Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Phishing Campaign Targets Marketing Professionals Using Fake Job Interviews from Top Global Brands

 

A sophisticated phishing campaign is targeting marketing professionals by posing as recruiters from more than 30 globally recognized brands, including Adobe, Netflix, Coca-Cola, OpenAI, Adidas, and Marriott. The attackers aim to steal Google account credentials by luring victims into fake job interview processes.

According to cybersecurity intelligence and threat hunting company Team Cymru, the operation exploits legitimate cloud-based platforms such as PeopleForce, a human resources service, and domains linked to Salesforce Marketing Cloud before redirecting users to malicious websites. To make the scam appear authentic, the threat actors are also using the names and profile pictures of actual recruiters from the companies they impersonate.

Will Thomas, senior advisor at Team Cymru, investigated the campaign and found that the phishing emails present themselves as recruitment messages. As he noted, the emails appear to be from “a recruiter looking to hire people for marketing roles.”

The investigation revealed that attackers have registered at least 34 domains designed to mimic prominent organizations across multiple industries. These include airlines and travel companies such as American Airlines, Booking.com, Delta Air Lines, and United Airlines; food and beverage giants Coca-Cola, PepsiCo, and Red Bull; fashion and luxury brands Adidas, Louis Vuitton, Sephora, and Levi’s; consulting and technology firms including Adobe, Aquent, ManpowerGroup, McKinsey & Company, and OpenAI; hospitality and marketing companies Marriott and Omnicom Group; as well as entertainment and sports brands like FIFA and Netflix.

Researchers found that the attackers rely on a technique known as nested redirects, where users are routed through several legitimate online services before ultimately reaching a fraudulent webpage. Although the phishing emails appear to originate from PeopleForce, the embedded links resolve to the exct[.]net domain, which is operated by Salesforce following its acquisition of ExactTarget, now known as Salesforce Marketing Cloud.

From there, victims are redirected through Wise Agent, a cloud-based customer relationship management (CRM) platform for real estate professionals, before arriving at the phishing website.

BleepingComputer reported that the campaign has been active for at least five months. Earlier versions reportedly used Outlook email addresses carrying the names of the companies being impersonated.

In one example, a phishing email claiming to be from Adidas recruiter Paulina Manzo invited recipients to schedule a discussion regarding a potential job opportunity. Clicking the scheduling link redirected users to the fraudulent domain adidas-hiring[.]com.

To proceed with booking the interview, victims are instructed to sign in with their Google accounts. Selecting the “Continue with Google” option launches what appears to be a genuine Google authentication window. However, the pop-up is actually created using HTML and CSS within the phishing page itself, a deception technique known as browser-in-the-browser (BitB).

By leveraging modern web development methods, attackers can closely replicate legitimate authentication prompts, making it difficult for users to distinguish fake login windows from real ones.

Researchers emphasized that the misuse of legitimate platforms does not necessarily indicate those services have been compromised. Instead, threat actors may have created valid accounts specifically for the campaign or used compromised credentials to configure redirect chains and phishing pages.

A complete list of the malicious domains associated with the campaign has been published in Will Thomas' GitHub analysis.

Mount Royal University says hackers stole and deleted files following June cyberattack





Mount Royal University (MRU) has confirmed that threat actors stole data and deleted files after breaching the university's network in a cyberattack that continues to affect recovery efforts weeks after the incident.

In an update published on its website, the Calgary-based public university said the attack occurred on June 17 and that internal technical teams are working alongside external cybersecurity specialists to investigate the intrusion, determine its full scope, and restore affected systems.

The cyberattack disrupted a wide range of university services, including internet connectivity, online platforms, and several internal systems used across campus. Recovery efforts remain ongoing, with the university warning that restoring all affected services may take several weeks or, in some cases, months.

According to the university's investigation, attackers gained unauthorized access to data stored on the institution's "H drive," a file storage system used by students and employees. Investigators have confirmed that files stored within certain folders were accessed and exfiltrated before the attackers deleted the original copies, a move that has further complicated recovery operations.

"We regret to inform our community that our investigation has now shown that data within certain folders on the University's 'H drive' was accessed and taken by an unauthorized actor," the university said in its advisory.

MRU said the affected folders contained information relating to current and former students, current and former employees, as well as other individuals whose data was stored within the impacted environment. The university has not yet disclosed the exact categories of information exposed or the total number of people affected.

The investigation also found that attackers deleted data stored on a separate departmental file storage system known as the "J drive." While the university said there is currently no evidence that information from the J drive was accessed or copied before it was erased, officials cautioned that recovering the deleted data remains an ongoing process and acknowledged that a complete restoration may not be possible.

The university has reported the incident to the Alberta Information and Privacy Commissioner and notified law enforcement authorities. Officials added that determining the precise impact for each affected individual will take time because the deletion of files has made forensic analysis more complex. Individuals whose information is confirmed to have been affected will receive direct notifications as the investigation progresses.

Responsibility for the attack has been claimed by the cybercrime group CMD Organization, which has published samples of what it alleges is stolen university data, including passport scans and other sensitive documents.

The group is demanding a ransom of 30 Bitcoin, valued at approximately $1.9 million at current exchange rates, and has reportedly given the university six days to respond before releasing additional data. CMD Organization also appears to operate an auction-based extortion model, advertising exclusive access to stolen datasets for the highest bidder through both clear web and dark web leak sites. At the time of writing, the group lists approximately 30 organizations on its extortion portal.

Founded more than a century ago, Mount Royal University currently serves about 11,560 students, including roughly 12,500 undergraduate learners.

As recovery work continues, the university said it will provide additional updates as more information becomes available. MRU is also offering two years of credit monitoring and identity theft protection to current employees and individuals who have worked at the university within the past five years.

AI Agent Executes End-to-End Ransomware Attack Without Human Intervention, Researchers Say

 

Cybersecurity researchers have uncovered what they believe is the first ransomware attack conducted by an autonomous artificial intelligence agent which they named JADEPUFFER. It is notable because the AI performed all stages of the attack, from targeting and compromising the system to installing and using ransomware, without requiring any human input. 

The researchers noted that JADEPUFFER targeted a vulnerability in the open-source application Langflow which was used to design and build various AI applications and tools. The vulnerability was already patched but many internet-facing instances of the application remained unpatching, giving the AI agent an entry point. Many such instances host API keys, cloud service credentials, and database tokens, making them an attractive target for bad actors.

After compromising the target, the AI agent began scanning the system for any valuable information, including cloud service credentials, wallet addresses, API keys, and database passwords. It also located a storage server which had default administrator credentials. Researchers noted that JADEPUFFER used this server as a foothold to pivot to other systems on the network. 

