Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

US
China Cyber Security firmware Routers US

U.S. Agencies Consider Restrictions on TP-Link Routers Over Security Risks

 



A coordinated review by several federal agencies in the United States has intensified scrutiny of TP-Link home routers, with officials considering whether the devices should continue to be available in the country. Recent reporting indicates that more than six departments and agencies have supported a proposal recommending restrictions because the routers may expose American data to security risks.

Public attention on the matter began in December 2024, when major U.S. outlets revealed that the Departments of Commerce, Defense and Justice had opened parallel investigations into TP-Link. The inquiries focused on whether the company’s corporate structure and overseas connections could create opportunities for foreign government influence. After those initial disclosures, little additional information surfaced until the Washington Post reported that the proposal had cleared interagency review.

Officials involved believe the potential risk comes from how TP-Link products collect and manage sensitive information, combined with the company’s operational ties to China. TP-Link strongly disputes the allegation that it is subject to any foreign authority and says its U.S. entity functions independently. The company maintains that it designs and manufactures its devices without any outside control.

TP-Link was founded in Shenzhen in 1996 and reorganized in 2024 into two entities: TP-Link Technologies and TP-Link Systems. The U.S. arm, TP-Link Systems, operates from Irvine, California, with roughly 500 domestic employees and thousands more across its global workforce. Lawmakers previously expressed concern that companies with overseas operations may be required to comply with foreign legal demands. They also cited past incidents in which compromised routers, including those from TP-Link, were used by threat actors during cyber operations targeting the United States.

The company has grown rapidly in the U.S. router market since 2019. Some reports place its share at a majority of consumer sales, although TP-Link disputes those figures and points to independent data that estimates a smaller share. One industry platform found that about 12 percent of active U.S. home routers are TP-Link devices. Previous reporting also noted that more than 300 internet providers distribute TP-Link equipment to customers.

In a separate line of inquiry, the Department of Justice is examining whether TP-Link set prices at levels intended to undercut competitors. The company denies this and says its pricing remains sustainable and profitable.

Cybersecurity researchers have found security flaws in routers from many manufacturers, not only TP-Link. Independent analysts identified firmware implants linked to state-sponsored groups, as well as widespread botnet activity involving small office and home routers. A Microsoft study reported that some TP-Link devices became part of password spray attacks when users did not change default administrator credentials. Experts emphasize that router vulnerabilities are widespread across the industry and not limited to one brand.

Consumers who use TP-Link routers can reduce risk by updating administrator passwords, applying firmware updates, enabling modern encryption such as WPA3, turning on built-in firewalls, and considering reputable VPN services. Devices that no longer receive updates should be replaced.

The Department of Commerce has not issued a final ruling. Reports suggest that ongoing U.S. diplomatic discussions with China could influence the timeline. TP-Link has said it is willing to improve transparency, strengthen cybersecurity practices and relocate certain functions if required. 

Read more »
Redback IFV leak
Australia Hanwha Defense deal Cyber Toufan Data Breach Elbit Systems Israeli defense companies hack Redback IFV leak

Pro-Hamas Hackers Leak Alleged Redback IFV Plans and Israeli Defense Employee Data After Major Cyber Breach

A hacker collective aligned with Hamas has allegedly released sensitive information tied to Australia’s Redback next-generation infantry fighting vehicle program, along with hundreds of photographs of staff from Israeli defense companies.

The group, known as Cyber Toufan and widely believed to have links to Iran, posted detailed 3D schematics and technical files connected to the AUD $7 billion Redback project. The leak followed a series of cyberattacks on 17 Israeli defense contractors, carried out after infiltrating the systems of supply-chain partner MAYA Technologies, The Australian reported. According to the outlet, the hackers claimed they had “infiltrated the heart of Israel’s defense engineering operations” and began releasing information on 36 joint defense projects from October 22 onward.

They further asserted that they “have obtained tens of terabytes of personal data, administrative and technical documents, audio calls, and video recordings of these criminals… Some designed the rocket, the UAVs, and the tank, while others participated in making their parts and programming their systems, even transporting them to the battlefield.”

A report released in May by Israeli cybersecurity company OP Innovate noted that the group heavily targets organizations connected to Israel’s defense and economic sectors. The report highlighted that Cyber Toufan often exploits default or previously leaked credentials used by third-party security providers, enabling access “not by breaking in, but by walking through an unlocked door.”

Australia previously signed a deal with South Korea’s Hanwha Defense to purchase 127 Redback vehicles for AUD $7 billion. The platform incorporates several Israeli-made systems, including Elbit Systems’ advanced 30mm turret, COAPS gunner sight, a suite of sensors, the Iron Fist active protection system, the Iron-Vision helmet-mounted display, and a laser warning system.

What Was Exposed?

In addition to employee photos, Cyber Toufan published files relating to numerous defense programs. Among the disclosed items were materials tied to Elbit’s Iron-Vision helmet display, Rafael’s Iron Beam laser defense system, the Ice Breaker missile, Spike NLOS anti-tank missiles, Elbit’s Hermes 900 drone storage module, the ROEM self-propelled howitzer, and the Crossbow turreted mortar system.

The Australian also reported that internal considerations by the Australian Defence Force regarding the purchase of Rafael’s Spike NLOS missiles were revealed in the leak. However, Israeli defense industry officials told Defense and Tech by The Jerusalem Post that no classified data had been compromised.

The leak comes amid heightened political tension, as Australia has been outspoken in its criticism of Israel’s military actions in Gaza. Prime Minister Anthony Albanese has previously stated that Australia does “not sell arms to Israel,” though Defence Industry Minister Pat Conroy recently defended the continued use of Israeli technology within the Australian Defence Force.

“We make no apology for getting the best possible equipment for the Australian Defence Force,” he said at the Indo-Pacific Maritime Exposition.

Despite this stance, The Nightly reported that Australia has discreetly implemented new restrictions on defense-related exports to Israel. According to the outlet, permit holders governed under the Customs (Prohibited Exports) Regulations 1956 are now barred from exporting certain approved items to Israel. The Department of Defence reportedly declined to comment, citing national security and confidentiality obligations.

Cyber Toufan stated: “Through the systems, we have breached Elbit and Rafael’s through then [sic]. Their phones, printers, routers, and cameras as well,” the group said. “We have recorded your meetings with sound and video for over a year. This is just the beginning with Maya!”

In a statement to the publication, Rafael said:
“no Rafael classified networks, customer data, or operational systems were affected.”
“Rafael’s cybersecurity framework is among the most advanced in the industry, with continuous monitoring and protection applied across all digital environments. All projects, programs, and customer engagements remain fully secure and uninterrupted.”


Read more »
Modern Vehicles
autonomous vehicles car tracking Cyber Security cyberattacks on transportation cybersecurity vulnerability Hacker attack Modern Vehicles

Why Oslo’s Bus Security Tests Highlight the Hidden Risks of Connected Vehicles

 

Modern transportation looks very different from what it used to be, and the question of who controls a vehicle on the road no longer has a simple answer. Decades ago, the person behind the wheel was unquestionably the one in charge. But as cars, buses, and trucks increasingly rely on constant connectivity, automated functions, and remote software management, the definition of a “driver” has become more complicated. With vehicles now vulnerable to remote interference, the risks tied to this connectivity are prompting transportation agencies to take a closer look at what’s happening under the hood. 

