Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Infrastructure Security
AI Infrastructure Security AI Security Credential Cyber Security Enterprise AI Security Enterprise security Infrastructure Security

AI Credential Security Emerges as Critical Risk in Modern Enterprise Infrastructure

 

Surprisingly, artificial intelligence alters how companies build their internal systems. Yet warnings emerge - not about flawed code, but about access methods growing more dangerous by the day. Credentials like API keys, login tokens, or automated service IDs now attract attackers as firms adopt more AI tools. 

A new report highlights an odd trend: defenses focus on outer boundaries, though weak identity controls often cause breaches inside AI environments. Investment flows into firewalls, even when real threats hide within permission structures Security breaches lately show a shift: criminals now aim more at login details instead of bugs within AI tools. A known example occurred when hackers gained access to publishing rights for a software library, slipping in harmful updates that collected AI account passwords, cloud keys, and system tokens across infected setups. 

Elsewhere, hidden project files left public helped adversaries grab artificial intelligence API secrets - before any code ran. Attackers succeeded here by abusing leaked authentication data, not defects in the underlying AI frameworks One reason experts point to is deeper issues baked into how AI systems are built. Instead of isolated logins for narrow tools, today’s setups often let one key open doors across many models and platforms. Because of this shift, losing control of login details means much wider exposure. Stolen tokens now offer criminals far greater leverage than before Among recent findings, signs point to an expanding problem with stolen login details.

A study across sectors showed over 1.27 million credentials tied to artificial intelligence services spilled online in 2025 alone - an uptick compared to prior periods. Old access tokens, though outdated, often stayed valid well beyond issue dates; when such keys fell into the wrong hands earlier, risk lingered far longer than expected Still, old-style safeguards like changing passwords, locking secrets away, or running automatic checks hold value - even if they fall short in AI-driven settings. 

Credentials tied to artificial intelligence tend to appear inside container files, system blueprints, build processes, recorded outputs, along with various hosted platforms. Once leaked access keys get found or reset, harm might already be done - copies hidden elsewhere, misuse underway. What worked before now lags behind how fast these systems share and replicate trust tokens Most security experts suggest companies start viewing AI identifiers much like those assigned to people or devices - restricting access based on necessity. 

Instead of using one wide-reaching API key, authorization should match only the needed tools, functions, or tasks. Each environment - whether used for live operations, trials, data review, or public interaction - ought to have distinct login details. This separation helps contain damage if one set gets exposed Security grows sharper when teams watch systems without pause. 

Ownership of access keys must be obvious, someone always accountable. Seeing what runs at any moment helps spot odd behavior early. Frequent checks on user actions reveal risks before they spread. A login seen outside usual patterns? Treat it as breached, just in case. With AI spreading through daily workflows, tracking who can do what matters more each month. Identity rules once tucked behind firewalls now step forward. They anchor defenses instead of trailing behind. Trust shifts only when proof holds firm.
Read more »
Technology
AI Robots AI Training Humanoid Robots Indian Workers Job Automation Technology

Inside India’s AI Boom: Workers Training Robots to Replace Human Jobs

 

Indian workers are increasingly being paid to record themselves performing everyday tasks so AI systems can learn how to do those jobs — a trend that’s creating short-term income but raising serious long-term questions about automation and worker displacement. 

Employers and startups are using head-mounted cameras, smartphones and motion sensors to collect “egocentric” footage of activities such as chopping vegetables, folding clothes and assembling parts; that data trains models intended to teach humanoid robots how humans move and interact with objects in real environments. The work has opened a new gig economy niche: workers earn small payments per hour of footage, often in low-cost regions like India where labour is cheaper than in Western markets. 

For many workers the pay provides immediate relief — a few hundred rupees per hour can be meaningful — but the jobs themselves are repetitive and sometimes physically taxing, involving long shifts and continuous filming that can cause eye strain and fatigue. Companies argue this is legitimate work in a growing data economy: capturing real-world human movement is essential for training robots to operate safely and effectively outside labs. Tech firms say egocentric data accelerates progress toward practical household and industrial robots by exposing models to the messy realities of kitchens, factories and crowded workspaces that simulated data cannot reproduce. 

Yet the ethical and economic implications are stark. Critics say the model resembles a paradox: workers are paid to teach machines how to replace them, creating what some call a “data-for-displacement” cycle. Labor advocates worry that once humanoid robots mature, tasks now filmed by humans — from domestic chores to basic factory assembly — could be automated, squeezing informal-sector incomes on which millions depend. Policy analysts note that much public debate on AI’s job impacts focuses on white-collar roles, while the millions in informal or low-wage physical jobs receive far less attention despite being directly targeted by physical AI development. 

Responses are emerging but remain fragmented. Some companies insist robots will complement rather than replace human workers, enabling safer or higher-skilled jobs; others have introduced retraining or higher-paying annotation roles as partial mitigation. Meanwhile civil-society groups and researchers call for stronger labor protections, transparency about how footage will be used, and social-safety nets to support workers displaced by automation, especially in countries with large informal workforces. 

The situation highlights a broader policy challenge: balancing technological progress with social safeguards so that the value created by AI doesn’t accrue only to firms and investors while leaving vulnerable workers behind. As physical AI moves from research labs into everyday life, regulators, companies and worker representatives will need to negotiate fair pay, consent, and transition measures—or risk repeating past technological revolutions that expanded productivity while widening inequality.
Read more »
sim swap
CBZC cryptocurrency Cyber Crime FBI Poland sim swap

Poland arrests four suspects in international SIM-swapping operation linked to multimillion-dollar cryptocurrency thefts

 



Polish law enforcement authorities have arrested four suspected members of an organized cybercrime group accused of orchestrating intricate SIM-swapping attacks that allegedly enabled the theft of millions of dollars in cryptocurrency from victims. The coordinated operation was led by Poland's Central Bureau for Combating Cybercrime (CBZC) with operational assistance from the U.S. Federal Bureau of Investigation (FBI) and Homeland Security Investigations (HSI), highlighting the cross-border nature of the investigation.

According to investigators, the group combined technical intrusions with social engineering techniques to compromise organizations working alongside telecommunications providers. By infiltrating partner infrastructure and gaining unauthorized access to employee email accounts, the suspects allegedly obtained sensitive information that enabled them to perform fraudulent SIM-swapping attacks.

A SIM-swap attack involves transferring a victim's mobile phone number to a SIM card controlled by an attacker. Once the transfer is completed, the attacker can intercept SMS messages, one-time verification codes, password reset requests, and other communications that rely on the victim's phone number for authentication.

Authorities allege that after taking control of victims' mobile numbers, the cybercriminals intercepted SMS-based authentication messages and email communications before using that access to seize control of cryptocurrency exchange accounts. The attackers then transferred digital assets from compromised accounts before attempting to conceal the proceeds through an extensive laundering operation.

Investigators estimate that the criminal scheme generated millions of U.S. dollars in stolen cryptocurrency. The illicit proceeds were allegedly moved through a distributed financial network consisting of multiple domestic and international bank accounts, international payment platforms, and multi-currency digital wallets in an effort to obscure the origin of the funds. Polish authorities estimate that the total amount laundered exceeded tens of millions of Polish złoty, equivalent to at least approximately US$5 million based on current exchange rates.

In a statement describing the operation, CBZC said the suspects relied on specialized software together with social engineering techniques to gain unauthorized access to infrastructure belonging to organizations cooperating with telecommunications operators, as well as employee email accounts. Investigators said the information obtained during those compromises enabled the illegal cloning and takeover of victims' phone numbers through SIM-swapping attacks.

