Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Orchid security
Audit Cyber Security IAM identity Online Authentication Orchid security

Orchid Security Launches Tool to Monitor Identity Behavior Across Business Applications

 



Modern organizations rely on a wide range of software systems to run daily operations. While identity and access management tools were originally designed to control users and directory services, much of today’s identity activity no longer sits inside those centralized platforms. Access decisions increasingly happen inside application code, application programming interfaces, service accounts, and custom login mechanisms. In many environments, credentials are stored within applications, permissions are enforced locally, and usage patterns evolve without formal review.

As a result, substantial portions of identity activity operate beyond the visibility of traditional identity, privileged access, and governance tools. This creates a persistent blind spot for security teams. The unseen portion of identity behavior represents risk that cannot be directly monitored or governed using configuration-based controls alone.

Conventional identity programs depend on predefined policies and system settings. These approaches work for centrally managed user accounts, but they do not adequately address custom-built software, legacy authentication processes, embedded secrets, non-human identities such as service accounts, or access routes that bypass identity providers. When these conditions exist, teams are often forced to reconstruct how access occurred after an incident or during an audit. This reactive process is labor-intensive and does not scale in complex enterprise environments.

Orchid Security positions its platform as a way to close this visibility gap through continuous identity observability across applications. The platform follows a four-part operational model designed to align with how security teams work in practice.

First, the platform identifies applications and examines how identity is implemented within them. Lightweight inspection techniques review authentication methods, authorization logic, and credential usage across both managed and unmanaged systems. This produces an inventory of applications, identity types, access flows, and embedded credentials, establishing a baseline of how identity functions in the environment.

Second, observed identity activity is evaluated in context. By linking identities, applications, and access paths, the platform highlights risks such as shared or hardcoded secrets, unused service accounts, privileged access that exists outside centralized controls, and differences between intended access design and real usage. This assessment is grounded in what is actually happening, not in what policies assume should happen.

Third, the platform supports remediation by integrating with existing identity and security processes. Teams can rank risks by potential impact, assign ownership to the appropriate control teams, and monitor progress as issues are addressed. The goal is coordination across current controls rather than replacement.

Finally, because discovery and analysis operate continuously, evidence for governance and compliance is available at all times. Current application inventories, records of identity usage, and documentation of control gaps and corrective actions are maintained on an ongoing basis. This shifts audits from periodic, manual exercises to a continuous readiness model.

As identity increasingly moves into application layers, sustained visibility into how access actually functions becomes essential for reducing unmanaged exposure, improving audit preparedness, and enabling decisions based on verified operational data rather than assumptions.

Read more »
Wi-Fi security tips
Firmware Updates home security cameras IoT hacking risks protect smart devices smart home security Technology Wi-Fi security tips

Smart Homes Under Threat: How to Reduce the Risk of IoT Device Hacking

 

Most households today use some form of internet of things (IoT) technology, whether it’s a smartphone, tablet, smart plugs, or a network of cameras and sensors. Learning that nearly 120,000 home security cameras were compromised in South Korea and misused for sexploitation footage is enough to make anyone reconsider adding connected devices to their living space. After all, the home is meant to be a private and secure environment.

Although all smart homes carry some level of risk, widespread hacking incidents are still relatively uncommon. Cybercriminals targeting smart homes tend to be opportunistic rather than strategic. Instead of focusing on a particular household and attempting to break into a specific system, they scan broadly for devices with weak or misconfigured security settings that can be exploited easily.

The most effective way to safeguard smart home devices is to avoid being an easy target. Unfortunately, many of the hacking cases reported in the media stem from basic security oversights that could have been prevented with simple precautions.

How to Protect Your Smart Home From Hackers

Using weak passwords, neglecting firmware updates, or leaving Wi-Fi networks exposed can increase the risk of unauthorized access—even if the overall threat level remains low. Below are key steps homeowners can take to strengthen smart home security.

1. Use strong and unique passwords
Hackers gaining access to baby monitors and speaking through two-way audio is often the result of unchanged default passwords. Weak or reused passwords are easy to guess, especially if they have appeared in previous data breaches. Each smart device and account should have a strong, unique password to make attacks more difficult and less appealing.

2. Enable two-factor or multi-factor authentication
Multi-factor authentication adds an extra layer of protection by requiring a second form of verification beyond a password. Even if login credentials are compromised, attackers would still need additional approval. Many major smart home platforms, including Amazon, Google, and Philips Hue, support this feature. While it may add a small inconvenience during login, the added security is well worth the effort.

3. Secure your Wi-Fi network
Wi-Fi security is often overlooked but plays a critical role in smart home protection. Using WPA2 or WPA3 encryption and changing the router’s default password are essential steps. Limiting who has access to your Wi-Fi network also helps. Creating separate networks—one for personal devices and another exclusively for IoT devices—can further reduce risk by isolating smart home hardware from sensitive data.

4. Keep device firmware updated
Manufacturers regularly release firmware updates to patch newly discovered vulnerabilities. Enabling automatic updates ensures devices receive these fixes promptly. Keeping firmware current is one of the simplest and most effective ways to close security gaps.

5. Disable unnecessary features
Features that aren’t actively used can create additional entry points for attackers. If remote access isn’t needed, disabling it can significantly reduce exposure—particularly for devices with cameras. It’s also advisable to turn off Universal Plug and Play (UPnP) on routers and decline unnecessary integrations or permissions that don’t serve a clear purpose.

6. Research brands before buying
Brand recognition alone doesn’t guarantee strong security. Even well-known companies such as Wyze, Eufy, and Google have faced security issues in the past. Before purchasing a smart device, it’s important to research the brand’s security practices, data protection policies, and real-world user experiences. If features like local-only storage are important, they should be verified through reviews, forums, and independent evaluations.

Smart homes offer convenience and efficiency, but they also demand responsibility. By following basic cybersecurity practices and making informed purchasing decisions, homeowners can significantly reduce risks and enjoy the benefits of connected living with greater peace of mind.
Read more »
malware
APT41 China cybersecurity Southeast Asia Cyberthreats malware

China-Linked Hackers Step Up Quiet Spying Across South-East Asia

Threat actors linked to China have been blamed for a new wave of cyber-espionage campaigns targeting government and law-enforcement agencies across South-East Asia during 2025, according several media reports. Researchers at Check Point Research said they are tracking a previously undocumented cluster, which they have named Amaranth-Dragon, that has targeted Cambodia, Thailand, Laos, Indonesia, Singapore and the Philippines. 

The activity shows technical and operational links to APT41, a well-known Chinese hacking ecosystem.  
“Many of the campaigns were timed to coincide with sensitive local political developments, official government decisions, or regional security events,” Check Point said. “By anchoring malicious activity in familiar, timely contexts, the attackers significantly increased the likelihood that targets would engage with the content.” 

The firm described the operations as tightly scoped and deliberately restrained, suggesting an effort to establish long-term access rather than cause disruption. Infrastructure was configured to communicate only with victims in specific countries, reducing the risk of discovery. 

A key technique involved exploiting CVE-2025-8088, a now-patched flaw in WinRAR that allows arbitrary code execution when a malicious archive is opened. Check Point said the group began exploiting the vulnerability within days of its public disclosure in August. “The speed and confidence with which this vulnerability was operationalised underscores the group’s technical maturity and preparedness,” the researchers said. 

