Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Attacks. Show all posts
PWA
Browser Browser Security Client Accounts Cyber Attacks cybercriminals Data protection data security Data Theft Mobile Security PWA

Cybercriminals Escalate Client-Side Attacks Targeting Mobile Browsers

 

Cybercriminals are increasingly turning to client-side attacks as a way to bypass traditional server-side defenses, with mobile browsers emerging as a prime target. According to the latest “Client-Side Attack Report Q2 2025” by security researchers c/side, these attacks are becoming more sophisticated, exploiting the weaker security controls and higher trust levels associated with mobile browsing. 

Client-side attacks occur directly on the user’s device — typically within their browser or mobile application — instead of on a server. C/side’s research, which analyzed compromised domains, autonomous crawling data, AI-powered script analysis, and behavioral tracking of third-party JavaScript dependencies, revealed a worrying trend. Cybercriminals are injecting malicious code into service workers and the Progressive Web App (PWA) logic embedded in popular WordPress themes. 

When a mobile user visits an infected site, attackers hijack the browser viewport using a full-screen iframe. Victims are then prompted to install a fake PWA, often disguised as adult content APKs or cryptocurrency apps, hosted on constantly changing subdomains to evade takedowns. These malicious apps are designed to remain on the device long after the browser session ends, serving as a persistent backdoor for attackers. 

Beyond persistence, these apps can harvest login credentials by spoofing legitimate login pages, intercept cryptocurrency wallet transactions, and drain assets through injected malicious scripts. Some variants can also capture session tokens, enabling long-term account access without detection. 

To avoid exposure, attackers employ fingerprinting and cloaking tactics that prevent the malicious payload from triggering in sandboxed environments or automated security scans. This makes detection particularly challenging. 

Mobile browsers are a favored target because their sandboxing is weaker compared to desktop environments, and runtime visibility is limited. Users are also more likely to trust full-screen prompts and install recommended apps without questioning their authenticity, giving cybercriminals an easy entry point. 

To combat these threats, c/side advises developers and website operators to monitor and secure third-party scripts, a common delivery channel for malicious code. Real-time visibility into browser-executed scripts is essential, as relying solely on server-side protections leaves significant gaps. 

End-users should remain vigilant when installing PWAs, especially those from unfamiliar sources, and treat unexpected login flows — particularly those appearing to come from trusted providers like Google — with skepticism. As client-side attacks continue to evolve, proactive measures on both the developer and user fronts are critical to safeguarding mobile security.
Read more »
trending news
Cyber Attacks malware Malware Campaign News trending news

New Malware Campaign Using Legitimate-Looking Software Targets Users Worldwide

 

Cybersecurity experts are warning about a new wave of cyberattacks involving PXA Stealer, a sophisticated info-stealing malware now spreading rapidly across multiple countries. Originally detected by Cisco Talos researchers, PXA Stealer, written in Python was initially deployed against government agencies and educational institutions in Europe and Asia. 

However, its operators, believed to be Vietnamese-speaking cybercriminals, have shifted focus to everyday users in the U.S., South Korea, the Netherlands, Hungary, and Austria. 

According to SentinelOne, the campaign has already compromised over 4,000 unique IP addresses in 62 countries. The malware is designed to harvest browser-stored passwords, cookies, credit card information, autofill data, cryptocurrency wallet keys, and credentials from applications like Discord. Sideloading Tactics to Evade Detection The attackers are leveraging “sideloading” techniques to bypass antivirus detection. 

Victims are lured through phishing sites or tricked into downloading ZIP archives containing a legitimate, signed copy of Haihaisoft PDF Reader alongside a malicious DLL file. Once installed, the DLL ensures persistence via the Windows Registry and downloads additional payloads often hosted on platforms like Dropbox. 

When the PDF reader is launched, the malware executes a script that prompts Microsoft Edge to open a booby-trapped PDF file. Although the file triggers an error message instead of displaying content, the infection process is already complete. In another variation of the campaign, a fake Microsoft Word 2013 executable is sent as an email attachment. 

It looks like a standard document but executes a different DLL with the same malicious objective deploying PXA Stealer. Telegram Used for Data Theft Once the malware collects the stolen data, it transmits it via Telegram to the attackers, who then sell the information on underground forums and the dark web. 

Experts advise extreme caution with unsolicited emails, links, and attachments, even when they appear legitimate. Hovering over links to check their destination and avoiding downloads from unknown senders are essential safety steps. Users are also urged not to store sensitive information such as passwords or credit card details in their web browsers. Instead, dedicated password managers and secure payment methods are recommended. 

While antivirus tools remain an important layer of defence, the advanced evasion methods used in this campaign highlight the need for strong user vigilance. With PXA Stealer’s shift from targeting high-profile organisations to everyday users, security professionals warn that more variants of the malware may emerge in future attacks.
Read more »
insurance
Akira Bitcoin Customer Data Cyber Attacks Germany insurance

German Mobile Insurance Giant Falls After Devastating Ransomware Attack

 



A cyberattack has brought down one of Germany’s largest phone insurance and repair networks, forcing the once-thriving Einhaus Group into insolvency. The company, which at its peak generated around €70 million in annual revenue and partnered with big names such as Deutsche Telekom, Cyberport, and 1&1, has been unable to recover from the financial and operational chaos that followed the attack.


The Day Everything Stopped

In March 2023, founder Wilhelm Einhaus arrived at the company’s offices to an unsettling sight. Every printer had churned out the same note: “We’ve hacked you. All further information can be found on the dark web.” Investigations revealed the work of the hacking group known as “Royal.” They had infiltrated the company’s network, encrypting all of its core systems, the very tools needed to process claims, manage customer data, and run daily operations.

Without these systems, business ground to a halt. The hackers demanded around $230,000 in Bitcoin to unlock the computers. Facing immediate and heavy losses, and with no way to operate manually at the same scale, Einhaus Group reportedly agreed to pay. The financial damage, however, was already severe, estimated in the multi-million-euro range. Police were brought in early, but the payment decision was made to avoid even greater harm.


Desperate Measures to Stay Afloat

Before the attack, the company employed roughly 170 people. Within months, more than 100 positions were cut, leaving only eight employees to handle all ongoing work. With so few staff, much of the processing had to be done by hand, slowing operations dramatically.

To raise funds, the company sold its headquarters and liquidated various investments. These moves bought time but did not restore the business to its former state.


Seized Ransom, But No Relief

In a twist, German authorities later apprehended three suspects believed to be linked to the “Royal” group. They also seized cryptocurrency valued in the high six-figure euro range, suspected to be connected to the ransom payments.

However, Einhaus Group has not received its money back. Prosecutors have refused to release the seized funds until investigations are complete — a process that could take years. Other ransomware victims in Germany are in the same position, with no guarantee they will ever recover the full amount.


Final Stages of the Collapse

Three separate companies tied to the Einhaus Group have now formally entered insolvency proceedings. While liquidation is a strong possibility, founder Wilhelm Einhaus, now 72, insists he has no plans to retire. If the business is dissolved, he says he will start again from scratch.

The Einhaus case is not unique. Just recently, the UK’s 158-year-old transport company Knights of Old collapsed after a ransomware attack by a group known as “Akira,” leaving 700 people jobless. Cyberattacks are increasingly proving fatal to established businesses not just through stolen data, but by dismantling the very infrastructure needed to survive.