Authorities further stated that the suspects allegedly treated the criminal enterprise as a continuous source of income, repeatedly moving stolen assets across numerous financial accounts and cryptocurrency wallets located in multiple jurisdictions to complicate financial tracing efforts.

All four suspects have been placed in pre-trial detention. They face allegations including participation in an organized criminal organization, unauthorized access to information systems to facilitate theft, and money laundering. If convicted, the offenses carry penalties of up to 25 years' imprisonment under Polish law.

While Polish authorities have not publicly identified the individuals arrested because of the ongoing international investigation, blockchain investigator ZachXBT claimed that one of the detainees is Wojtek Kulisz, also known online by the alias "Merry." The identification was reportedly based on items visible in official footage released during the police operation. Authorities have not independently confirmed that claim.

Investigators have also declined to disclose which cryptocurrency exchanges were affected or identify the victims, citing the continuing international investigation. Law enforcement agencies say efforts to identify additional victims, trace stolen assets, and pursue further investigative leads remain ongoing.

The case stresses the urgency of the risks associated with SMS-based authentication. Security professionals have long advised cryptocurrency investors and organizations to replace SMS-based two-factor authentication with authenticator applications or hardware security keys whenever possible, as SIM-swapping attacks remain an effective method for bypassing text message verification when attackers successfully compromise telecommunications systems or manipulate carrier processes.

Read more »
Information Security Leadership
AI cybersecurity Chief Information Security Officer CISO Code Of Ethics Cyber Risk Management Cyber Security Information Security Leadership

The Growing Call for a CISO Code of Ethics


CISOs today are no longer measured solely by the effectiveness of an organization's cyber defenses. With the increase of cyber threats, the acceleration of offensive capabilities with artificial intelligence, and increasing regulatory scrutiny, the role of enterprise-wide risk management, strategic decision making, and executive accountability has increased. 

The rapid evolution of the security industry, however, exposes a critical imbalance. Although companies increasingly rely on Chief Information Security Officers to safeguard their business operations, sensitive data, and corporate resilience, many security leaders are still lacking board-level support, clearly defined governance frameworks, or an universally accepted ethical framework. 

With the rise of data breaches and the growing concern about AI-enabled cyber threats, the question is not whether CISOs are equipped to deal with technical security challenges, but whether the profession itself requires a code of ethics that guides high-impact decisions that extend beyond cybersecurity in order to guide high-impact decisions. 

In addition to managing firewalls, security tools, and incident response operations, the CISO position has evolved far beyond managing firewalls and security tools to encompass a strategic role that encompasses more than ethical accountability. It is the chief information security officer's responsibility to design, implement, and enforce enterprise-wide security policies as well as ensuring the organization's long-term business strategy remains infused with cybersecurity. 

A CISO is responsible for overseeing the implementation of security technologies and workforce awareness programs to reduce the risk of data breaches and system compromise, in addition to fostering a security-first culture that strengthens organizational resilience and facilitates compliance with a growing range of regulatory and industry guidelines.

An organization's security posture must first be evaluated, existing controls evaluated, capability gaps identified, and risks prioritized to develop a security roadmap aligned with business objectives. These responsibilities require a combination of cybersecurity expertise, executive leadership, and strategic decision-making to accomplish. 

The modern CISO must have extensive knowledge of risks, threat detection, and response, as well as compliance standards such as GDPR, NIST, and SOC 2. They must also be equipped to manage security teams, budgets, and enterprise resources simultaneously. Board members and executive leadership must also be able to translate complex cyber risks into business-focused insights in order to facilitate informed decision-making and facilitate cross-functional collaboration capable of adapting to an increasingly sophisticated threat landscape, which is equally critical. 

According to recent findings, these challenges in governance translate into measurable risks in the operating environment. In the Voice of the CISO survey, conducted during the first quarter of 2025, 1,600 chief information security officers were surveyed across 16 countries by organizations with over 1,000 employees. 

According to nearly two-thirds of respondents, their organizations have suffered a material loss of sensitive information within the past year—a sharp increase over 46% reported in the previous survey. As a consequence, three quarters of CISOs are concerned that their organizations will be susceptible to material cyberattacks in the next 12 months. As a result of increased regulatory oversight and the demand for greater transparency, security leaders are increasingly willing to disclose security incidents as a result of these rising figures, indicating more than an increase in threat activity. 

Patrick Joyce, Global Resident CISO at Proofpoint, observed that CISOs are increasingly open about cyber risk exposure as a result of evolving governance expectations. The majority of respondents stated that they were confident in their organizations' cybersecurity culture, however six out of ten stated that they were not adequately prepared to handle a major cyber-attack. 

A significant proportion of CISOs indicated that they would consider paying a ransomware demand in order to recover critical data or restore business operations, highlighting the difficulty of making ethical decisions during crisis response. The findings also emphasize the complex balance between business continuity, risk management, and ethical decisions. 

A formal code of ethics for CISOs is gaining renewed relevance in light of this background. It is argued that technical expertise alone is no longer sufficient to fulfill the role of Chief Information Security Officer, which involves high-impact decisions affecting national infrastructure, business continuity, compliance with regulatory requirements, and public trust frequently. This framework is deliberately concise, incorporating four mandatory canons that describe the profession's fundamental ethical obligations rather than replacing individual professional judgment. 

By providing advisory guidance, the framework aims to assist security leaders in navigating complex situations in which competing responsibilities are often not clear on a technical or legal level. The code's preamble emphasizes that the CISO's primary responsibility is to protect society, organizational stakeholders, and critical infrastructure, making compliance with the code a mandatory assignment. 

According to the four core principles, cybersecurity professionals are expected to protect society and essential infrastructure, act with honesty, integrity, and stewardship, serve their organizations competently and diligently, and actively strengthen and safeguard the cybersecurity profession as a whole. 

A practical objective complements these mandatory canons, which encourage cybersecurity research, education, mentoring of future practitioners, and the preservation of professional certification values, while discouraging conduct that could adversely affect public confidence or security. There are many ways a professional can undermine ethical credibility, such as creating unnecessary fear or uncertainty, providing false reassurance, promoting poor security practices, exposing inadequately secured systems to a public network, or participating in professional associations that compromise ethical standards. 

A further requirement of the framework is that compliance with the preamble and four canons be enforced, and any conflicts between ethical obligations are resolved in accordance with the order in which the canons are defined. This ensures that security professionals have a structured hierarchy for resolving complex ethical dilemmas without creating conflicting obligations. 

CISOs continue to assume increasingly extensive legal, operational, and ethical responsibilities, and industry experts emphasize that personal crisis management strategies should also be developed to protect security executives along with the organizations they serve. 

A comprehensive incident response plan should not only prepare for technical incident response, but also consider professional, legal, financial, and reputational risks that may arise following an investigation by the government or a major cyber incident. It is important to maintain comprehensive documentation of security decisions, risk assessments, mitigation strategies, and executive communications, including instances where recommendations for security measures are declined by senior management or the board. 

By maintaining an auditable record of both approved and rejected security recommendations, companies can demonstrate due diligence, compliance with regulations, and informed decision making when faced with legal scrutiny. 

A CISO's security strategies must align with changing compliance obligations as they evolve in cybersecurity legislation, disclosure requirements, and regulatory frameworks by engaging in continuous professional development and consulting with legal counsel regularly. 

In addition, experts recommend that executives take out professional liability insurance specifically designed for executive cybersecurity roles, as standard corporate policies may not cover CISOs who have not been appointed as officers or directors by the organization, potentially leaving them personally liable for the consequences. As an added safeguard, a documented ethical decision-making framework will be developed that will serve as a consistent reference when dealing with incidents involving conflicting legal obligations, executive pressures, or sensitive disclosure decisions. 