Although the initial infection vector remains unclear, analysts believe spear-phishing emails were used to distribute malicious RAR files hosted on cloud services such as Dropbox. Once opened, the archive launches a loader using DLL side-loading, a tactic frequently associated with Chinese groups. The loader then retrieves an encryption key from one server, decrypts a payload from another location and executes it directly in memory. 

The final stage deploys Havoc, an open-source command-and-control framework. Earlier versions of the campaign relied on ZIP files containing Windows shortcuts and batch files, while a separate operation in Indonesia delivered a custom remote-access trojan known as TGAmaranth RAT. That malware used a hard-coded Telegram bot for command and control and supported functions such as taking screenshots, running shell commands and transferring files. 

Check Point said the command infrastructure was shielded by Cloudflare and restricted by geography, accepting traffic only from targeted countries. Compilation times and working patterns pointed to operators based in China’s time zone. 

“In addition, the development style closely mirrors established APT41 practices,” the company said, adding that overlaps in tools and techniques suggest shared resources within the ecosystem. The findings come as another Chinese group, Mustang Panda, was linked to a separate espionage campaign uncovered by Dream Research Labs. The operation, dubbed PlugX Diplomacy, targeted officials involved in diplomacy, elections and international coordination between December 2025 and mid-January 2026.  

“Rather than exploiting software vulnerabilities, the operation relied on impersonation and trust,” Dream said. 

Victims were lured into opening files disguised as diplomatic or policy documents, which triggered infection automatically. The files installed a modified version of PlugX, a long-used Chinese espionage tool, through a multi-step process involving Windows shortcuts, PowerShell scripts and DLL search-order hijacking using a legitimate signed executable. A decoy document was shown to victims while the malware quietly embedded itself in the system. 

“The correlation between actual diplomatic events and the timing of detected lures suggests that analogous campaigns are likely to persist as geopolitical developments unfold,” Dream concluded.
Read more »
Technology
AI Apple Data Google Internet Microsoft Techno Technology

Experts Find Malicious Browser Extensions, Chrome, Safari, and Edge Affected


Threat actors exploit extensions

Cybersecurity experts found 17 extensions for Chrome, Edge, and Firefox browsers which track user's internet activity and install backdoors for access. The extensions were downloaded over 840,000 times. 

The campaign is not new. LayerX claimed that the campaign is part of GhostPoster, another campaign first found by Koi Security last year in December. Last year, researchers discovered 17 different extensions that were downloaded over 50,000 times and showed the same monitoring behaviour and deploying backdoors. 

Few extensions from the new batch were uploaded in 2020, exposing users to malware for years. The extensions appeared in places like the Edge store and later expanded to Firefox and Chrome. 

Few extensions stored malicious JavaScript code in the PNG logo. The code is a kind of instruction on downloading the main payload from a remote server. 

The main payload does multiple things. It can hijack affiliate links on famous e-commerce websites to steal money from content creators and influencers. “The malware watches for visits to major e-commerce platforms. When you click an affiliate link on Taobao or JD.com, the extension intercepts it. The original affiliate, whoever was supposed to earn a commission from your purchase, gets nothing. The malware operators get paid instead,” said Koi researchers. 

After that, it deploys Google Analytics tracking into every page that people open, and removes security headers from HTTP responses. 

In the end, it escapes CAPTCHA via three different ways, and deploy invisible iframes that do ad frauds, click frauds, and tracking. These iframes disappear after 15 seconds.

Besides this, all extensions were deleted from the repositories, but users shoul also remove them personally. 

This staged execution flow demonstrates a clear evolution toward longer dormancy, modularity, and resilience against both static and behavioral detection mechanisms,” said LayerX. 

The PNG steganography technique is employed by some. Some people download JavaScript directly and include it into each page you visit. Others employ bespoke ciphers to encode the C&C domains and use concealed eval() calls. The same assailant. identical servers. many methods of delivery. This appears to be testing several strategies to see which one gets the most installs, avoids detection the longest, and makes the most money.

This campaign reflects a deliberate shift toward patience and precision. By embedding malicious code in images, delaying execution, and rotating delivery techniques across identical infrastructure, the attackers test which methods evade detection longest. The strategy favors longevity and profit over speed, exposing how browser ecosystems remain vulnerable to quietly persistent threats.

Read more »
Liquidity Pool
Cyber Security Finance Sector Financial Loss Flash Loan Flash Loan Attack Illicit Trade Liquidity Pool

Makina Finance Loses $4M in ETH After Flash Loan Price Manipulation Exploit

 

One moment it was operating normally - then suddenly, price feeds went haywire. About 1,299 ETH vanished during what looked like routine activity. That sum now exceeds four million dollars in value. The trigger? A flash loan attack targeting Makina Finance, built on Ethereum. Not a hack of code - but an economic twist inside the system. Security teams such as PeckShield traced moves across the DUSD–DUSDC liquidity pool. Borrowed funds flooded in, shifting valuations without breaking access rules. Prices bent under pressure from artificial trades. Afterward, profits drained off-chain. What stayed behind were distorted reserves and puzzled users. No stolen keys. No failed signatures. Just manipulation riding allowed functions too far. 

The exploit started, researchers say, with a $280 million flash loan taken in USDC. Of that amount, roughly $170 million went toward distorting data from the MachineShareOracle, which sets values for the targeted liquidity pool. With prices artificially raised, trades worth around $110 million passed through the system - leaving over 1,000 ETH missing afterward. What happened fits a known pattern: manipulating value via temporary shifts in market depth. Since Makina's setup depended on immediate price points, sudden influxes of borrowed funds were enough to warp them. Inserting capital, pushing valuations up, then pulling assets out while gains lasted exposed a flaw built into how prices are calculated.  

Even though the exploit worked, the hacker did not receive most of the stolen money. A different actor, an MEV builder, stepped in ahead during the draining transaction and took nearly all the ETH pulled out. According to PeckShield, this twist could make getting back the assets more likely. Yet, there has been no public word from Makina on whether they have reached out to - or even found - the MEV searcher responsible. 

After reviewing what happened, Makina explained the vulnerability only touched its DUSD–DUSDC Curve pool, leaving everything else untouched. Security measures kicked in across all Machines - its smart vault network - as checks continue into how deep the effects go. To stay safe, users putting liquidity in that specific pool got a heads-up to pull out whatever they had left. More details will come once the team learns more through their ongoing review. 

Not long ago, flash loan attacks started showing up more often in DeFi. By October, the Bunni exchange closed for good following one such incident - $8.4 million vanished fast. Its team said restarting safely would mean spending too much on checks and oversight. Just weeks before, another hit struck Shibarium, a layer-two system. That breach pulled out $2.4 million in value almost instantly. 

Even so, wider trends hint at slow progress. Chainalysis notes that losses tied to DeFi stayed modest in 2025, though value held in decentralized systems climbed back near earlier peaks. Despite lingering dangers from flash loans, safeguards within the space seem to be growing more resilient over time.
Read more »
Technology
AI Scanner Business Security LLM Microsoft Technology

Microsoft Unveils Backdoor Scanner for Open-Weight AI Models

 

Microsoft has introduced a new lightweight scanner designed to detect hidden backdoors in open‑weight large language models (LLMs), aiming to boost trust in artificial intelligence systems. The tool, built by the company’s AI Security team, focuses on subtle behavioral patterns inside models to reliably flag tampering without generating many false outcomes. By targeting how specific trigger inputs change a model’s internal operations, Microsoft hopes to offer security teams a practical way to vet AI models before deployment.

