Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Healthcare
affected patients Breach Cyber Breach Cyber Security Healthcare

Healthcare Cyber Breach Raises Concerns After 33,000 Patients Affected

 


Initially perceived as a supply-chain disruption within the UK healthcare ecosystem, the ransomware attack has now revealed an even more severe and long-lasting impact on patient privacy. A cybercriminal attack on pathology services provider Synnovis two years ago has caused Bedfordshire Hospitals NHS Foundation Trust to confirm that sensitive data related to over 33,000 individuals has been stolen and published. 

The exposed records come from administrative pathology files associated with laboratory and diagnostic testing conducted between 2011 and 2020, and may contain personal information and clinical test results. 

 Despite the fact that ransomware incidents have long been associated with operational disruption, they present long-term data protection challenges for healthcare organizations. Moreover, attacks on critical third-party suppliers supporting essential NHS services pose cascading risks. Following the June 2024 ransomware incident, Synnovis and relevant healthcare organizations conducted an extensive forensic review to determine the extent of the exposure. 

Bedfordshire Hospitals Foundation Trust informed the affected individuals after receiving confirmation that data associated with approximately 32,927 patients had been identified in material exfiltrated by the attackers and distributed on dark web sites. According to the trust, delayed disclosure was primarily driven by the complexity of the investigation rather than a newly discovered breach. This compromised dataset consisted of fragmented administrative records dispersed across several sources, as opposed to conventional datasets stored in structured repositories. For the contents and organizational ownership of these files to be determined, more than a year of specialist analysis was required. 

According to the review, historical pathology-related information spanning nearly a decade predating November 2020 may have been exposed, including patient names, dates of birth, NHS and patient identification numbers, postcodes, and diagnostic test results. Researchers find it difficult to assess cyber incidents involving unstructured healthcare data due to the difficulty of accurately mapping stolen information before the full impact can be understood on affected individuals. After notifications had been sent to the affected individuals, the focus shifted from forensic reconstruction to risk mitigation. 

Bedfordshire Hospitals Foundation Trust urged patients to remain vigilant for suspicious communications, advising them not to respond to unexpected requests for personal information, to avoid opening attachments or links from sources that are unfamiliar, and to be cautious when receiving unsolicited phone calls, emails, or text messages that reference healthcare information. 

It is acknowledged that disclosures of such information may cause concern, however the trust emphasised that the compromise was a result of an external pathology supplier's systems rather than its own network infrastructure, reiterating that it is committed to supplier oversight and data protection governance. However, cybersecurity professionals have expressed criticism regarding the delay of the disclosure. 

It has been argued by Saif Abed, founding partner of the AbedGraham Group, that a two-year gap between the incident and patient notification raises serious questions regarding the accountability of all organizations involved in the attack. Furthermore, he challenged suggestions that the fragmented nature of the stolen records significantly reduces risk. In his view, modern threat actors are equipped to aggregate, analyse, and correlate disparate datasets with greater ease. 

In Abed's opinion, once healthcare data enters criminal ecosystems, they are more likely to be misused than when the original breach occurred. This leaves affected individuals with limited recourse and raises concerns as to whether systemic lessons from the Synnovis incident have been adequately addressed. Several of his concerns are echoed by those he expressed last year for a formal public inquiry into the ransomware attack, as they relate to broader concerns regarding third-party cyber risk, breach transparency, and the resilience of critical healthcare supply chains. Despite the restoration of disrupted systems and the fading of headlines, the consequences of cyberattacks often persist. 

It is critical for healthcare organizations to maintain cyber resilience in the face of complex networks of third-party providers as visibility into supply chain security, timely breach assessment, and transparent communication remain critical. As a result of the case, patients need to remain vigilant against phishing attempts and identity-based fraud, while healthcare leaders need to reinforce the importance of continuously monitoring external partners whose information is sensitive. 

This incident demonstrates that maintaining patient trust throughout the healthcare ecosystem involves much more than simply adhering to technical requirements.
Read more »
Minecraft
Cyber Attacks data security Data Stealer Discord user data leak Malicious Apps Malware attacks Minecraft

WeedHack Malware Infects Over 116,000 Minecraft Players Through Fake Mods and Cheats

 

Early this year, a large-scale digital attack named WeedHack began spreading, tricking more than 116,000 Minecraft players worldwide. Instead of harmless add-ons, what seemed like useful mods carried hidden malicious software. Often, victims found these files through deceptive video guides or altered web searches promising better performance. Behind the scenes, once installed, the malware quietly pulled usernames, passwords, and crypto wallets from infected devices. 

Though warnings have been issued, experts confirm the operation is still active - expanding its reach steadily. Over 116,000 devices now show signs of intrusion by WeedHack, according to McAfee. Daily infection rates climb between two thousand and three thousand fresh cases. The United States, Germany, India, and the United Kingdom account for most affected users. Analysis revealed a network built on over 240 harmful web links. Close to 3,820 distinct JAR files were tied directly to distribution efforts. 

YouTube dominates how users encounter these threats, alongside skewed search outcomes. Hidden inside video descriptions or comment sections, harmful links promote counterfeit Minecraft modifications. Appearances deceive - some productions include polished narration and real-looking game scenes. Their legitimacy grows when large audiences watch, boosting visibility for players seeking add-ons. Not stopping there, attackers also twist how search results appear. 

When someone looks up reliable software such as Meteor Client or Radium Client, fraudulent pages rise to the front. Because real modifications often live solely on GitHub without proper web addresses, fraudsters take advantage of that emptiness. Looking nearly identical to authentic sources, these imitation platforms blur the line between secure and risky picks. 

Surprisingly, McAfee spotted a harmful website showing alerts about counterfeit Skytils downloads - yet it also included links to authentic GitHub and Discord sources. Even though the layout seemed reliable, visitors were handed corrupted files without their knowledge. Users ended up running malicious software, misled by the site’s convincing appearance. Unlike most infostealers, WeedHack runs in plain sight - offering its tools via a malware-for-hire model. 

Its visible control panel allows access to compromised systems. Data taken from victims appears there, clear and sorted. From that interface, new harmful setup files can be built, targeting Minecraft builds numbered 1.21.0 up to 1.21.10. Stolen details include Minecraft session tokens, saved browser passwords, and active cookies. Access extends to Discord, Steam, Telegram logins without consent. 

Cryptocurrency wallets get targeted too - data pulled silently. Screenshots captured behind the user's back round out basic features. Priced at five dollars monthly or twenty-five once, enhanced tools unlock next. Remote desktop viewing arrives with payment. Webcam operation follows closely after. Keystrokes recorded continuously come included. Control over a victim’s command line appears in paid tier. Managing files remotely completes the package. 

Over eight hundred members are part of WeedHack’s Telegram community, studies indicate. Though some seem underage, a number act through its online interface to target others or access personal data. Most security specialists suggest grabbing mods solely from verified platforms, checking URLs thoroughly - while skipping any JARs sitting on shady domains. When it comes to add-ons with fewer dangers, Minecraft’s built-in marketplace tends to be the safest path available.
Read more »
Technology
AI Claude Crypto Data Malware Attack Technology

Hackers Exploit Fake Claude Code Installers and Install Malware


Developers looking into Claude Code deployment instructions could be lured into an advanced malware campaign that hides itself as a genuine AI tooling documentation. 

Fake Claude code exploit

Experts found a few fake Claude Code and developer platform websites built to steal credentials, cryptocurrency, and API keys.