The establishment of strong working relationships with legal, finance, public relations, and corporate communications teams is essential to the coordination of incident response, which ensures that regulatory notifications, public disclosures, and stakeholder communication remains both legally compliant and ethically sound during times of crisis. 

In the age of cybersecurity, enterprise resilience and national digital security continue to be shaped by it, which means that CISOs are increasingly responsible for more than just technical oversight. Effective cyber leadership requires strong governance, ethical accountability, transparent risk communication, and executive support.

The organizations that empower security leaders with clear ethical frameworks, documented decision-making processes, and cross-functional collaboration will have better chances of navigating an increasingly complex threat landscape while maintaining trust, regulatory compliance, and long-term operational efficiency.

Read more »
Self-Driving
ADAS Cyber Security India Auto Tech Radar Sensors Road Safety Self-Driving

India Removes Spectrum Barriers to Fast‑Track ADAS and Self‑Driving Tech

 

India has taken a significant step toward modernizing road safety by removing licensing requirements for radar sensors used in crash-avoidance and self-driving technologies. Reuters reports that the move is meant to reduce barriers for automakers and encourage the adoption of systems that can help lower the country’s high road fatality rate.

The issue is important because India’s roads remain among the most dangerous in the world, and vehicle safety technology is still unevenly deployed. By clearing spectrum access for key systems, the government is signaling that it wants advanced driver-assistance features such as emergency braking, blind-spot detection, and adaptive cruise control to become easier and cheaper to install. 

Under the new policy, manufacturers no longer need separate licensing to use radar sensors in the 77 GHz to 81 GHz range, which are central to many safety functions. Reuters also says similar relief was granted for systems operating in the 59 GHz band, which support communication between vehicles and roadside infrastructure. 

The policy shift also brings India closer to the regulatory approach used in the United States and the European Union, where standardized hardware can be deployed more freely. That matters for automakers because it reduces the need to build expensive India-specific alternatives, potentially speeding up launch timelines and lowering costs for consumers. 

At the same time, the report highlights that this is not a full autonomous-driving policy and does not solve India’s broader road safety problems on its own. The real test will be whether these regulatory changes translate into safer vehicles on the road, broader adoption by automakers, and measurable reductions in crashes over time.
Read more »
Microsoft security
Cyber Security Cyber Threats CyberCrime Cybercrime Ecosystem Microsoft Microsoft security

Microsoft, Europol and Industry Partners Disrupt Amadey and StealC Cybercrime Infrastructure

 

Surprisingly, global police forces took down two key cybercrime systems at once - unusual given past efforts typically focused on one threat. Backing came from Microsoft, adding weight to actions targeting Amadey, a program that loads malicious software. 

Meanwhile, StealC was also hit; it specializes in stealing user data. Though often seen working hand-in-hand during digital break-ins, both were struck together this time. Shifting tactics like this disrupted not just the tools but their entire support network. Recovery now becomes harder simply because so much of their foundation is gone. 

With infrastructure damaged across multiple points, launching new attacks will take far longer than before. Microsoft’s Digital Crimes Unit joined forces with law enforcement, cyber defense companies, and intelligence teams to tackle organized digital threats. From the start, findings on Amadey emerged through collaboration between ESET, BitSight, Lumen, and Mitsui Bussan Secure Directions. 

Meanwhile, tracking StealC unfolded thanks to insights from Europol, Germany’s Federal Criminal Police Office, authorities in the Netherlands and Denmark, alongside IBM X-Force and Proofpoint. One thread led to another until distinct probes merged into a clearer picture of an extensive crime network. 

From the start, law enforcement leveraged the RICO Act - typically tied to mob-related prosecutions - to dismantle over 200 command hubs controlling malicious software networks. While not obvious at first glance, patterns uncovered by Microsoft’s Copilot system, driven by artificial intelligence, revealed connections across distinct malware groups. Because of these findings, officials began viewing the threats as branches of one coordinated operation rather than separate incidents. 

Microsoft reported that just in the first week of May, systems tied to Amadey and StealC reached over 140,000 machines globally. Though it appeared only in 2023, StealC functions like a rental-based attack tool - focused on grabbing login details from browsers, crypto wallets, messages, email accounts, even game profiles. 

Those using it adjust their attacks individually, while handling what they collect via online control panels built for ease. First seen in 2018, Amadey operates by delivering malicious software to compromised devices. Because of its design, cybercriminals often leverage it to introduce programs like StealC. One breach may lead - through this tool - to several layers of intrusion. 

Though initially subtle, the consequences multiply quickly once active. Modern cybercrime often works like a factory, experts note, where the link between these tools shows how tasks get split up. One crew might build something, another circulate it, while someone else runs it - yet everything fits. Because pieces snap together smoothly, attackers can stack actions into longer sequences even if they never talk. 

The setup thrives on separation, not teamwork. Targeting entire networks of malicious software could work better than going after single components, Microsoft suggests. Instead of isolated attacks on specific tools, focusing on how these systems connect might weaken criminal infrastructure more deeply. 

When security teams hit several points in an attacker's process simultaneously, it becomes harder, slower, and costlier to bounce back. Disrupting coordination between different parts slows down rebuilding attempts significantly. Each broken link adds friction, making revival less likely or much delayed.
Read more »
technology
AI AI research Alibaba Anthropic Claude technology

Anthropic Alleges Alibaba Conducted Massive AI Capability Extraction Campaign Against Claude

 


Anthropic has accused Chinese technology conglomerate Alibaba and its AI research division, Qwen, of carrying out a large-scale effort to extract capabilities from its Claude family of artificial intelligence models, describing the incident as the most extensive distillation operation the company has encountered.

The allegations were detailed in a June 10 letter sent to U.S. Senate Banking Committee Chair Tim Scott and Ranking Member Elizabeth Warren. In the correspondence, Anthropic claimed that operators linked to Alibaba and Qwen systematically interacted with Claude in an attempt to capture and reproduce some of the model's most advanced capabilities.

According to the company, the activity occurred between April 22 and June 5, 2026. During that period, Anthropic says it recorded more than 28.8 million exchanges associated with the operation. The requests were allegedly distributed across nearly 25,000 fraudulent accounts, enabling the actors to conduct high-volume interactions with the platform while obscuring the true source of the activity.

Anthropic stated that the campaign was not focused on general-purpose chatbot functions. Instead, it allegedly targeted capabilities considered among the most valuable within the Claude ecosystem, including software engineering tasks and advanced agentic reasoning. These functions form a critical component of the company's Mythos Preview model, one of Anthropic's most sophisticated AI systems designed to perform complex reasoning and autonomous task execution.

At the center of the allegations is a technique known as adversarial distillation. In machine learning, distillation generally refers to the process of training a model using outputs generated by another system. While the approach itself is commonly used within the AI industry, Anthropic argues that the method becomes problematic when it relies on unauthorized access to proprietary models.

According to the company, the actors behind the campaign repeatedly queried Claude and collected its responses at scale. Those outputs could then be used as training material for another AI system, allowing developers to reproduce aspects of Claude's behavior without investing the time, computational resources, and research expenditure typically required to build a frontier model from the ground up.

Anthropic warned lawmakers that such activity enables organizations to appropriate years of research and development through large-scale extraction campaigns. The company argued that these operations are designed to gather capabilities developed by leading U.S. AI laboratories and incorporate them into competing systems without bearing the costs associated with original model development.

Beyond intellectual property concerns, Anthropic also raised questions about safety. The company noted that models trained through adversarial distillation may replicate useful capabilities while failing to inherit the safeguards, alignment mechanisms, and risk controls embedded within the original system. As a result, the practice could create AI models that retain advanced functionality but operate with fewer protections against misuse.

