Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Attacks. Show all posts
Sensata Technologies data breach
Cyber Attacks employee data exposed ransomware attack April 2025 Sensata cybersecurity incident Sensata Technologies data breach

Sensata Technologies Confirms Data Breach After April Ransomware Attack, Notifies Employees of Exposed Personal Information

 

Sensata Technologies has begun notifying current and former employees of a data breach following the conclusion of an internal investigation into a ransomware attack that took place in April 2025.

A global leader in industrial technology, Sensata specializes in mission-critical sensors, controls, and electrical protection systems, serving sectors such as automotive, aerospace, and defense. The company generates annual revenues exceeding $4 billion.

The breach was initially disclosed in an 8-K filing with the U.S. Securities and Exchange Commission (SEC) after a ransomware attack occurred on Sunday, April 6. At the time, Sensata confirmed that the incident included data exfiltration and disrupted its shipping, manufacturing, and other operations.

While early findings verified that data had been accessed without authorization, the specifics of the stolen information remai5ned unclear. A detailed investigation, supported by external cybersecurity experts, later revealed that the attackers infiltrated Sensata’s systems on March 28, 2025.

"The evidence showed that there was unauthorized activity in our network between March 28, 2025, and April 6, 2025," reads the notice sent to impacted persons.

"During that time, an unauthorized actor viewed and obtained files from our network. We conducted a careful review of the files and, on May 23, 2025, determined that one or more of them may have contained your information."

According to the company, the compromised data may include sensitive personal details such as:
  • Full name
  • Address
  • Social Security Number (SSN)
  • Driver’s license number
  • State ID card number
  • Passport number
  • Financial account and payment card details
  • Medical and health insurance information
  • Date of birth
The breach has affected both current and former employees, as well as their dependents, with the nature of the exposed data varying from person to person.

To support those affected, Sensata is offering one year of complimentary credit monitoring and identity theft protection services.

BleepingComputer has contacted the company to clarify the scale of the breach and the number of individuals impacted, but no response was received as of publication time.

So far, no ransomware group has claimed responsibility for the attack on Sensata Technologies.
Read more »
Social Engineering
Cyber Attacks Extortion FBI Luna Moth Ransomware attack Social Engineering

FBI Warns of Luna Moth Ransomware Attacks Targeting U.S. Law Firms

 

The FBI said that over the last two years, an extortion group known as the Silent Ransom Group has targeted U.S. law firms through callback phishing and social engineering tactics. 

This threat outfit, also known as Luna Moth, Chatty Spider, and UNC3753, has been active since 2022. It was also responsible for BazarCall campaigns, which provided initial access to corporate networks for Ryuk and Conti ransomware assaults. Following Conti's shutdown in March 2022, the threat actors broke away from the cybercrime syndicate and created their own operation known as the Silent Ransom Group.

In recent attacks, SRG mimics the targets' IT help via email, bogus websites, and phone conversations, gaining access to their networks via social engineering tactics. This extortion group does not encrypt victims' systems and is infamous for demanding ransoms in order to keep sensitive information stolen from hacked devices from being leaked online. 

"SRG will then direct the employee to join a remote access session, either through an email sent to them, or navigating to a web page. Once the employee grants access to their device, they are told that work needs to be done overnight," the FBI stated in a private industry notification.

"Once in the victim's device, a typical SRG attack involves minimal privilege escalation and quickly pivots to data exfiltration conducted through 'WinSCP' (Windows Secure Copy) or a hidden or renamed version of 'Rclone.'” 

After acquiring the victims' data, they use ransom emails to blackmail them, threatening to sell or publish the information. They frequently call employees of breached organisations and force them into ransom negotiations. While they have a dedicated website for disclosing their victims' data, the FBI claims the extortion ring does not always followup on its data leak promises. 

To guard against these attacks, the FBI recommends adopting strong passwords, activating two-factor authentication for all employees, performing regular data backups, and teaching personnel on recognising phishing efforts.

The FBI's warning follows a recent EclecticIQ report detailing SRG attacks targeting legal and financial institutions in the United States, with attackers observed registering domains to "impersonate IT helpdesk or support portals for major U.S. law firms and financial services firms, using typosquatted patterns.”

A recent EclecticIQ report about SRG attacks against American legal and financial institutions revealed that the attackers were registering domains to "impersonate IT helpdesk or support portals for major U.S. law firms and financial services firms, using typosquatted patterns." The FBI issued the warning in response to this information. 

Malicious emails with fake helpdesk numbers are being sent to victims, prompting them to call in order to fix a variety of non-existent issues. On the other hand, Luna Moth operators would try to deceive employees of targeted firms into installing remote monitoring & management (RMM) software via phoney IT help desk websites by posing as IT staff.

Once the RMM tool is installed and started, the threat actors have direct keyboard access, allowing them to search for valuable documents on compromised devices and shared drivers, which will then be exfiltrated via Rclone (cloud syncing) or WinSCP (SFTP). According to EclecticIQ, the Silent Ransom Group sends ransom demands ranging from one to eight million USD, depending on the size of the hacked company.
Read more »
IT Infrastructure
ALPHV Change Healthcare Cyber Attacks CyberCrime Cybersecurity cybersecurity in healthcare CyberThreat data security EHRs IT Infrastructure

Weak Links in Healthcare Infrastructure Fuel Cyberattacks

 


Increasingly, cybercriminals are exploiting systemic vulnerabilities in order to target the healthcare sector as one of the most frequently attacked and vulnerable targets in modern cybersecurity, with attacks growing both in volume and sophistication. These risks go well beyond the theft of personal information - they directly threaten the integrity and confidentiality of critical medical services and patient records, as well as the stability of healthcare operations as a whole. 

There has been an increase in threat actors targeting hospitals and medical institutions due to the outdated infrastructure and limited cybersecurity resources they often have. Threat actors are targeting these organisations to exploit sensitive health information and disrupt healthcare delivery for financial or political gain. The alarming trend reveals that there is an urgent and critical security issue looming within the healthcare industry that needs to be addressed immediately. 

Such breaches have the potential to have catastrophic consequences, from halting life-saving treatments due to system failures to eroding patients' trust in healthcare providers. Considering the rapid pace at which the digital transformation is taking place in healthcare, it is important that the sector remains committed to robust cybersecurity strategies so as to safeguard the welfare of its patients and ensure the resilience of essential medical services in the future. 

BlackCat, also referred to as ALPHV, is at the centre of a recent significant cybersecurity incident. In recent months, it has gained prominence as a highly organised, sophisticated ransomware group that has been linked to the high-profile attack on Change Healthcare. As a result of the infiltration of the organisation's IT infrastructure and the theft of highly sensitive healthcare data by the group, the group has claimed responsibility for obtaining six terabytes of data.

As a result of this breach, not only did it send shockwaves throughout the healthcare sector, but it also highlighted the devastating power of modern ransomware when targeting critical systems. It has been reported that the attack was triggered by known vulnerabilities in ConnectWise's ScreenConnect remote access application, a tool that is frequently employed in many industries, including healthcare, as a remote access tool. 

Having this connection has given rise to more concern about the broader cybersecurity risks posed by third-party vendors as well as software providers, showing that even if one compromised application is compromised, it can lead to widespread data theft and operational disruption as a result. This incident has served as a stark reminder that digital ecosystems in healthcare are fragile and interconnected, with a breach in one component leading to cascading effects across the entire healthcare service network. 

There is a growing concern in the healthcare sector that, as investigations continue and new details emerge, healthcare providers are still on high alert, coping with the aftermath of the attack as well as the imperative necessity of strengthening their defensive infrastructure in order to prevent similar intrusions in the future. As one of the most frequently targeted sectors of the economy by cybercriminals, healthcare continues to be one of the most highly sensitive data centres in the world. 

