65% of Top AI Companies Leak Secrets on GitHub

 

Leading AI companies continue to face significant cybersecurity challenges, particularly in protecting sensitive information, as highlighted in recent research from Wiz. The study focused on the Forbes top 50 AI firms, revealing that 65% of them were found to be leaking verified secrets—such as API keys, tokens, and credentials—on public GitHub repositories. 

These leaks often occurred in places not easily accessible to standard security scanners, including deleted forks, developer repositories, and GitHub gists, indicating a deeper and more persistent problem than surface-level exposure. Wiz's approach to uncovering these leaks involved a framework called "Depth, Perimeter, and Coverage." Depth allowed researchers to look beyond just the main repositories, reaching into less visible parts of the codebase. 

Perimeter expanded the search to contributors and organization members, recognizing that individuals could inadvertently upload company-related secrets to their own public spaces. Coverage ensured that new types of secrets, such as those used by AI-specific platforms like Tavily, Langchain, Cohere, and Pinecone, were included in the scan, which many traditional tools overlook.

The findings show that despite being leaders in cutting-edge technology, these AI companies have not adequately addressed basic security hygiene. The researchers disclosed the discovered leaks to the affected organisations, but nearly half of these notifications either failed to reach the intended recipients, were ignored, or received no actionable response, underscoring the lack of dedicated channels for vulnerability disclosure.

Security Tips 

Wiz recommends several essential security measures for all organisations, regardless of size. First, deploying robust secret scanning should be a mandatory practice to proactively identify and remove sensitive information from codebases. Second, companies should prioritise the detection of their own unique secret formats, especially if they are new or specific to their operations. Engaging vendors and the open source community to support the detection of these formats is also advised.

Finally, establishing a clear and accessible disclosure protocol is crucial. Having a dedicated channel for reporting vulnerabilities and leaks enables faster remediation and better coordination between researchers and organisations, minimising potential damage from exposure. The research serves as a stark reminder that even the most advanced companies must not overlook fundamental cybersecurity practices to safeguard sensitive data and maintain trust in the rapidly evolving AI landscape.

Google Warns of Cl0p Extortion Campaign Against Oracle E-Business Users

 

Google Mandiant and the Google Threat Intelligence Group are tracking a suspected extortion campaign by the Cl0p ransomware group targeting executives with claims of stealing Oracle E-Business Suite data. 

The hackers have demanded ransoms reaching up to $50 million, with cybersecurity firm Halcyon reporting multiple seven- and eight-figure ransom demands in recent days. The group claims to have breached Oracle's E-Business Suite, which manages core operations including financial, supply chain, and customer relationship management functions.

Modus operandi 

The attackers reportedly hacked user emails and exploited Oracle E-Business Suite's default password reset functionality to steal valid credentials. This technique bypassed single sign-on protections due to the lack of multi-factor authentication on local Oracle accounts. At least one company has confirmed that data from their Oracle systems was stolen, according to sources familiar with the matter. The hackers provided proof of compromise to victims, including screenshots and file trees.

This activity began on or before September 29, 2025, though Mandiant experts remain in early investigation stages and have not yet substantiated all claims made by the group. Charles Carmakal, Mandiant's CTO, described the operation as a high-volume email campaign launched from hundreds of compromised accounts. Initial analysis confirms at least one compromised account previously associated with FIN11, a long-running financially motivated threat group known for deploying ransomware and engaging in extortion.

Threat actor background 

Since August 2020, FIN11 has targeted organizations across multiple industries including defense, energy, finance, healthcare, legal, pharmaceutical, telecommunications, technology, and transportation. The group is believed to operate from Commonwealth of Independent States countries, with Russian-language file metadata found in their malware code. In 2020, Mandiant observed FIN11 hackers using spear-phishing messages to distribute a malware downloader called FRIENDSPEAK.

An email address in the extortion notes ties to a Cl0p affiliate and includes Cl0p site contacts, though Google lacks definitive proof to confirm the attackers' claims. The malicious emails contain contact information verified as publicly listed on the Cl0p data leak site, strongly suggesting association with Cl0p and leveraging their brand recognition. Cl0p has launched major attacks in recent years exploiting zero-day flaws in popular software including Accellion, SolarWinds, Fortra GoAnywhere, and MOVEit.

Security recommendations

Oracle confirmed the investigation on October 3, 2025, stating that attacks potentially relate to critical vulnerabilities disclosed in their July 2025 Critical Patch Update. The company strongly encouraged customers to review the July update and patch their systems for protection. Mandiant researchers recommend investigating environments for indicators of compromise associated with Cl0p operations.

