Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Telegram
Artificial Intelligence Cyber Attacks Government Telecommunication Telegram

Government Remains Primary Target as Cyberattacks Grow in 2025

 



Government institutions were the most heavily targeted sector in 2025, according to newly published research from HPE Threat Labs, which documented 1,186 active cyberattack campaigns throughout the year. The dataset reflects activity tracked between January 1 and December 31, 2025, and spans a wide range of industries and attack techniques, offering a broad view of how threat actors are operating at scale.

Out of all industries analyzed, government bodies accounted for the largest share, with 274 recorded campaigns. The financial services sector followed with 211, while technology companies experienced 179 campaigns. Defense-related organizations were targeted in 98 cases, and manufacturing entities saw 75. Telecommunications and healthcare sectors each registered 63 campaigns, while education and transportation sectors reported 61 incidents each. The distribution shows a clear trend: attackers are prioritizing sectors responsible for sensitive information, essential services, and large operational systems.

Researchers also observed a growing reliance on automation and artificial intelligence to accelerate cyber operations. Some threat groups have adopted highly organized workflows resembling production lines, enabling faster execution of attacks. These operations are often coordinated through platforms such as Telegram, where attackers can manage tasks and extract compromised data in real time.

In addition to automation, generative artificial intelligence is being actively used to enhance social engineering techniques. Cybercriminals are now creating synthetic voice recordings and deepfake videos to carry out vishing attacks and impersonate senior executives with greater credibility. In one identified case, an extortion group conducted detailed research into vulnerabilities in virtual private networks, allowing them to refine and improve their methods of gaining unauthorized access.

When examining the types of threats, ransomware emerged as the most prevalent, making up 22 percent of all campaigns. Infostealer malware followed at 19 percent, with phishing attacks accounting for 17 percent. Remote Access Trojans represented 11 percent, while other forms of malware comprised 9 percent of the total activity.

The scale of malicious infrastructure uncovered during the analysis further underscores the intensity of the threat environment. Investigators identified 147,087 harmful domains and 65,464 malicious URLs. In addition, 57,956 malicious files and 47,760 IP addresses were linked to cybercriminal operations. Over the course of the year, attackers exploited 549 distinct software vulnerabilities.

Insights from a global deception network revealed 44.5 million connection attempts originating from 372,800 unique IP addresses. Among these, 36,600 requests matched known attack signatures and were traced to 8,200 distinct source IPs targeting five specific destination systems.

A closer examination of attack patterns shows that cybercriminals frequently focus on exposed systems and known weaknesses. Remote code execution vulnerabilities in digital video recorders were triggered approximately 4,700 times. Exploitation attempts targeting Huawei routers were observed 3,490 times, while misuse of Docker application programming interfaces occurred in about 3,400 cases.

Other commonly exploited weaknesses included command injection vulnerabilities in PHPUnit and TP-Link systems, each recorded around 3,100 times. Printer-related enumeration attacks using Internet Printing Protocol, along with Realtek UPnP exploitation, were each observed roughly 2,700 times.

The vulnerabilities most frequently targeted during these campaigns included CVE-2017-17215, CVE-2023-1389, CVE-2014-8361, CVE-2017-9841, and CVE-2023-26801, all of which have been widely documented and continue to be exploited in systems that remain unpatched.

Beyond the raw data, the findings reflect a dynamic development in cybercrime. Attackers are combining automation, artificial intelligence, and well-known vulnerabilities to increase both the speed and scale of their operations. This shift reduces the time required to identify targets, exploit weaknesses, and generate impact, making modern cyberattacks more efficient and harder to contain.

The report points to the crucial need for organizations to strengthen their defenses by continuously monitoring systems, addressing known vulnerabilities, and adapting to rapidly evolving threat techniques. As attackers continue to refine their methods, proactive security measures are becoming essential to limit exposure and reduce risk across all sectors.


Read more »
Technology
AI Autonomy MiniMax M2.7 Model Optimization Self-Evolving AI Technology

MiniMax Unveils Self-Evolving M2.7 AI: Handles 50% of RL Research

 

Chinese AI startup MiniMax has unveiled its latest proprietary model, M2.7, touted as the industry's first "self-evolving" AI capable of independently handling 30% to 50% of reinforcement learning research workflows. According to a VentureBeat report, this breakthrough positions M2.7 as a reasoning powerhouse that automates key stages of model development, from debugging to evaluation and iterative optimization. Unlike traditional large language models reliant on constant human oversight, M2.7 actively participates in its own improvement cycle, building agent harnesses, updating memory systems, and refining skills based on real-time experiment outcomes. 

The model's self-evolution mechanism represents a paradigm shift in AI training. MiniMax claims M2.7 can execute complex tasks such as hyperparameter tuning and performance benchmarking with minimal engineer intervention, drastically reducing development timelines and costs. Early benchmarks underscore its prowess: a 56.22% score on SWE-Pro for software engineering tasks, alongside competitive results in coding and logical reasoning evaluations. This autonomy stems from advanced reinforcement learning integration, allowing the model to learn from failures and adapt dynamically without external prompts. 

MiniMax, known for previous hits like the Hailuo video generation platform, developed M2.7 amid intensifying global competition in AI. The Shanghai-based firm emphasizes that the model's proprietary nature safeguards its edge, though it plans limited API access for enterprise users. Industry observers note this launch echoes trends from OpenAI and Anthropic, where AI agents increasingly shoulder research burdens, but M2.7's scale—handling up to half of RL workflows—sets it apart. 

Practical implications extend to software engineering and enterprise automation. Developers report M2.7 excels in generating production-ready code, debugging intricate systems, and optimizing algorithms, making it a boon for tech firms grappling with talent shortages. As AI models grow more autonomous, concerns arise over transparency and control; MiniMax assures safeguards like human veto mechanisms prevent runaway evolution. Still, the model's ability to self-improve raises questions about the future obsolescence of human-led training pipelines. 

Looking ahead, M2.7 signals an era where AI doesn't just consume data but engineers its own advancement. If validated at scale, this could accelerate innovation across sectors, from autonomous vehicles to drug discovery, while challenging Western dominance in AI. MiniMax's bold claim invites scrutiny, but early demos suggest self-evolving models are no longer science fiction—they're here, reshaping the boundaries of machine intelligence.
Read more »
Cyber Security
authentication bypass flaw blocking unauthorized access ConnectWise ConnectWise ScreenConnect ConnectWise ScreenConnect malware Cyber flaws Cyber Security

ConnectWise Warns of Critical ScreenConnect Flaw Enabling Unauthorized Access

 

A security alert now circulates among ScreenConnect users - critical exposure lurks within older builds. Versions released before 26.1 carry a defect labeled CVE-2026-3564. Unauthorized entry becomes possible through this gap, alongside elevated permissions. ConnectWise urges immediate awareness around these risks. Though no widespread attacks appear confirmed yet, the potential remains serious. 

Running on servers or in the cloud, ScreenConnect serves MSPs, IT departments, and help desks needing distant computer control. A flaw detailed in the alert stems from weak checks on digital signatures - potentially leaking confidential ASP.NET keys meant to stay protected.  

Should machine keys fall into the wrong hands, forged authentication data might emerge - opening doors normally protected by access checks. Access of this kind often lets attackers move through ScreenConnect environments unnoticed. Their actions then mirror those permitted to verified accounts. 