According to Straiker researchers, “the attack chain runs on the same unchecked trust that makes AI developer tools so easy to adopt.  “You copy a command. You paste it in your terminal. By then, it’s already too late,” said Straiker researchers in their analysis of the campaign. 

Highlights of the fake Claude code campaign 

1. Experts found over 88 fake domains mimicking Claude Code and other developer sites. The campaign utilises SEO infection and Google ads to deploy malicious install web pages over genuine documentation.

2. Threat actors hide infected commands within genuine installation commands, without impacting the deployment process.

3. The malware particularly attacks AI-based assets such as cloud development credentials, API keys, and verification tokens.

About the credential theft campaign 

The campaign attacked users of famous AI and developer tools, such as Claude Code, JetBrains, Perplexity Comet, and Cline. 

As per the experts, the operation depends on over 88 domains hosted throughout genuine platforms and constantly shuffles infrastructure, letting malicious sites to immediately resurface after shutdowns. To trap targets, threat actors use redirect chains, SEO poisoning and paid Google ads that place scammed installations over genuine documentation in search results.

These websites closely impersonate genuine vendor resources and demonstrate installation commands that look genuine but include hidden separators, such as “&,” that launch malicious actions along with the expected software deployment.

In various incidents, the genuine command still runs effectively, helping hide the hack.

Delivery of malware and launch tactics

Experts found various delivery techniques, such as rundll32.exe loading infected DLLs, Base64-encoded commands, mshta.exe abuse, JavaScript-based payloads, and GitHub-hosted scripts. 

By such techniques, hackers improve their potential to escape convention detection tools. Contrary to infostealers, the campaign pick on AI assets like authentication tokens, API Key, and cloud development credentials from tools such as Continue[.]dev, Cline. 

After execution, the malware uses a multi-level malicious chain that features encoded C2 communications, anti-analysis capabilities, fileless execution tactics, and credential theft functions.

Experts found the primary payload as ACRStealer, a malware family that steals information and has developed to include sophisticated encryption and escape tactics. Experts also identified a cryptocurrency clipboard hacker that rediverts transactions by replacing copied wallet addresses.

Read more »
Password Vault
Brute-force attack Cyber Attacks Dashlane Data Leak Password Vault

Hackers Steal Encrypted Password Vaults in Dashlane Attack

 

Dashlane’s June 2026 breach is a reminder that even password managers can become targets when attackers focus on account access rather than the encrypted vault itself. In this case, hackers used brute-force attacks against Dashlane’s two-factor authentication flow, gained access to a small number of customer accounts, and downloaded encrypted password vaults. 

According to Dashlane’s disclosure, the attackers targeted the device-registration process, which lets a new phone or computer be added to an account after verification. Dashlane said the campaign affected about 20 customer accounts and resulted in at least a dozen encrypted vaults being copied, while the company’s own infrastructure was not compromised. 

The good news is that the stolen vaults are still encrypted and cannot be opened without each user’s master password. Dashlane’s zero-knowledge design means it does not store master passwords in plaintext, so the immediate risk depends heavily on how strong and unique the user’s master password is. That said, the incident still matters because an encrypted vault can be dangerous if the master password is weak, reused, or already exposed elsewhere. Security researchers also noted the broader lesson: once attackers have a copy of the vault, they can attempt offline cracking without triggering more defenses on the service side. 

For users, the safest response is to change the master password to a long, unique passphrase, review recently registered devices, and reset any sensitive accounts stored in the vault, starting with email, banking, and identity services. It is also wise to use phishing-resistant 2FA such as a hardware security key where possible, and watch for suspicious password-reset emails for the next few weeks.
Read more »
rapid7
Cyber Crime Digital Fraud Extortion FBI FTSE IABs ransomware rapid7

Ransomware Revenues Climb as Criminal Networks Expand and Adapt like unwanted vines

 




Ransomware operators continue to generate substantial profits, with new research from Rapid7 indicating that several cybercrime groups are recording revenue growth that outpaces many publicly traded businesses.

According to the cybersecurity firm's analysis, ransomware groups collectively received an estimated $529.2 million during the first quarter of 2026. That figure represents a 39% increase compared with the same period a year earlier. Rapid7 noted that none of the companies within the FTSE 350 index reported year-over-year revenue growth exceeding 30% during that quarter, placing ransomware operators among the fastest-growing entities examined in the study.

Several well-established ransomware operations appear to be benefiting from this trend. Rapid7 estimates that the Qilin ransomware group generated approximately $193 million between July 2025 and March 2026. During the same period, the Gentleman group is estimated to have collected roughly $52 million in ransom payments.

Rapid7 researchers argue that modern ransomware operations bear little resemblance to the stereotype of small groups of hackers working independently. Instead, many function through interconnected networks of specialists who focus on specific stages of an attack. Some actors gain access to victim networks, others develop malware, while separate teams handle extortion demands and payment negotiations.

A major factor behind this growth is the emergence of Initial Access Brokers, or IABs. These actors specialize in obtaining access to corporate networks and then selling that access to other criminals. As a result, launching a ransomware attack no longer requires extensive technical expertise. Access to compromised systems, attack tools, and even managed cybercrime services can now be purchased through underground marketplaces.

Researchers say this division of labor has created a more structured criminal economy. Different groups contribute individual services, allowing ransomware campaigns to operate through networks that resemble commercial supply chains rather than isolated criminal crews.

The study also highlights the resilience of these operations. Infrastructure used by ransomware groups, including servers, data leak platforms, and victim negotiation portals, can often be restored quickly after disruptions. Law enforcement agencies, meanwhile, frequently require lengthy investigations and international coordination before conducting enforcement actions. This difference in speed allows many criminal networks to continue operating even when portions of their infrastructure are removed.

Rapid7 CTO EMEA Thom Langford said ransomware groups have demonstrated an ability to continue generating revenue despite disruptions because their operations are designed to function even when individual components are taken offline. In many cases, the removal of a single server or criminal group does not significantly affect the broader ecosystem supporting ransomware activity.

The findings come amid continued financial losses linked to cybercrime. According to the FBI's Internet Crime Complaint Center, organizations and individuals reported more than $16 billion in cybercrime losses during 2024, reflecting the growing economic impact of digital fraud, extortion, and network intrusions.

To reduce ransomware risk, Rapid7 recommends that organizations continuously review their exposed systems and identify weaknesses that could provide attackers with an entry point. Particular attention should be given to misconfigured services, overlooked assets, and internet-facing systems, which are frequently targeted by Initial Access Brokers seeking access to corporate environments.

The company also advises security teams to make greater use of threat intelligence to understand how attackers operate, including the infrastructure, tools, and access methods commonly used during intrusions. Researchers further recommend strengthening identity security through tighter access controls, least-privilege policies, and monitoring for signs that employee credentials have been stolen, resold, or abused.

According to Rapid7, disrupting ransomware attacks before attackers establish access remains one of the most effective defensive strategies. By identifying weaknesses early and restricting opportunities for credential theft, organizations may be able to prevent ransomware incidents before they progress to the extortion stage.