Sophisticated Cyber Attacks on Rich Families Drive Demand for 24/7 Cybersecurity Concierge Services

 

Wealthy individuals are increasingly becoming prime targets for cybercriminals, driving a surge in demand for personal cybersecurity concierge services among high-net-worth families, wealth managers, and corporate executives. Recent high-profile incidents, including the hacking of Jeff Bezos' phone through a malicious WhatsApp video file and the Twitter account breaches of Bill Gates and Elon Musk for bitcoin scams, have highlighted the vulnerability of affluent individuals to sophisticated cyber threats. 

Growing target population 

Bill Roth, CEO of HardTarget, a cyber resilience firm specializing in wealthy families, emphasizes that "high-net-worth families are now the low-hanging fruit for cybercriminals". Despite possessing resources comparable to large corporations, these families often lack equivalent security measures, particularly for personal devices and home networks that remain inadequately protected compared to corporate systems. 

The scope of targeting extends beyond billionaires to include family offices and corporate leaders. According to JPMorgan Private Bank's 2024 Family Office Report, 24% of surveyed family offices experienced cybersecurity breaches or financial fraud, yet 20% still maintain no cybersecurity measures. Bobby Stover from Ernst & Young notes that major breaches affecting wealthy families often remain "under the radar" since families aren't obligated to disclose incidents and may choose silence due to shame. 

Evolving threat landscape 

Cybercriminals are employing increasingly sophisticated tactics, including extortion schemes that escalate demands from small initial payments to substantial sums. One case involved a family's son targeted through a Tinder-to-Instagram extortion scheme that escalated from $500 to $100,000 demands against the family patriarch. A 2023 Ponemon Institute survey revealed that 42% of IT professionals reported executives and family members facing cybercriminal attacks, with 25% experiencing seven or more attacks over two years. 

Financial institution response 

Major financial institutions are adapting their services to address these vulnerabilities. JPMorgan Private Bank now provides cybersecurity assistance to ultra-high-net-worth clients through their in-house Advice Lab, covering topics from multi-factor authentication to device privacy settings. Ila Van Der Linde from JPMorgan Asset & Wealth Management notes that 75% of cyberattacks target small and medium-sized enterprises, countering the misconception that family offices are "too small to be noticed". 

Comprehensive protection services 

Cybersecurity concierge services are filling critical gaps in personal digital security. Companies like BlackCloak offer 24/7 protection, conducting on-site evaluations and providing education for secure setups across multiple residences with interconnected security systems. These services address complex scenarios, such as a bank CEO discovering their home's smart camera system was accessible to anyone online due to improper configuration.

The trend reflects a broader digital transformation where personal cybersecurity mirrors physical security needs. As Christopher Budd from Sophos explains, "just as individuals employ personal security and bodyguards when facing heightened risks in the physical space, it is logical to see similar trends in digital security".

Data I/O Ransomware Attack Exposes Vulnerability in Global Electronics Supply Chain

 

Data I/O, a leading manufacturer specializing in device programming and security provisioning solutions, experienced a major ransomware attack in August 2025 that crippled core operations and raised industry-wide concerns about supply chain vulnerabilities in the technology sector.

The attack, first detected on August 16, 2025, used a sophisticated phishing campaign to compromise network credentials, enabling the attackers to exploit vulnerabilities in the company’s remote access systems and achieve lateral movement across network segments. 

This incident resulted in the encryption of critical proprietary data, including chip design schematics, manufacturing blueprints, sensitive communications, and firmware for products used by major clients such as Amazon, Apple, Google, and automotive manufacturers. 

Attack methodology 

Investigations mapped the attack to multiple MITRE ATT&CK techniques: T1566 for phishing, T1021 for remote services exploitation, T1486 for impact via data encryption, and possible use of T1078 via valid accounts. The attackers sent deceptive emails to Data I/O employees that tricked users into surrendering network credentials or accessing malicious links. After gaining access, the adversaries leveraged weaknesses in remote connectivity protocols to move laterally and encrypt essential files.

The ransomware incident caused widespread disruptions: internal and external communications, shipping, receiving, manufacturing production lines, and support functions were all impacted. The company activated incident response protocols, isolating affected systems and proactively taking critical platforms offline to prevent further spread. As of late August, some systems remained offline, without a clear timeline for full restoration. 

Broader implications 

Data I/O’s strategic role as a supply chain hub in electronics manufacturing made it a disproportionate target. Disruption reverberated across technology, automotive, and IoT sectors due to the company’s handling of security credentials and firmware for multi-billion-dollar products.

The incident underscores how ransomware operators increasingly target manufacturing entities, exploiting supply chain vulnerabilities to extract ransoms and maximize operational harm. The attackers reportedly demanded a ransom of $30 million, threatening to release encrypted data publicly if payment was not made within 72 hours. 

