Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Security. Show all posts
Phishing Attacks
Account Takeover AI Powered Scams Amazon Scam Alert Consumer Data Protection Cyber Security Cyberthreats Fake Retail Websites Holiday Fraud Risks Online Shopping Safety Phishing Attacks

Amazon Sounds Alarm Over Attack Threatening 300 Million Accounts

 


In the face of looming Black Friday 2025 frenzy, Amazon has unveiled a warning to its large customer base that is expected to overlap the holiday season's busiest shopping week. The warning warns of a surge in sophisticated scams expected to shadow the holiday season's busiest shopping week. On November 24, the company emailed a security advisory to millions of users, one that Forbes first reported on, warning that cybercriminals are increasingly exploiting the seasonal spike in online purchases by impersonating individuals, using fraudulent advertising, and sending unsolicited messages to elicit personal and financial information from them. 

There are approximately 310 million active customers on Amazon, making the retailer a high-value target for attackers looking for easy money during the holiday season, so they outlined five prominent tactics currently used to deceive shoppers, including the use of fake account verification emails and unsolicited phone calls to deceive shoppers. 

As Consumer Protection experts, we agree with these concerns; Mr. Mike Andrews, a representative from National Trading Standards, told Metro that scammers have an advantage over consumers when it comes to the weeks leading up to Christmas, knowing that even a small fraction of successful attempts during peak retail activities can yield significant returns. 

In a new study published in the journal Cybercrime: Science and Technology, a cybercriminal network has stepped up their impersonation campaigns against global companies such as Netflix, PayPal, and many more, with the use of browser-based notification traps and criminal infrastructures, as well as a variety of other methods for deceiving large numbers of users. 

Amidst this background, Amazon’s advisory dated November 24 details how similar tactics have now been employed against Amazon’s own customers, as scammers are attempting to coerce victims into providing them with personal data, financial credentials, and Amazon login information in exchange for money. The fact that such scams aren't new, but they have become more refined and adaptive as they cycle through techniques such as credential-stuffing attacks and malware-assisted account takeovers. 

Fraudsters often carry out such operations by posing as customer service personnel or technical support personnel - a similar tactic that the FBI has also warned about in parallel alerts concerning bank-related scams. The underlying mechanics of the deception are essentially the same: attackers send persuasive text messages, emails, or phone calls that push customers to verify activity, or to resolve a supposed issue, resulting in password disclosures or multifactor authentication codes. 

A fraudster will immediately reset all of the security settings within an account once he has gained access. He will lock out legitimate users' accounts as soon as he gets access. A recent study by the FBI reveals that there have been an increase in lookalike websites and bogus alerts mimicking delivery updates and promotional offers, as well as misleading third-party advertisements and unsolicited calls masquerading as Amazon support. 

These methods are closely related to the patterns outlined in recent FBI investigations. According to FortiGuard Labs, new findings published on November 25 further emphasize the urgency of Amazon's warning. These findings indicate a sharp increase in threats specifically designed for the holiday season, which has already been identified by the researchers. 

Over 18,000 domains were recently registered that included the terms "Black Friday," "Christmas," and "Flash Sale," with over 750 of those domains already confirmed to be malicious. In addition, nearly 3,000 of the 19,000 domains that were designed to mimic major retailers, including Amazon, were verified by the report as fraudulent, of which nearly half were identified as frauds. Decoy sites are often created with subtle spelling variations and visual similarities, which can be easily overlooked by shoppers who are rushing through deals while focusing on them. 

Among the cyber security experts who warn that the threat landscape is changing at a rapid rate, experts like Anne Cutler of Keeper Security point out that many of the latest scams are driven by artificial intelligence. By doing so, attackers are able to generate convincing order confirmations, spoofed customer service conversations, and highly realistic retailer websites with the aid of artificial intelligence. 

A response to these escalating risks has been the adoption by Amazon of stricter digital hygiene guidelines. Amazon has requested that customers rely solely on the Amazon app or website to manage their accounts, enable two-factor authentication or use passkeys to protect their login credentials, and remember that Amazon never solicits your payment or credential information via unsolicited phone calls or email. 

There is no doubt that the retailer stressed the importance of these safeguards as cybercriminals intensify their efforts before the busiest shopping season of the year. In the end, Amazon shoppers should also keep in mind that security experts warn that the threat goes well beyond phishing attacks and fraudulent domains; it is also possible to face threats within the broader online marketplace. 

A researcher, Mike Andrews, explains that artificial intelligence has made it significantly easier for scammers to manipulate product credibility by creating a large volume of convincing fake reviews on popular platforms like Google, Trustpilot, and Amazon in order to create fake reviews for their products. A growing number of bots are capable of flooding product pages with glowing testimonials, making it more difficult for customers to distinguish genuinely well-rated products from items that have been artificially boosted to mask inferior and even dangerous products. 

In addition, Andrews explains that despite the difficulty of quantifying the amount of online reviews that may be misleading, consumers should not rely on them blindly when making purchase decisions. If a high number of reviews appears within a very short period of time, overly vague praise without mentioning product features, or suspiciously generic comments are noticed, it may be a sign that the product is not as good as it sounds. 

It is possible to gain additional perspective using services like TheReviewIndex and RateBud that analyze review authenticity. Such manipulations of customer reviews vary in their goals. However, they are often aimed at convincing shoppers to make a purchase for substandard items or to purchase products that may never arrive in their hands. 

There is also an aggressive scam that seeks personal information, financial information, or Amazon login credentials through fake messages, advertisements, or phone calls. Moreover, Andrews warns that social media advertisers are becoming increasingly sophisticated when it comes to deceptive advertising, with artificial intelligence (AI) often generating storefronts that mimic small businesses or festive markets using fake images and videos. 

Even though these sites sound quite convincing, they often deliver nothing more than cheaply produced goods shipped from overseas, leaving customers disappointed and out of pocket. A surge in seasonal scams, on the other hand, illustrates the importance of taking an active role in one's online security as a shopper. Analysts believe that even simple habits, such as verifying sender addresses, checking URLs, updating passwords, and enabling multi-factor authentication, are enough to prevent the vast majority of attempts to penetrate an online network. 

The consumer is also encouraged to inform Amazon and the relevant authorities of suspicious pages or messages, so that they can be dismantled before they spread. Even though cybercriminals are developing their tactics with artificial intelligence (AI) and precision, the best way to stop them is to have an informed public that shop deliberately, questions what might be unexpected, and prioritizes safety over urgency.
Read more »
Phishing Attacks
Cyber Security Data Digital Scams Identity Thefts Internet Phishing Attacks

Scammers Used Fake WhatsApp Profiles of District Collectors in Kerala


Scammers target government officials 

In a likely phishing attempt, over four employees of Kasaragod and Wayanad Collectorates received WhatsApp texts from accounts imitating their district Collectors and asking for urgent money transfers. After that, the numbers have been sent to the cyber police, according to the Collectorate officials. 

Vietnam scammers behind the operation 

The texts came from Vietnam based numbers but showed the profile pictures of concerned collectors, Inbasekar K in Kasaragod and D R Meghasree. 

