Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Students
AI Cyber Security entrepreneurs founders Healthcare new startup Stanford University Students

Student Founders Establish Backed Program to Help Peers Build Startups

 



Two students affiliated with Stanford University have raised $2 million to expand an accelerator program designed for entrepreneurs who are still in college or who have recently graduated. The initiative, called Breakthrough Ventures, focuses on helping early-stage founders move from rough ideas to viable businesses by providing capital, guidance, and access to professional networks.

The program was created by Roman Scott, a recent graduate, and Itbaan Nafi, a current master’s student. Their work began with small-scale demo days held at Stanford in 2024, where student teams presented early concepts and received feedback. Interest from participants and observers revealed a clear gap. Many students had promising ideas but lacked practical support, legal guidance, and introductions to investors. The founders then formalized the effort into a structured accelerator and raised funding to scale it.

Breakthrough Ventures aims to address two common obstacles faced by student founders. First, early funding is difficult to access before a product or revenue exists. Second, students often do not have reliable access to mentors and industry networks. The program responds to both challenges through a combination of financial support and hands-on assistance.

Selected teams receive grant funding of up to $10,000 without giving up ownership in their companies. Participants also gain access to legal support and structured mentorship from experienced professionals. The program includes technical resources such as compute credits from technology partners, which can lower early development costs for startups building software or data-driven products. At the end of the program, founders who demonstrate progress may be considered for additional investment of up to $50,000.

The accelerator operates through a hybrid format. Founders participate in a mix of online sessions and in-person meetups, and the program concludes with a demo day at Stanford, where teams present their progress to potential investors and collaborators. This structure is intended to keep participation accessible while still offering in-person exposure to the startup ecosystem.

Over the next three years, the organizers plan to deploy the $2 million fund to support at least 100 student-led companies across areas such as artificial intelligence, healthcare, consumer products, sustainability, and deep technology. By targeting founders at an early stage, the program aims to reduce the friction between having an idea and building a credible company, while promoting responsible, well-supported innovation within the student community.

Read more »
Ukraine
Cloud Data Starlink Technology Ukraine

Ukraine Increases Control Over Starlink Terminals


New Starlink verification system 

Ukraine has launched a new authentication system for Starlink satellite internet terminals used by the public and the military after verifying that Russia state sponsored hackers have started using the technology to attack drones. 

The government has also introduced a compulsory “whitelist” for Starlink terminals, where only authenticated and registered devices will work in Ukraine. All other terminals used will be removed, as per the statement from Mykhailo Fedorov, country's recently appointed defense chief. 

Why the new move?

Kyiv claims that Russian unmanned aerial vehicles are now being commanded in real time using Starlink links, making them more difficult to detect, jam, or shoot down. This action is intended to counteract these threats. "It is challenging to intercept Russian drones that are equipped with Starlink," Fedorov stated earlier this week. "They can be controlled by operators over long distances in real time, will not be affected by electronic warfare, and fly at low altitudes." The Ministry of Defense is implementing the whitelist in collaboration with SpaceX, the company that runs the constellation of low-Earth orbit satellites for Starlink.

The step is presently the only technological way to stop Russia from abusing the system, Fedorov revealed Wednesday, adding that citizens have already started registering their terminals. "The government has taken this forced action to save Ukrainian lives and safeguard our energy infrastructure," he stated. 

How will it impact other sectors?

Businesses will be able to validate devices online using Ukraine's e-government services, while citizens will be able to register their terminals at local government offices under the new system. According to Ukraine's Ministry of Defense, military units will be exempt from disclosing account information and will utilize a different secure registration method.

Using Starlink connectivity, Ukraine discovered a Russian drone operating over Ukrainian territory at the end of January. After then, Kyiv got in touch with SpaceX to resolve the problem, albeit the specifics of the emergency procedures were not made public. Army, a Ukrainian military outletSetting a maximum speed at which Starlink terminals can operate was one step, according to Inform, which cited an initial cap of about 75 kilometers per hour. According to the study, Russian strike drones usually fly faster than that, making it impossible for operators to manage them in real time.


Read more »
KEV
CISA CISA advisory CISA KEV catalog CVE CVE vulnerability CVEs Cyber Attacks Cyber Security Ransomware Attacks cybersecurity vulnerability KEV

CISA Warns of Actively Exploited SmarterMail Flaw Used in Ransomware Attacks

 

CISA includes a fresh SmarterMail weakness in its KEV list - this marks the third such addition linked to the messaging system within fourteen days. Identified as CVE-2026-24423, the security gap faces real-world abuse during ransom operations. Evidence points to sustained interest in compromising SmarterTools’ broadly adopted software suite. 

Another entry joins a pair of prior SmarterMail flaws listed in the KEV database since January 26. One was tagged CVE-2025-52691 - marked by unchecked uploads of hazardous files. The second, assigned CVE-2026-23760, let attackers skip login checks entirely. Analysis came first from experts at watchTowr, who unpacked how each could be triggered. Once those specifics emerged, several security teams observed active attacks; the login flaw saw more frequent abuse. Although both were dissected publicly, it was the broken verification that drew wider misuse. 

A security issue labeled CVE-2026-24423 arises because a key part of SmarterMail - the ConnectToHub API - lacks proper access checks. Versions before v100.0.9511 are exposed, letting outsiders run harmful code remotely. Instead of requiring login details, hackers exploit it by submitting a modified POST message. This leads to direct command control on the target machine through intentional input manipulation. 

Separate findings came from teams at watchTowr, CODE WHITE GmbH, and VulnCheck. As noted by Cale Black of VulnCheck, the affected endpoint skips any login checks - opening a way to set up server directory links remotely. Because that setup pulls instructions directly from an outside machine under attacker influence, control is effectively handed over. Those instructions appear as support routines inside the system. Once SmarterMail reads them, they run unchecked on whatever platform hosts the software. 

Starting at the ConnectToHub endpoint, the process handles a remote address sent via one particular parameter. Afterward, communication initiates from the SmarterMail server toward a machine controlled by the attacker. That system replies - not with ordinary data - but with settings containing command inputs meant to run. Provided minimal checks are satisfied, execution follows without further barriers. Control over the compromised environment expands widely under these conditions. 

By February 26, 2026, U.S. federal civilian agencies must fix the vulnerability - this stems from ongoing attacks involving ransomware. Though only binding for federal bodies, its listing in CISA’s KEV catalog hints at wider exposure across any organization using affected SmarterMail versions. Not just government systems face potential harm; real-world misuse raises stakes beyond official mandates. 

Right now, updating to the newest SmarterMail release is a top priority, according to analysts watching threats closely. Instead of waiting, teams managing large systems should examine log data - especially activity tied to the open ConnectToHub interface, since probes might show up as odd patterns in API traffic. What stands out is how quickly multiple flaws in SmarterMail entered official exploit databases, signaling that delays in patching could lead to real breaches. Because of this, those overseeing network access must act fast while rethinking how exposed their mail platforms really are.
Read more »
Sandworm
Cyber Attacks Cyberattacks DynoWiper Energy Grid Poland Russian APT44 Sandworm

Sandworm Hackers Fail in DynoWiper Attack on Poland's Power Grid

 

A recently disclosed cyberattack against Poland’s energy infrastructure has been linked to the Russian state-backed hacking group Sandworm, highlighting the persistent threat facing Europe’s critical sectors. The incident occurred between December 29 and 30, 2025, and reportedly targeted elements of the country’s power grid, including combined heat and power plants and systems managing electricity from renewable sources such as wind and solar. Although the attackers attempted to deploy a new destructive data wiper known as DynoWiper, Polish authorities say the operation ultimately failed to cause large-scale disruption.