It is important to note that even though industry leaders often fail to rank cybersecurity as one of their top challenges, Mike Fuhrman, CEO of Omega Systems, pointed out that despite this growing concern, there are already significant consequences resulting from insufficient cyber risk management, including putting patient safety at risk, disrupting care delivery, and making compliance with regulations even more difficult. Even though perceived priorities are not aligned with actual vulnerabilities, this misalignment poses an increasing and significant risk for the entire healthcare system. 

Fuhrman stressed the necessity of improving visibility into security threats and organisational readiness, as well as increasing cybersecurity resources, to bridge this gap. As long as healthcare organisations fail to take proactive and comprehensive steps to ensure cyber resilience, they may continue to experience setbacks that are both detrimental to operational continuity as well as eroding public trust, as well as putting patient safety at risk. 

As cybersecurity has become more and more important to the leadership, it has never been more important to elevate it from a back-office issue to an imperative. As a result of the growing number of cyberattacks targeting the healthcare sector in the past few years, the scale and frequency of these attacks have reached alarming levels.

According to the Office for Civil Rights (OCR), the number of security breaches reported by the healthcare industry between 2018 and 2023 has increased by a staggering 239%. Over the same period, there was a 278% increase in ransomware incidents, which suggests that cybercriminals are increasingly looking for disruptive, extortion-based attacks against healthcare providers as a means of extorting money. 

There is a likelihood that nearly 67% of healthcare organisations will have been attacked by ransomware at some point shortly, which indicates that such threats are no longer isolated events but rather a persistent and widespread threat. According to experts within the health care industry, one of the primary contributing factors to this vulnerability is the lack of preparedness at all levels. In fact, 37% of healthcare organisations do not have an incident response plan in place, leaving them dangerously vulnerable to ever-evolving cyberattacks. 

Health care institutions are appealing to malicious actors because they manage a huge amount of valuable data. Cybercriminals and even nation-state threat actors are gaining an increasing level of interest in electronic health records (EHRs), which contain comprehensive information about patient health, financial health, and medical history.

As a result of outdated cybersecurity protocols, legacy IT infrastructure, and operational pressures of high-stress environments, these records are frequently inadequately protected due to the likelihood that human error will occur more often. These factors together create an ideal storm for exploitation, making the healthcare industry a very vulnerable and frequently targeted industry in today's digital threat landscape.

Despite the growing frequency and complexity of cyberattacks, healthcare organisations face a critical crossroads as 2025 unfolds. Patient safety, data security, and regulatory compliance all intersect at the same time, resulting in a crucial crossroads more than ever before. Enhancing cyber resilience has become a strategic priority and a fundamental requirement, not just a strategic priority. 

Healthcare institutions must proactively adopt forward-looking security practices and technologies to secure sensitive patient data and ensure continuous care delivery. As a key trend influencing the healthcare cybersecurity landscape, zero-trust architectures are a growing trend that challenges traditional security models by requiring all users and devices to be verified before they are allowed access. 

In a hyperconnected digital environment where cyber threats exploit even the most subtle of system weaknesses, a model such as this is becoming increasingly important. IoT devices are becoming increasingly popular, and many of them were not originally designed with cybersecurity in mind, so we must secure them as soon as possible. Providing robust protections for these devices will be crucial if we are to reduce the attack surfaces of these devices. 

AI has been rapidly integrated into healthcare, and it has brought new benefits as well as new vulnerabilities to the healthcare sector. In order for organisations to meet emerging risks and ensure a responsible deployment, they must now develop AI-specific safety frameworks. Meanwhile, the challenge of dealing with technological sprawl, an increasingly fragmented IT environment with disparate security tools, calls for a more unified, centralised cybersecurity management approach.

A good way to prepare for 2025 is to install core security measures like multi-factor authentication, strong firewalls, and data backups, as well as advanced measures like endpoint detection and response (EDR), segmentation of the network, and real-time AI threat monitoring. In addition to strengthening third-party risk management, it will also be imperative to adhere to global compliance standards like HIPAA and GDPR.

There is only one way to protect both healthcare infrastructure and the lives that are dependent on it in this ever-evolving threat landscape, and that is by implementing a comprehensive, proactive, and adaptive cybersecurity strategy. Healthcare organisations must take proactive measures rather than reactive measures and adopt a forward-looking mindset so they can successfully navigate the increasing cybersecurity storm. 

Embedding cybersecurity into healthcare operations' DNA is the path to ensuring patient safety, operational resilience, and institutional trust in healthcare organisations, not treating it as a standalone IT concern, but as a critical pillar of patient safety, operational resilience, and institutional trust in healthcare organisations.

To achieve this, leadership must take the initiative to champion security from the boardroom level, integrate threat intelligence into strategic planning, and invest in people and technology that will be able to anticipate, detect, and neutralise emerging threats before they become a major issue. As part of the process of fostering cyber maturity, it is also essential to cultivate a culture of shared responsibility among all stakeholders, ranging from clinicians to administrative personnel to third-party vendors, who understand the importance of keeping data and systems secure. 

Training on cybersecurity hygiene, cross-functional collaboration, and continuous vulnerability assessment must become standard operating procedures in the healthcare industry. As attackers become more sophisticated and bold, the costs of inaction do not stop at regulatory fines or reputational damage. Rather, inaction may mean interruptions of care, delays in treatments, and the risk to human life. 

Only organisations that recognise cybersecurity as a strategic imperative will be in the best position to deliver uninterrupted, trustworthy, and secure care in an age when digital transformation is accelerating. This is a sector that is built on the pillars of trust, a sector that offers life-saving services, which does not allow for room for compromise. They have to act decisively, investing today in the defensive measures that will ensure the future of their industry.
Read more »
stolen credentials dark web
AI cyberattacks Cyber Attacks Fortinet threat report infostealer malware surge ransomware trends 2025 stolen credentials dark web

AI-Driven Cyberattacks Surge Globally as Stolen Credentials Flood the Dark Web: Fortinet Report

 

Artificial intelligence is accelerating the scale and sophistication of cyberattacks, according to Fortinet’s latest 2025 Global Threat Landscape Report. The cybersecurity firm observed a significant 16.7% rise in automated scanning activity compared to last year, with a staggering 36,000 scans occurring every second worldwide. The report emphasizes that attackers are increasingly "shifting left" — targeting vulnerable digital entry points such as Remote Desktop Protocol (RDP), Internet of Things (IoT) devices, and Session Initiation Protocols (SIP) earlier in the attack cycle.

Infostealer malware remains a major concern, with a dramatic 500% increase in compromised system logs now available online. This translates to over 1.7 billion stolen credentials circulating on the dark web. The report warns, “this flood of stolen data has led to a sharp increase in targeted cyberattacks against businesses and individuals.” Cybercriminals are actively exploiting this data, leading to a 42% jump in credentials listed for sale on underground forums.

Interestingly, zero-day vulnerabilities only make up a minor portion of the current threat landscape. Instead, attackers are leveraging “living off the land” tactics — exploiting built-in system tools and overlooked weaknesses — to stay hidden and avoid detection.

The ransomware ecosystem is also evolving. New groups are emerging while established ones strengthen their presence. In 2024, Ransomhub led the charts, accounting for 13% of ransomware victims. It was followed closely by LockBit 3.0 (12%), Play (8%), and Medusa (4%).

A majority of these ransomware incidents targeted U.S.-based entities, which experienced 61% of the reported cases. The United Kingdom and Canada followed with 6% and 5% respectively, suggesting a disproportionate focus on American organizations.

“Our 2025 Global Threat Landscape Report makes it clear: cybercriminals are scaling faster than ever, using AI and automation to gain the upper hand,” stated Derek Manky, Chief Security Strategist and Global Vice President of Threat Intelligence at FortiGuard Labs.