In one incident, the scammers also shared a Google Pay number, but the target didn't proceed. According to the official, "the employees who received the messages were saved simply because they recognised the Collector’s tone and style of communication." 

Two employees from Wayanad received texts, all from different numbers from Vietnam. In the Kasaragod incident, Collector Inbasekar said a lot of employees received the phishing texts on WhatsApp. Two employees reported the incident. No employee lost the money. 

Scammers used typical scripts

The scam used a similar script in the two districts. The first text read: Hello, how are you? Where are you currently? In the Wayanad incident, the first massage was sent around 4 pm, and in Kasaragod, around 5:30 pm. When the employee replied, a follow up text was sent: Very good. Please do something urgently. This shows that the scam followed the typical pitches used by scammers. 

The numbers have been reported to the cyber police. According to Wayanad officials, "Once the messages were identified as fake, screenshots were immediately circulated across all internal WhatsApp groups." Cyber Unit has blocked both Vietnam-linked and Google Pay numbers.

What needs to be done?

Kasaragod Collector cautioned the public and staff to be careful when getting texts asking for money transfers. Coincidentally, in both the incidents, the texts were sent to staff employed in the Special Intensive Revision of electoral rolls. In this pursuit, the scammers revealed the pressures under which booth-level employees are working.

According to cyber security experts, the fake identity scams are increasingly targeting top government officials. Scammers are exploiting hierarchical structures to trick officials into acting promptly. “Police have urged government employees and the public to avoid responding to unsolicited WhatsApp messages requesting money, verify communication through official phone numbers or email, and report suspicious messages immediately to cybercrime authorities,” the New Indian Express reported.

Read more »
Salesforce
API Cyber Security Gainsight Google OAuth token compromise Salesforce

Gainsight Breach Spread into Salesforce Environments; Scope Under Investigation

 



An ongoing security incident at Gainsight's customer-management platform has raised fresh alarms about how deeply third-party integrations can affect cloud environments. The breach centers on compromised OAuth tokens connected with Gainsight's Salesforce connectors, leaving unclear how many organizations touched and the type of information accessed.

Salesforce was the first to flag suspicious activity originating from Gainsight's connected applications. As a precautionary measure, Salesforce revoked all associated access tokens and, for some time, disabled the concerned integrations. The company also released detailed indicators of compromise, timelines of malicious activity, and guidance urging customers to review authentication logs and API usage within their own environments.

Gainsight later confirmed that unauthorized parties misused certain OAuth tokens linked to its Salesforce-connected app. According to its leadership, only a small number of customers have so far reported confirmed data impact. However, several independent security teams-including Google's Threat Intelligence Group-reported signs that the intrusion may have reached far more Salesforce instances than initially acknowledged. These differing numbers are not unusual: supply-chain incidents often reveal their full extent only after weeks of log analysis and correlation.

At this time, investigators understand the attack as a case of token abuse, not a failure of Salesforce's underlying platform. OAuth tokens are long-lived keys that let approved applications make API calls on behalf of customers. Once attackers have them, they can access the CRM records through legitimate channels, and the detection is far more challenging. This approach enables the intruders to bypass common login checks, and therefore Salesforce has focused on log review and token rotation as immediate priorities.

To enhance visibility, Gainsight has onboarded Mandiant to conduct a forensic investigation into the incident. The company is investigating historical logs, token behavior, connector activity, and cross-platform data flows to understand the attacker's movements and whether other services were impacted. As a precautionary measure, Gainsight has also worked with platforms including HubSpot, Zendesk, and Gong to temporarily revoke related tokens until investigators can confirm they are safe to restore.

The incident is similar to other attacks that happened this year, where other Salesforce integrations were used to siphon customer records without exploiting any direct vulnerability in Salesforce. Repeated patterns here illustrate a structural challenge: organizations may secure their main cloud platform rigorously, but one compromised integration can open a path to wider unauthorized access.

But for customers, the best steps are as straightforward as ever: monitor Salesforce authentication and API logs for anomalous access patterns; invalidate or rotate existing OAuth tokens; reduce third-party app permissions to the bare minimum; and, if possible, apply IP restrictions or allowlists to further restrict the range of sources from which API calls can be made.

Both companies say they will provide further updates and support customers who have been affected by the issue. The incident served as yet another wake-up call that in modern cloud ecosystems, the security of one vendor often relies on the security practices of all in its integration chain. 



Read more »
Tor Network
Algorithm Cyber Security Security Upgrade Tor Network

Tor Network to Roll Out New Encryption Algorithm in Major Security Upgrade

 

The developers of the Tor network are preparing to replace one of the project’s oldest encryption systems in an effort to defend users against increasingly sophisticated cyberattacks. Tor confirmed that the relay encryption algorithm known as “tor1” will be retired and replaced by a new design called Counter Galois Onion, or CGO. Tor1 has been in use since the early 2000s and encrypts the traffic that travels between the relays that form a user’s circuit inside the Tor network. 

Although the system has been widely relied on for more than two decades, researchers say its design now presents several weaknesses, including exposure to so-called “tagging attacks.” These attacks allow an adversary to alter traffic at one relay and then look for predictable patterns further along the circuit that could help trace a user. The algorithm also reuses the same AES keys throughout a circuit and provides only a small authentication field, which Tor developers say has led to a non-negligible probability of forged data passing undetected. 

CGO has been designed to eliminate these issues. According to Tor, the new protocol adds forward secrecy to messages, prevents tampering, and brings encryption standards in line with modern cryptography. Tor explained in a technical post that the system ensures that if a message is modified, that message and all subsequent messages in the circuit become unreadable. The Tor Project described the upgrade as an effort to “defend users against a broader class of online attackers and form the basis for more encryption work in the future.” 

CGO is already implemented in Arti, Tor’s Rust-based client. A C version is in development to support the current relay infrastructure, since Rust relays are not yet deployed across the network. Developers have not provided a timeline for when CGO will arrive in the Tor Browser, noting that they are still tuning performance for modern processors. They acknowledged that CGO will likely be slower than tor1 initially, though optimizations are ongoing. 

The upgrade represents one of the most significant changes to Tor’s core cryptography in years. While the network is widely associated with the dark web and illicit markets, it is also used by journalists, activists and residents of authoritarian states seeking safe access to information. Tor’s history includes involvement from both government research institutions and privacy advocates, and the project continues to position encryption as a key protection against online surveillance.
Read more »
Personal Data
Android Spyware CISA Cyber Security Cyberattacks Data Hacking data security Hacking WhatsApp Mobile Spyware Personal Data

CISA Warns of Rising Targeted Spyware Campaigns Against Encrypted Messaging Users

 

The U.S. Cybersecurity and Infrastructure Security Agency has issued an unusually direct warning regarding a series of active campaigns deploying advanced spyware against users of encrypted messaging platforms, including Signal and WhatsApp. According to the agency, these operations are being conducted by both state-backed actors and financially motivated threat groups, and their activity has broadened significantly throughout the year. The attacks now increasingly target politicians, government officials, military personnel, and other influential individuals across several regions. 