This concern is central to a recent initiative by Ruter, the public transport agency responsible for Oslo and the surrounding Akershus region. Ruter conducted a detailed assessment of two electric bus models—one from Dutch manufacturer VDL and another from Chinese automaker Yutong—to evaluate the cybersecurity implications of integrating modern, connected vehicles into public transit networks. The goal was straightforward but crucial: determine whether any external entity could access bus controls or manipulate onboard camera systems. 

The VDL buses showed no major concerns because they lacked the capability for remote software updates, effectively limiting the pathways through which an attacker could interfere. The Yutong buses, however, presented a more complex picture. While one identified vulnerability tied to third-party software has since been fixed, Ruter’s investigation revealed a more troubling possibility: the buses could potentially be halted or disabled by the manufacturer through remote commands. Ruter is now implementing measures to slow or filter incoming signals so they can differentiate between legitimate updates and suspicious activity, reducing the chance of an unnoticed hijack attempt. 

Ruter’s interest in cybersecurity aligns with broader global concerns. The Associated Press noted that similar tests are being carried out by various organizations because the threat landscape continues to expand. High-profile demonstrations over the past decade have shown that connected vehicles are susceptible to remote interference. One of the most well-known examples was when WIRED journalist Andy Greenberg rode in a Jeep that hackers remotely manipulated, controlling everything from the brakes to the steering. More recent research, including reports from LiveScience, highlights attacks that can trick vehicles’ perception systems into detecting phantom obstacles. 

Remote software updates play an important role in keeping vehicles functional and reducing the need for physical recalls, but they also create new avenues for misuse. As vehicles become more digital than mechanical, transit agencies and governments must treat cybersecurity as a critical aspect of transportation safety. Oslo’s findings reinforce the reality that modern mobility is no longer just about engines and wheels—it’s about defending the invisible networks that keep those vehicles running.
Read more »
USB
Backup Cyber Security Data protection Encryption storage USB

USB Drives Are Handy, But Never For Your Only Backup

 

Storing important files on a USB drive offers convenience due to their ease of use and affordability, but there are significant considerations regarding both data preservation and security that users must address. USB drives, while widely used for backup, should not be solely relied upon for safeguarding crucial files, as various risks such as device failure, malware infection, and physical theft can compromise data integrity.

Data preservation challenges

USB drive longevity depends heavily on build quality, frequency of use, and storage conditions. Cheap flash drives carry a higher failure risk compared to rugged, high-grade SSDs, though even premium devices can malfunction unexpectedly. Relying on a single drive is risky; redundancy is the key to effective file preservation.

Users are encouraged to maintain multiple backups, ideally spanning different storage approaches—such as using several USB drives, local RAID setups, and cloud storage—for vital files. Each backup method has its trade-offs: local storage like RAID arrays provides resilience against hardware failure, while cloud storage via services such as Google Drive or Dropbox enables convenient access but introduces exposure to hacking or unauthorized access due to online vulnerabilities.

Malware and physical risks

All USB drives are susceptible to malware, especially when connected to compromised computers. Such infections can propagate, and in some cases, lead to ransomware attacks where files are held hostage. Additionally, used or secondhand USB drives pose heightened malware risks and should typically be avoided. Physical security is another concern; although USB drives are inaccessible remotely when unplugged, they are unprotected if stolen unless properly encrypted.

Encryption significantly improves USB drive security. Tools like BitLocker (Windows) and Disk Utility (MacOS) enable password protection, making it more difficult for thieves or unauthorized users to access files even if they obtain the physical device. Secure physical storage—such as safes or safety deposit boxes—further limits theft risk.

Recommended backup strategy

Most users should keep at least two backups: one local (such as a USB drive) and one cloud-based. This dual approach ensures data recovery if either the cloud service is compromised or the physical drive is lost or damaged. For extremely sensitive data, robust local systems with advanced encryption are preferable. Regularly simulating data loss scenarios and confirming your ability to restore lost files provides confidence and peace of mind in your backup strategy.
Read more »
Threat Intelligence
Cloud Security continuous monitoring Cyber Security Cybersecurity Endpoint Defense Incident response ransomware protection Risk Management SOC Operations Threat Intelligence

Continuous Incident Response Is Redefining Cybersecurity Strategy

 


With organizations now faced with relentless digital exposure, continuous security monitoring has become an operational necessity instead of a best practice, as organizations navigate an era where digital exposure is ubiquitous. In 2024, cyber-attacks will increase by nearly 30%, with the average enterprise having to deal with over 1,600 attempted intrusions a week, with the financial impact of a data breach regularly rising into six figures. 

Even so, the real crisis extends well beyond the rising level of threats. In the past, cybersecurity strategies relied on a familiar formula—detect quickly, respond promptly, recover quickly—but that cadence no longer suffices in an environment that is characterized by adversaries automating reconnaissance, exploiting cloud misconfiguration within minutes, and weaponizing legitimate tools so that they can move laterally far faster than human analysts are able to react. 

There has been a growing gap between what organizations can see and the ability to act as the result of successive waves of innovation, from EDR to XDR, as a result of which they have widened visibility across sprawling digital estates. The security operations center is already facing unprecedented complexity. Despite the fact that security operations teams juggle dozens of tools and struggle with floods of alerts that require manual validation, organisations are unable to act as quickly as they should. 

A recent accelerated disconnect between risk and security is transforming how security leaders understand risks and forcing them to face a difficult truth: visibility without speed is no longer an effective defence. When examining the threat patterns defining the year 2024, it becomes more apparent why this shift is necessary. According to security firms, attackers are increasingly using stealthy, fileless techniques to steal from their victims, with nearly four out of five detections categorised as malware-free today, with the majority of attacks classified as malware-free. 

As a result, ransomware activity has continued to climb steeply upward, rising by more than 80% on a year-over-year basis and striking small and midsized businesses the most disproportionately, accounting for approximately 70% of all recorded incidents. In recent years, phishing campaigns have become increasingly aggressive, with some vectors experiencing unprecedented spikes - some exceeding 1,200% - as adversaries use artificial intelligence to bypass human judgment. 

A number of SMBs remain structurally unprepared in spite of these pressures, with the majority acknowledging that they have become preferred targets, but three out of four of them continue to use informal or internally managed security measures. These risks are compounded by human error, which is responsible for an estimated 88% of reported cyber incidents. 

There have been staggering financial consequences as well; in the past five years alone, the UK has suffered losses of more than £44 billion, resulting in both immediate disruption and long-term revenue losses. Due to this, the industry’s definition of continuous cybersecurity is now much broader than periodic audits. 

It is necessary to maintain continuous threat monitoring, proactive vulnerability and exposure management, disciplined identity governance, sustained employee awareness programs, regularly tested incident response playbooks, and ongoing compliance monitoring—a posture which emphasizes continuous evaluation rather than reactive control as part of an operational strategy. Increasingly complex digital estates are creating unpredictable cyber risks, which are making continuous monitoring an essential part of modern defence strategies. 

Continuous monitoring is a real time monitoring system that scans systems, networks, and cloud environments in real time, in order to detect early signs of misconfiguration, compromise, or operational drift. In contrast to periodic checks which operate on a fixed schedule and leave long periods of exposure, continuous monitoring operates in real time. 