He added, “Defenders must abandon outdated security playbooks and transition to proactive, intelligence-driven strategies that incorporate AI, zero trust architectures, and continuous threat exposure management.”
Read more »
Microsoft
AI AI Engineers Cyber Attacks CyberCrime Cyberhackers Cybersecurity CyberThreat Fake AI Microsoft

London Startup Allegedly Deceived Microsoft with Fake AI Engineers

 


There have now been serious allegations of fraud against London-based startup Builder.ai, once considered a disruptor of software development and valued at $1.5 billion. Builder.ai is now in bankruptcy. The company claims that its artificial intelligence-based platform will revolutionise app development. With the help of its AI-assisted platform, Natasha, the company claims that building software will be easier than ordering pizza. 

The recent revelations, however, have revealed a starkly different reality: instead of employing cutting-edge AI technology, Builder.ai reportedly relies on hundreds of human developers in India, who manually execute customer requests while pretending to be AI-generated results.

Having made elaborate misrepresentations about this company, Microsoft and Qatar Investment Authority invested $445 million, led by the false idea that they were backed by a scalable, AI-based solution, which resulted in over $445 million in funding being raised. This scandal has sparked a wider conversation about transparency, ethics, and the hype-driven nature of the startup ecosystem, as well as raised serious concerns about due diligence in the AI investment landscape. 

In 2016, Builder.ai, which was founded by entrepreneur Sachin Dev Duggal under the name Engineer.ai, was conceived with a mission to revolutionise app development. In the company's brand, the AI-powered, no-code platform was touted to be able to dramatically simplify the process of creating software applications by cutting down on the amount of code required. 

Founded by a group of MIT engineers and researchers, Builder.ai quickly captured the attention of investors worldwide, as the company secured significant funding from high-profile companies including Microsoft, the Qatar Investment Authority, the International Finance Corporation (IFC), and SoftBank's DeepCore. 

The company highlighted its proprietary artificial intelligence assistant, Natasha, as the technological breakthrough that could be used to build custom software without human intervention. This innovative approach was a central part of the company's value proposition. With the help of a compelling narrative, the startup secured more than $450 million in funding and achieved unicorn status with a peak valuation of $1.5 billion. 

It was widely recognised in the early stages of the evolution of Builder.ai that it was a pioneering force that revolutionised software development, reducing the reliance on traditional engineering teams and democratizing software development. However, underneath the surface of the company's slick marketing campaigns and investor confidence lay a very different operational model—one which relied heavily on human engineers, rather than advanced artificial intelligence. 

Building.ai's public image unravelled dramatically when its promotional promises diverged from its internal practices. It was inevitable that the dramatic collapse of Builder.ai, once regarded as a rising star in the global tech industry, would eventually lead to mounting scrutiny and a dramatic unravelling of its public image. This has revealed troubling undercurrents in the AI startup sector.

In its beginnings, Builder.ai was marketed as a groundbreaking platform for creating custom applications, but it also promised automation, scale, and cost savings, and was positioned as a revolutionary platform for developing custom applications. Natasha was the company's flagship artificial intelligence assistant, which was widely advertised as enabling it to develop software with no code. Yet internal testimonies, lawsuits, and investigation findings have painted a much more troubling picture since then. 

According to its claims of integrating sophisticated artificial intelligence, Natasha was only used as a simple interface for collecting client requirements, whereas the actual development work was done by large engineering teams in India, despite Natasha's claims of sophisticated artificial intelligence integration. According to whistleblowers, including former executives, Builder.ai did not have any genuine AI infrastructure in place. 

As it turns out, internal documentation indicates that applications are being marketed as “80% built by AI” when in fact their underlying tools are rudimentary at best, when they are actually built with artificial intelligence. Former CEO Robert Holdheim filed a $5 million lawsuit alleging wrongful termination after raising concerns about deceptive practices and investor misrepresentation in the company. Due to his case catalysing broader scrutiny, allegations of financial misconduct, as well as technological misrepresentations, were made, resulting in allegations of both. 

After Sachin Dev Duggal had taken over as CEO in mid-2025, Manpreet Ratia took over as CEO, starting things off in a positive manner by stabilising operations. An independent financial audit was ordered under Ratia's leadership that revealed massive discrepancies between the reported revenue and the actual revenue. 

Builder.ai claimed that it had generated more than $220 million in revenues for 2024, while the true figure was closer to $50 million. As a result, Viola Credit, a company's loan partner, quickly seized $37 million in the company's accounts and raised alarm among creditors and investors alike. A final-ditch measure was to release a press release acknowledging Builder.ai had been unable to sustain payroll or its global operations, with only $5 million remaining in restricted funds. 

In the statement, it acknowledged that it had not been able to recover from its past decisions and historic challenges. Several bankruptcy filings were initiated across multiple jurisdictions within a short period of time, including India, the United Kingdom, and the United States. The result was the layoff of over 1,000 employees and the suspension of a variety of client projects. 

The controversy exploded as new allegations were made about revenue roundtrips with Indian technology company VerSe, which was believed to be a strategy aimed at inflating financial performance and attracting new investors. Further, reports revealed that Builder.ai has defaulted on substantial payments to Amazon and Microsoft, owing approximately $85 million to Amazon and $30 million to Microsoft for unpaid cloud services. 

As a result of these developments, a federal investigation has been launched, with authorities requesting access to the company's finances and client contracts as well. As a result of the Builder.ai scandal, a broader issue is at play in the tech sector — "AI washing", where startups exaggerate or misstate their artificial intelligence capabilities to get funding and market traction. 

In an interview with Info-Tech Research Group, Principal Analyst Phil Brunkard summarised this crisis succinctly: "Many of these so-called AI companies scaled based on narrative rather than infrastructure." There is a growing concern among entrepreneurs, investors, and the entire technology industry that Builder.ai could be serving as a cautionary tale for investors, entrepreneurs, and the entire technology industry as regulatory bodies tighten scrutiny of AI marketing claims. 

There have been concerns regarding the legitimacy of Builder.ai's artificial intelligence capabilities ever since a report published by The Wall Street Journal in 2019 raised questions about how heavily the company relies on human labour over artificial intelligence. It has been reported that, despite the company's marketing narrative emphasising automation and machine learning, the company's internal operations paint a different picture. 

The article quotes former employees of Builder.ai saying that Builder.ai was a platform that was primarily engineering, and not AI-driven. This statement starkly contradicted the company's claim to be an AI-first, no-coding platform. Even though many investors and stakeholders ignored these early warnings, they hinted that there might be deeper structural inconsistencies with the startup's operations than what the initial warnings indicated. 

When Manpreet Ratia took on the role of CEO of the company in February 2025, succeeding founder Sachin Dev Duggal, the extent to which the company's internal dysfunction was revealed. It became apparent to Ratia quickly that the company had been misreported and that data had been manipulated for years in order to increase its valuation and public image, despite the fact that it had been tasked with restoring investor confidence and operational transparency. 

Following the revelations in this case, U.S. federal prosecutors immediately began an investigation into the company's business practices in response to the disclosures. Earlier this week, the authorities formally requested access to Builder.AI's financial records, internal communications, and its customer data. The request is part of a broader investigation looking into the possibility of fraud, deception of investors, and violations related to false descriptions of AI capabilities.

It should be noted that the failure of Builder.AI serves as an obvious sign that the investment and innovation ecosystems surrounding artificial intelligence need to be recalibrated urgently and sharply. Capital is continuing to flow into AI-powered ventures at a rapid pace, and stakeholders need to raise their standards in regards to due diligence, technical validation and governance oversight as a result. 