The scanner is meant to address a growing problem in AI security: model poisoning and backdoored models that act as “sleeper agents.” In such attacks, threat actors manipulate model weights or training data so the model behaves normally in most scenarios, but switches to malicious or unexpected behavior when it encounters a carefully crafted trigger phrase or pattern. Because these triggers are narrowly defined, the backdoor often evades normal testing and quality checks, making detection difficult. Microsoft notes that both the model’s parameters and its surrounding code can be tampered with, but this tool focuses primarily on backdoors embedded directly into the model’s weights.

To detect these covert modifications, Microsoft’s scanner looks for three practical signals that indicate a poisoned model. First, when given a trigger prompt, compromised models tend to show a distinctive “double triangle” attention pattern, focusing heavily on the trigger itself and sharply reducing the randomness of their output. Second, backdoored LLMs often leak fragments of their own poisoning data, including trigger phrases, through memorization rather than generalization. Third, a single hidden backdoor may respond not just to one exact phrase, but to multiple “fuzzy” variations of that trigger, which the scanner can surface during analysis.

The detection workflow starts by extracting memorized content from the model, then analyzing that content to isolate suspicious substrings that could represent hidden triggers. Microsoft formalizes the three identified signals as loss functions, scores each candidate substring, and returns a ranked list of likely trigger phrases that might activate a backdoor. A key advantage is that the scanner does not require retraining the model or prior knowledge of the specific backdoor behavior, and it can operate across common GPT‑style architectures at scale. This makes it suitable for organizations evaluating open‑weight models obtained from third parties or public repositories.

However, the company stresses that the scanner is not a complete solution to all backdoor risks. It requires direct access to model files, so it cannot be used on proprietary, fully hosted models. It is also optimized for trigger‑based backdoors that produce deterministic outputs, meaning more subtle or probabilistic attacks may still evade detection. Microsoft positions the tool as an important step toward deployable backdoor detection and calls for broader collaboration across the AI security community to refine defenses. In parallel, the firm is expanding its Secure Development Lifecycle to address AI‑specific threats like prompt injection and data poisoning, acknowledging that modern AI systems introduce many new entry points for malicious inputs.
Read more »
XSS Mitigation
Cloud Security Cross-Site Scripting CVE-2026-1591 Enterprise Document Security Foxit eSign Foxit PDF Editor Cloud PDF Security Risks Vulnerabilities and Exploits Web Application Security XSS Mitigation

Foxit Publishes Security Patches for PDF Editor Cloud XSS Bugs


 

In response to findings that exposed weaknesses in the way user-supplied data was processed within interactive components, Foxit Software has issued a set of security fixes intended to address newly identified cross-site scripting vulnerabilities. 

Due to the flaws in Foxit PDF Editor Cloud and Foxit eSign, maliciously crafted input could be rendered in an unsafe manner in the user's browser, potentially allowing arbitrary JavaScript execution during authenticated sessions. 

The fundamental problem was an inconsistency in input validation and output encoding in some UI elements (most notably file attachment metadata and layer naming logic), which enabled attacker-controlled payloads to persist and be triggered during routine user interactions. 

Among these issues, the most important one, CVE-2026-1591, affected the File Attachments list and Layers panel of Foxit PDF Editor Cloud, thus emphasizing the importance of rigorously enforcing client-side trust boundaries in order to prevent the use of seemingly low-risk document features as attack vectors. 

These findings were supported by Foxit's confirmation that the identified weaknesses were related to a specific way in which certain client-side components handled untrusted input within a cloud environment. Affected functionality allowed for the processing of user-controlled values — specifically file attachment names and PDF layer identifiers — without sufficient validation or encoding prior to rendering in the browser. 

By injecting carefully constructed payloads into the application's HTML context, carefully constructed payloads could be executed upon the interaction between an authenticated user and the affected interface components. In response to these security deficiencies, Foxit published its latest security updates, which it described as routine security and stability enhancements that require no remediation other than ensuring deployments are up to date. 

The advisory also identifies two vulnerabilities, tracked as CVE-2026-1591 and CVE-2026-1592, which are both classified under CWE-79 for cross-site scripting vulnerabilities. Each vulnerability has a CVSS v3.0 score of 6.3 and is rated Moderate in severity according to the advisory. 

Foxit PDF Editor Cloud is impacted by CVE-2026-1591, which has a significant impact on its File Attachments and Layers panels due to insufficient input validation and improper output encoding which can allow arbitrary JavaScript execution from the browser. 

The vulnerability CVE-2026-1592 poses a comparable risk through similar paths to data handling. Both vulnerabilities were identified and responsibly disclosed by Novee, a security researcher. However, the potential consequences of exploitation are not trivial, even if user interaction is required. In order to inject a script into a trusted browser context, an attacker would have to persuade a logged-in user to open or interact with a specially crafted attachment or altered layer configuration. 

By executing this script, an attacker can hijack a session, obtain unauthorized access to sensitive document data, or redirect the user to an attacker-controlled resource. As a result, the client-side trust assumptions made by document collaboration platforms pose a broader risk, particularly where dynamic document metadata is not rigorously sanitized. 

During the disclosure period, the source material did not enumerate specific CVE identifiers for each individual flaw, apart from those referenced in the advisory. The vulnerability involved in cross-site scripting has been extensively documented across a wide array of web-based applications and is routinely cataloged in public vulnerability databases such as MITRE's CVE repository.

XSS vulnerabilities in unrelated platforms, such as those described in CVE-2023-38545 and CVE-2023-38546, underscore the broader mechanics and effects of this attack category. This type of example is not directly related to Foxit products, but nevertheless is useful for gaining an understanding of how similar weaknesses may be exploited when web-rendered interfaces mishandle user-controlled data. 


Technically, Foxit PDF Editor Cloud is exploitable via the way it ingests, stores, and renders user-supplied metadata within interactive components like the File Attachments list and Layers dialog box. If input is not rigorously validated, an attacker may embed executable content (such as script tags or event handlers) into attachment filenames or layer names embedded within a PDF file without rigorous input validation. 

Upon presenting these values to the browser without appropriate output encoding, the application unintentionally enables the browser to interpret the injected content as active HTML or JavaScript as opposed to inert text. As soon as the malicious script has been rendered, it is executed within the security context of the authenticated user's session. 

The attacker can exploit the execution environment to gain access to session tokens and other sensitive browser information, manipulate the on-screen content, or redirect the user to unauthorized websites. Foxit cloud environments can be compromised with scripts that can perform unauthorized actions on behalf of users in more advanced scenarios. 

It is important to note that the risk is heightened by the low interaction threshold required to trigger exploitation, since simply opening or viewing a specially crafted document may trigger an injected payload, emphasizing the importance of robust client-side sanitization in cloud-based document platforms. 

These flaws are especially apparent in enterprise settings where Foxit PDF Editor Cloud is frequently integrated into day-to-day collaboration workflows. In such environments, employees exchange and modify documents sourced from customers, partners, and public repositories frequently, thereby increasing the risk that maliciously crafted PDFs could enter the ecosystem undetected. 

As part of its efforts to mitigate this broader risk, Foxit also publicly revealed and resolved a related cross-site scripting vulnerability in Foxit eSign, tracked as CVE-2025-66523, which was attributed to improper handling of URL parameters in specially constructed links. 