This advisory marks the first time CISA has publicly grouped together multiple operations that rely on commercial surveillance tools, remote-access malware, and sophisticated exploit chains capable of infiltrating secure communications without alerting the victim. The agency noted that the goal of these campaigns is often to hijack messaging accounts, exfiltrate private data, and sometimes obtain long-term access to devices for further exploitation. 

Researchers highlighted multiple operations demonstrating the scale and diversity of techniques. Russia-aligned groups reportedly misused Signal’s legitimate device-linking mechanism to silently take control of accounts. Android spyware families such as ProSpy and ToSpy were distributed through spoofed versions of well-known messaging apps in the UAE. Another campaign in Russia leveraged Telegram channels and phishing pages imitating WhatsApp, Google Photos, TikTok, and YouTube to spread the ClayRat malware. In more technically advanced incidents, attackers chained recently disclosed WhatsApp zero-day vulnerabilities to compromise fewer than 200 targeted users. Another operation, referred to as LANDFALL, used a Samsung vulnerability affecting devices in the Middle East. 

CISA stressed that these attacks are highly selective and aimed at individuals whose communications have geopolitical relevance. Officials described the activity as precision surveillance rather than broad collection. Analysts believe the increasing focus on encrypted platforms reflects a strategic shift as adversaries attempt to bypass the protections of end-to-end encryption by compromising the devices used to send and receive messages. 

The tactics used in these operations vary widely. Some rely on manipulated QR codes or impersonated apps, while others exploit previously unknown iOS and Android vulnerabilities requiring no user interaction. Experts warn that for individuals considered high-risk, standard cybersecurity practices may no longer be sufficient. 

CISA’s guidance urges those at risk to adopt stronger security measures, including hardware upgrades, phishing-resistant authentication, protected telecom accounts, and stricter device controls. The agency also recommends reliance on official app stores, frequent software updates, careful permission auditing, and enabling advanced device protections such as Lockdown Mode on iPhones or Google Play Protect on Android.  

Officials stated that the rapid increase in coordinated mobile surveillance operations reflects a global shift in espionage strategy. With encrypted messaging now central to sensitive communication, attackers are increasingly focused on compromising the endpoint rather than the encryption itself—a trend authorities expect to continue growing.
Read more »
Internet
Cloud Cyber Security Data hack Google Internet

Google Confirms Data Breach from 200 Companies


Google has confirmed that hackers stole data from more than 200 companies after exploiting apps developed by Gainsight, a customer success software provider. The breach targeted Salesforce systems and is being described as one of the biggest supply chain attacks in recent months. 
 
Salesforce said last week that “certain customers’ Salesforce data” had been accessed through Gainsight applications, which are widely used by companies to manage customer relationships at scale. According to Google’s Threat Intelligence Group, more than 200 Salesforce instances were affected, indicating that the attackers targeted the ecosystem strategically rather than going after individual companies one by one. The incident has already raised deep concern across industries that depend heavily on third-party integrations to run core business functions. 
 
A group calling itself Scattered Lapsus$ Hunters, which includes members of the well-known ShinyHunters gang, has claimed responsibility. This collective has previously targeted prominent global firms and leaked confidential datasets online, earning a reputation for bold, high-impact intrusions. In this case, the hackers have published a list of alleged victims, naming companies such as Atlassian, CrowdStrike, DocuSign, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon. Some of these organisations have denied being affected, while others are still conducting internal investigations to determine whether their environments were touched. 
 
This attack underscores a growing reality: compromising a widely trusted application is often more efficient for attackers than breaching a single company. By infiltrating Gainsight’s software, the threat actors gained access to a broad swath of organisations simultaneously, effectively bypassing individual perimeter defences. TechCrunch notes that supply chain attacks remain among the most dangerous vectors because they exploit deeply rooted trust. Once a vendor’s application is subverted, it can become an invisible doorway leading directly into multiple corporate systems. 
 
Salesforce has stated that it is working closely with affected customers to secure environments and limit the impact, while Google continues to analyse the breadth of data exfiltration. Gainsight has not yet released a detailed public statement, prompting experts to call for greater transparency from vendors responsible for critical integrations. Cybersecurity firms advise all companies using third-party SaaS tools to review access permissions, rotate credentials, monitor logs for anomalies, and ensure stronger compliance frameworks for integrated platforms. 
 
The larger picture here reflects an industry-wide challenge. As enterprises increasingly rely on cloud services and SaaS tools, attackers are shifting their attention to these interconnected layers, where a single weak link can expose hundreds of organisations. This shift has prompted analysts to warn that due diligence on app vendors, once considered a formality, must now become a non-negotiable element of cybersecurity strategy. 
 
In light of the attack, experts believe companies will need to adopt a more vigilant posture, treating all integrations as potential threat surfaces, rather than assuming safety through trust. The Gainsight incident serves as a stark reminder that in a cloud-driven world, security is only as strong as the least protected partner in the chain.
Read more »
phishing
Cyber Security Fake Domains Login Credentials Microsoft phishing

Hackers Use Look-Alike Domain Trick to Imitate Microsoft and Capture User Credentials

 




A new phishing operation is misleading users through an extremely subtle visual technique that alters the appearance of Microsoft’s domain name. Attackers have registered the look-alike address “rnicrosoft(.)com,” which replaces the single letter m with the characters r and n positioned closely together. The small difference is enough to trick many people into believing they are interacting with the legitimate site.

This method is a form of typosquatting where criminals depend on how modern screens display text. Email clients and browsers often place r and n so closely that the pair resembles an m, leading the human eye to automatically correct the mistake. The result is a domain that appears trustworthy at first glance although it has no association with the actual company.

Experts note that phishing messages built around this tactic often copy Microsoft’s familiar presentation style. Everything from symbols to formatting is imitated to encourage users to act without closely checking the URL. The campaign takes advantage of predictable reading patterns where the brain prioritizes recognition over detail, particularly when the user is scanning quickly.

The deception becomes stronger on mobile screens. Limited display space can hide the entire web address and the address bar may shorten or disguise the domain. Criminals use this opportunity to push malicious links, deliver invoices that look genuine, or impersonate internal departments such as HR teams. Once a victim believes the message is legitimate, they are more likely to follow the link or download a harmful attachment.

The “rn” substitution is only one example of a broader pattern. Typosquatting groups also replace the letter o with the number zero, add hyphens to create official-sounding variations, or register sites with different top level domains that resemble the original brand. All of these are intended to mislead users into entering passwords or sending sensitive information.

Security specialists advise users to verify every unexpected message before interacting with it. Expanding the full sender address exposes inconsistencies that the display name may hide. Checking links by hovering over them, or using long-press previews on mobile devices, can reveal whether the destination is legitimate. Reviewing email headers, especially the Reply-To field, can also uncover signs that responses are being redirected to an external mailbox controlled by attackers.

When an email claims that a password reset or account change is required, the safest approach is to ignore the provided link. Instead, users should manually open a new browser tab and visit the official website. Organisations are encouraged to conduct repeated security awareness exercises so employees do not react instinctively to familiar-looking alerts.