With version 26.1, ConnectWise rolled out stronger safeguards - data encryption and better machine key management now built in. Updates reached cloud-hosted users without any action needed; systems shifted quietly behind the scenes. Yet those managing local installations must act fast: moving to the latest release cuts exposure sharply. Delay raises concerns, especially where control rests internally. 

Even though the firm reported no verified cases of CVE-2026-3564 currently under attack, it admitted experts have spotted efforts to misuse accessible machine keys outside lab settings. Such activity implies the flaw carries a realistic risk right now. 

Unconfirmed reports suggest certain weaknesses might have already caught the attention of skilled attackers. Earlier incidents could tie into these, one example being CVE-2025-3935. That case revolved around stolen machine keys pulled from ScreenConnect systems. Some connections between past events and current concerns remain unclear. 

Software updates aside, ConnectWise advises tighter access rules for configuration files. Unusual patterns in login records should draw attention. Backups need protection through layered safeguards. Each extension must remain current to reduce exposure. Monitoring happens alongside preventive steps by design. 

Despite common assumptions, remote access tools continue posing significant threats. Patching delays often open doors to attackers. Staying ahead means adopting active defenses before weaknesses are exploited. Vigilance matters most when systems appear secure. Preventive steps reduce chances of unauthorized entry significantly.
Read more »
Third Party Risk
Banking Security Cybersecurity Threats Data Breach Data protection financial data exposure Network Security Ransomware attack SonicWall Vulnerability Third Party Risk

Large Scale Ransomware Attack at Marquis Compromises Data of 672000 People


 

Marquis, a Texas-based provider of analytics and visualization solutions to hundreds of U.S. banks, recently disclosed a ransomware intrusion that took place in August 2025 resulted in a large-scale compromise of highly sensitive customer information, demonstrating the systemic vulnerability inherent in today's interconnected financial data ecosystem. 

A breach that has only recently become publicized due to regulatory disclosures affected at least 672,075 individuals, and involved exfiltration of both personal identifiers and critical financial information. A company filing submitted to the Maine Attorney General's office indicates that it is beginning the process of notifying the affected, with a significant concentration of those affected residing in Texas. 

In light of the extent of the stolen dataset, which consists of names, dates of birth, addresses, bank account details, payment card information, and even Social Security numbers, this is not merely an unauthorized access incident, but a deeply consequential event threatening consumer financial security as well as institutional trust for the long term. 

Marquis has received subsequent disclosures suggesting that the incident may have been linked to a broader compromise within the vendor ecosystem on which Marquis relies. SonicWall released an advisory in mid-September 2025 urging its customers to reset their credentials following the discovery of a brute-force attack on the MySonicWall cloud platform. This service stores and manages configuration backups on behalf of firewall administrators. 

A backup may contain highly sensitive operational data, including network rules, access control policies, VPN configurations, authentication parameters associated with enterprise identity systems such as LDAP, RADIUS, and SNMP, as well as administrative account credentials. Later, Marquis confirmed the inclusion of Marquis among those affected entities, and the company acknowledged that the compromise encompassed the entire company's customer base. 

Although early reports do not offer a complete picture of downstream impact, subsequent regulatory filings by Marquis across multiple jurisdictions show that the nature and extent of compromised data varies from state to state. This company provided a particularly comprehensive dataset in its submission to Maine authorities that included names, physical addresses, contact information, Social Security numbers, taxpayer identification numbers, and financial account information without associated security codes. 

The date of birth, as well as the dates of birth, indicate a breach with both infrastructure and personal consequences. As a result of the incident, more attention has been drawn to the structural risks associated with the financial sector's reliance on third-party service providers, where a single point of compromise can have cascading effects on a number of institutions and, by extension, their clients. 

The runsomware event in August affected data associated with clients from dozens of banks and credit unions, according to Marquis, but it has only recently been confirmed how broad the scope of the individual impact and the amount of information exposed have been clarified. According to our investigation, the initial intrusion vector was caused by unauthorized access to the SonicWall firewall, which permitted a third party to gain access to Marquis’ internal network. 

In response to this incident, the company has taken legal action against the vendor, emphasizing the complexity of accountability issues which often follow breaches involving interconnected technology. Providing digital and physical marketing solutions to more than 700 financial institutions along with compliance software and services, Marquis occupies a position of considerable data centrality, which inherently magnifies the downstream consequences of any security breaches. 

Due to their centralized storage of aggregated financial data and personally identifiable information, such intermediaries remain high-value targets for ransomware groups. Upon learning about the breach, affected individuals are advised to adopt heightened monitoring practices, including carefully reviewing their bank and credit card transactions, obtaining credit reports from established credit bureaus, and activating fraud alerts and credit freezes whenever necessary. 

Furthermore, caution is being urged against unsolicited communications that may attempt to exploit the incident through phishing or social engineering methods. Ultimately, the episode underscores the importance of continuous risk assessments, stronger access controls, and coordinated security strategies between institutions and service providers as an increasingly persistent and sophisticated threat landscape continues to affect the financial ecosystem.

A security breach has also drawn attention to the systemic vulnerabilities introduced by financial institutions' deeper integration with third-party technology providers, where operational efficiency is often sacrificed at the expense of expanded attack surfaces. 

Even though Marquis had previously acknowledged that the August ransomware incident affected banking and credit union clients, subsequent disclosures have clarified the extent of individual exposures as well as the sensitive nature of compromised records.

A forensic analysis revealed that the point of entry was a SonicWall firewall that permitted unauthorized access to Marquis' internal infrastructure, allowing an external actor to gain access to the system. It has therefore decided to pursue legal action against the vendor in response, emphasizing the complex issues of liability and shared responsibility that arise from breaches within interconnected digital ecosystems. 

A significant amount of information within Marquis's systems magnifies the impact of such an intrusion because of the company's role in providing marketing, compliance, and data-driven services to more than 700 financial institutions. Observations from security experts suggest organizations that operate at this crossroads of aggregated financial and personally identifiable data remain particularly attractive targets for ransomware operators seeking maximum impact. 

In light of the incident, individuals are being urged to adopt a more vigilant stance, which includes monitoring their financial statements on a continuous basis, obtaining credit reports to detect anomalies, and implementing precautionary measures, such as fraud alerts or credit freezes, as appropriate.

A special focus is being placed on preventing opportunistic follow-on attacks, such as phishing attacks or deceptive outreach that may use compromised information to establish trust. These incidents serve as a reminder, together with tighter access governance and more cohesive defensive collaboration between service providers and their institutional clients, of the importance of continuous security reassessment, tighter access governance, and more cohesive defensive collaboration. 

In an increasingly complex digital environment, threat actors continue to refine their tactics. Despite the incident's unfortunate outcome, it serves as a defining example of how digitally interconnected financial services are evolving in terms of risk dynamics, in which trust is distributed among vendors, platforms, and shared infrastructure. 

As a result, cybersecurity is no longer considered a perimeter function, but rather an integrated, continuous discipline throughout the entire supply chain that must be addressed continuously. It entails a deeper level of vendor due diligence, stricter configuration governance, and real-time visibility into third-party dependencies for institutions. As a result, service providers must harden cloud-integrated environments and limit the persistence of sensitive credentials within systems that can be accessed. 