It is important to temper investor enthusiasm for innovative startups by rigorously evaluating the company's technical capabilities beyond polished pitch decks and strategic storytelling. The case reinforces the importance of transparency and sustainability over short-term hype for founders, as well as the need for regulators to develop frameworks aimed at holding companies accountable if they make misleading claims in their product representations and financial disclosures. 

Regulators are becoming increasingly aware of what is being called "AI washing" and are developing strategies to address it. Credibility in a sector built upon trust has become an essential cornerstone of long-term viability, and the collapse of Builder.ai illustrates that this is no longer just a case of a singular failure; rather, it has become a call to action in the tech industry to place substance above spectacle in the age of artificial intelligence.
Read more »
Software
Cyber Attacks CyberCrime Cybersecurity Cyberthreart Google Mandiant Scam Alarms Security Concerns Software

North Korea’s Innovative Laptop Farm Scam Alarms Cybersecurity Experts

 


A group of software engineers, many of whom secretly work on behalf of North Korea, has infiltrated major U.S. companies, many of which are Fortune 500 companies, by masquerading as American developers to obtain money from them. This has been confirmed by a coordinated investigation conducted by the U.S Treasury Department, State Department, and the FBI. This elaborate deception, which has been performed for several years, has allowed North Korea to generate hundreds of millions of dollars in revenue every year. 

It has been reported that these operatives, embedded within legitimate remote workforces, have been sending their earnings back to Pyongyang so that they will be used to finance Pyongyang's prohibited weapons of mass destruction and ballistic missile programs. National security officials and cybersecurity experts alike are both alarmed by the scale and sophistication of this operation. Because it represents a massive manipulation of the global digital economy to finance a sanctioned regime's military ambitions, it has raised serious security concerns. 

As detailed in a recent report published by Google's Mandiant division, this North Korean operative pursued employment opportunities within high-level sectors whose security has been deemed especially sensitive, including defence contractors and government agencies within the United States. Apparently, the individual was engaged in a sophisticated pattern of deceiving recruiters, using fabricated references and cultivating trust between recruiters, as well as using alternate online personas as a means to reinforce their legitimacy, as reported by the investigators. 

The case illustrates a more extensive and persistent threat that Western organisations have faced over the years—unwittingly hiring North Koreans under false identities as freelancers or remote workers. As a consequence, these operatives, often embedded deep within corporate infrastructures, have been implicated in a wide range of malicious activities, including intellectual property thefts and extortions, as well as the planting of digital backdoors that can then be exploited at a later date. 

In addition to the illicit earnings from these operations, North Korea also generates revenue through forced labour in Chinese factories, cigarette smuggling, and a high-profile cryptocurrency heist, all of which contribute to North Korea's strategic weaponry programs. Consequently, U.S. authorities have increased their efforts to break down the infrastructure that enables these schemes, raiding laptop farms, issuing sanctions, and indicting those involved. 

It has been noted by Mandiant researchers that North Korean cyber activities are expanding across Europe, indicating that both the scope and scale of the threat have increased considerably over the past few years, with the primary targets remaining U.S.-based companies. There has been a long history of exploiting platforms such as Upwork and Freelancer to pose as highly skilled developers who specialise in fields such as blockchain technology, artificial intelligence, and web development to gain unauthorised access to sensitive corporate environments. 

Besides the fact that North Korea wanted to collect wages illegally from Western companies, there were many other reasons why they infiltrated them. In addition to gaining access to and exfiltrating sensitive internal data once they were embedded in corporate networks, these operatives also had access to and stole proprietary business data, proprietary intellectual property, and confidential communications. It has been proven that this activity is related to both the pursuit of financial gain through ransomware operations as well as the pursuit of state-sponsored espionage objectives. 

Several confirmed incidents have taken place involving North Korean employees who were caught covertly downloading and sending internal company files abroad to unauthorised locations, exposing the organisation to significant security breaches as well as potential financial liabilities. As an incident response manager for cybersecurity firm Sygnia, Ryan Goldberg provided further insights into the scale and sophistication of these operations.

During Goldberg's analysis of a laptop seized from a single such operative, he found advanced surveillance tools suited for infiltrating remote work environments, as reported in The Wall Street Journal. As a result of the tools, Zoom meetings could be monitored live, and sensitive data from the employer's system could be extracted silently. There were several things Goldberg noted about the way they were utilising the remote control that he had never seen before, pointing out that the tactics employed were unprecedented. 

It is a clear indication that traditional cyber defences are no longer adequate against adversaries who leverage human access, social engineering, and stealthy digital surveillance in tandem, demonstrating how the threat landscape has evolved over the years. According to FBI officials and cybersecurity researchers, North Korea’s remote work scam is not a disorganised effort but a meticulously coordinated operation involving specialised teams assigned to different stages of the scheme. 

Dedicated units are reportedly responsible for guiding North Korean IT operatives through every phase of the recruitment process, leveraging artificial intelligence tools to craft convincing résumés and generate polished responses for technical interviews. As a result of FBI officials and cybersecurity researchers' efforts, the North Korean remote work scam is not a disorganised scheme, but rather a meticulously planned operation, where teams of experts are assigned to various stages of the scam. 

It is reported that North Korean IT operatives are being guided by dedicated units through every stage of the recruitment process, using artificial intelligence tools to create convincing summaries and composing polished answers for technical interviews, using artificial intelligence tools. As part of these groups, operatives work systematically to embed themselves within legitimate companies, with a particular focus on roles in software development, IT infrastructure, and blockchain technology. 

In the past few years, law enforcement agencies have issued public warnings about the scam, but analysts, including the intelligence chief of DTEX Systems, have seen a disturbing evolution of the scam. It is becoming increasingly apparent that some of these IT workers have begun to attempt extortion from their employers or have given their credentials to North Korean hacking groups as a result of increased scrutiny. 

Once these advanced persistent threat actors gain access to a computer system, they are able to deploy malware, steal sensitive data, and carry out large-scale cryptocurrency thefts. The scam, as Barnhart emphasised, is not isolated fraud, but is instead part of a broader national strategy. The scam is directly linked to state-sponsored hacking groups, digital financial crime, and the funding of North Korean nuclear and ballistic missile programs. 

A large number of these IT workers are reportedly located in call centre-style compounds in Southeast Asia and parts of China, where they are housed. In addition to being under strict surveillance and under intense pressure, their monthly financial quotas are set - initially around $5,000 for each individual - and there is only a small percentage of the earnings that can be used for personal reasons, sometimes as little as $200. Those who fail to meet these targets often face physical punishments or fear being deported back home to North Korea. 

There has been a dramatic increase in these quotas over the past few months, according to Barnhart, with many workers now being required to earn as much as $20,000 per month through any means possible, regardless of whether that means legitimate freelance work or illegal cyber operations such as crypto scams. A review of the internal communications of the workers by investigators has revealed that they are operating in a high-pressure environment. 

Often, workers are comparing earnings, trading tactics, and strategising to increase their monthly income to meet the demands of the regime by boosting their salaries. They frequently share apartments with up to ten individuals, and together they maintain dozens of jobs at the same time, and can sometimes pay over 70 individual paychecks per month under different aliases, often occupying the same apartment. 

In light of the industrial scale of this operation and its aggressive nature, global cybersecurity officials have expressed concerns regarding the threat that North Korea's hybrid cyber-economic campaigns pose to them as a growing threat. It has become increasingly clear that North Korea is infiltrating its workforce through cyber means, and industry leaders and security professionals are urging businesses to adopt far more stringent procedures for verification and internal monitoring of their employees.

In the age of artificial intelligence and social engineering, traditional background checks and identity verification processes are failing to protect organisations against state-sponsored deception campaigns that leverage artificial intelligence and social engineering at large scales. In order to protect themselves against this evolving threat, organisations in critical infrastructure, finance, defence, and emerging technologies must adopt proactive strategies such as advanced behavioural analytics, continuous access audits, and zero-trust security models. 