Below are common variations used in these attacks:

Letter Pairing: r and n are combined to imitate m as seen in rnicrosoft(.)com.

Number Replacement: the letter o is switched with the number zero in addresses like micros0ft(.)com.

Added Hyphens: attackers introduce hyphens to create domains that appear official, such as microsoft-support(.)com.

Domain Substitution: similar names are created by altering only the top level domain, for example microsoft(.)co.


This phishing strategy succeeds because it relies on human perception rather than technical flaws. Recognising these small changes and adopting consistent verification habits remain the most effective protections against such attacks.



Read more »
North Korea Cyber Operations
APT Cyber Crime cyber espionage Cyber Security Financial crime Financial Cybersecurity North Korea North Korea Cyber Operations

North Korean APT Collaboration Signals Escalating Cyber Espionage and Financial Cybercrime

 

Security analysts have identified a new escalation in cyber operations linked to North Korea, as two of the country’s most well-known threat actors—Kimsuky and Lazarus—have begun coordinating attacks with unprecedented precision. A recent report from Trend Micro reveals that the collaboration merges Kimsuky’s extensive espionage methods with Lazarus’s advanced financial intrusion capabilities, creating a two-part operation designed to steal intelligence, exploit vulnerabilities, and extract funds at scale. 

Rather than operating independently, the two groups are now functioning as a complementary system. Kimsuky reportedly initiates most campaigns by collecting intelligence and identifying high-value victims through sophisticated phishing schemes. One notable 2024 campaign involved fraudulent invitations to a fake “Blockchain Security Symposium.” Attached to the email was a malicious Hangul Word Processor document embedded with FPSpy malware, which stealthily installed a keylogger called KLogEXE. This allowed operators to record keystrokes, steal credentials, and map internal systems for later exploitation. 

Once reconnaissance was complete, data collected by Kimsuky was funneled to Lazarus, which then executed the second phase of attacks. Investigators found Lazarus leveraged an unpatched Windows zero-day vulnerability, identified as CVE-2024-38193, to obtain full system privileges. The group distributed infected Node.js repositories posing as legitimate open-source tools to compromise server environments. With this access, the InvisibleFerret backdoor was deployed to extract cryptocurrency wallet contents and transactional logs. Advanced anti-analysis techniques, including Fudmodule, helped the malware avoid detection by enterprise security tools. Researchers estimate that within a 48-hour window, more than $30 million in digital assets were quietly stolen. 

Further digital forensic evidence reveals that both groups operated using shared command-and-control servers and identical infrastructure patterns previously observed in earlier North Korean cyberattacks, including the 2014 breach of a South Korean nuclear operator. This shared ecosystem suggests a formalized, state-aligned operational structure rather than ad-hoc collaboration.  

Threat activity has also expanded beyond finance and government entities. In early 2025, European energy providers received a series of targeted phishing attempts aimed at collecting operational power grid intelligence, signaling a concerning pivot toward critical infrastructure sectors. Experts believe this shift aligns with broader strategic motivations: bypassing sanctions, funding state programs, and positioning the regime to disrupt sensitive systems if geopolitical tensions escalate. 

Cybersecurity specialists advise organizations to strengthen resilience through aggressive patch management, multi-layered email security, secure cryptocurrency storage practices, and active monitoring for indicators of compromise such as unexpected execution of winlogon.exe or unauthorized access to blockchain-related directories. 

Researchers warn that the coordinated activity between Lazarus and Kimsuky marks a new phase in North Korea’s cyber posture—one blending intelligence gathering with highly organized financial theft, creating a sustained and evolving global threat.
Read more »
X Location Feature
Cyber Security Foreign Influence Political Misinformation US Politics X Location Feature

X’s New Location Feature Exposes Foreign Manipulation of US Political Accounts

 

X's new location feature has revealed that many high-engagement US political accounts, particularly pro-Trump ones, are actually operated from countries outside the United States such as Russia, Iran, and Kenya. 

This includes accounts that strongly claim to represent American interests but are based abroad, misleading followers and potentially influencing US political discourse. Similarly, some anti-Trump accounts that seemed to be run by Americans are also found to be foreign-operated. For example, a prominent anti-Trump account with 52,000 followers was based in Kenya and was deleted after exposure. 

The feature exposed widespread misinformation and deception as these accounts garner millions of interactions, often resulting in financial compensation through X's revenue-sharing scheme, allowing both individuals and possibly state-backed groups to exploit the platform for monetary or political gain.

Foreign influence and misinformation

The new location disclosure highlighted significant foreign manipulation of political conversations on X, which raises concerns about authenticity and trust in online discourse. Accounts that present themselves as authentic American voices may actually be linked to troll farms or nation-state actors aiming to amplify divisive narratives or to profit financially. 

This phenomenon is exacerbated by X’s pay-for-play blue tick verification system, which some experts, including Alexios Mantzarlis from Cornell Tech, criticize as a revenue scheme rather than a meaningful validation effort. Mantzarlis emphasizes that financial incentives often motivate such deceptive activities, with operators stoking America's cultural conflicts on social media.

Additional geographic findings

Beyond US politics, BBC Verify found accounts supporting Scottish independence that are purportedly based in Iran despite having smaller followings. This pattern aligns with previous coordinated networks flagged for deceptive political influence. Such accounts often use AI-generated profile images and post highly similar content, generating substantial views while hiding their actual geographic origins.

While the location feature is claimed to be about 99% accurate, there are limitations such as the use of VPNs, proxies, and other methods that can mask true locations, causing some data inaccuracies. The tool's launch also sparked controversy as some users claim their locations are inaccurately displayed, causing breaches of user trust. Experts caution that despite the added transparency, it is a developing tool, and bad actors will likely find ways to circumvent these measures.

Platform responses and transparency efforts

X’s community notes feature, allowing users to add context to viral posts, is viewed as a step toward enhanced transparency, though deception remains widespread. The platform indicates ongoing efforts to introduce more ways to authenticate content and maintain integrity in the "global town square" of social media.

However, researchers emphasize the need for continuous scrutiny given the high stakes of political misinformation and manipulation.This new feature exposes deep challenges in ensuring authenticity and trust in political discourse on X, uncovering foreign manipulation that spans multiple political ends, and revealing the complexities of combating misinformation amid financial and geopolitical motives.
Read more »
Personal Data
AI Privacy AI Systems AI technology ChatGPT Cyber Security Employee Data monitoring Personal Data

AI Emotional Monitoring in the Workplace Raises New Privacy and Ethical Concerns

 

As artificial intelligence becomes more deeply woven into daily life, tools like ChatGPT have already demonstrated how appealing digital emotional support can be. While public discussions have largely focused on the risks of using AI for therapy—particularly for younger or vulnerable users—a quieter trend is unfolding inside workplaces. Increasingly, companies are deploying generative AI systems not just for productivity but to monitor emotional well-being and provide psychological support to employees. 