A stronger regulatory scrutiny and continued exploits of systemic interdependencies will lead to an increasing focus on resilience, which will not necessarily mean avoiding breaches but rather anticipating, containing, and responding transparently to breaches without eroded stakeholder trust.
Read more »
malware
Crypto Wallet Theft DarkSword exploit kit GHOSTBLADE iOS security iOS Vulnerability iPhone Malware malware

DarkSword Exploit Kit Targets iPhones, Steals Crypto Wallet and Personal Data


 

A newly identified exploit kit named “DarkSword” is being used to target iOS devices and extract a wide range of sensitive user information, including data from cryptocurrency wallet applications.

The threat specifically impacts iPhones running iOS versions 18.4 to 18.7 and has been linked to multiple threat actors. Among them is UNC6353, believed to have Russian origins, which leveraged the previously disclosed Coruna exploit chain earlier this month.

The exploit kit was uncovered by researchers at mobile security firm Lookout during an investigation into infrastructure tied to Coruna-based attacks. The analysis was further supported by Google’s Threat Intelligence Group (GTIG) and iVerify, providing deeper insights into this emerging threat and the groups behind it. According to iVerify, the exploit chain relies on already known vulnerabilities—covering sandbox escape, privilege escalation, and remote code execution—that have since been patched by Apple in recent iOS updates.

DarkSword operates using six vulnerabilities tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.

According to a report from GTIG, the exploit kit has been active since at least November 2025 and has been deployed by several actors using three distinct malware families:
  • GHOSTBLADE: A JavaScript-based data stealer that collects extensive information such as cryptocurrency wallet details, system data, browsing history, photos, location, and communications from platforms like iMessage, Telegram, WhatsApp, email, and call logs.
  • GHOSTKNIFE: A backdoor capable of extracting account credentials, messages, browsing data, location history, and recordings.
  • GHOSTSABER: Another JavaScript-based backdoor that can enumerate devices and accounts, execute scripts, access files, and steal data.
The earliest observed use of this exploit chain is attributed to UNC6748, which targeted users in Saudi Arabia through a website mimicking Snapchat.

GTIG also reported that in late November 2025, DarkSword activity was detected in Turkey and linked to PARS Defense, a commercial surveillance vendor. These attacks targeted devices running iOS 18.4 through 18.7.

"Unlike the UNC6748 activity, this campaign was carried out with more attention to OPSEC, with obfuscation applied to the exploit loader and some of the exploit stages, and the use of ECDH and AES to encrypt exploits between the server and the victim," GTIG notes.

Subsequently, Google researchers observed similar activity in Malaysia, where another PARS Defense client deployed the GHOSTSABER backdoor.

UNC6353, suspected to be involved in Russian espionage operations, has been using the Coruna exploit kit since mid-2025 and began deploying DarkSword in December 2025 against targets in Ukraine. These attacks continued into March 2026, primarily through watering hole campaigns involving compromised websites that delivered the GHOSTBLADE malware.

Researchers also noted that although "earlier DarkSword use attributed to UNC6748 and PARS Defense also supported iOS 18.7, we did not observe that from UNC6353, despite their later operational timeline."

Lookout researchers highlighted that both Coruna and DarkSword show signs of development aided by large language models (LLMs), with DarkSword containing multiple explanatory code comments.

“This malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules through access to a high level programming language,” Lookout says.

“This extra step shows a significant effort put into the development of this malware with thoughts about maintainability, long-term development and extensibility.”

In addition to the one-click exploit kit, iVerify identified a Safari-based exploit chain involving sandbox escape, privilege escalation, and in-memory implants capable of extracting sensitive data.

DarkSword attacks typically begin in the Safari browser, where multiple exploits are chained together to gain kernel-level read/write access. A central orchestrator component (pe_main.js) is then used to execute malicious code.

While the initial compromise vector remains unclear, attackers were able to inject malicious iframes into targeted websites. The orchestrator then embeds a JavaScript engine into high-privilege iOS services such as App Access, Wi-Fi, Springboard, Keychain, and iCloud, enabling data exfiltration via modules like GHOSTBLADE.

The stolen data may include:
  • Saved passwords
  • Photos (including hidden and screenshots)
  • Messaging app databases (WhatsApp, Telegram)
  • Cryptocurrency wallets (Coinbase, Binance, Ledger, etc.)
  • SMS messages
  • Contacts and call history
  • Location and browsing history
  • Cookies and Wi-Fi credentials
  • Apple Health data
  • Calendar entries and notes
  • Installed apps and linked accounts
Notably, the malware deletes temporary files and exits after exfiltration, suggesting it is not designed for persistent surveillance.

Lookout assesses that DarkSword is likely used by a Russian-linked threat actor pursuing both financial gain and espionage objectives aligned with national intelligence interests.

Users are strongly advised to update their devices to the latest iOS version. Devices with Lockdown Mode enabled are also protected against both Coruna and DarkSword.

In a statement to BleepingComputer, Apple confirmed that patches addressing these vulnerabilities were released last year and extended to older devices as well. The company noted that users running iOS 15 through iOS 26 are already protected, and that devices on iOS 17 and later benefit from the Memory Integrity Enforcement feature, which mitigates such attacks.

To enhance security, users should enable passcodes, use strong passwords with two-factor authentication, avoid sideloading apps, and refrain from clicking on suspicious links or attachments.



Read more »
Iran
APT Group Artificial Intelligence CISA Cyber Attacks Cyber Breach Hacktivism Iran

Cyber Operations Expand as Iran Conflict Extends into Digital Warfare

 




Cyberattacks are increasingly being used alongside conventional military actions in the ongoing conflict involving Iran, with both state-linked actors and loosely organised hacker groups targeting systems in the United States and Israel.

A recent incident involving Stryker illustrates the scale of this activity. On March 11, the company confirmed that a cyberattack had disrupted parts of its global network. Employees across several offices reportedly encountered login screens displaying the symbol of Handala, a group believed to have links to Iran. The attack affected systems within Microsoft’s environment, although the full extent of the disruption and the timeline for recovery remain unclear.

Handala has claimed responsibility for the operation, stating that it exploited Microsoft’s cloud-based device management platform, Intune. According to data from SOCRadar, the group alleged it remotely wiped more than 200,000 devices across 79 countries. These claims have not been independently verified, and attempts have been made to seek confirmation from Microsoft. The group described the attack as retaliation for a missile strike in Minab, Iran, which reportedly killed more than 160 people at a girls’ school.

This breach is part of a broader surge in cyber activity following Operation Epic Fury, with multiple pro-Iranian actors directing attacks against American and Israeli systems.


State-linked groups target essential systems

A cybersecurity assessment indicates that several groups associated with Iran’s Islamic Revolutionary Guard Corps, including CyberAv3ngers, APT33, and APT55, are actively targeting critical infrastructure in the United States.

These operations focus on industrial control systems, which are specialised computers used to manage essential services such as electricity grids, water treatment plants, and manufacturing processes. In some instances, attackers have gained access by using unchanged default passwords, allowing them to install malicious software capable of interfering with or taking control of these systems.

CyberAv3ngers has reportedly accessed industrial machinery in this way, while APT33 has used commonly reused passwords to infiltrate accounts at US energy companies. After gaining entry, the group attempts to weaken safety mechanisms by inserting malware into operational systems. APT55, meanwhile, has focused on cyber-espionage, targeting individuals connected to the energy and defence sectors to gather intelligence for Iranian operations.

Other groups linked to Iran’s Ministry of Intelligence and Security, including MuddyWater and APT34, are also involved in these campaigns. MuddyWater has targeted telecommunications providers, oil and gas companies, and government organisations. It functions as an initial access broker, meaning it breaks into networks, collects login credentials, and then passes that access to other attackers.