There is a need for more than just technical solutions; it is critical that all departments—from human resources to information technology—develop a culture of cybersecurity awareness. This North Korean laptop farm scheme serves as a stark reminder that geopolitical adversaries can easily bypass sanctions, fund hostile programs, and compromise sensitive systems from within by exploiting the digital workforce.

Defeating this challenge, however, calls for not only vigilance, but also the implementation of a coordinated global response- one that brings together policy enforcement, international intelligence exchange, and private sector innovation as well as other components that will lead to success against the next wave of cyber attacks.
Read more »
tata company
cyber attack Cyber Attacks Data Theft M&S tata company

TCS Investigates Possible Link to M&S Cyberattack

 

Tata Consultancy Services (TCS), a leading Indian IT services firm under the Tata Group umbrella, is reportedly investigating whether its systems played any role in the recent ransomware attack that disrupted operations at British retail giant Marks & Spencer (M&S). 

The cyberattack, which occurred in late April 2025, was initially described by M&S as a “cyber incident.” However, subsequent reports confirmed it to be a ransomware assault that severely affected both in-store and online operations. Key services such as contactless payments and Click and Collect were disabled, while online orders came to a standstill. 

Several internal systems were reportedly taken offline as a containment measure. The prolonged disruption, lasting several weeks, had a significant impact on M&S’s business. The company’s market capitalization is estimated to have dropped by £1 billion, and there are allegations that customer data may have been compromised in the breach. 

As M&S continues recovery efforts, TCS is conducting a thorough internal investigation to determine whether any part of its infrastructure might have been involved in the incident. TCS has long been a key technology partner for M&S, which adds urgency to the ongoing review. The attack has once again brought cybersecurity solutions into focus. 

Platforms like Keeper Security, known for their zero-knowledge encryption-based password managers and digital vaults, are gaining traction. Keeper offers features such as two-factor authentication, secure file storage, dark web monitoring, and real-time breach alerts—tools that are increasingly vital in defending against sophisticated cyber threats like ransomware. 
Read more »
User Privacy
Cyber Attacks MathWorks MATLAB Ransomware attack User Privacy

MathWorks Hit by Ransomware Attack Affecting Over 5 Million Clients

 

The renowned MATLAB programming language and numeric computing environment's developer has reported a ransomware attack on its IT systems. 

MathWorks, based in Massachusetts, sent an update to users after initially reporting issues on May 18, stating that the company had been hit by a ransomware attack that shut down online services and internal systems used by employees. 

“We have notified federal law enforcement of this matter,” the company noted. “We have brought many of these systems back online and are continuing to bring other systems back online with the assistance of cybersecurity experts.” 

MathWorks has millions of users, including engineers and scientists who use MATLAB for data analysis, calculation, and other purposes. MATLAB and other MathWorks products are utilised by nearly 6,500 colleges and universities, according to the company.

The firm has 6,500 employees and over 30 offices in Europe, Asia, and North America. This issue affected several MATLAB services as well as parts of the MathWorks website, such as the job page, cloud centre, store, and file exchange. MATLAB Online and MATLAB Mobile were restored on Friday.

MathWorks stated in a Tuesday update that the issue was still being investigated. Several pages on the MathWorks website are still offline. The firm did not immediately respond to a request for comment. 

Verizon's comprehensive data breach report released last month revealed that ransomware was utilised in nearly half of the 12,195 confirmed data breaches in 2024. The researchers discovered that 64% of ransomware victims did not pay the ransoms, up from 50% two years ago, and the typical amount paid to ransomware groups has dropped to $115,000 (down from $150,000 last year). 

“This could be partially responsible for the declining ransom amounts. Ransomware is also disproportionately affecting small organizations,” the researchers noted. “In larger organizations, ransomware is a component of 39% of breaches, while small and medium-sized businesses experienced ransomware-related breaches to the tune of 88% overall.” 

The number of large ransoms paid has also reduced, with Verizon estimating that 95% of ransoms paid will be less than $3 million by 2024. That value is a significant increase above the $9.9 million recorded in 2023.
Read more »
Ransomwares
Advanced Social Engineering Cyber Attacks cybercriminal group data security FBI FBI cybersecurity advisory Law Firms Luna Moth phishing techniques ransomware attacks Ransomwares

FBI Warns of Silent Ransom Group Using Phishing and Vishing to Target U.S. Law Firms

 

The FBI has issued a warning about a sophisticated cybercriminal group known as the Silent Ransom Group (SRG), also referred to by aliases like Luna Moth, Chatty Spider, and UNC3753. This group has been actively targeting U.S.-based law firms and related organizations through advanced phishing techniques and social engineering scams. The group, which has been operational since 2022, is known for using deceptive communication methods to gain unauthorized access to corporate systems and extract sensitive legal data for ransom demands. In the past, SRG’s activities spanned across industries such as healthcare and insurance. 

However, since the spring of 2023, its focus has shifted to legal entities, likely because of the highly confidential nature of the data managed by law firms. The group commonly uses a method called callback phishing, also known as reverse vishing. In this approach, victims receive emails that appear to originate from reputable companies and warn them of small charges for fake subscriptions. The emails prompt users to call a phone number to cancel the subscription. During these calls, victims are instructed to download remote access software under the guise of resolving the issue. Once the software is installed, SRG gains control of the victim’s device, searches for valuable data, and uses it to demand ransom.  

In March 2025, SRG has adapted their strategy to include voice phishing or vishing. In this new approach, the attackers call employees directly, posing as internal IT staff. These fraudulent callers attempt to convince their targets to join remote access sessions, often under the pretext of performing necessary overnight maintenance. Once inside the system, the attackers move swiftly to locate and exfiltrate data using tools like WinSCP or a disguised version of Rclone. Notably, SRG does not prioritize escalating privileges, instead focusing on immediate data theft. The FBI noted that these voice phishing methods have already resulted in multiple successful breaches. 

SRG reportedly continues to apply pressure during ransom negotiations by making follow-up calls to victim organizations. While the group does maintain a public site for releasing stolen data, its use of this platform is inconsistent, and it does not always follow through on threats to leak information. A significant concern surrounding these attacks is the difficulty in detection. SRG uses legitimate system management and remote access tools, which are often overlooked by traditional antivirus software. The FBI advises organizations to remain vigilant, particularly if there are unexplained downloads of programs such as AnyDesk, Zoho Assist, or Splashtop, or if staff receive unexpected calls from alleged IT personnel. 

In response, the FBI urges companies to bolster cybersecurity training, establish clear protocols for authenticating internal IT requests, and enforce two-factor authentication across all employee accounts. Victims of SRG attacks are encouraged to share any information that might assist in ongoing investigations, including ransom communications, caller details, and cryptocurrency wallet data.
Read more »
NCRP
Cyber Attacks CyberCrime Cybersecurity CyberThreat E-Zero FIR FIR High Value Cybercrime I4C NCRP

Automatic e-ZERO FIR Filing Introduced for High-Value Cyber Crimes

 


There has been a significant increase in cybercrime incidents in India recently, and the government of India has responded by launching the e-Zero FIR facility, a landmark initiative that will strengthen the nation's cybersecurity framework and expedite the investigation of digital financial frauds. It was part of a broader effort to strengthen cyber vigilance, increase the responsiveness of law enforcement, and ensure citizens were protected from cyber crimes on an ever-escalating scale. 

Several recent reports highlighting the growing scale of cybercrime in India highlight the urgency of such a measure. It is estimated that over 7,4 lakh cybercrime complaints were filed in the National Cyber Crime Reporting Portal (NCRP) between January and April 2024 alone, according to official figures. It has been estimated that these incidents resulted in financial losses exceeding 1,750 crores, reflecting the increasing sophistication and frequency of digital frauds across the world. 