This shift accelerated after the pandemic reshaped workplaces and normalized remote communication. Now, industries including healthcare, corporate services and HR are turning to software that can identify stress, assess psychological health and respond to emotional distress. Unlike consumer-facing mental wellness apps, these systems sit inside corporate environments, raising questions about power dynamics, privacy boundaries and accountability. 

Some companies initially introduced AI-based counseling tools that mimic therapeutic conversation. Early research suggests people sometimes feel more validated by AI responses than by human interaction. One study found chatbot replies were perceived as equally or more empathetic than responses from licensed therapists. This is largely attributed to predictably supportive responses, lack of judgment and uninterrupted listening—qualities users say make it easier to discuss sensitive topics. 

Yet the workplace context changes everything. Studies show many employees hesitate to use employer-provided mental health tools due to fear that personal disclosures could resurface in performance reviews or influence job security. The concern is not irrational: some AI-powered platforms now go beyond conversation, analyzing emails, Slack messages and virtual meeting behavior to generate emotional profiles. These systems can detect tone shifts, estimate personal stress levels and map emotional trends across departments. 

One example involves workplace platforms using facial analytics to categorize emotional expression and assign wellness scores. While advocates claim this data can help organizations spot burnout and intervene early, critics warn it blurs the line between support and surveillance. The same system designed to offer empathy can simultaneously collect insights that may be used to evaluate morale, predict resignations or inform management decisions. 

Research indicates that constant monitoring can heighten stress rather than reduce it. Workers who know they are being analyzed tend to modulate behavior, speak differently or avoid emotional honesty altogether. The risk of misinterpretation is another concern: existing emotion-tracking models have demonstrated bias against marginalized groups, potentially leading to misread emotional cues and unfair conclusions. 

The growing use of AI-mediated emotional support raises broader organizational questions. If employees trust AI more than managers, what does that imply about leadership? And if AI becomes the primary emotional outlet, what happens to the human relationships workplaces rely on? 

Experts argue that AI can play a positive role, but only when paired with transparent data use policies, strict privacy protections and ethical limits. Ultimately, technology may help supplement emotional care—but it cannot replace the trust, nuance and accountability required to sustain healthy workplace relationships.
Read more »
Google security
AI Risks AI Security AI Systems AI technology critical infrastructure risk Cyber Security Financial Security Google security

Google’s High-Stakes AI Strategy: Chips, Investment, and Concerns of a Tech Bubble

 

At Google’s headquarters, engineers work on Google’s Tensor Processing Unit, or TPU—custom silicon built specifically for AI workloads. The device appears ordinary, but its role is anything but. Google expects these chips to eventually power nearly every AI action across its platforms, making them integral to the company’s long-term technological dominance. 

Pichai has repeatedly described AI as the most transformative technology ever developed, more consequential than the internet, smartphones, or cloud computing. However, the excitement is accompanied by growing caution from economists and financial regulators. Institutions such as the Bank of England have signaled concern that the rapid rise in AI-related company valuations could lead to an abrupt correction. Even prominent industry leaders, including OpenAI CEO Sam Altman, have acknowledged that portions of the AI sector may already display speculative behavior. 

Despite those warnings, Google continues expanding its AI investment at record speed. The company now spends over $90 billion annually on AI infrastructure, tripling its investment from only a few years earlier. The strategy aligns with a larger trend: a small group of technology companies—including Microsoft, Meta, Nvidia, Apple, and Tesla—now represents roughly one-third of the total value of the U.S. S&P 500 market index. Analysts note that such concentration of financial power exceeds levels seen during the dot-com era. 

Within the secured TPU lab, the environment is loud, dominated by cooling units required to manage the extreme heat generated when chips process AI models. The TPU differs from traditional CPUs and GPUs because it is built specifically for machine learning applications, giving Google tighter efficiency and speed advantages while reducing reliance on external chip suppliers. The competition for advanced chips has intensified to the point where Silicon Valley executives openly negotiate and lobby for supply. 

Outside Google, several AI companies have seen share value fluctuations, with investors expressing caution about long-term financial sustainability. However, product development continues rapidly. Google’s recently launched Gemini 3.0 model positions the company to directly challenge OpenAI’s widely adopted ChatGPT.  

Beyond financial pressures, the AI sector must also confront resource challenges. Analysts estimate that global data centers could consume energy on the scale of an industrialized nation by 2030. Still, companies pursue ever-larger AI systems, motivated by the possibility of reaching artificial general intelligence—a milestone where machines match or exceed human reasoning ability. 

Whether the current acceleration becomes a long-term technological revolution or a temporary bubble remains unresolved. But the race to lead AI is already reshaping global markets, investment patterns, and the future of computing.
Read more »
Synthient
Credential Stuffing Cyber Security Data Breach exposed emails Have I Been Pwned password leak Synthient

Massive Leak Exposes 1.3 Billion Passwords and 2 Billion Emails — Check If Your Credentials Are at Risk

 

If you haven’t recently checked whether your login details are floating around online, now is the time. A staggering 1.3 billion unique passwords and 2 billion unique email addresses have surfaced publicly — and not due to a fresh corporate breach.

Instead, this massive cache was uncovered after threat-intelligence firm Synthient combed through both the open web and the dark web for leaked credentials. You may recognize the company, as they previously discovered 183 million compromised email accounts.

Much of this enormous collection is made up of credential-stuffing lists, which bundle together login details stolen from various older breaches. Cybercriminals typically buy and trade these lists to attempt unauthorized logins across multiple platforms.

This time, Synthient pulled together all 2 billion emails and 1.3 billion passwords, and with help from Troy Hunt and Have I Been Pwned (HIBP), the entire dataset can now be searched so users can determine if their personal information is exposed.

The compilation was created by Synthient founder Benjamin Brundage, who spent months gathering leaked credentials from countless sources across hacker forums and malware dumps. The dataset includes both older breach data and newly stolen information harvested through info-stealing malware, which quietly extracts passwords from infected devices.

According to Troy Hunt, Brundage provided the raw data while Hunt independently verified its authenticity.

To test its validity, Hunt used one of his old email addresses — one he already knew had appeared in past credential lists. As expected, that address and several associated passwords were included in the dataset.

After that, Hunt contacted a group of HIBP subscribers for verification. By choosing some users whose data had never appeared in a breach and others with previously exposed data, he confirmed that the new dataset wasn’t just recycled information — fresh, previously unseen credentials were indeed present.

HIBP has since integrated the exposed passwords into its Pwned Passwords service. Importantly, this database never links email addresses to passwords, maintaining privacy while still allowing users to check if their passwords are compromised.

To see if any of your current passwords have been leaked, visit the Pwned Passwords page and enter them. Your passwords are never sent to a server — the entire check is processed locally in your browser through an anonymity-preserving method.

If any password you use appears in the results, change it immediately. You can rely on a password manager to generate strong replacements, or use free password generators from tools like Bitwarden, LastPass, and ProtonPass.

The single most important cybersecurity rule remains the same: never reuse passwords. When criminals obtain one set of login credentials, they try them across other platforms — an attack method known as credential stuffing. Because so many people still repeat passwords, these attacks remain highly successful.

