Search This Blog

Powered by Blogger.

Blog Archive

Labels

About Me

Showing posts with label Cyber Attacks. Show all posts

Palo Alto Detects New Prometei Botnet Attacks Targeting Linux Servers

Cybersecurity analysts from Palo Alto Networks’ Unit 42 have reported a resurgence of the Prometei botnet, now actively targeting Linux systems with new, upgraded variants as of March 2025. Originally discovered in 2020 when it was aimed at Windows machines, Prometei has since expanded its reach. 

Its Linux-based malware strain has been in circulation since late 2020, but recent versions—designated as 3.x and 4.x—demonstrate significant upgrades in their attack capabilities. The latest Prometei malware samples are equipped with remote control functionality, domain generation algorithms (DGA) to ensure connection with attacker-controlled servers, and self-updating systems that help them remain undetected. This renewed activity highlights the botnet’s growing sophistication and persistent threat across global networks. 

At its core, Prometei is designed to secretly mine Monero cryptocurrency, draining the resources of infected devices. However, it also engages in credential harvesting and can download additional malicious software depending on the attacker’s goals. Its modular framework allows individual components to carry out specific tasks, including brute-force attacks, vulnerability exploitation (such as EternalBlue and SMB bugs), mining operations, and data exfiltration. 

The malware is typically delivered via HTTP GET requests from rogue URLs like hxxp://103.41.204[.]104/k.php. Prometei uses 64-bit Linux ELF binaries that extract and execute payloads directly in memory. These binaries also carry embedded configuration data in a JSON format, containing fields such as encryption keys and tracking identifiers, making them harder to analyze and block. 

Once a system is compromised, the malware collects extensive hardware and software information—CPU details, OS version, system uptime—and sends this back to its command-and-control (C2) servers, including addresses like hxxp://152.36.128[.]18/cgi-bin/p.cgi. Thanks to DGA and self-update features, Prometei ensures consistent communication with attacker infrastructure and adapts to security responses on the fly.  

To defend against these threats, Palo Alto Networks advises using advanced detection tools such as Cortex XDR, WildFire, and their Advanced Threat Prevention platform. These technologies utilize real-time analytics and machine learning to identify and contain threats. Organizations facing a breach can also contact Palo Alto’s Unit 42 incident response team for expert help. 

The activity observed from March to April 2025 underlines the continued evolution of the Prometei botnet and the growing risk it poses to businesses relying on Linux environments. Strengthening cybersecurity protocols and remaining alert to new threats is essential in today’s threat landscape.

Lazarus Group Suspected in $11M Crypto Heist Targeting Taiwan’s BitoPro Exchange

 

Taiwanese cryptocurrency platform BitoPro has blamed North Korea’s Lazarus Group for a cyberattack that resulted in $11 million in stolen digital assets. The breach occurred on May 8, 2025, during an upgrade to the exchange’s hot wallet system. 

According to BitoPro, the tactics and methods used by the hackers closely resemble those seen in other global incidents tied to the Lazarus Group, including high-profile thefts via SWIFT banking systems and other major crypto platforms. BitoPro serves a primarily Taiwanese customer base, offering fiat transactions in TWD alongside various cryptocurrencies. 

The exchange currently supports over 800,000 users and processes approximately $30 million in daily trades. The attack exploited vulnerabilities during a system update, enabling the unauthorized withdrawal of funds from a legacy hot wallet spread across several blockchain networks, including Ethereum, Tron, Solana, and Polygon. The stolen cryptocurrency was then quickly laundered through decentralized exchanges and mixers such as Tornado Cash, Wasabi Wallet, and ThorChain, making recovery and tracing more difficult. 

Despite the attack taking place in early May, BitoPro only publicly acknowledged the breach on June 2. At that time, the exchange assured users that daily operations remained unaffected and that the compromised hot wallet had been replenished from its reserve funds. Following a thorough investigation, the exchange confirmed that no internal staff were involved. 

However, the attackers used social engineering tactics to infect a cloud administrator’s device with malware. This allowed them to steal AWS session tokens, bypass multi-factor authentication, and gain unauthorized access to BitoPro’s cloud infrastructure. From there, they were able to insert scripts directly into the hot wallet system and carry out the theft while mimicking legitimate activity to avoid early detection. 

After discovering the breach, BitoPro deactivated the affected wallet system and rotated its cryptographic keys, though the damage had already been done. The company reported the incident to authorities and brought in a third-party cybersecurity firm to conduct an independent review, which concluded on June 11. 

The Lazarus Group has a long history of targeting cryptocurrency and decentralized finance platforms. This attack on BitoPro adds to their growing list of cyber heists, including the recent $1.5 billion digital asset theft from the Bybit exchange.

Krispy Kreme Confirms Cyberattack Affected Over 160,000 People

 



Popular U.S.-based doughnut chain Krispy Kreme has confirmed that a cyberattack last year compromised the personal data of more than 160,000 individuals.

According to a notification filed with the Maine Attorney General's Office, the company stated that the breach took place in late November 2024. However, affected individuals were informed only in May 2025, after the company completed its internal investigation.

In letters sent to those impacted, Krispy Kreme explained that while they currently have no evidence of misuse, sensitive data may have been accessed during the breach. The company has not publicly confirmed all the types of information that were exposed, but a separate disclosure in Massachusetts revealed that documents containing Social Security numbers, banking details, and driver's license information were among those compromised.

Further updates posted on Krispy Kreme's official website in June added that other personal records may have also been involved. These include medical and health data, credit card numbers, passport details, digital signatures, and even login credentials for financial and email accounts. The extent of exposure varied depending on the individual.

The breach first came to light on November 29, 2024, when Krispy Kreme discovered unusual activity on its internal systems. The incident disrupted its online ordering services and was reported in a regulatory filing on December 11. To manage the situation, the company brought in independent cybersecurity specialists and took steps to secure its systems.

While the company has not commented on the source of the attack, a ransomware group known as “Play” claimed responsibility in late December. The group has a history of targeting organizations around the world and is known for stealing data and demanding ransom by threatening to publish stolen information online—a tactic known as double extortion. However, their claims about the stolen data have not been verified by Krispy Kreme.

The Play ransomware operation has been linked to hundreds of cyberattacks globally, including incidents involving governments, corporations, and local authorities. U.S. federal agencies, along with international partners, issued a security advisory in late 2023 warning organizations about the group’s growing threat.

Krispy Kreme, which operates in over 40 countries and runs thousands of sales points including through a partnership with McDonald’s is continuing to investigate the full impact of the incident. The company is urging those affected to stay alert for signs of identity theft and take steps to protect their financial and personal accounts.

UBS Acknowledges Employee Data Leak Following Third-Party Cyberattack

 



Swiss financial institution UBS has confirmed that some of its employee data was compromised and leaked online due to a cybersecurity breach at one of its external service providers. The incident did not impact client information, according to the bank.

The breach came to light after reports surfaced from Swiss media suggesting that data belonging to roughly 130,000 UBS staff members had been exposed online for several days. The compromised records reportedly include employee names, job titles, email addresses, phone numbers, workplace locations, and spoken languages.

UBS stated that it responded immediately upon learning of the breach, taking necessary steps to secure its operations and limit potential risks.

The cyberattack did not directly target UBS but rather a company it works with for procurement and administrative services. This supplier, identified as a former UBS spin-off, confirmed that it had been targeted but did not specify the extent of the data breach or name all affected clients.

A threat group believed to be behind the breach is known for using a form of cyber extortion that involves stealing sensitive data and threatening to publish it unless a ransom is paid. Unlike traditional ransomware attacks, this group reportedly skips the step of encrypting files and focuses solely on the theft and public exposure of stolen information.