The AI agent managed to establish persistence on the compromised system by implanting a backdoor which sent out requests to a remote command and control server. It then lateraled to the production database server and used the administrative privileges to exploit another vulnerability in the system configuration service. 

It then created its own administration account in the server using a default signing key and altered other configurations in the system. JADEPUFFER proceeded to encrypt over 1300 configuration entries, deleting them before encrypting more data and displaying a ransom note demanding payment in Bitcoins. However, the researchers noted that the ransomware used a randomly generated encryption key which was only viewable once. 

In addition, the ransomware did not store or transmit the decryption key in any way, meaning that the victims would be unable to recover their data even if they paid the ransom. In addition to encrypting data, JADEPUFFER also deleted several databases after claiming that it had backed up the data elsewhere. However, researchers at Sysdig found no evidence that the data had been successfully backed up or transferred. This indicated that the attackers might have been trying to extort more money from the victims, potentially by threatening to delete all data or hinder recovery efforts. 

The researchers concluded that the ransomware attack was performed by an artificial intelligence due to the nature of certain observed behaviors. They noted that most of the ransomware’s behaviors were documented in natural language within the malware’s code, a practice common in many large language models. Additionally, the AI was able to resolve some of its own errors, such as failed authentication attempts, without requiring human intervention. The researchers estimated that over 600 discrete actions had been taken by the AI during the attack. 

The researchers added that while many of the techniques used by JADEPUFFER had been seen in other ransomware attacks, the fact that an autonomous AI agent had been able to use them in succession to launch a major ransomware attack was notable. They believe that such an attack has significant implications for the future of ransomware attacks, as it reduces the level of expertise needed to launch such an attack and allows attacks to occur at a much faster rate than would otherwise be possible. 

The researchers recommended that organizations reduce the risk of falling victim to similar attacks by ensuring that all software is updated to the latest versions, keeping administration systems offline when possible, protecting cloud service credentials, and monitoring systems for signs of unauthorized automated activity. Sysdig noted that JADEPUFFER was a warning about the potential threat posed by agentic AI ransomware in the future as the technology becomes more advanced.

Fake Paysafe and Skrill SDKs on npm and PyPI Steal Developer Credentials

 

A coordinated supply-chain attack has compromised developers by distributing 17 malicious packages on npm and PyPI that impersonate legitimate SDKs for Paysafe, Skrill, and Neteller payment services. These packages were designed to silently exfiltrate sensitive credentials, including API keys, AWS tokens, GitHub secrets, and npm tokens, to a command-and-control server hosted on Amazon Web Services. 

The threat actor published these fake SDKs with names closely resembling official payment integration libraries, such as paysafe-checkout, skrill-payments, and paysafe-api. While the packages expose expected APIs and return fake success responses to avoid detection, their real purpose is credential theft. The embedded malware scans the compromised environment for secrets and exfiltrates them to the attacker's server. 

Security researchers at Socket identified 13 malicious npm packages and four PyPI packages in this campaign. The npm packages were released in four versions (1.0.0 to 1.0.3), while the PyPI packages had only one malicious version (1.0.0). The full list includes well-known names like paysafe-js, paysafe-fraud, skrill-sdk, neteller, and paysafe-kyc. Developers who installed any of these packages risked having their secrets stolen, especially if they were working on payment integration projects for these services. The data theft module in the npm packages attempts exfiltration only if a Paysafe API key is present and activates when the fake SDK is called. The PyPI packages automatically activate the data theft routine upon initialization and do not require a Paysafe API key to be present at all. 

The malware incorporates basic anti-analysis features to avoid detection in sandboxed or virtualized environments. For instance, it halts execution if it detects fewer than two CPU cores or if the hostname or username suggests a virtual machine. To detect potential compromise, organizations should search their dependency trees for the listed package names and scan CI/CD logs for PAYSAFE_API_KEY in combination with these packages. Denying requests for these packages at the registry proxy level is also recommended to prevent accidental installation. If any of the listed packages were installed, developers are recommended to immediately rotate all secrets on any machine that imported or executed this package. 

The researchers also advise searching dependency trees for the package names used in the campaign and deny any requests for them at the registry proxy level. It is also recommended to look in the logs of Continuous Integration (CI) systems for PAYSAFE_API_KEY in combination with any of the listed package names. Additionally, teams should audit their project dependencies and CI/CD pipelines to ensure no traces of these malicious packages remain. Staying vigilant and verifying package sources before installation remains crucial to avoiding similar supply-chain attacks in the future. This incident highlights the growing sophistication of attackers targeting open-source repositories and the critical need for robust software supply-chain security practices. 

Developers must remain cautious when integrating third-party libraries into their projects, especially those related to financial services and payment processing. The use of automated dependency scanning tools and regular security audits can help identify and mitigate risks associated with malicious packages. Furthermore, organizations should implement strict access controls and monitoring for their CI/CD environments to detect and respond to potential credential theft attempts quickly. By adopting a proactive security posture and staying informed about emerging threats, the developer community can better protect itself against evolving supply-chain attacks.

Rogue Agent Bug Could Have Let Attackers Hack AI Conversations


A critical vulnerability in Google’s Dialogflow could have let a hacker exploit other Code-Block-enabled agents via one Code Block-power agent, in one Google Cloud project.

After this, the attacker could read chats, steal user data, and command bots to send hacker-written texts such as re-entering a password.

Discovery of the bug

Cyber security firm Varonis discovered the tactic and called it ‘Rogue Agent.’ The bug impacted only businesses that make agents with custom Code Blocks and Dialogflow’s Playbooks, which allows hackers to add their own Python. The attack was not remote, or unauthorized.

For the attack to happen, it required the dialogflow.playbooks.update green light one such agent, which restricts the hacker to an infected insider or a breached developer account, not some stranger on the web. From that point, the reach extended to every agent inside the project.

Google has patched the bug, and Varonis and Google have said there are no signs that the flaw was deployed in a real attack or campaign.

Single writable file prompted each agent Code Blocks

Dialogflow’s Code Blocks allows developers to add custom Python to a chatbot’s flow to test input, invoke defined tools, and control behavior. 

The code runs within a Google-operated Cloud Run environment, and every agent that uses Code Blocks in the similar Google Cloud project shares one incident of it. The customer cannot control or see the environment that Google runs, meanwhile Varonis discovered no real separation between the agents within it.

Attack tactic

When the agent runs a Code Block, the code is added to internal setup code and sent to Python’s exec()function. The functions and variables that block can touch are defined by the setup. 

Functions consist(), which makes the bot reply with a given string, whereas variables consist of a history of full chats and state for session information such as the session ID.

Varonis discovered code_execution_env.py, the file that does this wrapping, lying in the shared environment with write access. 