By enabling users to access these links with authenticated access, the untrusted input could be introduced into JavaScript code paths and HTML attributes without sufficient encoding, which could result in privilege escalation or cross-domain data exposure. A fix for this problem was released on January 15, 2026. 

Foxit confirmed that all identified vulnerabilities, including CVE-2026-1591, CVE-2026-1592, and CVE-2025-66523, have been fully addressed thanks to updates that strengthen both input validation and output encoding across all affected components. As a result of Foxit PDF Editor Cloud's automated updates or standard update mechanisms, customers are not required to perform any additional configuration changes. 

However, organizations are urged to verify that all instances are running the latest version of the application and remain alert for indicators such as unexpected JavaScript execution, anomalous editor behavior, or irregular entries in application logs which may indicate an attempt at exploitation.

Based on aggregate analysis, these issues are the result of a consistent breakdown in the platform's handling of user-controlled metadata during rendering of the File Attachments list and Layers panel. Insufficient validation controls allow attackers to introduce executable content through seemingly benign fields, such as attachment filenames or layer identifiers, through which malicious content may be introduced. This content, since it is not properly encoded, is interpreted by the browser as active code rather than plain text due to the lack of proper output encoding.

The injected JavaScript executes within the context of an authenticated session when triggered, resulting in a variety of outcomes, including data disclosure, interface manipulation, forced navigation, and unauthorised actions under the user's privilege. In addition to the low interaction threshold, the operational risks posed by these flaws are also highlighted by their limited access. 

While Foxit's remediation efforts address the immediate technical deficiencies, effective risk management extends beyond patch deployment alone. Organizations must ensure that all cloud-based instances are operating on current versions by applying updates promptly. 

In addition to these safeguards, other measures can be taken to minimize residual exposure, such as restricting document collaboration to trusted environments, enforcing browser content security policies, and monitoring application behavior for abnormal script execution.

Additional safeguards, such as web application firewalls and intrusion detection systems, are available at the perimeter of the network to prevent known injection patterns from reaching end users. Together with user education targeted at handling unsolicited documents and suspicious links, these measures can mitigate the broader threat posed by client-side injection vulnerabilities in collaborative documents.
Read more »
Rhysida
California Databreach Exposed Patient Records Healthcare Privacy ransomware attacks Rhysida

Tribal Health Clinics in California Report Patient Data Exposure

 


Patients receiving care at several tribal healthcare clinics in California have been warned that a cyber incident led to the exposure of both personal identification details and private medical information. The clinics are operated by a regional health organization that runs multiple facilities across the Sierra Foothills and primarily serves American Indian communities in that area.

A ransomware group known as Rhysida has publicly claimed responsibility for a cyberattack that took place in November 2025 and affected the MACT Health Board. The organization manages several clinics in the Sierra Foothills region of California that provide healthcare services to Indigenous populations living in nearby communities.

In January, the MACT Health Board informed an unspecified number of patients that their information had been involved in a data breach. The organization stated that the compromised data included several categories of sensitive personal information. This exposed data may include patients’ full names and government-issued Social Security numbers. In addition to identity information, highly confidential medical details were affected. These medical records can include information about treating doctors, medical diagnoses, insurance coverage details, prescribed medications, laboratory and diagnostic test results, stored medical images, and documentation related to ongoing care and treatment.

The cyber incident caused operational disruptions across MACT clinic systems starting on November 20, 2025. During this period, essential digital services became unavailable, including phone communication systems, platforms used to process prescription requests, and scheduling tools used to manage patient appointments. Telephone services were brought back online by December 1. However, as of January 22, some specialized imaging-related services were still not functioning normally, indicating that certain technical systems had not yet fully recovered.

Rhysida later added the MACT Health Board to its online data leak platform and demanded payment in cryptocurrency. The amount requested was eight units of digital currency, which was valued at approximately six hundred sixty-two thousand dollars at the time the demand was reported. To support its claim of responsibility, the group released sample files online, stating that the materials were taken from MACT’s systems. The files shared publicly reportedly included scans of passports and other internal documents.

The MACT Health Board has not confirmed that Rhysida’s claims are accurate. There is also no independent verification that the files published by the group genuinely originated from MACT’s internal systems. At this time, it remains unclear how many individuals received breach notifications, what method was used by the attackers to access MACT’s network, or whether any ransom payment was made. The organization declined to provide further information when questioned.

In its written notification to affected individuals, MACT stated that it experienced an incident that disrupted its information technology operations. The organization reported that an internal investigation found that unauthorized access occurred to certain files stored on its systems during a defined time window between November 12 and November 20, 2025.

The health organization is offering eligible individuals complimentary identity monitoring services. These services are intended to help patients detect possible misuse of personal or financial information following the exposure of sensitive records.

Rhysida is a cybercriminal group that first became active in public reporting in May 2023. The group deploys ransomware designed to both extract sensitive data from victim organizations and prevent access to internal systems by encrypting files. After carrying out an attack, the group demands payment in exchange for deleting stolen data and providing decryption tools that allow victims to regain access to locked systems. Rhysida operates under a ransomware-as-a-service model, in which external partners pay to use its malware and technical infrastructure to carry out attacks and collect ransom payments.

The group has claimed responsibility for more than one hundred confirmed ransomware incidents, along with additional claims that have not been publicly acknowledged by affected organizations. On average, the group’s ransom demands amount to several hundred thousand dollars per incident.

A significant portion of Rhysida’s confirmed attacks have targeted hospitals, clinics, and other healthcare providers. These healthcare-related incidents have resulted in the exposure of millions of sensitive records. Past cases linked to the group include attacks on healthcare organizations in multiple U.S. states, with ransom demands ranging from over one million dollars to several million dollars. In at least one case, the group claimed to have sold stolen data after a breach.

Researchers tracking cybersecurity incidents have recorded more than one hundred confirmed ransomware attacks on hospitals, clinics, and other healthcare providers across the United States in 2025 alone. These attacks collectively led to the exposure of nearly nine million patient records. In a separate incident reported during the same week, another healthcare organization confirmed a 2025 breach that was claimed by a different ransomware group, which demanded a six-figure ransom payment.

Ransomware attacks against healthcare organizations often involve both data theft and system disruption. Such incidents can disable critical medical systems, interfere with patient care, and create risks to patient safety and privacy. When hospitals and clinics lose access to digital systems, staff may be forced to rely on manual processes, delay or cancel appointments, and redirect patients to other facilities until systems are restored. These disruptions can increase operational strain and place patients and healthcare workers at heightened risk.

The MACT Health Board is named after the five California counties it serves: Mariposa, Amador, Alpine, Calaveras, and Tuolumne. The organization operates approximately a dozen healthcare facilities that primarily serve American Indian communities in the region. These clinics provide a range of services, including general medical care, dental treatment, behavioral health support, vision and eye care, and chiropractic services.


Read more »
Zero Trust Security
authentication failure authorization systems cloud outages cloud resilience Cyber Security Identity Security Zero Trust Security

Why Cloud Outages Turn Identity Systems into a Critical Business Risk

 

Recent large-scale cloud outages have become increasingly visible. Incidents involving major providers like AWS, Azure, and Cloudflare have disrupted vast portions of the internet, knocking critical websites and services offline. Because so many digital platforms are interconnected, these failures often cascade, stopping applications and workflows that organizations depend on daily.

For everyday users, the impact usually feels like a temporary annoyance—difficulty ordering food, streaming shows, or accessing online tools. For enterprises, the consequences are far more damaging. If an airline’s reservation platform goes down, every minute of downtime can mean lost bookings, revenue leakage, reputational harm, and operational chaos.