Read more »
Ransomwares
Akira Ransomware Business Security Cyber Attacks Cyber Vulnerabilities Cybersecurity Threats Public Wifi ransomware attacks Ransomwares

SonicWall VPN Zero-Day Vulnerability Suspected Amid Rising Ransomware Attacks

 

Virtual Private Networks (VPNs) have recently been in the spotlight due to the U.K.’s Online Safety Act, which requires age verification for adult content websites. While many consumers know VPNs as tools for bypassing geo-restrictions or securing public Wi-Fi connections, enterprise-grade VPN appliances play a critical role in business security. 

When researchers issue warnings about possible VPN exploitation, the risk cannot be dismissed. SonicWall has addressed growing concerns after reports surfaced of ransomware groups targeting its devices. According to the company, an investigation revealed that the activity is linked to CVE-2024-40766, a previously disclosed vulnerability documented in their advisory SNWLID-2024-0015, rather than an entirely new zero-day flaw. Fewer than 40 confirmed cases were reported, mostly tied to legacy credentials from firewall migrations. 

Updated guidance includes credential changes and upgrading to SonicOS 7.3.0 with enhanced multi-factor authentication (MFA) protections. Despite these reassurances, Arctic Wolf Labs researcher Julian Tuin observed a noticeable increase in ransomware activity against SonicWall firewall devices in late July. 

Several incidents involved VPN access through SonicWall SSL VPNs. While some intrusions could be explained by brute force or credential stuffing, evidence suggests the possibility of a zero-day vulnerability, as some compromised devices had the latest patches and rotated credentials. 

In several cases, even with TOTP MFA enabled, accounts were breached. SonicWall confirmed it is working closely with threat research teams, including Arctic Wolf, Google Mandiant, and Huntress, to determine whether the incidents are tied to known flaws or a new vulnerability. If a zero-day is confirmed, updated firmware and mitigation steps will be released promptly. 

The urgency is amplified by the involvement of the Akira ransomware group, which has compromised over 300 organizations globally. SonicWall also recently warned of CVE-2025-40599, a serious remote code execution vulnerability in SMA 100 appliances. Experts advise organizations to take immediate precautionary steps, especially given the potential for severe operational disruption. 

Recommended mitigations include disabling SSL VPN services where possible, restricting VPN access to trusted IP addresses, enabling all security services such as botnet protection and geo-IP filtering, removing inactive accounts, enforcing strong password policies, and implementing MFA for all remote access. 

However, MFA alone may not be sufficient in the current threat scenario. The combination of suspected zero-day activity, ransomware escalation, and the targeting of critical remote access infrastructure means that proactive defense measures are essential. 

SonicWall and security researchers continue to monitor the situation closely, urging organizations to act quickly to protect their networks before attackers exploit potential vulnerabilities further.
Read more »
Microsoft report
Chinese cyber espionage Cyber Attacks Cyber Threats Microsoft report

Microsoft Flags Russian ISP-Level Hacking Campaign Targeting Embassies in Moscow

 

Microsoft has revealed that a cyber-espionage group linked to Russia’s Federal Security Service (FSB) is conducting advanced attacks against foreign diplomatic missions in Moscow by exploiting local internet service providers (ISPs). 

The threat actor, tracked by Microsoft as Secret Blizzard also known as Turla, Waterbug, and Venomous Bear has been observed using an adversary-in-the-middle (AiTM) position at the ISP level to deliver a custom malware strain called ApolloShadow. According to Microsoft, the attackers intercept and redirect embassy staff and other high-value targets to deceptive captive portals. 

These portals prompt victims to download what appears to be a legitimate Kaspersky antivirus update but is, in fact, a malware installer. Once executed, the malicious software adds a trusted root certificate, enabling the attackers to disguise harmful websites as safe, maintain persistence, and exfiltrate sensitive data. 

“This is the first time we can confirm Secret Blizzard’s ability to perform espionage at the ISP level in Russia,” Microsoft stated, warning that any diplomatic personnel using local telecommunications networks in Moscow are at heightened risk. 

While Microsoft detected the current wave of attacks in February 2025, the campaign has reportedly been active since at least 2024. Investigators believe the hackers are also exploiting Russia’s domestic interception framework, known as the System for Operative Investigative Activities (SORM), to scale their AiTM operations.

A Veteran Espionage Group with Unconventional Tactics Secret Blizzard has been active since at least 1996, targeting embassies, government bodies, and research institutions in over 100 countries. The group has been linked to the FSB’s Center 16 and to the now-dismantled Snake cyber-espionage network, taken down in a joint operation by the Five Eyes intelligence alliance. 

Turla’s past activities have included infiltrations against high-profile entities such as the U.S. Central Command, NASA, the Pentagon, several Eastern European ministries, the Finnish Foreign Ministry, and multiple EU governments. Known for their creativity, the hackers have hidden malware commands in Instagram photo comments, hijacked Iranian and Pakistani hacking infrastructure to mislead investigators, and targeted Ukrainian military networks connected to Starlink. 

Microsoft’s findings underline the significant cyber risks for foreign embassies and sensitive organisations operating in Russia, especially those reliant on local ISPs for connectivity.
Read more »
trending news
Cyber Attacks Cyberwarfare Russian Hackers trending news

Russia’s Turla Hackers Are Using Local ISPs to Deliver Spyware to Diplomats

 

One of Russia's most sophisticated cyberespionage groups has reportedly been leveraging its country’s internet backbone to deploy spyware—right on its home turf. Turla, a hacking unit tied to Russia’s Federal Security Service (FSB), is known for complex and covert digital operations, often involving satellites and co-opting rival hackers’ infrastructure to avoid detection. 

But a recent investigation reveals a more direct strategy: manipulating Russia’s own internet service providers (ISPs) to infect targets with malware. The operation appears to have taken place in Moscow, where Turla likely used privileged access to local ISPs to intercept and tamper with web traffic. 

This allowed them to stealthily implant spyware on the systems of specific targets, such as foreign diplomats working within Russia. The tactic bypasses traditional phishing or compromised websites, instead exploiting a deep-rooted position within Russia’s internet infrastructure. 

While Turla has previously made headlines for their stealth, such as masking malware communications via satellite links or piggybacking on other hackers’ campaigns, this domestic maneuver reflects a new kind of boldness. 

Leveraging national internet controls to directly manipulate web traffic represents both a technical advantage and a dangerous precedent for global cyber operations.
Read more »
Ransomware
Cyber Attacks Data Leak Dollar Tree Hacking Ransomware

Dollar Tree Refutes Cyberattack Claim, Says Leaked Data Belongs to Another Company

 




Discount retail chain Dollar Tree has denied being the target of a recent cyberattack, following claims by a ransomware group that it stole sensitive company files. According to Dollar Tree, the data allegedly leaked online does not belong to them but appears to be from a completely different company.

The hacking group, which calls itself “INC Ransom,” listed Dollar Tree on its dark web site, stating it had stolen over one terabyte of confidential information, including personal documents such as scanned passports. The group even shared a sample of the files and quoted an old Dollar Tree press release to suggest it had access to internal information.

However, Dollar Tree has firmly denied being hacked. Company officials say the data actually comes from 99 Cents Only, a separate discount chain that went out of business earlier this year.


What really happened?

99 Cents Only, once a popular budget retailer, filed for bankruptcy in April 2024. Rising costs, pandemic aftereffects, and increasing theft were cited among the reasons for its financial collapse. By mid-2024, all 371 of its stores were shut down and assets liquidated.