Make sure every account you own uses a strong, complex, and unique password. Password managers and built-in password generators are the easiest way to handle this.

Even the best password may not protect you if it’s stolen through a breach or malware. That’s why Two-Factor Authentication (2FA) is crucial. With a second verification step — such as an authenticator app or security key — criminals won’t be able to access your account even if they know the password.

You should also safeguard your devices against malware using reputable antivirus tools on Windows, Mac, and Android. Info-stealing malware, often spread through phishing attacks, remains one of the most common ways passwords are siphoned directly from user devices.

If you’re interested in going beyond passwords altogether, consider switching to passkeys. These use cryptographic key pairs rather than passwords, making them unguessable, non-reusable, and resistant to phishing attempts.

Think of your password as the lock on your home’s front door: the stronger it is, the harder it is for intruders to break in. But even with strong habits, your information can still be exposed through breaches outside your control — one reason many experts, including Hunt, see passkeys as the future.

While it’s easy to panic after reading about massive leaks like this, staying consistent with good digital hygiene and regularly checking your exposure will keep you one step ahead of cybercriminals.
Read more »
Sensitive data
AI Chatbots Artificial Intelligence Corporate data Cyber Security data compliance Google OpenAI Sensitive data

Why Long-Term AI Conversations Are Quietly Becoming a Major Corporate Security Weakness

 



Many organisations are starting to recognise a security problem that has been forming silently in the background. Conversations employees hold with public AI chatbots can accumulate into a long-term record of sensitive information, behavioural patterns, and internal decision-making. As reliance on AI tools increases, these stored interactions may become a serious vulnerability that companies have not fully accounted for.

The concern resurfaced after a viral trend in late 2024 in which social media users asked AI models to highlight things they “might not know” about themselves. Most treated it as a novelty, but the trend revealed a larger issue. Major AI providers routinely retain prompts, responses, and related metadata unless users disable retention or use enterprise controls. Over extended periods, these stored exchanges can unintentionally reveal how employees think, communicate, and handle confidential tasks.

This risk becomes more severe when considering the rise of unapproved AI use at work. Recent business research shows that while the majority of employees rely on consumer AI tools to automate or speed up tasks, only a fraction of companies officially track or authorise such usage. This gap means workers frequently insert sensitive data into external platforms without proper safeguards, enlarging the exposure surface beyond what internal security teams can monitor.

Vendor assurances do not fully eliminate the risk. Although companies like OpenAI, Google, and others emphasize encryption and temporary chat options, their systems still operate within legal and regulatory environments. One widely discussed court order in 2025 required the preservation of AI chat logs, including previously deleted exchanges. Even though the order was later withdrawn and the company resumed standard deletion timelines, the case reminded businesses that stored conversations can resurface unexpectedly.

Technical weaknesses also contribute to the threat. Security researchers have uncovered misconfigured databases operated by AI firms that contained user conversations, internal keys, and operational details. Other investigations have demonstrated that prompt-based manipulation in certain workplace AI features can cause private channel messages to leak. These findings show that vulnerabilities do not always come from user mistakes; sometimes the supporting AI infrastructure itself becomes an entry point.

Criminals have already shown how AI-generated impersonation can be exploited. A notable example involved attackers using synthetic voice technology to imitate an executive, tricking an employee into transferring funds. As AI models absorb years of prompt history, attackers could use stylistic and behavioural patterns to impersonate employees, tailor phishing messages, or replicate internal documents.

Despite these risks, many companies still lack comprehensive AI governance. Studies reveal that employees continue to insert confidential data into AI systems, sometimes knowingly, because it speeds up their work. Compliance requirements such as GDPR’s strict data minimisation rules make this behaviour even more dangerous, given the penalties for mishandling personal information.

Experts advise organisations to adopt structured controls. This includes building an inventory of approved AI tools, monitoring for unsanctioned usage, conducting risk assessments, and providing regular training so staff understand what should never be shared with external systems. Some analysts also suggest that instead of banning shadow AI outright, companies should guide employees toward secure, enterprise-level AI platforms.

If companies fail to act, each casual AI conversation can slowly accumulate into a dataset capable of exposing confidential operations. While AI brings clear productivity benefits, unmanaged use may convert everyday workplace conversations into one of the most overlooked security liabilities of the decade.

Read more »
DDoS attack suspicion
Cloudflare downtime Cloudflare internal error Cloudflare outage Cyber Security DDoS attack suspicion

Cloudflare Outage Traced to Internal File Error After Initial Fears of Massive DDoS Attack

Cloudflare experienced a major disruption yesterday that knocked numerous websites and online services offline. At first, the company suspected it was under a massive “hyper-scale” DDoS attack.

“I worry this is the big botnet flexing,” Cloudflare co-founder and CEO Matthew Prince wrote in an internal chat, referring to concerns that the Aisuru botnet might be responsible. However, the team later confirmed that the issue originated from within Cloudflare’s own infrastructure: a critical configuration file unexpectedly grew in size and spread across the network.

This oversized file caused failures in software responsible for reading the data used by Cloudflare’s bot management system, which relies on machine learning to detect harmful traffic. As a result, Cloudflare’s core CDN, security tools, and other services were impacted.

“After we initially wrongly suspected the symptoms we were seeing were caused by a hyper-scale DDoS attack, we correctly identified the core issue and were able to stop the propagation of the larger-than-expected feature file and replace it with an earlier version of the file,” Prince explained in a post-mortem.

According to Prince, the issue began when changes to database permissions caused the system to generate duplicate entries inside a “feature file” used by the company’s bot detection model. The file then doubled in size and automatically replicated across Cloudflare’s global network.

Machines that route traffic through Cloudflare read this file to keep the bot management system updated. But the software had a strict size limit for this configuration file, and the bloated version exceeded that threshold, causing widespread failures. Once the old version was restored, traffic began returning to normal — though it took another 2.5 hours to stabilize the network after the sudden surge in requests.

Prince apologized for the downtime, noting the heavy dependence many online platforms have on Cloudflare. “On behalf of the entire team at Cloudflare, I would like to apologize for the pain we caused the Internet today,” he wrote, adding that outages are especially serious due to “Cloudflare’s importance in the Internet ecosystem.”

Cloudflare’s bot management system assigns bot scores using machine learning, helping customers filter legitimate traffic from malicious requests. The configuration file powering this system is updated every five minutes to adapt quickly to changing bot behaviors.

The faulty file was generated by a query on a ClickHouse database cluster. After new permissions were added, the query began returning additional metadata—duplicating columns and producing more rows than expected. Because the system caps features at 200, the oversized file triggered a panic state once deployed across Cloudflare’s servers.

The result was a dramatic surge in 5xx server errors. The pattern appeared irregular at first because only some database nodes were generating the bad file. Every five minutes, the system could push either a correct or incorrect version depending on which node handled the query, creating cyclical failures that initially resembled a distributed attack.

Eventually, all ClickHouse nodes began producing the faulty file consistently. Cloudflare resolved the issue by stopping the distribution of the corrupted file, manually injecting a stable version, and restarting its core proxy services. The network returned to normal later that day.