These events make it clear that cloud failures go well beyond compute and networking issues. One of the most vulnerable—and business-critical—areas affected is identity. When authentication or authorization systems fail, the problem is no longer simple downtime; it becomes a fundamental operational and security crisis.

Cloud Infrastructure as a Shared Failure Point

Cloud providers are not identity platforms themselves, but modern identity architectures rely heavily on cloud-hosted infrastructure and shared services. Even if an identity provider remains technically operational, disruptions elsewhere in the stack can break identity flows entirely.
  • Organizations commonly depend on the cloud for essential identity components such as:
  • Databases storing directory and user attribute information
  • Policy and authorization data stores
  • Load balancers, control planes, and DNS services
Because these elements are shared, a failure in any one of them can completely block authentication or authorization—even when the identity service appears healthy. This creates a concealed single point of failure that many teams only become aware of during an outage.

Identity as the Universal Gatekeeper

Authentication and authorization are not limited to login screens. They continuously control access for users, applications, APIs, and services. Modern Zero Trust architectures are built on the principle of “never trust, always verify,” and that verification is entirely dependent on identity system availability.

This applies equally to people and machines. Applications authenticate repeatedly, APIs validate every request, and services constantly request tokens to communicate with each other. When identity systems are unavailable, entire digital ecosystems grind to a halt.

As a result, identity-related outages pose a direct threat to business continuity. They warrant the highest level of incident response, supported by proactive monitoring across all dependent systems. Treating identity downtime as a secondary technical issue significantly underestimates its business impact.

Modern authentication goes far beyond checking a username and password—or even a passkey, as passwordless adoption grows. A single login attempt often initiates a sophisticated chain of backend operations.

Typically, identity systems must:
  • Retrieve user attributes from directories or databases
  • Maintain session state
  • Generate access tokens with specific scopes, claims, and attributes
  • Enforce fine-grained authorization through policy engines
Authorization decisions may occur both when tokens are issued and later, when APIs are accessed. In many architectures, APIs must also authenticate themselves before calling downstream services.

Each step relies on underlying infrastructure components such as datastores, policy engines, token services, and external integrations. If any part of this chain fails, access can be completely blocked—impacting users, applications, and critical business processes.

Why High Availability Alone Falls Short

High availability is essential, but on its own it is often insufficient for identity systems. Traditional designs usually rely on regional redundancy, with a primary deployment backed up by a secondary region. When one region fails, traffic shifts to the other.

This strategy offers limited protection when outages affect shared or global services. If multiple regions depend on the same control plane, DNS service, or managed database, a regional failover does little to improve resilience. In such cases, both primary and backup systems can fail simultaneously.

The result is an identity architecture that looks robust in theory but collapses during widespread cloud or platform-level disruptions.

True resilience requires intentional design. For identity systems, this may involve reducing reliance on a single provider or failure domain through multi-cloud deployments or carefully managed on-premises options that remain reachable during cloud degradation.

Planning for partial failure is equally important. Completely denying access during outages causes maximum business disruption. Allowing constrained access—using cached attributes, precomputed authorization decisions, or limited functionality—can significantly reduce operational and reputational damage.

Not all identity data demands identical availability guarantees. Some attributes or authorization sources may tolerate lower resilience, as long as those decisions are made deliberately and aligned with business risk.

Ultimately, identity platforms must be built to fail gracefully. Infrastructure outages are unavoidable; access control should degrade in a controlled, predictable manner rather than collapse entirely.
Read more »
Ransomware
AI Black Basta Black Basta Ransomware Cloud Cyber Crime Data Ransomware

Federal Agencies Worldwide Hunt for Black Basta Ransomware Leader


International operation to catch Ransomware leader 

International law enforcement agencies have increased their search for individuals linked to the Black Basta ransomware campaign. Agencies confirmed that the suspected leader of the Russia-based Ransomware-as-a-service (RaaS) group has been put in the EU’s and Interpol’s Most Wanted list and Red Notice respectively. German and Ukrainian officials have found two more suspects working from Ukraine. 

As per the notice, German Federal Criminal Police (BKA) and Ukrainian National Police collaborated to find members of a global hacking group linked with Russia. 

About the operation 

The agencies found two Ukrainians who had specific roles in the criminal structure of Black Basta Ransomware. Officials named the gang’s alleged organizer as Oleg Evgenievich Nefedov from Russia. He is wanted internationally. German law enforcement agencies are after him because of “extortion in an especially serious case, formation and leadership of a criminal organization, and other criminal offenses.”

According to German prosecutors, Nefedov was the ringleader and primary decision-maker of the group that created and oversaw the Black Basta ransomware. under several aliases, such as tramp, tr, AA, Kurva, Washingt0n, and S.Jimmi. He is thought to have created and established the malware known as Black Basta. 

The Ukrainian National Police described how the German BKA collaborated with domestic cyber police officers and investigators from the Main Investigative Department, guided by the Office of the Prosecutor General's Cyber Department, to interfere with the group's operations.

The suspects

Two individuals operating in Ukraine were found to be carrying out technical tasks necessary for ransomware attacks as part of the international investigation. Investigators claim that these people were experts at creating ransomware campaigns and breaking into secured systems. They used specialized software to extract passwords from business computer systems, operating as so-called "hash crackers." 

Following the acquisition of employee credentials, the suspects allegedly increased their control over corporate environments, raised the privileges of hacked accounts, and gained unauthorized access to internal company networks.

Authorities claimed that after gaining access, malware intended to encrypt files was installed, sensitive data was stolen, and vital systems were compromised. The suspects' homes in the Ivano-Frankivsk and Lviv regions were searched with permission from the court. Digital storage devices and cryptocurrency assets were among the evidence of illicit activity that police confiscated during these operations.

Read more »
Technology
AI AI Assistant Artificial Intelligence Threats DockerDash Technology

Researchers Disclose Patched Flaw in Docker AI Assistant that Enabled Code Execution


Researchers have disclosed details of a previously fixed security flaw in Ask Gordon, an artificial intelligence assistant integrated into Docker Desktop and the Docker command-line interface, that could have been exploited to execute code and steal sensitive data. The vulnerability, dubbed DockerDash by cybersecurity firm Noma Labs, was patched by Docker in November 2025 with the release of version 4.50.0. 

“In DockerDash, a single malicious metadata label in a Docker image can be used to compromise your Docker environment through a simple three-stage attack,” said Sasi Levi, security research lead at Noma Labs, in a report shared with The Hacker News. “Every stage happens with zero validation, taking advantage of current agents and MCP Gateway architecture.” 

According to the researchers, the flaw allowed Ask Gordon to treat unverified container metadata as executable instructions. When combined with Docker’s Model Context Protocol gateway, this behavior could lead to remote code execution on cloud and command-line systems, or data exfiltration on desktop installations. 

The issue stems from what Noma described as a breakdown in contextual trust. Ask Gordon reads metadata from Docker images, including LABEL fields, without distinguishing between descriptive information and embedded instructions. These instructions can then be forwarded to the MCP Gateway, which executes them using trusted tools without additional checks. “MCP Gateway cannot distinguish between informational metadata and a pre-authorized, runnable internal instruction,” Levi said. 