As the file was writable, a single Code Block could change it. The block downloads an altered code_execution_env.py from a threat actor-controlled server and overwrites the original within the running container.

After that, the attacker’s variant commands every Code Block deployment throughout every agent that shares the environment. The attacker’s code sits in the same place as the real code, with similar access to respond(), state, and history, 

Accenture Confirms Cyber Breach as Hacker Lists Alleged Company Data


 

Accenture, a global IT services firm, has confirmed experiencing a cybersecurity breach as a threat actor claimed to have stolen company data and was offering it for sale on a cybercrime forum. The breach claim was made in relation to the dataset which was offered for sale on July 6 on a cybercrime forum for the cryptocurrency Monero (XMR).

According to the listing, the stolen documents originated from Accenture's internal environment, and were described as an "Accenture Data Breach." A threat actor claiming to be "888" reported that in July 2026, more than 35 gigabytes of data were exfiltrated from Accenture's systems. This confirmation follows the allegations by the threat actor. It is possible that the exposed source code and cloud credentials could pose broader security risks if they are authentic, giving unauthorized access to development environments, cloud infrastructures, or software repositories. 

However, no public evidence is available to indicate whether the alleged credentials remain valid or have been misused. An Azure DevOps repository associated with an Accenture domain has been claimed to be accessed by the threat actor, according to a screenshot that the threat actor has published to support this claim. However, the extent and authenticity of the alleged data have not been independently verified. 

Accenture confirmed the security incident, but did not verify the threat actor's claims regarding the reported 35 gigabytes of stolen data or the alleged content of the dataset. Additionally, the company has not disclosed how the attackers gained access, whether any customer information was compromised, or whether any of the credentials exposed remain active.

In addition, Accenture declined to disclose how the attackers gained access to the company or whether customer information had been compromised. This incident follows prior claims of cybersecurity breaches involving Accenture. The same threat actor claimed in 2024 that employee data had been compromised as a result of a third-party breach. 

Accenture later dispute the scale of these claims, stating its review revealed that only limited employee information had been discovered and no evidence of compromises to its own systems or customer environments. It was also targeted by the LockBit ransomware group in 2021. Earlier, in 2021, the company announced a breach following a LockBit ransomware attack. 

Cybercriminals are increasingly using underground marketplaces to monetize stolen corporate data, which highlights the continued risks organizations face from credential theft and source code exposure. Additional information regarding the extent of the breach and potential consequences for customers remains unknown as investigations continue.

Investigations are ongoing, but it remains unclear what the full scope of the incident is. Accenture has confirmed that a security breach occurred but has stated that operations remain unaffected. However, questions remain regarding the authenticity of the alleged dataset, the means by which the data was compromised, and any potential impacts on customers.

Microsoft 365 Users Targeted in New Device Code Phishing Campaign

 



Cybersecurity researchers have revealed a phishing campaign that is exploiting Microsoft's legitimate device authentication process to seize control of Microsoft 365 accounts, reflecting a broader shift in how cybercriminals are conducting identity-focused attacks. Rather than stealing passwords through counterfeit login pages, the operation manipulates victims into completing a genuine Microsoft authentication process, allowing attackers to obtain valid authentication tokens that grant direct access to compromised accounts.

The campaign, tracked by email security firm ZeroBEC, was observed between the final week of June and early July 2026. Investigators found that the attackers relied on collaboration-themed phishing lures that directed recipients to Microsoft's authentic device login experience instead of fraudulent credential harvesting websites. Behind the scenes, a backend broker generated Microsoft device authentication codes and continuously polled the authentication process until victims completed the sign-in sequence, enabling the attackers to capture valid authentication tokens without ever collecting passwords.

Researchers noted that the activity closely resembles techniques previously documented by Microsoft in its investigation of the threat cluster known as Storm-2372. That campaign, first disclosed in February 2025, used fake Microsoft Teams invitations and messaging-themed social engineering to persuade victims to enter attacker-generated device codes. Once authentication was completed, the attackers received valid access tokens that allowed them to take over Microsoft 365 accounts. Microsoft said Storm-2372 had targeted organizations across government, defense, healthcare, telecommunications, higher education, information technology, energy, and non-governmental sectors spanning Europe, North America, Africa, and the Middle East. The company also stated that the attacks abused legitimate authentication functionality rather than exploiting vulnerabilities in Microsoft products.

Although the latest campaign mirrors many of Storm-2372's tactics, ZeroBEC believes the operation is powered by a reusable phishing framework called DEBULL rather than the original threat actor itself. The researchers concluded that techniques once associated with advanced threat groups are now being packaged into reusable infrastructure that enables multiple operators to launch similar attacks with far less effort. This evolution reflects the continuing commercialization of identity-focused phishing operations, where sophisticated attack methods are increasingly offered through phishing-as-a-service platforms instead of being developed independently by individual threat actors.

At the center of the campaign is device code phishing, an attack technique that abuses the OAuth 2.0 Device Authorization Grant, a legitimate authentication mechanism designed for devices that cannot easily support traditional browser-based sign-ins. The workflow is commonly used by devices such as smart televisions, printers, conference room equipment, and other systems with limited input capabilities. Instead of entering credentials directly on those devices, users receive a short verification code that must be entered on another device through Microsoft's official authentication portal to complete the login process.

Threat actors exploit the separation between the device requesting authentication and the browser used to authorize it. Rather than creating counterfeit Microsoft login pages, attackers initiate their own device authentication session, obtain a legitimate verification code from Microsoft, and deliver that code to victims through convincing phishing emails. When recipients unknowingly enter the supplied code into Microsoft's authentic login page and complete the sign-in process, they authorize the attackers' session instead of their own, handing over valid authentication tokens that can be used to access Microsoft 365 resources. Because the victim is interacting with a genuine Microsoft service, traditional indicators of phishing, such as suspicious URLs or fake login portals, are largely absent.

Security researchers have increasingly warned that device code phishing represents a natural evolution of identity attacks. As organizations strengthened defenses against conventional credential phishing and adversary-in-the-middle attacks, threat actors shifted toward abusing trusted authentication workflows that require no password theft and can effectively circumvent multi-factor authentication protections by obtaining legitimate session tokens directly from users. Proofpoint recently reported a sharp increase in device code phishing activity during 2026, attributing the growth to publicly available criminal toolkits and the rapid expansion of phishing-as-a-service platforms that have made these techniques accessible to a wider range of cybercriminals.

