Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Tropic Trooper
cyber attack malware Salt Typhoon Telco Tropic Trooper

China Based Hackers Attack Telco With New Malware


A China-based advanced persistent cyber criminal tracked as UAT-9244 has been attacking telecommunication service providers in South America since 2024. Threat actor attacks Linux, Windows, and network-edge devices. 

Cisco Talos researchers said that the hacker is related to the Tropic Trooper and FamousSparrow hacker groups, but it is tracked as a different activity cluster.

According to the experts, UAT-9244 shares the same victim profile as Salt Typhoon, but they are failing to find a link between the two security clusters.

New malware attacking telco networks

The experts found that the campaign used three previously unknown malware families: PeerTime, a Linux backdoor that employs BitTorrent; TernDoor, a Windows backdoor; and BruteEntry, a brute-force scanner that makes proxy infrastructure (ORBs).

About TernDoor

TernDoor is installed via DLL side-loading through the authentic executable wsprint.exe to deploy malicious code from BugSplatRc64.dll, which decodes and runs the final payload in memory (inserted inside msiexec.exe).

The malware consists of a WSPrint.sys, an embedded Windows driver, which is used for terminating, suspending, and resuming processes.

Persistence is gained through Windows Registry modifications and scheduled tasks, which also hide the scheduled task. Besides this, TernDoor runs commands through a remote shell, executes arbitrary processes, collects system data, reads/writes files, and self-deletes.

About PeerTime

PeerTime is an ELF Linux backdoor that attacks various architectures (MIPS, ARM, AARCH, PPC), hinting that it was made to attack a wide range of embedded systems and network devices.

Cisco Talos found the variants for PeerTime. The first variant is written in C/C++, and the second is based on Rust. The experts also found a Simplified Chinese debug string inside the instrumentor binary, which may be its source. The payload is decoded and installed in memory, and its process is renamed to look real.

About BruteEntry

Lastly, there is BruteEntry, which consists of a brute-forcing component and a Go-based instrumentor binary. Its function is to transform compromised devices into Operational Relay Boxes (ORBs), which are scanning nodes.

The attacker brute-forces SSH, PostgreSQL, and Tomcat by using workstations running BruteEntry to search for new targets. The C2 receives the results of the login attempt along with the task status and notes.

Read more »
Malware Attack
AI Risks APT36 APT36 Cyber Espionage APT36 hackers Cloud Security cyber espionage Cyber Espionage Campaign Cyber Security Google Sheets API abuse Malware Attack

APT36 Uses AI-Generated “Vibeware” Malware and Google Sheets to Target Indian Government Networks

 

Researchers at Bitdefender have uncovered a new cyber campaign linked to the Pakistan-aligned threat group APT36, also known as Transparent Tribe. Unlike earlier operations that relied on carefully developed tools, this campaign focuses on mass-produced AI-generated malware. Instead of sophisticated code, the attackers are pushing large volumes of disposable malicious programs, suggesting a shift from precision attacks to broad, high-volume activity powered by artificial intelligence. Bitdefender describes the malware as “vibeware,” referring to cheap, short-lived tools generated rapidly with AI assistance. 

The strategy prioritizes quantity over accuracy, with attackers constantly releasing new variants to increase the chances that at least some will bypass security systems. Rather than targeting specific weaknesses, the campaign overwhelms defenses through continuous waves of new samples. To help evade detection, many of the programs are written in lesser-known programming languages such as Nim, Zig, and Crystal. Because most security tools are optimized to analyze malware written in more common languages, these alternatives can make detection more difficult. 

Despite the rapid development pace, researchers found that several tools were poorly built. In one case, a browser data-stealing script lacked the server address needed to send stolen information, leaving the malware effectively useless. Bitdefender’s analysis also revealed signs of deliberate misdirection. Some malicious files contained the common Indian name “Kumar” embedded within file paths, which researchers believe may have been placed to mislead investigators toward a domestic source. In addition, a Discord server named “Jinwoo’s Server,” referencing a popular anime character, was used as part of the infrastructure, likely to blend malicious activity into normal online environments. 

Although some tools appear sloppy, others demonstrate more advanced capabilities. One component known as LuminousCookies attempts to bypass App-Bound Encryption, the protection used by Google Chrome and Microsoft Edge to secure stored credentials. Instead of breaking the encryption externally, the malware injects itself into the browser’s memory and impersonates legitimate processes to access protected data. The campaign often begins with social engineering. Victims receive what appears to be a job application or resume in PDF format. Opening the document prompts them to click a download button, which silently installs malware on the system. 

Another tactic involves modifying desktop shortcuts for Chrome or Edge. When the browser is launched through the altered shortcut, malicious code runs in the background while normal browsing continues. To hide command-and-control activity, the attackers rely on trusted cloud platforms. Instructions for infected machines are stored in Google Sheets, while stolen data is transmitted through services such as Slack and Discord. Because these services are widely used in workplaces, the malicious traffic often blends in with routine network activity. 

Once inside a network, attackers deploy monitoring tools including BackupSpy. The program scans internal drives and USB storage for specific file types such as Word documents, spreadsheets, PDFs, images, and web files. It also creates a manifest listing every file that has been collected and exfiltrated. Bitdefender describes the overall strategy as a “Distributed Denial of Detection.” Instead of relying on a single advanced tool, the attackers release large numbers of AI-generated malware samples, many of which are flawed. However, the constant stream of variants increases the likelihood that some will evade security defenses. 

The campaign highlights how artificial intelligence may enable cyber groups to produce malware at scale. For defenders, the challenge is no longer limited to identifying sophisticated attacks, but also managing an ongoing flood of low-quality yet constantly evolving threats.
Read more »
Passaic County
IT Systems malware New Jersey Passaic County

Malware Attack Cripples Passaic County Phones and IT Systems

 

A malware attack has disrupted government services in Passaic County, New Jersey, knocking out key IT systems and phone lines that serve nearly 600,000 residents across the region. Officials say they are working with state and federal partners to investigate the incident and restore critical communications as quickly as possible.

The disruption began midweek, when county phones suddenly stopped working and a service alert warned that all lines were “currently down,” leaving residents unable to reach many government offices by telephone. The outage has extended beyond a brief glitch, with phone issues lingering into the following day as technical teams assess the scope of the compromise. In public statements, the county has confirmed that a malware attack is affecting its IT infrastructure and impacting phone lines but has released few technical details about the nature of the malicious software involved. 

Passaic County leaders emphasize that they are collaborating closely with both federal and state authorities to investigate and contain the attack, reflecting growing concern over cyber threats to local government systems. Agencies are working to determine how attackers gained access, what systems were affected, and whether any data was stolen, altered, or encrypted.Officials have not yet said whether emergency services such as 911 or dispatch operations were impacted, nor have they confirmed if any personal information of residents has been compromised.

This incident comes amid a broader wave of cyberattacks targeting smaller municipalities and public institutions, as criminals shift focus away from the larger metropolitan governments and corporations that hardened their defenses in recent years. Experts note that local governments often rely on aging infrastructure and limited cybersecurity resources, making them appealing targets for malware campaigns that can disrupt daily operations for thousands of residents. Recent attacks on other New Jersey jurisdictions and hospitals across the country have led to extended outages, raising alarms about the resilience of public services in the face of persistent digital threats.