The approach outlined above aligns closely with the NIST guidance, which urges organizations to set up an adaptive monitoring strategy capable of ingesting a variety of data streams, analysing emerging vulnerabilities, and generating timely alerts for security teams to take action. Using continuous monitoring, organizations can discover latent weaknesses that are contributing to their overall cyber posture. 

Continuous monitoring reduces the frequency and severity of incidents, eases the burden on security personnel, and helps them meet increasing regulatory demands. Even so, maintaining such a level of vigilance remains a challenge, especially for small businesses that lack the resources, expertise, and tooling to operate around the clock in order to stay on top of their game. 

The majority of organizations therefore turn to external service providers in order to achieve the scalability and economic viability of continuous monitoring. Typically, effective continuous monitoring programs include four key components: a monitoring engine, analytics that can be used to identify anomalies and trends on a large scale, a dashboard that shows key risk indicators in real time, and an alerting system to ensure that emerging issues are quickly addressed by the appropriate staff. 

With the help of automation, security teams are now able to process a great deal of telemetry in a timely and accurate manner, replacing outdated or incomplete snapshots with live visibility into organisational risk, enabling them to respond successfully in a highly dynamic threat environment. 

Continuous monitoring can take on a variety of forms, depending on the asset in focus, including endpoint monitoring, network traffic analysis, application performance tracking, cloud and container observability, etc., all of which provide an important layer of protection against attacks as they spread across every aspect of the digital infrastructure. 

It has also been shown that the dissolution of traditional network perimeters is a key contributor to the push toward continuous response. In the current world of cloud-based workloads, SaaS-based ecosystems, and remote endpoints, security architectures mustwork as flexible and modular systems capable of correlating telemetrics between email, DNS, identity, network, and endpoint layers, without necessarily creating new silos within the architecture. 

Three operational priorities are usually emphasized by organizations moving in this direction: deep integration to keep unified visibility, automation to handle routine containment at machine speed and validation practices, such as breach simulations and posture tests, to ensure that defence systems behave as they should. It has become increasingly common for managed security services to adopt these principles, and this is why more organizations are adopting them.

909Protect, for instance, is an example of a product that provides rapid, coordinated containment across hybrid environments through the use of automated detection coupled with continuous human oversight. In such platforms, the signals from various security vectors are correlated, and they are layered on top of existing tools with behavioural analysis, posture assessment and identity safeguards in order to ensure that no critical alert goes unnoticed while still maintaining established investments. 

In addition to this shift, there is a realignment among the industry as a whole toward systems that are built to be available continuously rather than undergoing episodic interventions. Cybersecurity has gone through countless “next generation” labels, but only those approaches which fundamentally alter the behavior of operations tend to endure, according to veteran analysts in the field. In addressing this underlying failure point, continuous incident response fits perfectly into this trajectory. 

Organizations are rarely breached because they have no data, but rather because they do not act on it quickly enough or cohesively. As analysts argue, the path forward will be determined by the ability to combine automation, analytics, and human expertise into a single adaptive workflow that can be used in an organization's entirety. 

There is no doubt that the organizations that are most likely to be able to withstand emerging threats in the foreseeable future will be those that approach security as a living, constantly changing system that is not only based on the visible, but also on the ability of the organization to detect, contain, and recover in real time from any threats as they arise. 

In the end, the shift toward continuous incident response is a sign that cybersecurity resilience is more than just about speed anymore, but about endurance as well. Investing in unified visibility, disciplined automation, as well as persistent validation will not only ensure that the path from detection to containment is shortened, but that the operations remain stable over the longer term as well.

The advantage will go to those who treat security as an evolving ecosystem—one that is continually refined, coordinated across teams and committed to responding in a continuity similar to the attacks used by adversaries.
Read more »
Scams
2FA Cyber Threats Digital ID Digital identification Passwords Privacy Ransomware Scams

How Oversharing, Weak Passwords, and Digital IDs Make You an Easy Target and What You Can Do




The more we share online, the easier it becomes for attackers to piece together our personal lives. Photos, location tags, daily routines, workplace details, and even casual posts can be combined to create a fairly accurate picture of who we are. Cybercriminals use this information to imitate victims, trick service providers, and craft convincing scams that look genuine. When someone can guess where you spend your time or what services you rely on, they can more easily pretend to be you and manipulate systems meant to protect you. Reducing what you post publicly is one of the simplest steps to lower this risk.

Weak passwords add another layer of vulnerability, but a recent industry assessment has shown that the problem is not only with users. Many of the most visited websites do not enforce strong password requirements. Some platforms do not require long passwords, special characters, or case sensitivity. This leaves accounts easier to break into through automated attacks. Experts recommend that websites adopt stronger password rules, introduce passkey options, and guide users with clear indicators of password strength. Users can improve their own security by relying on password managers, creating long unique passwords, and enabling two factor authentication wherever possible.

Concerns about device security are also increasing. Several governments have begun reviewing whether certain networking devices introduce national security risks, especially when the manufacturers are headquartered in countries that have laws allowing state access to data. These investigations have sparked debates over how consumer hardware is produced, how data flows through global supply chains, and whether companies can guarantee independence from government requests. For everyday users, this tension means it is important to select routers and other digital devices that receive regular software updates, publish clear security policies, and have a history of addressing vulnerabilities quickly.

Another rising threat is ransomware. Criminal groups continue to target both individuals and large organisations, encrypting data and demanding payment for recovery. Recent cases involving individuals with cybersecurity backgrounds show how profitable illicit markets can attract even trained professionals. Because attackers now operate with high levels of organisation, users and businesses should maintain offline backups, restrict access within internal networks, and test their response plans in advance.

Privacy concerns are also emerging in the travel sector. Airline data practices are also drawing scrutiny. Travel companies cannot directly sell passenger information to government programs due to legal restrictions, so several airlines jointly rely on an intermediary that acts as a broker. Reports show that this broker had been distributing data for years but only recently registered itself as a data broker, which is legally required. Users can request removal from this data-sharing system by emailing the broker’s privacy address and completing identity verification. Confirmation records should be stored for reference. The process involves verifying identity details, and users should keep a copy of all correspondence and confirmations. 

Finally, several governments are exploring digital identity systems that would allow residents to store official identification on their phones. Although convenient, this approach raises significant privacy risks. Digital IDs place sensitive information in one central location, and if the surrounding protections are weak, the data could be misused for tracking or monitoring. Strong legal safeguards, transparent data handling rules, and external audits are essential before such systems are implemented.

Experts warn that centralizing identity increases the potential impact of a breach and may facilitate tracking unless strict limits, independent audits, and user controls are enforced. Policymakers must balance convenience with strong technical and legal protections. 


Practical, immediate steps one should follow:

1. Reduce public posts that reveal routines or precise locations.

2. Use a password manager and unique, long passwords.

3. Turn on two factor authentication for important accounts.

4. Maintain offline backups and test recovery procedures.

5. Check privacy policies of travel brokers and submit opt-out requests if you want to limit data sharing.

6. Prefer devices with clear update policies and documented security practices.

These measures lower the chance that routine online activity becomes a direct route into your accounts or identity. Small, consistent changes will greatly reduce risk.

Overall, users can strengthen their protection by sharing less online, reviewing how their travel data is handled, and staying informed about the implications of digital identification. Small and consistent actions reduce the likelihood of becoming a victim of cyber threats.