“By embedding malicious instructions in these metadata fields, an attacker can hijack the AI’s reasoning process.” In a hypothetical attack, a malicious actor could publish a Docker image containing weaponized metadata labels. When a user queries Ask Gordon about the image, the assistant parses the labels, forwards them to the MCP Gateway, and triggers tool execution with the user’s Docker privileges.  
Researchers said the same weakness could be used for data exfiltration on Docker Desktop, allowing attackers to gather details about installed tools, container configurations, mounted directories, and network setups, despite the assistant’s read-only permissions. Docker version 4.50.0 also addressed a separate prompt injection flaw previously identified by Pillar Security, which could have enabled attackers to manipulate Docker Hub metadata to extract sensitive information. 

“The DockerDash vulnerability underscores the need to treat AI supply chain risk as a current core threat,” Levi said. “Trusted input sources can be used to hide malicious payloads that manipulate an AI’s execution path.”
Read more »
Malware attacks
Cyber Attacks CyberSecurity Ransomware Attacks Finance Sector financial attack malicious PDF files Malware attacks

PDFSider Malware Used in Fortune 100 Finance Ransomware Attack

 

A Fortune 100 finance company was targeted by ransomware actors using a new Windows malware strain called PDFSider, built to quietly deliver malicious code during intrusions. Rather than relying on brute force, the attackers used social engineering, posing as IT support staff and convincing employees to launch Microsoft Quick Assist, enabling remote access. Resecurity researchers identified the malware during incident response, describing it as a stealth backdoor engineered to avoid detection while maintaining long-term control, with traits typically associated with advanced, high-skill intrusion activity. 

Resecurity previously told BleepingComputer that PDFSider had appeared in attacks connected to Qilin ransomware, but researchers emphasize it is not limited to a single group. Their threat hunting indicates the backdoor is now actively used by multiple ransomware operators as a delivery mechanism for follow-on payloads, suggesting it is spreading across criminal ecosystems rather than remaining a niche tool. 

The infection chain begins with spearphishing emails containing a ZIP archive. Inside is a legitimate, digitally signed executable for PDF24 Creator, developed by Miron Geek Software GmbH, paired with a malicious DLL named cryptbase.dll. Since the application expects that DLL, it loads the attacker’s version instead. This technique, known as DLL side-loading, allows the malicious code to execute under the cover of a trusted program, helping it evade security controls that focus on the signed executable rather than the substituted library.  
In some cases, attackers increase the likelihood of execution using decoy documents crafted to appear relevant to targets. One example involved a file claiming authorship from a Chinese government entity. Once launched, the malicious DLL inherits the same privileges as the legitimate executable that loaded it, increasing the attacker’s ability to operate within the system. 

Resecurity notes that while the EXE remains validly signed, attackers exploited weaknesses in the PDF24 software to load the malware and bypass EDR tools more effectively. The firm also warns that AI-assisted coding is making it easier for cybercriminals to identify and exploit vulnerable software at scale. After execution, PDFSider runs primarily in memory to reduce disk traces, using anonymous pipes to issue commands through CMD. 

Each infected device is assigned a unique identifier, system details are collected, and the data is exfiltrated to an attacker-controlled VPS through DNS traffic on port 53. For command-and-control security, PDFSider uses Botan 3.0.0 and encrypts communications with AES-256-GCM, decrypting inbound data only in memory to limit its footprint. It also applies AEAD authentication in GCM mode, a cryptographic approach commonly seen in stealthy remote shell backdoors designed for targeted operations. 

The malware includes anti-analysis checks such as RAM size validation and debugger detection, terminating early when it suspects sandboxing. Based on its behavior and design, Resecurity assesses PDFSider as closer to espionage-grade tradecraft than typical financially motivated ransomware tooling, built to quietly preserve covert access, execute remote commands flexibly, and keep communications protected.
Read more »
Windows DoS
Iconics SCADA Mitsubishi Electric OT security Vulnerabilities and Exploits Windows DoS

Iconics SCADA Flaw Enables Privileged File Abuse and Windows DoS

 

A newly disclosed flaw in Mitsubishi Electric’s Iconics Suite SCADA platform, tracked as CVE-2025-0921, exposes critical industrial environments to denial-of-service attacks by abusing privileged file system operations in Windows-based engineering workstations. Rated with a CVSS score of 6.5, the vulnerability affects GENESIS64 deployments on Microsoft Windows versions 10.97.2 and earlier and could be combined with other weaknesses to corrupt essential system binaries and halt operations.

Researchers from Unit 42 discovered CVE-2025-0921 during an assessment of Iconics Suite, following an earlier set of five vulnerabilities they reported in versions 10.97.3 and below that enabled privilege escalation and system disruption. The latest bug resides in the way multiple Iconics services perform file system operations with elevated privileges, creating an opportunity for attackers with local, non‑admin access to direct these operations toward sensitive files. In industrial sectors such as automotive, energy and manufacturing, where Iconics SCADA is used to monitor and control processes, such misuse could severely impact system integrity and availability.

The core issue is a privileged file system operations vulnerability centered on the Pager Agent component of AlarmWorX64 MMX, which handles custom alerting via SMS and other pager protocols. Administrators configure SMS alerts using the PagerCfg.exe utility, including the path for an SMSLogFile where every SMS operation is logged. Under normal circumstances, the configuration file storing this path, IcoSetup64.ini in C:\ProgramData\ICONICS, should not be writable by standard users; however, when the legacy GenBroker32 component is installed, a previously documented flaw, CVE-2024-7587, grants any user full read-write access to this directory.

Unit 42 showed how an attacker could chain CVE-2025-0921 with CVE-2024-7587 to achieve a reliable denial-of-service condition on Windows. A local attacker first inspects IcoSetup64.ini to learn the SMSLogFile path, then creates a symbolic link from that log file to a critical binary, such as the cng.sys driver used by Microsoft’s Cryptography API: Next Generation. When an administrator later sends a test SMS or an alert fires automatically, the Pager Agent writes log data through the symbolic link into C:\Windows\System32\cng.sys, corrupting the driver so that the operating system fails to boot and becomes stuck in repair mode on reboot.

Even without the GenBroker32 installer misconfiguration, the researchers warn that CVE-2025-0921 remains dangerous if an attacker can make the log file path writable through other errors, alternative bugs or social engineering that changes permissions. They stress that privileged file system behaviors in OT environments are often underestimated, despite their potential to cause total system outages. Mitsubishi Electric has released an advisory and workarounds that address this and the previously reported issues, while Palo Alto Networks recommends hardening OT engineering workstations, segmenting SCADA systems with next-generation firewalls and leveraging OT security tools to detect and limit exploitation attempts.
Read more »
Zero Trust Identity
Cyber Security Cybersecurity Risk Management Enterprise Identity Management IAM Security Identity Control Plane Identity Dark Matter Identity First Security Identity Observability Zero Trust Identity

Orchid Security Debuts Continuous Identity Observability Platform


 

Over the past two decades, organizations have steadily expanded their identity security portfolios, layering IAM, IGA, and PAM to deploy access control at scale. However, identity-driven breaches continue to grow in both frequency and impact despite this sustained investment.

It has been argued that the failure of this system is not the result of weak policy design or inadequate standards, but rather of the widening gap between how the identity system is governed on paper and how access actually works in reality. 

Currently, enterprise environments contain a large number of unmanaged identity artifacts, including local system accounts, legacy authentication mechanisms, orphaned service principals, embedded API keys, and application-specific entitlements, that are inaccessible to centralized controls or cannot be accessed. 