For Passaic County residents, the immediate impact is practical and personal: difficulty reaching county offices, confusion about service availability, and uncertainty over potential exposure of sensitive data. Authorities have urged patience as investigations continue and pledged to share updates once systems are fully restored and more is known about the attack’s origin and impact.The episode underscores the need for stronger cybersecurity investments at the local level, from securing phone and network infrastructure to training staff against phishing and other common malware entry points.
Read more »
Wordpress Vulnerability
Cyber Security cyber threat Plugin Privilege Escalation Website Takeover Risk WordPress Security Flaw Wordpress Vulnerability

Newly Discovered WordPress Plugin Bug Enables Privilege Escalation to Admin


 

With WordPress, millions of websites depend on its convenience, but it also includes a complex web of extensions, which quietly handle everything from user onboarding to payment-based membership. In addition to simplifying site management and extending functionality, these plugins often work with deep integration into the platform's authentication and permission systems.

If any minor mistake is made within this layer, the consequences can extend far beyond a routine software malfunction. Having recently discovered a security flaw in a widely deployed membership management plugin, attention has been drawn to this fragile intersection between functionality and security, showing how external parties could bypass normal security safeguards by bypassing the user registration process and achieving the highest level of administrative privileges. 

An issue that affects affected sites is not simply one of technical misconfiguration, but also one that may allow unauthorized actors to take complete control of the website. In the past few years, WordPress has been powered by a robust ecosystem of plugins, enabling everything from membership portals to subscription-based services with minimal technical effort. 

Nevertheless, when input validation and access controls are not carefully applied, this same flexibility can pose subtle security risks. Recent disclosures of a vulnerability in a widely used membership plugin highlight this fragile balance, which opens the door to a possible takeover of tens of thousands of WordPress installations. 

It has been confirmed that malicious actors have already exploited the vulnerability, tracked as CVE-2026-1492, by manipulating account roles during the sign-up process, granting them administrator-level privileges without authentication and effectively gaining full control over affected sites through exploiting a flaw in the plugin's registration process.

It is estimated that the vulnerability affects more than 60,000 websites using WPEverest's User Registration & Membership plugin. As a result, the plugin fails to properly validate role parameters entered during registration, which leads to the issue. 

Unauthenticated attackers can tamper with this input to assign elevated privileges to newly created accounts, bypassing the intended permission restrictions, allowing them to register directly as site administrators. By obtaining such access, attackers can install malicious plugins, alter site content, extract sensitive information, such as user databases, embed hidden malware within the website infrastructure, or alter site content after obtaining such access.

Consequently, the consequences of privilege escalation are particularly severe within the WordPress permission framework, in which administrator accounts are granted unrestricted access to virtually all website functionality. Those who gain access to this level of the system can modify themes and plugins, modify PHP code, alter security settings, and even remove legitimate administrators.

In practical terms, a compromised website can become a controlled asset that can be used for further malicious activities, such as malware distribution or unauthorized data harvesting from registered users or visitors. After the vulnerability was publicly disclosed, Defiant researchers, the company behind the widely used Wordfence security plugin, reported observing attempts to exploit the vulnerability. 

Over two hundred malicious requests attempting to exploit CVE-2026-1492 were blocked within a 24-hour period by monitoring across protected environments, indicating that the flaw has been rapidly incorporated into automated attacks. As a result of the vulnerability, all versions of the plugin up to version 5.1.2. are vulnerable. 

Developers have since released a fix to address the issue, first in version 5.1.3 and then in version 5.1.4. This version also has additional stability and security improvements. Consequently, administrators are strongly advised to upgrade as soon as possible to the latest version, or temporarily disable the plugin if patch deployment cannot be completed promptly. 

It has been reported by Wordfence that CVE-2026-1492 is the most severe vulnerability to date in the plugin. Additionally, this incident reflects an ongoing trend in which attackers systematically scan the WordPress ecosystem for exploitable plugin vulnerabilities. In addition to distributing malware and hosting phishing campaigns, compromised websites are frequently used to operate command-and-control infrastructure, proxy malicious traffic, or store data stolen from others. 

Similar patterns were observed earlier in January 2026 when threat actors exploited another critical vulnerability, CVE-2026-23550, affecting the Modular DS WordPress plugin and allowing remote authentication bypass with administrator access. 

In incidents such as these, security risks remain prevalent in platforms powered by plugins such as WordPress, where a single mistake in access control can result in the compromise of thousands of websites. Since the vulnerability is so severe and exploitation attempts have already surfaced so quickly, security experts emphasize the importance of taking immediate defensive action.

Website operators are advised to review installed plugins, apply available security updates as soon as possible, and implement monitoring mechanisms that will detect any suspicious administrative activity or unauthorized account creation. By conducting regular security audits, following the principle of least privilege, and employing reputable security plugins, similar threats can be significantly reduced. 

In general, the incident illustrates the importance of maintaining continuous vigilance, timely patch management, and disciplined configuration practices to ensure that widely used plugins do not become entry points into large-scale attacks. It is crucial that the operational convenience offered by extensible platforms like WordPress is balanced with continuous vigilance and timely patch management.
Read more »
Vulnerabilities and Exploits
Cisco breach firewall management Security Flaws Vulnerabilities and Exploits

Hackers Exploit Two Vulnerabilities in Cisco SD-WAN Manager

 



Cisco Systems has confirmed that attackers are actively exploiting two security flaws affecting its Catalyst SD-WAN Manager platform, previously known as SD-WAN vManage. The company disclosed that both weaknesses are currently being abused in real-world attacks.

The vulnerabilities are tracked as CVE-2026-20122 and CVE-2026-20128, each presenting different security risks for organizations operating Cisco’s software-defined networking infrastructure.

The first flaw, CVE-2026-20122, carries a CVSS score of 7.1 and is described as an arbitrary file overwrite vulnerability. If successfully exploited, a remote attacker with authenticated access could overwrite files stored on the system’s local file structure. Exploitation requires the attacker to already possess valid read-only credentials with API access on the affected device.

The second vulnerability, CVE-2026-20128, has a CVSS score of 5.5 and involves an information disclosure issue. This flaw could allow an authenticated local user to escalate privileges and obtain Data Collection Agent (DCA) user permissions on a targeted system. To exploit the vulnerability, the attacker must already have legitimate vManage credentials.

Cisco released fixes for these issues late last month. The patches also addressed additional vulnerabilities identified as CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133.

The company provided updates across multiple software releases. Systems running versions earlier than 20.9.1 should migrate to a patched release. Fixes are available in the following versions:

  • Version 20.9 → fixed in 20.9.8.2
  • Version 20.11 → fixed in 20.12.6.1
  • Version 20.12 → fixed in 20.12.5.3 and 20.12.6.1
  • Version 20.13 → fixed in 20.15.4.2
  • Version 20.14 → fixed in 20.15.4.2
  • Version 20.15 → fixed in 20.15.4.2
  • Version 20.16 → fixed in 20.18.2.1
  • Version 20.18 → fixed in 20.18.2.1

According to Cisco’s Product Security Incident Response Team, the company became aware in March 2026 that CVE-2026-20122 and CVE-2026-20128 were being actively exploited. Cisco did not disclose how widespread the attacks are or who may be responsible.