Read more »
VDI
application delivery models cloud desktops DaaS IT Infrastructure local applications saaS Technology VDI

How Modern Application Delivery Models Are Evolving: Local Apps, VDI, SaaS, and DaaS Explained

 

Since the early 1990s, the methods used to deliver applications and data have been in constant transition. Today, IT teams must navigate a wider range of options—and a greater level of complexity—than ever before. Because applications are deployed in different ways for different needs, most organizations now rely on more than one model at a time. To plan future investments effectively, it’s important to understand how local applications, Virtual Desktop Infrastructure (VDI), Software-as-a-Service (SaaS), and Desktop-as-a-Service (DaaS) complement each other.

Local Applications

Local applications are installed directly on a user’s device, a model that dominated the 1990s and remains widely used. Their biggest advantage is reliability: apps are always accessible, customizable, and available wherever the device goes.

However, maintaining these distributed installations can be challenging. Updates must be rolled out across multiple endpoints, often leading to inconsistency. Performance may also fluctuate if these apps depend on remote databases or storage resources. Security adds another layer of complexity, as corporate data must move to the device, increasing the risk of exposure and demanding strong endpoint protection.

Virtual Desktop Infrastructure (VDI)

VDI centralizes desktops and applications in a controlled environment—whether hosted on-premises or in private or public clouds. Users interact with the system through transmitted screen updates and input signals, while the data itself stays securely in one place.

This centralization simplifies updates, strengthens security, and ensures more predictable performance by keeping applications near their data sources. On the other hand, VDI requires uninterrupted connectivity and often demands specialized expertise to manage. As a result, many organizations supplement VDI with other delivery models instead of depending on it alone.

Software-as-a-Service (SaaS)

SaaS delivers software through a browser, eliminating the need for local installation or maintenance. Providers apply updates automatically, keeping applications “evergreen” for subscribers. This reduces operational overhead for IT teams and allows vendors to release features quickly.

But the subscription-based model also means customers don’t own the software—access ends when payments stop. Transitioning to a different provider can be difficult, especially when exporting data in a usable form. SaaS can also introduce familiar endpoint challenges, as user devices still interact directly with data.

The model’s rapid growth is evident. According to the Parallels Cloud Survey 2025, 80% of respondents say at least a quarter of their applications run as SaaS, with many reporting significantly higher adoption.

Desktop-as-a-Service (DaaS)

DaaS extends the SaaS model by delivering entire desktops through a managed service. Organizations access virtual desktops much like VDI but without overseeing the underlying infrastructure.

This reduces complexity while providing consolidated management, stable performance, and strong security. DaaS is especially useful when organizations need to scale quickly to support new teams or projects. However, like SaaS, DaaS is subscription-based, and the service stops if payments lapse. The model works best with standardized desktop environments—heavy customization can add complexity.

Another key consideration is data location. If desktops move to DaaS while critical applications or data remain elsewhere, users may face performance issues. Aligning desktops with the data they rely on is essential.

A Multi-Model Reality

Most organizations no longer rely on a single delivery method. They use local apps where necessary, VDI for tighter control, SaaS for streamlined access, and DaaS for scalability.

The Parallels survey highlights this blend: 85% of organizations use SaaS, but only 2% rely on it exclusively. Many combine SaaS with VDI or DaaS. Additionally, 86% of IT leaders say they are considering or planning to shift some workloads away from the public cloud, reflecting the complexity of modern delivery decisions.

What IT Leaders Need to Consider

When determining how these models fit together, organizations must assess:

Security & Compliance: Highly regulated sectors may prefer VDI for data control, while SaaS and DaaS providers offer certifications that may not apply universally.

Operational Expertise: VDI demands specialized skills; companies lacking them may adopt DaaS. SaaS’s isolated data structures may require additional tools or expertise.

Scalability & Agility: SaaS and DaaS typically allow faster expansion, though cloud-based VDI is narrowing this gap.

Geographical Factors: User locations, latency requirements, and regional data regulations influence which model performs best.

Cost Structure: VDI often requires upfront investments, while SaaS and DaaS distribute costs over time. Both direct and hidden operational costs must be evaluated.

Each application delivery model offers distinct benefits: local apps provide control, VDI enhances security, SaaS simplifies operations, and DaaS supports flexibility. Most organizations will continue using a combination of these approaches.

The optimal strategy aligns each model with the workloads it supports best, prioritizes security and compliance, and maintains adaptability for future needs. With clear objectives and thoughtful planning, IT leaders can deliver secure, high-performing access today while staying ready for whatever comes next.


Read more »
data security
Chinese Chinese Hackers Cyber Security Data Breaches Data Leak Data protection data security

Knownsec Data Leak Exposes Deep Cyber Links and Global Targeting Operations

 

A recent leak involving Chinese cybersecurity company Knownsec has uncovered more than 12,000 internal documents, offering an unusually detailed picture of how deeply a private firm can be intertwined with state-linked cyber activities. The incident has raised widespread concern among researchers, as the exposed files reportedly include information on internal artificial intelligence tools, sophisticated cyber capabilities, and extensive international targeting efforts. Although the materials were quickly removed after surfacing briefly on GitHub, they have already circulated across the global security community, enabling analysts to examine the scale and structure of the operations. 

The leaked data appears to illustrate connections between Knownsec and several government-aligned entities, giving researchers insight into China’s broader cyber ecosystem. According to those reviewing the documents, the files map out international targets across more than twenty countries and regions, including India, Japan, Vietnam, Indonesia, Nigeria, and the United Kingdom. Of particular concern are spreadsheets that allegedly outline attacks on around 80 foreign organizations, including critical infrastructure providers and major telecommunications companies. These insights suggest activity far more coordinated than previously understood, highlighting the growing sophistication of state-associated cyber programs. 

Among the most significant revelations is the volume of foreign data reportedly linked to prior breaches. Files attributed to the leaks include approximately 95GB of immigration information from India, 3TB of call logs taken from South Korea’s LG U Plus, and nearly 459GB of transportation records from Taiwan. Researchers also identified multiple Remote Access Trojans capable of infiltrating Windows, Linux, macOS, iOS, and Android systems. Android-based malware found in the leaked content reportedly has functionality allowing data extraction from widely used Chinese messaging applications and Telegram, further emphasizing the operational depth of the tools. 

The documents also reference hardware-based hacking devices, including a malicious power bank engineered to clandestinely upload data into a victim’s system once connected. Such devices demonstrate that offensive cyber operations may extend beyond software to include physical infiltration tools designed for discreet, targeted attacks. Security analysts reviewing the information suggest that these capabilities indicate a more expansive and organized program than earlier assessments had captured. 

Beijing has denied awareness of any breach involving Knownsec. A Foreign Ministry spokesperson reiterated that China opposes malicious cyber activities and enforces relevant laws, though the official statement did not directly address the alleged connections between the state and companies involved in intelligence-oriented work. While the government’s response distances itself from the incident, analysts note that the leaked documents will likely renew debates about the role of private firms in national cyber strategies. 

Experts warn that traditional cybersecurity measures—including antivirus software and firewall defenses—are insufficient against the type of advanced tools referenced in the leak. Instead, organizations are encouraged to adopt more comprehensive protection strategies, such as real-time monitoring systems, strict network segmentation, and the responsible integration of AI-driven threat detection. 