Further, according to the Indian Cyber Crime Coordination Centre (I4C), in May 2024, authorities received an average of 7,000 complaints regarding cybercrime per day, which indicates a troubling pattern that is persisting and persisting. A study by the International Center for Research on Cyberfrauds has estimated that if preventive measures are not taken to stop cyberfrauds in the future, a loss of $1.2 lakh crore could result, in the future. 

As a result of this situation, the e-Zero FIR system is a crucial tool. By enabling automatic FIR generation for high-value cybercrime cases that involve financial fraud over Rs.10 lakh, the initiative is expected to result in drastic reductions in procedural delays and ensure that legal proceedings are initiated as quickly as possible. 

Aside from empowering victims by simplifying the reporting process, the system also equips law enforcement agencies with a robust tool to take action quickly and decisively against cybercriminals in order to protect themselves. A new system known as e-Zero FIR has been launched in India, aiming at tackling cyber financial fraud as a major threat. This is a transformational step in digitising Indian law enforcement. 

Providing an innovative facility that automatically converts Cyber Fraud Complaints—whether they are submitted through the National Cyber Crime Reporting Portal (NCRP) or through the cybercrime helpline number 1930—into Zero Filings against an individual without requiring any human intervention is the purpose of this project. This system, which is initially intended to be applied to financial frauds of a value over ten lakh rupees, aims to eliminate procedural delays by initiating investigations as soon as possible and thereby giving victims the best chance of recovering and obtaining legal justice.

It is currently being implemented as a pilot project in Delhi, under the guidance of the Indian Cyber Crime Coordination Centre (I4C), as part of its cybercrime prevention and detection strategy. It is anticipated that if it is successful, the government will gradually extend the service nationwide. By utilising automation, the e-Zero FIR framework aims to significantly reduce the time lag between registering a complaint and initiating legal proceedings, an area where conventional FIR filing systems often fail, especially in cases of high-stakes financial crime.

Users need to be aware of what a Zero FIR entails to fully comprehend the foundations of Zero FIRs. This provision guarantees that victims are not turned away because of territorial boundaries, particularly in an urgent or critical situation. Zero FIRs are typically filed at any police station, regardless of jurisdiction, and they can be filed at any police station, regardless of jurisdiction. 

When the FIR has been registered, it is transferred to the appropriate police station where the case is under jurisdiction, where a thorough investigation is conducted. This concept is the digital evolution of e-Zero FIRs, designed to address the issue of cyber financial fraud in a particular way. The system allows victims to file a complaint at any point in the country, whether they call or use the online portal, and the system then generates an FIR automatically, based on the complaint. 

By simplifying not only the complaint process but also strengthening the government's efforts to develop a technology-enabled, responsive justice system that is up to date with the technological advances of the digital age, this not only simplifies but also strengthens the government cannot only simplify but also strengthen its efforts. As part of the government's ongoing effort to modernise cybercrime response mechanisms and legal enforcement infrastructure, the e-Zero FIR initiative represents a significant step forward. 

As a result of the initiative, spearheaded by Union Home Minister Amit Shah, complaints of cyber financial fraud are automatically converted into formal First Information Reports (FIRs) when the total amount involved exceeds $ 100,000. A seamless integration of all complaints processed through the National Cyber Crime Reporting Portal (NCRP) or the national cyber crime helpline number 1930 is made in this automated system in order to ensure that all complaints received will be recognised immediately and that action will be taken by investigators. 

It has been proposed that this initiative be implemented in Delhi and be based on the integration of key national systems. In addition, the Indian Cyber Crime Coordination Centre (I4C) NCRP, the Delhi Police’s e-FIR system, and the National Crime Records Bureau’s (NCRB) Criminal and Criminal Tracking Network and Systems (CCTNS) are also integrated into this initiative. As a result of aligning these platforms, the initiative facilitates rapid registration, real-time data exchange, and rapid transfer of FIRs to the appropriate authorities for investigation by facilitating streamlined registration. 

By establishing this collaborative framework, it is ensured that complaints are processed efficiently, and it is ensured that the law enforcement agencies can begin investigating complaints as quickly as possible. In addition, e-Zero FIRs comply with newly enacted criminal legislation, especially Section 173(1) and Section 1(ii) of the Bhartiya Nagrik Suraksha Sanhita (BNSS), which were enacted in 2005. As a result of these provisions, the legal system must respond quickly to cases involving serious crimes, including cyber fraud, as well as provide effective citizen protection. 

In operationalizing this initiative, the Delhi Police and I4C demonstrate a unified and technologically driven approach to cybercrime that is based on a technology-driven approach. The e-Zero FIR system has the potential to play a transformative role in ensuring timely justice, financial recovery, and the deterrence of digital financial crimes across the country in the future, thanks to its capability for nationwide implementation. 

Developed in collaboration with the Indian Cyber Crime Coordination Centre (I4C), this system is intended to simplify the initial stages of investigating by eliminating procedural delays and to ensure prompt action at the start of an investigation. By automating the filing of FIRs for substantial financial offences, the government aims to curb the rising number of cases of digital fraud, which are often not reported or not resolved because of bureaucratic hiccups. 

Providing immediate legal recognition of complaints through e-Zero FIRs serves as a proactive measure, enabling faster interagency coordination for the handling of cases. As per officials who are in charge of the initiative, after the pilot phase is completed and its effectiveness has been evaluated, the initiative will be implemented across the country after it is evaluated to ensure its effectiveness. 

The move does not just represent a shift towards a more technologically advanced justice system, but it also signifies the government's commitment to safeguarding its citizens from cybercrime, which is a growing threat in an increasingly digital economy. It will be the responsibility of complainants in order to facilitate the conversion of the Zero FIR into a regular FIR by providing them with a maximum window of three days during which they are allowed to physically visit the police station in question to facilitate the implementation of the structured implementation of the e-Zero FIR initiative.

A procedural requirement of this kind ensures that the legal process is not only initiated promptly through automation, but also formally advanced through due diligence to ensure a smoother and more effective investigation has been achieved. As a result of this provision, each case is able to transition efficiently into the traditional legal framework and undergo proper judicial handling while maintaining a balance between speed and procedural accountability. 

A pilot project is currently being run in Delhi as a pilot project, and the initiative was created with scalability in mind. As part of their broader vision to create a cyber-secure Bharat, the Indian government has indicated plans to extend this mechanism to other states and Union Territories in subsequent phases. Using a phased rollout strategy will allow for a systematic evaluation of the program, technological advancements, and capacity building at the state level before it is adopted nationwide. 

Initially, the Delhi e-Crime Police Station will be in charge of registering, routing, and coordinating all of the electronic FIRs generated through the National Cyber Crime Reporting Portal (NCRP) as part of the pilot program. As a result of the specialised unit, which is equipped to handle the complexity of financial fraud, this office will serve as a central point of contact for the processing of complaints during the initial phase of the program. 

A new model of policing aimed at modernising the way law enforcement agencies across the country approach cybercrime by integrating digital tools with conventional policing structures sets a precedent for how law enforcement agencies throughout the country can modernise their approach to cybercrime. This will result in quicker redress, better victim support, and stronger deterrence. 

The e-Zero FIR system solves a major problem where cybercriminals could withdraw funds before a formal case was filed. The Delhi Police's online e-FIR system is now automatically creating FIRs for cyber frauds over 10 lakh rupees at any time, anywhere and anytime. As a result of the direct registration of complaints into the e-FIR system, victims no longer need to visit police stations.