So far, only one other company besides UBS has confirmed being impacted by this incident, though the service provider involved works with several major international firms, raising concerns that others could be affected as well.

Cybersecurity experts warn that the exposure of employee data, even without customer information can still lead to serious risks. Such data can be misused in fraud, phishing attempts, and impersonation scams. In today’s digital age, tools powered by artificial intelligence can mimic voices or even create fake videos, making such scams increasingly convincing.

There are also fears that exposed information could be used to pressure or manipulate employees, or to facilitate financial crimes through social engineering.

This breach serves as a reminder of how cyber threats are not limited to the primary organization alone. When suppliers and vendors handle sensitive internal information, their security practices become a critical part of the larger cybersecurity ecosystem. Threat actors increasingly target third-party providers to bypass more heavily secured institutions and gain access to valuable data.

As investigations continue, the focus remains on understanding the full scope of the incident and taking steps to prevent similar attacks in the future.

Keylogger Injection Targets Microsoft Exchange Servers

 

Keylogging malware is a particularly dangerous as it is often designed to steal login passwords or other sensitive information from victims. When you add a compromised Exchange server to the mix, it makes things significantly worse for any organisation. 

Positive Technologies researchers recently published a new report on a keylogger-based campaign that targets organisations worldwide. The effort, which is identical to an attack uncovered in 2024, targets compromised Microsoft Exchange Server installations belonging to 65 victims in 26 nations. 

The attackers infiltrated Exchange servers by exploiting well-known security flaws or using completely novel techniques. After getting access, the hackers installed JavaScript keyloggers to intercept login credentials from the organization's Outlook on the Web page. 

OWA is the web version of Microsoft Outlook and is integrated into both the Exchange Server platform and the Exchange Online service within Microsoft 365. According to the report, the JavaScript keyloggers gave the attackers persistence on the compromised servers and went unnoticed for months.

The researchers uncovered various keyloggers and classified them into two types: those meant to save captured inputs to a file on a local server that could be accessed from the internet later, and those that transferred stolen credentials across the global network using DNS tunnels or Telegram bots. The files containing the logged data were properly labelled to help attackers identify the compromised organisation.

PT researchers explained that most of the affected Exchange systems were owned by government agencies. A number of other victims worked in industries like logistics, industry, and IT. The majority of infections were found in Taiwan, Vietnam, and Russia; nine infected companies were found in Russia alone. 

The researchers emphasised that a huge number of Exchange servers remain vulnerable to well-known security issues. The PT experts encouraged companies to regard security flaws as major issues and implement adequate vulnerability management strategies. 

Furthermore, organisations that use the Microsoft platform should implement up-to-date web applications and security measures to detect malicious network activities. It is also a good idea to analyse user authentication files on a regular basis for potentially malicious code.

Israel Iran Crisis Fuels Surge in State Backed Cyberattacks

 


As Israeli and Iranian forces engaged in a conventional military exchange on June 13, 2025, the conflict has rapidly escalated into a far more complex and multi-faceted conflict that is increasingly involving a slew of coordinated cyberattacks against a broad variety of targets, all of which have been initiated in response to this conventional military exchange.

In response to Israeli airstrikes targeting Iranian nuclear and military installations, followed by Iranian retaliatory missile barrages, the outbreak began in a matter of days and has quickly spread beyond the country's borders. Both nations have long maintained a hostile and active presence in cyberspace. 

There has been a growing tension between Israel and Iran since kinetic fighting began in the region. Both countries are internationally known for their advanced cyber capability. In the days since the start of the kinetic fighting, several digital actors have emerged, from state-affiliated hackers to nationalist hacktivists to disinformation networks to opportunistic cybercriminals. They have all contributed to the rapidly developing threat environment that is unfolding. 

This report provides an overview of the cyber dimension of the conflict, highlighting key incidents, emerging malware campaigns, and the strategic implications of this growing cyberspace. A response to the increasing geopolitical tensions arising from the Israel-Iran conflict and the United States' military involvement in that conflict has been issued by the Department of Homeland Security (DHS). 

A new bulletin from the National Terrorism Advisory System (NTAS) was issued on Sunday by the Department of Homeland Security (DHS). Cyberattacks are more likely to occur across critical infrastructure sectors across the United States, and this alert emphasises the heightened threat. Particularly, it focuses on hospitals, industrial networks, and public utilities. 

An advisory states that Iranian hacktivist groups and state-sponsored cyber actors have been using malware to gain unauthorized access to a wide range of digital assets, including firewalls, Internet of Things (IoT) devices, and operational technology platforms, as a result of the use of malware by those groups. Iranian authorities issued a bulletin after they publicly condemned U.S. airstrikes conducted over the weekend and said they would retaliate against American interests. 

According to US cybersecurity officials, the growing anti-Israel sentiment, coupled with the adversarial posture of Iran towards the United States, could fuel a surge in cyberattacks on domestic networks shortly. Not only are sophisticated nation-state actors expected to carry out these attacks, but also loosely affiliated hacktivist cells fueled by ideological motivations are expected to carry out these attacks. 

According to the Department of Homeland Security, such actors tend to use vulnerabilities in poorly secured systems to launch disruptive operations that could compromise critical services by attacking internet-connected devices. Throughout the advisory, cyber threats have increasingly aligned with geopolitical flashpoints, and it serves both as a warning and a call for heightened vigilance for public and private organisations. 

Recent threat intelligence assessments have indicated that a large proportion of the cyber operations observed during the ongoing digital conflict were carried out by pro-Iranian hacktivists, with over 90 per cent of them attributed to Iranian hacktivist groups. 

The majority of these groups are currently targeting the digital infrastructure of Israelis, deploying a variety of disruptive tactics that are aimed at crippling systems, compromising sensitive data and sowing fear among the public. However, Iran has not remained untouched. Several cyberattacks have taken place against the Islamic Republic, which demonstrates the reciprocal nature of the cyber warfare that is currently taking place in the region, as well as the volatility that it has experienced. 

During this period of digital escalation, the focus has been extended far beyond just the two main adversaries. As a result, neighbouring nations such as Egypt, Jordan, the United Arab Emirates, Pakistan, and Saudi Arabia have also reported cyberattacks affecting sectors ranging from telecommunications to finance, and as a result, spillover effects have been reported. 

A wide range of attack vectors have been used by regional hacktivist operations, including distributed denial-of-service (DDoS) attacks, website defacements, network intrusions, and data breaches, among others. In particular, there has been a shift towards more sophisticated operations, involving ransomware, destructive wiper malware, and banking trojans. This indicates that objectives are increasingly being viewed from an economic and strategic perspective. 

Having observed the intensification of digital attacks, Iranian authorities have apparently begun implementing internet restrictions as a response to these attacks, perhaps intended to halt Israeli cyber incursions as well as prevent critical internal systems from being exposed to external threats. As a result, cyber policy and national security strategy are becoming increasingly entwined in the broader geopolitical confrontation as a whole.

The escalation of cyber warfare has led to the emergence of new and increasingly targeted malware campaigns, which reveal the ever-evolving sophistication and geopolitical motivations of those attempting to engage in these campaigns. A new executable, dubbed “encryption.exe,” has been identified by researchers on June 16, believed to be a ransomware or wiper malware, a file previously unknown. 

A malicious file known as this has been attributed to a new threat actor known as Anon-g Fox. In addition, this malware has a special feature: it checks the victim's computer for both Israeli Standard Time (IST) and Hebrew language settings. If this condition is not met, the malware will cease its operations, displaying an error message that reads, "This program can only run in Israel." [sic] In light of this explicit targeting mechanism, it may be clear that there is a deliberate geopolitical motive here, probably related to the broader cyber confrontation between Israel and Iran. 