Sandworm, also tracked as UAC-0113, APT44, and Seashell Blizzard, has a long history of conducting disruptive and destructive cyber operations aligned with Russian strategic interests. Active since at least 2009 and believed to be part of Russia’s GRU Military Unit 74455, the group is infamous for past campaigns, including an attack on Ukraine’s energy grid roughly a decade ago that temporarily cut power to about 230,000 people. The latest activity in Poland fits a broader pattern of Sandworm’s focus on critical infrastructure, particularly in countries supporting Ukraine or opposing Russian policies.

In the Polish case, security firm ESET linked Sandworm to the attack and identified the destructive malware used as DynoWiper, a previously unknown data-wiping tool. Data wipers are designed to iterate through a filesystem and delete or corrupt files, rendering the operating system unusable and forcing victims to rebuild systems from backups or perform complete reinstalls. ESET says DynoWiper is detected as Win32/KillFiles.NMO and has a specific SHA-1 hash, though no public samples have yet appeared on common malware analysis platforms such as VirusTotal or Any.Run.

Polish officials reported that the attackers focused on two combined heat and power plants, as well as a management system responsible for controlling energy generated from wind turbines and photovoltaic farms. Prime Minister Donald Tusk stated that “everything indicates” the operation was carried out by groups directly linked to Russian services, underscoring the political and geopolitical context surrounding the intrusion. While authorities did not provide detailed information on the extent of the compromise or the attackers’ dwell time, they emphasized that the attempt to cause destructive impact was thwarted.

Despite the failed outcome, cybersecurity experts warn that the incident should serve as a serious wake-up call for defenders across Europe. Team Cymru’s Senior Threat Intel Advisor Will Thomas has urged security teams to review Microsoft’s February 2025 report on Sandworm to better understand the group’s tactics, techniques, and procedures. With Sandworm also tied to destructive wiper attacks on Ukraine’s education, government, and grain sectors in mid and late 2025, the Polish incident reinforces the need for robust backups, network segmentation, and proactive threat hunting in all critical infrastructure environments.
Read more »
Voice Phishing Attacks
Data Breach Identity-Based Breaches Microsoft Entra Security Okta SSO Compromise Phishing-Resistant MFA Single Sign-On Security Voice Phishing Attacks

ShinyHunters Targets Okta and Microsoft SSO in Data Breach


 

Several voice-based social engineering attacks have prompted renewed scrutiny of single sign-on ecosystem security assumptions. The cybercrime collective ShinyHunters has publicly announced that it has carried out an extensive campaign to harvest SSO credentials from approximately 100 organizations, signaling an intentional shift toward identity-centered intrusion methods. 

As a result of the early disclosures, substantial amounts of data have already been exposed, as leaks have been confirmed to platforms such as SoundCloud, Crunchbase, and Betterment, which have affected tens of millions of user records. 

Moreover, the intrusions were not the result of software malfunctions or misconfigurations, but rather carefully executed voice phishing attacks that took advantage of human trust in modern authentication workflows to achieve success. 

A growing reality for enterprises is underscored by this tactic. As authentication becomes more centralized via single sign-on providers, compromises of individual identities can result in systemic access to entire SaaS environments, amplifying the scale and impact of these breaches. 

Once an employee's single sign-on credentials have been successfully accessed, the impact is extensive beyond the initial account compromise. By gaining access to a single sign-on identity, attackers will gain access to the organization's broader application ecosystem. 

Various SSO platforms, including Okta, Microsoft Entra, and Google, streamline authentication by federating access to a variety of internal and third-party services under a single login, which facilitates streamlining authentication. As a result of this architecture, usability and administrative control are improved, but risk is also concentrated, as a single breached identity can unlock multiple downstream systems.

The SSO dashboard provides authenticated users with an integrated view of all enterprise applications connected to it, transforming a compromised account into a digital footprint map of the organization. A number of business-critical applications are commonly integrated into platforms, including Microsoft 365, Google Workspace, Salesforce, SAP, Slack, Atlassian, Dropbox, Adobe, Zendesk, and other software as a service applications. 

ShinyHunters and associated actors have exploited this model through targeted voice phishing campaigns, impersonating internal IT personnel, and guiding victims through credential entry and multi-factor authentication challenges on convincingly replicated login portals. 

Following authentication, the attackers systematically enumerate all available applications within the SSO environment, and then begin extracting data from each platform, enabling massive data thefts and lateral expansion across interconnected services before security teams may detect any abnormal activity. 

In the aftermath of initial access, attackers began targeting cloud-based software-as-a-service environments, which are systematically targeting systems for storing corporate data and internal documents. The objective goes beyond data theft, with stolen information increasingly being utilized for subsequent extortion campaigns following the initial data theft. 

Various designations are being tracked by Google Threat Intelligence Group (GTIG), including UNC6661, UNC6671, and UNC6240, reflecting a loosely coordinated but tactically aligned group of operators employing a similar approach to intrusions and monetizations. 

The GTIG and Mandiant investigations indicate that activity associated with UNC6661 intensified in mid-January, when attackers posed as internal IT personnel to contact employees within targeted organizations. In addition to being told that multifactor authentication settings would soon be updated, victims were directed to convincingly branded credentials harvesting portals.

It was designed to capture both single-sign-on credentials and MFA codes in real-time, thereby enabling immediate account control. Mandiant confirmed that, in multiple instances, the compromised credentials came from Okta customers, as mentioned in an Okta blog posting describing a campaign employing advanced phishing kits in response to the compromised credentials. 

In a subsequent study, researchers attributed follow-up extortion efforts to UNC6240, citing overlapping operational artifacts including the reuse of a common Tox account during negotiations, among others. In late January, a newly established leak site listing alleged victims was published, which described the nature of the stolen information and imposed payment deadlines of 72 hours. 

Researchers have previously reported that allegations of compromise have been made against at least five organizations. UNC6671 is exhibiting similar tradecraft in parallel activities. Throughout the past week, operators connected to this cluster have conducted vishing attacks involving impersonation of IT personnel and real-time credential harvesting.

In spite of the underlying domain infrastructure being similar to that of UNC6661, researchers observed differences in domain registration services, suggesting that operations are separate despite common tools and techniques. It is believed that these groups are collectively associated with ShinyHunters, which operates under alternative banners such as Scattered Lapsus$ Hunters at times. 

The collective is derived from an ecosystem of loosely affiliated cybercriminals known as The Com, whose members have proven to be skilled at telephone social engineering. An increasingly sophisticated phishing toolkit is at the core of these operations, designed to manage the complete lifecycle of an attack. 

The latest kits are capable of generating phishing emails and hosting replicate login pages, as well as relaying captured credentials in real time to attackers—an essential feature of multifactor authentication. 

A growing number of advanced frameworks now support voice-enabled phishing, which allows attackers to coordinate live phone calls in conjunction with dynamic manipulations of the victim's browser session Okta researchers have observed that these toolkits can be adjusted on the fly, enabling callers to control which pages are presented to victims according to their scripts as well as with legitimate MFA challenges encountered during the login process. 

With this level of orchestration, attackers are able to neutralize most multi-factor authentication (MFA) mechanisms that are not explicitly phishing-resistant. These campaigns are known to target identity platforms, cryptocurrencies, and Okta's own identity and access management services, which serve as authentication hubs for extensive corporate application portfolios, including Google and Microsoft Entra. 

It has been demonstrated that phishing pages are closely modeled after legitimate sign-in interfaces, ensuring a seamless experience for victims. According to Okta threat researcher Moussa Diallo, attackers can coordinate on-screen instructions with spoken instructions, even advising victims that they will receive MFA push notifications in advance, thus lending credibility to what would otherwise appear to be an unsolicited authentication request. 

However, phishing-resistant MFA technology such as smartcards, FIDO security keys, cryptographic passkeys, and Okta FastPass introduces cryptographic binding between the service and the user, thus reducing the effectiveness of real-time social engineering attacks. 