Data I/O engaged external cybersecurity experts and forensic professionals, initiated a full-scale investigation, and pledged transparency as more details emerged. The incident highlights urgent needs for improved remote access security, robust phishing defenses, and faster detection and response capabilities across the technology manufacturing sector. 

Analysts warn this attack may foreshadow future campaigns targeting critical infrastructure and high-tech supply chains, stressing the necessity for more resilient cybersecurity strategies.

ReVault Flaws Expose Dell ControlVault3 Hardware to Persistent Attacks

 

ReVault, a company marketing itself on advanced endpoint protection and next-generation SOC capabilities, recently suffered a severe security breach. The attackers penetrated its internal environment, exploiting vulnerabilities in the architecture used for its supposedly secure SOC platform.

The compromise was discovered after suspicious activity was detected both within the ReVault corporate network and among several client deployments, suggesting a supply chain dimension to the attack as well.

Attack mechanics

The attackers leveraged persistence techniques and privilege escalation to move laterally through ReVault's infrastructure, ultimately acquiring administrative access to sensitive SOC data. The breach included the exfiltration of client logs, incident reports, and in some cases, authentication secrets used by ReVault for remote management of client environments.

Attackers used sophisticated anti-forensic measures to delay detection, making full remediation more challenging and indicating a high level of attacker maturity. 

Impact on clients and the industry 

This compromise not only undermined ReVault’s internal systems but also exposed multiple organizations relying on its SOC services to potential intrusion and sensitive data leakage. As a result, clients had to initiate emergency incident response procedures, rotate credentials, and validate the integrity of their log data and detection mechanisms.

The breach underscores the inherent risks of outsourcing critical security operations to third-party SOC providers, especially when those providers lack sufficient internal controls or operational transparency. 

Lessons and industry response 

The incident has prompted a wave of scrutiny regarding trust in managed SOC platforms and the challenges of ensuring supply chain security within cybersecurity itself. 

Experts urge organizations to tighten their vendor evaluation processes, demand greater transparency, and implement layered monitoring—even on services provided by so-called “secure” vendors. The breach serves as a cautionary tale that no security solution is immune to compromise and that shared vigilance and robust incident response remain paramount for cyber resilience. 

Additionally, recommended mitigations include applying Dell’s firmware and driver fixes, disabling ControlVault services and peripherals (fingerprint, smart card, NFC) if unused, and turning off fingerprint login in high-risk scenarios to shrink the attack surface pending updates. 

ReVault’s situation is now a key reference point in ongoing discussions about SOC resilience, supply chain vulnerabilities, and the evolving sophistication of attackers targeting high-value security infrastructure.

Cyber Incident Response Needs Dynamic Command Structure Instead of Static Guidelines

 

The SolarWinds cyberattack, which impacted over 18,000 entities, revealed that many organizations respond to breaches with disorganized, makeshift command centers. 

Kevin Mandia, CEO of Mandiant, recognized the 2020 attack on his own firm as the work of Russia's SVR, noting the attackers' sophistication and professionalism. He and other experts argue that with increasing regulatory pressure and reputational risk, this reactive approach is no longer adequate. Effective incident response requires a pre-established infrastructure for rapid action and collaboration among legal, technical, and executive teams. 

Cybersecurity experts observe that attackers often show more discipline and coordination than the companies they target. Many businesses have contacts ready but lack a systematic strategy for managing the fallout of a breach, such as regulatory filings, legal risks, and customer notifications. 

Anderson Lunsford, CEO of the incident response firm BreachRx, notes that dealing with regulators and auditors can often prove more difficult than managing the technical aspects of the breach itself. This lack of organization puts defending companies at a significant disadvantage. 

Traditional training methods like tabletop exercises are criticized as being insufficient for real-world scenarios. Lunsford describes them as theoretical discussions that fail to account for the pressure and dispersion of teams during an actual crisis. A common oversight is the lack of clear guidelines for escalating an incident to the CEO or board. Mandia himself was not informed of the breach at his own company for several days because the threshold for escalation was too high and the response team was focused on containment rather than communication. 

To address these shortcomings, a shift from static response plans to a proactive, automated framework is necessary. Modern solutions can automate action plans based on the specific incident and legal jurisdiction, creating secure communication channels for legal, risk, and executive teams. This approach aids operational efficiency and protects the organization and its leaders from regulatory fines and lawsuits. With over 200 global regulations and increasing personal accountability for executives, this has become a critical governance issue. 