Additional insights were shared by researchers at watchTowr. Ryan Dewhurst, the firm’s head of proactive threat intelligence, reported that the company observed exploitation attempts originating from numerous unique IP addresses. Investigators also identified attackers deploying web shells, malicious scripts that allow remote command execution on compromised systems.

Dewhurst noted that the most significant surge in attack activity occurred on March 4, with attempts recorded across multiple global regions. Systems located in the United States experienced slightly higher levels of activity than other areas.

He also warned that exploitation attempts are likely to continue as additional threat actors begin targeting the vulnerabilities. Because both opportunistic and coordinated attacks appear to be occurring, Dewhurst said any exposed system should be treated as potentially compromised until proven otherwise.

Security experts emphasize that SD-WAN management platforms function as centralized control hubs for enterprise networks. As a result, vulnerabilities affecting these systems can carry heightened risk because they may allow attackers to manipulate network configurations or maintain persistent access across multiple connected sites.

In response to the ongoing attacks, Cisco advises organizations to update affected systems immediately and implement additional security precautions. Recommended actions include restricting administrative access from untrusted networks, placing devices behind properly configured firewalls, disabling the HTTP interface for the Catalyst SD-WAN Manager administrator portal, turning off unused services such as HTTP or FTP, changing default administrator passwords, and monitoring system logs for suspicious activity.

The disclosure follows a separate advisory issued a week earlier in which Cisco reported that another flaw affecting Catalyst SD-WAN Controller and SD-WAN Manager — CVE-2026-20127, rated 10.0 on the CVSS scale had been exploited by a sophisticated threat actor identified as UAT-8616 to establish persistent access within high-value organizations.

This week the company also released updates addressing two additional maximum-severity vulnerabilities in Secure Firewall Management Center. The flaws, tracked as CVE-2026-20079 and CVE-2026-20131, could allow an unauthenticated remote attacker to bypass authentication protections and execute arbitrary Java code with root-level privileges on affected systems.

Read more »
fault-tolerant quantum computing
Computing Cryptography cryptography risk Cyber Security Cyberattacks fault-tolerant quantum computing

Quantum Cybersecurity Risks Rise as Organizations Prepare for Post-Quantum Cryptography

 

Security experts often trust encrypted data since today's cryptography aims to block unapproved users. Still, some warn new forms of computation might one day weaken common encryption techniques. Even now, as quantum machines advance, potential threats are starting to shape strategies for what comes after today’s security models. 

A rising worry for some cybersecurity professionals involves what they call "harvest now, decrypt later." Rather than cracking secure transmissions at once, attackers save encoded information today, waiting until conditions improve. When machines powered by quantum computing reach sufficient strength, old ciphers may unravel overnight. Data believed safe could then spill into view years after being taken. Such delays in threats make preparation harder to justify before damage appears. 

This threat weighs heavily on institutions tasked with protecting sensitive records over long durations. Finance, public administration, health services, and digital infrastructure sectors routinely manage details requiring protection across many years. When coded messages get captured today and kept aside, future advances in quantum machines might unlock them later. What worries experts is how current encryption often depends on math challenges too tough for regular computers to crack quickly. Built around this idea are systems like RSA and elliptic curve cryptography. 

Yet quantum machines might handle specific intricate computations much faster than conventional ones. That speed could erode the security these common encryption methods now provide. Facing new risks, experts in cybersecurity now push forward with post-quantum methods. Security built on these models holds up under extreme computing strength - like that of quantum machines. A growing favorite? Hybrid setups appear more often, linking older ciphers alongside fresh defenses ready for future attacks. With hybrid cryptography, companies boost protection without abandoning older tech setups. 

Instead of full system swaps, new quantum-resistant codes mix into present-day encryption layers. Slow shifts like these ease strain on operations yet build stronger shields for future threats. One of the recent additions to digital security is ML-KEM, built to withstand threats posed by future quantum machines. Though still emerging, this method works alongside existing encryption instead of replacing it outright. As processing power grows, blending such tools into current systems helps maintain protection over time. Progress here does not erase older methods but layers new defenses on top. Even now, early adoption supports long-term resilience without requiring immediate overhaul. 

One step at a time, security specialists stress the need for methodical planning ahead of the quantum shift. What often gets overlooked is which data must stay secure over many years, so mapping sensitive information comes first. After that, reviewing existing encryption methods across IT environments helps reveal gaps. Where needed, combining classical and post-quantum algorithms slowly becomes part of the solution. Tracking all crypto tools in use supports better oversight down the line. Staying aligned with new regulations isn’t optional - it’s built into the process from the start. 

Even while stronger encryption matters, defenses cannot rely on math alone. To stay ahead, teams need ways to examine encrypted data streams without weakening protection. Watching for risks demands consistent oversight within tangled network setups. Because trust is never assumed today, systems built around verification help sustain both access checks and threat spotting. Such designs make sure safeguards work even when connections are hidden. 

When companies start tackling these issues, advice from specialists often highlights realistic steps for adapting to quantum-safe protections. Because insights spread through training programs, conversations among engineers emerge that clarify risk assessment methods. While joint efforts across sectors continue growing, approaches to safeguarding critical data gradually take shape in response. 

A clearer path forward forms where knowledge exchange meets real-world testing. Expectations grow around how quantum computing might shift cybersecurity in the years ahead. Those who prepare sooner, using methods resistant to quantum risks, stand a better chance at safeguarding information. Staying secure means adjusting before changes arrive, not after they disrupt. Progress in technology demands constant review of protection strategies. Forward-thinking steps today could define resilience tomorrow.
Read more »
Windows
AI BadPaw Cloud Data malware Windows

BadPaw Malware Targets Uranian Systems


A newly found malware campaign exploiting a Ukrainian email service to build trust has been found by cybersecurity experts. 

About the campaign 

The operation starts with an email sent from an address hosted on ukr[.]net, a famous Ukrainian provider earlier exploited by the Russia based hacking group APT28 in older campaigns.

BadPaw malware 

Experts at ClearSky have termed the malware “BadPaw.” The campaign starts when a receiver opens a link pretending to host a ZIP archive. Instead of starting a direct download, the target is redirected to a domain that installs a tracking pixel, letting the threat actor to verify engagement. Another redirect sends the ZIP file. 

The archive pretends to consist of a standard HTML file, but ClearSky experts revealed that it is actually an HTA app in hiding. When deployed, the file shows a fake document related to a Ukrainian government border crossing request, where malicious processes are launched in the background. 

Attack tactic 

Before starting, the malware verifies a Windows Registry key to set the system's installation date. If the OS is older than ten days, deployment stops, an attack tactic that escapes sandbox traps used by threat analysts. 

If all the conditions are fulfilled, the malware looks for the original ZIP file and retrieves extra components. The malware builds its persistence via a scheduled task that runs a VBS script which deploys steganography to steal hidden executable code from an image file. 