Ultimately, the campaign reinforces the critical lesson that defenders should take away: identity has become the primary attack surface, and human interaction has become one of its most vulnerable components. 

Threat actors have refined their abilities to manipulate trust by engaging in real-time voice engagements, challenging traditional assumptions about authentication strength. In addition to considering the fact that even well-implemented SSO and MFA controls can be undermined when users are persuaded to actively participate in an attack chain, security teams must change both technical and operational strategies to address this risk. 

By adopting cryptographically bound authentication mechanisms that are phishing-resistant, organizations can reduce the probability of credential replay in real-time. Furthermore, sustained employee awareness training that recognizes voice phishing as a major threat, rather than a niche variant of email-based scams, is equally important. 

The use of clear internal IT communication processes, along with monitoring for anomalous SSO behavior and rapid response playbooks, can further limit the blast radius in the event of compromise. In order to increase resilience against identity-driven attacks, layered controls will need to remain effective even when social engineering is successfully employed.
Read more »
Cyberspace Threats
AI Security AI technology Cyber Protection Cyber Security Cybersecurity Strategy Cyberspace Cyberspace Threats

US Cybersecurity Strategy Shifts Toward Prevention and AI Security

 

Early next month, changes to how cyber breaches are reported will begin to surface, alongside a broader shift in national cybersecurity planning. Under current leadership, federal teams are advancing a more proactive approach to digital defense, focusing on risks posed by hostile governments and increasingly complex cyber threats. Central to this effort is stronger coordination across agencies, updated procedures, and shared responsibility models rather than reliance on technology upgrades alone. Officials emphasize resilience, faster implementation timelines, and adapting safeguards to keep pace with rapidly evolving technologies. 

At the Information Technology Industry Council’s Intersect Summit, White House National Cyber Director Sean Cairncross previewed an upcoming national cybersecurity strategy expected to be released soon. While details remain limited, the strategy is built around six pillars, including shaping adversary behavior in cyberspace. The aim is to move away from reactive responses and toward reducing incentives for cybercrime and state-backed attacks. Prevention, rather than damage control, is driving the update, with layered actions and long-term thinking guiding near-term decisions. Much of the work happens behind the scenes, with success measured by systems that remain secure. 

Cairncross noted that cyber harm often occurs before responses begin. The updated approach targets a wide range of threats, including nation states, state-linked criminal groups, ransomware actors, and fraud operations. By reshaping the digital environment, officials hope to make cybercrime less profitable and less attractive. This philosophy now sits at the core of federal cybersecurity policy. 

Another pillar focuses on refining the regulatory environment through closer collaboration with industry. Instead of rigid compliance checklists, officials want cybersecurity rules aligned with real-world threats and operational realities. According to Cairncross, effective oversight depends on adaptability and practicality, ensuring regulations support security outcomes rather than burden organizations unnecessarily. 

Additional priorities include modernizing and securing federal IT systems, protecting critical infrastructure such as power and transportation networks, maintaining leadership in emerging technologies like artificial intelligence, and addressing shortages in skilled cyber professionals. Officials are under pressure to deliver visible progress quickly, given political time constraints. Meanwhile, the Cybersecurity and Infrastructure Security Agency is preparing updates to the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA. Although Congress passed the law in 2022, it will not take effect until final rules are issued. 

Once implemented, organizations across 16 critical infrastructure sectors must report significant cyber incidents to CISA within 72 hours. Nick Andersen, CISA’s executive assistant director for cybersecurity, said clarification on the rules could arrive within weeks. Until then, reporting remains voluntary. CISA released a proposed CIRCIA rule in early 2024, estimating it would apply to roughly 316,000 entities. Industry groups and some lawmakers criticized the proposal as overly broad and raised concerns about overlapping reporting requirements. They have urged CISA to better align CIRCIA with existing federal and sector-specific disclosure mandates. 

Originally expected in October 2025, the final rules are now delayed until May 2026. Some Republicans, including House Homeland Security Committee Chairman Andrew Garbarino, are calling for an ex parte process to allow direct industry feedback. Andersen also discussed progress on establishing an AI Information Sharing and Analysis Center, or AI-ISAC, outlined in the administration’s AI Action Plan. The proposed group would facilitate sharing AI-related threat intelligence across critical infrastructure sectors. He stressed the importance of avoiding fragmented public and private efforts and ensuring coordination from the outset as AI adoption accelerates. 

Separately, the Office of the National Cyber Director is developing an AI security policy framework. Cairncross emphasized that security must be built into AI systems from the start, not added later, as AI becomes embedded in essential services and daily life. Uncertainty remains around a replacement for the Critical Infrastructure Partnership Advisory Council, which DHS disbanded last year. A successor body, potentially called the Alliance of National Councils for Homeland Operational Resilience, or ANCHOR, is under consideration. Andersen said the redesign aims to address past shortcomings, including limited focus on cybersecurity and inflexible structures that restricted targeted collaboration.
Read more »
Russia
Cyber Attacks Cyberattack Cybersecurity Threats Germany Russia

A New Twist on Old Cyber Tricks

 


Germany’s domestic intelligence and cybersecurity agencies have warned of a covert espionage campaign that turns secure messaging apps into tools of surveillance without exploiting any technical flaws. The Federal Office for the Protection of the Constitution and the Federal Office for Information Security said the operation relies instead on social engineering carried out through the Signal messaging service. In a joint advisory, the agencies said the campaign targets senior figures in politics, the military and diplomacy, as well as investigative journalists in Germany and elsewhere in Europe. 

By hijacking messenger accounts, attackers can gain access not only to private conversations but also to contact networks and group chats, potentially widening the scope of compromise. The operation does not involve malware or the exploitation of vulnerabilities in Signal. Instead, attackers impersonate official support channels, posing as “Signal Support” or a so-called security chatbot. 

Targets are urged to share a PIN or verification code sent by text message, often under the pretext that their account will otherwise be lost. Once the victim complies, the attackers can register the account on a device they control and monitor incoming messages while impersonating the user. In an alternative approach, victims are tricked into scanning a QR code linked to Signal’s device-linking feature. 

This grants attackers access to recent messages and contact lists while allowing the victim to continue using the app, unaware that their communications are being mirrored elsewhere. German authorities warned that similar tactics could be applied to WhatsApp, which uses comparable features for account linking and two-step verification. 

They urged users not to engage with unsolicited support messages and to enable registration locks and regularly review linked devices. Although the perpetrators have not been formally identified, the agencies noted that comparable campaigns have previously been attributed to Russia-aligned threat groups. Reports last year from Microsoft and the Google Threat Intelligence Group documented similar methods used against diplomatic and political targets. 

The warning comes amid a flurry of state-linked cyber activity across Europe. Norway’s security services recently accused Chinese-backed groups of penetrating multiple organisations by exploiting vulnerable network equipment, while also citing Russian monitoring of military targets and Iranian cyber operations against dissidents. 

Separately, CERT Polska said a Russian-linked group was likely behind attacks on energy facilities that relied on exposed network devices lacking multi-factor authentication. 

Taken together, the incidents highlight a shift in cyber espionage away from technical exploits towards psychological manipulation. As secure messaging becomes ubiquitous among officials and journalists, the weakest link increasingly lies not in encryption, but in the trust users place in what appears to be help.
Read more »
Ransomware
cyber attack Data Breach Hacking Information Security IT Security Italy Law Enforcement Ransomware

La Sapienza University’s Digital Systems Remain Shut After Cyber Intrusion Disrupts Services

 




Rome’s La Sapienza University is continuing to experience major operational disruption after a cyber intrusion forced administrators to take its digital infrastructure offline as a safety measure. The shutdown began on February 2 and has affected core online services used by students, faculty, and administrative staff.