The Knownsec incident underscores that as adversaries continue to refine their methods, defensive systems must evolve accordingly to prevent large-scale breaches and safeguard sensitive data.
Read more »
Token Farming Attack
Automated Attacks Cyber Security Dependency Threats malware NPM malware Open Source Risks Registry Abuse Research Software Integrity supply chain security Token Farming Attack

$116 Million at Risk as Balancer Suffers Major Smart Contract Breach

 

Security experts are becoming increasingly concerned about a developing anomaly in the JavaScript ecosystem after researchers discovered a massive cluster of self-replicating npm packages that seem to have no technical function but instead indicate a well-thought-out and financially motivated scheme. Over 43,000 of these packages—roughly 1% of the whole npm repository—were covertly uploaded over a two-year period using at least 11 synchronized accounts, according to recent research by Endor Labs. 

The libraries automatically reproduce themselves when downloaded and executed, filling the ecosystem with nearly identical code, even though they do not behave like traditional malware—showing no indicators of data theft, backdoor deployment, or system compromise. Investigators caution that even while these packages are harmless at the moment, their size and consistent behavior could serve as a channel for harmful updates in the future. 

With many packages containing tea.yaml files connected to TEA cryptocurrency accounts, early indications also point to a potential monetization plan, indicating the operation may be built to farm tokens at scale. The scope and complexity of the program were exposed by more research in the weeks that followed. 

In late October, clusters of unusual npm uploads were first observed by Amazon's security experts using improved detection algorithms and AI-assisted monitoring. By November 7, hundreds of suspicious packages had been found, and by November 12, over 150,000 malicious entries had been linked to a network of coordinated developer accounts. 

What had started out as a few dubious packages swiftly grew into a huge discovery. They were all connected to the tea.xyz token-farming initiative, a decentralized protocol that uses TEA tokens for staking, incentives, and governance to reward open-source contributions. Instead of using ransomware or credential stealers, the attackers flooded the registry with self-replicating packages that were made to automatically create and publish new versions.

As unwary developers downloaded or interacted with the contaminated libraries, the perpetrators silently accumulated token rewards. Each package was connected to blockchain wallets under the attackers' control by embedded tea.yaml files, which made it possible for them to embezzle profits from lawful community activities without drawing attention to themselves. The event, according to security experts, highlights a broader structural flaw in contemporary software development, where the speed and transparency of open-source ecosystems may be readily exploited at scale. 

Amazon's results show how AI-driven automation has made it easy for attackers to send large quantities of garbage or dangerous goods in a short amount of time, according to Manoj Nair, chief innovation officer at Snyk. He emphasized that developers should use behavior-based scanning and automated dependency-health controls to identify low-download libraries, template-reused content, and abrupt spikes in mass publishing before such components enter their build pipelines, as manual review is no longer sufficient. 

In order to stop similar operations before they start, he continued, registry operators must also change by proactively spotting bulk uploads, duplicate code templates, and oddities in metadata. Suzu CEO Michael Bell shared these worries, claiming that the discovery of 150,000 self-replicating, token-farming npm packages shows why attackers frequently have significantly more leverage when they compromise the development supply chain than when they directly target production systems. 

Bell cautioned that companies need to treat build pipelines and dependency chains with the same rigor as production infrastructure because shift-left security is becoming the standard. This includes implementing automated scans, keeping accurate software bills of materials, enforcing lockfiles to pin trusted versions, and verifying package authenticity before installation. He pointed out that once malicious code enters production, defenders are already reacting to a breach rather than stopping an assault. 

The researchers discovered that by incorporating executable scripts and circular dependency chains into package.json files, the campaign took advantage of npm's installation procedures. In actuality, installing one malicious package set off a planned cascade that increased replication and tea.xyz teaRank scores by automatically installing several more.

The operation created significant risks by flooding the registry with unnecessary entries, taxing storage and bandwidth resources, and increasing the possibility of dependency confusion, even if the packages did not include ransomware or credential-stealing payloads. Many of the packages shared cloned code, had tea.yaml files connecting them to attacker-controlled blockchain wallets, and used standard naming conventions. Amazon recommended that companies assess their current npm dependencies, eliminate subpar or non-functional components, and bolster their supply-chain defenses with separated CI/CD environments and SBOM enforcement. 

The event contributes to an increasing number of software supply-chain risks that have led to the release of new guidelines by government organizations, such as CISA, with the goal of enhancing resilience throughout development pipelines. The campaign serves as a sobering reminder that supply-chain integrity can no longer be ignored as the inquiry comes to an end. The scope of this issue demonstrates how readily automation may corrupt open-source ecosystems and take advantage of community trust for commercial gain if left uncontrolled. 

Stronger verification procedures throughout development pipelines, ongoing dependency auditing, and stricter registry administration are all necessary, according to experts. In addition to reducing such risks, investing in clear information, resilient tooling, and cross-industry cooperation will support the long-term viability of the software ecosystems that contemporary businesses rely on.
Read more »
Spyware
Android Security Data Theft malware Payment Faud Spyware

Android Malware Hits 42 Million Downloads, Risking Mobile Payments

 

Android malware is surging globally, with attackers increasingly targeting mobile payments and IoT devices, exposing critical vulnerabilities in systems heavily relied upon for communication, work, and financial activity. 

Recent findings from Zscaler indicate that 239 malicious Android apps were discovered on Google Play, amassing a staggering 42 million downloads, mainly by users seeking productivity and workflow solutions trusted in hybrid work settings. This reflects a pronounced shift away from traditional card-based fraud toward abuse of mobile payment channels using various social engineering tactics—such as phishing, smishing, and SIM-swapping.

Mobile compromise incidents are escalating rapidly, highlighted by a 67% year-over-year spike in Android malware transactions. Spyware, banking trojans, and adware are the dominant threats, with adware constituting 69% of all malware detections, indicating evolving monetization strategies among cybercriminals while the notorious 'Joker' family has sharply declined to only 23% of activity. The report outlines a trend of attackers focusing on high-value sectors, with the energy industry experiencing a dramatic 387% increase in attack attempts compared to the previous year.

IoT environments remain highly vulnerable, particularly in manufacturing and transportation, which saw over 40% of IoT-related malware activity. IoT attacks are primarily driven by botnet malware families such as Mirai, Mozi, and Gafgyt—collectively responsible for about 75% of observed malicious payloads within this space. Routers, in particular, are heavily targeted, making up 75% of all IoT attacks, as attackers use them for botnet building and proxy networks.

Geographically, India is the prime target for mobile malware, receiving 26% of analyzed attacks, followed by the United States (15%) and Canada (14%). In IoT, the United States is most affected, seeing 54.1% of all malicious traffic. Certain threats like the Android Void backdoor have infected at least 1.6 million Android TV boxes, mostly in India and Brazil, exposing the dangers linked to widespread use of inexpensive devices and outdated software. Malware families like Anatsa and Xnotice continue to refine tactics for financial theft and regional targeting.

To defend against these threats, experts recommend maintaining regularly updated devices, using reputable antivirus apps, enabling ransomware protection, limiting unnecessary app installations, scrutinizing permissions, running frequent malware scans, and utilizing Google Play Protect. The article stresses the need for a "zero trust everywhere" approach combined with AI-driven threat detection to counter the evolving cyber landscape.
Read more »
User Data
Landfall malware Samsung Spyware User Data

Landfall Spyware Exploited a Samsung Image Flaw to Secretly Target Users For Nearly a Year




Security specialists at Palo Alto Networks’ Unit 42 have uncovered a complex spyware tool named Landfall that silently infiltrated certain Samsung Galaxy phones for close to a year. The operation relied on a serious flaw in Samsung’s Android image-processing system, which allowed the device to be compromised without the user tapping or opening anything on their screen.