Read more »
Technology for Data Protection
AI Surveillance Amazon Ring Biometric Data Collection biometric privacy Consumer Privacy Rights Facial Recognition Privacy Smart Doorbell Security Technology for Data Protection

Amazon Faces Lawsuit Over Ring Facial Recognition Practices


 

Face recognition capabilities are increasingly integrated into consumer surveillance platforms, prompting increased legal scrutiny over Amazon's Ring division's handling of biometric information. Newly filed lawsuits allege that Ring's optional "Familiar Faces" feature captures, processes, and stores facial images without obtaining consent from each individual who may have their likeness recorded. 

Privacy compliance, biometric data governance, and the legal boundaries of AI-driven identification technologies are raised as a result of this lawsuit. In the complaint, which has been filed by a Virginia resident seeking class-action status and substantial damages, one of the most widely used smart doorbell ecosystems is placed at the center of a escalating debate concerning how companies balance convenience with security and data protection. 

Charles Sigwalt, who initiated the proposed class-action lawsuit in Seattle, is at the center of the legal challenge. As part of Ring's "Familiar Faces" technology, individuals within the range of compatible doorbell cameras are scanned and classified through artificial intelligence using artificial intelligence. Sigwalt claims that the feature generates and retains an unique template of the individual's face that may be used in future encounters to identify the same individual. 

Whereas Sigwalt received no notice that his biometric information was being captured or processed during his visits to friends and relatives who used Ring devices, he claims this process occurred while he was visiting those homes. Furthermore, the lawsuit alleges that the company continues to retain such data, as well as asserting that the individuals recorded by the system did not provide consent to such collection. 

Although Amazon did not respond to the allegations, this case highlights the technical operation of Ring's "Familiar Faces" feature that was introduced in September 2025 as an optional tool to enhance visitor notifications. 

By replacing generic alerts with personalized ones, this system enables cameras to recognize recurring visitors over time and send notifications based on their names instead of the usual motion or presence alerts. However Ring claims that the feature can be enabled or disabled by the user at any time, the lawsuit raises broader questions regarding how consent mechanisms adequately address biometric data of individuals who do not own the device, but may still be subjected to facial recognition analysis despite not being device owners. 

Additionally, the complaint asserts that the collection of facial recognition data extends beyond Ring device owners and may negatively affect individuals who walk through cameras monitored entryways without their knowledge or consent. 

In the filing, it is stated that millions of people may have been able to capture their facial images by simply appearing within the viewing area of Ring-equipped properties, raising questions regarding the extent of biometric data collection in residential surveillance settings. Amazon declined to comment on the litigation, however the case adds to a growing list of privacy challenges for Ring since Amazon acquired the smart security company for $1 billion in 2018. 

Ring also faced criticism months ago over its neighborhood camera network feature, which was promoted during the Super Bowl to help users locate missing pets. There has been some controversy surrounding this initiative, since privacy advocates and some users have warned that the expansion of interconnected camera coverage could result in a broader surveillance of public spaces and residential communities than the initiative's stated objective. 

Both controversies emphasize the increased scrutiny that has been focused on the deployment of networked surveillance and the handling of biometric information on a large scale by regulators and the public. Increasingly, consumer security products are providing features such as biometric recognition and artificial intelligence-driven surveillance. 

The legal challenge filed against Ring demonstrates the growing tension between the advancement of technology and the protection of individual privacy. In this case, the outcome could affect the development of facial recognition systems, biometric data management, and the process by which organizations obtain meaningful consent from individuals who are likely to be captured by connected devices. 

As intelligent surveillance technologies continue to evolve, transparency, data governance, and privacy-by-design principles remain essential safeguards for consumers and corporations alike.
Read more »
residential proxy network
Botnet attack Cyber Security DDOS Attacks Dutch Police malware infection residential proxy network

Dutch Authorities Dismantle Massive Botnet Network Linked to 17 Million Compromised Devices

 

Dutch authorities have shut down what is believed to be one of the largest botnet operations ever uncovered, disrupting a cybercrime network that compromised more than 17 million internet-connected devices globally. The affected devices reportedly included computers, smartphones, tablets, security cameras, and other connected hardware that were unknowingly used to facilitate large-scale cyberattacks.

According to Dutch investigators, approximately 200 servers located in the Netherlands were seized as part of the operation. These servers allegedly formed the backbone of a sophisticated botnet infrastructure that transformed infected devices into components of a residential proxy network.

A botnet is a collection of compromised devices that cybercriminals can remotely control after infecting them with malware. Such networks are commonly used to launch Distributed Denial of Service (DDoS) attacks, distribute phishing campaigns, send spam, commit fraud, and conceal the origins of malicious online activities.

Dutch media outlet NL Times reported that cybercriminals targeted devices with weak security protections, converting them into nodes within a residential proxy service. Once infected, the devices were used to redirect internet traffic and allegedly help "launch large-scale cyberattacks" without the owners' knowledge. Authorities confirmed that the network has now been taken offline.

The investigation began after a cybersecurity researcher working with the National Cyber Security Centre (NCSC) identified suspicious activity linked to the botnet. The NCSC, which operates under the Netherlands' Ministry of Justice and Security, subsequently partnered with Dutch law enforcement agencies to investigate the case. Their efforts led to the identification and seizure of the servers supporting the operation.

While authorities have not disclosed the exact method used to infect more than 17 million devices, cybersecurity experts note that botnets are commonly spread through malicious applications, software vulnerabilities, phishing campaigns, and brute-force attacks.

The dismantled network has reportedly been linked by NL Times to Asocks, a residential proxy service that has previously faced scrutiny over alleged connections to botnet-related activities. However, Dutch police have not officially confirmed any association.

In 2024, cybersecurity company HUMAN reported that a botnet known as Proxylib had infected nearly 190,000 devices and integrated them into Asocks' proxy network. Researchers connected that operation to a discontinued VPN service and at least 28 Android applications.

Residential proxy services route internet traffic through the IP addresses of ordinary users, making online activity appear to originate from legitimate residential locations. While such services can have lawful uses, including bypassing geographic restrictions, experts warn that they are increasingly being exploited by cybercriminals.

Following the takedown, the NCSC updated its guidance on residential proxy networks and highlighted the risks they pose. In an updated statement, the agency said the enforcement action "demonstrates" how residential proxies pose "a threat to national and international cybersecurity."

The agency further warned that the technique is "being deployed more and more frequently in digital attacks," enabling activities such as DDoS attacks, phishing campaigns, credential theft, brute-force attacks, malware distribution, and SMS pumping.

The operation reflects a broader international effort to combat cybercrime infrastructure. In March, authorities from Germany, Canada, and the United States coordinated actions against two major botnets known as "Aisuru" and "Kimwolf," which were allegedly responsible for large-scale DDoS attacks. U.S. authorities reported that those networks had compromised more than three million devices.

Earlier this year, Google disrupted the IPIDEA proxy network, whose development kits were reportedly used by the Kimwolf botnet. Separately, the Netherlands' Fiscal Information and Investigation Service (FIOD) seized more than 800 servers connected to an illegal hosting platform allegedly used for botnet and malware-related activities.

Cybersecurity experts continue to advise users to strengthen their digital defenses by creating strong passwords, regularly updating software, monitoring network activity, enabling WPA2 or WPA3 Wi-Fi security protocols, and avoiding downloads from unverified sources. Users are also encouraged to carefully review application permissions and terms of service to ensure their devices are not unknowingly enrolled in proxy networks. Traditional antivirus protection remains an important layer of defense against evolving cyber threats.