Since the incident, students have been unable to complete basic academic and administrative tasks such as registering for examinations, viewing tuition-related records, or accessing official contact information for teaching staff. With internal platforms unavailable, the university has relied mainly on its social media channels to share updates. These notices have acknowledged the disruption but have not provided detailed technical explanations or a confirmed date for when full access will be restored.

University officials confirmed that their systems were deliberately powered down to contain the threat and to prevent malicious software from spreading to other parts of the network. Emergency shutdowns of this kind are typically used when there is a risk that an attack could compromise additional servers, user accounts, or stored data. This response suggests that the incident involved harmful software capable of moving across connected systems.

According to publicly available reporting, the disruption was caused by ransomware, a category of cyber attack in which criminals attempt to lock organizations out of their own systems or data. Some media sources have claimed that a newly observed cybercrime group may be linked to the breach and that a ransomware variant referred to in security research as Bablock, also known as Rorschach, may have been involved. These attributions are part of ongoing assessments and have not been formally confirmed by authorities.

Technical analyses cited in public reporting describe this malware family as drawing components from previously leaked cybercrime tools, allowing attackers to combine multiple techniques into a single, highly disruptive program. Such ransomware is designed to operate rapidly and can spread across large digital environments, which helps explain the scale of the disruption experienced by one of Europe’s largest universities by student enrollment.

The university has formally reported the incident to Italian law enforcement and to the National Cybersecurity Agency, both of which are now involved in the investigation and response. Administrators have stated that emergency management is being coordinated across academic offices, administrative departments, and student representatives, with discussions underway to introduce deadline extensions and flexible arrangements to limit academic harm.

Due to the ongoing shutdown of internal systems, campus information desks are currently unable to access digital records that would normally support student inquiries. Updates about service availability and office hours are being shared through official faculty social media pages.

Meanwhile, technical teams are examining the full scope of the breach before restoring systems from backups. This step is necessary to ensure that no malicious code remains active. It is still unclear whether all stored data can be fully recovered or whether some information may remain inaccessible following the attack.


Read more »
Romania National Oil Pipeline
Cybersecurity Attack Data Breach data threat Romania National Oil Pipeline

Romania’s National Oil Pipeline Joins a Growing Cyberattack list

Romania’s national oil pipeline operator, Conpet, has disclosed that it suffered a cyberattack that disrupted its corporate IT systems and temporarily knocked its website offline, adding to a growing series of digital incidents affecting the country’s critical infrastructure. 

In a statement issued on Wednesday, the company said the attack affected its business information systems but did not interfere with pipeline operations or its ability to meet contractual obligations. 

Conpet operates almost 4,000 kilometres of pipelines, transporting domestically produced and imported crude oil, gasoline and other petroleum derivatives to refineries across Romania, making it a key component of the country’s energy infrastructure. 

The firm sought to reassure customers and authorities that its core operational technologies were not compromised. Systems responsible for supervising and controlling pipeline flows, as well as telecommunications networks, continued to function normally throughout the incident. 

As a result, the transport of crude oil and fuel through the national pipeline system was not disrupted. Conpet’s public website, however, remained inaccessible as recovery efforts were under way. 

Conpet said it is investigating the breach in cooperation with national cybersecurity authorities and has notified Romania’s Directorate for Investigating Organised Crime and Terrorism, filing a formal criminal complaint. 

The company has not provided details on how the attackers gained access or the specific techniques used, citing the ongoing investigation. Despite this lack of official confirmation, the ransomware group Qilin has claimed responsibility for the attack. 

The group has listed Conpet on its dark web leak site and alleges it exfiltrated close to one terabyte of data from the company’s systems. 

To support its claim, Qilin published a selection of images said to show internal documents, including financial information and scans of passports. Qilin emerged in 2022 as a ransomware-as-a-service operation, initially operating under the name Agenda. 

Since then, it has built a long list of alleged victims across the world, targeting private companies and public institutions alike. Such groups typically combine data theft with extortion, threatening to publish stolen material unless a ransom is paid. 

The attack on Conpet follows a spate of ransomware incidents in Romania over the past year. Water authorities, major energy producers, electricity distributors and dozens of hospitals have all reported disruptive cyberattacks. 

Together, these cases underline a persistent weakness in the corporate IT systems that support essential services, even when industrial control networks are kept separate. 


Read more »
State-Sponsored Cyber Espionage
Advanced Persistent Threats Critical Infrastructure Cyberattack Data Breach Global Cybersecurity Threats Linux Rootkit Malware nation-state hackers Palo Alto Unit 42 State-Sponsored Cyber Espionage

Widespread Cyber Espionage Campaign Breaches Infrastructure in 37 Countries


 

Research over the past year indicates that a newly identified cyberespionage threat actor operating in Asia has been conducting a sustained and methodical cyberespionage campaign that is characterized both by its operational scale and technical proficiency. 

A fully adaptive and mature toolchain has been utilized by this group to successfully compromise 70 government and critical infrastructure institutions spanning 37 countries. The group's operations utilize a range of classic intrusion vectors, including targeted phishing, advanced exploitation frameworks, along with custom malware, Linux-based rootkits, persistent web shells, tunneling and proxying mechanisms to hide command-and-control traffic and maintain long-term access. 

According to the analysis of the campaign, these intrusions represent only a portion of the group's overall activities. There appears to be an increase in reconnaissance efforts, indicating a strategic expansion beyond confirmed victims, according to security researchers. 

During November and December of 2025, the actor was observed conducting active scanning and reconnaissance against government-linked infrastructures located in 155 countries, indicating that an intelligence collection operation had a global perspective rather than an opportunistic approach. 

A previously unknown cyberespionage actor identified as TGR-STA-1030, also known as UNC6619, has been attributed to the activity by researchers at Palo Alto Networks' Unit 42. Based on a combination of technical artifacts, operational behavior, and targeting patterns, Unit 42 assesses with high confidence that the group is state-aligned and operating from Asia. 

A 12-month period during which the actor compromised government and critical infrastructure organizations across 37 countries puts nearly one fifth of the world's countries within the campaign's verified impact zone. 

A sharp increase in reconnaissance activity was observed by Unit 42 in parallel with these intrusions between November and December 2025, as the group actively scanned government-linked infrastructure associated with 155 countries, signaling a shift toward a broader collection of intelligence. 

Based on the analysis conducted by Unit 42, the group was first discovered during an investigation into coordinated phishing operations targeting European government entities in early 2025. 

Eventually, as the actor refined its access methods, these campaigns, which were part of the initial phase of the Shadow Campaigns, evolved into more direct exploitation-driven intrusions based on exploitation. In light of the assessment that the activity aligns with state interests but has not yet been conclusively linked to a particular sponsoring organization, the designation TGR-STA-1030 is serving as a temporary tracking label while attribution efforts are continued.

Over time, the group demonstrated increasing technical maturity by deploying persistence mechanisms capable of providing extended access to exposed services beyond email-based lures, and exploiting exposed services. To date, a wide range of sensitive government and infrastructure sectors have been identified as victims, including interior affairs, foreign relations, finance, trade, economic policy, immigration, mining, justice, and energy ministries and departments. 

Despite confirmed compromises, researchers from Unit 42 believe that the breadth of reconnaissance activity offers insight into the actor's global priorities, while confirmed scanning efforts indicate that scanning efforts can be translated into operational access. 

There were at least 70 successful breaches during the period under review, and attackers maintained footholds in several environments for several months at a time. Although the campaign appears to be primarily geared toward espionage, Unit 42 has cautioned that the scale, persistence, and alignment of the activity with real-world geopolitical events raise concerns about potential long-term consequences for national security and critical service resilience. 

According to an in-depth analysis of the campaign, a pattern of targeting closely tracked sensitive geopolitical and commercial developments. Unit 42 documented the compromise of one of the largest suppliers in Taiwan's power equipment industry among the confirmed intrusions, which underscores the group's interest in energy-related industrial ecosystems. 