As part of their work, researchers at Cyble Research and Intelligence Labs also discovered a second campaign employing IRATA, a sophisticated Android banking malware actively targeting users within Iran. In some cases, malicious software can appear as legitimate government-sponsored applications, for example, the Islamic Republic of Iran Judicial System and the Ministry of Economic Affairs and Finance, as platforms for disseminating malware. 

IRATA is a malicious software program designed to attack over 50 financial and cryptocurrency-related applications. Android's Accessibility Services are exploited to identify specific banking applications, extract sensitive information about the account, harvest card credentials, and steal financial information. 

The IRATA software not only has the capability of stealing data, but it also has advanced surveillance capabilities, such as remote device control, SMS and contact harvesting, hiding icons, capturing screenshots, and observing installed applications in real time. By utilising these features, the malware can carry out highly targeted fraud operations, causing significant financial damage to the targeted users as a result. 

These two malware incidents, together with the others, illustrate a pattern of cyber threats that are increasingly targeted and politically charged, exploiting national conflict narratives and digital vulnerabilities in order to disrupt strategic operations and exploit financial opportunities. A cyber operation has become an integral part of modern warfare as it shapes public perception and destabilises adversaries from within, thereby influencing public perception and destabilising adversaries. 

A cyberattack is a common occurrence during traditional military conflicts in which critical systems are disrupted, but also psychological distress is instilled in civilian populations through the use of cyberattacks. Cyberattacks that cause significant damage to national infrastructure are usually reserved for the strategic phase before large-scale military operations. However, smaller-scale incursions and disinformation campaigns often appear in advance, causing confusion and fear in the process. 

The analogy is drawn from Russia's invasion of Ukraine in 2022, which was preceded by cyber operations that were used to prepare for kinetic attacks. Security experts have reported that Iran's current cyber strategy appears to follow a similar pattern to the one described above. As a consequence of this, Iran has opted to deploy disinformation campaigns and relatively limited cyberattacks rather than unleash large-scale disruptive attacks.

It has been suggested by experts that the intent is not necessarily to cause immediate physical damage, but to cause psychological unease, undermine trust in digital infrastructure, and maintain strategic ambiguity as well. Although Israel is well known for its advanced cyber capabilities, its cyber capabilities present a substantial counterforce in this regard. 

Even though Israel has a long-standing reputation for conducting advanced cyber operations, including the Stuxnet campaign, which crippled Iran's nuclear program, the nation is considered to be among the world's most advanced cyber powers. In recent history, one of the most effective cyber espionage operations has been carried out by the elite military cyber intelligence division Unit 8200. A pro-Israeli hacking group has claimed responsibility for a significant attack that occurred earlier today against Iran’s Bank Sepah, reflecting the current state of cyber engagement. 

As a result of the attack, the bank's service outages have been severe, and the bank's data has been irreversibly destroyed, an accusation which, if verified, indicates a significant escalation in financial cyber warfare. According to cybersecurity researchers, as happened with previous geopolitical flashpoints like the Hamas attacks of October 7, they expect a surge of activity as ideologically driven hackers attempt to use the conflict for political messages, influence building, or disruption, just as there has been in the past. 

Today's digitally integrated battlespaces emphasise the crucial intersection between cyber operations, psychological warfare, and geopolitical strategy. It is becoming increasingly evident that as the Israel-Iran conflict intensifies both physically and digitally, the cyber dimension has developed, posing urgent challenges not only for the nations directly involved in the conflict but also for a broader global community in general. 

Considering the interconnected nature of cyberspace, regional hostilities can have wide-ranging impacts on multinational corporations, cross-border infrastructure, and even individual consumers through ripple effects. Creating resilience in this volatile environment requires more than just reactive security measures; it also requires proactive intelligence gathering, continuous threat monitoring, and robust international cooperation. 

It is imperative for organisations operating in sensitive sectors - especially those in the finance and healthcare industries, energy sector and government sector - to prioritise cybersecurity, implement zero-trust architectures, and be on the lookout for rapidly changing threat patterns that are driven by geopolitical issues. 

Additionally, as cyber warfare becomes an increasingly normalised extension of military strategy, governments and private companies should both invest in digital diplomacy and cyber crisis response frameworks in order to prevent the long-term consequences of cyber warfare. The current crisis has served as a stark reminder that a modern war is one in which the digital front is not just a complement to the battles, but is at the centre of them.

Cybercriminals Are Now Tricking Holidaymakers: How You Can Stay Safe

 


People planning their holidays are now facing a sneaky online threat. Cyber experts have discovered that hackers are building fake travel websites that closely resemble popular booking platforms. These websites are designed to fool people who are searching for vacation deals.


Imitation Websites Can Fool You

Researchers from HP Wolf Security have found that cyber attackers are copying the design of trusted travel sites, such as Booking.com. The fake pages use the same colours, logos, and overall style as the real ones, making it very difficult for most people to spot the difference.

However, there is a key warning sign. The information on these fake sites appears blurry or unclear. On top of this blurred page, a pop-up message shows up asking you to accept cookies.

Most internet users are familiar with cookie permission requests. Accepting cookies is normally safe and helps websites remember your settings. But in this scam, clicking on the cookie button secretly starts downloading harmful files.


What Happens When You Click?

When someone clicks to accept the cookies on these fake sites, a dangerous file is immediately downloaded to their computer. This file installs a type of harmful program known as a remote access trojan, or RAT.

The specific malware used in this case is called XWorm. Once installed, this program gives hackers full control over the device. The attackers can view your personal files, turn on your camera or microphone, shut down your security software, install other harmful programs, and steal important information such as passwords.


Why Holidaymakers Are Being Targeted

The security team noticed that this scam began spreading in early 2025. This period is when many people are busy planning summer trips and are more likely to click quickly without checking details carefully.

Experts also explained that because cookie banners have become a normal part of browsing, many people automatically click to accept without stopping to think. Hackers are using this habit to spread their malware more easily.


How to Protect Yourself

The most important way to stay safe is to slow down when browsing travel websites. Always check the web address carefully to make sure you are on the official website. Be extra careful if the page looks blurry, or if the cookie pop-up seems strange.

Take your time before clicking anything. Do not rush when making bookings, even if you feel excited or pressured. Scammers depend on people clicking too quickly.

Being careful and paying attention can help keep you safe from these kinds of online traps. Always verify the website before you move forward.

Smartwatches: New Air-Gapped System Assault Vehicle

 

A novel assault identified as 'SmartAttack' leverages smartwatches as a covert ultrasonic signal receiver to extract data from physically isolated (air-gapped) devices.

Air-gapped systems, which are often used in mission-critical environments such as government buildings, weapons platforms, and nuclear power plants, are physically separated from external networks to prevent malware infestations and data theft. Despite their isolation, they are still susceptible to compromise from insider threats like rogue employees utilising USB devices or state-sponsored supply chain attacks. 

Once infiltrated, malware can function silently, modulating the physical features of hardware components to communicate sensitive data to a nearby receiver without interfering with the system's regular operations. 

SmartAttack was developed by Israeli university researchers led by Mordechai Guri, a covert attack channel expert who has previously shown ways for leaking data using LCD screen noise, RAM modulation, network card LEDs, USB drive RF signals, SATA connectors, and power supply. While assaults on air-gapped environments are often theoretical and exceedingly difficult to execute, they do present interesting and unique ways to exfiltrate data. 