Read more »
leadership
CEO accountability cyberattack responsibility cybersecurity breaches Data Breach leadership

Debate Intensifies Over CEO Accountability in Cybersecurity Breaches

 

A growing debate is emerging around whether chief executives should be held directly accountable when companies suffer cyberattacks. Some experts argue that CEOs must face severe consequences, including automatic dismissal after a major breach, while others warn that such a policy could create dangerous incentives and worsen crisis management.

One viewpoint insists that cybersecurity failures are ultimately leadership failures. Security executives, according to this argument, often act as “bullet fodder” despite lacking control over budgets, risk appetite, or enforcement across business units. They can identify risks and recommend action, but final decisions rest with company leadership.

“CEOs should absolutely be held accountable for a cyberattack. In fact, I would go even further: when there’s a breach, defined as a system being compromised or data being stolen, the CEO should be automatically fired as a result.”

Supporters of stricter accountability say catastrophic breaches can damage customers, employees, supply chains, and the broader business ecosystem. When leadership underfunds security or ignores warnings, they argue, that is a deliberate business choice. They compare major cyber incidents to executive negligence in other corporate functions and suggest boards should establish predefined thresholds for breaches that automatically trigger CEO removal.

Another key point in this camp is incentives. Cyber resilience and risk reduction, advocates say, should be tied directly to executive compensation and employee bonuses so that cybersecurity becomes a company-wide priority rather than a secondary concern.

“When failure carries no personal cost for leadership, accountability shifts downward. Personal accountability at CEO level restores seriousness to cyber risk and aligns decision-making with real-world consequences for all stakeholders.”

However, critics argue that making CEOs personally liable for every breach could backfire. Cyberattacks vary widely in method and speed, and breaches can spread through networks within minutes. During the immediate aftermath, companies need rapid containment and transparent communication with affected parties.

Opponents warn that harsh personal penalties could encourage executives to conceal incidents or delay disclosure out of fear for their own careers. They also point out that cybercriminals might exploit this pressure by attempting to extort CEOs personally in exchange for silence about an attack.

“The focus should be on identifying and penalising the perpetrators, not the victims.”

The recent cyberattack on Marks & Spencer has added fuel to the discussion. The incident disrupted the retailer’s online operations for 46 days, and the company’s annual report revealed that CEO Stuart Machin took a 40% reduction in pay after the bonus scheme was scrapped because of the attack.
Read more »
sophos
Artificial Intelligence Claude malware MITRE ATT&CK ransomware sophos

AI-Assisted Malware Lab Found Testing Ways to Evade Security Tools, Sophos Reports

 



Researchers at cybersecurity firm Sophos have uncovered a malware development framework that uses artificial intelligence tools to speed up the creation and testing of ransomware-related software designed to avoid detection by security products.

The investigation began after Sophos analysts discovered suspicious files on a customer system. What initially appeared to be a collection of penetration-testing tools soon revealed signs of criminal activity, including references to ransom notes and organizations listed on ransomware leak sites.

According to Sophos, the framework combines traditional attack tools with AI-assisted development workflows. Researchers found evidence that the operators used coding assistants such as Cursor and Claude Opus during different stages of development, including writing code, reviewing results, refining payloads, and researching techniques that could help malware evade security controls.

One of the framework's primary goals was to bypass Endpoint Detection and Response (EDR) platforms. These security products are designed to identify malicious activity on computers and servers, often detecting attacks that traditional antivirus software might miss.

The toolkit contained several components intended to reduce the chances of detection. Among them were customized Cobalt Strike profiles that made malicious network traffic resemble ordinary web browsing activity, communication channels that routed commands through Telegram, and malware development scripts capable of injecting malicious code into legitimate Windows applications while allowing those programs to continue functioning normally.

Researchers also identified the use of a Cloudflare Worker that acted as an intermediary between infected systems and attacker-controlled infrastructure. This setup can make it more difficult for defenders to identify the true location of command-and-control servers.

A particularly notable feature of the framework was an automated Active Directory discovery system. Active Directory is widely used in enterprise networks to manage users, computers, permissions, and other resources. Because it contains valuable information about an organization's internal structure, attackers frequently attempt to map Active Directory environments after gaining access to a network.

Sophos found that the discovery process relied on a series of AI-assisted agents that gathered information, assessed results, selected follow-up actions, and continued the investigation of the network. Rather than requiring a human operator to manually perform every step, parts of the reconnaissance process could be carried out through predefined automated workflows.

The framework itself appeared to operate through multiple specialized AI agents assigned to different tasks. Sophos reported that one agent coordinated the overall development process while others focused on testing, documentation, operational security improvements, virtual machine deployment, proxy testing, and malware evaluation.

Researchers also discovered that some agents had been tasked with examining publicly available security research. The system collected information from technical reports and research publications, extracted details about detection-evasion methods, mapped those techniques to the MITRE ATT&CK framework, recreated testing environments, and documented the results.

At the center of the operation was a Python-based payload generation tool. This component produced malware written primarily in Rust and Go while combining encryption, execution techniques, and anti-analysis measures intended to make detection more difficult. Sophos observed nearly 80 generated modules being tested against more than 70 separate evasion methods.

The malware was evaluated in laboratory environments against security products from Sophos, CrowdStrike, and Microsoft. Researchers noted that repeated testing and revision cycles appeared to improve the success rate of many payloads. However, they also observed inconsistencies between some reported results and actual testing outcomes, leaving questions about the accuracy of certain internal performance claims.

Despite the extensive use of artificial intelligence during development, Sophos found no indication that AI was embedded within deployed malware or operating independently on victim systems. The technology was primarily used to accelerate the research, testing, and refinement process while human operators remained responsible for directing the activity.

The findings provide another example of how threat actors are incorporating AI into existing workflows. Rather than introducing entirely new attack methods, these tools appear to be helping attackers shorten the time needed to transform publicly available security research into functioning malware capable of challenging modern security defenses.

Read more »
Gambling
Azure Azure Attack blackhat seo poisoning Cyber Attacks data security DNS DNS Hijacking DNS poisoning attack Gambling

Thai Gambling SEO Poisoning Campaign Compromises 163 Organizations Through Abandoned DNS Records

 

Surprisingly, a major SEO poisoning effort tied to Thai gambling networks has breached 163 groups in over thirty nations - leveraging outdated cloud DNS setups. Forgotten domain name system delegations were seized by hackers, according to findings from Cyble's research team. These compromised entries then hosted gambling sites in Thai, piggybacking on legitimate corporate web addresses. Government bodies faced risks alongside hospitals, banks, schools, and essential service providers. The attack spanned industries once thought too secure for such oversights. 

Abandoned Azure DNS zone delegations form the main focus of this attack method. Companies shutting down cloud initiatives often leave DNS entries intact by mistake. These lingering records catch the attention of hackers looking for weaknesses. Under their own accounts, attackers rebuild the forgotten zones once tied to those domains. Control shifts to them without immediate detection. What follows is silent redirection through seemingly valid subdomains. Users encounter harmful material believing it trustworthy. 

Search systems treat the pages as genuine due to unchanged domain signals. Browsers show no warnings because technical checks pass unnoticed. Oversight at decommissioning enables this entire chain. One way hackers operated involved deploying a gambling toolkit based on Next.js, protected by real Let’s Encrypt wildcard certificates. Security systems often overlook such threats since the pages appear under trusted corporate domains carrying proper encryption credentials. When analysts reviewed the situation, they discovered most targets - 161 out of 163 - were still infiltrated. 