The allegations against Alibaba follow earlier claims made by Anthropic regarding unauthorized access attempts linked to Chinese AI developers. In February 2026, the company disclosed that DeepSeek, the startup whose low-cost AI models attracted global attention in 2025, was among several organizations accused of attempting to improperly obtain Claude outputs. Anthropic now characterizes these incidents as part of a broader pattern of repeated efforts to extract capabilities from leading U.S. AI systems.

The dispute emerges amid growing government scrutiny of advanced AI technologies. Earlier this month, Anthropic revealed that it had received guidance from the Trump administration requiring the company to restrict access to its newest AI models, including Fable 5 and Mythos 5. Under the directive, access would be limited to U.S. persons, preventing non-U.S. citizens, including some employees, from interacting with the latest systems.

The issue is also beginning to influence policy discussions on Capitol Hill. Senators Bill Hagerty and Andy Kim are reportedly preparing legislation that would authorize sanctions or other penalties against Chinese organizations found to have improperly obtained outputs from U.S. AI models for the purpose of training competing systems. The proposal reflects growing concern among lawmakers that frontier AI capabilities have become both strategic economic assets and matters of national security.

Alibaba has not publicly responded to the allegations.

The dispute surfaces a new battleground in the global AI race. As companies invest billions of dollars to develop increasingly capable models, concerns are shifting beyond traditional cybersecurity threats toward the protection of model knowledge itself. For AI developers, the challenge is no longer limited to securing infrastructure and data. It increasingly involves preventing the large-scale extraction of capabilities that can be repurposed to accelerate the development of rival systems.

With governments, technology companies, and regulators paying closer attention to model security, the Anthropic-Alibaba dispute may become an early test case for how the industry addresses unauthorized AI capability harvesting and the growing geopolitical competition surrounding advanced artificial intelligence.

Read more »
Vulnerability Management
CISA KEV catalog Command Injection Network Security Remote Code Execution Ubiquiti UniFi OS Vulnerabilities and Exploits Vulnerability Management

Ubiquiti UniFi OS Flaw Under Active Exploitation CISA Alerts Users


 

A new focus on network infrastructure devices has been drawn after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged several security vulnerabilities in Ubiquiti's UniFi OS platform. Following evidence of active exploitation, the KEV catalog was updated to include these vulnerabilities. 

Among the identified vulnerabilities are access control bypass, path traversal, and command injection vulnerabilities, which researchers warn can provide attackers with direct access from unauthenticated access to a complete system compromise. With UniFi OS widely deployed across enterprise, government, and service provider environments to manage networking equipment, the vulnerabilities present a significant threat to administrative control planes and sensitive operational information. 

In the latest CISA alert, researchers have demonstrated that Internet-exposed management interfaces present an increased threat, as researchers have demonstrated how these flaws may be chained together to facilitate privileged remote code execution. In response, federal agencies and organizations are urging them to expedite remediation efforts before further exploitation activity occurs. 

Inclusions of the KEVs are based on three distinct vulnerabilities that affect UniFi OS, when combined, significantly increases the attack surface of exposed deployments. In this vulnerability, unauthenticated actors have the capability to alter system settings and administrative configurations without authorization as a result of an access control bypass weakness. 

The CVE-2026-4909 vulnerability exposes a path traversal condition that is capable of exposing underlying operating system files, potentially revealing credentials, configuration data, and other sensitive information that can be used to carry out further intrusions. As a result of an improper input validation attack, CVE-2026-34910 can be exploited to execute arbitrary operating system commands on targeted devices. 

All three vulnerabilities were addressed by Ubiquiti through security updates released in May, noting that exploiting the vulnerabilities does not require prior authorization or elevated privileges, making timely patch deployment critical for organizations using UniFi infrastructure. 

Following the analysis, Bishop Fox security researchers have demonstrated that these vulnerabilities are not isolated risks but can be chained together to permit remote code execution on affected systems using privileged privileges. Using their findings, attackers were able to gain complete control over vulnerable UniFi OS instances by gaining initial unauthorized access, demonstrating how severe this vulnerability is in real-world environments. 

Additionally, the researchers published a detection utility to assist defenders in identifying and remediating vulnerable deployments across enterprise networks on GitHub. In conjunction with the CISA alert, active exploitation concerns have also been raised regarding CVE-2025-67038, a critical root-level command injection vulnerability on Lantronix EDS5000 servers using firmware version 2.1.0.0R3 of Lantronix servers. 

Shell commands are invoked as part of the mechanism used to record failed authentication attempts within the device's HTTP RPC component, where the flaw occurs. During the process of handling user input, improper handling could lead to command injection, making it possible for attackers to execute arbitrary commands with root privileges on the affected system. 

By adding the UniFi OS flaws to CISA's Known Exploited Vulnerabilities catalog, the vulnerabilities fall under the remediation requirements of Binding Operational Directive 22-01. According to this directive, federal civilian agencies are required to remediate actively exploited vulnerabilities within prescribed timelines in order to reduce operational risk. 

A response has been provided by CISA, which has ordered that agencies rectify CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 by June 26, 2026, while also recommending that organizations in the private sector evaluate their environments against the KEV catalog and prioritize exposed systems that could be exploited in ongoing attacks. However, reports emerging from community forums and Reddit discussions suggest that threat actors may have weaponized the vulnerabilities before they were disclosed, even though Ubiquiti's security advisories did not explicitly refer to active exploitation. 

Researchers believe that rogue accounts were unexpectedly created by administrators using the username “John Sim,” a process researchers believe might have been linked to automated reconnaissance operations targeting unattended UniFi deployments that were accessible via the internet. 

The Bishop Fox team conducted a technical analysis of CVE-2026-34908 and CVE-2026-34909 and determined that they could be used as part of an authentication gateway bypass resulting from inconsistencies in the way NGINX interprets specially crafted requests. Through the submission of requests that appear to target authentication-exempt routes, but which normalize into protected internal endpoints, attackers may be able to access backend services normally required to log in. 

Research indicates that the bypass can be exploited to trigger CVE-2026-34910, a command injection flaw associated with improper validation of package names during update operations. The researchers validated the bypass against UniFi OS 5.0.6 test environments. 

Using shell metacharacters inserted in crafted package parameters and forcing execution through the affected code path, attackers may be able to execute operating system commands without authentication by enforcing shell metacharacters in the package parameters. This issue goes beyond individual devices. 

As outlined by the Centre for Cybersecurity Belgium, UniFi OS platforms provide visibility and control across switches, gateways, wireless networks, and connected assets, acting as central management systems for network infrastructure. By successfully compromising a system, attackers may be able to harvest credentials, manipulate network configurations, intercept traffic, or advance laterally into broader enterprise environments. 

The same urgency has also been applied to CVE-2025-67038, a critical unauthenticated command injection vulnerability affecting Lantronix EDS5000 devices with a CVSS score of 9.8. Unpatched, the flaw, which was disclosed as part of BRIDGE:BREAK research that uncovered 22 vulnerabilities across Lantronix and Silex products, allows remote command execution with root privileges, posing a comparable risk of complete device compromise. 

Among the steps CISA suggests to minimize exposure is following vendor-issued mitigation guidance, implementing an accelerated patch management procedure consistent with BOD 26-04 requirements, and maintaining sufficient logging to support forensic investigations when exploitation is suspected. 

The directive requires agencies operating cloud-hosted UniFi environments to comply with cloud-specific provisions, or to discontinue affected services if remediation cannot be completed within the specified timeframe. CISA's latest action reminds us that once vulnerabilities affecting network management platforms become publicly available, they can rapidly transform from technical flaws into high-impact security incidents. 