Only nine antivirus engines could spot the payload at the time of study. 

Multi-Layered Attack

After activation within a particular parameter, BadPaw links to a C2 server. 

The following process happens:

Getting a numeric result from the /getcalendar endpoint. 

Gaining access to a landing page called "Telemetry UP!” through /eventmanager. 

Downloading the ASCII-encoded payload information installed within HTML. 

In the end, the decrypted data launches a backdoor called "MeowMeowProgram[.]exe," which offers file system control and remote shell access. 

Four protective layers are included in the MeowMeow backdoor: runtime parameter constraints, obfuscation of the.NET Reactor, sandbox detection, and monitoring for forensic tools like Wireshark, Procmon, Ollydbg, and Fiddler.

Incorrect execution results in a benign graphical user interface with a picture of a cat. The "MeowMeow" button only displays a harmless message when it is clicked.

Read more »
Rui-Siang Lin Pharoah
Cyber Security Dark Web dark web drug market FBI informant investigation fentanyl overdose crisis Incognito Market Rui-Siang Lin Pharoah

FBI Informant Allegedly Ran Most Operations on Incognito Market While Fentanyl-Laced Drugs Caused Overdose Deaths

 

An FBI informant reportedly handled the majority of activity on Incognito Market—one of the largest drug marketplaces on the dark web—for nearly two years, even as fentanyl-laced pills linked to the platform caused fatal overdoses across the United States. Court documents indicate that the unnamed confidential source managed roughly 95% of transactions on the site between 2022 and 2024, effectively helping operate the $100 million marketplace.

According to filings, the informant approved vendor listings, mediated disputes among users, and oversaw cryptocurrency payments on the platform. These activities allegedly continued even after buyers warned about near-fatal overdoses connected to certain suppliers.

Taiwanese national Rui-Siang Lin, who used the alias “Pharoah,” created Incognito Market and ran it from October 2020 until March 2024. The Tor-based platform hosted nearly 1,800 vendors who sold drugs such as cocaine, methamphetamine, MDMA, and opioids to hundreds of thousands of buyers worldwide.

In October, Judge Colleen McMahon sentenced Lin to 30 years in federal prison and ordered him to forfeit $105 million. The judge described him as a “drug kingpin,” despite the defense raising serious questions about the extent of FBI involvement in the operation.

During sentencing in Manhattan federal court, Arkansas physician David Churchill spoke about the death of his son Reed in September 2022. The 22-year-old died after taking fentanyl-laced oxycodone pills purchased through Incognito Market. The drugs were supplied by a vendor known as RedLightLabs, whose operators—Michael Ta and Raj Srinivasan—later pleaded guilty to charges tied to five overdose deaths.

Churchill asked Lin to remember his son’s face while serving his sentence. However, the revelation that the FBI’s own confidential asset was moderating the marketplace at the time of Reed’s death added another troubling dimension to the case.

When Law Enforcement Becomes the Accomplice

Lin’s defense team argued that the FBI informant functioned more like a partner than an undercover observer. According to defense filings, the government’s source did more than infiltrate the marketplace—it played a central operational role.

Documents suggest the informant approved vendors, handled user complaints, and processed transactions while allegedly overlooking warnings about fentanyl contamination in certain drug listings.

In November 2023, users reported severe overdoses and hospitalizations tied to a particular vendor who nevertheless continued fulfilling more than 1,000 orders. Court records also show the informant debated Lin about maintaining bans on fentanyl, reportedly advocating for “free markets” before Lin conducted a user poll—later described as rigged—that maintained the prohibition.

Defense attorney Noam Biale described the situation as a joint operation, saying: “The government had the ability to mitigate the harm—and didn’t do it.”

Judge McMahon also questioned the length of the investigation, asking why authorities allowed the marketplace to remain active for such an extended period after gaining access.

Prosecutors, however, argued that the informant was simply following Lin’s instructions as part of a broader strategy to identify “Pharaoh.” Authorities ultimately traced Lin through blockchain analysis and seized servers tied to the marketplace.

While Lin’s 30-year sentence remains in place, his planned appeal and the debate surrounding the informant’s role indicate that the legal and ethical questions surrounding the Incognito Market investigation are far from resolved.
Read more »
malware
ATM jackpotting Bank Security FBI Financial crime malware

ATM Jackpotting Malware Triggers Record Global ATM Heists in 2025

 

ATM jackpotting attacks surged dramatically in 2025, with cybercriminals using specialized malware to force cash machines to spit out money on command, often without touching any customer account. This new wave of attacks exposed serious weaknesses in how banks protect the physical and digital components of their ATM fleets. 

According to FBI figures, there have been about 1,900 reported ATM jackpotting cases in the United States since 2020, and more than 700 of those incidents occurred in 2025 alone, causing over 20 million dollars in losses. The attacks rely heavily on malware families such as Ploutus, which has been around for over a decade but continues to evolve. Instead of targeting customer accounts, Ploutus directly compromises the ATM’s operating system, allowing crooks to drain cassettes in minutes before anyone notices something is wrong. 

To execute a jackpotting operation, attackers first need physical access to the machine’s internals. The FBI notes that gangs often use widely available “generic” keys to open the service panel, then remove or connect to the hard drive or USB ports. Once inside, they either load malware onto the existing drive or swap in a pre‑infected disk that boots a compromised operating system capable of issuing unauthorized dispense commands. In many cases, a mule returns later, enters a secret code or connects a device, and collects the cash as the ATM empties itself.

What makes these operations so dangerous is that the malware can bypass normal bank authorization checks and trigger cash withdrawals without a card, PIN, or even a linked account.Because the machine behaves as if it is performing legitimate transactions, banks often only discover the theft after reconciling cash levels and seeing large, unexplained shortages. The U.S. Justice Department has already charged dozens of suspects in jackpotting schemes, including crews tied to transnational criminal groups accused of stealing millions of dollars from victim banks and credit unions. 

In response, the FBI and regulators are urging financial institutions and ATM operators to harden both physical and software defenses. Recommended steps include replacing standard locks, reinforcing ATM cabinets, keeping systems fully patched, and closely monitoring machines for signs of tampering or unexpected restarts. As 2026, ATM jackpotting has become a priority threat for the banking sector, underlining the need for continuous security upgrades and better coordination between banks, law enforcement, and cybersecurity teams.
Read more »
VNC Remote Access
Accessibility Service Exploit AI DrivenMalware Android Malware Android Security Threats Cyber Threats Gemini AI Abuse malware Mobile Banking Phishing VNC Remote Access

Google Responds After Reports of Android Malware Leveraging Gemini AI



There has been a steady integration of artificial intelligence into everyday digital services that has primarily been portrayed as a story of productivity and convenience. However, the same systems that were originally designed to assist users in interpreting complex tasks are now beginning to appear in much less benign circumstances. 


According to security researchers, a new Android malware strain appears to be woven directly into Google's Gemini AI chatbot, which seems to have a generative AI component. One of the most noteworthy aspects of this discovery is that it marks an unusual development in the evolution of mobile threat evolution, as a tool that was intended to assist users with problems has been repurposed to initiate malicious software through the user interface of a victim's device.