Modus operandi

SmartAttack requires malware to infect an air-gapped machine in order to acquire sensitive data such as keystrokes, encryption keys, and credentials. It can then use the computer's built-in speaker to send ultrasonic signals into the environment. The audio signal frequencies can be modified using binary frequency shift keying (B-FSK) to represent binary data, also known as ones and zeros. A frequency of 18.5 kHz symbolises "0," whereas 19.5 kHz represents "1.”

Humans cannot hear frequencies in this range, but they can be picked up by a smartwatch microphone worn by someone close. The smartwatch's sound monitoring app uses signal processing to detect frequency shifts and demodulate encoded signals, as well as integrity tests. The final data exfiltration can occur via Wi-Fi, Bluetooth, or cellular connectivity. 

Performance and limitations 

The researchers point out that smartwatches use smaller, lower-SNR microphones than smartphones, making signal demodulation challenging, particularly at higher frequencies and lower signal intensities. Even wrist position was discovered to be a significant factor in the attack's feasibility, with the watch operating best when it is in "line-of-sight" with the computer speaker. 

The maximum transmission range varies per transmitter (speaker type) and is between 6 and 9 meters (20 - 30 feet). Data transmission rates range from 5 to 50 bits per second (bps), with dependability decreasing as rate and distance rise. Prohibiting smartwatch use in safe settings is the best method to combat the SmartAttack, according to the researchers. 

Eliminating the built-in speakers from air-gapped devices would be an additional step. This would remove the attack surface for not just SmartAttack but all acoustic covert routes. If none of this is practical, ultrasonic jamming using software-based firewalls, audio-gapping, and wideband noise emission may still work.

‘SmartAttack’: New Covert Threat Uses Smartwatches to Steal Data from Air-Gapped Systems via Ultrasound

 

A new cybersecurity threat dubbed "SmartAttack" demonstrates how smartwatches can covertly capture ultrasonic signals to extract sensitive data from air-gapped computers—systems traditionally considered highly secure due to their physical isolation from external networks.

Air-gapped environments are widely used in sensitive sectors such as defense, government, and nuclear power facilities to safeguard against external cyber intrusions. However, researchers have long warned that insider threats or state-sponsored supply chain attacks can bypass this isolation, allowing malware to operate silently.

Once a device is compromised, malware can manipulate physical components like speakers, screens, and cables to transmit confidential information to nearby receivers—without affecting the machine’s core operations.

“SmartAttack was devised by Israeli university researchers led by Mordechai Guri, a specialist in the field of covert attack channels who previously presented methods to leak data using LCD screen noise, RAM modulation, network card LEDs, USB drive RF signals, SATA cables, and power supplies.”

In SmartAttack, once malware is present on an air-gapped machine, it collects sensitive data—such as keystrokes, credentials, and encryption keys—and emits ultrasonic signals through the computer’s built-in speakers using binary frequency shift keying (B-FSK). These sound waves, though inaudible to humans, can be picked up by a smartwatch microphone worn by someone nearby.

The smartwatch, running a custom sound monitoring app, detects frequency shifts and demodulates the data. From there, information can be relayed using Wi-Fi, Bluetooth, or cellular networks, either intentionally by a rogue insider or unknowingly by the wearer.

Despite its innovation, the attack comes with constraints. Smartwatch microphones have lower signal-to-noise ratios than phones, making it difficult to decode signals accurately. The orientation of the wrist, speaker type, and physical distance (6–9 meters max) further affect performance. The data transfer rate ranges from 5 to 50 bits per second, with higher rates reducing reliability.

To mitigate this threat, the researchers suggest banning wearable devices like smartwatches in sensitive areas. Removing built-in speakers from secure computers could also neutralize acoustic exfiltration channels entirely. Additional safeguards include ultrasonic jamming, software firewalls, and audio-gapping.

While SmartAttack may sound like science fiction, it highlights the growing sophistication of covert cyberattacks, especially in environments where security is assumed to be airtight.

M&S Faces £300M Loss After Cyberattack Involving DragonForce and Scattered Spider

 

Marks & Spencer has resumed its online services after a serious cyberattack earlier this year that disrupted its operations and is expected to slash profits by £300 million. The British retail giant’s digital operations were hit hard, and recent developments suggest the breach may have been orchestrated by multiple hacker groups. 

A hacking group known as DragonForce is now linked to the incident. According to reports by the BBC, the group sent an email to M&S CEO Stuart Machin shortly after the attack, boasting about their success and demanding ransom. The message, written in aggressive and alarming language, implied the group had encrypted the retailer’s servers. DragonForce, which has rebranded itself as a “Ransomware Cartel,” operates by offering malware tools to affiliates in exchange for a percentage of ransom earnings. 

Originally emerging in 2023, the group has become increasingly active on major dark web forums in recent months. While some cybersecurity experts believe the group is based in Malaysia, others speculate ties to Russia. They have also been linked to a similar attack on the Co-op. Meanwhile, another group, Scattered Spider, had earlier been suspected of executing the attack. Known for its advanced social engineering techniques, the group is composed primarily of young hackers from the US and UK. They have previously impersonated IT personnel and used SIM swapping tactics to breach organizations. 

In 2023, they gained notoriety after cyberattacks on major US casino operators like Caesars Entertainment and MGM Resorts, resulting in multi-million-dollar ransoms. The M&S cyberattack, disclosed on April 22, disrupted online orders and even stopped contactless payments in physical stores. As a result, hundreds of agency workers were temporarily relieved from duty. The company confirmed that customer data—including names, email addresses, addresses, and birth dates—was compromised during the breach. The cause, according to Machin, was human error by a third-party service provider. 

In response to the growing threat, the UK’s National Cyber Security Centre (NCSC) issued industry-wide guidance. Law enforcement agencies, including the National Crime Agency (NCA), are actively investigating the case and considering whether the incidents involving these hacker groups are interconnected. The financial impact has been significant. M&S’s market value dropped by £650 million in the days following the attack. Despite these setbacks, the company has now reopened its standard delivery service in England, Scotland, and Wales, with additional services like click-and-collect and international orders expected to follow soon. 

In a recent statement, M&S emphasized its commitment to restoring customer trust and maintaining high service standards. The company said, “Our stores have remained operational, and we’re now focused on delivering the quality and service our customers expect as we recover from this disruption.”

United Natural Foods Confirms Network Disruption from Cyberattack

 


United Natural Foods Inc.'s operations were disrupted by a serious cybersecurity incident. There have been widespread supply chain issues and widespread product shortages at Whole Foods Market locations all over the United States due to the company's failure to meet the demands of its customers. In addition to serving as the primary distributor of Whole Foods, a flagship grocery chain under the umbrella of Amazon, UNFI also plays a crucial role in the organic food supply chain. 

It is headquartered in Rhode Island. This cyberattack was discovered by the company on June 5, according to a recent filing with the Securities and Exchange Commission. When the company discovered the cyberattack, several internal systems were immediately taken offline to contain the threat, which significantly hindered the company's ability to process and fulfil orders for customers. 

In spite of the ongoing investigation, specifics regarding the nature and origin of the breach remain unadvertised, but it is a troubling development that aligns with a troubling pattern of ransomware attacks recently targeting large retailers and supply chain operators. According to experts, sophisticated cybercriminal groups are likely to have been the perpetrators of the intrusion, using malicious software to compromise critical business systems and extort money in exchange for their recovery. 

A spokesperson for Whole Foods responded to the disruption by apologising briefly for the inconvenience it caused customers and reassuring the public that restocking efforts are underway right now. However, the company declined to comment further on the extent of the impact or if there were any timeframes for full recovery as a result of the disruption. 