A critical safeguard for enterprise networks remains timely patching, exposure assessment, and continuous monitoring as threat actors continue to target infrastructure components. It is imperative for organizations relying on UniFi OS and other internet-facing management systems to take these findings seriously, ensuring that remediation efforts are paced at a rate that keeps pace with the speed at which attackers operationalize newly discovered vulnerabilities.
Read more »
Tata Group
Apple iPhone manufacturing Cyber Attacks Cyberattack Cybersecurity Incident Tata Electronics Tata Group

Tata Electronics Confirms Cybersecurity Incident, Says Business Operations Remain Unaffected

 

Tata Electronics has acknowledged that it recently experienced a cybersecurity incident affecting certain parts of its IT infrastructure. However, the company stated that the event did not disrupt its business activities or day-to-day operations.

Addressing the incident, a company spokesperson told BleepingComputer, "A few weeks ago, Tata Electronics identified a cybersecurity incident on some of our systems," adding, "Our response protocols were deployed immediately, and the incident has had no impact on our operations across businesses, which remain unaffected."

Tata Electronics, a subsidiary of the Tata Group, specializes in semiconductor production and electronic component manufacturing. Established in 2020, the company has rapidly expanded its footprint in India's technology manufacturing sector and is currently involved in the production and assembly of Apple iPhones and related components.

While the company has not identified the threat actor behind the attack, its statement follows claims made by the World Leaks cybercrime group, which allegedly published data stolen from Tata Electronics.

According to reports, the leaked material includes folders and documents that purportedly contain manufacturing-related information linked to Apple products. The exposed files are said to feature internal component schematics, printed circuit board (PCB) designs, material specifications, and software development kit (SDK) files.

BleepingComputer has reportedly reached out to Apple for clarification regarding the alleged exposure of proprietary information but has not yet received a response.

World Leaks is widely believed to be the successor to the Hunters International ransomware operation, which ceased activities in July 2025. Unlike its predecessor, which encrypted victims' systems, World Leaks focuses solely on data theft and extortion, threatening to release stolen information publicly unless demands are met.

The group has previously been linked to attacks on several major organizations. Among its notable victims are Dell, which confirmed a cybersecurity breach in July 2025, and Nike, which initiated an investigation after cybercriminals claimed to have stolen 1.4 terabytes of company data in January 2026.

Read more »
stolen information
Bitcoin Cloud Computing Cyber Fraud DOJ scams stolen information

US Authorities Seize Infrastructure Tied to Huione Fraud Network




The U.S. government has taken another step in its ongoing campaign against large-scale cyber fraud operations, announcing the seizure of online infrastructure allegedly used to support one of the world's most active criminal marketplaces while simultaneously expanding financial restrictions against the network behind it.

On Tuesday, the Department of Justice (DOJ) revealed that it had seized a cloud computing account connected to Cambodia-based Huione Group and its subsidiaries. According to federal investigators, the account hosted backend systems used to operate Huione Guarantee, also known as Haowang Guarantee, a platform that authorities say enabled a broad range of illicit activities spanning cybercrime, fraud, money laundering, and other criminal services.

The enforcement action coincided with a series of measures from the U.S. Department of the Treasury, which announced additional sanctions targeting Huione-linked entities and individuals associated with the Prince Group network. The latest moves build upon actions taken by U.S. authorities last year as part of a wider effort to disrupt transnational criminal organizations operating across Southeast Asia.

Federal officials described the seized infrastructure as a key component of a marketplace that allegedly served cybercriminals and fraud operators on a global scale. Rather than functioning as a conventional online marketplace, investigators say the platform acted as an ecosystem where illicit services, stolen information, and financial laundering tools could be accessed by criminal actors.

According to the DOJ, the cloud-based infrastructure provided technical support for operations conducted through Huione Guarantee. Authorities allege that the platform relied heavily on Telegram channels to facilitate communications and transactions involving illegal products and services.

Investigators claim those channels were used to advertise and trade stolen credit card information, sensitive personal data, and services linked to malware-enabled theft. The platform is also accused of facilitating money laundering activities and supporting schemes connected to human trafficking operations. In addition, authorities allege that proceeds generated through romance scams and fraudulent investment schemes were moved through the network.

The DOJ further alleges that Huione Guarantee offered escrow services designed for cryptocurrency transactions. Such services act as intermediaries between parties involved in a transaction, holding digital assets until agreed conditions are met. While escrow systems are commonly used in legitimate commerce, investigators contend that the service was leveraged by criminal actors seeking a trusted mechanism for conducting illicit transactions and laundering funds.

Officials believe the infrastructure played an important role in moving and concealing criminal proceeds. According to the Justice Department, billions of dollars in fraud-related funds were transferred through systems supported by the seized account. Authorities further stated that a massive portion of those proceeds originated from scam compounds operating throughout Southeast Asia, where organized criminal groups have increasingly adopted digital platforms and cryptocurrency networks to scale their operations.

The Treasury Department's actions were designed to expand existing restrictions against the Huione network. One measure formally added H-Pay Service as a successor entity under Treasury's existing rule targeting Huione Group. Treasury also imposed sanctions on nine individuals and 26 entities linked to Prince Group, broadening the scope of enforcement against organizations allegedly connected to the movement of illicit funds.

According to Treasury officials, Huione served as an important financial conduit for proceeds generated through cyber-enabled theft, virtual currency investment fraud, and other criminal schemes. Authorities further allege that the network was used by Prince Group to transfer, consolidate, and manage assets derived from fraudulent operations.

The latest actions follow a series of previous enforcement efforts directed at the same ecosystem. Last October, Treasury moved to further isolate Huione Group from the U.S. financial system, reflecting growing concerns over the company's alleged role in facilitating illicit financial activity.

Federal agencies have increasingly focused on scam networks operating across Southeast Asia as losses linked to online fraud continue to rise. Criminal organizations in the region have become known for running large-scale investment scams, romance fraud operations, and cryptocurrency-related schemes that target victims worldwide. Many of these operations rely on complex laundering networks and digital payment channels to obscure the origin and movement of stolen funds.

The investigation also intersects with earlier actions involving Prince Group chairman Chen Zhi. In October, the DOJ announced the seizure of bitcoin connected to investigations involving Chen and alleged cryptocurrency-related offenses, alongside accusations involving additional criminal schemes. Authorities have also reported that an individual identified as a significant participant in Chen's network was arrested in Cambodia before being extradited to China.

The coordinated actions by the DOJ and Treasury illustrate an emphasis on targeting the infrastructure that enables cyber-enabled fraud rather than focusing solely on individual perpetrators. By disrupting cloud services, financial channels, and marketplace operations that allegedly support criminal activity, U.S. authorities are seeking to make it more difficult for transnational fraud networks to move money, coordinate operations, and reach potential victims.

Read more »
VPN Credential Theft
credential harvesting Cyber Threats enterprise cybersecurity FortiBleed Campaign FortiGate Firewall Security FortigateSniffer Initial Access Broker Network Security Breach VPN Credential Theft

FortigateSniffer Malware Harvests User Credentials From Infected Firewalls


The perimeter firewall has been used as a primary line of defense against external intrusions for years, but the newly uncovered campaign illustrates how these same security appliances can be weaponized against the organizations they are intended to safeguard. 

Researchers have discovered a large-scale attack involving a custom Golang-based tool known as FortigateSniffer that has been deployed systematically on compromised FortiGate firewalls since February 2026. Over 430,000 internet-facing devices have been impacted by the campaign, which is linked to an initial access broker (IAB) believed to be operating as a financial motivation threat actor. 