The actors also breached an Indonesian airline's network during the active procurement process with a U.S.-based aircraft manufacturer in a separate incident. Researchers noted that the intrusion coincided with a significant increase in the promotion of competing aircraft products from a manufacturer based in Southeast Asia, suggesting that the operation was not limited to passive intelligence gathering, but extended to strategic economic interests. 

It is important to note that several intrusion waves corresponded directly with diplomatic and political flashpoints involving China. After a high-profile meeting between the country’s president and the Dalai Lama, scanning activity was observed against the Czech military, national police, parliamentary systems, and multiple government bureaus in the Czech Republic. 

A month prior to Honduras' presidential election, during which both of the leading candidates indicated their willingness to reestablish diplomatic relations with Taiwan, the group launched a targeted attack against Honduran government infrastructure on October 31, approximately one month before the election. 

At least 200 government-associated IP addresses were targeted during this period by Unit 42, marking one of the largest concentrations of activity recorded by the group to date, which resulted in reconnaissance attempts and intrusion attempts. From a technical standpoint, the actor's tooling exhibits a high level of sophistication and operational discipline. 

As a part of initial access, phishing campaigns were frequently used to deliver custom malware loaders known as DiaoYu. DiaoYu is the Chinese word for fishing. Upon execution, the malware loader performed antivirus checks before deploying follow-on payloads, including command-and-control beacons known as Cobalt Strike beacons.

Additionally, the group exploited various enterprise-facing vulnerabilities, including Microsoft Exchange Server, SAP Solution Manager, as well as more than a dozen other widely deployed platforms and services, attempting to exploit these vulnerabilities in parallel. By utilizing a previously undocumented Linux rootkit known as ShadowGuard, Palo Alto Networks enhanced persistence and stealth. 

Rootkits operate within Linux kernel virtual machines referred to as Extended Berkeley Packet Filters (eBPF), allowing malicious logic to be executed entirely within highly trusted kernel space. According to researchers from Unit 42, eBPF-based backdoors pose a particular challenge for detection, because they are capable of intercepting and manipulating core system functions and auditing data before host-based security tools or monitoring platforms are aware of them. 

A similar approach has been documented in recent research on advanced Chinese-linked threat actors. However, certain operational artifacts also emerged in spite of the group's multi-tiered infrastructure strategy designed to obscure command-and-control pathways and impede attribution. 

Several cases involved investigators observing connections to victims' environments originating from IP address ranges associated with China Mobile Communications Group, a major backbone telecommunications provider. 

According to Palo Alto Networks, based on infrastructure analysis and historical telemetry, this group has been active since at least January 2024 and continues to pose a threat to the company. According to Unit 42, TGR-STA-1030 remains an active and evolving threat to critical infrastructure and government environments worldwide. This threat's combination of geopolitical alignment, technical capability, and sustained access creates a potential long-term threat. 

Unit 42 encourages governments and critical infrastructure operators to revisit long-held assumptions related to perimeter security and incident visibility in light of these findings. Through the campaign, it can be seen how advanced threat actors are increasingly combining prolonged reconnaissance with selective exploitation in order to achieve durable access and remain undetected for extended periods of time. 

It is recommended that security professionals prioritize continuous monitoring of exposed services, improve detection capabilities at both the endpoint and network layers, and closely monitor anomalous activity within trusted system components, such as kernel-level processes, where appropriate. 

Additionally, the researchers emphasize the importance of cross-sector coordination and threat intelligence sharing in addition to immediate technical mitigations, noting that the campaign's scale and geopolitical alignment demonstrate the deterioration of national resilience over time through cyberespionage operations. 

Keeping a keen eye on current and future state-aligned operations and adjusting defensive strategies in response will remain critical to limiting their strategic impact, especially as state-aligned actors continue to develop their skills.
Read more »
Youtube
AI ChatGPT Cloud Data GenAI Technology Youtube

YouTube's New GenAI Feature in Tools Coming Soon


Youtube is planning something new for its platform and content creators in 2026. The company plans to integrate AI into its existing and new tools. The CEO said that content creators will be able to use GenAI for shorts. While we don't know much about the feature yet, it looks like OpenAI’s Sora app where users make videos of themselves via prompt. 

What will be new in 2026? 

“This year you'll be able to create a Short using your own likeness, produce games with a simple text prompt, and experiment with music “ said CEO Neal Mohan. All these apps will be AI-powered which many creators may not like. Many users prefer non-AI content. CEO Neil Mohan has addressed these concerns and said that “throughout this evolution, AI will remain a tool for expression, not a replacement.”

But the CEO didn't provide other details about these new AI capabilities. It is not clear how this will help the creators and the music experimentation work. 

That's not all, though.

Additionally, YouTube will introduce new formats for shorts. According to Mohan, Shorts would let users to share images in the same way as Instagram Reels does. Direct sharing of these will occur on the subscribers' feed. 

In 2026, YouTube will likewise concentrate on the biggest displays it can be accessed on, which are televisions. According to Mohan, the business will soon introduce "more than 10 specialized YouTube TV plans spanning sports, entertainment, and news, all designed to give subscribers more control," along with "fully customizable multiview.”

Why new feature?

Mohan noted that the creator economy is another area of concern. According to YouTube's CEO, video producers will discover new revenue streams this year. The suggestions made include fan funding elements like jewelry and gifts, which will be included in addition to the current Super Chat, as well as shopping and brand bargains made possible by YouTube. 

YouTube's new venture

The business also hopes to grow YouTube Shopping, an affiliate program that lets content producers sell goods directly in their videos, shorts, and live streams. The business stated that it will implement in-app checkout in 2026, enabling users to make purchases without ever leaving the site.


Read more »
Vulnerabilities and Exploits
CISA Enterprise Flaws KEV Vulnerabilities and Exploits

CISA Confirms Active Exploitation of Four Critical Enterprise Software Flaws

 

CISA has confirmed active exploitation of four critical vulnerabilities in widely used enterprise software, urging immediate action from federal agencies and organizations worldwide. These flaws, now added to the agency's Known Exploited Vulnerabilities (KEV) catalog, affect products from Versa, Zimbra, Vite, and Prettier, with evidence of real-world attacks underway. As cyber threats escalate in 2026, this development highlights the urgent need for swift patching to safeguard networks.

The first vulnerability, CVE-2025-31125, is a high-severity improper access control issue in the Vite frontend tooling framework. It allows attackers to expose non-allowed files if the server is exposed to the network, primarily impacting development instances . Patched in versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11, this flaw underscores the risks of misconfigured dev environments in production-like setups.

CVE-2025-34026 represents a critical authentication bypass in Versa Concerto SD-WAN orchestration platform, versions 12.1.2 through 12.2.0. Stemming from a Traefik reverse proxy misconfiguration, it grants unauthorized access to admin endpoints, including sensitive heap dumps and trace logs . Discovered by ProjectDiscovery in February 2025 and fixed by March, it exposes enterprises relying on SD-WAN to potential data leaks and deeper intrusions.

A supply-chain attack targeted the eslint-config-prettier package via CVE-2025-54313, compromising npm versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7. Malicious install scripts deployed node-gyp.dll payloads on Windows to steal npm tokens, affecting developers using ESLint and Prettier for code formatting . This incident reveals the growing dangers of dependency hijacking in open-source ecosystems.

Finally, CVE-2025-68645 is a local file inclusion flaw in Zimbra Collaboration Suite 10.0 and 10.1's Webmail Classic UI. Unauthenticated attackers exploit the /h/rest endpoint due to poor parameter handling in the RestFilter servlet, reading arbitrary WebRoot files . CISA mandates federal agencies to patch by February 12, 2026, or discontinue use, emphasizing proactive vulnerability management amid unknown ransomware links.
Read more »
Unit 42 report
cyber espionage Cyber Security government network breach Shadow Campaigns state-sponsored cyber attack Unit 42 report

Shadow Campaigns: Asia-Linked Espionage Group Breaches Government and Critical Infrastructure Networks Worldwide

 

A state-backed cyber espionage group has infiltrated dozens of government and critical infrastructure networks across 37 countries as part of a global operation known as “Shadow Campaigns.”