Handala has also claimed additional operations beyond the Stryker incident. These include deleting more than 40 terabytes of data from servers at the Hebrew University of Jerusalem and breaching systems linked to Verifone in Israel. However, Verifone has stated that it found no evidence of any compromise or service disruption.

Cyber operations are also being carried out by the United States and Israel.

General Dan Caine stated on March 2 that US Cyber Command was one of the first operational units involved in Operation Epic Fury. He said these efforts disrupted Iran’s communication and sensor networks, leaving it with reduced ability to monitor, coordinate, or respond effectively. He did not provide further operational details.

On March 13, Pete Hegseth confirmed that the United States is using artificial intelligence alongside cyber tools as part of its military approach in the conflict.

Separate reporting suggests that Israeli intelligence agencies may have used data obtained from compromised traffic cameras across Tehran to support planning related to Iran’s leadership, including Ayatollah Ali Khamenei.


Hacktivist networks operate with fewer constraints

Alongside state-backed actors, hacktivist groups have played a significant role. More than 60 such groups reportedly mobilised in the early hours of Operation Epic Fury, forming a coalition known as the Cyber Islamic Resistance.

This network coordinates its activity through Telegram channels described as an “Electronic Operations Room.” Unlike state-directed groups, these actors operate based on ideological motivations rather than central command structures. Analysts note that such groups tend to be less disciplined, more unpredictable, and more likely to act without regard for civilian impact.

Within the first two weeks of the conflict, the coalition claimed responsibility for more than 600 distinct cyber incidents across over 100 Telegram channels. These include attacks targeting Israeli defence-related systems, drone detection platforms such as VigilAir, and infrastructure affecting electricity and water services at a hotel in Tel Aviv.

The same group also claimed to have compromised BadeSaba Calendar, a widely used religious mobile application with more than five million downloads. During the incident, users reportedly received messages such as “Help is on the way” and “It’s time for reckoning,” based on screenshots shared online.

Some analysts assess that these groups may be using artificial intelligence tools to compensate for limited technical expertise, allowing them to scale operations more effectively.


Global actors join the conflict

Cyber intelligence findings suggest that participation in these operations is expanding geographically. Ongoing internet restrictions within Iran appear to be limiting the involvement of domestic hacktivists by disrupting Telegram-based coordination.

As a result, increased activity has been observed from pro-Iranian groups based in Southeast Asia, Pakistan, and other parts of the Middle East.

The Islamic Cyber Resistance in Iraq, also known as the 313 Team, has claimed responsibility for attacks on websites belonging to Kuwaiti government ministries, including defence-related institutions, according to a separate threat intelligence briefing. The group has also reportedly targeted websites in Romania and Bahrain.

Another group, DieNet, has claimed cyber operations affecting airport systems in Bahrain, Saudi Arabia, and the United Arab Emirates.

Russian-linked actors have also entered the landscape. NoName057(16), previously involved in cyber campaigns related to Ukraine, has launched distributed denial-of-service attacks, a technique used to overwhelm websites with traffic and render them inaccessible. Targets include Israeli municipal services, political platforms, telecommunications providers, and defence-related entities, including Elbit Systems, as noted by a threat intelligence monitoring platform.

The group is also reported to be collaborating with Hider-Nex, a North Africa-based collective that has claimed attacks on Kuwaiti government domains.


Some pro-Israeli hacktivist groups are active, including Anonymous Syria Hackers. One such group recently claimed to have breached an Iranian technology firm and released sensitive data, including account credentials, emails, and passwords.

However, these groups remain less visible. Analysts suggest that Israel primarily conducts cyber operations through state-controlled channels, reducing the role and visibility of independent actors. In addition, these groups often do not appear in alerts issued by agencies such as the US Cybersecurity and Infrastructure Security Agency, making their activities harder to track.


These developments suggest how cyber operations are becoming embedded in modern warfare. Such attacks are used not only to disrupt infrastructure but also to gather intelligence, impose financial strain, and influence perception.

The growing use of artificial intelligence, combined with the involvement of decentralised and ideologically driven groups, is making attribution more complex and the threat environment more difficult to manage. As a result, cyber capabilities are now a central component of how conflicts are conducted, extending the battlefield into digital systems that underpin everyday life.

Read more »
User Security
Cyber Fraud Indian Government Loan Apps RBI User Security

Govt, RBI Tighten Grip on Fraudulent Loan Apps

 

The Government of India and the Reserve Bank of India (RBI) have intensified efforts to combat fraudulent digital loan apps that exploit vulnerable borrowers. In a recent Rajya Sabha response, Minister of State for Finance Pankaj Chaudhary outlined coordinated measures to strengthen the digital lending framework and protect consumers from unauthorized platforms. These steps follow growing concerns over illegal apps that charge exorbitant rates and harass users. 

RBI formed a Working Group on Digital Lending, including loans via online platforms and mobile apps, leading to comprehensive guidelines issued to regulated entities (REs). All REs must comply, with supervisory assessments ensuring adherence; non-compliance triggers rectification or enforcement actions. The guidelines aim to make the ecosystem transparent, safe, and customer-focused by firming up regulations for app-based lending. 

A key initiative is RBI's 'Digital Lending Apps (DLAs)' directory, launched on July 1, 2025, listing all apps deployed by REs. This public tool helps users verify an app's legitimacy and association with regulated lenders. It addresses the confusion caused by fake apps mimicking legitimate ones, empowering borrowers to avoid scams before downloading. 

The Ministry of Electronics and Information Technology (MeitY) blocks fraudulent apps under Section 69A of the IT Act, 2000, following due process. Internet intermediaries face directives for tech-driven vetting to stop malicious ads from offshore entities, while the Indian Cyber Crime Coordination Centre (I4C) analyzes risky apps. Citizens can report issues via the National Cybercrime Reporting Portal (cybercrime.gov.in) or helpline 1930, with banks using 'SACHET' and State Level Coordination Committees for complaints. 

Awareness drives include RBI's SMS, radio campaigns, and e-BAAT programs on cyber fraud prevention. States handle enforcement as 'Police' is their domain, supported by central advisories. These multi-pronged actions signal a robust push toward a secure digital lending space in India.
Read more »
Gaming Community
AI Gaming AI in gaming AI technology Artifcial Intelligence Cyber Security Gaming Community

Nvidia DLSS 5 Sparks Backlash as AI Graphics Divide Gaming Industry

 

Despite fanfare at a Silicon Valley event, Nvidia's latest graphics innovation, DLSS 5, has stirred debate among industry observers. Promoted as a leap toward lifelike visuals in gaming, the system leans heavily on artificial intelligence. Set for release before year-end, it aims to match film-quality rendering once limited to major studios. Reactions remain mixed, even as the tech giant touts breakthrough performance. 

Starting with sharper image synthesis, DLSS 5 expands Nvidia's prior work - especially the 2018 debut of real-time ray tracing - by applying machine learning to render lifelike details: soft shadows, natural skin surfaces, flowing hair, cloth movement. In gameplay previews, games such as Resident Evil Requiem and Hogwarts Legacy displayed clear upgrades in scene fidelity, revealing how deeply this method can reshape virtual worlds. Visual depth emerges differently now, not just brighter but more coherent. 