Over 110 million credentials have been collected under covert measures by the attackers. As trusted network gateways were transformed into silent credential-harvesting platforms, the operation illustrates one of the most significant paradigm shifts in attacker tradecraft, where compromised security infrastructures themselves serve as sources of intelligence and access. 

The scale, persistence, and operational sophistication observed throughout the campaign-tracked as FortiBleed-have raised concerns across the cybersecurity community. Particularly after evidence of the exfiltration of sensitive data by a NATO-aligned defense contractor, as well as the potential use of stolen credentials for ransomware, espionage, and post-compromise activities, are emerging. 

It is evident from a further analysis of the operation that it extends well beyond credential theft from FortiGate appliances, and demonstrates a highly automated initial-access ecosystem that can be scaled across multiple technological platforms.

CyberStrike, an open-source, artificial intelligence-native offensive security framework, could have been utilized by the threat actors to streamline portions of the attack workflow, emphasizing how automation has become increasingly important in large-scale intrusion campaigns. As part of the activity, a substantial emphasis was placed on small and medium-sized businesses, especially companies with fewer than 200 employees, with the United States and India emerging as the most heavily targeted regions. 

The potential for IT service providers to serve as entry points into broader customer networks likely prompted particular attention for them. Moreover, researchers observed parallel brute-force attacks on NAS systems, firewalls from Sophos, portals for RDWeb, SSL VPN gateways for Citrix, and Microsoft SQL servers, which suggests that the campaign was designed to acquire access opportunities across diverse enterprise environments. 

On May 31 and June 15, 2026 alone, the operators executed at least 659 automated credential-harvesting pipelines, which resulted in the discovery of more than 110 million authentication items. A total of 14.8 million RADIUS credentials were recovered, along with approximately 924,000 NTLM password hashes, 130,000 Kerberos hashes, and approximately 89 million MySQL authentication tokens, indicating the scale of the operation and the significant downstream risks associated with the reuse and monetization of stolen enterprise credentials. 

FortigateSniffer is a purpose-built credential intercept utility that is suited for Linux and Windows environments and was designed to leverage legitimate FortiOS functionality rather than rely on conventional malware. It has been demonstrated that using FortiGate appliances' native packet diagnostic capabilities, researchers are able to passively monitor authentication traffic moving through compromised devices to collect credentials and authentication artifacts across a wide range of enterprise protocols via the tool. 

The captured traffic is then converted into a packet-capture format and processed by a specially designed analysis framework which extracts cleartext usernames, passwords, NTLMv2 hashes, Kerberos tickets, and session cookies in addition to other authentication data. A structured, multi-stage attack chain is employed in the attack chain, beginning with large-scale internet reconnaissance, which involves the use of scanning utilities and customized filtering tools for the detection and categorization of FortiGate systems by location. 

In order to obtain privileged access to administrative interfaces and SSL-VPN services, attackers use credential validation, password spraying, and credential stuffing techniques. Using persistent SSH access, FortigateSniffer harvests authentication data while recovering hashed passwords are transferred to a dedicated cracking platform using distributed processing and automated task orchestration. 

Once successful credentials are recovered, they can be weaponized for lateral movement, Active Directory reconnaissance, Kerberos verification, SMB authentication, and further network expansion, as well as obtaining sensitive information from file shares accessible to the attacker and maintaining authenticated sessions using stolen cookies. 

A number of significant operational security measures, such as geofencing controls and time-based execution windows aligned with standard Moscow business hours, were incorporated to reduce detection risk, which appear highly deliberate, with targets prioritized based on perceived economic value before operational resources are committed. 

Separate telemetry also revealed an automated validation pipeline that is deployed in recurring five-hour cycles with up to 1,000 simultaneous verification threads, leading to exceptionally high early-stage success rates. Researchers also observed identical usernames and passwords recurring across thousands of different IP addresses, a phenomenon that has raised concerns about the possibility of some credentials being strategically seeded for covert re-entry into compromised environments. 

Throughout the course of the investigation, researchers began to gain a deeper understanding of the extent of credential exploitation enabled by the campaign. Analysis showed that once FortiGate appliances were compromised, attackers deployed FortigateSniffer to covertly collect authentication traffic traversing the devices, allowing them to acquire both cleartext credentials and password hashes that were subsequently cracked, validated, and reused against Active Directory environments, VPN gateways, and other externally accessible enterprise services. 

As a result of reviewing intelligence data collected by Hunt Intelligence on June 12, 2026, cybersecurity researcher Volodymyr "Bob" Diachenko identified indicators of this activity, which immediately sparked widespread interest in the operation. Upon examination of the stolen dataset, it was found that credentials were associated with approximately 74,000 firewall URLs covering 194 countries and impacting over 21,000 unique domains. 

In response, data from the incident was shared with national computer emergency response teams to facilitate coordination and dedicated exposure-checking portals were launched to assist organizations in determining whether their Fortinet infrastructure had been compromised. According to researchers, by mid-June, the attackers' database had grown to contain more than 86,000 authenticated and active credentials related to corporate firewalls and VPN services worldwide.

The largest concentration of exposed organizations is found in India and the United States. These findings are of significance not only due to the high volume of compromised accounts, but also due to their validity; investigators noted that the credentials were systematically tested and verified through an automated validation infrastructure rather than speculative password guessing. 

The information gathered from underground marketplaces confirmed suspicions that the campaign is linked to an initial access brokering operation, as the same threat actor previously advertised network access on darknet forums for substantial sums to organizations across a variety of industries, including healthcare, technology, and telecommunications. 

Even though it is not yet confirmed that these sales are directly related to the FortiGate harvesting campaign, the overlap indicates that access being collected has potential commercial value.  In response, Fortinet has initiated outreach to potentially affected customers and advised organizations to immediately terminate active administrative and VPN sessions, rotate credentials, enforcing multifactor authentication, and reviewing logs and configuration changes in detail. It has also encouraged customers to upgrade FortiOS to the latest versions of FortiOS, which are replacing legacy SHA256-based password storage with Password-Based Key Derivation Function 2 (PBKDF2). 

Security teams, however, are cautioned that firmware upgrades alone cannot eliminate this risk, as legacy SHA256 password entries must be manually removed from the system. After modernization efforts have been completed, attackers may still be able to recover administrative passwords through offline cracking techniques if credentials or configuration files were previously exposed, preserving an opportunity for unauthorized access even after modernization efforts have been completed. 

An increasingly common practice in cyber operations is to harvest access information from security infrastructure and gather credential information in large quantities. The FortiBleed campaign highlights this reality. In addition to the immediate impact on affected organizations, the operation illustrates the capability of combining automated tools, credential validation pipelines, and access brokerage activities in a highly efficient ecosystem to prevent downstream intrusions. 

It is important to remind defenders that perimeter devices require the same level of continuous monitoring, credential hygiene, and security review as any other critical asset for a defender. When organizations rely on internet-facing authentication services, this campaign is an excellent opportunity to reevaluate access control measures, identify security weaknesses, and investigate unauthorized activity proactively before harvested credentials are used to compromise a broader organization.
Read more »
Ransomware
Crypto Laundering Cyber Crime Bitcoin Fraud Europol Ransomware

Europol Dismantles AudiA6 Crypto Laundering Network Used by Ransomware Gangs

 

Europol has disrupted a major cryptocurrency laundering operation known as AudiA6, which investigators say acted as a financial backbone for ransomware gangs and other cybercriminal networks. According to the agency, the service laundered more than EUR 336 million between 2022 and 2025 by helping criminals hide stolen digital assets and break the money trail. The takedown is significant because it targets not just attackers, but the payment infrastructure that allows cybercrime to stay profitable. 