In real time, the malware analyzes on-screen activity and generates contextual instructions based on it, demonstrating that modern AI systems can serve as tactical enablers in cyber intrusions. As a result of the adaptive nature of malicious applications, traditional automated scripts rarely achieve such levels of adaptability. 

It has been concluded from further technical analysis that the malware, known as PromptSpy by ESET, combines a variety of established surveillance and control mechanisms with an innovative layer of artificial intelligence-assisted persistence. 

When the program is installed on an affected device, a built-in virtual network computing module allows operators to view and control the compromised device remotely. While abusing Android's accessibility framework, this application obstructs users from attempting to remove the application, effectively interfering with user actions intended to terminate or uninstall it. 

Additionally, malicious code can harvest lock-screen information, collect detailed device identifiers, take screenshots, and record extended screen activity as video while maintaining encrypted communications with its command-and-control system. 


According to investigators, the campaign is primarily motivated by financial interests and has targeted heavily on Argentinian users so far, although linguistic artifacts within the code base indicate that the development most likely took place in a Chinese-speaking environment. However, PromptSpy is characterized by its unique implementation of Gemini as an operational aid that makes it uniquely unique. 

A dynamic interpretation of the device interface is utilized by the malware, instead of relying on rigid automation scripts that simulate taps at predetermined coordinates, an approach that frequently fails across different versions or interface layouts of Android smartphones. It transmits a textual prompt along with an XML representation of the current screen layout to Gemini, thereby providing a structured map of the visible buttons, text labels, and interface elements to Gemini. 

Once the chatbot has returned structured JSON instructions which indicate where interaction should take place, PromptSpy executes those instructions and repeats the process until the malicious application has successfully been anchored in the recent-apps list. This reduces the likelihood that the process may be dismissed by routine user gestures or management of the system. 


ESET researchers noted that the malware was first observed in February 2026 and appears to have evolved from a previous strain known as VNCSpy. The operation is believed to selectively target regional victims while maintaining development infrastructure elsewhere by uploading samples from Hong Kong, before later variants surface in Argentina. 

It is not distributed via official platforms such as Google Play; instead, victims are directed to a standalone website impersonating Chase Bank's branding by using identifiers such as "MorganArg." In addition, the final malware payload appears to be delivered via a related phishing application, thought to be originated by the same threat actor. 

Even though the malicious software is not listed on the official Google Play store, analysts note that Google Play Protect can detect and block known versions of the threat after they are identified. This interaction loop involves the AI model interpreting the interface data and returning structured JSON responses that are utilized by the malware for operational guidance. 

The responses specify both the actions that should be performed-such as simulated taps-as well as the exact interface element on which they should occur. By following these instructions, the malicious application is able to interact with system interfaces without direct user input, by utilizing Android's accessibility framework. 

Repeating the process iteratively is necessary to secure the application's position within the recent apps list of the device, a state that greatly complicates efforts to initiate task management or routine gestures to terminate the process. 

Gemini assumes the responsibility of interpreting the interface of the malware, thereby avoiding the fragility associated with fixed automation scripts. This allows the persistence routine to operate reliably across a variety of screen sizes, interface configurations, and Android builds. Once persistence is achieved, the operation's main objective becomes evident: establishing sustained remote access to the compromised device. 

By deploying a virtual network computing component integrated with PromptSpy, attackers have access to a remote monitor and control of the victim's screen in real time via the VNC protocol, which connects to a hard-coded command-and-control endpoint and is controlled remotely by the attacker infrastructure. 

Using this channel, the malware is able to retrieve operational information, such as the API key necessary to access Gemini, request screenshots on demand, or initiate continuous screen recording sessions. As part of this surveillance capability, we can also intercept highly sensitive information, such as lock-screen credentials, such as passwords and PINs, and record pattern-based unlock gestures. 

The malware utilizes Android accessibility services to place invisible overlays across portions of the interface, which effectively prevents users from uninstalling or disabling the application. As a result of distribution analysis, it appears the campaign uses a multi-stage delivery infrastructure rather than an official application marketplace for delivery. 


Despite never appearing on Google Play, the malware has been distributed through a dedicated website that distributes a preliminary dropper application instead. As soon as the dropper is installed, a secondary page appears hosted on another domain which mimics JPMorgan Chase's visual identity and identifies itself as MorganArg. Morgan Argentina appears to be the reference to the dropper. 

In the interface, victims are instructed to provide permission for installing software from unknown sources. Thereafter, the dropper retrieves a configuration file from its server and quietly downloads it. According to the report, the file contains instructions and a download link for a second Android package delivered to the victim as if it were a routine application update based on Spanish-language prompts. 

Researchers later discovered that the configuration server was no longer accessible, which left the specific distribution path of the payload unresolved. Clues in the malware’s code base provide additional insight into the campaign’s origin and targeting strategy. Linguistic artifacts, including debug strings written in simplified Chinese, suggest that Chinese-speaking operators maintained the development environment. 

Furthermore, the cybersecurity infrastructure and phishing material used in the operation indicate an interest in Argentina, which further supports the assessment that the activity is not espionage-related but rather financially motivated. It is also noted that PromptSpy appears to be a result of the evolution of a previously discovered Android malware strain known as VNCSpy, the samples of which were first submitted from Hong Kong to VirusTotal only weeks before the new variant was identified.

In addition to highlighting an immediate shift in the technical design of mobile threats, the discovery also indicates a broader shift. It is possible for attackers to automate interactions that would otherwise require extensive manual scripting and constant maintenance as operating systems change by outsourcing interface interpretation to a generative artificial intelligence system. 

Using this approach, malware can respond dynamically to changes in interfaces, device models, and regional system configurations by changing its behavior accordingly. Additionally, PromptSpy's persistence technique complicates remediation, since invisible overlays can obstruct victims' ability to access the uninstall controls, thereby further complicating remediation. 

In many cases, the only reliable way to remove the application is to restart the computer in Safe Mode, which temporarily disables third-party applications, allowing them to be removed without interruption. As security researchers have noted, PromptSpy's technique indicates that Android malware development is heading in a potentially troubling direction. 

By feeding an image of the device interface to artificial intelligence and receiving precise interaction instructions in return, malicious software gains an unprecedented degree of adaptability and efficiency not seen in traditional mobile threats. 

It is likely that as generative models become more deeply ingrained into consumer platforms, the same interpretive capabilities designed to assist users may be increasingly repurposed by threat actors who wish to automate complicated device interactions and maintain long-term control over compromised systems. 

Security practitioners and everyday users alike should be reminded that defensive practices must evolve to meet the changing technological landscape. As a general rule, analysts recommend installing applications only from trusted marketplaces, carefully reviewing accessibility permission requests, and avoiding downloads that are initiated by unsolicited websites or update prompts. 

The use of Android security updates and Google Play Protect can also reduce exposure to known threats as long as the protections remain active. Research indicates that, as tools such as Gemini are increasingly being used in malicious workflows, it signals an inflection point in mobile security, which may lead to a shift in both the offensive and defensive sides of the threat landscape as artificial intelligence becomes more prevalent. 