Still, reactions among gamers and developers differ widely. Though scenery looks sharper to many, figures on screen sometimes seem stiff or too polished. Some worry stylized design might fade if algorithms shape too much of what players see. A few point out that leaning hard into artificial imagery risks blurring one game from another. Imagine stepping into games where details feel alive - Jensen Huang called DLSS 5 exactly that kind of shift. He emphasized sharper visuals without taking flexibility away from those building the experience. 

Support is already growing, with names like Bethesda, Capcom, and Warner Bros. Games on board. Progress often hides in quiet upgrades; this time, it speaks through clarity. Even with support, arguments about AI in games grow sharper by the day. A number of creators have run into trouble after introducing computer-made content, some reworking their plans - or halting them altogether - when players pushed back hard. 

While some remain cautious, figures across the sector see artificial intelligence driving fresh approaches. Advocates suggest systems such as DLSS 5 open doors to deeper experiences, offering creators broader room to explore. Yet perspectives differ even within tech circles embracing change. What we’re seeing with DLSS 5 isn’t just about one technology - it mirrors broader changes taking place across game development. 

As artificial intelligence reshapes what’s possible, limits are being stretched in unexpected ways. Still, alongside progress comes debate: how much should machines shape creative choices? Behind the scenes, tension grows between efficiency driven by algorithms and the human touch behind visual design.
Read more »
Southeast Asia Crime
Cryptocurrency Laundering Cyber Fraud Digital Fraud Prevention FBI Investigation Online Scam Detection Scam Networks social engineering attacks Southeast Asia Crime

FBI Escalates Enforcement Against Thai Fraud Rings Targeting US Individualsa


 

Digital exchanges that begin with a polite greeting, an apparent genuine conversation, or a quiet offer of companionship increasingly become entry points into a far more calculated form of transnational fraud. For many Americans, these interactions are not merely chance encounters, but carefully crafted overtures designed to cultivate trust before gradually dismantling it. 

Many of these schemes are now linked to sophisticated criminal enterprises operating in highly secured compounds throughout Southeast Asia, where deception is being industrialized and carried out at an unprecedented scale. Therefore, the FBI's presence in Thailand has been increased in response. 

Often, these networks leave little trace other than fractured finances and shattered confidence, but the FBI is working with regional authorities to disrupt these networks that steal billions of dollars from unsuspecting victims each year. It has become increasingly apparent within Washington that the size and sophistication of these operations warrants further investigation. As a result, the investigation has widened considerably. 

According to Kash Patel, elements associated with the Chinese Communist Party have played an important role in enabling the construction of fortified scam compounds across Myanmar and other parts of Southeast Asia. These facilities, he described as purpose-built environments, were targeted at large-scale financial exploitation of American citizens, particularly elderly individuals. 

An investigation framed as a high-priority national security issue has been initiated by the Federal Bureau of Investigation, which has initiated a coordinated operation that incorporates domestic and international measures. This effort includes the establishment of a centralized complaint processing system to streamline victim reporting and gathering information. 

There are parallel efforts being made by regional governments to disrupt the digital infrastructure underpinning these networks, notably by limiting connectivity to compounds located in Cambodia and along Myanmar's border with Thailand. 

Authorities have concluded that these syndicates now function with the operational maturity of structured enterprises, utilizing multilingual outreach, social engineering tactics, and cryptocurrency-based laundering frameworks in order to conceal financial records. 

In addition to being a multilateral enforcement initiative, the enforcement campaign has also involved partners such as the National Crime Agency and counterparts from the Canadian, Australian, New Zealandan, South Korean, Japanese, Singaporean, Philippine and Indonesian governments.

A number of early coordinated actions have already demonstrated significant impact, including dismantling thousands of fraudulent accounts, pages, and online groups across major digital platforms. This has been accompanied by targeted legal actions, including arrest warrants, as a result of the increasing synchronization of efforts to contain the threat in addition to the scale of the threat. 

A senior official of the Federal Bureau of Investigation has confirmed that transnational fraud networks in Southeast Asia constitute a persistent and evolving threat vector to the United States, which is primarily driven by highly organized criminal syndicates that are able to operate across multiple jurisdictions without causing significant friction. 

As Scott Schelble noted, these entities function in a manner far beyond conventional cybercrime organizations. They use coordinated infrastructure, advanced social engineering techniques, and cross-border financial mechanisms to systematically target American citizens every day. 

Based on his recent engagements in Thailand, Cambodia, and Vietnam, he emphasized that these operations are characterized by well-capitalized, technologically advanced, and structured operations with the ability to exploit regulatory gaps, digital platforms, and human vulnerabilities in order to generate significant illegal revenues.

Consequently, the FBI, in coordination with the Department of Justice, has intensified its efforts to coordinate a globally aligned enforcement strategy, integrating intelligence sharing, victim identification, and financial disruption into a unified operational framework that is integrated into a global alignment of enforcement. 

Through collaboration with regional counterparts, in particular, the Royal Thai Police, this approach has been able to generate actionable intelligence flows and to launch joint interventions that target both personnel and the financial infrastructure supporting these schemes. 

The Cambodian National Police has pursued similar cooperation channels, including the prospect of revisiting previous task force models to combat the resurgence of scam compounds, as well as the Vietnamese Ministry of Public Security on shared enforcement priorities.

The fact that even limited observations of these facilities can reveal a scale of operations that is difficult to fully comprehend remotely, as entire complexes are designed to support continuous fraud activities, underscores the systemic and entrenched nature of the threat these networks pose, according to Scheble. 

As an additional signal of the sustained momentum of enforcement efforts, Jirabhop Bhuridej of the Royal Thai Police stressed that the ongoing crackdown is intended to provide a clear deterrent to transnational fraud groups, emphasizing that jurisdictional boundaries cannot prevent coordinated legal action from being taken against organized scam syndicates. 

The private sector has also taken steps to complement this enforcement posture, with Meta Platforms introducing enhanced user protection mechanisms across its ecosystem to complement this enforcement posture. In addition, Facebook has introduced proactive alerts to detect anomalous connection requests, and WhatsApp has strengthened security mechanisms in order to detect and warn against potentially fraudulent device-linking activities. 

In light of recent task force initiatives, operational outcomes demonstrate how significant and material these initiatives are. Authorities have seized mobile phones and data storage systems from suspected scam facilities in order to generate critical forensic evidence to support ongoing investigation and prosecution. 

Furthermore, a large volume of accounts associated with fraud networks have been removed through large-scale account disruption campaigns, while coordinated law enforcement actions have resulted in multiple arrests within affected jurisdictions.

In regard to the financial sector, the United States Department of Justice expanded its intervention by establishing a dedicated Scam Center Strike Force, launched in late 2025 to address the growing nexus between crypto-enabled laundering channels and these operations.

In the past few months, this initiative has achieved significant asset disruption milestones, identifying, freezing, and securing hundreds of millions of dollars worth of illicit digital assets a critical step towards constraining the financial lifelines that sustain these highly adaptive criminal organizations. It is evident from these developments that both the public and private sectors are required to respond sustainably and adaptively to threats that are evolving in both scale and sophistication. 

According to officials, disruption alone will not suffice without parallel investments in prevention, such as improving digital literacy, strengthening platform-level safeguards, and developing cross-border intelligence sharing frameworks that are more agile. 

In order for enforcement efforts to be effective in the long run, the ability to anticipate rather than merely react will be crucial as fraud ecosystems continue to iterate tactics and utilize emerging technologies. 