Unit 42 traces the campaign back to July 2024. The underlying bug was later assigned CVE-2025-21042, and Samsung addressed it in a security update released in April 2025. The details of how attackers used the flaw became public only recently, after researchers completed their investigation.

The team emphasizes that even users who browsed risky websites or received suspicious files during that period likely avoided infection. Evidence suggests the operation was highly selective, targeting only specific individuals or groups rather than the general public. Based on submitted samples, the activity was concentrated in parts of the Middle East, including Iraq, Iran, Turkey, and Morocco. Who controlled Landfall remains unknown.

The researchers discovered the spyware while examining earlier zero-click bugs affecting Apple iOS and WhatsApp. Those unrelated flaws showed how attackers could trigger remote code execution by exploiting image-handling weaknesses. This motivated Unit 42 to search for similar risks affecting Android devices. During this process, they found several suspicious files uploaded to VirusTotal that ultimately revealed the Landfall attack chain.

At the center of this operation were manipulated DNG image files. DNG is a raw picture format built on the TIFF standard and is normally harmless. In this case, however, the attackers altered the files so they carried compressed ZIP archives containing malicious components. The image-processing library in Samsung devices had a defect that caused the system to extract and run the embedded code automatically while preparing the image preview. This made the threat a true zero-click exploit because no user action was required for infection.

Once the malware launched, it attempted to rewrite parts of the device’s SELinux security policy. This gave the operators broad system access and made the spyware harder to detect or remove. According to Unit 42, the files appeared to have been delivered through messaging platforms like WhatsApp, disguised as regular images. Code inside the samples referenced models such as the Galaxy S22, S23, S24, Z Flip 4, and Z Fold 4. Samsung believes the vulnerability existed across devices running Android 13, 14, and 15.

After installation, Landfall could gather extensive personal information. It could transmit hardware identifiers, lists of installed apps, contacts, browsing activity, and stored files. It also had the technical ability to activate the device’s microphone or camera for surveillance. The spyware included multiple features to avoid detection, meaning that fully removing it would require deep device repairs or resets.

Unit 42 noted similarities between Landfall’s design and advanced commercial spyware used by major surveillance vendors, but they did not identify any company or group responsible. Although Samsung has already released a fix, attackers could reuse this method on devices that have not installed the April 2025 update or later. Users are urged to check their security patch level to remain protected.


Read more »
password alternatives
Compromised Passwords Cyber Security Google security Passkey Security passkeys for Google Account password alternatives

Google Password Warning Explained: Why Gmail Users Should Switch to Passkeys Now

 

Despite viral claims that Google is instructing every Gmail user to urgently change their password because of a direct breach, the reality is more nuanced. Google is indeed advising users to reset their credentials, but not due to a compromise of Gmail accounts themselves. Instead, the company is urging people to adopt stronger authentication—including passkeys—because a separate incident involving Salesforce increased the likelihood of sophisticated phishing attempts targeting Gmail users.  

The issue stems from a breach at Salesforce, where attackers linked to the ShinyHunters group (also identified as UNC6040) infiltrated systems and accessed business-related Gmail information such as contact directories, organizational details, and email metadata. Crucially, no Gmail passwords were stolen. However, the nature of the compromised data gives hackers enough context to craft highly convincing phishing and impersonation attempts. 

Google confirmed that this breach has triggered a surge in targeted phishing and vishing campaigns. Attackers are already posing as Google, IT teams, or trusted service vendors to deceive users into sharing login details. Some threat actors are even placing spoofed phone calls from 650–area-code numbers, making the fraud appear to originate from Google headquarters. According to Google’s internal data, phishing and vishing together now account for roughly 37% of all successful account takeovers, highlighting how effective social engineering continues to be for cybercriminals. 

With access to workplace information, attackers can send messages referencing real colleagues, departments, and recent interactions. This level of personal detail makes fraudulent communication significantly harder to recognize. Once users disclose credentials, attackers can easily break into accounts, bypass additional safeguards, and potentially remain undetected until major damage has been done. 

Google’s central message is simple—never share your Gmail password with anyone. Even callers who sound legitimate or claim to represent support teams should not be trusted. Cybersecurity experts emphasize that compromising an email account can grant attackers control over nearly all linked services, since most account recovery systems rely on email-based reset links. 

To reduce risk, Google continues to advocate for passkeys, which replace traditional passwords with device-based biometric authentication. Unlike passwords, passkeys cannot be phished, reused, or guessed, making them substantially more secure. Google also encourages users to enable app-based two-factor authentication instead of SMS codes, which can be intercepted or spoofed. 

Google’s guidance for users focuses on regularly updating passwords, enabling 2FA or passkeys, staying alert to suspicious messages or calls, using the Security Checkup tool, and taking immediate action if unusual account activity appears. This incident demonstrates how vulnerabilities in external partners—in this case, Salesforce—can still put millions of Gmail users at risk, even when Google’s own infrastructure remains protected. With more than 2.5 billion Gmail accounts worldwide, the platform remains a prime target, and ongoing awareness remains the strongest defense.
Read more »
Tesla
AI Humanoids Optimus Robots Technology Tesla

Tesla’s Humanoid Bet: Musk Pins Future on Optimus Robot

 

Elon Musk envisions human-shaped robots, particularly the Optimus humanoid, as a pivotal element in Tesla's future AI and robotics landscape, aiming to revolutionize both industry and daily life. Musk perceives these robots not merely as automated tools but as advanced entities capable of performing complex tasks in the physical world, interacting seamlessly with humans and their environments.

A core motivation behind developing humanoid robots lies in their potential to address various practical challenges, from industrial automation to personal assistance. Musk believes that these robots can work alongside humans in workplaces, handle repetitive or hazardous tasks, and even serve in caregiving roles, thus transforming societal and economic models. Tesla plans include the manufacturing of a large-scale Optimus factory in Fremont, with aims to produce millions of units, emphasizing the strategic importance Musk attaches to this venture.

Technologically, the breakthrough for these robots extends beyond bipedal mechanics. Critical advancements involve sensor fusion—integrating multiple data inputs for real-time decision-making—energy density to ensure longer operational periods, and edge reasoning, which allows autonomous processing without constant cloud connectivity. These innovations are crucial for creating robots that are not only physically capable but also intelligent and adaptable in diverse environments.

The idea of robots interacting with humans in everyday scenarios has garnered significant attention. Musk envisions Optimus playing a major role in daily life, helping with chores, assisting in services like hospitality, and contributing to industries like healthcare and manufacturing. Tesla's ambitious plans include building a factory capable of producing one million units annually, signaling a ratcheting up of competition and investment in humanoid robotics.

Overall, Musk's emphasis on human-shaped robots reflects a strategic vision where AI-powered humanoids are integral to Tesla's growth in artificial intelligence, robotics, and beyond. His goal is to develop robots that are not only functional but also capable of integration into human environments, ultimately aiming for a future where such machines coexist with and assist humans in daily life.
Read more »
US scam statistics
Broker Chooser report Cryptocurrency Fraud Cyber Fraud investment scam 2025 pig butchering scam social media scams US scam statistics

Investment Scams Surge Across the US as Fraudsters Exploit Social Media, Texts, and Crypto Boom

 

If you've ever received a random “Hi, how are you?” message from a stranger on text or social media, it may not be an accident. While sometimes harmless, these unexpected greetings are increasingly being used by cybercriminals attempting to draw victims into investment schemes.