During November and December of last year, the threat actor also carried out large-scale reconnaissance against government-linked entities spanning 155 countries, significantly expanding its intelligence-gathering footprint.

Researchers from Palo Alto Networks’ Unit 42 report that the group has been operational since at least January 2024 and is believed, with high confidence, to be based in Asia. Until firm attribution is established, the actor is being tracked under the identifiers TGR-STA-1030/UNC6619.

The Shadow Campaigns activity has primarily targeted government ministries and agencies involved in law enforcement, border security, finance, trade, energy, mining, immigration, and diplomacy. Unit 42 confirmed successful compromises of at least 70 government and critical infrastructure organizations across 37 nations.

Impacted entities include organizations handling trade policy, geopolitical affairs, and election-related matters in the Americas; ministries and parliamentary bodies across several European countries; Australia’s Treasury Department; and multiple government and infrastructure organizations in Taiwan. Researchers noted that the selection of targets and timing appeared to align closely with region-specific political or economic events.

According to Unit 42, the group intensified scanning activity during the U.S. government shutdown in October 2025, focusing on entities across North, Central, and South America, including Brazil, Canada, the Dominican Republic, Guatemala, Honduras, Jamaica, Mexico, Panama, and Trinidad and Tobago.

Particularly notable was extensive reconnaissance against “at least 200 IP addresses hosting Government of Honduras infrastructure” just one month ahead of the country’s national elections, a period marked by political discussions around restoring diplomatic relations with Taiwan.

Unit 42 assessed that confirmed compromises included Brazil’s Ministry of Mines and Energy, a Bolivian mining-related entity, two Mexican ministries, government infrastructure in Panama, and an IP address linked to a Venezolana de Industria Tecnológica facility. Additional victims spanned government entities across Cyprus, Czechia, Germany, Greece, Italy, Poland, Portugal, and Serbia, along with an Indonesian airline, several Malaysian ministries, a Mongolian law enforcement organization, a major Taiwanese power equipment supplier, and a Thai government department likely associated with economic and trade data. Critical infrastructure organizations across multiple African nations were also affected.

The researchers further believe the actor attempted SSH connections to systems associated with Australia’s Treasury Department, Afghanistan’s Ministry of Finance, and Nepal’s Office of the Prime Minister and Council of Ministers. Beyond confirmed breaches, evidence suggests widespread reconnaissance and intrusion attempts in numerous other countries.

Unit 42 also observed scanning of Czech government infrastructure, including systems tied to the army, police, parliament, and several ministries. The group attempted to access European Union infrastructure as well, targeting over 600 IP addresses hosting *.europa.eu domains. In July 2025, Germany was a focal point, with connection attempts made to more than 490 government-hosted IP addresses.

Early stages of the campaign relied heavily on spear-phishing emails crafted specifically for government officials. These messages often referenced internal ministry restructuring to increase credibility.

The phishing emails contained links to malicious archives hosted on Mega.nz, using localized file names. Inside the archives were a malware loader called Diaoyu and a zero-byte PNG file named pic1.png. Unit 42 found that Diaoyu could retrieve Cobalt Strike payloads and the VShell framework for command-and-control operations, but only after passing several analysis-evasion checks.

“Beyond the hardware requirement of a horizontal screen resolution greater than or equal to 1440, the sample performs an environmental dependency check for a specific file (pic1.png) in its execution directory,” the researchers say.

They explained that the empty image file acts as an integrity check, causing the malware to terminate if the file is missing. To further avoid detection, the loader scans for active processes linked to security tools such as Kaspersky, Avira, Bitdefender, Sentinel One, and Norton.

In addition to phishing, the group exploited at least 15 known vulnerabilities to gain initial access, targeting flaws in SAP Solution Manager, Microsoft Exchange Server, D-Link products, and Microsoft Windows.

New Linux Rootkit Discovered


The Shadow Campaigns toolkit includes multiple webshells—such as Behinder, Godzilla, and Neo-reGeorg—as well as tunneling tools like GO Simple Tunnel (GOST), Fast Reverse Proxy Server (FRPS), and IOX.

Researchers also uncovered a previously undocumented Linux kernel eBPF rootkit named ShadowGuard, believed to be exclusive to TGR-STA-1030/UNC6619.

“eBPF backdoors are notoriously difficult to detect because they operate entirely within the highly trusted kernel space,” the researchers explain.
“This allows them to manipulate core system functions and audit logs before security tools or system monitoring applications can see the true data.”

ShadowGuard hides malicious processes at the kernel level, concealing up to 32 process IDs from standard Linux monitoring utilities through syscall interception. It can also obscure files and directories named swsecret, while allowing operators to specify which processes remain visible.

The campaign’s infrastructure relies on victim-facing servers hosted with legitimate VPS providers in the U.S., Singapore, and the UK, combined with relay servers, residential proxies, and Tor for traffic obfuscation. Researchers noted the use of deceptive command-and-control domains designed to appear familiar to targets, including region-specific top-level domains.

"It’s possible that the domain name could be a reference to 'DOGE Jr,' which has several meanings in a Western context, such as the U.S. Department of Government Efficiency or the name of a cryptocurrency," the researchers explain.

Unit 42 concludes that TGR-STA-1030/UNC6619 is a highly capable espionage actor focused on gathering strategic, economic, and political intelligence, with a proven record of impacting government entities worldwide. The full report includes indicators of compromise (IoCs) to assist defenders in identifying and blocking related activity.
Read more »
Software
cyber espionage Cyber Phishing Cyber Security Government Linux Kernel organisations Software

Dozens of Government and Infrastructure Networks Breached in Global Espionage Campaign



Security researchers have identified a previously undocumented cyber espionage group that infiltrated at least 70 government and critical infrastructure organizations across 37 countries within the past year. The same activity cluster also conducted wide-scale scanning and probing of government-related systems connected to 155 countries between November and December 2025, indicating a broad intelligence collection effort rather than isolated attacks.

The group is tracked as TGR-STA-1030, a temporary designation used for actors assessed to operate with state-backed intent. Investigators report evidence of activity dating back to January 2024. While no specific country has been publicly confirmed as the sponsor, technical indicators suggest an Asian operational footprint. These indicators include the services and tools used, language and configuration preferences, targeting patterns tied to regional interests, and working hours consistent with the GMT+8 time zone.


Who was targeted and what was taken

Confirmed victims include national law enforcement and border agencies, finance ministries, and departments responsible for trade, natural resources, and diplomatic affairs. In several intrusions, attackers maintained access for months. During these periods, sensitive data was taken from compromised email servers, including financial negotiations, contract material, banking information, and operational details linked to military or security functions.


How the intrusions worked

The initial entry point commonly involved phishing messages that led recipients to download files hosted on a legitimate cloud storage service. The downloaded archive contained a custom loader and a decoy file. The malware was engineered to avoid automated analysis by refusing to run unless specific environmental conditions were met, including a required screen resolution and the presence of the decoy file. It also checked for the presence of selected security products before proceeding.

Once active, the loader retrieved additional components disguised as image files from a public code repository. These components were used to deploy a well known command and control framework to manage compromised systems. The repository linked to this activity has since been taken down.

Beyond phishing, the group relied on known vulnerabilities in widely used enterprise and network software to gain initial access. There is no indication that previously unknown flaws were used. After entry, the attackers employed a mix of command and control tools, web shells for remote access, and tunneling utilities to move traffic through intermediary servers.