A critical challenge for policymakers, law enforcement agencies, and technology providers alike is developing a resilient defense posture based on intelligence that can gradually erode the operational advantages on which these networks have been based for many years.
Read more »
saaS
ai agents Anthropic APT29 coding Cyber Security Cyber Threats kill chain MCP saaS

AI Agents Are Reshaping Cyber Threats, Making Traditional Kill Chains Less Relevant

 



In September 2025, Anthropic disclosed a case that highlights a major evolution in cyber operations. A state-backed threat actor leveraged an AI-powered coding agent to conduct an automated cyber espionage campaign targeting 30 organizations globally. What stands out is the level of autonomy involved. The AI system independently handled approximately 80 to 90 percent of the tactical workload, including scanning targets, generating exploit code, and attempting lateral movement across systems at machine speed.

While this development is alarming, a more critical risk is emerging. Attackers may no longer need to progress through traditional stages of intrusion. Instead, they can compromise an AI agent already embedded within an organization’s environment. Such agents operate with pre-approved access, established permissions, and a legitimate role that allows them to move across systems as part of daily operations. This removes the need for attackers to build access step by step.


A Security Model Designed for Human Attackers

The widely used cyber kill chain framework, introduced by Lockheed Martin in 2011, was built on the assumption that attackers must gradually work their way into a system. It describes how adversaries move from an initial breach to achieving their final objective.

The model is based on a straightforward principle. Attackers must complete a sequence of steps, and defenders can interrupt them at any stage. Each step increases the likelihood of detection.

A typical attack path includes several phases. It begins with initial access, often achieved by exploiting a vulnerability. The attacker then establishes persistence while avoiding detection mechanisms. This is followed by reconnaissance to understand the system environment. Next comes lateral movement to reach valuable assets, along with privilege escalation when higher levels of access are required. The final stage involves data exfiltration while bypassing data loss prevention controls.

Each of these stages creates opportunities for detection. Endpoint security tools may identify the initial payload, network monitoring systems can detect unusual movement across systems, identity solutions may flag suspicious privilege escalation, and SIEM platforms can correlate anomalies across different environments.

Even advanced threat groups such as APT29 and LUCR-3 invest heavily in avoiding detection. They often spend weeks operating within systems, relying on legitimate tools and blending into normal traffic patterns. Despite these efforts, they still leave behind subtle indicators, including unusual login locations, irregular access behavior, and small deviations from established baselines. These traces are precisely what modern detection systems are designed to identify.

However, this model does not apply effectively to AI-driven activity.


What AI Agents Already Possess

AI agents function very differently from human users. They operate continuously, interact across multiple systems, and routinely move data between applications as part of their designed workflows. For example, an agent may pull data from Salesforce, send updates through Slack, synchronize files with Google Drive, and interact with ServiceNow systems.

Because of these responsibilities, such agents are often granted extensive permissions during deployment, sometimes including administrative-level access across multiple platforms. They also maintain detailed activity histories, which effectively act as a map of where data is stored and how it flows across systems.

If an attacker compromises such an agent, they immediately gain access to all of these capabilities. This includes visibility into the environment, access to connected systems, and permission to move data across platforms. Importantly, they also gain a legitimate operational cover, since the agent is expected to perform these actions.

As a result, the attacker bypasses every stage of the traditional kill chain. There is no need for reconnaissance, lateral movement, or privilege escalation in a detectable form, because the agent already performs these functions. In this scenario, the agent itself effectively becomes the entire attack chain.


Evidence That the Threat Is Already Looming 

This risk is not theoretical. The OpenClaw incident provides a clear example. Investigations revealed that approximately 12 percent of the skills available in its public marketplace were malicious. In addition, a critical remote code execution vulnerability enabled attackers to compromise systems with minimal effort. More than 21,000 instances of the platform were found to be publicly exposed.

Once compromised, these agents were capable of accessing integrated services such as Slack and Google Workspace. This included retrieving messages, documents, and emails, while also maintaining persistent memory across sessions.

The primary challenge for defenders is that most security tools are designed to detect abnormal behavior. When attackers operate through an AI agent’s existing workflows, their actions appear normal. The agent continues accessing the same systems, transferring similar data, and operating within expected timeframes. This creates a significant detection gap.


How Visibility Solutions Address the Problem

Defending against this type of threat begins with visibility. Organizations must identify all AI agents operating within their environments, including embedded features, third-party integrations, and unauthorized shadow AI tools.

Solutions such as Reco are designed to address this challenge. These platforms can discover all AI agents interacting within a SaaS ecosystem and map how they connect across applications.

They provide detailed visibility into which systems each agent interacts with, what permissions it holds, and what data it can access. This includes visualizing SaaS-to-SaaS connections and identifying risky integration patterns, including those formed through MCP, OAuth, or API-based connections. These integrations can create “toxic combinations,” where agents unintentionally bridge systems in ways that no single application owner would normally approve.

Such tools also help identify high-risk agents by evaluating factors such as permission scope, cross-system access, and data sensitivity. Agents associated with increased risk are flagged, allowing organizations to prioritize mitigation.

In addition, these platforms support enforcing least-privilege access through identity and access governance controls. This limits the potential impact if an agent is compromised.

They also incorporate behavioral monitoring techniques, applying identity-centric analysis to AI agents in the same way as human users. This allows detection systems to distinguish between normal automated activity and suspicious deviations in real time.


What This Means for Security Teams

The traditional kill chain model is based on the assumption that attackers must gradually build access. AI agents fundamentally disrupt this assumption.

A single compromised agent can provide immediate access to systems, detailed knowledge of the environment, extensive permissions, and a legitimate channel for moving data. All of this can occur without triggering traditional indicators of compromise.

Security teams that focus only on detecting human attacker behavior risk overlooking this emerging threat. Attackers operating through AI agents can remain hidden within normal operational activity.

As AI adoption continues to expand, it is increasingly likely that such agents will become targets. In this context, visibility becomes critical. The ability to monitor AI agents and understand their behavior can determine whether a threat is identified early or only discovered during incident response.

Solutions like Reco aim to provide this visibility across SaaS environments, enabling organizations to detect and manage risks associated with AI-driven systems more effectively.

Read more »
Stryker cyberattack
Cyber Attacks Handala hackers Healthcare cybersecurity Iran cyber warfare Microsoft Intune breach Stryker cyberattack

Stryker Cyberattack Disrupts Operations as Pro-Iran Hackers Allegedly Wipe Employee Devices

 

Medical technology leader Stryker has begun restoring its systems after a cyberattack that reportedly enabled pro-Iranian hackers to remotely erase data from tens of thousands of employee devices.

The incident caused significant operational disruption and is being viewed as potentially the first large-scale cyberattack in the United States linked to tensions surrounding the Donald Trump administration’s conflict with Iran.

In a weekend update, Stryker confirmed that the March 11 breach was limited to its internal Microsoft environment, emphasizing that its internet-connected medical devices are “safe to use.”

Although investigations into the root cause are ongoing, the company stated it has found no evidence of ransomware or malware involvement. However, disruptions to order processing, manufacturing, and shipping operations persist.

A pro-Iran hacking group known as Handala claimed responsibility for the attack, stating it was retaliation for a U.S. airstrike on an Iranian school that reportedly killed at least 175 people, most of them children. The group also defaced Stryker’s login portals with its branding.