Dollar Tree later acquired rights to 170 of these store locations, along with their U.S. and Canadian web domains and some store equipment. But according to Dollar Tree, they never purchased the company's internal data, networks, or systems.

A Dollar Tree spokesperson clarified the situation:

"The files mentioned in these cyberattack claims appear to be linked to former employees of 99 Cents Only. Dollar Tree only acquired certain real estate leases and select assets not their data or technology infrastructure. Any suggestion that we were breached is simply not true."

Because 99 Cents Only is no longer operational, its customer support lines and emails are inactive, making it difficult to get an official response from the company itself.


Is Dollar Tree affected?

Dollar Tree says there’s no indication its own systems were accessed or compromised. The company remains one of the largest and most profitable players in the U.S. discount retail sector, reporting over $17 billion in sales last year.

While the ransomware group has not clarified the confusion, cybersecurity experts suggest the mix-up may stem from Dollar Tree’s acquisition of 99 Cents Only store leases, which may have led attackers or observers to wrongly associate the two companies.

This incident is a testament to how misleading information can spread quickly, especially when legacy data from bankrupt companies becomes part of a broader breach.

Dollar Tree is continuing to monitor the situation but insists there is no current threat to its systems or customer data.

Read more »
Software
Cyber Attacks Cyberhackers Cybersecurity CyberThreat Infrastructure PyPI python Software

Hackers Deploy Lookalike PyPI Platform to Lure Python Developers


The Python Package Index (PyPI) website is being used to launch sophisticated phishing campaigns targeting Python developers, highlighting the ongoing threats that open-source ecosystems face. The phishing campaign is utilising a counterfeit version of the website to target Python developers. 

In an official advisory issued earlier this week by the Python Software Foundation (PSF), attackers have warned developers against defrauding them of their login credentials by using the official PyPI domain for their phishing campaign. 

Despite the fact that PyPI's core infrastructure has not been compromised, the threat actors are distributing deceptive emails directing recipients to a fake website that closely resembles the official repository of PyPI. Because PyPI is the central repository for publishing and installing third-party Python libraries, this campaign poses a significant threat to developers' accounts as well as to the entire software supply chain as a whole.

In addition to using subtle visual deception, social engineering techniques are also used by attackers to craft phishing emails that appear convincingly legitimate to unsuspecting recipients of the emails. A subject line of the email normally reads "[PyPI] Email verification." These emails are typically sent to addresses harvested from the Python Package Index metadata of packages. 

A noteworthy aspect of the spam emails is that they are coming from email addresses using the domain @pypj.org, a nearly identical spoof of the official @pypi.org domain—only one character in the spoof differs, where the legitimate “i” is replaced by a lowercase “j”. 

To verify the authenticity of the email address, developers are asked to click a link provided in the email that directs them to a fake website that is meticulously designed to emulate the authentic PyPI interface in every way possible. This phishing site takes the victims’ passwords and forwards them to PyPI's official website in a particularly deceptive way, effectively logging them in and masking the fact that they have been cheated, which leaves many unaware of the security breach.

As a result, PyPI maintainers have urged all users who have interacted with the fraudulent email to change their passwords as soon as possible and to review their "Security History" in order to look for unauthorised access signs. 

Among the many examples of targeted deception within the developer ecosystem, threat actors have not only impersonated trusted platforms such as PyPI but also expanded their phishing campaigns to include developers of Firefox add-ons as part of a broader pattern of targeted deception. As part of the PyPI-focused attacks, developers are required to verify their email addresses by clicking on a link that takes them to a fake PyPI site that has an interface that is nearly identical to the legitimate PyPI site.

One of the most insidious aspects of this scam is the ability of the hacker to harvest login credentials and transmit them directly to PyPI's real site, thereby seamlessly logging in victims and concealing the breach. This clever redirection often leaves developers unaware that their credentials were compromised due to this clever redirection. 

There have been several reports this week about phishing campaigns targeting Firefox extension developers, including a parallel phishing campaign that has been launched to target Firefox extension developers as well. The PyPI team has advised any affected users to change their passwords immediately and check the Security History section for any signs of unauthorised access. 

Despite the fact that these emails falsely claim to originate from Mozilla or its Add-ons platform (AMO), they are instructing recipients to update their account details to maintain access to developer features. Upon closer examination, however, it is evident that these messages are not sophisticated at all: some of them are sent from generic Gmail accounts, and sometimes the word "Mozilla" is even misspelt, missing one letter from the “l” on some occasions. 

As a result of these warnings, the exploitation of platform trust remains one of the most powerful ways in which developers can compromise their accounts across a wide range of ecosystems. As social engineering threats have increased across the software supply chain, the Python Software Foundation (PSF) and other ecosystem stewards continue to face increasingly sophisticated phishing and malware attacks regularly. 

The PyPI Foundation has introduced a new feature known as Project Archival, which allows PyPI publishers to formally archive their projects, signalling to users that they will not be receiving any further updates shortly. In March 2024, PyPI was forced to temporarily suspend new user registrations as well as the creation of new projects due to a malware campaign in which hundreds of malicious packages disguised as legitimate tools were uploaded. 

These efforts were soon tested by PyPI. A response to the issue has been issued by PyPI, which has urged users to be vigilant by inspecting browser URLs carefully before logging in to their accounts and not clicking links from suspicious emails. It's interesting to note that similar attacks have also been aimed at the NPM registry recently. This time, however, they are using typosquatted domains-npnjs[.]com instead of npmjs[.]com-to send credential-stealing email verification messages to the registry. 

Several npm packages were compromised as a result of that campaign, which were then weaponised to deliver malware dubbed Scavenger Stealer. With this malicious payload, sensitive data could be extracted from browsers, system information could be captured, and it could be exfiltrated through a WebSocket connection in order for it to be exfiltrated. 

It has been documented that similar threats have been encountered across GitHub and other developer platforms, using a combination of typosquatting, impersonation, and reverse proxy phishing techniques. It is important to note that these attacks, despite appearing to be so simple to execute, are meant to compromise accounts that maintain widely used packages, which poses a systemic security risk. 

For best results, security experts suggest that users verify domain names, use browser extensions that flag suspicious URLs, and use password managers with auto-fill that only allow for trusted domains in order to reduce the possibility of exposure. There has been an increase in phishing and typosquatting campaigns targeting software registries like PyPI, npm, and GitHub, which is indicative of a larger and more serious trend in exploiting developer trust by hacking. 

In light of these incidents, developers, maintainers, and platform providers must establish enhanced security hygiene measures. Even though open-source ecosystems continue to serve as the foundation for modern software infrastructure, it is clear that the consequences of compromised developer accounts are no longer limited to individual projects. They are now threatening the integrity of the global software supply chain as a whole. 

Developers must take proactive measures in light of this shifting landscape by treating unexpected account verification requests with scepticism, verifying domain identity character by character, and implementing multi-layered security safeguards such as two-factor authentication and password managers that are security-conscious. 

A push is also being made for platform operators to accelerate investment in the detection of threats, communication transparency, and education of their users. Ultimately, the community will be able to defend itself against these low-tech, but highly impactful, attacks by recognising deception before it can cause damage. 

The sophistication of threat actors is allowing them to exploit familiarity and automation to their advantage, making security the first principle to be put forward across the development ecosystem to ensure resilience to attacks.