ED Charge Sheet Maps Sriki's Darknet Crypto Laundering Network

 

The Enforcement Directorate (ED) has filed a sprawling 3,500-page prosecution complaint before a special PMLA court in Bengaluru, laying out what it calls a “sophisticated network” blending high-level hacking, darknet operations, cyber extortion and multi-crore cryptocurrency laundering. The charge sheet names serial hacker Srikrishna Ramesh, alias “Sriki”, crypto trader Robin Khandelwal, businessman Sunish Hegde, a private IT firm and two of its officials as accused in a case that spans breached government portals, crypto exchanges and online gaming platforms. 

From government portals to poker sites: the alleged breach chain 

According to the ED, Sriki, described as a highly skilled software programmer, exploited vulnerabilities in national and international cryptocurrency exchanges, online gaming and poker platforms, and corporate servers. He is accused of breaching the Karnataka government’s e-procurement portal and siphoning off about ₹11.5 crore in two transactions, besides hacking the Unocoin exchange and several major online poker platforms. The agency alleges that stolen virtual digital assets such as Bitcoin were then “layered” and offloaded through multiple international crypto platforms to obscure their origin.

The prosecution complaint details how Robin Khandelwal allegedly acted as a key conduit, converting illicit digital assets into fiat currency through over-the-counter deals and crypto-trading channels. Investigators claim Sunish Hegde conspired with Sriki to extort money from hacked companies by negotiating with them after the breaches, while Infinzy Solutions and two officials are accused of facilitating the transfer of funds stolen from a poker site. The three main accused were arrested in May and are in judicial custody at Parappana Agrahara Central Prison, with the ED citing digital evidence, blockchain analysis and bank records to support its case. 

 Darknet links and ongoing money trail probes 

The 3,500-page document reportedly sketches connections between Sriki’s hacking operations and darknet marketplaces, building on earlier investigations that noted his use of the darknet to purchase drugs using Bitcoin. About ₹7 crore of the ₹11.5 crore siphoned from the e-procurement portal has been traced, with around ₹2 crore formally attached and another ₹5 crore frozen in various bank accounts; the remaining ₹4.5 crore is still being tracked. The ED says its probe into the movement and use of the alleged proceeds of crime is continuing, even as the prosecution complaint functions as the equivalent of a police charge sheet under PMLA. 


For regulators, the Sriki case underscores how advanced technical skills, weak spots in government and corporate platforms, and an evolving crypto ecosystem can intersect to create large-scale financial crime. The dossier highlights the need for stronger blockchain forensics capacity, tighter oversight of informal crypto-OCT channels, and better coordination between cybercrime units, the ED and financial intelligence agencies. As India’s digital economy expands, securing e-governance portals, exchanges and gaming platforms is becoming not just an IT issue, but a core element of financial integrity and national cybersecurity strategy.

Romania’s Hospital Cyberattack Highlights Growing Ransomware Threats to Healthcare Systems

 

A large-scale ransomware attack that took place in the healthcare system of Romania in February 2024 makes for textbook material on how to respond to such incidents, as well as the challenges they present. The ransomware attack scenario started when criminals got hold of a hospital management system called Hippocrates and, using it as a vector, distributed BackMyData ransomware to encrypt data. 

One of the software’s main functions is processing and storing information on laboratory results, pharmacy claims, payroll, admission and discharge of patients, doctors, and other medical staff. After being locked, the hospitals had to pay nearly 160 thousand euros to decrypt the data, which is in Bitcoin. When some hospitals reported the ransomware attack, the National Computer Security Center (DNSC) took an extraordinary measure to order over a hundred facilities to disconnect from the internet to prevent the virus from spreading to other institutions. 

Consequently, the hospitals’ systems became unable to provide access to email, the Internet, and interconnected medical devices. To manage patients and keep the critical functions running, doctors and nurses used paper-based solutions to write down and manually input lab results, physician orders, and treatment plans. In parallel, hospital staff worked on taking down the ransomware and securing the system. 

Authorities eventually found out that the ransomware infection was confirmed in 26 hospitals, where the ransomware attack response team with the help of the system supplier isolated the contaminated systems from the network. After decrypting files and securing the system, the technicians returned the hospitals to the network and ensured there were no other problems. 

Throughout the ransomware incident, authorities provided the public with updates on the ransomware situation, telling the people to avoid visiting the facilities if possible and advising the hospitals not to give in to the attackers’ demands. Nevertheless, the response to the challenge was far from perfect, as Romania continues to face challenges with cybercrime. The patients complained about the inconvenience of standing in queues and having their tests processed manually, but the government did not go through with paying off the ransom. 

At the same time, it is worth noting that having up-to-date data backups allowed the hospitals to quickly restore their vital functions without having to wait for decrypting tools from hackers. Five days after the ransomware attack, most of the affected facilities had already returned to normal operations. At the same time, there were no reports of patient deaths or damage to health caused by the ransomware attack. Still, doctors and nurses had to manually enter a lot of the patient’s personal data, which took them several more weeks to finish, while some of the relevant information was lost altogether. 

So far, the ones behind the ransomware attack have not been revealed. Still, it has been reported that some of the suspects’ resources in Russia have been shut down by the police, while others are currently detained abroad. It is not yet known whether they will be brought to justice in Romania. The ransomware attack on the healthcare system of Romania serves as a reminder of how fragile our systems are and the importance of protecting them. 

In many ways, hospitals are a critical infrastructure component, meaning that potential attackers will always attempt to take advantage of them by holding vital functions hostage until they get a hefty ransom. Even though the ransomware response team handled the situation in Romania efficiently, the ransomware incidents in the UK and the US show that problems of that sort are far from being exclusive to Romania.

Business Threat Management: Moving from Isolated to Unified Approach


Shifting away from isolated, technical data, to a continuous risk lifecycle can assist organizations in balancing security controls with actual business impact.

A CVSS score of 9.5 may not be significant to a CFO, but when it demonstrates a flaw in a payment system processing $2 million, it becomes a big deal. Therefore, the data must be linked with information about operational barriers that can result in financial damages, product delays, or loop in regulatory agencies.

A robust risk lifecycle

Periodic risk lifecycle cannot keep up with the changing threat scenario, which if further impacted by an unstable geopolitical environment and rising technology like AI and quantum computing. Thus, information risk assessment must be a continuous process that links threats, supervising controls, and the possible repercussions for the business if the controls fail.

Different risks carry different impacts, stakeholder needs, and available data. This means that analysis also changes. You need two analysis tracks for this: qualitative analysis for quick decisions with limited data, and quantitative analysis for investment decisions when they need financial backing. 

The IRAM3 methodology unifies both tracks into a single framework that uses the same process and is built to be modular, so businesses can gain entry at any desirable phase they think fits their demands.

Moving towards business-aligned risk management

A linked risk lifecycle changes how businesses perceive organization threats. It also helps to keep activities such as interpreting threats, evaluating controls, and measuring exposure connected instead of treating each analysis as an isolated process.