According to Bleeping Computer, the attackers may have gained entry through an internal administrator account, granting them extensive access to Stryker’s Windows network. Reports suggest the hackers accessed Microsoft Intune dashboards, a system used to manage employee devices remotely, including the ability to erase data if devices are lost or stolen.

A successful breach of these dashboards would have allowed attackers to remotely wipe both corporate and personal devices without deploying malware.

The Wall Street Journal also reported that Intune systems were a primary target in the attack.

Stryker has not publicly responded to questions regarding the breach, including whether the compromised account was secured with multi-factor authentication.

The initial entry point for the attackers remains unclear. Researchers from Palo Alto Networks suggested phishing could have been used to infiltrate the network. IBM noted that Iran-linked groups like Handala are known for phishing campaigns and destructive cyber operations, particularly targeting healthcare and energy industries. Infostealer malware, which captures login credentials and sensitive data, may also have contributed to the breach.

Stryker employs approximately 56,000 people globally and operates across more than 60 countries, according to Reuters.
Read more »
Information Security
Cyber Breach Cyber Security Cyberattacks Data Exposure Data Leak Data Privacy data security Information Security

Mazda Reports Limited Data Exposure After Warehouse System Breach

 

Early reports indicate Mazda Motor Corporation faced a data leak following suspicious activity uncovered in its systems during December 2025. Information belonging to staff members, along with details tied to external partners, became accessible due to the intrusion. Investigation results point to a weak spot found within software managing storage logistics. This particular setup supports component sourcing tasks based in Thailand. Findings suggest the flaw allowed outside parties to enter without permission. 

Despite early concerns, investigators confirmed the breach touched only internal systems - no client details were involved. A count later showed 692 records may have been seen by unauthorized parties. Among what was accessed: login codes, complete names, work emails, firm titles, along with tags tied to collaboration networks. What escaped exposure? Anything directly linked to customers. 

After finding the issue, Mazda notified Japan’s privacy regulator while launching a probe alongside outside experts focused on digital security. So far, no signs have appeared showing the leaked details were exploited. Still, people touched by the event are being urged to watch closely for suspicious messages or fraud risks tied to the breach. Despite limited findings now, caution remains key given how personal information might be used later.  

Mazda moved quickly, rolling out several upgrades to protect its digital infrastructure. With tighter controls on who can enter systems, fewer services exposed online now limit entry points. Patches went live where needed most, closing known gaps before they could be used. Monitoring grew sharper, tuned to catch odd behavior faster than before. Each change connects to a clear goal - keeping past problems from repeating. Protection improves not by one fix but through layers put in place over time. 

Mazda pointed out the breach showed no signs of ransomware or malicious software, yet operations remain unaffected. Though certain hacking collectives once said they attacked Mazda’s networks, the firm clarified this event holds no connection - no communication from any threat actor occurred. 

Now more than ever, protection across suppliers and daily operations demands attention - the car company keeps watch, adjusts defenses continuously. Emerging risks push updates to digital safeguards forward steadily.
Read more »
Ransomware
ClickFix Cyber Attacks Deno LeakNet Ransomware

LeakNet Ransomware Uses ClickFix and Deno for Stealthy Attacks

 

LeakNet ransomware has changed its approach by pairing ClickFix social-engineering lures with a Deno-based loader, making its intrusion chain harder to spot. The group is using compromised websites to trick users into running malicious commands, then executing payloads in memory to reduce obvious traces on disk. 

Security researchers say this is a notable shift because ClickFix replaces older access methods like stolen credentials with a user-triggered infection path. Once the victim interacts with the fake prompt, scripts such as PowerShell and VBS can launch the next stage, often with misleading file names that look routine rather than malicious. 

The Deno runtime is the second major piece of the campaign. Deno is a legitimate JavaScript and TypeScript runtime, but LeakNet is abusing it in a “bring your own runtime” style so it can run Base64-encoded code directly in memory, fingerprint the host, contact command-and-control servers, and repeatedly fetch additional code. 

That design helps the attackers stay stealthy because it minimizes the amount of malware written to disk and can blend in with normal software activity better than a custom loader might. Researchers also note that LeakNet is building a repeatable post-exploitation flow that can include lateral movement, payload staging, and eventually ransomware deployment. 

For organizations, the primary threat is that traditional file-based detection may miss the earliest stages of the attack. A campaign that starts with a convincing browser prompt or a fake verification page can quickly turn into an internal breach if users are not trained to question unexpected instructions. 

Safety recommendations 

To mitigate threat, companies should train users to avoid following browser-based “fix” prompts, especially on unfamiliar or compromised sites. They should also restrict PowerShell, VBS, and other script interpreters where possible, monitor for Deno running outside developer workflows, watch for unusual PsExec or DLL sideloading activity, and segment networks so one compromised host cannot easily spread access. Finally, maintain tested offline backups and keep a playbook for rapid isolation, because fast containment is often the difference between a blocked intrusion and a full ransomware incident.
Read more »
Token Minting Flaw
Blockchain Security Crypto Hack Cyber Attacks Decentralized Finance DeFi Risk Digital Asset Theft Smart Contract Vulnerability Stablecoin Exploit Token Minting Flaw

24.5 Million Dollar Hack Exposes Vulnerabilities in Resolv DeFi


 

The concept of stability is fundamental to the architecture of decentralized finance - it is the foundation upon which trust is built. A stablecoin brings parity with the dollar to the decentralized finance system, providing a quiet assurance that one token will reliably mirror one unit of currency. 

The premise of this proposition has been severely undercut with the case of Resolv, where the USR token now trades at less than a third of its intended peg and hovers around 27 cents, clearly demonstrating a structural breakdown that cannot be rectified by simple recalibration. 

During the early hours of Sunday morning, at approximately 2:21 a.m. UTC, an attacker exploited a vulnerability within the protocol's minting contract, fabricating nearly 80 million tokens without backing. A swift and systematic unwinding of value followed-those artificially created assets were funneled through decentralized exchanges, exchanged for more liquid stablecoins, and eventually consolidated into Ether. 

After completing the activity, the attacker had obtained digital assets worth approximately $25 million, leaving behind not only a depegged token, but also a stark reminder of how confidence can rapidly erode when mathematical foundations of financial systems fail to hold up. It is evident from the mechanics of the breach that there was a deeper architectural weakness rather than a momentary lapse that led to the breach. 

A capital injection of $100,000 to $200,000 in USDC was sufficient to engage the protocol's minting interface under normal conditions at the beginning of the sequence. However, what occurred afterward diverged significantly from what was expected. By exploiting a flaw in the authorization flow, the adversary was able to generate approximately 80 million USR tokens, a number that is significantly greater than the initial collateral provided. 

Ultimately, this breakdown occurred as a result of an off-chain signing service entrusted with a privileged private key that authorised the minting of mint quantities. The contract verified the presence of a valid cryptographic signature, but failed to impose any intrinsic ceiling on issuance. Therefore, a critical control was externalized without being enforced on the blockchain. 

Having created the unbacked tokens, the attacker moved with calculated precision to convert USR into its staked derivative, wstUSR, and unwind the position using decentralized liquidity pools. Upon incremental exchange of the assets for stablecoins and then consolidation of Ether, the proceeds could be absorbed into deeper market liquidity, thereby providing a greater level of market liquidity. 

Parallel to the sudden injection of uncollateralized supply, USR's market equilibrium was destabilized, resulting in a rapid depreciation of almost 80 percent. As a result of establishing the sequence of events, the incident demonstrates the importance of investigating the minting architecture and implicit trust assumptions that enabled such a breach to occur.

