to move without detection. Monitoring public logs might catch early signs of misuse, though many teams skip this step. Old ties to cloud services often stay active, quietly inviting abuse. When ignored, such gaps let criminals twist legitimate sites toward shady goals. Routine checks could block these paths, yet few organizations follow through consistently.
Read more »
Vulnerabilities and Exploits
PostgreSQL RCE Splunk Unauthorised Access Vulnerabilities and Exploits

Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication

 

Splunk has issued urgent security updates to address a catastrophic vulnerability in Splunk Enterprise that enables unauthenticated remote code execution (RCE). Tracked as CVE-2026-20253, the flaw carries a maximum CVSS score of 9.8, marking it as one of the most severe security issues seen in enterprise data platforms this year. Attackers can exploit this vulnerability to perform arbitrary file operations and execute malicious code without providing any credentials, potentially leading to complete infrastructure compromise. 

The vulnerability stems from the PostgreSQL Sidecar Service introduced in Splunk version 10, which lacks proper authentication controls at its endpoint. Specifically, the service listens locally on port 5435 and allows any network-reachable user to invoke file operations without credentials. According to Splunk's official alert, "an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint" in versions below 10.2.4 and 10.0.7. This missing authentication layer transforms what appeared to be an arbitrary file-creation issue into a full-blown unauthenticated RCE vulnerability. 

Affected versions include all Splunk Enterprise releases below 10.2.4 and 10.0.7, impacting multiple release branches across the 10.x series. The flaw specifically targets the PostgreSQL Sidecar Service API, which was introduced as part of Splunk version 10's architecture. Cybersecurity experts warn that due to the potential for full infrastructure compromise in both enterprise and cloud environments, immediate patching is absolutely required. Organizations running unpatched Splunk instances face extreme risk since the vulnerability requires no authentication whatsoever. 

Splunk has released security updates that properly address this critical flaw by implementing authentication controls at the PostgreSQL Sidecar Service endpoint. Security administrators should prioritize upgrading to version 10.2.4 or 10.0.7 (or newer) immediately to close this attack vector. The cybersecurity community has noted the ironic danger here: Splunk is supposed to be your security monitoring tool, so if this unpatched vulnerability sits on your network, attackers can bypass your very security infrastructure. No active detections in the wild have been confirmed yet, but the severity makes this a likely target for rapid exploitation. 

This vulnerability represents a critical security gap that demands immediate attention from all Splunk Enterprise users worldwide. With a CVSS score of 9.8, CVE-2026-20253 elevates what was initially reported as an arbitrary file-creation flaw into a dangerous unauthenticated remote code execution threat. Organizations must treat this as a top-priority security incident and apply Splunk's patches without delay to prevent potential data breaches, system compromise, or complete infrastructure takeover by malicious actors.
Read more »
Technology for Data Protection
AI Surveillance Amazon Ring Biometric Data Collection biometric privacy Consumer Privacy Rights Facial Recognition Privacy Smart Doorbell Security Technology for Data Protection

Amazon Faces Lawsuit Over Ring Facial Recognition Practices


 

Face recognition capabilities are increasingly integrated into consumer surveillance platforms, prompting increased legal scrutiny over Amazon's Ring division's handling of biometric information. Newly filed lawsuits allege that Ring's optional "Familiar Faces" feature captures, processes, and stores facial images without obtaining consent from each individual who may have their likeness recorded. 

Privacy compliance, biometric data governance, and the legal boundaries of AI-driven identification technologies are raised as a result of this lawsuit. In the complaint, which has been filed by a Virginia resident seeking class-action status and substantial damages, one of the most widely used smart doorbell ecosystems is placed at the center of a escalating debate concerning how companies balance convenience with security and data protection. 

Charles Sigwalt, who initiated the proposed class-action lawsuit in Seattle, is at the center of the legal challenge. As part of Ring's "Familiar Faces" technology, individuals within the range of compatible doorbell cameras are scanned and classified through artificial intelligence using artificial intelligence. Sigwalt claims that the feature generates and retains an unique template of the individual's face that may be used in future encounters to identify the same individual. 

Whereas Sigwalt received no notice that his biometric information was being captured or processed during his visits to friends and relatives who used Ring devices, he claims this process occurred while he was visiting those homes. Furthermore, the lawsuit alleges that the company continues to retain such data, as well as asserting that the individuals recorded by the system did not provide consent to such collection. 

Although Amazon did not respond to the allegations, this case highlights the technical operation of Ring's "Familiar Faces" feature that was introduced in September 2025 as an optional tool to enhance visitor notifications. 