It is likely that in order to combat the next phase of adaptive Android malware, the industry will have to strengthen detection models, improve behavioural monitoring, and tighten controls on high-risk permissions.
Read more »
Middle East
Cyber Crime DDOS Attack Hackers IoT devices Middle East

149 Hacktivist DDoS Claims Recorded Across 16 Countries Following Middle East Escalation





A sharp rise in politically motivated cyber activity has emerged in the aftermath of the coordinated U.S.–Israel military operations against Iran, referred to as Epic Fury and Roaring Lion. Security analysts say online retaliation unfolded almost immediately, with hacktivist groups launching large-scale distributed denial-of-service, or DDoS, campaigns against institutions across multiple regions.

According to a report published by Radware, 149 separate DDoS attack claims were documented between February 28 and March 2, 2026. These incidents targeted 110 distinct organizations spanning 16 countries. Twelve different groups participated in the activity. Three of them, Keymous+, DieNet, and NoName057(16), were responsible for 74.6 percent of the total claims. Radware further noted that Keymous+ and DieNet alone accounted for nearly 70 percent of activity during that period.

The earliest attack in this wave was attributed to Hider Nex, also known as the Tunisian Maskers Cyber Force, on February 28. Information shared by Orange Cyberdefense describes Hider Nex as a Tunisian hacktivist collective aligned with pro-Palestinian causes. The group reportedly employs a dual strategy that combines service disruption with data theft and public leaks to amplify political messaging. Researchers trace its emergence to mid-2025.

Geographically, 107 of the 149 DDoS claims were directed at organizations in the Middle East, where government bodies and public infrastructure entities were disproportionately affected. Europe accounted for 22.8 percent of the global targeting during the same timeframe. By sector, government institutions represented 47.8 percent of all affected entities worldwide. Financial services followed at 11.9 percent, while telecommunications organizations accounted for 6.7 percent.

Within the Middle East, three countries experienced the highest concentration of reported activity. Kuwait accounted for 28 percent of regional attack claims, Israel represented 27.1 percent, and Jordan comprised 21.5 percent, according to Radware’s analysis.

Threat intelligence from Flashpoint, Palo Alto Networks Unit 42, and Radware identified additional groups engaged in disruptive campaigns, including Nation of Saviors, Conquerors Electronic Army, Sylhet Gang, 313 Team, Handala Hack, APT Iran, Cyber Islamic Resistance, Dark Storm Team, FAD Team, Evil Markhors, and PalachPro.

The cyber activity extended beyond DDoS operations. Pro-Russian hacktivist collectives Cardinal and Russian Legion publicly claimed breaches of Israeli military networks, including the Iron Dome missile defense system. These assertions have not been independently verified.

Separate threat reporting identified an active SMS-based phishing operation distributing a counterfeit version of Israel’s Home Front Command RedAlert mobile application. Victims were reportedly persuaded to install a malicious Android package disguised as a wartime update. Once installed, the application displayed a functional alert interface while covertly deploying surveillance and data-exfiltration capabilities.

Flashpoint also reported that Iran’s Islamic Revolutionary Guard Corps targeted energy and digital infrastructure sectors in the Middle East, including Saudi Aramco and an Amazon Web Services data center in the United Arab Emirates. Analysts assessed that the intent was to impose broader economic pressure in response to military losses.

Researchers at Check Point observed that Cotton Sandstorm, also known as Haywire Kitten, revived a previous online identity called Altoufan Team and claimed responsibility for website compromises in Bahrain. The firm described the activity as reactive and warned of the likelihood of further involvement across the region.

Data from Nozomi Networks shows that the Iranian state-linked group UNC1549, also tracked as GalaxyGato, Nimbus Manticore, and Subtle Snail, ranked as the fourth most active threat actor in the second half of 2025. Its campaigns focused on defense, aerospace, telecommunications, and government entities in support of national strategic objectives.

Economic signals have also reflected the instability. Major Iranian cryptocurrency exchanges remain operational but have introduced adjustments such as batching or temporarily suspending withdrawals and issuing advisories about potential connectivity disruptions. Ari Redbord, Global Head of Policy at TRM Labs, stated that the situation does not yet indicate large-scale capital flight, but rather market volatility managed under connectivity constraints and regulatory intervention. He noted that Iran has long relied in part on cryptocurrency infrastructure to circumvent sanctions, and current conditions represent a real-time stress test of that system.

Despite heightened online activity, Sophos reported observing an increase in hacktivist operations without a corresponding escalation in confirmed impact. The firm cited DDoS attacks, website defacements, and unverified compromise claims attributed largely to pro-Iran personas, including Handala Hack and APT Iran.

The National Cyber Security Centre has warned organizations of elevated Iranian cyber risk and advised strengthening defenses against DDoS campaigns, phishing activity, and threats targeting industrial control systems.

Cynthia Kaiser of Halcyon, formerly Deputy Assistant Director of the Federal Bureau of Investigation’s Cyber Division, stated that Iran has historically used cyber operations to retaliate against perceived political provocations and has increasingly incorporated ransomware into its playbook. She added that Tehran’s tolerance of private cybercriminal actors provides strategic options when responding to geopolitical events.

SentinelOne assessed with high confidence that organizations in Israel, the United States, and allied nations are likely to face direct or indirect targeting, particularly across government, critical infrastructure, defense, financial services, academic, and media sectors.

Nozomi Networks further emphasized that Iranian threat actors have a history of blending espionage, disruption, and psychological operations to achieve strategic objectives. During periods of instability, such campaigns often intensify and extend beyond immediate conflict zones.

To mitigate risk amid the ongoing conflict, security experts recommend continuous monitoring aligned with elevated threat conditions, updating threat intelligence signatures, minimizing external exposure, conducting comprehensive reviews of connected assets, enforcing strict segmentation between information technology and operational technology networks, and isolating Internet-of-Things devices.

Adam Meyers, head of Counter Adversary Operations at CrowdStrike, noted that Iranian cyber actors have historically synchronized digital campaigns with broader strategic goals. He added that these adversaries have evolved beyond traditional network intrusions, expanding into cloud and identity-focused operations capable of operating rapidly across hybrid enterprise environments with greater scale and impact.

As tensions persist, analysts caution that cyberspace is likely to remain an active parallel arena of confrontation, requiring sustained vigilance from organizations across affected and allied regions.

Read more »
iPhone
Apple Cyber Security Data Theft iOS Devices iPhone

Coruna Exploit Kit Targets iPhones With 23 Vulnerabilities Across Multiple iOS Versions

 

Security researchers have identified a powerful exploit framework targeting Apple iPhones running older versions of the iOS operating system. 

The toolkit, called Coruna and also known as CryptoWaters, includes multiple exploit chains capable of targeting devices running iOS versions from 13.0 through 17.2.1, according to researchers from Google’s Threat Intelligence Group. 

The framework contains five full exploit chains and a total of 23 vulnerabilities. Researchers said the exploit kit is not effective against the most recent versions of iOS. 

“The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non public exploitation techniques and mitigation bypasses,” Google researchers said. 