Prince called this Cloudflare’s most significant outage since 2019. To prevent similar incidents, the company plans to strengthen safeguards around internal configuration files, introduce more global kill switches, prevent system overloads caused by error logs, and review failure points across core components.

While Prince emphasized that no system can be guaranteed immune to outages, he noted that past failures have led Cloudflare to build more resilient systems each time.
Read more »
DOE
AI Advancements AI cybersecurity AI Models AI Systems AI technology critical infrastructures Cyber Security DOE

Genesis Mission Launches as US Builds Closed-Loop AI System Linking National Laboratories

 

The United States has announced a major federal scientific initiative known as the Genesis Mission, framed by the administration as a transformational leap forward in how national research will be conducted. Revealed on November 24, 2025, the mission is described by the White House as the most ambitious federal science effort since the Manhattan Project. The accompanying executive order tasks the Department of Energy with creating an interconnected “closed-loop AI experimentation platform” that will join the nation’s supercomputers, 17 national laboratories, and decades of research datasets into one integrated system. 

Federal statements position the initiative as a way to speed scientific breakthroughs in areas such as quantum engineering, fusion, advanced semiconductors, biotechnology, and critical materials. DOE has called the system “the most complex scientific instrument ever built,” describing it as a mechanism designed to double research productivity by linking experiment automation, data processing, and AI models into a single continuous pipeline. The executive order requires DOE to progress rapidly, outlining milestones across the next nine months that include cataloging datasets, mapping computing capacity, and demonstrating early functionality for at least one scientific challenge. 

The Genesis Mission will not operate solely as a federal project. DOE’s launch materials confirm that the platform is being developed alongside a broad coalition of private, academic, nonprofit, cloud, and industrial partners. The roster includes major technology companies such as Microsoft, Google, OpenAI for Government, NVIDIA, AWS, Anthropic, Dell Technologies, IBM, and HPE, alongside aerospace companies, semiconductor firms, and energy providers. Their involvement signals that Genesis is designed not only to modernize public research, but also to serve as part of a broader industrial and national capability. 

However, key details remain unclear. The administration has not provided a cost estimate, funding breakdown, or explanation of how platform access will be structured. Major news organizations have already noted that the order contains no explicit budget allocation, meaning future appropriations or resource repurposing will determine implementation. This absence has sparked debate across the AI research community, particularly among smaller labs and industry observers who worry that the platform could indirectly benefit large frontier-model developers facing high computational costs. 

The order also lays the groundwork for standardized intellectual-property agreements, data governance rules, commercialization pathways, and security requirements—signaling a tightly controlled environment rather than an open-access scientific commons. Certain community reactions highlight how the initiative could reshape debates around open-source AI, public research access, and the balance of federal and private influence in high-performance computing. While its long-term shape is not yet clear, the Genesis Mission marks a pivotal shift in how the United States intends to organize, govern, and accelerate scientific advancement using artificial intelligence and national infrastructure.
Read more »
UK cybersecurity policy
Cyber Security cyberattack surge 2025 MSP cybersecurity ransomware payments UK ban ransomware prevention UK cybersecurity policy

UK’s Proposed Ban on Ransomware Payments Sparks Debate as Attacks Surge in 2025

 

Ransomware incidents continue to escalate, reigniting discussions around whether organizations should ever pay attackers. Cybercriminals are increasingly leveraging ransomware to extort significant sums from companies desperate to protect their internal and customer data.

Recent research revealed a 126% jump in ransomware activity in the first quarter of 2025, compared to the previous quarter — a spike that has prompted urgent attention.

In reaction to this rise, the UK government has proposed banning ransomware payments, a move intended to curb organizations from transferring large sums to cybercriminals in hopes of restoring their data or avoiding public scrutiny. Under the current proposal, the ban would initially apply to public sector bodies and Critical National Infrastructure (CNI) organizations, though there is growing interest in extending the policy across all UK businesses.

If this wider ban takes effect, organizations will need to adapt to a reality where paying attackers is no longer an option. Instead, they will have to prioritize robust resilience measures, thorough incident response planning, and faster recovery capabilities.

This raises a central debate: Are ransomware payment bans the right solution? And if implemented, how can organizations protect themselves without relying on a financial “escape route”?

Many organizations have long viewed ransom payments as a convenient way to restore operations — a perceived “get out of jail free” shortcut that avoids lengthy reporting, disclosure, or regulatory scrutiny.

But the reality is stark: when dealing with criminals, there are no guarantees. Paying a ransom reinforces an already thriving network of cybercriminal operations.

In spite of this, organizations continue to pay. Recent studies indicate that 41% of organizations in 2025 admitted to paying ransom demands, although only 67% of those who paid actually regained full access to their data. These figures highlight the willingness of companies to divert large budgets to ransom fees — investments that could otherwise strengthen cyber defenses and prevent attacks altogether.

There are strong arguments on both sides of the UK proposal. A payment ban removes the burden of negotiating with threat actors who have no obligation to keep their word. It also eliminates the possibility of paying for data that attackers may never return after receiving the funds.

Another issue is the ongoing stigma around publicly acknowledging a ransomware attack. To protect their reputation, many organizations choose to quietly meet attackers’ demands — enabling criminals to operate undetected and without law enforcement involvement.

A ban would change this dynamic entirely. Without the option to pay, organizations would be forced to report incidents, helping authorities investigate and track cybercriminal activity more effectively.

The broader hope behind the proposal is that, without profit incentives, ransomware attacks will eventually fade out. While optimistic, the UK government views this approach as one of the few viable long-term strategies to reduce ransomware incidents.

However, the near-term outlook is more complex. Attacks are unlikely to stop immediately, and eliminating the option to pay could leave organizations without a practical mechanism for retrieving highly sensitive data — including customer information — in the aftermath of an attack.

If ransomware payments become illegal, organizations must proactively invest in stronger cyber resilience. Small and medium businesses, which often lack internal cybersecurity expertise, can significantly benefit from partnering with a Managed Service Provider (MSP). MSPs manage IT systems and cybersecurity operations, allowing business leaders to focus on growth and innovation. Research shows that over 80% of SMEs now rely on MSPs for cybersecurity support.

Regular security awareness training is also essential. Educating employees on identifying phishing attempts and suspicious activity helps reduce human errors that often lead to ransomware breaches.

Furthermore, a tested and well-structured incident response plan is critical. Many organizations overlook this step, but it plays a major role in containing damage during an attack.

With the UK edging closer to implementing a nationwide ransomware payment ban, organizations cannot afford to wait. Strengthening cyber resilience is the most effective path forward. This includes deploying advanced security tools, working with MSPs, and building a thorough — and regularly tested — incident response strategy.

Businesses that act early will be far better equipped to withstand attacks in a world where paying ransom is no longer an option.
Read more »
Ransomware
Akira Cyber Security Data Extortion Ransomware

Akira Ramps up Ransomware Activity With New Variant And More Aggressive Intrusion Methods

 


Akira, one of the most active ransomware operations this year, has expanded its capabilities and increased the scale of its attacks, according to new threat intelligence shared by global security agencies. The group’s operators have upgraded their ransomware toolkit, continued to target a broad range of sectors, and sharply increased the financial impact of their attacks.