The operation was carried out by law enforcement partners including the United States Secret Service, IRS Criminal Investigation, Polish Police, Europol, Eurojust, and other international agencies. During the coordinated action on 10 June, authorities arrested two alleged administrators in Georgia, searched three properties, seized more than 30 servers, and took down 25 domains connected to the laundering network. Investigators also froze EUR 692,000 in cryptocurrency and seized more than EUR 86,000, while Telegram accounts used by the group were blocked. 

Europol describes AudiA6 as an industrial-scale laundering service built around thousands of fraudulent exchange accounts created with stolen or purchased identities. The platform allegedly offered criminals fast “cleaning” of stolen crypto, returning funds in about an hour after charging commissions of 3% to 10%. The network was also linked to the dark web forum Dark2Web, which prosecutors say was used to advertise illegal services and connect cybercriminals worldwide. 

One of the most important findings in the investigation was the scale of identity abuse behind the scheme. Europol says more than 6,000 Know Your Customer records tied to money-mule accounts were identified, showing how criminals exploited exchange verification systems to move funds across borders. Many of those accounts were reportedly linked to Russian-speaking intermediaries recruited specifically to move proceeds through cryptocurrency exchanges. Europol also linked the service to more than 15 investigations worldwide involving ransomware attacks and major crypto thefts. 

The AudiA6 case highlights how professionalized crypto laundering has become a core part of the cybercrime economy. Europol warns that criminal groups increasingly rely on mixing services, chain-hopping, and mule networks to move money quickly and avoid detection. By striking this service, law enforcement has not ended ransomware, but it has made it harder for criminals to turn stolen data and extortion into usable cash.
Read more »
Job Security
AI automation threats AI Jobs AI technology AI Threat AI workplace automation Cyber Security job displacement Job Security

Opendoor Shuts India Operations as AI Reshapes Offshore Work Economics

 

Surprisingly quiet since its launch, Opendoor's Indian venture now halts - barely twenty-four months after setting up hubs in Bengaluru and Chennai. Though framed as a digital frontier play, the retreat fuels debate: could smarter machines quietly reshape rules once favorable to offshoring? While cost gaps drove past expansions, algorithmic progress may erode those advantages faster than expected. Some argue efficiency gains from automation make remote labor pools less compelling over time. 

Notably, this shift does not unfold through sudden rupture - but by gradual recalibration behind corporate doors. Outlining the move, CEO Kaz Nejajtian explained efforts to align operations more closely with customers across the United States - using compact teams powered by artificial intelligence. While details remain limited on staff numbers or exactly how AI influenced choices, reactions followed fast from tech executives and investors alike. 

Seen by some as hinting at wider shifts, the news sparked discussion despite minimal data being shared. Nowhere else on Earth does such scale of operational support unfold quite like it does across India. Starting as a hub for routine administrative work, its role gradually shifted toward something far broader. 

Today, sprawling networks of Global Capability Centers operate within its cities, serving international firms through tech solutions, financial oversight, product innovation, while also shaping career paths for countless professionals. Revenue streams run deep each year, woven into the fabric of worldwide service delivery. Far from just an outsourcing destination, the nation holds a central position in how modern enterprises function abroad. 

Early in 2024, Opendoor moved into India by forming groups focused on handling daily operations through various platforms. Around then, close to 250 workers were on payroll at its local offices there. Despite that early growth, pulling out of India aligns with wider job cuts happening throughout the business. Records show a sharp drop in staff worldwide during the last twelve months, along with a steep decline in employees outside the home market. 

Even with broad internal reductions, experts warn it might be misleading to see the shutdown just as a move tied to shifting work overseas. Facing strain from downturns in American real estate - hit hard those who buy houses digitally - Opendoor needed ways to spend less. Still, its push toward artificial intelligence for smoother operations has sparked questions about what comes next for jobs handled abroad. 

One reason some investors saw it was because artificial intelligence might lower the need for jobs requiring heavy human effort. As machines take on repetitive tasks, companies could downsize - not due to location but ability. The shift suggests staffing needs may shrink when automation steps in. What stands out now isn’t a shift of roles from India to the U.S., yet a broader drop in workforce needs across operations. 

Because intelligent systems blend deeper into daily workflows, firms often rely on tighter groups supported by tools instead of people. Efficiency reshapes staffing - software handles tasks once managed by many. Structures shrink not due to location changes, but because technology reduces demand. Outcomes stay steady while headcount falls, driven by smart integration behind the scenes. 

Some researchers view this new framework as movement into "services-as-software," where firms lean on AI-driven processes rather than growing teams indefinitely. In practice, results follow more from blending tools with niche skills than cutting costs through workforce choices. Though Opendoor shut down operations in India, drawing attention amid talks on AI and jobs, experts stress it's not a straightforward story. 

Long before smart algorithms gained ground, job cuts were already underway at the firm. Market forces beyond technology played a role too. Still, the move sparked sharper conversation - what part might automation play in moving service tasks overseas? Could entire sectors shift as machines learn faster?
Read more »
WhatsApp
Cyberattack malware ManageEngine Endpoint Central remote access malware VBScript attack WhatsApp

WhatsApp Malware Campaign Targets Global Users Through Fake Financial Documents and Remote Access Tools

 

A widespread malware campaign is targeting WhatsApp users across several countries by sending deceptive messages containing malicious VBScript files that can ultimately grant attackers remote access to victims' systems.

According to cybersecurity researchers at Kaspersky, the threat actors behind the campaign are disguising the malicious files as legitimate business and financial documents. These files are distributed through WhatsApp accounts that have already been compromised, making the messages appear trustworthy to recipients.

Once a victim downloads and executes the attachment, a multi-stage infection process begins. The attack eventually installs ManageEngine Endpoint Central, a legitimate system management tool commonly used by IT administrators to oversee devices from a centralized platform.

Kaspersky’s telemetry data indicates that the campaign has impacted users in Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia.

The attack starts with WhatsApp messages sent from compromised accounts. These messages typically contain only a heavily obfuscated VBScript file designed to evade detection.

To increase the likelihood of users opening the attachment, the files are named to resemble invoices, financial reports, billing records, account notifications, and other business-related documents. Researchers also observed that the filenames are adapted to different languages, highlighting the global nature of the operation.

“Based on evidence collected from multiple victims through social media reports and submitted samples, we can conclude that the threat actor had gained access to several WhatsApp accounts and used them to distribute the malicious VBScript files to contacts on the compromised users’ contact lists,” Kaspersky explains.

“At the time of writing, the exact method used to compromise these WhatsApp accounts remains unknown.”

If a Windows user opens the malicious file, the VBScript downloads two additional scripts from attacker-controlled servers. These scripts modify the Windows Registry to disable User Account Control (UAC) protections and retrieve a ZIP archive containing ManageEngine Endpoint Central.

The software is then installed silently in the background and configured to connect with servers controlled by the attackers. This setup provides cybercriminals with remote administration capabilities over the compromised machine.

Researchers noted a difference in execution behavior depending on the WhatsApp platform being used. When the file is received through WhatsApp Web, it must first be downloaded before execution. However, in the WhatsApp Desktop application, the file can be launched directly through Windows Script Host (wscript.exe).

Although Kaspersky has not attributed the campaign to a specific threat actor, investigators identified indicators suggesting the use of the Chinese language and found overlaps between the campaign’s infrastructure and IP addresses previously linked to ValleyRAT and Gh0st RAT operations.

Despite these findings, researchers emphasized that the available evidence is not sufficient to confidently identify the group responsible for the attacks.