Building business impact

Linked assets must be grouped by the business function they assist. This lets the teams conduct risk analysis that connect how the organization actually works and also helps in defining the risk appetite.

Assessing threat incidents

In this step, you identify the risks to your business, map related threats to critical assets, and predict how likely they will materialize. According to Security Week, “From a quantitative standpoint, a three-point frequency estimate—minimum, most likely, and maximum—is assigned instead of a rating. The number of loss events you would anticipate in a year is represented by this estimate.”

Testing control success

A business might have a MFA coverage, but if privileged accounts are not included as allowing MFA disrupted a legacy integration, the gap is a direct pathway into critical systems. Thus, these controls should be carefully mapped to particular threats, checked for implementation, and analyzed if they actually reduce risk. 

Phishing Campaign Targets Marketing Professionals Using Fake Job Interviews from Top Global Brands

 

A sophisticated phishing campaign is targeting marketing professionals by posing as recruiters from more than 30 globally recognized brands, including Adobe, Netflix, Coca-Cola, OpenAI, Adidas, and Marriott. The attackers aim to steal Google account credentials by luring victims into fake job interview processes.

According to cybersecurity intelligence and threat hunting company Team Cymru, the operation exploits legitimate cloud-based platforms such as PeopleForce, a human resources service, and domains linked to Salesforce Marketing Cloud before redirecting users to malicious websites. To make the scam appear authentic, the threat actors are also using the names and profile pictures of actual recruiters from the companies they impersonate.

Will Thomas, senior advisor at Team Cymru, investigated the campaign and found that the phishing emails present themselves as recruitment messages. As he noted, the emails appear to be from “a recruiter looking to hire people for marketing roles.”

The investigation revealed that attackers have registered at least 34 domains designed to mimic prominent organizations across multiple industries. These include airlines and travel companies such as American Airlines, Booking.com, Delta Air Lines, and United Airlines; food and beverage giants Coca-Cola, PepsiCo, and Red Bull; fashion and luxury brands Adidas, Louis Vuitton, Sephora, and Levi’s; consulting and technology firms including Adobe, Aquent, ManpowerGroup, McKinsey & Company, and OpenAI; hospitality and marketing companies Marriott and Omnicom Group; as well as entertainment and sports brands like FIFA and Netflix.

Researchers found that the attackers rely on a technique known as nested redirects, where users are routed through several legitimate online services before ultimately reaching a fraudulent webpage. Although the phishing emails appear to originate from PeopleForce, the embedded links resolve to the exct[.]net domain, which is operated by Salesforce following its acquisition of ExactTarget, now known as Salesforce Marketing Cloud.

From there, victims are redirected through Wise Agent, a cloud-based customer relationship management (CRM) platform for real estate professionals, before arriving at the phishing website.

BleepingComputer reported that the campaign has been active for at least five months. Earlier versions reportedly used Outlook email addresses carrying the names of the companies being impersonated.

In one example, a phishing email claiming to be from Adidas recruiter Paulina Manzo invited recipients to schedule a discussion regarding a potential job opportunity. Clicking the scheduling link redirected users to the fraudulent domain adidas-hiring[.]com.

To proceed with booking the interview, victims are instructed to sign in with their Google accounts. Selecting the “Continue with Google” option launches what appears to be a genuine Google authentication window. However, the pop-up is actually created using HTML and CSS within the phishing page itself, a deception technique known as browser-in-the-browser (BitB).

By leveraging modern web development methods, attackers can closely replicate legitimate authentication prompts, making it difficult for users to distinguish fake login windows from real ones.

Researchers emphasized that the misuse of legitimate platforms does not necessarily indicate those services have been compromised. Instead, threat actors may have created valid accounts specifically for the campaign or used compromised credentials to configure redirect chains and phishing pages.

A complete list of the malicious domains associated with the campaign has been published in Will Thomas' GitHub analysis.

Centre Orders Blocking of Battery Management Apps Exploited to Disable E-Rickshaws


After the Central Government discovered that seven battery management system (BMS) mobile applications were being misused to remotely disable batteries in electric vehicles and e-rickshaws, the Central Government has ordered the blocking of those applications. In multiple locations across India, this disruption disrupted services and enabled extortion. 


MeitY Secretary S. has directed Google and Apple to remove seven identified applications from their respective app stores on Android and iOS by the Ministry of Electronics and Information Technology (MeitY). In order to ensure applications that may threaten public safety or facilitate unlawful activities are not made available to users, Krishnan said app marketplaces must exercise due diligence. 

In response to reports that battery management apps primarily developed by Chinese companies for monitoring lithium-ion battery packs were being exploited by e-rickshaw drivers to shut down the vehicles while passengers were aboard. Authorities stated that while the applications are designed for proper battery management, they can be misused if battery systems are not properly protected by passwords or PINs. 

In the government's view, removing these apps from digital platforms will not eliminate the vulnerability completely, since Bluetooth connectivity is required in place of internet access to exploit this vulnerability. Thus, even after apps are blocked, unsecured battery management systems remain vulnerable to unauthorized access. Video clips circulated on social media showing e-rickshaws suddenly stopping on public roads attracted nationwide attention to this issue. 

The existing certification standards for e-rickshaws in India do not include cybersecurity requirements, which can result in potential misuse of connected battery systems. This vulnerability has already led to criminal activity. Police in Ujjain, Madhya Pradesh, arrested a suspect who has been accused of remotely disabling batteries from e-rickshaws and demanding compensation from their drivers. 

Local authorities claim the accused abused the flaw by deliberately immobilizing vehicles and charging drivers for assistance. A criminal offence involving intentionally disabling vehicles is considered to be an offence and can be prosecuted under applicable provisions of the Bharatiya Nyaya Sanhita (BNS) relating to criminal mischief. 

Concerns have been raised regarding the cybersecurity risk associated with connected electric vehicles and battery management systems following the incident. In order to prevent such misuse and safeguard public transportation operations, observers say stronger security controls are needed to prevent similar misuse, including authentication mechanisms and cybersecurity standards for electric vehicle components. 

A government intervention highlights the challenges facing connected electric mobility in terms of cybersecurity. Since software increasingly controls the functions of critical vehicle systems, stronger security standards, authenticated access controls, and continuous oversight will be critical in protecting drivers, passengers, and public infrastructure.

Researchers Expose Veil#Drop: A Stealthy Malware Chain Delivering PureLog Stealer via Blogspot

 

 
Threat researchers at Securonix have identified an advanced, multi-layered malware delivery operation that leans on hacked websites and social-engineering tactics to plant information-stealing malware on victims' systems.