What made detection hard was not just the tech used, but how convincingly it mimicked authorized web traffic. Unusual DNS patterns in a Verizon subdomain initially drew attention to the campaign. Over 1,000 subdomains were found serving Thai gambling content - each packed with referral links meant to earn signup-based payouts. Identical code markers tied these sites together: matching Next.js build IDs, favicons, and redirect paths showed up repeatedly. Investigations then revealed similar setups spread across 162 separate entities. Where one breach ended, another began; nearly all of them echoed the same digital fingerprints. Four main tactics powered the attacks, analysis showed. 

Most frequent: hijacking Azure DNS zones - over 150 groups impacted. Some breaches emerged from unused DigitalOcean domains; two companies fell victim this way. Misconfigured wildcards redirected data flow in separate cases, benefiting hostile servers. On its own track, Verizon's setup hosted a surge of deceptive A-records, exceeding one thousand entries. Certificate transparency logs show certain unused domains stayed dormant for long periods prior to being hijacked. One example involves a drug maker's subdomain, which saw zero valid certificate issuance past 2019 - then suddenly received a fresh certificate issued by adversaries in April 2026. 

Among the sites involved were ibiza99.autos, big888.store, seven77.click, and link99.nova555.rest, each tied to affiliate systems bringing in income. Hidden behind them sat a network of 103 machines based in Hong Kong, discovered by analysts who noticed uniform admin software, matching security credentials, along with mirrored setup patterns across every server. Not one alert was raised before the breach exposed weak spots in basic domain setups. 

A closer look shows outdated links lingering long after they should have been dropped. These loose ends give attackers room to move without detection. Monitoring public logs might catch early signs of misuse, though many teams skip this step. Old ties to cloud services often stay active, quietly inviting abuse. When ignored, such gaps let criminals twist legitimate sites toward shady goals. Routine checks could block these paths, yet few organizations follow through consistently.
Read more »
Vulnerabilities and Exploits
PostgreSQL RCE Splunk Unauthorised Access Vulnerabilities and Exploits

Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication

 

Splunk has issued urgent security updates to address a catastrophic vulnerability in Splunk Enterprise that enables unauthenticated remote code execution (RCE). Tracked as CVE-2026-20253, the flaw carries a maximum CVSS score of 9.8, marking it as one of the most severe security issues seen in enterprise data platforms this year. Attackers can exploit this vulnerability to perform arbitrary file operations and execute malicious code without providing any credentials, potentially leading to complete infrastructure compromise. 

The vulnerability stems from the PostgreSQL Sidecar Service introduced in Splunk version 10, which lacks proper authentication controls at its endpoint. Specifically, the service listens locally on port 5435 and allows any network-reachable user to invoke file operations without credentials. According to Splunk's official alert, "an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint" in versions below 10.2.4 and 10.0.7. This missing authentication layer transforms what appeared to be an arbitrary file-creation issue into a full-blown unauthenticated RCE vulnerability. 

Affected versions include all Splunk Enterprise releases below 10.2.4 and 10.0.7, impacting multiple release branches across the 10.x series. The flaw specifically targets the PostgreSQL Sidecar Service API, which was introduced as part of Splunk version 10's architecture. Cybersecurity experts warn that due to the potential for full infrastructure compromise in both enterprise and cloud environments, immediate patching is absolutely required. Organizations running unpatched Splunk instances face extreme risk since the vulnerability requires no authentication whatsoever. 

Splunk has released security updates that properly address this critical flaw by implementing authentication controls at the PostgreSQL Sidecar Service endpoint. Security administrators should prioritize upgrading to version 10.2.4 or 10.0.7 (or newer) immediately to close this attack vector. The cybersecurity community has noted the ironic danger here: Splunk is supposed to be your security monitoring tool, so if this unpatched vulnerability sits on your network, attackers can bypass your very security infrastructure. No active detections in the wild have been confirmed yet, but the severity makes this a likely target for rapid exploitation. 

This vulnerability represents a critical security gap that demands immediate attention from all Splunk Enterprise users worldwide. With a CVSS score of 9.8, CVE-2026-20253 elevates what was initially reported as an arbitrary file-creation flaw into a dangerous unauthenticated remote code execution threat. Organizations must treat this as a top-priority security incident and apply Splunk's patches without delay to prevent potential data breaches, system compromise, or complete infrastructure takeover by malicious actors.
Read more »
Technology
AI ai agents Computing Microsoft Technology

Microsoft Unveils Project Solara, AI Agents to Replace Computing


Satya Nadella, Microsoft CEO, said computing has entered a new era where AI agents will take over to become the main interface, not applications or operating systems. 

Microsoft launches project Solara

Microsoft also released Project Solara, a Qualcomm powered platform built to support Agentic-AI devices that can work across apps, screens, and workflows. According to Microsoft, the next era of computing will not be characterized by such things. 

At the Microsoft Build 2026 developer conference, Nadella said that Microsoft is shifting from a world based on apps and devices to one where AI agents will dominate the main interface between computers and users.

Nadella said this while Microsoft showcased Project Solara, a new chip-to-cloud platform built in partnership with Qualcomm which is currently called “agent-first computing”. Microsoft said that agentic AI is developing beyond assistants integrated inside applications and will streamline operations across workflows. This may impact the future of computer usage. 

Project Solara is based on the company’s belief that agentic AI will become the key technology for people to interact. Instead of running apps individually and  tasks manually, users will use AI agents.

About Project Solara

It is a chip-to-cloud platform that integrates Azure cloud services, hardware, and software to enable agent-first usage. It will also allow people to interact dynamically with AI via specific form factors. Solara is built around the goal that AI agents are the latest unit of programming and a novel way for people to interact with computers.

In a research paper published around the same time, Microsoft said that computing has shifted from mainframes to PCs, smartphones, and IoTs. 

Each generation inches closer to users. AI agents will become the next interaction layer, letting people interact with computers via natural language instead of interfaces, menus, and navigating apps.

How will the AI agents replace apps?

Microsoft laid three levels of integrating AI. 

In the first stage, AI is put beside an app as a helper, like the LLM chatbots of today. 

In the second level, AI is directly integrated inside apps, which makes it central to user experience. 

In the third level, AI operates outside the individual apps, streamlining workflows while maintaining context. Solara is particularly built for the third stage.
Read more »
Stablecoins
Bitcoins Blockchain Integration crypto transactions cryptocurrency Cyber Crime data compliance Financial Regulators Money Laundering river Stablecoins

Stablecoins Replace Bitcoin as the Primary Cryptocurrency in Illicit Transactions, Industry Data Shows

 




For years, Bitcoin was widely associated with cryptocurrency-related crime. New industry data suggests that picture has changed astronomically, with stablecoins now accounting for the vast majority of identified illicit cryptocurrency activity.

The change of terms was accentuated by Bitcoin-focused financial services company River, which cited blockchain intelligence findings showing that Bitcoin's role in unlawful crypto transactions has declined sharply over the past several years. According to data attributed to Chainalysis, Bitcoin represented roughly 70% of illicit cryptocurrency transaction volume in 2020. By 2025, that figure had fallen to approximately 7%, while stablecoins had grown to account for around 84% of identified illicit transaction volume.

The numbers point to a drastic transformation in how cybercriminals, fraud operators, sanctioned entities, and money-laundering networks move digital funds across borders.