Security experts advise WhatsApp users to exercise caution when receiving files, even from known contacts, as compromised accounts can be used to spread malware.

Users should verify unexpected attachments through an alternative communication channel before opening them. Additionally, all downloaded files should be scanned with an updated antivirus solution to help detect and block potential threats before execution.

Read more »
malware
Crypto heist Cyber Scam Malicious Campaign malware

Crypto Heist Uses Fake Reputation Campaign to Spread Malware

 

Cybercriminals are increasingly borrowing the language and tactics of public relations, and a new campaign shows how effective that can be. According to researchers, attackers promoted malicious crypto-related tools by creating a polished online presence across GitHub, YouTube, VirusTotal, and other channels. The goal was not only to spread malware, but also to build an illusion of trust that would lower suspicion among users and researchers.

At the center of the operation was a Rust-based clipboard hijacker, a type of malware that watches for cryptocurrency wallet addresses copied into a victim’s clipboard. When it detects one, it swaps the address with one controlled by the attackers, causing funds to be sent to the wrong destination. This simple trick can be highly profitable because it targets users at the exact moment they think they are making a legitimate transfer. 

What makes the campaign notable is its layered distribution strategy. Researchers found dedicated phishing pages, fake GitHub and SourceForge projects, and even a YouTube channel designed to make the software look popular and credible. The channel reportedly used AI-generated narrators, suspicious view spikes, and enthusiastic comments that were likely coordinated to reinforce the appearance of real demand. Instead of relying on one channel, the attackers created a network of signals that seemed to validate one another. 

The operation also extended into reputation manipulation on security platforms. By using large numbers of fake accounts, sometimes described as “Ghost Networks,” the attackers attempted to influence systems such as VirusTotal and make their tools appear harmless or merely falsely flagged. That tactic matters because many users and even defenders glance at reputation data before deciding whether a file is safe. If the data is polluted, the warning signs become harder to trust. 

This campaign shows how malware distribution is evolving beyond obvious spam and sketchy downloads. Attackers now understand that credibility itself can be weaponized, especially when users rely on social proof, star ratings, comments, and public scans to judge safety. The result is a more convincing, more scalable deception that blends technical abuse with marketing-style manipulation. 

For users, the lesson is to treat polished packaging as a warning sign rather than reassurance. Check the source of any crypto tool carefully, verify wallet addresses before sending money, and avoid downloading software because it looks popular or well reviewed. For defenders, the case is a reminder that reputation systems can be gamed, so detection must look beyond surface-level trust signals.
Read more »
technology
Anthropic Artificial Intelligence Frontier AI open ai technology

Five Eyes Agencies Say AI-Powered Cyber Threats Are Closer Than Expected

 




Intelligence and cybersecurity agencies from five allied nations have issued a warning that advanced artificial intelligence systems capable of performing meticulously executed cybersecurity tasks may become widely accessible much sooner than many organizations expect.

In a joint statement, representatives from the Five Eyes intelligence alliance, comprising the United States, Canada, the United Kingdom, Australia, and New Zealand, cautioned that frontier AI models are progressing at a pace that could reshape how cyber operations are conducted on both sides of the security landscape. According to the agencies, capabilities that are currently associated with a small number of highly advanced AI systems may reach broader availability within months rather than years.

The warning instills a sense of concern among governments, security practitioners, and AI researchers who have spent the past year examining how rapidly improving language models can influence vulnerability discovery, exploit development, system reconnaissance, and defensive security operations.

Officials stated that frontier AI systems are expected to outperform current industry assumptions regarding cybersecurity-related tasks. As these systems continue to improve, they may alter how organizations identify weaknesses, respond to incidents, and defend critical infrastructure. At the same time, the same technological advances could provide malicious actors with new opportunities to automate portions of cyberattacks that previously required substantial technical expertise.

Notably, the agencies emphasized that their concern is not based solely on future developments. Many of the building blocks needed for AI-assisted cyber operations already exist today.

Security-focused AI models can currently be accessed through a variety of channels, including older commercial systems, open-source releases, and models developed outside Western technology companies. While some frontier AI developers have restricted access to their most capable systems, cybersecurity experts have repeatedly noted that advanced capabilities often spread beyond their original environments as newer generations of models are released.

The agencies argued that one of the most immediate concerns is not the creation of entirely new attack techniques, but the ability of AI systems to exploit weaknesses that organizations have failed to address for years.

Among the issues highlighted were aging technology environments, delayed software patching, unnecessary exposure of internal systems to the public internet, weak identity verification practices, inadequate access controls, and insufficient preparation for responding to security incidents. These weaknesses have contributed to countless breaches over the past decade, and officials believe increasingly capable AI systems could allow attackers to identify and exploit such gaps more efficiently and at greater scale.

The statement suggests that organizations should reassess assumptions about how much time they have to prepare. Traditional planning cycles often operate on the expectation that technological shifts unfold gradually. However, intelligence officials warned that AI-related cyber risks may evolve quickly enough to render existing security assumptions obsolete within a matter of months.

"The rapid pace of frontier AI development means cyber risk assumptions can become outdated in months, not years," the agencies wrote, urging organizations to prepare for changing threat conditions before they become operational realities.

The warning also comes amid growing debate surrounding the release and control of advanced AI systems. The statement references frontier models such as Anthropic's Fable 5 and the cybersecurity-focused Mythos model family, which have attracted attention because of their reported performance on security-related tasks.

While companies have attempted to limit access to some of their most advanced systems, researchers have repeatedly observed that the gap between proprietary frontier models and publicly available alternatives continues to narrow. Historically, open-source models have often trailed leading commercial systems by only several months. As a result, capabilities that are initially restricted to a limited group of users can eventually become available through other channels.

This pattern has intensified concerns among policymakers who worry that highly capable cyber-oriented AI tools may become accessible to a broader range of actors, including criminal groups and nation-state operators seeking to automate parts of their operations.

Government officials and AI developers have already begun exploring ways to use these technologies defensively before they become commonplace in offensive campaigns. Programs such as Anthropic's Project Glasswing and OpenAI's Trusted Access for Cyber Program are designed to provide vetted organizations with access to advanced AI systems for security testing, vulnerability identification, and defensive research.

The objective is straightforward: allow defenders to discover and remediate weaknesses before increasingly capable AI systems can routinely identify and exploit them.

Recent research has reinforced the view that AI is becoming increasingly effective at cybersecurity tasks. Studies conducted in controlled environments have shown that advanced models can assist with vulnerability analysis, code review, system enumeration, and portions of attack-chain development. Although these systems still require human oversight and are far from replacing experienced security professionals, their capabilities continue to improve with each generation.

Despite the attention surrounding frontier AI, the recommendations issued by the Five Eyes agencies are remarkably familiar. Rather than advocating entirely new security frameworks, officials argue that organizations should focus on practices that have long formed the foundation of effective cybersecurity programs.

These include maintaining timely patch management processes, reducing unnecessary internet-facing exposure, strengthening identity and access management controls, developing incident response plans, and treating cybersecurity as a strategic business responsibility rather than a compliance exercise delegated solely to technical teams.

For business leaders, the warning serves as a reminder that advances in artificial intelligence are unlikely to eliminate longstanding cybersecurity challenges. Instead, they may increase the speed at which those challenges can be exploited.

As frontier AI design systems continue to upgrade, organizations that maintain strong operational discipline, address known weaknesses promptly, and integrate cybersecurity considerations into decision-making processes will be better positioned to withstand a rapidly changing threat environment. Those that fail to do so may find that vulnerabilities once considered manageable can be identified, analyzed, and exploited far faster than before.

Read more »
Subscribe to: Posts (Atom)