According to data from broker comparison platform Broker Chooser, investment-related fraud has become the fifth most common scam in the US. In just the first six months of 2025, more than 66,700 incidents were reported, with losses surpassing $3.5 billion. Cryptocurrencies remain a major target, and scammers pocketed $939 million in digital assets—an increase of $261 million from the same period last year.

Because these schemes prey on individuals hoping to grow their money quickly, the financial damage is substantial. The median loss per victim hit $10,000 in early 2025, rising from 2024’s median of $9,300. Broker Chooser notes this is the highest median loss of any scam category, dwarfing the second-highest—business and job fraud—by 376%.

Certain states are being hit harder than others. Nevada ranks first, logging 211 cases per million residents and more than $40.4 million in losses. Arizona follows with 202 cases per million and over $95.1 million lost. Florida comes in third with 185 reports per million residents and a staggering $241 million in total losses.

A major tactic driving these numbers is the “pig butchering” scam. In this approach, criminals initiate contact on dating platforms or social networks and spend months building trust. Once they establish a rapport, they persuade their targets to invest in fake cryptocurrency platforms, often showing fabricated account growth. As the victim invests more, the scammer eventually disappears with the funds, leaving the person with nothing.

Social media remains the leading gateway for these scams, with 13,577 reports and $589.1 million in losses in the first half of 2025. Many victims turn to these platforms for financial guidance, making them easy targets. Fraudulent websites and apps—often made more convincing through AI—rank second, with 6,007 incidents and $266 million in losses.

Text messages are another tool scammers use to start conversations. A simple, friendly opener can quickly evolve into targeted manipulation once the criminal identifies an opportunity.
Read more »
Transnational Fraud
Cryptocurrency Fraud cyber attack Cyber Fraud Cybercrime Scam Cybersecurity Alert Digital Forensics FTC Impersonation Malware Attack online deception tech support fraud Transnational Fraud

Tech Park Operation in Bengaluru Uncovered in Cross-Border Malware Scam


 

The Bengaluru police have made a major breakthrough in their fight against a far-reaching cybercrime syndicate that was operating inside one of the city's bustling technology parks by uncovering and dismantling an alleged tech-support fraud operation that was operating within. 

The officials stated that the group, which is based out of an office operating under the name Musk Communications situated on the sixth floor of the Delta building in Sigma Soft Tech Park, Whitefield, was posing as Microsoft technical support representatives to terrorize unsuspecting victims in the United States by issuing fabricated Federal Trade Commission (FTC) violation alerts. 

Using a judicial search warrant as well as credible intelligence, Cyber Command's special cell and Whitefield division cyber crime police mounted a series of coordinated raids on Friday and Saturday following the receipt of credible intelligence. According to investigators, the operation was sophisticated, and it siphoned off several crores of rupees by largely using cryptocurrency channels, a process that investigators believe is highly sophisticated. 

It was found, according to the Times of India, that the fraud network employed a carefully choreographed playbook of deception, which included utilizing fake security pop-ups and falsified FTC violation notifications to convince victims into transferring money by using counterfeit security pop-ups and false FTC violation notices. It was found that the Cyber Command's special cell, along with Whitefield division officers, were receiving a credible tip-off which prompted a swift and coordinated response to the operation. 

Upon receiving the intelligence, police conducted a court-ordered search over the weekend at Musk Communications headquarters on the sixth floor of the Delta building, which is located on Whitefield Main Road within Sigma Soft Tech Park. There was a cache of computers, laptops, hard drives, mobile phones, and other digital tools seized inside the building that were thought to have powered the scam. All of the employees present at the scene were detained and later appeared in court, where they were remanded to police custody while the investigation was being conducted.

It was noted by law enforcement officials that the company's owner, who recruited and trained the detained employees, remains on the loose even though the police have arrested only six people in connection with the operation. According to investigators, there may have been more than 500, possibly more than 1,000, US citizens defrauded by this network, based upon preliminary estimates. Investigators believe the network went far beyond the 21 employees caught at the scene. 

As the head of the CCU and DGP, Pronab Mohanty, has stated that the scam involved a carefully layered approach to social engineering combined with deceptive technology that led to a successful exploitation scheme. The officers observed that the group began by deploying malicious Facebook advertisements aimed at users living in the United States. The advertisements were designed to deliver harmful code embedded in links disguised as legitimate company notifications to American users.

It was designed to lock the victim's computer once they clicked on the code, triggering a fake alert, posing as "Microsoft Global Technical Support," complete with a fraudulent helpline number, to click OK. The trained impersonators who greeted victims when they contacted them escalated their fears by claiming they had been compromised, their IP addresses had been breached and that sensitive financial data was about to be exposed. 

Upon attempting to resolve fictitious FTC compliance violations and urgent security fixes, the callers were then coerced into transferring significant amounts of money, often in cryptocurrency, under the guise of resolving fictitious compliance violations. Various CCU teams had been placed under discreet surveillance by the SSTP detectives after receiving specific intelligence regarding the operation of the scam in a 4,500 square foot building that masqueraded as a call center in the Delta building at Sigma Soft Tech Park, which had been operating under the cover of a call centre.

In the case of a suo motu lawsuit filed under the provisions of the Information Technology Act, a team led by Superintendent Savitha Srinivas, the Superintendent of Police, stepped in and conducted a planned raid that lasted from Friday night until Saturday morning. According to the authorities, the arrested employees had been hired for unusually high salaries and had been provided with systematic training. Their educational and professional histories are being verified now. 

Investigators are currently examining all digital devices recovered from the premises in order to identify the individual members who are still involved with the operation. In addition, investigators will attempt to identify those individuals responsible for creating the malicious software, the trainers, and those who manage the network's finances. 

In addition, it is necessary to determine the total extent of the fraud by analyzing all the digital devices recovered from the premises. A senior officer of the company described the operation as a meticulously planned fraud network, one which relied heavily on deception and psychological pressure to perpetrate the fraud. As reported by investigators, the group ran targeted Facebook ads targeted towards U.S. users, encrypting malicious code in messages that appeared to be routine service messages or security alerts, and directing them to them. 

One click of the mouse was enough for a victim's computer to freeze and trigger a pop-up that appeared to mimic the appearance of a genuine technical support warning from Microsoft, including a fake helpline number. Upon calling victims and seeking assistance, trained impersonators dressed as Microsoft technicians spun alarming narratives claiming their computers had been hacked, their IP addresses had been compromised, and their sensitive banking information was immediately at risk. They used fabricated FTC violation notices that enticed the victims to pay hefty amounts for supposed security fixes or compliance procedures that never existed in the first place. 

Upon preliminary analysis of the financial flows, it seems that the syndicate may have siphoned off hundreds of crores through cryptocurrency channels, with Director General of Police, Cyber Command Unit, Mr. Pronab Mohanty noting that he believes the crypto transactions might have been of a large scale. 

A more complete picture of the case would emerge as the suspects were further questioned, he said, adding that investigators already had significant electronic evidence at their disposal. According to official officials, the sophisticated nature of the operation, as well as its technological infrastructure, as well as its widespread reach, suggest that it may be linked to a wider transnational cybercrime network. 