They added that the infrastructure supporting the kit is carefully designed and integrates several exploit components into a unified framework. 

“The framework surrounding the exploit kit is extremely well engineered. The exploit pieces are all connected naturally and combined together using common utility and exploitation frameworks.” 

According to researchers, the exploit kit has circulated among several types of threat actors since early 2025. 

The toolkit first appeared in a commercial surveillance operation before being used by a government backed attacker. 

By late 2025, it had reached a financially motivated threat group operating from China. Investigators say the movement of the exploit kit between groups suggests a growing underground market where previously developed zero day tools are resold and reused. 

Security firm iVerify said the spread of Coruna demonstrates how advanced surveillance tools can move beyond their original operators. 

“Coruna is one of the most significant examples we’ve observed of sophisticated spyware grade capabilities proliferating from commercial surveillance vendors into the hands of nation state actors and ultimately mass scale criminal operations,” the company said. 

Researchers first detected elements of the exploit chain in early 2025 when a surveillance customer used it within a JavaScript framework that had not been previously documented. 

The framework gathers information about the targeted device including the model and the iOS version running on it. Based on this fingerprinting data, the framework delivers a suitable WebKit remote code execution exploit. 

One of the vulnerabilities used in the chain was CVE-2024-23222, a type confusion flaw in Apple’s WebKit browser engine that was patched in January 2024. 

The framework appeared again in July 2025 when it was discovered on a domain used to deliver malicious content through hidden iframes on compromised websites in Ukraine. 

These sites included pages related to industrial tools, retail services and e commerce platforms. 

Researchers believe a suspected Russian espionage group tracked as UNC6353 was responsible for that activity. The exploit framework was delivered only to certain users based on their geographic location and device characteristics. 

A third wave of activity was identified in December 2025. In that campaign, attackers used a network of fake Chinese websites related to financial topics to distribute the exploit kit. 

Visitors were encouraged to access the sites from iPhones or iPads for a better browsing experience. Once accessed from an Apple device, the websites inserted a hidden iframe that triggered the Coruna exploit kit. This campaign has been linked to a threat cluster tracked as UNC6691. 

Further investigation uncovered a debug version of the exploit kit along with several exploit samples spanning five complete attack chains. 

Researchers said the kit includes vulnerabilities affecting several generations of iOS. These include exploits targeting iOS 13 through iOS 17.2.1 using vulnerabilities such as CVE-2020-27932, CVE-2022-48503, CVE-2023-32409 and CVE-2024-23222. 

Some of the vulnerabilities in the toolkit had previously been used as zero day exploits in earlier operations. 

“Photon and Gallium are exploiting vulnerabilities that were also used as zero days as part of Operation Triangulation,” Google researchers said. 

Once a device is compromised, attackers can deploy additional malware components. In the case of the UNC6691 campaign, the exploit chain delivered a stager called PlasmaLoader. 

The program is designed to decode QR codes embedded in images and retrieve additional modules from external servers. These modules can then collect sensitive data from cryptocurrency wallet applications including Base, Bitget Wallet, Exodus and MetaMask. 

Researchers said the malware contains hard coded command and control servers along with a fallback system that generates domain names automatically using a domain generation algorithm seeded with the word lazarus. 

A notable characteristic of the Coruna exploit kit is that it avoids running on devices using Apple’s Lockdown Mode or devices browsing in private mode. Security researchers recommend that iPhone users update their devices to the latest version of iOS and enable Lockdown Mode when additional protection is needed.
Read more »
Reverse Firewall
Cyber Security Data Access Restrictions Digital Governance DNS Blocking Geo Blocking Great Firewall Internet censorship Network Filtering Reverse Firewall

China Tightens Control Over Official Data Available to the Outside World


 

Early in the Internet's history, the global network architecture was widely recognized as an evolving system for transferring government documents, statistical records, and institutional disclosures across jurisdictions a borderless repository of knowledge that enabled government documents to travel freely across jurisdictions. 

A number of scholars, investors, journalists, and policymakers have become accustomed to considering publicly hosted websites as a reliable window into distant government administration. However, recent observations suggest that the assumption of digital openness in China's online ecosystem may be changing quietly. 

There has been a steady decline in the international accessibility of Chinese government portals over the past few years: more and more official websites that once appeared regularly in global search results cannot be accessed when searching outside the country's boundaries. 

In addition to a broader recalibration of information governance, the emerging pattern is interpreted by analysts as a result of an overall pattern rather than isolated technical disruptions. China's institutional data may also be shaped by these practices, not only by managing the flow of foreign content into the country, but also by how much of it remains public.

Over the past few decades, the internet has facilitated unprecedented accessibility to information, dissolving borders that once restricted public records, statistics, and government disclosures. However, new evidence suggests that this openness may be gradually waning in one of the most influential digital ecosystems in the world.

According to researchers who have examined the accessibility of official Chinese government websites, an increasing number of them are no longer accessible from abroad. Despite the pattern, it does not seem to be isolated technical failures, but rather a subtle architectural shift in Chinese information governance that analysts are increasingly describing: a system that restricts not only what citizens of the country are allowed to observe, but also what the outside world can see about China. 

A detailed analysis conducted in February 2025 indicates these interruptions are not simply a consequence of technical inconsistencies, but rather are the result of deliberate policy restrictions. According to researchers, approximately sixty percent of failed connections to Chinese government portals are a consequence of deliberate policy restrictions, while the remaining cases are attributed to network congestion, legacy infrastructure, or fragmented hosting systems. 

It reverses the logic of Chinese domestic internet controls well known to the public. In contrast to the original system, which limited what users were allowed to view abroad, the new configuration appears to be intended to restrict what audiences outside the country may see regarding China's own administrative, economic, and regulatory landscape. These restrictions are unevenly distributed.

As opposed to a uniform nationwide block of geo-filtering, it is more common to detect clusters of it across specific provinces or prefectures. Due to this, certain municipal or regional data portals remain available to overseas users despite neighboring jurisdictions appearing systematically unreachable from overseas. 

As a consequence of this fragmented pattern, it is increasingly challenging for foreign researchers and analysts to construct consistent datasets, since information availability varies greatly according to the level of administration and technology in place to support government websites.

The tightening of external access has also extended beyond government portals into major commercial information services that have long served as research infrastructure for international observers of China’s economy. 

Several commonly used platforms - such as Qichacha, a corporate registry database, the China National Knowledge Infrastructure academic repository, and Wind - were restricted from allowing foreign connectivity in 2022 and 2023. 

A wide range of multinational companies, consulting firms, and academic institutions used these tools to conduct competitor analysis, regulatory monitoring, and market research within China. As a result of their removal from overseas networks, external stakeholders are significantly limited in the number of verifiable public data they can access. 

In May 2024, another similar episode occurred when the National People’s Congress website temporarily implemented geographical restrictions preventing access to its website from outside mainland China, Hong Kong, Macao, and Taiwan. 

Although the restriction was eventually lifted, the incident illustrated how even the highest legislative information portals of the country can be subject to sudden changes in accessibility without prior notice. It was evident by early 2025 that there was a growing access gap within China's own digital ecosystem as well.