Finally, the mindset around cybersecurity must shift: breaches are inevitable business risks, not rare disasters. Executives must proactively prepare, regularly practice realistic scenarios, and coordinate across all functions. The capacity to respond quickly and cohesively—treating cybersecurity as a core leadership responsibility—will distinguish organizations that endure minor setbacks from those that suffer major scandals. The takeaway is clear: success in cybersecurity incident response depends on preparation, practice, and viewing the challenge as a fundamental aspect of modern leadership.

SonicWall VPN Zero-Day Vulnerability Suspected Amid Rising Ransomware Attacks

 

Virtual Private Networks (VPNs) have recently been in the spotlight due to the U.K.’s Online Safety Act, which requires age verification for adult content websites. While many consumers know VPNs as tools for bypassing geo-restrictions or securing public Wi-Fi connections, enterprise-grade VPN appliances play a critical role in business security. 

When researchers issue warnings about possible VPN exploitation, the risk cannot be dismissed. SonicWall has addressed growing concerns after reports surfaced of ransomware groups targeting its devices. According to the company, an investigation revealed that the activity is linked to CVE-2024-40766, a previously disclosed vulnerability documented in their advisory SNWLID-2024-0015, rather than an entirely new zero-day flaw. Fewer than 40 confirmed cases were reported, mostly tied to legacy credentials from firewall migrations. 

Updated guidance includes credential changes and upgrading to SonicOS 7.3.0 with enhanced multi-factor authentication (MFA) protections. Despite these reassurances, Arctic Wolf Labs researcher Julian Tuin observed a noticeable increase in ransomware activity against SonicWall firewall devices in late July. 

Several incidents involved VPN access through SonicWall SSL VPNs. While some intrusions could be explained by brute force or credential stuffing, evidence suggests the possibility of a zero-day vulnerability, as some compromised devices had the latest patches and rotated credentials. 

In several cases, even with TOTP MFA enabled, accounts were breached. SonicWall confirmed it is working closely with threat research teams, including Arctic Wolf, Google Mandiant, and Huntress, to determine whether the incidents are tied to known flaws or a new vulnerability. If a zero-day is confirmed, updated firmware and mitigation steps will be released promptly. 

The urgency is amplified by the involvement of the Akira ransomware group, which has compromised over 300 organizations globally. SonicWall also recently warned of CVE-2025-40599, a serious remote code execution vulnerability in SMA 100 appliances. Experts advise organizations to take immediate precautionary steps, especially given the potential for severe operational disruption. 

Recommended mitigations include disabling SSL VPN services where possible, restricting VPN access to trusted IP addresses, enabling all security services such as botnet protection and geo-IP filtering, removing inactive accounts, enforcing strong password policies, and implementing MFA for all remote access. 

However, MFA alone may not be sufficient in the current threat scenario. The combination of suspected zero-day activity, ransomware escalation, and the targeting of critical remote access infrastructure means that proactive defense measures are essential. 

SonicWall and security researchers continue to monitor the situation closely, urging organizations to act quickly to protect their networks before attackers exploit potential vulnerabilities further.

Hackers Stole 384 Crore From Bengaluru Cryptocurrency Firm

 

In what is arguably the biggest cyberattack on an Indian cryptocurrency company, Neblio Technologies Private Limited, located in Bengaluru, was allegedly robbed of Rs. 384 crore. The company owns CoinDCX, a cryptocurrency exchange platform.

The company claims that someone hacked Neblio's wallet and transferred $44 million (roughly Rs. 384 crore). An employee named Rahul Agarwal is at the centre of the inquiry because his laptop was hijacked to facilitate the alleged transfer.

Cybercrime authorities are currently investigating the incident. The theft became apparent when Hardeep Singh, Vice-President, Public Policy and Government Affairs, Neblio Technologies, learnt that the company's wallet had been compromised. Around 2.37 a.m. on July 19, cryptocurrency valued at Rs. 384 crore ($44 million) was transferred to six separate accounts.

The company's internal investigation found that Rahul Agarwal's laptop had been compromised. Investigators discovered that Agarwal's personal account had received a transfer of Rs. 15 lakh. When questioned, Agarwal stated he was working a part-time job.

In his complaint, Singh said that Agarwal had been expressly told not to use the laptop for any other reason and that it was only to be used for official business. Singh believes Agarwal may have conspired with unidentified individuals to execute the hack, according to police sources.

“As the matter is currently under active investigation by the relevant authorities, we are unable to share further details at this point to ensure the integrity of the process is not compromised. We urge the media and the public to avoid speculation or the circulation of unverified information, as it may impede the ongoing investigation,” a Neblio spokesperson stated.

Police are still investigating the cyber robbery, which is among the largest crypto thefts reported in India. This incident illustrates crypto companies' increased vulnerability to high-stakes cyberattacks as adoption grows.