Read more »
Zscaler
Cyber Attacks CyberCrime Cybersecurity Data Exploit Digital Security Ransomware Security Infrastructure Security Vulnerabilities VPN Zero Trust Zscaler

Sharp Increase in Ransomware Incidents Hits Energy Sector

 


The cyber threat landscape is constantly evolving, and ransomware attacks have increased in both scale and sophistication, highlighting how urgent it is for enterprises to take a strategic approach to cybersecurity. A survey conducted by Zscaler in 2025 found that ransomware incidents increased 146% over the past year. 

Ten prominent groups took 238 terabytes of data from their servers over the past year, nearly doubling the 123 terabytes they stole a year ago. There has been an alarming 900% increase in attacks in the oil and gas industry, largely attributed to the development of digital infrastructure as well as unresolved security vulnerabilities. Additionally, manufacturing, technology, and healthcare have all been affected by this increase, resulting in more than 2,600 reported incidents combined. 

A large percentage of ransomware cases were reported in the United States, which accounts for more than twice the total number of cases reported in the next 14 most affected countries combined. According to experts, threat actors are increasingly turning to generative artificial intelligence (AI) in order to streamline operations and perform more targeted and efficient attacks. This shift corresponds with the growing preference for data extortion over traditional file encryption, resulting in more effective attacks. 

In response to these evolving tactics, cybersecurity leaders are advocating the widespread adoption of Zero Trust architecture in order to prevent large-scale data loss and contain lateral movement within networks. The rise of digital transformation is accelerating the use of ransomware actors to launch increasingly sophisticated attacks on critical infrastructure sectors while automating and leveraging vulnerable industrial control systems as a source of attack. 

A dramatic increase in the number of attacks on the oil and gas industry was attributed to expanding digital footprints and security lapses, whereas Zscaler's latest research indicates that manufacturing, information technology, and healthcare are the sectors that are most frequently targeted by cybercriminals. This attack disproportionately affected the United States, as there were 3,671 ransomware incidents registered in this country, which is more than any of the next 14 most targeted countries combined. 

Over the past year, 238 terabytes of data were exfiltrated in ransomware campaigns, a 92% increase over last year. In the April-to-April period, RansomHub emerged as the most active ransomware group, followed by Akira and Clop in a close second place. These intrusions were largely caused by vulnerabilities that were known to exist in widely used enterprise technologies, such as VMware hypervisors, Fortinet and SonicWall VPNs, and Veeam backup software, making the critical need for proactive vulnerability management and real-time threat detection to be implemented across all levels of IT and operational infrastructure even clearer.

In recent years, cybercriminal groups have adopted more targeted and scalable approaches to extortion, which is reshaping the global ransomware landscape. According to Zscaler's ThreatLabz Ransomware Report for 2025, RansomHub, Akira, and Clop are the three most prolific groups, each of which has claimed more than 850 victims, 520 victims, and 488 victims, respectively. 

The success of Ariara is attributed primarily to its affiliate-based operation model and close collaboration with initial access brokers, while Clop has continued to exploit vulnerabilities in commonly used third-party software to execute impactful supply chain attacks in the last few years. In spite of the high-profile actors involved in this reporting period, Zscaler tracked 425 ransomware groups, so this is just a small part of a much broader and rapidly growing ecosystem. 34 new ransomware groups were created during the reporting period. 

In addition, according to this report, a significant proportion of ransomware campaigns were exploiting a limited range of critical software vulnerabilities, primarily in internet-facing technologies such as SonicWall VPNs and Fortinet VPNs, VMware hypervisors, Veeam backup tools, and SimpleHelp remote access servers. 

It is due to their widespread deployment and ease of discovery through simple scanning techniques that these vulnerabilities remain so attractive. This allows both veteran and newly formed groups of hackers to launch high-impact attacks more effectively and with greater precision. The ransomware ecosystem continues to grow at an alarming rate, and there have been unprecedented numbers of groups launching ransomware attacks. 

There have been 34 new ransomware gangs reported by Zscaler between April 2024 and April 2025, totalling 425 groups that have been tracked so far. Clearly, the significant growth in ransomware over recent years is a reflection of the enduring appeal of ransomware as an attractive criminal model, and it demonstrates how sophisticated and agile cybercriminal organisations have become over the last few years. 

Even though the continued rise in new ransomware actors is a concern, some signs sustained law enforcement action and stronger cybersecurity frameworks are beginning to help counteract this trend, as well as strong cybersecurity frameworks. To dismantle ransomware infrastructures, sixteen illicit assets, and disrupt cybercrime networks, international efforts are increasing pressure on cybercriminals. Not only can these actions impede operational capabilities, but they may also serve as a psychological deterrent, preventing emerging gangs from maintaining momentum or evading detection. 

Experts suggest, even in spite of the complexity and evolution of ransomware threats, that efforts by law enforcement agencies, cybersecurity professionals, and private sector stakeholders are beginning to make a meaningful contribution to combating ransomware threats. In spite of the growth of the number of threat groups, it is becoming increasingly difficult for these groups to sustain operations over the long run. 

In the face of the global ransomware threat, there is a cautious but growing sense of optimism, as long as we continue to collaborate and be vigilant. In terms of ransomware activity, there is still a stark imbalance in the distribution of attacks across the globe. The United States remains, by a wide margin, the nation that has been hit the most frequently. 

The 2025 ThreatLabz report from Zscaler indicates that 50 per cent of all ransomware attacks originated from U.S.-based organisations, totalling 3,671 incidents - more than double the total number of attacks reported across the next 14 most targeted countries combined. The United Kingdom and Canada ranked distantly behind the US and Canada, respectively, with only 5 and 4 per cent of global incidents.
This concentration of attacks is a result of the strategic targeting of highly dense, high-value economies by threat actors looking for maximum disruption and financial gain as a result of their actions. In this surge, several prominent ransomware groups were at the forefront, including RansomHub, which had 833 victims publicly identified by the media. 

As an affiliate program and partnership with initial access brokers helped Akira rise to prominence, involving 520 victims, it became a leading ransomware group. A close second was Clop, which had 488 victims, using its proven tactics to leverage vulnerable third-party software, in order to carry out large-scale supply chain attacks using vulnerable third-party software. 

Zscaler identified 34 new ransomware families in the past year, increasing the total number of tracked groups from 425 to 425. There are more than 1,000 ransomware notes available on GitHub, with 73 new samples being added every day within the past year, highlighting the scale of the threat and its persistence. With the increasing threat landscape, Zscaler continues to advance its Zero Trust Exchange framework, powered by artificial intelligence, to combat ransomware at every stage of its lifecycle. 

By replacing legacy perimeter-based security models with this platform, you will be able to minimise attack surfaces, block initial compromises, eliminate lateral movement, and stop data exfiltration that was previously possible. 

As part of Zscaler’s architecture, which is enhanced with artificial intelligence-driven capabilities like breach prediction, phishing and command and control detection, inline sandboxing, segmentation, dynamic policy enforcement, and robust data loss prevention, we can take an active and scalable approach to ransomware mitigation, aligning with the evolving needs of modern cybersecurity. 

Increasingly, ransomware is becoming a systemic risk across digital economies, which makes it essential for enterprises and governments to develop comprehensive, forward-looking cyber defence strategies. As a result of the convergence of industrial digitisation, widespread software vulnerabilities, and the emergence of ransomware-as-a-service (RaaS) models, the global threat landscape is changing in ways that require both public and private sectors to take immediate action. 