For the phrase "government website" in Chinese, autocompletion suggestions increasingly included queries such as "cannot enter government website" and "cannot open government website." According to the trend, it appears that the issue is not just affecting international analysts, but also Chinese citizens living abroad, overseas scholars, and global business teams seeking official information from abroad. 

Chinese digital governance has been closely linked to what has become known as the Great Firewall, a layered system of network filtering and regulatory oversight designed to limit domestic access to foreign platforms for much of the modern internet era. 

The framework has made a wide range of international services largely inaccessible to mainland China for a number of years, including major technology platforms and a number of prominent global news outlets. 

Some residents have historically used virtual private networks to circumvent these restrictions; however, authorities have repeatedly moved to tighten regulations pertaining to such tools, framing them as potential threats to national security and information sovereignty, resulting in unauthorized circumvention technologies becoming more prevalent. 

Due to the emerging pattern of restricted access to Chinese government websites, this long-established architecture has been markedly inverted. Rather than focusing exclusively on filtering inbound information, new evidence indicates that outward visibility of Chinese public-sector data could also be limited. 

Lennart Brussee conducted a recent technical assessment, compiled from over 13,000 websites operated by governments at all levels of government, to determine the extent and scope of the phenomenon. Researches conducted by the researcher during November were conducted to evaluate their accessibility from more than a dozen locations outside China, using residential proxy infrastructure to simulate standard user connections. 

Several of these official websites were unable to be accessed from overseas networks, according to the results. Despite some failures appearing consistent with routine connectivity problems, there was a significant share of failures that were consistent with intentional filtering.

Approximately one in ten access attempts encountered mechanisms commonly associated with deliberate blocking. These included server-side restrictions and domain name system filtering, preventing foreign queries from properly resolving. 

The findings together indicate that limitations on external access are not limited to isolated platforms but may also occur on administrative websites of all types. As researchers, investors, and policy analysts utilize public government records to track regulatory developments, demographics, and economic indicators, the increasing opacity of these digital sources presents a challenge in interpreting China's rapidly evolving information environment.

It has already been noticed that such restrictions are likely to have long-term consequences among policy researchers studying the long-term consequences of data opacity. It was argued in 2023 that the limiting international access to publicly available Chinese data would undermine informed policy decisions, according to analysts Dewey Murdick and Owen Daniels of Georgetown University's Centre for Security and Emerging Technology.

The authors cautioned that the continued closure of official datasets would lead to a diminished ability to analyze China's political and economic systems based on evidence. They observed that researchers who cannot verify developments through open information can create speculative narratives and reinforce polarized interpretations as a consequence of the resulting vacuum. 

At a time when geopolitical tensions between China and the United States are already shaping global policy debate, this can be especially problematic. A decline in public data access, they claim, may unintentionally contribute to policy miscalculations, such as poor economic decoupling strategies or protectionist responses that are based primarily on uncertainty rather than verifiable evidence. 

There are broader implications beyond academic research. It has been suggested by Brussee that selective geoblocking of government resources could adversely affect people-to-people exchanges and complicate foreign companies’ attempts to interpret regulatory signals, market conditions, and administrative guidance from official sources. 

As an essential layer of informational infrastructure for international firms operating in or studying the Chinese market, publicly accessible government portals have long been an integral part of this process. In response, reduced accessibility may result in a greater reliance on secondary interpretations rather than direct examination of primary data. 

Nevertheless, the researchers warn against the implication that the phenomenon is unique to Chinese culture. In recent years, governments across several jurisdictions, including the United States and Russia, have explored ways of limiting the exposure of certain domestic information systems to the outside world. In Chinese territory, geo-blocking does not appear to be uniformly distributed. 

The restrictions, however, tend to occur in clusters at the provincial or prefectural administrative level, which suggests that local authorities may be implementing technical controls in response to national policy signals at the same time. 

Consequently, researchers have described the process as a gradual experiment in institutional design. There appears to be a wide range of technical approaches adopted by different agencies and regional governments, potentially evaluating the effectiveness of external access controls before deciding whether to expand them more widely. 

Observers point out that China's approach to digital governance has historically influenced internet management practices beyond its borders, suggesting that such experimentation could suggest the development of a more comprehensive data governance strategy.

The development of network filtering systems by countries such as Russia, Uganda, and Myanmar has often been based on elements of Chinese experience, sometimes accompanied by technical guidance.
Read more »
LexisNexis
AWS Cloud Data Theft Cloud Infrastructure Threats Customer Data Exposed Data Breach Data protection data security Hacker attack LexisNexis

LexisNexis Confirms Data Breach After Hackers Exploit Unpatched React App

 

A breach at LexisNexis Legal & Professional exposed some customer and business data, the firm confirmed. News surfaced after FulcrumSec claimed responsibility and leaked about two gigabytes of files on underground platforms. Hackers accessed parts of the company’s systems, though the breach scope was limited. The American analytics provider confirmed the incident days later, stating only a small portion of its infrastructure was affected. 

The company said an outside actor gained access to a limited number of servers. LexisNexis Legal & Professional provides legal research, regulatory information, and analytics tools to lawyers, corporations, government agencies, and universities in more than 150 countries. According to the firm, most of the accessed information came from older systems and was not considered sensitive, which reduced the potential impact.  

Internal findings showed that much of the exposed data originated from legacy systems storing information created before 2020. Records included customer names, user IDs, and business contact details. Some files contained product usage information and logs from past support tickets, including IP addresses from survey responses. However, sensitive personal identifiers such as Social Security numbers or driver’s license data were not included. Financial information, active passwords, search queries, and confidential client case data were also not part of the compromised dataset. 

The breach reportedly occurred around February 24 after attackers exploited the React2Shell vulnerability in an outdated front-end application built with React. The flaw allowed entry into cloud resources hosted on Amazon Web Services before it was addressed. 

While LexisNexis described the affected systems as containing mostly obsolete data, FulcrumSec claimed the intrusion was broader. The group said it extracted about 2.04GB of structured data from the company’s cloud infrastructure, including numerous database tables, millions of records, and internal system configurations. According to the attacker, the breach exposed more than 21,000 customer accounts and information linked to over 400,000 cloud user profiles, including names, email addresses, phone numbers, and job roles. 

Some of the records reportedly belonged to individuals with .gov email addresses, including U.S. government employees, federal judges and law clerks, Department of Justice attorneys, and staff connected to the Securities and Exchange Commission. FulcrumSec also criticized the company’s cloud security setup, alleging that a single ECS task role had access to numerous stored secrets, including credentials linked to production databases. The group said it attempted to contact the company but claimed no cooperation occurred. 

LexisNexis stated that the breach has been contained and confirmed that its products and customer-facing services were not affected. The company notified law enforcement and engaged external cybersecurity experts to assist with investigation and response. Customers, both current and former, have also been informed about the incident. The company had disclosed another breach last year after a compromised corporate account exposed data belonging to roughly 364,000 customers. 

The latest case highlights how vulnerabilities in cloud applications and outdated software can expose enterprise systems even when they contain primarily legacy information.
Read more »
Subscribe to: Comments (Atom)