By replacing generic alerts with personalized ones, this system enables cameras to recognize recurring visitors over time and send notifications based on their names instead of the usual motion or presence alerts. However Ring claims that the feature can be enabled or disabled by the user at any time, the lawsuit raises broader questions regarding how consent mechanisms adequately address biometric data of individuals who do not own the device, but may still be subjected to facial recognition analysis despite not being device owners. 

Additionally, the complaint asserts that the collection of facial recognition data extends beyond Ring device owners and may negatively affect individuals who walk through cameras monitored entryways without their knowledge or consent. 

In the filing, it is stated that millions of people may have been able to capture their facial images by simply appearing within the viewing area of Ring-equipped properties, raising questions regarding the extent of biometric data collection in residential surveillance settings. Amazon declined to comment on the litigation, however the case adds to a growing list of privacy challenges for Ring since Amazon acquired the smart security company for $1 billion in 2018. 

Ring also faced criticism months ago over its neighborhood camera network feature, which was promoted during the Super Bowl to help users locate missing pets. There has been some controversy surrounding this initiative, since privacy advocates and some users have warned that the expansion of interconnected camera coverage could result in a broader surveillance of public spaces and residential communities than the initiative's stated objective. 

Both controversies emphasize the increased scrutiny that has been focused on the deployment of networked surveillance and the handling of biometric information on a large scale by regulators and the public. Increasingly, consumer security products are providing features such as biometric recognition and artificial intelligence-driven surveillance. 

The legal challenge filed against Ring demonstrates the growing tension between the advancement of technology and the protection of individual privacy. In this case, the outcome could affect the development of facial recognition systems, biometric data management, and the process by which organizations obtain meaningful consent from individuals who are likely to be captured by connected devices. 

As intelligent surveillance technologies continue to evolve, transparency, data governance, and privacy-by-design principles remain essential safeguards for consumers and corporations alike.
Read more »
Technology
AI ai agents Computing Microsoft Technology

Microsoft Unveils Project Solara, AI Agents to Replace Computing


Satya Nadella, Microsoft CEO, said computing has entered a new era where AI agents will take over to become the main interface, not applications or operating systems. 

Microsoft launches project Solara

Microsoft also released Project Solara, a Qualcomm powered platform built to support Agentic-AI devices that can work across apps, screens, and workflows. According to Microsoft, the next era of computing will not be characterized by such things. 

At the Microsoft Build 2026 developer conference, Nadella said that Microsoft is shifting from a world based on apps and devices to one where AI agents will dominate the main interface between computers and users.

Nadella said this while Microsoft showcased Project Solara, a new chip-to-cloud platform built in partnership with Qualcomm which is currently called “agent-first computing”. Microsoft said that agentic AI is developing beyond assistants integrated inside applications and will streamline operations across workflows. This may impact the future of computer usage. 

Project Solara is based on the company’s belief that agentic AI will become the key technology for people to interact. Instead of running apps individually and  tasks manually, users will use AI agents.

About Project Solara

It is a chip-to-cloud platform that integrates Azure cloud services, hardware, and software to enable agent-first usage. It will also allow people to interact dynamically with AI via specific form factors. Solara is built around the goal that AI agents are the latest unit of programming and a novel way for people to interact with computers.

In a research paper published around the same time, Microsoft said that computing has shifted from mainframes to PCs, smartphones, and IoTs. 

Each generation inches closer to users. AI agents will become the next interaction layer, letting people interact with computers via natural language instead of interfaces, menus, and navigating apps.

How will the AI agents replace apps?

Microsoft laid three levels of integrating AI. 

In the first stage, AI is put beside an app as a helper, like the LLM chatbots of today. 

In the second level, AI is directly integrated inside apps, which makes it central to user experience. 

In the third level, AI operates outside the individual apps, streamlining workflows while maintaining context. Solara is particularly built for the third stage.
Read more »
Stablecoins
Bitcoins Blockchain Integration crypto transactions cryptocurrency Cyber Crime data compliance Financial Regulators Money Laundering river Stablecoins

Stablecoins Replace Bitcoin as the Primary Cryptocurrency in Illicit Transactions, Industry Data Shows

 




For years, Bitcoin was widely associated with cryptocurrency-related crime. New industry data suggests that picture has changed astronomically, with stablecoins now accounting for the vast majority of identified illicit cryptocurrency activity.