The attacks have not only caused immediate financial and operational losses, but they have also now threatened national security, supply chain resilience, and public infrastructure, particularly within high-value, interconnected industries like the energy industry, manufacturing industry, healthcare industry, and technology industry. Leaders in cybersecurity have increasingly advocated for a paradigm shift from reactive control measures to proactive cyber resilience strategies. 

Embedding zero trust principles into organization infrastructure, modernising legacy systems, and investing in artificial intelligence-driven threat detection are some of the steps that are required to achieve this objective, as well as building intelligence-sharing ecosystems between private companies, governments, and law enforcement agencies. 

There is also a constant need to evaluate the role of artificial intelligence in both attack and defence cycles, where defenders have the need to outperform their adversaries by automating, analysing, and enforcing policy in real time. As for the policy level, the increased use of ransomware underscores the need for globally aligned cybersecurity standards and enforcement frameworks. 

Isolated responses cannot be relied upon anymore when transnational threat actors leverage decentralized infrastructure and exploit jurisdictional loopholes in order to exploit them. In order to disrupt the ransomware economy and regain trust in the digital world, a holistic collaboration is essential that involves advanced technologies, legal deterrents, and public awareness.

While there is no indication that ransomware is going away anytime soon, the progress being made in detecting threats, managing vulnerabilities, and coordinating cross-border responses offers a path forward as long as we work together on these improvements. The need to protect digital assets and ensure long-term operational continuity is not just a matter of IT hygiene anymore – it has become a foundational pillar of enterprise risk management, and therefore a crucial component for the management of business continuity in today's environment.
Read more »
trending news
cyber attack Cyber Attacks Cybercrime. Cybercriminal. Cyberthreats National emergency trending news

St. Paul Extends State of Emergency After Devastating Cyberattack


August 5, 2025 | St. Paul, Minnesota The City of St. Paul is in the midst of one of the most disruptive cyber incidents in its history, prompting officials to extend a local state of emergency by 90 days as authorities continue efforts to recover from the attack. The breach, which began on July 25, has crippled digital infrastructure across city departments and forced officials to take the unprecedented step of disconnecting all systems from the internet. Mayor Melvin Carter, who first declared the emergency last week, now has expanded authority to fast-track recovery contracts and coordinate response efforts without standard bureaucratic delays. 

The decision to prolong the emergency was backed unanimously by the City Council on Friday, citing the need for continued access to external cybersecurity support. 

“This attack is unlike anything we’ve dealt with before—targeted, deliberate, and highly complex,” Carter said. “Our priority is restoring essential services while ensuring the safety and integrity of our systems.” 

Cyber Forensics, Shutdowns, and Gradual Recovery 

As a defensive measure, the city effectively “unplugged” itself from the internet early last week, halting online water bill payments, internal email communications, and police database lookups. Even municipal phone lines, which rely on VoIP technology, went dark temporarily. 

City officials have been slowly bringing services back online only after thorough inspection and clearance from forensic investigators, who are working alongside national cybersecurity firms, the FBI, and the Minnesota National Guard. 

Cloud-based systems and customer service lines for departments such as Parks and Recreation and the Public Library have already been restored, but many internal digital operations remain offline. 

While 911 and other emergency services were not impacted, day-to-day governance has been significantly hindered. Staff across departments have reverted to manual processes, echoing the response seen earlier this year in Abilene, Texas, when a separate cyberattack led to a complete IT overhaul. 

No Ransom Demand Yet 

Unlike many recent municipal cyberattacks, St. Paul has not received a ransom demand, leaving questions about the motive and intent behind the intrusion. Mayor Carter noted that no evidence has yet surfaced indicating that sensitive data was accessed or exfiltrated, but investigations are still underway. 

The FBI and the Minnesota National Guard’s cybersecurity unit are leading the probe into the origins and scale of the breach. Meanwhile, the city’s own Office of Technology and Communications has acknowledged that the incident quickly overwhelmed its response capacity. 

“This was not something we could handle internally,” said a city spokesperson. “It required a level of expertise and scale we simply didn’t have in-house.” 

Ramsey County, which operates several shared services with St. Paul, is also preparing to vote on its own emergency declaration this week. 

While the county’s systems have not been compromised, officials believe the measure would help streamline future coordination and potentially open avenues for financial reimbursement from state and federal agencies. “This isn’t just about technology—it’s about ensuring continuity of essential services and protecting public trust,” said City Council President Rebecca Noecker. 

A Widening Threat Landscape 

St. Paul’s experience reflects a broader and increasingly urgent trend. According to cybersecurity analysts at Comparitech, U.S. public institutions have suffered over 500 ransomware attacks since 2018, costing more than $1 billion in downtime and recovery. The number of such attacks doubled in 2024 alone, with 88 recorded incidents—up from 41 in 2022. Cybersecurity experts warn that as municipalities continue to digitize operations, they are becoming prime targets for sophisticated cybercriminals, especially those seeking to exploit gaps in funding, training, and infrastructure. 

Looking Ahead 

City officials have urged residents to remain patient as systems are carefully restored over the coming weeks. A dedicated resource hub for updates and service availability has been made available on the city’s official website, stpaul.gov. “This is a marathon, not a sprint,” Mayor Carter said. “We’re working around the clock to restore our systems safely and build stronger defenses for the future.”
Read more »
Malware Threat
Browser Credential Theft Cyber Attacks CyberThreat Data Theft Information Security Infostealer Infostealer Malware Malicious Browsers Malware Attack Malware Threat

Shuyal Malware Targets 19 Browsers with Advanced Data Theft and Evasion Capabilities

 

A newly discovered infostealing malware named “Shuyal” has entered the cyber threat landscape, posing a serious risk to users by targeting a wide range of web browsers and deploying sophisticated evasion methods. Identified by researchers at Hybrid Analysis, Shuyal is capable of stealing credentials and sensitive information from 19 different browsers, including lesser-known privacy-focused options like Tor and Brave. 

The malware is named after identifiers found in its code path and represents a new generation of data stealers with expanded surveillance capabilities. Unlike traditional malware that only focuses on login credentials, Shuyal goes deeper—harvesting system-level information, capturing screenshots, monitoring clipboard activity, and sending all of it to cybercriminals using a Telegram bot-controlled infrastructure. 

In his analysis, Vlad Pasca from Hybrid Analysis highlighted that Shuyal performs extensive system reconnaissance. Once it infects a device, it disables the Windows Task Manager to prevent users from detecting or ending the malware’s process. It also hides its tracks by removing evidence of its activities through self-deleting mechanisms, including batch scripts that erase runtime files once the data has been exfiltrated. 

Among the browsers targeted by Shuyal are mainstream options such as Chrome and Edge, but it also compromises more obscure browsers like Waterfox, OperaGx, Comodo, Falko, and others often marketed as safer alternatives. This wide reach makes it particularly concerning for users who believe they are using secure platforms. 

Shuyal collects technical details about the system, including hard drive specifications, connected input devices like keyboards and mice, and display configurations. It compresses all collected data using PowerShell into a temporary folder before transmitting it to the attackers. This organized method of data collection and transfer demonstrates the malware’s highly stealthy design. 

The malware also ensures it remains active on compromised machines by copying itself into the Startup folder, allowing it to launch each time the system is rebooted. 

Although researchers have not yet pinpointed the exact methods attackers use to distribute Shuyal, common delivery vectors for similar malware include phishing emails, malicious social media posts, and deceptive captcha pages. Experts caution that infostealers like Shuyal often serve as precursors to more serious threats, including ransomware attacks and business email compromises. 