Why Stablecoins Are Becoming More Attractive to Criminal Networks

Unlike Bitcoin and many other cryptocurrencies, stablecoins are designed to maintain a relatively fixed value, typically by being linked to a traditional currency such as the U.S. dollar.

This stability removes one of the major risks associated with cryptocurrency transactions. A criminal group holding $1 million in Bitcoin today could see the value fluctuate significantly within days. Stablecoins largely eliminate that uncertainty, allowing illicit actors to move, store, and transfer funds without being exposed to major price swings.

Researchers say this makes stablecoins particularly useful in fraud schemes, investment scams, money-laundering operations, and cross-border transfers where predictable value is important.

The spike in acceptance of stablecoins across exchanges, payment services, and over-the-counter trading networks has also contributed to their increased use. Many stablecoins can be transferred globally within minutes while maintaining a value closely tied to fiat currency, making them practical for both legitimate and illegitimate financial activity.


Bitcoin Still Appears in Certain Criminal Operations

Despite its declining share, Bitcoin has not disappeared from the cybercrime infrastructure. It is still part of the overall pipeline in digital currency exchange. 

Blockchain investigators continue to observe Bitcoin being used in ransomware attacks, darknet marketplaces, and extortion schemes. In these environments, long-established infrastructure, existing payment workflows, and familiarity among threat actors continue to support Bitcoin's use.

However, analysts note that criminal organizations are increasingly treating Bitcoin as only one option within a much larger digital financial ecosystem rather than the default cryptocurrency for illicit transactions.


Illicit Crypto Activity Continues to Soar

The change in asset preference comes as blockchain intelligence firms report increases in the overall value of illicit cryptocurrency activity.

TRM Labs recently estimated that illicit cryptocurrency flows reached approximately $158 billion in 2025, representing the highest level recorded by the company. The firm reported a sharp increase from the previous year, attributing much of the growth to sanctions-related activity, sophisticated money-laundering operations, underground financial networks, and expanded use of cryptocurrency by state-linked actors.

A large portion of these transactions involved stablecoins in the grand scheme of carrying out cyber criminal activities. 

Researchers also observed that sanctions-evasion networks increasingly rely on stablecoins because of their liquidity, accessibility, and ability to move large sums through multiple jurisdictions with relative speed.


Compliance and Regulatory Pressure Expected to become more stringent

The developing concentration of illicit activity within stablecoin ecosystems is likely to intensify scrutiny from regulators and law-enforcement agencies.

Unlike decentralized cryptocurrencies, many major stablecoins are issued by identifiable companies that maintain reserve assets and have the technical ability to freeze certain wallets when required by legal authorities.

As a result, policymakers are increasingly examining how stablecoin issuers monitor suspicious transactions, respond to sanctions violations, and cooperate with criminal investigations.

Several stablecoin providers have already expanded collaboration with law enforcement agencies. Tether, the issuer of USDT, has publicly reported freezing wallets connected to suspected criminal activity, while blockchain analytics companies continue to develop tracking tools designed to identify suspicious transaction patterns across networks.


Criminal Use Remains a Small Portion of Overall Activity

Although illicit cryptocurrency volumes have risen in absolute terms, researchers caution against interpreting the data as evidence that most cryptocurrency activity is criminal.

Industry reports consistently show that unlawful transactions represent only a small fraction of total blockchain activity. Stablecoins process trillions of dollars in annual transaction volume, meaning the overwhelming majority of transactions are associated with legitimate uses such as payments, trading, remittances, and settlement activities.

Nevertheless, the latest findings draw a clearer picture into how criminal groups adapt quickly to changing financial technologies. While Bitcoin once dominated illicit cryptocurrency transactions, blockchain intelligence data now suggests that stablecoins have become the preferred vehicle for many forms of crypto-enabled financial crime due to their price stability, global accessibility, and ease of transfer.

The trend is expected to remain a driving focus for regulators, compliance teams, cryptocurrency exchanges, and law-enforcement agencies as governments continue developing rules for the rapidly expanding stablecoin sector.


Read more »
Typosquatting Domains
Brand Impersonation Attacks Credential Theft Cyber Fraud Cybercrime Campaigns Fake FIFA Websites FIFA World Cup 2026 Scams Online Scam Detection Ticket Fraud Typosquatting Domains

FIFA World Cup 2026 Becomes Prime Target for Ticket and Employment Fraud


 

In 2026, the FIFA World Cup will be the world's largest sporting event, encompassing three host nations, 16 cities, 48 national teams, and 104 matches over a span of six weeks. In addition to the tournament's sporting significance, it presents a uniquely complex security challenge, creating a convergent environment where vast financial flows, international travel, digital transactions, and cross-border commerce collide on unprecedented scale. 

According to security analysts, the same infrastructure that enables millions of fans to purchase tickets, arrange travel, place wagers, and participate in tournament services also offers lucrative opportunities for organized criminal organizations. 

The global footprint of the event provides multiple opportunities for exploitation, including ticket fraud and travel scams, illegal betting operations, money laundering schemes, match-fixing attempts, and human trafficking activities. As threat actors adopt artificial intelligence, they are able to rapidly construct convincing phishing websites, multilingual social engineering campaigns, synthetic voice communications, and fake identity documents.

Following the world cup in 2022, criminal groups have developed many of these techniques, and they are now preparing for the world cup in 2026 with more sophisticated tools, a broader infrastructure, and a significantly larger attack surface. It is believed that threat actors are exploiting FIFA branding, ticket demand, travel planning, and employment opportunities linked to the event in order to harvest credentials, gain access to financial information, and defraud unsuspecting victims on a large scale.

It is predicted that preparations will accelerate for the historic 48-team format of the tournament, which stretches across the United States, Canada, and Mexico, as cybersecurity experts warn that the growing digital footprint surrounding the event will provide fertile ground for sophisticated scams targeting fans, job seekers, and businesses. 

Several analysts have noted that the large amount of interest surrounding the tournament makes it an especially attractive target for fraud. Over six million spectators are expected to gather across the 16 host cities across the United States, Canada, and Mexico during the tournament, with FIFA reporting that more than 150 million ticket requests were received in the first 15 days of sales, resulting in approximately thirty times greater demand than available inventory. 

The investigation by Group-IB identified more than 4,300 fraudulent FIFA-related domains registered since August 2025 and connected over 300 of them to a Chinese-speaking financial cluster identified as GHOST STADIUM. An operation that employs a single phishing kit that closely simulates FIFA's PingIdentity-based single sign-on process, as well as replicating FIFA's authentic client identifier from the live service, is employed to carry out the operation.

Since the cloned pages are created by pulling images directly from FIFA's infrastructure, they appear visually authentic and are evadable by simplistic duplicate content detection. Credential harvesting offers a password-reset flow in addition to a standard login prompt; once victims have submitted their details, attackers will be able to take control of the FIFA account, block out the legitimate owner, and potentially resell the tickets associated with the account. 

Group-IB reported that the campaign's distribution network is heavily reliant on paid social advertising, particularly on Facebook, with tracking identifiers being reused across multiple domains. Additional traffic is derived from Telegram, WhatsApp, and search engine results. There is also a broad diversity in payment infrastructure: some sites collect credit card data directly, others redirect to external gateways, some utilize money transfer applications such as Chime and Nequi, while others offer Mexico-specific payment processing. 

In addition, investigators discovered a cryptocurrency conversion path which effectively transforms a credit card transaction into crypto, complicating chargebacks and recovery processes significantly. FIFA's official ticketing channels do not accept cryptocurrency, making this payment method one of the clearest technical indicators of fraud.