In the next 24 hours, the complaint must be accepted by an Investigating Officer, and the FIR number must be issued. Inspectors are overseeing the investigation. With this new system, law enforcement officials will be able to respond to cybercrime investigations more quickly, minimise delays, and initiate legal action against cybercriminals much more quickly and efficiently across jurisdictions. As India’s digital ecosystem continues to grow, robust, technology-driven law enforcement mechanisms become more central to the country's future success. 

There is no doubt that the introduction of the e-Zero FIR initiative is more than merely a technological change, but it is also a strategic move toward an approach to cybercrime governance that is more proactive and accountable. While this pilot project lays the groundwork for a successful collaboration between law enforcement agencies, continuous system improvement and comprehensive training are required to ensure that the program will be successful in the future.

In the future, stakeholders - from government agencies, financial institutions, cybersecurity experts, and citizens - need to work together to improve cybersecurity vigilance, ensure system integrity, and foster a culture of prompt reporting. Those who understand and utilise this platform responsibly can make a significant difference in whether their lives can be recovered or irreversibly lost. 

Policymakers need to take advantage of this opportunity to revamp India's framework for responding to cybercrime in a manner that is not only efficient but also future-oriented. India needs to embrace e-Zero FIR, a system that serves as both a foundation for reforms in its battle against cyber financial fraud and India's transition toward a fully digital justice system.
Read more »
Ukraine
Cyber Attacks EU Fake news Information War propaganda Russia Ukraine

EU Sanctions Actors Involved in Russian Hybrid Warfare


EU takes action against Russian propaganda

The European Union (EU) announced sweeping new sanctions against 21 individuals and 6 entities involved in Russia’s destabilizing activities abroad, marking a significant escalation in the bloc’s response to hybrid warfare threats.

European Union announced huge sanctions against 6 entities and 21 individuals linked to Russia’s destabilizing activities overseas, highlighting the EU’s efforts to address hybrid warfare threats. 

The Council’s decision widens the scope of regulations to include tangible assets and brings new powers to block Russian media broadcasting licenses, showcasing the EU’s commitment to counter Moscow’s invading campaigns. The new approach now allows taking action against actors targeting vessels, real estate, aircraft, and physical components of digital networks and communications. 

Financial organizations and firms giving crypto-asset services that allow Russian disruption operations also fall under the new framework. 

The new step addresses systematic Russian media control and manipulation, the EU is taking authority to cancel the broadcasting licenses of Russian media houses run by the Kremlin and block their content distribution within EU countries. 

Experts describe this Russian tactic as an international campaign of media manipulation and fake news aimed at disrupting neighboring nations and the EU. 

Interestingly, the ban aligns with the Charter of Fundamental Rights, allowing select media outlets to do non-broadcasting activities such as interviews and research within the EU. 

Propaganda and Tech Companies

The EU has also taken action against StarkIndustries, a web hosting network. The company is said to have assisted various Russian state-sponsored players to do suspicious activities such as information manipulation, interference ops, and cyber attacks against the Union and third-world countries. 

The sanctions also affect Viktor Medvedchuk, an ex-Ukranian politician and businessman, who is said to control Ukranian media outlets to distribute pro-Russian propaganda. 

Hybrid Threats Framework

The sections are built upon a 2024 framework to address Russian interference actions compromising EU fundamental values, stability, independence, integrity, and stability. 

Designated entities and individuals face asset freezes, whereas neutral individuals will face travel bans blocking entry and transit through EU nations. This displays the EU’s commitment to combat hybrid warfare via sustained, proportionate actions.

Read more »
Ransomware
Black Basta Cyber Attacks GoodSync Microsoft Ransomware

Hackers Tricking Employees with Fake IT Calls and Email Floods in New Ransomware Scam

 


A growing number of cyberattacks are being carried out by a group linked to the 3AM ransomware. These attackers are using a combination of spam emails and fake phone calls pretending to be a company’s tech support team. Their goal is to fool employees into giving them access to internal systems.

This method, which has been seen in past cyber incidents involving other groups like Black Basta and FIN7, is becoming more widespread due to how effective it is. Cybersecurity company Sophos has confirmed at least 55 attacks using this approach between November 2024 and January 2025. These incidents appear to come from two different hacker groups following similar tactics.

In one recent case during early 2025, the attackers targeted a company using a slightly different method than before. Instead of pretending to be tech support over Microsoft Teams, they called an employee using a fake caller ID that showed the company’s actual IT department number. The call took place while the employee’s inbox was being flooded with dozens of spam emails in just minutes — a technique known as email bombing.

During the call, the attacker claimed the employee's device had security issues and asked them to open Microsoft’s Quick Assist tool. This is a real remote help feature that allows another person to take control of the screen. Trusting the caller, the employee followed instructions and unknowingly handed over access to the attacker.

Once inside, the hacker downloaded a dangerous file disguised as a support tool. Inside the file were harmful components including a backdoor, a virtual machine emulator (QEMU), and an old Windows system image. These tools allowed the attacker to hide their presence and avoid detection by using virtual machines to move through the network.

The hacker then used tools like PowerShell and WMIC to explore the system, created a new admin account, installed a remote support tool called XEOXRemote, and gained control of a domain-level account. Although Sophos security software stopped the ransomware from spreading and blocked attempts to shut down protections, the hacker managed to steal 868 GB of company data. This data was sent to cloud storage using a syncing tool called GoodSync.

The full attack lasted around nine days. The majority of the data theft happened in the first three days before the attackers were cut off from further access.

To protect against such attacks, Sophos suggests reviewing admin accounts for weaknesses, using security tools that can spot unusual uses of trusted programs, and setting strict rules for running scripts. Most importantly, companies should train employees to recognize signs of fake support calls and suspicious emails, as these scams depend on fooling people — not just machines.

The 3AM ransomware group is relatively new, first spotted in late 2023, but appears to have links with well-known cybercrime networks like Conti and Royal.


Read more »
Ransomware attack
Cyber Attacks Cyberattack elective procedures Interlock gang Kettering Health Ohio hospitals Ransomware attack

Ransomware Attack Disrupts Kettering Health Network, Elective Procedures Canceled Across 14 Ohio Facilities

 

A ransomware incident has caused a significant “system-wide technology outage” at a network of over a dozen medical centers in Ohio, resulting in the cancellation of both inpatient and outpatient elective procedures. This information comes from a statement released by the health system and a ransom note obtained by CNN.

Kettering Health, which serves a substantial portion of Ohio and employs more than 1,800 physicians, confirmed in a statement that the cyberattack began Tuesday morning and has created “a number of challenges” across its 14 facilities. The disruption has also affected the network’s call center. Despite this, emergency rooms and outpatient clinics remain operational and continue to treat patients.

“Inpatient and outpatient procedures have been canceled for today,” the network said in its statement. “Scheduled procedures at Kettering Health medical centers will be rescheduled.” It added that contingency protocols are in place “for these types of situations” to maintain safe and high-quality patient care.

Internally, Kettering Health's IT teams and executives are working to limit the damage from the ransomware attack. According to the ransom note reviewed by CNN, hackers deployed ransomware on the network’s computer systems.

“Your network was compromised, and we have secured your most vital files,” the note reads. It warns that the attackers may release allegedly stolen data online unless negotiations for a ransom payment begin.

The note includes a link to an extortion platform tied to the ransomware group known as Interlock, which surfaced in late 2023. Since then, the group has reportedly targeted various sectors including technology, manufacturing, and government organizations, as per Cisco’s cyber-intelligence division, Talos.

A spokesperson for Kettering Health did not offer additional details beyond the network’s official statement.

Typically, major cyber incidents affecting U.S. healthcare providers involve responses from the FBI, the Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA). CNN has reached out to all three agencies for comment.