Hybrid Analysis encourages cybersecurity professionals to study the published indicators of compromise (IOCs) associated with Shuyal to strengthen their defense strategies. As cyber threats evolve, early detection and proactive protection remain essential.
Read more »
Phishing Scams
account protection Account security Amazon Customer Data Cyber Attacks Cyberscams Cybertheft data security Data Theft Login Login Security Passkey Passkey Security Phishing Scams

Amazon Customers Face Surge in Phishing Attacks Through Fake Emails and Texts

 

Cybercriminals are actively targeting Amazon users with a sharp increase in phishing scams, and the company is sounding the alarm. Fraudsters are sending deceptive emails that appear to originate from Amazon, prompting users to log in via a counterfeit Amazon webpage. Once a person enters their credentials, attackers steal the information to take over the account. The urgency to secure your Amazon account has never been greater.  

These scam emails often warn customers about unexpected Amazon Prime renewal charges. What makes them particularly dangerous is the use of stolen personal data to make the emails appear genuine. Amazon’s warning reached over 200 million users, emphasizing the widespread nature of this threat. 

Adding to the concern, cybersecurity firm Guardio reported a dramatic spike in a related scam—this time delivered through SMS. This variant claims to offer fake refunds, again luring users to a fraudulent Amazon login page. According to Guardio, these text-based scams have jumped by 5000% in just two weeks, showing how aggressively attackers are adapting their tactics. 

Amazon says it is actively fighting back, having removed 55,000 phishing websites and 12,000 scam phone numbers involved in impersonation schemes over the past year. Despite these efforts, scammers persist. To combat this, Amazon issued six practical tips for customers to recognize and avoid impersonation fraud.  

The U.S. Federal Trade Commission (FTC) has also issued alerts, noting that scammers are pretending to be Amazon representatives. These fake messages typically claim there’s a problem with a recent purchase. But there’s no refund or issue—just a trap designed to steal money or private data. 

To stay protected, Amazon strongly recommends two major security measures. First, enable two-step verification (2SV) via the “Login & Security” settings in your account. Avoid using SMS-based verification, which is more vulnerable. Instead, use a trusted authenticator app such as Google Authenticator or Apple’s Passwords. If you’ve already set up SMS verification, disable it and reset your 2SV preferences to switch to an app-based method. 

Second, add a passkey to your account. This provides a stronger layer of defense by linking your login to your device’s biometric or PIN-based security, making phishing attacks far less effective. Unlike traditional methods, passkeys cannot be intercepted through fake login pages. 

Cyberattacks are growing more sophisticated and aggressive. By updating your account with these safety tools today, you significantly reduce the risk of being compromised.
Read more »
Submarine
Black Web Cyber Attacks Cyberbreach Cyberhackers CyberThreat Dark Web Gigabyte Naval Group Submarine

Hackers Compromise French Submarine Engineering Company



One of the most chilling reminders of how threat landscapes are evolving even to the most fortified sectors is a major cyber breach that has hit the core of France’s naval defence ecosystem, the Naval Group. Naval Group—widely regarded as one of the nation’s key innovators in the maritime industry—has been compromised by a calculated cyberattack that compromised its reputation for operational secrecy. 

Almost 13 gigabytes of highly sensitive data, including technical documentation, submarine combat software components, internal communications, as well as decades-old audio recordings from submarine monitoring systems, were discovered on the internet. It was discovered that virtual machine containers, detailed architecture schematics, and proprietary system blueprints belonging to Naval Group engineers were found in the leak, as well as virtual machine containers. 

A silent and strategic adversary was responsible for the intrusion, as it lacked digital vandalism or extortion demands. In spite of the fact that attribution is still unclear, there is speculation that nation-state actors could have been involved in espionage as well as independent threat groups that were seeking disruption or strategic leverage. 

However, what remains undeniable is the scale and intent of the breach. This was a precise attack against an impenetrable defence network that was once considered impenetrable and unbreakable. Adding to the fragility of national defence and digital security, French naval defence contractor Naval Group has been the target of scrutiny after claims of a significant cyberattack that have raised concerns about the company's operations.

An anonymous group operating on the dark web, known as the Black Web forum, has claimed it has accessed and exfiltrated classified information related to key French naval platforms, including the nuclear-powered submarines of the Barracuda class. A month ago, the group released approximately 30 gigabytes of data, including software code from combat management systems, and issued a demand that they be contacted within 72 hours or risk leaking more information. 

Despite the fact that the authenticity of these files is still uncertain, cybersecurity experts warn that even partial exposure to such sensitive source code could allow adversaries to gain valuable insight into the performance of weapons, their system architecture, and any vulnerabilities they may be able to exploit. It has been confirmed that Naval Group, owned by the French government in the majority, has begun an urgent technical investigation into the alleged breach. 

In response to the incident, the company spokesperson described it as a PR attack rather than a confirmed intrusion into its internal infrastructure, stating that operations across shipyards and naval projects remain undisturbed. However, the strategic implications of this incident remain significant. With the creation of some of France's most advanced maritime defence assets, including the Charles de Gaulle aircraft carrier and the Triomphant submarines, Navy Group has played a crucial role in the nation's defence and that of allies. 

The potential impact of a confirmed compromise could include both the threat to homeland security as well as the threat to international trade agreements between Australia, India, and Brazil. The Ministry of Armed Forces has yet to release a statement on the matter, but it has been reported that French cybersecurity agencies are helping to conduct the forensic analysis. In light of increasing concerns about global security in the defense supply chain, Naval Group has issued a formal statement stating that no intrusion has yet been detected on its internal information technology infrastructure, as of yet. 

In a statement, the company announced that all of its resources had been mobilised to investigate whether the recently leaked data are authentic, provenance, or owned by the Indian Navy, as they had partnered with Mazagon Dock Shipbuilders to deliver six Scorpene-class submarines to the Indian Navy. In order to conduct the forensic investigation, we are collaborating with French authorities. 

A similar incident occurred in 2016, when more than 22,000 classified pages of India's Scorpene submarines were leaked, raising serious concerns over the integrity of India's underwater warfare capabilities, a breach that has echoed this recent incident. 

A recent breach could have far-reaching implications, as well as threaten the operational security of other nations that operate Scorpene-class submarines, such as Malaysia, Indonesia, and Chile, if it is verified. According to analysts, such a compromise would have a devastating effect on the international defence manufacturing ecosystem, undermining trust in the protection of military technologies and exposing transnational arms collaborations to systemic vulnerabilities. 

Geopolitical tensions are increasingly raging in grey zone conflict - a territory where cyberattacks and information warfare blur the line between peace and hostility, as global defence contractors are becoming very valuable targets. The Naval Group is a cornerstone of France's naval industrial base and is now found at the nexus of this strategic vulnerability. 

In addition to providing advanced maritime platforms worldwide to nations like France, France's Nuclear Attack submarines (SSNs) and the Scorpene-class diesel-electric submarines (SSKs) in service with the Indonesian Navy, the company is also a major supplier of advanced military systems. There are also multipurpose French-Italian frigates, the FREMM, which are based in France. 

In addition to serving as a technological leader and economic engine, Naval Group also supports tens of thousands of indirect jobs in France since 90% of its added value is generated within the country. The ownership structure of the company further reflects its national significance as well. 62.25 per cent of the company's shareholdings are held by the French state, 35 per cent by Thales, and the rest by its former employees through structured corporate shareholdings. 