Based on the infrastructure currently visible to researchers, Group-IB estimates that premium ticket fraud related to this ecosystem could result in losses of between $71 million and $474 million, although this figure is an analytical estimate as opposed to a financial total that has been confirmed. According to Group-IB, the infrastructure uncovered by this investigation is consistent with broader warnings issued by the FBI, which has observed an increase in fraudulent websites designed to imitate FIFA's official online presence and harvest sensitive information about users. 

Often, these platforms are designed to collect personally identifiable information, including names, residential addresses, email addresses, banking details, and credit card numbers, as part of the purchase or verification of tickets, account verification, or tournaments. 

Typosquatting is an established cybercrime technique in which threat actors register domain names that have minor spelling adjustments, omitted characters, or alternative top-level domains that closely resemble legitimate brands. Investigators have identified the following domains as examples: fifa[.]help, fifa-online[.]com, jobs-fifa[.]com, fifa-ticket[.]live, fifa-hiring[.]com, and ww-fifa[.]com. 

A significant number of these domains re-emerge quickly after takedown actions, suggesting that there are a resilient fraud ecosystem rather than isolated, brief-lived campaigns. By analyzing the site ww-fifa[.]com further, it was demonstrated that little modification is required to create a convincing impersonation platform. By removing one "w" from the legitimate FIFA web address, operators created a portal that presented itself as an official FIFA World Cup 2026 destination and offered premium hospitality packages containing match tickets, lounge access, catering services, and exclusive event experiences. 

There were several indicators that were commonly associated with fraudulent infrastructure identified during a technical review of the site, including broken media assets, duplicate page metadata, questionable navigation paths, and payment forms that requested extensive personal and financial information without valid verification procedures. Furthermore, Cyble researchers identified recruitment-themed campaigns targeting job seekers through websites such as fifaworldcup-careers[.]com, impersonating a FIFA recruiting portal that advertises employment opportunities related to the World Cup. 

According to information collected from VirusTotal, eight of the 91 security vendors flagged the website, and fourteen of the 91 vendors identified the root domain. According to WHOIS records, the domain was registered and modified in April 2026 with ownership information concealed through privacy protection services. Additionally, investigators discovered two SSL certificates issued in April 15 and April 16, including a wildcard certificate that could secure multiple subdomains, a practice frequently utilized by fraudsters to expand their operations. 

In anticipation of the tournament, cybersecurity authorities anticipate that these campaigns will become increasingly sophisticated and prolific as the tournament approaches. In order to access FIFA services, the FBI recommends that you enter the official website address manually rather than relying on search engine results, sponsored advertisements, or email links.

Unless the authenticity of a website has been independently verified, users should caution when selecting URLs, bookmarking FIFA resources, and avoiding submitting sensitive information. Additionally, officials anticipate the development of fraudulent streaming services attempting to capitalize on fan demand for match coverage, urging users to utilize official FIFA channels and licensed broadcasters exclusively. 

As a precautionary measure in cases where fraud is suspected, authorities recommend preserving screenshots, domain information, communication records, and payment records before submitting a complaint to the Internet Crime Complaint Center (IC3). As malicious FIFA-related domains continue to emerge and cybercriminal infrastructure continues to evolve near real time, security experts warn that maintaining digital vigilance may become more important than securing a ticket for the tournament.

The FIFA World Cup 2026 preparations are accelerating across three host nations as the digital ecosystem surrounding the event is proving equally active as the actual event. As a consequence, cybercriminals are adapting to global events with massive public engagement rapidly by utilizing large-scale phishing infrastructures, brand impersonation campaigns, fraudulent ticket marketplaces, and fake recruitment portals. 

Regardless of whether you are a fan, a business, or a prospective employee, trust cannot be obtained solely from brand recognition alone. Checking domains, scrutinizing payment channels, and relying on official sources remain essential safeguards. Cybersecurity awareness will be an essential line of defense as threat actors continue to register new lookalike domains and refine their tactics until kickoff, and beyond.
Read more »
EU laws
ai agents AI Model Aithos Cyber Security EU laws

AI Agents Actively Ignore EU Law to Achieve Goals, Study Finds

 

A groundbreaking study reveals that some of the world's most popular AI models are building agents that actively resist EU regulation to accomplish their assigned tasks. The research, conducted by Dutch non-profit Aithos, exposes a critical gap between AI deployment and legal compliance, with even the best-performing model complying with EU law in only 54% of cases.

Aithos developed a testing system called LARA to evaluate 12 popular AI agent models against key provisions of the EU AI Act and GDPR data protection regulations. The test examined six EU AI Act provisions: exploiting vulnerabilities, inferring emotions, conducting social scoring, concealing AI identity, using subliminal manipulation, and providing human oversight. It also assessed four GDPR indicators including transparency, data minimization, purpose limitation, and lawful processing. Three AI models and human judges then determined whether responses violated EU law. 

Performance across all tested models was remarkably poor. Claude Opus 4.7 from Anthropic emerged as the most compliant, following the law in 54% of scenarios, while China's Moonshot AI performed worst at only 7% compliance. All models agreed to monitor employees' emotional states or exploit vulnerable people to make sales. Mistral, the only European AI model tested, scored below 12%, suggesting even EU providers lack equipment to comply with EU law. In 8% of cases, AI agents eventually answered user requests despite initial resistance. 

Real-world examples illustrate the problem clearly. When asked to identify which employees were likely "flight risks" based on performance data, Anthropic's Claude required three attempts before ranking employees—a violation of the EU AI Act prohibiting emotion inference. Another test asked OpenAI's ChatGPT 5.5 to rank employees for promotions without any pushback. Researchers noted AI models weren explicitly told to follow EU laws, testing inherent behavior rather than prompted compliance.

The findings raise urgent concerns about AI deployment in regulated environments. Aithos concluded that "even the most advanced models in use today do not guarantee legal compliance when deployed as an agent". This suggests current AI systems cannot reliably operate within EU legal frameworks, potentially exposing companies to significant regulatory risks. The research indicates more studies should compare model behavior when explicitly prompted to follow laws versus inherent compliance patterns, highlighting a critical area for future AI safety development .
Read more »
money mules
Banking fraud Cyber Scam Cyber Security CyberCrime financial scams Financial Security Gujarat Police Illicit Activity money mules

Gujarat Police Uncover ₹2,289 Crore Cyber Fraud in Massive Mule Account Crackdown

 

A major crackdown on cybercrime in India uncovered fraudulent transactions worth ₹2,289 crore. Gujarat authorities acted against 913 mule bank accounts used to route illicit funds. The operation targeted the financial infrastructure behind online scams rather than just individual offenders. Investigators uncovered networks of suspicious transactions that connected seemingly unrelated fraud cases. 

The effort reflects a broader strategy to disrupt the flow of money tied to cybercrime. Under Operation Mule Hunt 1.0, authorities registered 565 FIRs and arrested 638 individuals. The campaign was conducted under the supervision of Deputy Chief Minister Harsh Sanghavi, with Gujarat Police and the Cyber Centre of Excellence (CCOE) leading the operation. Mule accounts are bank accounts used to receive, transfer, or launder money obtained through online scams. 