Tracked under the name Veil#Drop, the campaign chains together JavaScript launchers and PowerShell download routines to fetch and run malicious code hosted on Blogspot — a platform sitting on Google's reputable infrastructure, which helps the activity blend in with legitimate traffic.

The attack kicks off when a target opens a JavaScript file disguised to look like an ordinary document. Once triggered, the script fires off PowerShell commands built to slip past execution-policy restrictions, then reaches out to attacker-run Blogspot pages to pull down further payloads.

Those Blogspot-hosted stages carry out several actions at once: they show a decoy document to keep the victim unaware, shut down certain running processes, and decrypt hidden content. The unpacked code then spins up more Blogspot links and runs the next payloads straight from memory, leaving little behind on disk.

According to Securonix, a follow-on loader stores XOR-scrambled .NET assemblies inside oversized embedded data blocks. These are rebuilt and unscrambled only while the malware is running, a technique that frustrates static inspection and weakens signature-based defenses.

The operation is also engineered with redundancy in mind, relying on backup execution paths and misusing legitimate, Microsoft-signed Windows binaries (living-off-the-land binaries, or LOLBINs) to run code while sidestepping security tools. Securonix notes that the mix of compromised sites, files masquerading with multiple extensions, trusted cloud hosting, obfuscated payloads, reflective in-memory .NET loading, and LOLBIN abuse reflects a calculated push to dodge conventional antivirus products, minimize forensic traces, and stay hidden throughout the intrusion.

The endgame is infection with PureLog Stealer, a .NET-based data thief. Once installed, it profiles the compromised machine and begins scraping data from a wide range of browsers, including Google Chrome, Microsoft Edge, Firefox, Brave, Opera, and other Chromium-based options.

Its targets include saved credentials, cookies, autofill entries, session tokens, and browsing history, and it actively hunts for cryptocurrency wallet data on the device. Beyond browsers, PureLog Stealer can pull information from messaging apps, email clients, remote-access utilities, FTP tools, cloud-storage software, developer applications, and password managers. Everything it collects is bundled up and transmitted to attacker-controlled servers in encrypted form.

Because the stealer casts such a wide net, Securonix warns that compromising a single endpoint could open the door to a much larger breach, depending on the secrets — credentials, tokens, and keys — stored on that machine. In corporate settings, the firm points out, info-stealers often serve as the opening move in bigger campaigns, with harvested logins later fueling ransomware deployment, data-theft operations, business email compromise, or drawn-out espionage.

India Considers Separate AI Regulatory Framework as Government Signals Policy Shift

 

The Indian government is considering a law to govern artificial intelligence (AI) systems, signaling a shift from its previous approach of relying solely on existing information technology laws. Senior officials from the Ministry of Electronics and Information Technology (MeitY) stated that the current developments in this space are so significant that they require legislation. 

Speaking at an industry event this week, MeitY Secretary S. Krishnan said that consultations on laws governing AI had already begun. Both Krishnan and Union IT minister Ashwini Vaishnaw had previously stated that the government would consider separately legislating for AI at an appropriate time, and he added that the moment appeared to be now. 

Existing laws were largely sufficient to address deepfakes or AI-manipulated media, as well as misinformation, fraud, and other issues, he argued, but this was no longer the case as AI became more sophisticated and started to be integrated into critical industries. The new framework would provide guidance on the development of these systems while also protecting citizens, businesses, and critical infrastructure. 

While the government did not set a deadline for legislation, Krishnan noted that MeitY could begin drafting proposals for approval, with the framework then being debated and approved by Parliament. India is not alone in this endeavor as policymakers globally are considering steps to govern AI. A growing number of countries have been looking at laws and policies that seek to address potential risks to privacy, national security, intellectual property, and more while also encouraging innovation. 

The move also marks a notable shift in approach for India, which has largely promoted a lax regulatory environment for technology and adopted a voluntary approach to AI governance, with laws and policies focusing on promoting innovation and adopting existing frameworks for oversight. 

A separate law could add another layer of oversight while also supporting India’s broader ambitions in this space, including IndiaAI Mission, as it looks to promote and bolster its AI ecosystem alongside its digital transformation initiatives. 

Industry stakeholders will also be able to contribute to the process as the government considers its proposals. The law would promote responsible innovation and address risks posed by increasingly ubiquitous and sophisticated AI systems, officials added.

WhatsApp Appoints CRED Founder Kunal Shah as New Global Head

 

In a landmark move for the global tech industry, WhatsApp announced in June 2026 that its long-serving head Will Cathcart will step down, with Indian fintech founder Kunal Shah appointed as his successor. This transition marks the first time an Indian entrepreneur will lead one of the world's largest messaging platforms, which boasts over three billion monthly active users. The announcement coincides with Meta's substantial $900 million investment in Shah's credit-card rewards platform, CRED, valuing the fintech company at $4.5 billion. 

Will Cathcart has led WhatsApp since 2019, overseeing a period of rapid expansion and navigating complex challenges around encryption, misinformation, and regulatory scrutiny across multiple continents. During his seven-year tenure, the platform evolved from a simple messaging app into a comprehensive communication ecosystem with business tools, payments integration, and enhanced privacy features. 

Cathcart will not depart Meta entirely; instead, he transitions to a newly created division focused on developing next-generation consumer products using artificial intelligence technologies. Meta CEO Mark Zuckerberg expressed enthusiasm about continuing close collaboration with Cathcart in this innovative capacity, signaling the company's strategic pivot toward AI-driven product development. 

Kunal Shah, 42, is no stranger to building successful technology ventures, having previously co-founded FreeCharge—an online recharge platform acquired by Snapdeal in 2015—before launching CRED in 2018. CRED quickly became one of India's most prominent fintech platforms, offering a members-only credit-card payment and rewards service that recently achieved its first profitable quarter in 2026. 

As part of this leadership transition, Shah will relocate from Bengaluru to Meta's headquarters in Menlo Park, California, stepping away from day-to-day operations at CRED while remaining a shareholder. Miten Sampat, who has led strategy and finance at CRED since 2020, assumes the role of interim CEO. 

The $900 million investment secures Meta a 20 percent minority stake in CRED, reflecting the tech giant's confidence in Shah's vision and India's digital payments ecosystem. Shah emphasized on social media that Meta's investment does not grant access to CRED member data, maintaining the platform's privacy commitments. 

This deal positions Meta deeper into India's fintech landscape while leveraging Shah's expertise in building trusted, user-centric platforms—a critical asset as WhatsApp continues expanding its payment and business services globally. The timing underscores Meta's broader strategy of integrating financial services within its social and communication products, with Shah's appointment expected to accelerate WhatsApp's monetization efforts in emerging markets.