As strategic autonomy becomes increasingly important in a world where defence is regarded as an important component of economic growth, entities such as Naval Group symbolise more than just the capability to defend oneself; they represent a nation's industrial and strategic sovereignty in an era when strategic autonomy is increasingly emphasised. 

In spite of a growing number of high-profile cyber intrusions that target both corporations and governments, the allegations of a breach involving Naval Group are yet another disturbing global trend. Days before, Microsoft disclosed a critical vulnerability in its widely used SharePoint platform, which is believed to have been exploited by Chinese threat actors to gain access to this platform. 

Among the affected entities was the U.S. It is the responsibility of the National Nuclear Security Administration to maintain the American nuclear arsenal. This incident did not compromise any classified information, however the growing frequency and ambition of such attacks have raised alarm within international security communities because of the increased frequency and ambition. 

With a workforce of more than 15,000 and generating revenue over €4.4 billion annually, Naval Group stands out as one of the world’s leading naval shipbuilders in an increasingly volatile threat landscape. It is an essential industrial asset for the government as a whole. Almost two-thirds of the company is controlled by the French government (holding nearly two-thirds of the equity), and the remainder is controlled by Thales, one of the leading defence conglomerates in the country. 

It is not only the incident that has raised concerns about cyber-vulnerabilities within critical infrastructure, but it also emphasises the importance of coordinating resilient strategies across global defence supply chains to reduce the risk of a cyber attack. This incident involving Naval Group happens to fall at a critical moment in the global cybersecurity landscape, as the digital battlefield has become as important as traditional combat zones in terms of importance. 

Despite the fact that governments and private companies invest billions in safeguarding technological superiority, the threat of real or perceived exposure of sensitive defence assets is amplifying strategic fears. The reputational and diplomatic fallout for France might be substantial, especially if defence partners start questioning the ability of collaborative programs to survive. 

A key concern about the breach is that it has the potential to have a ripple effect: it strikes at the intersection of national security, industrial sovereignty, and global defence cooperation. As a consequence of Naval Group's integral role in multinational defence programs, any compromise could negatively impact not only France but also all of the nations which rely on its software frameworks and platforms. 

It is becoming increasingly clear that in an era dominated by digitally enabled espionage, where classified data can be weaponised both for disruption and to provide intelligence, the protection of defence research and development is no longer a siloed responsibility, but rather a shared imperative across allies and defence ecosystems. 

Aside from that, this breach serves as a stark reminder that cyber intrusions don't necessarily show up in the form of ransomware or defacing websites. There were motives underlying the leak in this case that were geopolitical manoeuvres, competitive sabotage, or intelligence collection, based on the absence of financial extortion and the precision of the leak. Therefore, the Naval Group episode should serve as a call to action for the broader defence community, emphasising the urgent need for robust, coordinated cybersecurity defences, cross-border intelligence sharing, and a renewed commitment to both legacy systems and new defence technologies that are being developed. 

The Naval Group breach, which occurred in a high-stakes theatre of modern security where digital compromises could undermine years of strategic advantage, goes way beyond just an isolated incident in a theatre with high stakes. It represents not only the vulnerability of defence digitisation and the fragility of strategic partnerships, but also the persistent threats posed by adversaries operating in the shadows that exist today.

Read more »
Scattered Spider
AI news Cyber Attacks cyberattacks trending news malware Scattered Spider

Scattered Spider Targets VMware ESXi Hosts in Rapid, High-Impact Cyber Attacks Across North America

 

A notorious cybercrime group known as Scattered Spider is ramping up sophisticated attacks on VMware ESXi hypervisors, zeroing in on critical infrastructure across North America’s retail, airline, and transportation sectors. Also referred to as 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, the group is renowned for bypassing traditional security measures through elaborate social engineering campaigns rather than exploiting software vulnerabilities. 

In a recent in-depth analysis, Google’s Mandiant unit revealed that the group’s hallmark tactic involves impersonating employees during phone calls to IT help desks. Once initial access is secured, attackers proceed with highly targeted and well-organized operations, focusing on core enterprise systems and sensitive data. "Their campaigns are aggressive, precise, and driven by human engineering more than by code,” noted Mandiant researchers. 

Rather than launching broad opportunistic attacks, Scattered Spider operates with an almost surgical approach. The group frequently mimics legitimate IT infrastructure by registering domain names resembling official portals — including variations like victimname-sso[.]com, victimname-servicedesk[.]com, and sso-victimname[.]com. 

To counter the evolving tactics of groups like Scattered Spider, cybersecurity experts advise a layered and proactive defense strategy. At the infrastructure level, organizations should enable lockdown mode in VMware vSphere, enforce the use of only signed binaries through execInstalledOnly, apply VM encryption, retire outdated virtual machines, and strengthen help desk protocols to prevent social engineering exploits. 

Identity security is equally crucial, companies must implement phishing-resistant multi-factor authentication, segregate critical identity systems, and avoid authentication loops that could be exploited by attackers. 

Additionally, effective monitoring and backup practices are essential. This includes centralizing log collection for better threat visibility, ensuring backups are stored separately from production Active Directory environments, and making them inaccessible to compromised administrators. These measures collectively form a more resilient defense posture, helping organizations detect, contain, and recover from sophisticated intrusion attempts targeting their virtual infrastructure.
Read more »
Ransomware
AI Bugs ChatGPT Cyber Attacks Generative AI Internet Ransomware

AI-supported Cursor IDE Falls Victim to Prompt Injection Attacks


Experts have found a bug called CurXecute that is present in all variants of the AI-supported code editor Cursor and can be compromised to run remote code execution (RCE), along with developer privileges. 

About the bug

The security bug is now listed as CVE-2025-54135 and can be exploited by giving the AI agent a malicious prompt to activate threat actor control commands. 

The Cursor combined development environment (IDE) relies on AI agents to allow developers to code quicker and more effectively, helping them to connect with external systems and resources using Model Context Protocol (MCP).

According to the experts, a threat actor effectively abusing the CurXecute bug could trigger ransomware and ransomware data theft attacks. 

Prompt-injection 

CurXecute shares similarities to the EchoLeak bug in Microsoft 365 CoPilot that hackers can use to extort sensitive data without interacting with the users. 

After finding and studying EchoLeak, the experts from the cybersecurity company Aim Security found that hackers can even exploit the local AI agent.

Cursor IDE supports the MCP open-standard framework, which increases an agent’s features by connecting it to external data tools and sources.

Agent exploitation

But the experts have warned that doing so can exploit the agent, as it is open to external, suspicious data that can impact its control flow. The threat actor can take advantage by hacking the agent’s session and features to work as a user.

According to the experts, Cursor doesn’t need permission to run new entries to the ~/.cursor/mcp.json file. When the target opens the new conversation and tells the agent to summarize the messages, the shell payload deploys on the device without user authorization.

“Cursor allows writing in-workspace files with no user approval. If the file is a dotfile, editing it requires approval, but creating one if it doesn't exist doesn't. Hence, if sensitive MCP files, such as the .cursor/mcp.json file, don't already exist in the workspace, an attacker can chain an indirect prompt injection vulnerability to hijack the context to write to the settings file and trigger RCE on the victim without user approval,” Cursor said in a report.