The investigation has highlighted the growing vulnerabilities of the digital infrastructure of essential service providers, which have led to a cascading effect of such breaches on consumer access to everyday goods United Natural Foods Inc. As the investigation continues, the company has revealed that it has suffered a significant cybersecurity breach that has impacted the operations of the company and shaken investor confidence in its stock price. 

UNFI is a leading wholesale distributor for Whole Foods Market, owned by Amazon. According to the company's announcement made public by the Securities and Exchange Commission (SEC), unauthorised access to its IT systems was detected on June 5 of this year. As a result of the intrusion, UNFI immediately deactivated portions of its network, a measure that, since then, has resulted in widespread disruptions and delays in the fulfilment of customer orders due to widespread interruptions to operations.

The stock value of the company fell sharply after the disclosure of the incident, dropping by about 7%. This is indicative of the growing concerns among investors regarding the scope of the incident and the potential business ramifications. According to UNFI, the incident is currently being investigated by cybersecurity teams to assess the scope of the incident, as well as revert to normal operations as quickly and securely as possible. 

There has already been a temporary disruption to the company's business functions, including supply chain and order fulfilment processes, as a result of the cyberattack, and this will probably continue in the future, according to the company. With over 30,000 retail locations serving over $30 billion in annual revenue as one of North America's largest full-service food distributors, UNFI's vulnerability to such an attack highlights what is becoming increasingly evident: even industry giants with vast resources are not exempt from cyber threats in the digital age. 

Although experts are yet to confirm the exact nature of the breach, it appears that it may be part of a broader ransomware campaign that targets major supply chain operators. In light of the growing sophistication and aggressive nature of cybercriminals, essential service providers are faced with an increasing number of cybersecurity risks that should be emphasised to ensure robust digital defences are in place. 

UNITED NATURAL FOODS INC (UNFI) is a leading global food distribution company that operates a range of food brands like Wild Harvest, Culinary Circle, and Essential Everyday, all of which cater to the growing demand for natural, organic, and speciality items. In addition to its vast wholesale operations, Cub Foods and Shoppers also own and operate 76 retail stores that are operated under their respective banners.

It has, however, maintained a strong financial position because it is primarily reliant on its wholesale division for revenue, accounting for over 95% of the company's total revenue, emphasising the vital role it plays in the food supply chain as a whole. A recent earnings call of the UNFI leadership team was challenged on whether certain operational aspects of the business may have contributed to the company being vulnerable to cyberattacks as a result. 

Furthermore, analysts were pressed for more clarity on whether the security breach would prompt a re-evaluation of the company's future investment strategy, especially for IT infrastructure upgrades and cybersecurity improvements. In spite of the fact that the company has not yet provided a detailed response to the incident, there is no doubt that the incident has raised concerns about its digital defences and its risk mitigation protocols, which are undoubtedly being examined both internally and externally. 
Cyber threats are continuing to grow, both in scale and sophistication, as a result of the breach at UNFI. As a consequence, critical infrastructure operators, especially those operating in vital sectors like food distribution, are under increasing pressure to prioritise cybersecurity as an integral part of corporate governance and operational continuity. There is a good chance that the event will act as a catalyst for UNFI to reevaluate and strengthen its technological investments so as to ensure its expansive supply chain and digital ecosystem remain secure in the future. 

As a result of an escalation in cyberattacks within the food and agriculture industry within the past five years, industry data is revealing that over the next five years, cyberattacks will be at a staggering 600%. A growing threat has caused federal authorities to express greater concern, including the Federal Bureau of Investigation, which has issued formal warnings to private businesses concerning this growing threat. 

Specifically, the agency cited ransomware as a critical threat to farms, food processors, manufacturers, and large-scale producers—all of whom play an integral role in the supply chain both nationally and globally. In the past, notable incidents have highlighted the severity of the threat landscape. For example, in 2021, meat processing giant JBS fell victim to a ransomware attack attributed to the REvil (Sodinokibi) group, which is believed to have been linked to Russia as a ransomware-as-a-service operator. 

For JBS to regain access to its systems after the breach, cybercriminals charged it a $11 million fee. It is also important to point out that, in 2023, a large producer company called Dole temporarily stopped processing and distributing its products after it reported a ransomware attack that severely impaired its operational capabilities. 

A recent cyberattack on United Natural Foods Inc. reflects this troubling trend, and it highlights how retail and supply chain infrastructure are becoming increasingly vulnerable. Semperis' director of incident response, Jeff Wichman, a cybersecurity expert, said the breach falls within a larger wave of cyberattacks that have recently affected major retailers, such as Sam's Club and Ahold Delhaize, which is one of the largest food retail conglomerates in the world. 

A number of organisations within these sectors, including the food and beverage sector, must be vigilant against cyberattacks in the future. As cyberattacks continue to increase in frequency and sophistication, Wizman explained that this incident is yet another critical reminder that they must enhance their preparedness. In its most recent statement, United Natural Foods confirmed that efforts are underway to reestablish full operational capabilities after restoring affected systems. 

Also, the company reported that the police have been informed of the breach, digital forensics experts have been engaged, as well as several computer systems have been proactively taken offline to contain further exposure. United Natural Foods Inc. stated that the breach has limited its impact on the company's business and contained further exposure in its most recent financial disclosure. A company called UNFI (UNFI) reported net sales of $8.1 billion in the fiscal quarter ending May 3, 2025, demonstrating the company's continued dominance in the wholesale grocery market in North America. 

Despite strong performance on the top line, UNFI has indicated that despite its full-year outlook for 2025, it is expected to report a net loss in income and earnings per share, even though it achieved a strong top-line performance. As a result of terminating a significant supply contract with a large grocery chain located in the northeastern part of the United States, the company's financial prospects have already been severely impacted by this anticipated downturn. 

A recent cyberattack has not prompted UNFI to adjust its fiscal guidance at the present time, as a comprehensive internal assessment must be conducted to evaluate the full scope and potential financial consequences of this attack. Executives at the company stressed that, despite the fact that the breach has brought about operational uncertainty, any changes to the company's financial outlook will be determined based on the comprehensive analysis currently being conducted. 

Even though UNFI has lost contracts and suffered a cyberattack, the multifaceted challenges it is facing are underscored as it attempts to stabilise operations, maintain retailer confidence, and safeguard shareholders' value in an increasingly volatile environment that has made the organisation more vulnerable to cyberattacks. Despite the continuing effects of the cyberattack on United Natural Foods Inc., this incident continues to serve as a crucial lesson for organisations operating within complex supply chain ecosystems. 

As a consequence, it underscores the importance of adopting forward-looking, resilience-driven cybersecurity strategies that integrate digital risk management into the fabric of every company's daily operations as a way of addressing cybersecurity threats in the future. For food and logistics providers whose services directly affect national infrastructure and consumer access to essential goods, cybersecurity is a business-critical function that must not be overlooked as an IT peripheral concern. 

Increasing threat actor sophistication and a widening attack surface posed by increasingly complex digital ecosystems are the reasons why companies need to invest more in advanced threat detection, zero-trust architectures, and employee cyber hygiene in order to be on top of things. UNFI's recent breach may be a turning point in not only the company's history but also in the industry at large. 

This breach might prompt a broader reevaluation of how cybersecurity readiness is integrated into strategic planning, regulatory compliance, as well as stakeholder trust. With the rapidly evolving cyber threat landscape, organisations that take proactive, system-level action are going to be best positioned to mitigate disruption, protect brand integrity, maintain operational continuity, and maintain operational efficiency as they navigate these new, evolving threats.