These factors constitute Identity Dark Matter, an attack surface that adversaries increasingly exploit to bypass SSO, sidestep MFA, move laterally across systems, and escalate privileges without triggering conventional identity alerts. As a result of this work, Identity Dark Matter is not merely viewed as a risk category, but as a structural defect in existing identity architectures as a whole.

The new identity control plane proposes a method of reconciling intended access policies with effective, real-world authorization by correlating runtime telemetry with contextual identity signals and automating remediation across managed and unmanaged identities. 

Amidst this shift toward identity-centered security models, Orchid Security has been formally recognized as a Cool Vendor by Gartner in its 2025 report on Cool Vendors in Identity-First Security, highlighting its growing significance in redefining enterprise identity infrastructure.

Orchid has been recognized as one of a select group of vendors that address real-time security exposure and threat mitigation in increasingly perimeterless environments while maintaining compatibility with existing IAM infrastructures. As cloud adoption and API-driven architectures increase, network-bound security models become obsolete, elevating identity as the primary control plane for modern security architectures, according to Gartner's analysis.

Orchid is positioned as an innovative identity infrastructure provider by utilizing artificial intelligence and machine learning analytics to continuously correlate identity data, identify coverage gaps that are often overlooked during traditional IAM deployments and onboardings, and provide comprehensive observability across the application ecosystems. 

Moreover, Gartner reports that Orchid's emphasis on orchestration and fabric-level visibility enables enterprises to enhance their security posture while simultaneously supporting automated operations, positioning the platform as a unique solution capable of ensuring identity risk compliance across diverse and evolving enterprise environments with precision, scalability, and compliance. 

The traditional identity platforms are mainly designed around static configuration data and predefined policy models, which allows them to be implemented in a very limited number of domains, however their effectiveness is usually limited to well-governed, human-centric identities. 

When applied to the realities of modern enterprise environments, where custom applications are being developed, legacy authentication mechanisms are being used, credentials are embedded, non-human identity is still prevalent, and access paths do not bypass centralized identity providers, these approaches fall short. In consequence, security teams are often forced to conduct reactive analysis, reconstructing identity behavior retrospectively during audits or investigations conducted as a result of these incidents. 

It is inherently unsustainable at scale, as it relies on inference instead of continuous visibility into the utilization of identities within applications and services. To address this structural gap, Orchid Security has developed an identity observability model that aligns with the real-world security operations environment. A four-stage platform consists of four stages: discovery, analysis, orchestration, and auditing. 

The platform begins by identifying how identities are used inside applications in a direct manner, followed by an audit. With Orchid's lightweight instrumentation, we examine both managed and unmanaged environments at a high level in regards to authentication methods, authorization logic and credential handling. The goal of this process is to produce a comprehensive, runtime-driven inventory of applications, services, identity types, authentication flows, and embedded credentials that enables us to create an accurate baseline of identity activity. 

By correlating identities, applications, and access paths, Orchid analyzes identity behavior in context, identifying material risk indicators such as shared or hardcoded credentials, orphaned service accounts, privileged access outside the realm of Identity and Access Controls, as well as drift between desired policy and effective access. 


Identity-centric defense has evolved in alignment with Gartner's assessment that the accelerated adoption of digital transformation, cloud computing, remote work, API-driven architectures, and API-driven architectures have fundamentally undermined perimeter-based security, requiring the adoption of identity-first security as an integral part of enterprise protection.

With the advent of artificial intelligence and large language models within this emerging paradigm for identity and access management, a more dynamic and context-aware approach is now possible, capable of identifying systemic blind spots, latent exposure, and misconfigurations that are normally missed by static, rule-based systems. This technology enables stronger security outcomes while reducing operational friction through automation by continuously analyzing identity flows and enforcing policy according to real-time context. 

The orchestration-centric identity infrastructure offered by Orchid Security reflects this shift by extending beyond traditional IAM limitations associated with manual application onboarding and partial visibility of managed systems that have already been deployed. 

By enabling continuous evaluation of identity behavior, contextual gap analysis, and risk-based remediation enforced through automated orchestration, the platform provides a more comprehensive approach to identity governance than static roles and fragmented insights. In addition to providing consistent governance across distributed environments, Orchid aligns identity operations with business objectives as well as security objectives by embedding observability and intelligence directly into the identity fabric. 


Through continuous discovery, analysis and evaluation of enterprise applications at runtime, the platform supports evidence-driven prioritization by analyzing authentication and authorization paths and comparing them to regulatory requirements and established cybersecurity frameworks. 

In addition to augmenting native controls, the remediation process is simplified by integrating with existing Identity and Access Management systems, often without requiring custom development. It is through this approach that Orchid assists organizations in addressing the increasing presence of unmanaged identity exposure, commonly known as identity dark matter. 

In addition to reducing systemic risk, improving compliance posture, and reducing operational overhead, Orchid has already deployed its platform across Fortune 500 and Global 2000 enterprises, supporting Orchid's role in operationalizing identity-first security. It has been proven that adopting Orchid's platform yields measurable improvements in governance and accountability, in addition to incremental security improvements. 

By providing a detailed understanding of application-level identity usage, the platform reduces exposure caused by unmanaged access paths and helps security teams prepare for audits in a more timely and confident manner. The identification risk is no longer inferred or distributed between fragmented tools, but rather clearly attributed and supported by verifiable, runtime-derived evidence. 

In complex enterprise environments, it is imperative for organizations to shift from assumption-driven decision-making to evidence-based control, reinforcing the core objective of identity-first security. Increasingly, identity is fragmenting beyond traditional control points and centralized directories, making continuous, application-aware governance increasingly important. 

Providing persistent identity observability across modern application ecosystems, Orchid Security addresses this challenge by enabling organizations to discover identity usage, assess risk in context, coordinate remediation, and maintain audit-ready evidence through continuous, application-aware governance. 

There is no doubt that the operating model reflects the actual ways in which contemporary enterprise environments function, where access is dynamic, distributed, and deeply embedded within the logic of the applications. As a result of his leadership's experience in both advanced AI research and large-scale security engineering, the company has designed its identity infrastructure using practical knowledge from companies like Google DeepMind and Square, who are now part of Block. 

The rapid adoption of artificial intelligence throughout enterprise and adversarial domains has also raised the stakes for identity security, as threat actors increasingly automate reconnaissance, exploitation, and lateral movements. An Identity Control Plane, Orchid offers its platform as a means to converge managed and unmanaged identities into an authoritative view derived directly from application developers. 

The benefits of this approach include not only strengthening enterprise security postures, but also creating new opportunities for global systems integrators and managed service providers. As a result, they are able to provide additional value-added services such as continuous application security assessment, identity governance, audit readiness, incident response, and identity risk management. 

Using Orchid, organizations can accelerate the onboarding of applications, prioritize remediation according to observed risk, and monitor compliance continuously, thereby enabling the development of a new level of identity governance that minimizes organizational risk, lowers operating costs, and allows for consistent control of both human and machine identities in increasingly AI-driven organizations.
Read more »
Spear Phishing
Cyber Crime Emails financial systems Korea ngos Spear Phishing

Why Emails Pretending to Be from NGOs and Banks Are Becoming More Dangerous



A new cyber threat campaign has been identified in South Korea in which attackers pretended to represent human rights groups and financial institutions to trick people into opening harmful files. The findings were published on January 19 by United Press International, citing research from South Korean cybersecurity firm Genians.