The change of terms was accentuated by Bitcoin-focused financial services company River, which cited blockchain intelligence findings showing that Bitcoin's role in unlawful crypto transactions has declined sharply over the past several years. According to data attributed to Chainalysis, Bitcoin represented roughly 70% of illicit cryptocurrency transaction volume in 2020. By 2025, that figure had fallen to approximately 7%, while stablecoins had grown to account for around 84% of identified illicit transaction volume.

The numbers point to a drastic transformation in how cybercriminals, fraud operators, sanctioned entities, and money-laundering networks move digital funds across borders.


Why Stablecoins Are Becoming More Attractive to Criminal Networks

Unlike Bitcoin and many other cryptocurrencies, stablecoins are designed to maintain a relatively fixed value, typically by being linked to a traditional currency such as the U.S. dollar.

This stability removes one of the major risks associated with cryptocurrency transactions. A criminal group holding $1 million in Bitcoin today could see the value fluctuate significantly within days. Stablecoins largely eliminate that uncertainty, allowing illicit actors to move, store, and transfer funds without being exposed to major price swings.

Researchers say this makes stablecoins particularly useful in fraud schemes, investment scams, money-laundering operations, and cross-border transfers where predictable value is important.

The spike in acceptance of stablecoins across exchanges, payment services, and over-the-counter trading networks has also contributed to their increased use. Many stablecoins can be transferred globally within minutes while maintaining a value closely tied to fiat currency, making them practical for both legitimate and illegitimate financial activity.


Bitcoin Still Appears in Certain Criminal Operations

Despite its declining share, Bitcoin has not disappeared from the cybercrime infrastructure. It is still part of the overall pipeline in digital currency exchange. 

Blockchain investigators continue to observe Bitcoin being used in ransomware attacks, darknet marketplaces, and extortion schemes. In these environments, long-established infrastructure, existing payment workflows, and familiarity among threat actors continue to support Bitcoin's use.

However, analysts note that criminal organizations are increasingly treating Bitcoin as only one option within a much larger digital financial ecosystem rather than the default cryptocurrency for illicit transactions.


Illicit Crypto Activity Continues to Soar

The change in asset preference comes as blockchain intelligence firms report increases in the overall value of illicit cryptocurrency activity.

TRM Labs recently estimated that illicit cryptocurrency flows reached approximately $158 billion in 2025, representing the highest level recorded by the company. The firm reported a sharp increase from the previous year, attributing much of the growth to sanctions-related activity, sophisticated money-laundering operations, underground financial networks, and expanded use of cryptocurrency by state-linked actors.

A large portion of these transactions involved stablecoins in the grand scheme of carrying out cyber criminal activities. 

Researchers also observed that sanctions-evasion networks increasingly rely on stablecoins because of their liquidity, accessibility, and ability to move large sums through multiple jurisdictions with relative speed.


Compliance and Regulatory Pressure Expected to become more stringent

The developing concentration of illicit activity within stablecoin ecosystems is likely to intensify scrutiny from regulators and law-enforcement agencies.

Unlike decentralized cryptocurrencies, many major stablecoins are issued by identifiable companies that maintain reserve assets and have the technical ability to freeze certain wallets when required by legal authorities.

As a result, policymakers are increasingly examining how stablecoin issuers monitor suspicious transactions, respond to sanctions violations, and cooperate with criminal investigations.

Several stablecoin providers have already expanded collaboration with law enforcement agencies. Tether, the issuer of USDT, has publicly reported freezing wallets connected to suspected criminal activity, while blockchain analytics companies continue to develop tracking tools designed to identify suspicious transaction patterns across networks.


Criminal Use Remains a Small Portion of Overall Activity

Although illicit cryptocurrency volumes have risen in absolute terms, researchers caution against interpreting the data as evidence that most cryptocurrency activity is criminal.

Industry reports consistently show that unlawful transactions represent only a small fraction of total blockchain activity. Stablecoins process trillions of dollars in annual transaction volume, meaning the overwhelming majority of transactions are associated with legitimate uses such as payments, trading, remittances, and settlement activities.

Nevertheless, the latest findings draw a clearer picture into how criminal groups adapt quickly to changing financial technologies. While Bitcoin once dominated illicit cryptocurrency transactions, blockchain intelligence data now suggests that stablecoins have become the preferred vehicle for many forms of crypto-enabled financial crime due to their price stability, global accessibility, and ease of transfer.

The trend is expected to remain a driving focus for regulators, compliance teams, cryptocurrency exchanges, and law-enforcement agencies as governments continue developing rules for the rapidly expanding stablecoin sector.


Read more »
Subscribe to: Posts (Atom)

Featured