Rather than limiting themselves to Resolv's immediate ecosystem, the repercussions of the exploit have been emitted across interconnected DeFi infrastructure protocols. A detailed internal assessment has now been initiated to determine the extent of exposure for organizations that integrated USR into shared liquidity pools, accepted it as collateral, or relied on its yield mechanisms. 

Decentralized finance is based on the premise that it can be layered, enhancing efficiency as well as reducing risk, and this chain reaction is indicative of this. As a result of the sudden depegging of USR, platforms upstream have encountered balance sheet inconsistencies. 

As a precautionary measure, select operations were suspended, withdrawals and deposits were restricted, and governance-driven responses were initiated to mitigate potential deficits. This requires a more detailed audit of smart contract states and liquidity positions to reconcile the impact of a compromised asset than surface-level accounting.

As a result of the episode, DeFi remains aware of a persistent structural reality: vulnerabilities at a foundational layer can lead to instability throughout the entire stack, thereby exposing even indirectly exposed participants to disruption. There has been an increase in attention on the post-exploit environment, where the trajectory of stolen assets may influence recovery prospects. 

On-chain observations indicate that the majority of the approximately $25 million extracted remains consolidated within wallets controlled by the attacker, with no visible signs of obfuscation by mixing or crossing chains. It has historically been observed that such inactivity precedes negotiation attempts, as demonstrated in prior incidents involving attackers engaging with protocol teams under whitehat or quasi-whitehat frameworks to return funds in exchange for incentives. 

In addition to unclear whether Resolv's operators have initiated similar outreach or structured a formal bounty, no confirmation regarding direct communication with the attacker has been released to date. While blockchain analytics firms are actively tracing transaction flows, no parallel involvement by law enforcement agencies has been reported. 

Near-term, the focus is on transparency and remediation for affected users and counterpart protocols monitoring official disclosures, evaluating exposure statements, and waiting for comprehensive post-incident analyses along with compensation frameworks. 

Decentralized finance continues to gain momentum as it moves toward broader adoption; however, the incident once again illustrates that there is still a significant gap between innovation and security assurance in systems where trust is distributed but accountability can become muddled.

A number of factors contribute to the shift in focus from attribution to prevention in the aftermath of the incident, underlining the need for more resilient design principles across decentralized systems. Consequently, security in DeFi cannot be partially delegated to off-chain mechanisms or implicit trust models; critical controls must be enforced at the protocol level by ensuring deterministic safeguards, limiting minting logic, and continuously validating changes to the state. 

During this conference, protocol architects and developers are reminded of the importance of minimizing privileged dependencies, implementing rigorous audit layers, and stress testing composability risks under adversarial conditions. 

Participants are reminded that it is imperative that not only yield opportunities are evaluated, but that underlying mechanisms are also examined for structural integrity. It is expected that sustained credibility will be dependent less on the speed at which innovations are implemented, and more on the discipline with which security assumptions are developed, verified, and communicated transparently.
Read more »
Railway cloud security
AI phishing campaign Cyber Fraud Huntress cybersecurity Microsoft account breach OAuth token attack Railway cloud security

AI-Driven Phishing Campaign Exploits Cloud Platform to Breach Microsoft Accounts at Scale

 

A large-scale phishing operation linked to the AI-enabled cloud hosting platform Railway has enabled cybercriminals to infiltrate Microsoft cloud accounts belonging to hundreds of organizations, according to findings by Huntress.

Rich Mozeleski, a product manager on Huntress’ identity team, revealed that the activity appears to be associated with a relatively small threat actor operating from roughly a dozen IP addresses. Despite its size, the campaign has successfully compromised hundreds of targets in recent weeks.

The attack initially impacted a few dozen organizations daily in early March, but activity surged sharply beginning March 3. Mozeleski noted that the campaign stood out due to its sophistication and variability—no two phishing emails or domains were identical. This led researchers to suspect the use of artificial intelligence tools to generate customized phishing content. The lures included a mix of conventional email tactics, QR codes, and hijacked file-sharing platforms.

“Just the amount of it was like Pandora’s Box had opened, and the efficacy was just through the roof,” Mozeleski said.

The attackers leveraged a weakness in Microsoft’s device authentication process—commonly used by smart TVs, printers, and terminals—to obtain valid OAuth tokens. These tokens can grant access to accounts for up to 90 days without requiring passwords or multi-factor authentication.

While Huntress reported that hundreds of its customers were deceived by the phishing attempts, the firm stated it successfully blocked any follow-on malicious activity. However, researchers believe these cases likely represent only a fraction of the total victims, which could reach into the thousands.

Organizations affected span a wide range of industries, including construction, legal services, nonprofits, real estate, manufacturing, finance, healthcare, and public sector entities. Huntress identified at least 344 impacted organizations in a detailed report.

To mitigate the threat, Huntress deployed a conditional access policy update across 60,000 Microsoft cloud tenants, specifically targeting emails originating from Railway-related domains. Mozeleski described this step as “not anything we’ve ever done before.”

Weaponizing Cloud Infrastructure with AI
Investigators believe the attackers abused Railway’s Platform-as-a-Service offering—designed to help users build applications without coding expertise—to rapidly create phishing infrastructure for credential harvesting.

By using compromised domains and generating highly tailored phishing messages, the attackers were able to evade traditional email security filters. All observed attacks were traced back to Railway’s IP infrastructure, though it remains unclear whether Railway’s native AI tools or external solutions were used to craft the phishing content.

Responding to the incident, Railway solutions engineer Angelo Saraceno confirmed that the company took action after being alerted by Huntress on March 6. “The associated accounts were banned and the domains were blocked,” Saraceno said.

“Our heuristics are built to catch correlations: repeated credit cards, shared code sources, overlapping infrastructure,” he wrote in an email. “When a campaign avoids those signals, it gets further than we’d like.”

Saraceno emphasized that fraud detection requires balancing security enforcement with minimizing false positives, referencing a prior February incident where system tuning caused customer disruptions.

Despite mitigation efforts, Mozeleski stated that Huntress continued to detect over 50 daily compromises tied to Railway-hosted phishing domains. He suggested that stronger vetting processes—especially for free-tier users—could help prevent such abuse, drawing comparisons to platforms like Mailchimp and HubSpot that enforce stricter usage controls.

“Do not allow anybody to come in, start a trial, spin up resources, and start using your infrastructure” for cyberattacks, he said.

A notable aspect of this campaign is the use of AI-powered infrastructure typically associated with advanced or state-backed threat actors, now being deployed for relatively routine phishing schemes. This shift highlights growing concerns among cybersecurity experts about the democratization of powerful attack tools.

Experts warn that lower-tier cybercriminals, often referred to as “script kiddies,” may benefit significantly from generative AI technologies. John Hultquist recently noted that such tools are likely to empower smaller cybercriminal groups even more than state-sponsored actors.

Meanwhile, promotional material from Railway highlights features such as “vertical auto-scale out of the box” and the ease of deploying self-hosted tools—capabilities that may inadvertently aid malicious use.

“We are seeing crooks as the first movers of AI,” said Prakash Ramamurthy, chief product officer at Huntress. “They don’t have any qualms about PII, they don’t have any qualms about model training … and this incident, just in the sheer pace at which it has evolved, is kind of a testament to that.”
Read more »
Subscribe to: Comments (Atom)