BeyondTrust Patches Four Vulnerabilities in Remote Support and PRA

 




BeyondTrust has released security updates to remediate four vulnerabilities affecting its Remote Support (RS) and Privileged Remote Access (PRA) solutions, including two Critical authentication bypass flaws that could allow attackers to gain unauthorized access to vulnerable appliances under specific deployment configurations. The products are commonly used by organizations to deliver remote technical support and manage privileged access to enterprise systems, making them attractive targets because they often provide administrative access to critical IT environments.

The most severe issues originate within the products' authentication mechanisms, which verify user identities before granting access. Because the vulnerabilities can be triggered before the authentication process is completed, successful exploitation may allow attackers to bypass an important security control without first supplying valid credentials.

One of the Critical vulnerabilities, tracked as CVE-2026-40138, carries a CVSS score of 9.2 and affects both BeyondTrust Remote Support and Privileged Remote Access. According to the advisory, the flaw stems from improper validation of authentication data within the authentication subsystem. Under specific authentication configurations, a network-positioned attacker could bypass access controls and obtain unauthorized access to the appliance, including accounts with elevated privileges.

BeyondTrust also addressed CVE-2026-40139, another Critical vulnerability assigned a CVSS score of 9.2 that impacts Remote Support. The issue results from improper processing of authentication requests and could enable an unauthenticated remote attacker to circumvent authentication controls and gain unauthorized access to affected appliances, including privileged accounts. Similar to CVE-2026-40138, exploitation depends on a particular authentication configuration being enabled, meaning the exposure varies according to how affected environments are deployed.

In addition to the authentication bypass flaws, the company disclosed CVE-2026-40140, a High-severity vulnerability with a CVSS score of 8.7 affecting the network communication subsystem. The issue arises from insufficient validation of client-supplied input and could allow an unauthenticated remote attacker to trigger a denial-of-service (DoS) condition, disrupting the availability of vulnerable appliances rather than providing direct access to them.

The fourth vulnerability, CVE-2026-40141, received a CVSS score of 8.5 and affects web application components within both Remote Support and Privileged Remote Access. Caused by inadequate validation of user-supplied input, the flaw could enable an authenticated user with limited privileges to access resources or information beyond their intended authorization. BeyondTrust noted that exploitation of this vulnerability is limited to accounts that already possess specific permissions.

The company said the vulnerabilities were identified during ongoing internal security assessments with assistance from publicly available artificial intelligence models, including Anthropic Claude Opus 4.8, alongside BeyondTrust's proprietary security research tooling. The use of AI-supported analysis reflects a growing trend of incorporating large language models into vulnerability research to assist security teams in identifying potential weaknesses alongside conventional testing techniques.

According to BeyondTrust, the most severe vulnerabilities could allow authentication bypass and unauthorized access when affected systems are configured in specific ways. The remaining flaws could result in service disruption, unintended access to data, or expanded privileges for authenticated users under defined conditions, potentially affecting the confidentiality, availability, and integrity of vulnerable systems.

The vulnerabilities have been resolved in Remote Support version 25.3.3 and later and Privileged Remote Access version 25.3.3 and later. Organizations running version 25.3.2 or earlier of either product are advised to upgrade to the latest available release to mitigate the disclosed risks.

BeyondTrust stated that it has not observed evidence of the newly disclosed vulnerabilities being exploited in the wild. Nevertheless, the company noted that its Remote Support and Privileged Remote Access products have previously been targeted by threat actors. Earlier vulnerabilities, including CVE-2024-12356 and CVE-2026-1731, were exploited to deploy web shells and backdoors on compromised appliances, demonstrating the continued interest of attackers in enterprise remote access infrastructure. Given that history and the privileged role these products play within enterprise environments, organizations are encouraged to apply the available security updates promptly to reduce their exposure to potential attacks.

Flipper Zero Firmware Continues With New Community Rules


Flipper Devices said it will continue the development of the Flipper Zero firmware, with more reliance on community contributions and a smaller internal team.

New devices 

The announcement came after Flipper decided on building new devices such as Flipper One open Linux platform, where the organization shifted to the community’s help to finish development.

Besides this, Flipper also launched a Buy Bar device for people with Attention Deficit Hyperactivity Disorder (ADHD) to reduce interruptions, which will be open for sale on July 14 in the US, U.K, Canada, and Europe.

Limited production 

Flipper Devices said that the genuine firmware for the Flipper Zero portable pen-testing device will still continue, but full-time feature production ends now.

The first major stable release- Flipper Zero Firmware 1.0, was announced in September last year, after three years of development. The latest stable launch is variant 1.4.3, out since December last year.

By then, the company felt that the firmware was matured, with APIs and a stable SDK and all features implemented safely.

Backlash from community

Recently, the team hinted that firmware development was shut down, resulting in strong backlash from people. “We've seen the strong reaction from the community over the idea that we've stopped developing the Flipper Zero firmware,” Flipper said in a blog post. "We want to address this and let you know that we've heard all your feedback and have decided to rethink our approach to maintaining the project and engaging with the community," Flipper added.

Flipper's response

To address the concerns, Flipper has made a new technique for the project that depends on closer communication with supporters to keep firmware development in process.

The project will continue with a few resources and in a new way to communicate with the community, such as:

  • Interactions will only happen via GitHub Discussions, where new requests may be voted too.
  • Flipper Zero requests will be seen weekly.
  • Community pull requests will be considered with strict review guidelines.
  • Firmware modifications to require compulsory integration and regression analysis, and will be open to the community. 

“We're moving all requests from the Flipper Zero community to GitHub Discussions. Now you can 🤚 vote for feature requests that really matter, so we can see what the community actually wants and prioritize them,” Flipper said.

Five Eyes Warn AI-Powered Cyberattacks Could Outpace Defenses Within Months


 

A Five Eyes intelligence alliance has issued an urgent warning, warning that advanced artificial intelligence could soon allow cyberattacks capable of overwhelming government and enterprise defenses. They urge companies to strengthen their cybersecurity before these threats become reality. 

The alliance, comprising the United States, the United Kingdom, Canada, Australia, and New Zealand, announced on Monday that frontier artificial intelligence models are expected to transform offensive and defensive cyber operations in the coming months, rather than years, according to the alliance. According to the agencies, rapidly advancing artificial intelligence capabilities are lowering the barriers to cybercrime by facilitating faster, more sophisticated attacks. 

Several recent U.S. restrictions on foreign access to Anthropic's most advanced AI systems were prompted by concerns about their cybersecurity capabilities. This warning comes amid growing concern over the security implications of next-generation AI models. It was requested by intelligence partners that governments and businesses strengthen their cyber resilience immediately. 