Researchers also observed a Linux kernel level implant that hides processes, files, and network activity by manipulating low level system functions. This tool concealed directories with a specific name to avoid detection. To mask their operations, the attackers rented infrastructure from legitimate hosting providers and routed traffic through additional relay servers.

Analysts assess that the campaign focuses on countries with active or emerging economic partnerships of interest to the attackers. The scale, persistence, and technical depth of these operations highlight ongoing risks to national security and essential public services, and reinforce the need for timely patching, email security controls, and continuous monitoring across government networks. 

Read more »
Updates
AI Bug Fortinet Internet Technology Updates

Threat Actors Exploit Fortinet Devices and Steal Firewall Configurations


Fortinet products targeted

Threat actors are targeting Fortinet FortiGate devices via automated attacks that make rogue accounts and steal firewall settings info. 

The campaign began earlier this year when threat actors exploited an unknown bug in the devices’ single-sign-on (SSO) option to make accounts with VPN access and steal firewall configurations. This means automation was involved. 

About the attack

Cybersecurity company Arctic Wolf discovered this attack and said they are quite similar to the attacks it found in December after the reveal of a critical login bypass flaw (CVE-2025-59718) in Fortinet products. 

The advisory comes after a series of reports from Fortinet users about threat actors abusing a patch bypass for the bug CVE-2025-59718 to take over patched walls. 

Impacted admins complaint that Fortinet said that the latest FortiOS variant 7.4.10 doesn't totally fix the authentication bypass bug, which should have been fixed in December 2025.

Patches and fixing 

Fortinet also plans on releasing more FortiOS variants soon to fully patch the CVE-2025-59718 security bug. 

Following an SSO login from cloud-init@mail.io on IP address 104.28.244.114, the attackers created admin users, according to logs shared by impacted Fortinet customers. This matches indications of compromise found by Arctic Wolf during its analysis of ongoing FortiGate attacks and prior exploitation the cybersecurity firm noticed in December. 

Turn off FortiCloud SSO to prevent intrusions. 

Turning off SSO

Admins can temporarily disable the vulnerable FortiCloud login capability (if enabled) by navigating to System -> Settings and changing "Allow administrative login using FortiCloud SSO" to Off. This will help administrators safeguard their firewalls until Fortinet properly updates FortiOS against these persistent assaults.

You can also run these commands from the interface:

"config system global

set admin-forticloud-sso-login disable

end"

What to do next?

Internet security watchdog Shadowserver is investigating around 11,000 Fortinet devices that are vulnerable to online threats and have FortiCloud SSO turned on. 

Additionally, CISA ordered federal agencies to patch CVE-2025-59718 within a week after adding it to its list of vulnerabilities that were exploited in attacks on December 16.

Read more »
WordPress
ACF Administrative Rights Plugin Flaw Vulnerabilities and Exploits WordPress

ACF Plugin Flaw Exposes 50,000 WordPress Sites to Admin Takeover

 

A critical vulnerability in the Advanced Custom Fields: Extended (ACF Extended) WordPress plugin has exposed around 50,000 sites to potential hacker takeovers. Tracked as CVE-2025-14533, this flaw affects versions up to 0.9.2.1 and allows unauthenticated attackers to gain administrator privileges through flawed user creation forms. Discovered by researcher Andrea Bocchetti and reported via Wordfence on December 10, 2025, the issue was swiftly patched in version 0.9.2.2 just four days later. Despite the quick fix, download stats show many sites remain unpatched, leaving them vulnerable to remote exploitation.

The vulnerability originates in the plugin's 'Insert User / Update User' form action, where role restrictions are not properly enforced. Attackers can exploit this by submitting crafted requests that assign the 'administrator' role, bypassing any configured limitations in field settings.This privilege escalation requires sites to use forms with a 'role' field mapped to custom fields, a common setup for user registration features. Once successful, hackers achieve full site control, enabling data theft, malware injection, or backdoor installation without needing prior access.

ACF Extended, active on over 100,000 WordPress installations, builds on the popular Advanced Custom Fields plugin to offer developers advanced customization tools. Its widespread use amplifies the risk, as roughly half of users have yet to update since the patch release in mid-December 2025. WordPress sites relying on these plugins for dynamic content often overlook such configurations, inadvertently creating attack vectors.

This privilege escalation bug allows attackers to arbitrarily assign the 'administrator' role during user registration or updates, bypassing any configured limitations in field settings. Exploitation requires sites using ACF Extended forms with a 'role' field mapped to custom fields, a common setup for advanced user management in custom themes and plugins. Once exploited, hackers gain full control, enabling them to install malicious code, steal data, or pivot to server-level compromises without needing credentials.

Threat intelligence from GreyNoise reveals aggressive reconnaissance scanning 706 WordPress plugins, including ACF Extended, by nearly 1,000 IPs across 145 ASNs from late October 2025 to mid-January 2026. While no confirmed exploits of CVE-2025-14533 have surfaced, patterns mirror attacks on vulnerabilities like those in Post SMTP and LiteSpeed Cache, signaling imminent danger.This enumeration boom underscores how attackers probe for unpatched flaws before launching mass campaigns.

Site owners must urgently update to ACF Extended 0.9.2.2 or later via the WordPress dashboard and audit forms for role mappings.Additional steps include disabling public registration, reviewing user accounts for anomalies, and deploying firewalls like Wordfence for real-time blocking. In WordPress's vast ecosystem, proactive patching remains the frontline defense against such admin takeovers, preventing potential site-wide devastation.
Read more »
Malware Attack
Data Breach Database Breach Database Compromised Infostealer Infostealer Malware Malware Attack

Unsecured Database Exposes 149 Million Logins Linked to Infostealer Malware Operations

 

Appearing without warning on the internet, a massive collection of personal login details became reachable to any passerby. This trove - spanning about 96 gigabytes - included close to 150 million distinct credentials gathered from various sources. Not shielded by locks or scrambled coding, its contents lay fully exposed. Inside, endless spreadsheets paired emails with user handles, access codes, plus entry points to accounts. Examination showed evidence of widespread digital theft, driven by aggressive software designed to harvest private information. Such leaks reveal how deeply automated attacks now penetrate everyday online activity. 

Credentials came from people across the globe, tied to many different websites. Access information showed up for big social networks, romance apps, subscription video sites, games, and money-handling services. Among them: login pairs for digital currency storage, bank entry points, and systems linked to payment cards. A mix like that points not to one hacked business but likely stems from software designed to gather passwords automatically.  

What stood out most was the appearance of login details tied to government-backed email addresses in various nations. Though these accounts do not always grant entry to critical infrastructure, basic official credentials might still be exploited - serving as tools for focused scams or fake identities. Starting from minor access points, attackers could work their way deeper into secure environments. The level of danger shifts with each individual's privileges; when higher-access .gov logins fall into the wrong hands, consequences can stretch well beyond a single agency. 

Appearing first in the analysis was a database organized much like those seen in infostealer activities. Keylog results sat alongside extra details - hostnames flipped intentionally to sort thefts by target and origin. Though built on hashes, every record carried its own distinct ID, likely meant to prevent repeats while easing bulk sorting tasks. From this setup emerges something functional: a system shaped for gathering, handling, even passing along login information. Last noted - the traits match what supports credential trafficking behind the scenes. 

With unclear responsibility for the database, reporting went straight to the hosting company. Still, fixing the issue dragged on - weeks passed, with multiple alerts needed before entry was blocked. While delays continued, more data kept flowing in, expanding the volume of sensitive records exposed. Who controlled the system, how long it stayed open online, or whether others harvested its contents stays unanswered. One wrong move here leads to serious trouble. 

When hackers get full logins alongside active URLs, they run automated break-ins across many accounts - this raises chances of stolen identities, fake messages that seem real, repeated fraud, and unauthorized access. Personal habits emerge through used platforms, painting a clearer picture of who someone is online, which deepens threats to private data and future safety. 