Read more »
telecom outage
4G 5G network failure Cyber Attacks emergency Huawei router vulnerability POST Luxembourg investigation telecom cybersecurity telecom outage

Luxembourg Probes Cyberattack Behind Telecom Outage, Cites “Exceptionally Sophisticated” Assault

 

The Luxembourg government has launched a formal investigation into a major nationwide telecom outage that occurred on July 23, following what officials say was a deliberate cyberattack. The disruption, which lasted over three hours, knocked out the country’s 4G and 5G mobile networks, severely hampering internet access, emergency service communications, and electronic banking.

Authorities revealed that the fallback 2G network was overwhelmed, leaving significant portions of the population unable to make emergency calls. “The attack was designed to be disruptive, not to compromise or infiltrate systems,” officials clarified in statements made to the national parliament.

The vulnerability was traced to a “standardised software component” utilized by POST Luxembourg—the state-owned telecom operator responsible for most of the country’s network infrastructure. Luxembourg’s national alert system also failed during the incident, as it relied on the same mobile infrastructure for communication.

POST’s Director-General characterized the cyberattack as “exceptionally advanced and sophisticated,” emphasizing that internal systems and user data were not breached. Both POST and the national Computer Security Incident Response Team (CSIRT) are currently conducting a thorough forensic analysis to determine the exact vector of attack.

Although the government has refrained from naming any specific vendors, local media outlet Paperjam reported that the breach may have involved software used in Huawei routers. The magazine also noted that Luxembourg’s critical infrastructure regulator is urging organizations using Huawei enterprise routers to contact CSIRT for assessment.

Historically, remote denial-of-service (DoS) vulnerabilities have been found in the VRP operating system powering Huawei’s enterprise networking gear, although no new public disclosures have been made recently. Huawei has not responded to media inquiries regarding the incident.

In response, the government assembled a crisis team within the High Commission for National Protection (HCPN), in coordination with CSIRT and the public prosecutor, to manage the fallout and assess the legal implications of the attack.

This incident has fast-tracked Luxembourg’s ongoing national resilience review. Authorities are now scrutinizing whether telecom fallback protocols are sufficiently robust and are considering regulatory reforms. Among the proposals: allowing mobile devices to switch automatically to other network providers during outages—a capability already active in the UK, Germany, and the US to ensure emergency call availability.

The outcome of the forensic investigation and the prosecutor’s review will determine whether criminal charges can be filed and if those responsible can be identified.
Read more »
Ransomwares
breach recovery Cyber Attacks Cyber-recovery cybercriminals Ransomware Attack paid ransoms Ransom Demands Ransomware attack Ransomwares

Singapore Companies Struggle to Recover from Ransomware Despite Paying Hackers

 

Many businesses in Singapore continue to face prolonged and expensive recovery periods after ransomware attacks, even when they choose to pay the ransom. A new report from cybersecurity firm Sophos reveals that 50% of local organizations affected by ransomware opted to pay to regain access to their encrypted data. 

Despite this, more than half of these companies needed at least a week to resume operations, and nearly a quarter faced recovery times stretching up to six months. While paying the ransom is often viewed as a quick fix, the real costs and complications extend far beyond the initial transaction. The average total expense incurred by Singaporean firms to fully recover from a ransomware incident this year has reached an estimated US$1.54 million. 

Although the median ransom payment has decreased to approximately US$365,565—down from US$760,000 last year—this reduction in ransom size hasn’t translated into faster recoveries. Interestingly, around 39% of companies were able to negotiate lower ransom amounts, often by working with external experts or negotiators. According to Chester Wisniewski, Field CISO at Sophos, an increasing number of businesses are turning to incident response professionals to manage damage, contain threats, and potentially stop attacks mid-process. 

These experts not only help reduce the ransom amounts but also accelerate recovery timelines and fortify defences against future incidents. The study also sheds light on the primary causes of ransomware infections in Singapore. Phishing scams were identified as the top cause, accounting for 36% of cases, followed closely by malicious email attachments at 29% and compromised user credentials at 17%. 

On an organizational level, common challenges include insufficient cybersecurity tools and a shortage of trained personnel—issues that 47% and 43% of respondents, respectively, cited as major weaknesses. Experts emphasize that mitigating ransomware threats begins with addressing these underlying vulnerabilities. Proactive strategies such as implementing multi-factor authentication, keeping software up to date, and investing in Managed Detection and Response (MDR) services can significantly reduce the likelihood of a breach. 

MDR services, in particular, offer constant threat monitoring and rapid response, making them an increasingly popular choice for companies with limited in-house cybersecurity capacity. Additional findings highlight how Singapore firms differ from global counterparts. They are more likely to pay ransoms without attempting negotiation and are less transparent about breaches. 

Verizon Business reports further confirm that attackers are increasingly targeting software supply chains and exploiting known vulnerabilities. According to Robert Le Busque, the integration of Singapore’s economy into global trade networks and supply chains makes its companies especially vulnerable, with 72% having encountered email-based threats. 

Despite falling ransom demands, the broader financial and operational toll of ransomware in Singapore continues to rise, stressing the importance of preventive action and stronger cyber resilience.
Read more »
Software
Businesses Cyber Attacks Finance Healthcare Online Safety organisations Software

Don’t Wait for a Cyberattack to Find Out You’re Not Ready

 



In today’s digital age, any company that uses the internet is at risk of being targeted by cybercriminals. While outdated software and unpatched systems are often blamed for these risks, a less obvious but equally serious problem is the false belief that buying security tools automatically means a company is well-protected.

Many businesses think they’re cyber resilient simply because they’ve invested in security tools or passed an audit. But overconfidence without real testing can create blind spots leaving companies exposed to attacks that could lead to data loss, financial damage, or reputational harm.


Confidence vs. Reality

Recent years have seen a rise in cyberattacks, especially in sectors like finance, healthcare, and manufacturing. These industries are prime targets because they handle valuable and sensitive information. A report by Bain & Company found that while 43% of business leaders felt confident in their cybersecurity efforts, only 24% were actually following industry best practices.

Why this mismatch? It often comes down to outdated evaluation methods, overreliance on tools, poor communication between technical teams and leadership, and a natural human tendency to feel “safe” once something has been checked off a list.


Warning Signs of Overconfidence

Here are five red flags that a company may be overestimating its cybersecurity readiness:

1. No Real-World Testing - If an organization has never run a simulated attack, like a red team exercise or breach test, it may not know where its weaknesses are.

2. Rare or Outdated Risk Reviews - Cyber risks change constantly. Companies that rely on yearly or outdated assessments may be missing new threats.

3. Mistaking Compliance for Security - Following regulations is important, but it doesn’t mean a system is secure. Compliance is only a baseline.

4. No Stress Test for Recovery Plans - Businesses need to test their recovery strategies under pressure. If these plans haven’t been tested, they may fail when it matters most.

5. Thinking Cybersecurity Is Only an IT Job - True resilience requires coordination across departments. If only IT is involved, the response to an incident will likely be incomplete.


Building Stronger Defenses

To improve cyber resilience, companies should:

• Test and monitor security systems regularly, not just once.

• Train employees to recognize threats like phishing, which remains a common cause of breaches.

• Link cybersecurity to overall business planning, so that recovery strategies are realistic and fast.

• Work with outside experts when needed to identify hidden vulnerabilities and improve defenses.


If a company hasn’t tested its cybersecurity defenses in the past six months, it likely isn’t as prepared as it thinks. Confidence alone won’t stop a cyberattack but real testing and ongoing improvement can.

Read more »
Subscribe to: Posts (Atom)