Cybercriminals have long targeted the U.S. healthcare sector, viewing hospitals as particularly vulnerable and likely to pay ransoms to prevent disruptions in patient care. Last year, healthcare organizations reported more than 440 ransomware incidents and data breaches to the FBI—more than any other critical infrastructure sector.

In the past 18 months, a string of high-profile cyberattacks on major health providers has directly affected patient care nationwide, prompting growing concern among lawmakers and federal authorities about the resilience of U.S. healthcare cybersecurity systems.

One such attack last year on Ascension, a nonprofit health system based in St. Louis with operations across 19 states, left nurses at some hospitals working without access to electronic health records, compromising patient safety, according to what two nurses told CNN. Similarly, a February 2024 ransomware attack on a UnitedHealth Group subsidiary disrupted pharmacy services across the country and exposed sensitive data belonging to a large number of Americans.
Read more »
UK
Cyber Attacks Logistics Firm Peter Green Chilled Ransomware attack UK

British supermarkets' Supplier of Refrigerated Goods Hit by a Ransomware Attack

 

Peter Green Chilled, a logistics firm, has announced that it has been attacked by a ransomware attack, interrupting deliveries of refrigerated goods to some of the country's top supermarkets.

Customers — largely smaller producers who provide food to regional stores in Somerset, such as Aldi, Tesco, and Sainsbury's — received an email last Thursday informing them that the company will be unable to complete part of their orders owing to the cyber incident.

Peter Green Chilled told the BBC that the attack occurred last Wednesday and had no effect on the company's transport business, but he declined to elaborate on how the incident affected the IT infrastructure via which orders are placed. 

A substantial part of the nation's frozen food is transported by Reed Boardall, a cold storage and refrigerated transport company that was attacked a number of years ago. Some of its customers have warned that they would be spoilt if they couldn't get their products delivered to retailers in time, despite the fact that Peter Green Chilled is a far smaller supplier than Reed Boardall.

After incidents involving Marks & Spencer, the Co-op, and the upscale London retailer Harrods, this attack is the most recent to affect the British retail industry. A string of recent attacks, including one revealed last week that could expose the personal information of domestic violence victims to their abusers, has prompted renewed calls for the British government to adopt a more active response to the ransomware threat. 

Law enforcement agencies should hack the criminals' systems and take them down as the "ideal response" to ransomware gangs' attempts at data extortion, in which the gangs steal data and threaten to release it unless a certain amount of money is paid in cryptocurrency, according to Gareth Mott, a research fellow at the Royal United Services Institute think tank.

It was not an easy task, Mott said. Even though the National Crime Agency and its allies had been successful in combating ransomware organisations such as LockBit, Mott stated that he was unsure if they currently have the ability to eliminate the most risky data breaches on a selective basis.
Read more »
West Lothian ransomware attack
cyber attack 2025 Cyber Attacks Cyber Breach Edinburgh council Scotland Scottish councils cybersecurity West Lothian ransomware attack

Experts Warn Scottish Councils Still Ill-Prepared for Cyber Attacks Amid Recent Breaches

 

Cybersecurity professionals have raised concerns that local authorities across Scotland remain underprepared for cyber threats and are hampered by outdated IT infrastructure.

In recent days, multiple Scottish organisations have fallen victim to cyber incidents. Among them are Edinburgh and West Lothian Councils. In Edinburgh, an attempted cyber attack targeting the education department disrupted students’ access to crucial revision materials during exam season. The attack involved a targeted "spear-phishing" attempt—an advanced, more personalised form of phishing. Fortunately, staff identified the threat after receiving a suspicious meeting invitation earlier that day.

Earlier that week, a suspected ransomware attack affected schools in West Lothian. Though no sensitive or personal data was compromised, the council had to implement backup plans to keep schools operational.

Cybersecurity experts are now sounding the alarm, warning that many public bodies are neither equipped to prevent such attacks nor adequately prepared to recover from them.

Dr Karen Renaud, a cybersecurity expert and reader in the Department of Computer and Information Sciences at Strathclyde University, said many organisations lack the foresight and systems needed for effective recovery following a breach.

“If you fail to plan, you plan to fail,” she warned. “Many organisations don’t even have a plan to recover after a successful attack. They put most of their eggs into the ‘resistance’ basket. Balancing things out and trusting everyone to play their part does not need to cost that much more.”

Dr Renaud emphasized that resilience needs to be prioritised alongside resistance.

“Resistance is usually achieved by using technical measures and ensuring that staff are well aware of secure actions they should take. Many organisations fail to give the same amount of time and attention to resilience, so when they get breached things fall apart.

There is a simple technique called replication where you ensure that a fully replicated system can take over if one system fails or is breached.

She also criticised the notion that human users are the weakest link in cybersecurity, calling it a flawed perspective.

“If humans are falling for phishing attacks, they either have not been trained effectively to cope with the new AI-generated phishing attacks or the organisation has not implemented measures like two-factor authentication to act as a safety net in case people do get deceived.

On the surface it might look as if humans are the vulnerability - the actual vulnerability is that organisations respond by applying more and more constraints, rules and restrictions on employees.
When you treat humans as the problem, they will become the problem.

Organisations need to start treating their employees as the solution and giving them the knowledge and ability to be the solution.”

Dimitros Pezaros, professor of computer networks at the University of Glasgow, echoed similar concerns, pointing to the risks posed by legacy IT systems, particularly in public sector environments where regular software updates, or patching, may not be straightforward.

He noted that investment in cybersecurity remains insufficient across many public organisations.

“In contrast to other parts of our civil infrastructure, such as roads and bridges, we have traditionally approached software systems as less critical, hence prioritising requirements such as speed of development, deployment and reduced cost - at the expense of cybersecurity,” he explained.

“We have been able to get away with it and with retrofitting cybersecurity to existing systems, mainly due to the lack or slowness of pervasiveness of software systems. However, in this modern day and age where software and digitalisation are pervasive and are used to drive critical systems, the frequency and intensity of cyber attacks are, and will increasingly be, such that lack of native cybersecurity will be extremely costly to retrofit later, while the consequences of cyber attacks can be dramatic.”

Professor Pezaros also pointed out a rising trend in cyber attacks across multiple sectors—including local councils, healthcare, and retail—where attackers aim to extort victims by threatening to release or withhold access to sensitive information.

“As a minimum, organisations should be able to report cyber incidents promptly and honestly, let relevant stakeholders know what has happened and what elements of the system have been compromised and, operationally, be able to react swiftly to detect breaches and minimise damage, for example through employing principles of data and system segregation. Also, be proactive, making sure that any data they store remains encrypted.”

The wave of cyber threats has prompted mounting political pressure on the Scottish Government to take action. Miles Briggs MSP, education spokesperson for the Scottish Conservatives, commented on the urgency of the situation:

“Last week’s cyber attack, which left pupils in Edinburgh unable to access revision materials days before their exams, shows there are still huge vulnerabilities in the way our councils store information.
Organisations are often too quick to blame people for the problems rather than admitting their cybersecurity system isn’t up to scratch.

SNP ministers need to ensure that public bodies and local authorities have robust cybersecurity mechanisms in place to avoid further security breaches.”

Scottish Liberal Democrat leader Alex Cole-Hamilton added that prior incidents have shown the lasting and costly impact of cyber attacks on public services:

“We know from previous cyber attacks on SEPA and NHS Dumfries and Galloway that these attacks can be complex, expensive and the full impact not truly understood for a considerable period of time.
As more of our lives move online, there are also going to be an increasing number of malicious actors out there trying to cause chaos or make a profit.

The Scottish Government must ensure that local authorities, health boards and public bodies have the support they need to toughen up their digital infrastructure and avoid disruption to people’s lives.”
Read more »
Subscribe to: Posts (Atom)