Sensata Technologies Confirms Data Breach After April Ransomware Attack, Notifies Employees of Exposed Personal Information

 

Sensata Technologies has begun notifying current and former employees of a data breach following the conclusion of an internal investigation into a ransomware attack that took place in April 2025.

A global leader in industrial technology, Sensata specializes in mission-critical sensors, controls, and electrical protection systems, serving sectors such as automotive, aerospace, and defense. The company generates annual revenues exceeding $4 billion.

The breach was initially disclosed in an 8-K filing with the U.S. Securities and Exchange Commission (SEC) after a ransomware attack occurred on Sunday, April 6. At the time, Sensata confirmed that the incident included data exfiltration and disrupted its shipping, manufacturing, and other operations.

While early findings verified that data had been accessed without authorization, the specifics of the stolen information remai5ned unclear. A detailed investigation, supported by external cybersecurity experts, later revealed that the attackers infiltrated Sensata’s systems on March 28, 2025.

"The evidence showed that there was unauthorized activity in our network between March 28, 2025, and April 6, 2025," reads the notice sent to impacted persons.

"During that time, an unauthorized actor viewed and obtained files from our network. We conducted a careful review of the files and, on May 23, 2025, determined that one or more of them may have contained your information."

According to the company, the compromised data may include sensitive personal details such as:
  • Full name
  • Address
  • Social Security Number (SSN)
  • Driver’s license number
  • State ID card number
  • Passport number
  • Financial account and payment card details
  • Medical and health insurance information
  • Date of birth
The breach has affected both current and former employees, as well as their dependents, with the nature of the exposed data varying from person to person.

To support those affected, Sensata is offering one year of complimentary credit monitoring and identity theft protection services.

BleepingComputer has contacted the company to clarify the scale of the breach and the number of individuals impacted, but no response was received as of publication time.

So far, no ransomware group has claimed responsibility for the attack on Sensata Technologies.

FBI Warns of Luna Moth Ransomware Attacks Targeting U.S. Law Firms

 

The FBI said that over the last two years, an extortion group known as the Silent Ransom Group has targeted U.S. law firms through callback phishing and social engineering tactics. 

This threat outfit, also known as Luna Moth, Chatty Spider, and UNC3753, has been active since 2022. It was also responsible for BazarCall campaigns, which provided initial access to corporate networks for Ryuk and Conti ransomware assaults. Following Conti's shutdown in March 2022, the threat actors broke away from the cybercrime syndicate and created their own operation known as the Silent Ransom Group.

In recent attacks, SRG mimics the targets' IT help via email, bogus websites, and phone conversations, gaining access to their networks via social engineering tactics. This extortion group does not encrypt victims' systems and is infamous for demanding ransoms in order to keep sensitive information stolen from hacked devices from being leaked online. 

"SRG will then direct the employee to join a remote access session, either through an email sent to them, or navigating to a web page. Once the employee grants access to their device, they are told that work needs to be done overnight," the FBI stated in a private industry notification.

"Once in the victim's device, a typical SRG attack involves minimal privilege escalation and quickly pivots to data exfiltration conducted through 'WinSCP' (Windows Secure Copy) or a hidden or renamed version of 'Rclone.'” 

After acquiring the victims' data, they use ransom emails to blackmail them, threatening to sell or publish the information. They frequently call employees of breached organisations and force them into ransom negotiations. While they have a dedicated website for disclosing their victims' data, the FBI claims the extortion ring does not always followup on its data leak promises. 

To guard against these attacks, the FBI recommends adopting strong passwords, activating two-factor authentication for all employees, performing regular data backups, and teaching personnel on recognising phishing efforts.

The FBI's warning follows a recent EclecticIQ report detailing SRG attacks targeting legal and financial institutions in the United States, with attackers observed registering domains to "impersonate IT helpdesk or support portals for major U.S. law firms and financial services firms, using typosquatted patterns.”

A recent EclecticIQ report about SRG attacks against American legal and financial institutions revealed that the attackers were registering domains to "impersonate IT helpdesk or support portals for major U.S. law firms and financial services firms, using typosquatted patterns." The FBI issued the warning in response to this information. 

Malicious emails with fake helpdesk numbers are being sent to victims, prompting them to call in order to fix a variety of non-existent issues. On the other hand, Luna Moth operators would try to deceive employees of targeted firms into installing remote monitoring & management (RMM) software via phoney IT help desk websites by posing as IT staff.

Once the RMM tool is installed and started, the threat actors have direct keyboard access, allowing them to search for valuable documents on compromised devices and shared drivers, which will then be exfiltrated via Rclone (cloud syncing) or WinSCP (SFTP). According to EclecticIQ, the Silent Ransom Group sends ransom demands ranging from one to eight million USD, depending on the size of the hacked company.

Weak Links in Healthcare Infrastructure Fuel Cyberattacks

 


Increasingly, cybercriminals are exploiting systemic vulnerabilities in order to target the healthcare sector as one of the most frequently attacked and vulnerable targets in modern cybersecurity, with attacks growing both in volume and sophistication. These risks go well beyond the theft of personal information - they directly threaten the integrity and confidentiality of critical medical services and patient records, as well as the stability of healthcare operations as a whole. 

There has been an increase in threat actors targeting hospitals and medical institutions due to the outdated infrastructure and limited cybersecurity resources they often have. Threat actors are targeting these organisations to exploit sensitive health information and disrupt healthcare delivery for financial or political gain. The alarming trend reveals that there is an urgent and critical security issue looming within the healthcare industry that needs to be addressed immediately. 

Such breaches have the potential to have catastrophic consequences, from halting life-saving treatments due to system failures to eroding patients' trust in healthcare providers. Considering the rapid pace at which the digital transformation is taking place in healthcare, it is important that the sector remains committed to robust cybersecurity strategies so as to safeguard the welfare of its patients and ensure the resilience of essential medical services in the future. 

BlackCat, also referred to as ALPHV, is at the centre of a recent significant cybersecurity incident. In recent months, it has gained prominence as a highly organised, sophisticated ransomware group that has been linked to the high-profile attack on Change Healthcare. As a result of the infiltration of the organisation's IT infrastructure and the theft of highly sensitive healthcare data by the group, the group has claimed responsibility for obtaining six terabytes of data.

As a result of this breach, not only did it send shockwaves throughout the healthcare sector, but it also highlighted the devastating power of modern ransomware when targeting critical systems. It has been reported that the attack was triggered by known vulnerabilities in ConnectWise's ScreenConnect remote access application, a tool that is frequently employed in many industries, including healthcare, as a remote access tool. 

Having this connection has given rise to more concern about the broader cybersecurity risks posed by third-party vendors as well as software providers, showing that even if one compromised application is compromised, it can lead to widespread data theft and operational disruption as a result. This incident has served as a stark reminder that digital ecosystems in healthcare are fragile and interconnected, with a breach in one component leading to cascading effects across the entire healthcare service network. 

There is a growing concern in the healthcare sector that, as investigations continue and new details emerge, healthcare providers are still on high alert, coping with the aftermath of the attack as well as the imperative necessity of strengthening their defensive infrastructure in order to prevent similar intrusions in the future. As one of the most frequently targeted sectors of the economy by cybercriminals, healthcare continues to be one of the most highly sensitive data centres in the world. 

It is important to note that even though industry leaders often fail to rank cybersecurity as one of their top challenges, Mike Fuhrman, CEO of Omega Systems, pointed out that despite this growing concern, there are already significant consequences resulting from insufficient cyber risk management, including putting patient safety at risk, disrupting care delivery, and making compliance with regulations even more difficult. Even though perceived priorities are not aligned with actual vulnerabilities, this misalignment poses an increasing and significant risk for the entire healthcare system. 