There are several recommended measures, including patching known software vulnerabilities, modernizing legacy infrastructure, enforcing stricter access controls, and investing in proactive security monitoring. In addition to acknowledging the trend of threat actors adopting artificial intelligence to accelerate cyber operations, the alliance also stressed that this technology can significantly strengthen defenses.

Security tools powered by artificial intelligence can be used to identify vulnerabilities earlier, detect suspicious activity in real-time, improve software quality, and respond to incidents more quickly. According to cybersecurity experts, the warning is of particular significance to small and medium-sized companies, which may lack the resources and mature security programs found in large corporations. 

AI-driven attacks are likely to present the greatest risk to organizations with outdated systems and weak security controls as they become more accessible. Furthermore, the statement highlights the growing debate on AI governance. The debate between governments and industry continues, however experts contend that regulatory efforts have not kept pace with the rapid development of frontier AI models. 

echnology leaders and security researchers have recently called for a more transparent and scientifically based approach to artificial intelligence risk assessment while ensuring defensive security capabilities continue to advance. A Five Eyes warning emphasizes that artificial intelligence is rapidly transforming the cyber threat landscape. 

Organizations that are proactive in strengthening their security posture and integrating artificial intelligence into their defense systems will have greater success defending themselves against the next generation of cyber threats. The Five Eyes warning reflects a growing consensus that artificial intelligence is transforming cyber threat landscapes at a historic pace. 

Organizations with a strong resilience strategy, modernized security infrastructure, and responsible adoption of AI-driven defenses will be better prepared to deal with the next generation of cyber threats as offensive capabilities evolve.

Proxy Servers Power More Than Cybersecurity, Emerging as a Backbone for AI and Digital Businesses

 

Proxy servers are commonly linked with cybersecurity and online privacy, with much of the public conversation focusing on their association with cybercrime. However, beyond these concerns, proxy servers have become an essential part of modern business operations, research activities and emerging technologies, particularly artificial intelligence (AI).

According to Proxyway's annual market report, which has tracked the commercial proxy server industry since 2019, proxy servers play a much larger role in the digital economy than many people realise.

Proxy servers are computers that allow users to access the internet through a different internet connection. By routing traffic through another device, users can obtain a different IP address, making it appear as though they are browsing from another location or internet service provider.

Although they share similarities with virtual private networks (VPNs), proxy servers differ in one important way. Businesses often operate multiple proxy servers simultaneously instead of relying on a single connection, enabling them to collect publicly available web data on a much larger scale, subject to the policies of individual websites.

Beyond cybersecurity, proxy servers have become a key part of legitimate commercial operations. A well-established industry now provides proxy services to businesses across the globe while working towards responsible self-regulation. Several leading providers generate significant annual revenues by offering enterprises tools for large-scale web access and data collection.

Proxyway surveyed 13 major proxy service providers and found that e-commerce remains the biggest area of demand. Businesses use proxy servers to monitor competitors' product listings and pricing, build price comparison platforms, analyse customer reviews to understand market sentiment and support other commercial intelligence activities.

Proxy servers are also used to detect counterfeit products across online marketplaces and verify that digital advertisements appear in the intended locations.

In the travel industry, proxy technology enables online travel agencies and hotel booking platforms to compare prices and secure competitive deals. Digital marketers rely on proxies to track search engine rankings across different locations, while cybersecurity professionals use them to identify malicious applications online. Researchers and academic institutions also depend on proxy networks to gather extensive datasets, including studies examining media representation of women in workplaces.

Supporting AI development

Proxy servers are increasingly becoming an important component of the AI ecosystem.

They help facilitate access to the vast volumes of web data needed to train and update large language models. As AI systems continue to evolve through regular retraining, proxy infrastructure supports ongoing data collection efforts.

The report also highlights the growing role of proxy servers in agentic AI, where autonomous AI systems perform tasks on behalf of users.

For several proxy providers, AI-focused clients now represent a substantial share of their customer base. One major industry participant has reported strong year-on-year growth driven partly by rising demand from AI companies, with annualised recurring revenue increasing significantly and further expansion expected, according to the report.

Industry experts stress that proxy servers themselves are neutral technologies whose impact depends on how they are used. Their applications range from cybersecurity investigations and academic research to commercial operations and AI development.

Many established providers have adopted measures to ensure responsible usage. Residential proxy networks are built by obtaining users' consent and offering compensation to participants who contribute their internet connections.

Providers also conduct customer verification, with some requiring identity documents and video-based authentication. Many restrict access to high-risk websites, including government and financial institutions, while continuously monitoring their networks for misuse.

Several companies have also come together under the Ethical Web Data Collection Initiative, a consortium that aims to promote responsible data collection practices, strengthen public confidence and encourage sustainable industry standards.

While debates continue around AI training practices and the use of publicly available web data, proxy servers remain an important part of the internet's infrastructure, quietly supporting many digital services that people use every day.

Sovereign File Architecture Gains Importance as Enterprises Rethink Cloud Data Control

 

Cloud computing changed enterprise IT by enabling organizations to achieve significant storage scalability and cost savings. Companies quickly embraced the idea of storing data in the cloud because of its flexibility and accessibility. However, because information remains on physical servers, companies are discovering that data is stored in a specific location subject to local legislation. 

This led to the concept of sovereign file architecture, one of the strategies by which organizations seek to store information considering jurisdiction as a critical factor. The data storage strategy is now focused on achieving file sovereignty and residency rather than convenience. Data sovereignty differs from privacy in that the former concerns the primary authority that possesses the right to store and access information, while the latter relates to its geographic location. 

While the early cloud computing innovators placed their data with the most accessible and cost-effective infrastructure, there was little information on where exactly it was stored. This created a sovereignty gap, as the organizations had limited insight into who could access the information and the applicable legal frameworks. At the same time, there are more data residency and sovereignty risks today as countries impose strict regulations and trade barriers while dealing with cybersecurity threats and geopolitical tensions. 

Data residency is a crucial consideration for many organizations, particularly those dealing with sensitive data and operating at a multinational level. Disasters, government restrictions, or geopolitical tensions may render some servers inaccessible, thus necessitating the need to store data in different jurisdictions. Enterprises are now prioritizing storage solutions that give them the most control by allowing them to migrate or place their information as they see fit. 

These factors are driving companies to adopt sovereign file architecture, which is designed to decouple file management from storage. By doing so, organizations satisfy the need to store data in several jurisdictions and maintain flexibility regarding where to store sensitive or non-sensitive information. Enterprises can also utilize a hybrid strategy consisting of private and public storage methods, thus balancing costs and file security. 

Sovereign file architecture allows organizations to remain compliant with the increasingly stringent data residency and sovereignty laws enforced by governments worldwide. Consequently, there is now a growing preference for sovereign file architectures over other options when considering factors such as transparency, legal protection, and control.