Midway through this event lies proof: stealing login details now operates like mass production, fueled by weak cloud setups. Because information-harvesting software grows sharper every month, staying protected means doing basics well - shielding devices, practicing careful habits online, using separate codes everywhere, while adding extra identity checks. Found gaps here reveal something odd at first glance - not just legitimate systems fail from poor setup, but illegal networks do too; when they collapse, masses of people get caught unaware, their private pieces scattered without knowing a breach ever happened.
Read more »
Traffic Manipulation
Adversary In The Middle China Linked APT DarkNimbus DKnife Framework malware Network Edge Attacks Router Hijacking ShadowPad Traffic Manipulation

China-Linked DKnife Threat Underscores Risks to Network Edge Devices

 


Despite adversaries increasing their focus on the network edge, recent findings suggest a sustained and deliberate effort to weaponize routing infrastructure itself for surveillance and delivery purposes. An attacker can observe, modify, and selectively redirect data streams in transit by embedding malicious logic directly into traffic paths rather than relying on endpoint compromise. 

This evolution is reflected in the development of the DKnife framework, which has transformed attacker-in-the-middle capabilities into modular, long-lived platforms that are designed to be persistent, stealthy, and operationally flexible. 

Through the framework's ability to operate at a level where legitimate traffic aggregation and inspection already take place, the line between benign network functionality and hostile control is blurred, enabling malware deployment and long-term monitoring across a variety of device classes and user environments targeted at targeted users. 

According to cybersecurity researchers, DKnife is an adversary-in-the-middle framework that has operated from at least 2019 to maintain router-centric infrastructure by threat actors who have been found to be linked to China. 

In order to enable deep packet inspection, selective traffic manipulation, and covert delivery of malicious payloads, seven Linux-based implants are installed on gateways and edge devices. Several code artifacts and telemetry indicate a clear focus on Chinese-speaking users, including credential-harvesting components tailored specifically for Chinese email services, data exfiltration modules specifically targeted at popular mobile applications, and hard-coded references to domestic media domains buried within the implants. 

It is argued that DKnife's potential strategic value lies in its ability to act as a conduit between legitimate update and download channels and users. As the framework intercepts binary transfers and mobile application updates in transit, it is possible to deploy and manage established backdoors across a broad range of endpoints ranging from desktop systems to mobile devices to Internet of Things environments, including ShadowPad and DarkNimbus. 

According to Cisco Talos, the activity has been associated with the ongoing tracking of a Chinese threat cluster dubbed Earth Minotaur, previously associated with exploit kits like MOONSHINE as well as backdoors like DarkNimbus. The reuse of DarkNimbus is noteworthy, as the malware has also been found in operations attributed to another Chinese advanced persistent threat group, The Wizards, indicating the possibility of sharing tools or infrastructure among these groups. 

Upon further analysis of the infrastructure, it was revealed that DKnife-associated resources overlapped with those connected to WizardNet, a Windows implant deployed by TheWizards through an AitM framework called Spellbinder, which was publicized in 2025. This led to additional connections between DKnife-associated systems and WizardNet resources. 

As Cisco cautions, current insights into DKnife's targeting may be incomplete due to the fact that the configuration data obtained from a single command-and-control server provide limited information about its target market of Chinese-speaking users. It is possible that parallel servers exist to support operations in other regions as well. 

Due to The Wizards' history of targeting individuals and gambling-related entities across Southeast Asia, Greater China, and the Middle East, the convergence of infrastructure and tactics is significant, highlighting the wider implications of DKnife as a traffic hijacking platform with reusable, regionally adaptable features. 

Although researchers have not determined the exact vector used to compromise network equipment, researchers have established that DKnife functions to deliver and control backdoors known as ShadowPad and DarkNimbus, both of which have been used by Chinese-allied threat actors for decades. A technical analysis reveals that there are seven discrete modules in the framework. 

Each module is designed to support a particular operational role, such as traffic inspection, manipulation, and control-and-control messages, as well as origin obfuscation. In addition to packet inspection and attack logic, the system includes relay services to facilitate communication with remote C2 servers as well as a customized reverse proxy derived from HAProxy to mask and manage malicious traffic flows. 

Additionally, DKnife extends its capabilities beyond passive monitoring with additional modules. An attacker is able to establish a virtual Ethernet TAP interface on the compromised router and connect it directly to the local network, effectively placing themselves in the data path of internal communications.

In addition, there are third parties who provide peer-to-peer VPN connectivity using modified n2n software, coordinate the download and update of malicious Android applications, and manage the deployment of the DKnife implants themselves. 

Together, these elements provide a range of tools for a wide range of activities, including DNS hijacking, intercepting legitimate binary and application updates, selectively disrupting security-related traffic, and exfiltrating detailed user activity to external command infrastructures. In addition to intercepting and rewriting packets destined for their original hosts once activated on a device, DKnife also uses its network-bridging capabilities to substitute malicious payloads during transit transparently. 

Through this technique, weaponized APK files can be delivered to Android devices as well as compromised binaries to Windows systems connected to the affected network using this technique. Research conducted by Cisco Talos demonstrated instances in which the framework first installed ShadowPad backdoors for Windows, signed by Chinese certificates, followed by the installation of DarkNimbus backdoors to establish long-term access. 

Unlike secondary droppers, DarkNimbus was delivered directly to Android environments through the manipulated update channel. It was further revealed by investigators that infrastructure was associated with a framework hosting the WizardNet backdoor, a Windows implant previously associated with Spellbinder AitM. This confirmed the link between DKnife and previously documented adversary-in-the-middle attacks. 

Incorporating these tools within the same operational environment implies that development resources will likely be shared or infrastructure will be coordinated. As a result, threat actors are becoming increasingly sophisticated in their use of compromised network devices as covert malware distribution channels as opposed to utilizing endpoints to spread malware. 

The Cisco Talos team further concluded that DKnife is capable of intercepting Windows binary downloads in addition to mobile ecosystems. As observed, the framework was capable of manipulating download URLs in transit, either substituting legitimate installers for trojanized counterparts or redirecting users to malicious distribution points controlled by the attackers. 

In combination with its DNS manipulation capabilities and control over application update channels, DKnife provides an extensive traffic-hijacking platform that can silently deliver malware while maintaining the appearance of normal network behavior.

The framework's components work together to create a continuous attack system at the network gateway that functions in conjunction with each other. Moreover, DKnife offers a broad range of secondary functionality in addition to payload delivery, such as credential harvesting through decrypted POP3 and IMAP sessions, hosting phishing pages, selectively disrupting antivirus and security product traffic, and detailed user activity monitoring. 

Several applications and services were observed to collect telemetry, including messaging platforms, navigation tools, news consumption, telephony, ridesharing, and online shopping, by researchers. In particular, WeChat was observed to receive significant attention, with the framework tracking voice and video calls, message content, media exchanges, and articles accessed through the application. The placement of DKnife on gateway devices permits near real-time visibility into user behavior. 

Activity events are processed internally across the framework's modular components first before being exfiltrated via structured HTTP POST requests to dedicated API endpoints and then forwarded to remote command-and-control infrastructure. 

A significant reduction in the need for persistent malware on individual endpoints is achieved through this architecture, which allows attackers to correlate traffic flows and user actions as packets traverse the network. Researchers note that this approach reflects a greater trend towards infrastructure-level compromise, which is the use of routers and edge devices as persistent delivery platforms for malware. 

According to Cisco Talos, DKnife-associated command-and-control servers remain active as of January 2026, highlighting the continued nature of this threat. An exhaustive set of indicators of compromise has been developed by the firm to assist defenders in identifying compromised systems, as well as emphasizing the need to pay increased attention to network infrastructure as adversaries continue to utilize its unique position within modern digital environments to their advantage.
Read more »
Subscribe to: Comments (Atom)