A team of experts is currently reviewing seized devices, tracking cryptocurrency wallets, reviewing communications logs, and mapping the victim footprints across multiple jurisdictions as part of the investigation. Authorities are coordinating with central agencies in order to determine if the group had counterparts operating outside of the city or overseas as part of the investigation. The scope of the investigation has continued to expand. 

There is also an investigation underway into whether shell companies, falsified paperwork, or layered financial channels were used to conceal the true leadership and funding network of the operation. As new leads emerge from digital forensics as well as financial analysis in the coming days, officers expect that the investigation will grow significantly in the coming days. According to the authorities who are investigating the incident, tech parks, digital advertisers, and online platforms are being urged to strengthen monitoring systems in order to prevent similar infiltration attempts in the future. 

Cybersecurity experts say the case underscores the growing need to raise public awareness of deceptive pop-ups, unsolicited alerts, and remote support scams—tactics that are becoming more sophisticated as time goes by. As a reminder to users, legitimate agencies will never charge money for compliance or security fixes, and users are advised to verify helplines directly through official websites to ensure they are trustworthy. It is expected that the crackdown will set a critical precedent in dismantling multi-national cyber-fraud operations by setting a critical precedent in international coordination.
Read more »
Travel
Gen AI LLMs MCP prompt injection Open AI Perplexity Technology Travel

How MCP is preparing AI systems for a new era of travel automation

 




Most digital assistants today can help users find information, yet they still cannot independently complete tasks such as organizing a trip or finalizing a booking. This gap exists because the majority of these systems are built on generative AI models that can produce answers but lack the technical ability to carry out real-world actions. That limitation is now beginning to shift as the Model Context Protocol, known as MCP, emerges as a foundational tool for enabling task-performing AI.

MCP functions as an intermediary layer that allows large language models to interact with external data sources and operational tools in a standardized way. Anthropic unveiled this protocol in late 2024, describing it as a shared method for linking AI assistants to the platforms where important information is stored, including business systems, content libraries and development environments.

The protocol uses a client-server approach. An AI model or application runs an MCP client. On the opposite side, travel companies or service providers deploy MCP servers that connect to their internal data systems, such as booking engines, rate databases, loyalty programs or customer profiles. The two sides exchange information through MCP’s uniform message format.

Before MCP, organizations had to create individual API integrations for each connection, which required significant engineering time. MCP is designed to remove that inefficiency by letting companies expose their information one time through a consolidated server that any MCP-enabled assistant can access.

Support from major AI companies, including Microsoft, Google, OpenAI and Perplexity, has pushed MCP into a leading position as the shared standard for agent-based communication. This has encouraged travel platforms to start experimenting with MCP-driven capabilities.

Several travel companies have already adopted the protocol. Kiwi.com introduced its MCP server in 2025, allowing AI tools to run flight searches and receive personalized results. Executives at the company note that the appetite for experimenting with agentic travel tools is growing, although the sector still needs clarity on which tasks belong inside a chatbot and which should remain on a company’s website.

In the accommodation sector, property management platform Apaleo launched an MCP server ahead of its competitors, and other travel brands such as Expedia and TourRadar are also integrating MCP. Industry voices emphasize that AI assistants using MCP pull verified information directly from official hotel and travel systems, rather than relying on generic online content.

The importance of MCP became even more visible when new ChatGPT apps were announced, with major travel agencies included among the first partners. Experts say this marks a significant moment for how consumers may start buying travel through conversational interfaces.

However, early adopters also warn that MCP is not without challenges. Older systems must be restructured to meet MCP’s data requirements, and companies must choose AI partners carefully because each handles privacy, authorization and data retention differently. LLM processing time can also introduce delays compared to traditional APIs.

Industry analysts expect MCP-enabled bookings to appear first in closed ecosystems, such as loyalty platforms or brand-specific applications, where trust and verification already exist. Although the technology is progressing quickly, experts note that consumer-facing value is still developing. For now, MCP represents the first steps toward more capable, agentic AI in travel.



Read more »
Malware Attack
APT44 Cyber Attacks Cyber Hackers Data Hackers Data protection data security data wipers Data Wiping Malware Hacker attack Malware Attack

Russian Sandworm Hackers Deploy New Data-Wipers Against Ukraine’s Government and Grain Sector

 

Russian state-backed hacking group Sandworm has intensified its destructive cyber operations in Ukraine, deploying several families of data-wiping malware against organizations in the government, education, logistics, energy, and grain industries. According to a new report by cybersecurity firm ESET, the attacks occurred in June and September and form part of a broader pattern of digital sabotage carried out by Sandworm—also known as APT44—throughout the conflict. 

Data wipers differ fundamentally from ransomware, which typically encrypts and steals data for extortion. Wipers are designed solely to destroy information by corrupting files, damaging disk partitions, or deleting master boot records in ways that prevent recovery. The resulting disruption can be severe, especially for critical Ukrainian institutions already strained by wartime pressures. Since Russia’s invasion, Ukraine has faced repeated wiper campaigns attributed to state-aligned actors, including PathWiper, HermeticWiper, CaddyWiper, WhisperGate, and IsaacWiper.

ESET’s report documents advanced persistent threat (APT) activity between April and September 2025 and highlights a notable escalation: targeted attacks against Ukraine’s grain sector. Grain exports remain one of the country’s essential revenue streams, and ESET notes that wiper attacks on this industry reflect an attempt to erode Ukraine’s economic resilience. The company reports that Sandworm deployed multiple variants of wiper malware during both June and September, striking organizations responsible for government operations, energy distribution, logistics networks, and grain production. While each of these sectors has faced previous sabotage attempts, direct attacks on the grain industry remain comparatively rare and underscore a growing focus on undermining Ukraine’s wartime economy. 

Earlier, in April 2025, APT44 used two additional wipers—ZeroLot and Sting—against a Ukrainian university. Investigators discovered that Sting was executed through a Windows scheduled task named after the Hungarian dish goulash, a detail that illustrates the group’s use of deceptive operational techniques. ESET also found that initial access in several incidents was achieved by UAC-0099, a separate threat actor active since 2023, which then passed control to Sandworm for wiper deployment. UAC-0099 has consistently focused its intrusions on Ukrainian institutions, suggesting coordinated efforts between threat groups aligned with Russian interests. 

Although Sandworm has recently engaged in more espionage-driven operations, ESET concludes that destructive attacks remain a persistent and ongoing part of the group’s strategy. The report further identifies cyber activity linked to Iranian interests, though not attributed to a specific Iranian threat group. These clusters involved the use of Go-based wipers derived from open-source code and targeted Israel’s energy and engineering sectors in June 2025. The tactics, techniques, and procedures align with those typically associated with Iranian state-aligned hackers, indicating a parallel rise in destructive cyber operations across regions affected by geopolitical tensions. 

Defending against data-wiping attacks requires a combination of familiar but essential cybersecurity practices. Many of the same measures advised for ransomware—such as maintaining offline, immutable backups—are crucial because wipers aim to permanently destroy data rather than exploit it. Strong endpoint detection systems, modern intrusion prevention technologies, and consistent software patching can help prevent attackers from gaining a foothold in networks. As Ukraine continues to face sophisticated threats from state-backed actors, resilient cybersecurity defenses are increasingly vital for preserving both operational continuity and national stability.
Read more »
Subscribe to: Comments (Atom)