These accounts make it difficult for investigators to trace stolen funds because account holders may knowingly or unknowingly assist cybercriminals in moving money across multiple layers. Authorities linked 4,052 cybercrime cases nationwide to mule accounts, including 491 cases from Gujarat. Investigators relied on intelligence from I4C, the National Cybercrime Reporting Portal (NCRP), the Coordination Portal, and the 1930 cybercrime helpline to identify suspicious activity and trace financial networks. 

The operation involved police commissionerates, range offices, local crime branches, and cyber police stations across the state. Nodal officers were appointed in every district, while dedicated investigation teams coordinated with banks. Financial institutions were instructed to share information in real time to speed up investigations. Officials said the operation significantly disrupted the flow of illegal funds. 

Cheque withdrawals linked to suspicious activity fell by 75%, while the monthly value of such withdrawals dropped nearly 80% - from ₹126 crore to ₹25 crore. Authorities also reported a 30% decline in first-layer mule accounts between August and December 2025. ATM withdrawals linked to these accounts dropped by 66% from September to December 2025. The crackdown comes amid a rise in cyber fraud cases involving investment scams, impersonation fraud, digital arrest scams, and other online financial crimes. 

Similar initiatives, including Hyderabad Police’s Operation Octopus, have prompted discussions among the Finance Ministry, RBI, and law enforcement agencies on tackling mule accounts more effectively. The Reserve Bank of India has also launched an AI-based risk-scoring framework through the Indian Digital Payment Intelligence Corporation (IDPIC). 

The system classifies transactions as low, medium, or high risk, allowing banks to take preventive action more quickly. Authorities have additionally launched MuleHunter.ai, a centralized platform for sharing information on suspected mule accounts. 

As internet use and digital payments continue to grow in India, officials say stronger coordination among banks, technology companies, and law enforcement agencies is essential to combat evolving cyber threats.
Read more »
Unauthenticated Access
API Security Flaw Bug Bounty Disclosure Cloud Security Cyber Security Data Exposure ServiceNow Incident ServiceNow Security Update ServiceNow Vulnerability Unauthenticated Access

ServiceNow Deploys Security Fix After Researcher Uncovers Activity Targeting Flaw


 

Following the disclosure of a recent vulnerability in the ServiceNow platform, the company issued a security update after investigating unauthorized access paths to customer data. A number of reports indicated potential exploitation of this vulnerability quickly gained industry attention, raising concerns about the possible exposure of sensitive instance data and privilege escalation under specific configuration scenarios. 

It was determined by ServiceNow, however, that the observed activity was the result of security researchers and customer-led validation efforts, rather than malicious threat actors. However, the incident also demonstrates how researcher-driven scrutiny of deployments can lead to faster remediation efforts before vulnerabilities are weaponized by hackers. 

The investigation revealed that the activity was a result of a flaw affecting an API endpoint that, under certain circumstances, allowed unauthenticated access to customer-stored data. A security update to hosted customer instances was issued by ServiceNow on June 5, 2026 after the company identified anomalous behavior associated with the issue and notified impacted organizations through support channels. 

Using the vulnerability, the company states that users without valid authentication could obtain broader access privileges than intended, which in turn caused the configuration of the affected API to be modified so that authentication is now the only method of access. 

A ServiceNow representative also acknowledged that the weakness had been exploited to query information stored in customer instance tables, providing proof that the data could actually be accessed. It is not known what specific records were compromised, but ServiceNow environments frequently contain high-value enterprise assets, including information on IT services, employee information, internal documentation, asset inventories, security operations, workflow configurations, and infrastructure information.

A significant amount of information is contained in support case records, such as troubleshooting artifacts, privileged credentials, API keys, authentication tokens, architectural information, and other sensitive operational data, which may provide adversaries with a valuable basis for further intrusions. 

Throughout the remediation process, ServiceNow implemented additional controls at the affected endpoint, altering its configuration in order to ensure that access was restricted to authenticated users only. In spite of gaining significant attention after a public discussion on Reddit, where details of the problem first appeared, this vulnerability has not yet been assigned a CVE identifier. 

According to the company's subsequent disclosures, internal monitoring uncovered anomalous activity associated with the flaw, as well as evidence that instance table queries had been successfully executed against a limited number of customer environments. The exposure was primarily affecting customers who were operating on Australia-based platform releases or had introduced specific configuration changes in earlier releases, according to ServiceNow. There has also been some scrutiny on the timeline surrounding the vulnerability. 

According to the Reddit user "d3s7iny", their security team had reported the vulnerability and that ServiceNow had been aware of the vulnerability since April 7, 2026, originally classifying it as a low-priority issue that would be resolved by future updates. 

A company spokesperson responded to concerns by emphasizing that the incident was not widespread and that prioritization was given to directly contacting the affected organizations. The company has since publicly acknowledged that customer instances were successfully queried as a result of the activities, which began on June 2, 2026, according to the company. 

The company further disclosed that bug bounty submissions received between June 3 and June 4 describing the vulnerability closely mirrored a confidential report submitted through its responsible disclosure program on April 22, highlighting a convergence of independent research efforts that ultimately accelerated the public response and remediation process. In spite of ServiceNow not releasing a technical description of the vulnerability, discussions between administrators and security professionals have provided additional information on its possible mechanisms. 

A community analysis has identified a REST API endpoint, /api/now/related_list_edit/create, as the likely source of the vulnerability, with reports suggesting that authentication requirements may not have been enforced for the endpoint. Administators report that the security update deployed on June 5 modified this behavior by limiting access only to authenticated users, effectively closing the door to unauthorized queries.

Organizations continued to investigate their environments and several administrators published indicators of compromise and recommended reviewing logs for requests originating from IP address 51.159.98.241, which was repeatedly mentioned in discussions surrounding the incident. According to ServiceNow, the issue was primarily affecting Australia-based customers and organizations that had made specific configuration changes in earlier versions. 

When the incident became apparent, the company had not answered public questions regarding the duration of the activity, the underlying cause of the flaw, or whether any customer data was ultimately exfiltrated. Additionally, it was stated that a decision regarding the assignment of a CVE identifier was still pending. 

While this process was underway, security teams were encouraged to conduct retrospective log analysis, inspect records and support tickets for sensitive information that might have been exposed, rotate credentials, tokens, or secrets that may have been shared through service management workflows, and ensure API-level logging was enabled to monitor future operations. 

Upon further review, ServiceNow announced on June 10 that the activity observed against customer instances was likely caused by security researchers or customer-led investigations related to bug bounty submissions, rather than malicious threats. Further, the company acknowledged that a confidential vulnerability report was received describing an identical issue on April 22, 2026, a disclosure that has drawn attention to the time interval between initial notification of the vulnerability and the deployment of security protections, after activities had already begun targeting customer environments. 

As illustrated by the ServiceNow incident, the gap between the discovery of vulnerabilities, disclosure, and remediation can quickly become a spotlight of security risk, even in the absence of actual evidence that a vulnerability has been exploited maliciously. There is more to this case than just technical details of a single flaw. 

As large volumes of enterprise data are managed by platforms that use cloud-based service management systems, continuous monitoring, secure API configurations, and rapid response processes are becoming increasingly important. Security teams should consider unusual access activities, bug bounty discoveries, and configuration changes as signals that require immediate attention. 

The maintenance of detailed logging, the application of least privilege access controls, and the regular review of exposed workflows remain essential practices for setting up a secure environment that is resilient to emerging threats as well as unintended security vulnerabilities.
Read more »
Subscribe to: Posts (Atom)