According to Genians, the attackers sent deceptive emails that appeared to come from legitimate North Korea-focused human rights organizations and South Korean financial entities. These messages were designed to persuade recipients to click links or open attachments that secretly installed malware on their devices. Malware refers to harmful software that can spy on users, steal information, or allow attackers to control infected systems.

The campaign has been named “Operation Poseidon” by researchers and has been linked to a hacking cluster known as Konni. Security analysts have associated Konni with long-running advanced persistent threat operations. Advanced persistent threats, often called APTs, are prolonged cyber operations that focus on maintaining covert access rather than causing immediate disruption. Genians reported that Konni shares technical infrastructure and target profiles with other North Korea-linked groups, including Kimsuky and APT37. These groups have previously been connected to cyber espionage, surveillance, and influence efforts directed at South Korean government bodies, researchers, and civil society organizations.

The emails used in this operation did not contain direct malicious links. Instead, the attackers hid harmful destinations behind legitimate online advertising and click-tracking services that are commonly used by businesses to measure user engagement. By routing victims through trusted services, the links were more likely to pass email security filters. Genians found that the redirections relied on Google Ads URLs and poorly secured WordPress websites. The final destinations hosted malware files that were often disguised as ordinary PDF documents or financial notices, increasing the likelihood that users would open them.

Security professionals note that campaigns of this nature are difficult to defend against because they combine technical methods with psychological manipulation. Genians assessed that the characteristics of Operation Poseidon reflect a high level of planning and sophistication, making it hard for any single security tool to stop such attacks on its own.

The findings come amid growing international concern over North Korea’s cyber operations. In October, the 11-country Multilateral Sanctions Monitoring Team described North Korea’s cyber program as a state-level effort with capabilities approaching those of China and Russia. The group reported that nearly all malicious cyber activity linked to the Democratic People’s Republic of Korea is conducted under the direction of entities sanctioned by the United Nations for involvement in weapons programs. In November, the United States Treasury Department estimated that more than 3 billion dollars had been stolen over the past three years through attacks on financial systems and cryptocurrency platforms.

Genians advised individuals and organizations to treat unsolicited emails with caution. The firm warned that attackers are likely to continue impersonating financial institutions and urged users not to trust documents based only on subject lines or file names.

Read more »
Windows security update
Kerberos authentication Microsoft NTLM deprecation NTLM authentication NTLM phase-out Technology Windows security update

Microsoft Outlines Three-Stage Plan to Disable NTLM and Strengthen Windows Security

 

Microsoft has detailed a structured, three-phase roadmap to gradually retire New Technology LAN Manager (NTLM), reinforcing its broader push toward more secure, Kerberos-based authentication within Windows environments.

The announcement follows Microsoft’s earlier decision to deprecate NTLM, a legacy authentication mechanism that has long been criticized for its security shortcomings. Officially deprecated in June 2024, NTLM no longer receives updates, as its design leaves systems vulnerable to relay attacks and unauthorized access.

"NTLM consists of security protocols originally designed to provide authentication, integrity, and confidentiality to users," Mariam Gewida, Technical Program Manager II at Microsoft, explained. "However, as security threats have evolved, so have our standards to meet modern security expectations. Today, NTLM is susceptible to various attacks, including replay and man-in-the-middle attacks, due to its use of weak cryptography."

Despite its deprecated status, Microsoft acknowledged that NTLM remains widely used across enterprise networks. This is largely due to legacy applications, infrastructure constraints, and deeply embedded authentication logic that make migration difficult. Continued reliance on NTLM increases exposure to threats such as replay, relay, and pass-the-hash attacks.

To address these risks without disrupting critical systems, Microsoft has introduced a phased strategy aimed at eventually disabling NTLM by default.

Phase 1 focuses on improving visibility and administrative control by expanding NTLM auditing capabilities. This helps organizations identify where NTLM is still in use and why. This phase is already available.

Phase 2 aims to reduce migration barriers by introducing tools such as IAKerb and a local Key Distribution Center (KDC), while also updating core Windows components to favor Kerberos authentication. These changes are expected to roll out in the second half of 2026.

Phase 3 will see NTLM disabled by default in the next release of Windows Server and corresponding Windows client versions. Organizations will need to explicitly re-enable NTLM using new policy controls if required.

Microsoft described the move as a key milestone toward a passwordless and phishing-resistant ecosystem. The company urged organizations that still depend on NTLM to audit usage, identify dependencies, transition to Kerberos, test NTLM-disabled configurations in non-production environments, and enable Kerberos enhancements.

"Disabling NTLM by default does not mean completely removing NTLM from Windows yet," Gewida said. "Instead, it means that Windows will be delivered in a secure-by-default state where network NTLM authentication is blocked and no longer used automatically."

"The OS will prefer modern, more secure Kerberos-based alternatives. At the same time, common legacy scenarios will be addressed through new upcoming capabilities such as Local KDC and IAKerb (pre-release)."


Read more »
malware
active exploitation Bug Exploit CrossCurve EYWA malware

CrossCurve Bridge Hit by $3 Million Exploit after Smart Contract Flaw


CrossCurve, a cross-chain bridge formerly known as EYWA, has suffered a major cyberattack after hackers exploited a vulnerability in its smart contract infrastructure, draining about $3 million across multiple blockchain networks. The CrossCurve team confirmed the incident on Sunday, saying its bridge infrastructure was under active attack and urging users to immediately stop interacting with the protocol. “Our bridge is currently under attack, involving the exploitation of a vulnerability in one of the smart contracts used,” CrossCurve said in a post on X. 

“Please pause all interactions with CrossCurve while the investigation is ongoing.” Blockchain security account Defimon Alerts said the exploit stemmed from a gateway validation bypass in CrossCurve’s ReceiverAxelar contract. According to the analysis, the contract was missing a critical validation check, allowing attackers to call the expressExecute function using spoofed cross-chain messages. 

By abusing this flaw, the attackers were able to bypass the intended gateway validation logic and trigger unauthorized token unlocks on the PortalV2 contract, resulting in the loss of funds. The exploit affected CrossCurve deployments across several blockchain networks. 

Data from Arkham Intelligence, shared by Defimon Alerts, shows that the PortalV2 contract balance fell from roughly $3 million to nearly zero around Jan. 31. Transaction records indicate the attack unfolded across multiple chains rather than a single network. 

CrossCurve operates a cross-chain decentralized exchange and liquidity protocol built in partnership with Curve Finance. The system relies on what it describes as a Consensus Bridge, which routes transactions through multiple validation layers, including Axelar, LayerZero, and the EYWA Oracle Network. In its documentation, CrossCurve had described this architecture as a security advantage, stating that “the probability of several crosschain protocols getting hacked at the same time is near zero.” 

The incident, however, showed that a single smart contract flaw can still compromise a broader system. The project has backing from prominent figures in decentralized finance. Michael Egorov invested in the protocol in September 2023, and CrossCurve later said it had raised $7 million from venture capital firms. Following the exploit, Curve Finance warned users with exposure to EYWA-related pools to reassess their positions. 

“Users who have allocated votes to Eywa-related pools may wish to review their positions and consider removing those votes,” Curve Finance said on X. 

Security researchers said the attack echoes earlier bridge exploits, drawing comparisons to the 2022 Nomad bridge hack, in which about $190 million was drained after attackers discovered a faulty validation mechanism.
Read more »
Subscribe to: Comments (Atom)