Fuhrman stressed the necessity of improving visibility into security threats and organisational readiness, as well as increasing cybersecurity resources, to bridge this gap. As long as healthcare organisations fail to take proactive and comprehensive steps to ensure cyber resilience, they may continue to experience setbacks that are both detrimental to operational continuity as well as eroding public trust, as well as putting patient safety at risk. 

As cybersecurity has become more and more important to the leadership, it has never been more important to elevate it from a back-office issue to an imperative. As a result of the growing number of cyberattacks targeting the healthcare sector in the past few years, the scale and frequency of these attacks have reached alarming levels.

According to the Office for Civil Rights (OCR), the number of security breaches reported by the healthcare industry between 2018 and 2023 has increased by a staggering 239%. Over the same period, there was a 278% increase in ransomware incidents, which suggests that cybercriminals are increasingly looking for disruptive, extortion-based attacks against healthcare providers as a means of extorting money. 

There is a likelihood that nearly 67% of healthcare organisations will have been attacked by ransomware at some point shortly, which indicates that such threats are no longer isolated events but rather a persistent and widespread threat. According to experts within the health care industry, one of the primary contributing factors to this vulnerability is the lack of preparedness at all levels. In fact, 37% of healthcare organisations do not have an incident response plan in place, leaving them dangerously vulnerable to ever-evolving cyberattacks. 

Health care institutions are appealing to malicious actors because they manage a huge amount of valuable data. Cybercriminals and even nation-state threat actors are gaining an increasing level of interest in electronic health records (EHRs), which contain comprehensive information about patient health, financial health, and medical history.

As a result of outdated cybersecurity protocols, legacy IT infrastructure, and operational pressures of high-stress environments, these records are frequently inadequately protected due to the likelihood that human error will occur more often. These factors together create an ideal storm for exploitation, making the healthcare industry a very vulnerable and frequently targeted industry in today's digital threat landscape.

Despite the growing frequency and complexity of cyberattacks, healthcare organisations face a critical crossroads as 2025 unfolds. Patient safety, data security, and regulatory compliance all intersect at the same time, resulting in a crucial crossroads more than ever before. Enhancing cyber resilience has become a strategic priority and a fundamental requirement, not just a strategic priority. 

Healthcare institutions must proactively adopt forward-looking security practices and technologies to secure sensitive patient data and ensure continuous care delivery. As a key trend influencing the healthcare cybersecurity landscape, zero-trust architectures are a growing trend that challenges traditional security models by requiring all users and devices to be verified before they are allowed access. 

In a hyperconnected digital environment where cyber threats exploit even the most subtle of system weaknesses, a model such as this is becoming increasingly important. IoT devices are becoming increasingly popular, and many of them were not originally designed with cybersecurity in mind, so we must secure them as soon as possible. Providing robust protections for these devices will be crucial if we are to reduce the attack surfaces of these devices. 

AI has been rapidly integrated into healthcare, and it has brought new benefits as well as new vulnerabilities to the healthcare sector. In order for organisations to meet emerging risks and ensure a responsible deployment, they must now develop AI-specific safety frameworks. Meanwhile, the challenge of dealing with technological sprawl, an increasingly fragmented IT environment with disparate security tools, calls for a more unified, centralised cybersecurity management approach.

A good way to prepare for 2025 is to install core security measures like multi-factor authentication, strong firewalls, and data backups, as well as advanced measures like endpoint detection and response (EDR), segmentation of the network, and real-time AI threat monitoring. In addition to strengthening third-party risk management, it will also be imperative to adhere to global compliance standards like HIPAA and GDPR.

There is only one way to protect both healthcare infrastructure and the lives that are dependent on it in this ever-evolving threat landscape, and that is by implementing a comprehensive, proactive, and adaptive cybersecurity strategy. Healthcare organisations must take proactive measures rather than reactive measures and adopt a forward-looking mindset so they can successfully navigate the increasing cybersecurity storm. 

Embedding cybersecurity into healthcare operations' DNA is the path to ensuring patient safety, operational resilience, and institutional trust in healthcare organisations, not treating it as a standalone IT concern, but as a critical pillar of patient safety, operational resilience, and institutional trust in healthcare organisations.

To achieve this, leadership must take the initiative to champion security from the boardroom level, integrate threat intelligence into strategic planning, and invest in people and technology that will be able to anticipate, detect, and neutralise emerging threats before they become a major issue. As part of the process of fostering cyber maturity, it is also essential to cultivate a culture of shared responsibility among all stakeholders, ranging from clinicians to administrative personnel to third-party vendors, who understand the importance of keeping data and systems secure. 

Training on cybersecurity hygiene, cross-functional collaboration, and continuous vulnerability assessment must become standard operating procedures in the healthcare industry. As attackers become more sophisticated and bold, the costs of inaction do not stop at regulatory fines or reputational damage. Rather, inaction may mean interruptions of care, delays in treatments, and the risk to human life. 

Only organisations that recognise cybersecurity as a strategic imperative will be in the best position to deliver uninterrupted, trustworthy, and secure care in an age when digital transformation is accelerating. This is a sector that is built on the pillars of trust, a sector that offers life-saving services, which does not allow for room for compromise. They have to act decisively, investing today in the defensive measures that will ensure the future of their industry.

AI-Driven Cyberattacks Surge Globally as Stolen Credentials Flood the Dark Web: Fortinet Report

 

Artificial intelligence is accelerating the scale and sophistication of cyberattacks, according to Fortinet’s latest 2025 Global Threat Landscape Report. The cybersecurity firm observed a significant 16.7% rise in automated scanning activity compared to last year, with a staggering 36,000 scans occurring every second worldwide. The report emphasizes that attackers are increasingly "shifting left" — targeting vulnerable digital entry points such as Remote Desktop Protocol (RDP), Internet of Things (IoT) devices, and Session Initiation Protocols (SIP) earlier in the attack cycle.

Infostealer malware remains a major concern, with a dramatic 500% increase in compromised system logs now available online. This translates to over 1.7 billion stolen credentials circulating on the dark web. The report warns, “this flood of stolen data has led to a sharp increase in targeted cyberattacks against businesses and individuals.” Cybercriminals are actively exploiting this data, leading to a 42% jump in credentials listed for sale on underground forums.

Interestingly, zero-day vulnerabilities only make up a minor portion of the current threat landscape. Instead, attackers are leveraging “living off the land” tactics — exploiting built-in system tools and overlooked weaknesses — to stay hidden and avoid detection.

The ransomware ecosystem is also evolving. New groups are emerging while established ones strengthen their presence. In 2024, Ransomhub led the charts, accounting for 13% of ransomware victims. It was followed closely by LockBit 3.0 (12%), Play (8%), and Medusa (4%).

A majority of these ransomware incidents targeted U.S.-based entities, which experienced 61% of the reported cases. The United Kingdom and Canada followed with 6% and 5% respectively, suggesting a disproportionate focus on American organizations.

“Our 2025 Global Threat Landscape Report makes it clear: cybercriminals are scaling faster than ever, using AI and automation to gain the upper hand,” stated Derek Manky, Chief Security Strategist and Global Vice President of Threat Intelligence at FortiGuard Labs.

He added, “Defenders must abandon outdated security playbooks and transition to proactive, intelligence-driven strategies that incorporate AI, zero trust architectures, and continuous threat exposure management.”

London Startup Allegedly Deceived Microsoft with Fake AI Engineers

 


There have now been serious allegations of fraud against London-based startup Builder.ai, once considered a disruptor of software development and valued at $1.5 billion. Builder.ai is now in bankruptcy. The company claims that its artificial intelligence-based platform will revolutionise app development. With the help of its AI-assisted platform, Natasha, the company claims that building software will be easier than ordering pizza. 

The recent revelations, however, have revealed a starkly different reality: instead of employing cutting-edge AI technology, Builder.ai reportedly relies on hundreds of human developers in India, who manually execute customer requests while pretending to be AI-generated results.

Having made elaborate misrepresentations about this company, Microsoft and Qatar Investment Authority invested $445 million, led by the false idea that they were backed by a scalable, AI-based solution, which resulted in over $445 million in funding being raised. This scandal has sparked a wider conversation about transparency, ethics, and the hype-driven nature of the startup ecosystem, as well as raised serious concerns about due diligence in the AI investment landscape. 

In 2016, Builder.ai, which was founded by entrepreneur Sachin Dev Duggal under the name Engineer.ai, was conceived with a mission to revolutionise app development. In the company's brand, the AI-powered, no-code platform was touted to be able to dramatically simplify the process of creating software applications by cutting down on the amount of code required. 

Founded by a group of MIT engineers and researchers, Builder.ai quickly captured the attention of investors worldwide, as the company secured significant funding from high-profile companies including Microsoft, the Qatar Investment Authority, the International Finance Corporation (IFC), and SoftBank's DeepCore. 

The company highlighted its proprietary artificial intelligence assistant, Natasha, as the technological breakthrough that could be used to build custom software without human intervention. This innovative approach was a central part of the company's value proposition. With the help of a compelling narrative, the startup secured more than $450 million in funding and achieved unicorn status with a peak valuation of $1.5 billion. 

It was widely recognised in the early stages of the evolution of Builder.ai that it was a pioneering force that revolutionised software development, reducing the reliance on traditional engineering teams and democratizing software development. However, underneath the surface of the company's slick marketing campaigns and investor confidence lay a very different operational model—one which relied heavily on human engineers, rather than advanced artificial intelligence. 

Building.ai's public image unravelled dramatically when its promotional promises diverged from its internal practices. It was inevitable that the dramatic collapse of Builder.ai, once regarded as a rising star in the global tech industry, would eventually lead to mounting scrutiny and a dramatic unravelling of its public image. This has revealed troubling undercurrents in the AI startup sector.

In its beginnings, Builder.ai was marketed as a groundbreaking platform for creating custom applications, but it also promised automation, scale, and cost savings, and was positioned as a revolutionary platform for developing custom applications. Natasha was the company's flagship artificial intelligence assistant, which was widely advertised as enabling it to develop software with no code. Yet internal testimonies, lawsuits, and investigation findings have painted a much more troubling picture since then. 

According to its claims of integrating sophisticated artificial intelligence, Natasha was only used as a simple interface for collecting client requirements, whereas the actual development work was done by large engineering teams in India, despite Natasha's claims of sophisticated artificial intelligence integration. According to whistleblowers, including former executives, Builder.ai did not have any genuine AI infrastructure in place. 

As it turns out, internal documentation indicates that applications are being marketed as “80% built by AI” when in fact their underlying tools are rudimentary at best, when they are actually built with artificial intelligence. Former CEO Robert Holdheim filed a $5 million lawsuit alleging wrongful termination after raising concerns about deceptive practices and investor misrepresentation in the company. Due to his case catalysing broader scrutiny, allegations of financial misconduct, as well as technological misrepresentations, were made, resulting in allegations of both. 

After Sachin Dev Duggal had taken over as CEO in mid-2025, Manpreet Ratia took over as CEO, starting things off in a positive manner by stabilising operations. An independent financial audit was ordered under Ratia's leadership that revealed massive discrepancies between the reported revenue and the actual revenue. 

Builder.ai claimed that it had generated more than $220 million in revenues for 2024, while the true figure was closer to $50 million. As a result, Viola Credit, a company's loan partner, quickly seized $37 million in the company's accounts and raised alarm among creditors and investors alike. A final-ditch measure was to release a press release acknowledging Builder.ai had been unable to sustain payroll or its global operations, with only $5 million remaining in restricted funds. 

In the statement, it acknowledged that it had not been able to recover from its past decisions and historic challenges. Several bankruptcy filings were initiated across multiple jurisdictions within a short period of time, including India, the United Kingdom, and the United States. The result was the layoff of over 1,000 employees and the suspension of a variety of client projects. 

The controversy exploded as new allegations were made about revenue roundtrips with Indian technology company VerSe, which was believed to be a strategy aimed at inflating financial performance and attracting new investors. Further, reports revealed that Builder.ai has defaulted on substantial payments to Amazon and Microsoft, owing approximately $85 million to Amazon and $30 million to Microsoft for unpaid cloud services. 

As a result of these developments, a federal investigation has been launched, with authorities requesting access to the company's finances and client contracts as well. As a result of the Builder.ai scandal, a broader issue is at play in the tech sector — "AI washing", where startups exaggerate or misstate their artificial intelligence capabilities to get funding and market traction. 

In an interview with Info-Tech Research Group, Principal Analyst Phil Brunkard summarised this crisis succinctly: "Many of these so-called AI companies scaled based on narrative rather than infrastructure." There is a growing concern among entrepreneurs, investors, and the entire technology industry that Builder.ai could be serving as a cautionary tale for investors, entrepreneurs, and the entire technology industry as regulatory bodies tighten scrutiny of AI marketing claims. 

There have been concerns regarding the legitimacy of Builder.ai's artificial intelligence capabilities ever since a report published by The Wall Street Journal in 2019 raised questions about how heavily the company relies on human labour over artificial intelligence. It has been reported that, despite the company's marketing narrative emphasising automation and machine learning, the company's internal operations paint a different picture. 

The article quotes former employees of Builder.ai saying that Builder.ai was a platform that was primarily engineering, and not AI-driven. This statement starkly contradicted the company's claim to be an AI-first, no-coding platform. Even though many investors and stakeholders ignored these early warnings, they hinted that there might be deeper structural inconsistencies with the startup's operations than what the initial warnings indicated. 

When Manpreet Ratia took on the role of CEO of the company in February 2025, succeeding founder Sachin Dev Duggal, the extent to which the company's internal dysfunction was revealed. It became apparent to Ratia quickly that the company had been misreported and that data had been manipulated for years in order to increase its valuation and public image, despite the fact that it had been tasked with restoring investor confidence and operational transparency. 

Following the revelations in this case, U.S. federal prosecutors immediately began an investigation into the company's business practices in response to the disclosures. Earlier this week, the authorities formally requested access to Builder.AI's financial records, internal communications, and its customer data. The request is part of a broader investigation looking into the possibility of fraud, deception of investors, and violations related to false descriptions of AI capabilities.

It should be noted that the failure of Builder.AI serves as an obvious sign that the investment and innovation ecosystems surrounding artificial intelligence need to be recalibrated urgently and sharply. Capital is continuing to flow into AI-powered ventures at a rapid pace, and stakeholders need to raise their standards in regards to due diligence, technical validation and governance oversight as a result. 

It is important to temper investor enthusiasm for innovative startups by rigorously evaluating the company's technical capabilities beyond polished pitch decks and strategic storytelling. The case reinforces the importance of transparency and sustainability over short-term hype for founders, as well as the need for regulators to develop frameworks aimed at holding companies accountable if they make misleading claims in their product representations and financial disclosures. 

Regulators are becoming increasingly aware of what is being called "AI washing" and are developing strategies to address it. Credibility in a sector built upon trust has become an essential cornerstone of long-term viability, and the collapse of Builder.ai illustrates that this is no longer just a case of a singular failure; rather, it has become a call to action in the tech industry to place substance above spectacle in the age of artificial intelligence.