Data collected from public extortion portals shows that by the end of September 2025 the group had claimed roughly 244.17 million dollars in ransom proceeds. Analysts note that this figure represents a steep rise compared to estimates released in early 2024. Current tracking data places Akira second in overall activity among hundreds of monitored ransomware groups, with more than 620 victim organisations listed this year.

The growing number of incidents has prompted an updated joint advisory from international cyber authorities. The latest report outlines newly observed techniques, warns of the group’s expanded targeting, and urges all organisations to review their defensive posture.

Researchers confirm that Akira has introduced a new ransomware strain, commonly referenced as Akira v2. This version is designed to encrypt files at higher speeds and make data recovery significantly harder. Systems affected by the new variant often show one of several extensions, which include akira, powerranges, akiranew, and aki. Victims typically find ransom instructions stored as text files in both the main system directory and user folders.

Investigations show that Akira actors gain entry through several familiar but effective routes. These include exploiting security gaps in edge devices and backup servers, taking advantage of authentication bypass and scripting flaws, and using buffer overflow vulnerabilities to run malicious code. Stolen or brute forced credentials remain a common factor, especially when multi factor authentication is disabled.

Once inside a network, the attackers quickly establish long-term access. They generate new domain accounts, including administrative profiles, and have repeatedly created an account named itadm during intrusions. The group also uses legitimate system tools to explore networks and identify sensitive assets. This includes commands used for domain discovery and open-source frameworks designed for remote execution. In many cases, the attackers uninstall endpoint detection products, change firewall rules, and disable antivirus tools to remain unnoticed.

The group has also expanded its focus to virtual and cloud based environments. Security teams recently observed the encryption of virtual machine disk files on Nutanix AHV, in addition to previous activity on VMware ESXi and Hyper-V platforms. In one incident, operators temporarily powered down a domain controller to copy protected virtual disk files and load them onto a new virtual machine, allowing them to access privileged credentials.

Command and control activity is often routed through encrypted tunnels, and recent intrusions show the use of tunnelling services to mask traffic. Authorities warn that data theft can occur within hours of initial access.

Security agencies stress that the most effective defence remains prompt patching of known exploited vulnerabilities, enforcing multi factor authentication on all remote services, monitoring for unusual account creation, and ensuring that backup systems are fully secured and tested.



Read more »
threats
Automation Cyber Security Cybersecurity Germany Recruitment Shortage threats

Germany’s Cyber Skills Shortage Leaves Companies Exposed to Record Cyberattacks

 

Germany faces a critical shortage of cybersecurity specialists amid a surge in cyberattacks that caused record damages of €202.4 billion in 2024, according to a study by Strategy&, a unit of PwC. The study found that nine out of 10 organizations surveyed reported a shortage of cybersecurity experts, a sharp increase from two-thirds in 2023. 

Key institutions such as German air traffic control, the Federal Statistical Office, and the Society for Eastern European Studies were targeted by foreign cyberattacks, highlighting the nation’s digital vulnerability. Russia and China were specifically identified as significant cyber threats.

The overall damage to German organizations from cyber-related incidents in 2024 reached €267 billion, with cyberattacks themselves accounting for about €179 billion. Other forms of damage included theft of data, IT equipment, and various acts of espionage and sabotage. Despite the growing threat, the recruitment landscape for cybersecurity roles is bleak.

Only half of the public sector's job ads for cybersecurity specialists attracted more than 10 applicants, and a decline in applications has been noted. Over two-thirds of organizations reported that applicants either partially met or failed to meet the qualifications, with notable gaps in knowledge about cybersecurity standards and data protection.

The most acute shortage exists in critical roles such as risk management, where 57% of respondents identified major gaps in positions responsible for recognizing and responding to cyber threats. Financial constraints pose another barrier to hiring, especially in the public sector, where 78% cited budget issues as a reason for not filling positions, compared to 48% in the private sector. 

Low pay contributes significantly to high staff turnover. Many experts in urgent demand in the public sector are moving to tech companies offering better salaries, exacerbating the problem. The study also revealed that only about 20% of organizations have strategically employed AI to alleviate staff shortages. Experts recommend using bonuses, allowances, outsourcing, and automation to retain talent and improve efficiency. 

Without these interventions, the study warns that bottlenecks in security-critical roles will persist, potentially crippling the ability of institutions to operate and jeopardizing Germany’s overall digital resilience. Strengthening cyber expertise through targeted incentives and international recruitment is urgent to counter these growing challenges. This situation poses a serious risk to the country's cybersecurity defenses and operational readiness .
Read more »
vulnerability exploitation
AI cyberattacks Cyber Security Cybersecurity Threats fileless ransomware nation-state hackers Ransomware Groups Rapid7 report vulnerability exploitation

Cybercriminals Speed Up Tactics as AI-Driven Attacks, Ransomware Alliances, and Rapid Exploitation Reshape Threat Landscape

 

Cybercriminals are rapidly advancing their attack methods, strengthening partnerships, and harnessing artificial intelligence to gain an edge over defenders, according to new threat intelligence. Rapid7’s latest quarterly findings paint a picture of a threat environment that is evolving at high speed, with attackers leaning on fileless ransomware, instant exploitation of vulnerabilities, and AI-enabled phishing operations.

While newly exploited vulnerabilities fell by 21% compared to the previous quarter, threat actors are increasingly turning to long-standing unpatched flaws—some over a decade old. These outdated weaknesses remain potent entry points, reflected in widespread attacks targeting Microsoft SharePoint and Cisco ASA/FTD devices via recently revealed critical bugs.

The report also notes a shrinking window between public disclosure of vulnerabilities and active exploitation, leaving organisations with less time to respond.

"The moment a vulnerability is disclosed, it becomes a bullet in the attacker's arsenal," said Christiaan Beek, Senior Director of Threat Intelligence and Analytics, Rapid7.
"Attackers are no longer waiting. Instead, they're weaponising vulnerabilities in real time and turning every disclosure into an opportunity for exploitation. Organisations must now assume that exploitation begins the moment a vulnerability is made public and act accordingly," said Beek.

The number of active ransomware groups surged from 65 to 88 this quarter. Rapid7’s analysis shows increasing consolidation among these syndicates, with groups pooling infrastructure, blending tactics, and even coordinating public messaging to increase their reach. Prominent operators such as Qilin, SafePay, and WorldLeaks adopted fileless techniques, launched extensive data-leak operations, and introduced affiliate services such as ransom negotiation assistance. Sectors including business services, healthcare, and manufacturing were among the most frequently targeted.

"Ransomware has evolved significantly beyond its early days to become a calculated strategy that destabilises industries," said Raj Samani, Chief Scientist, Rapid7.
"In addition, the groups themselves are operating like shadow corporations. They merge infrastructure, tactics, and PR strategies to project dominance and erode trust faster than ever," said Samani.

Generative AI continues to lower the barrier for cybercriminals, enabling them to automate and scale phishing and malware development. The report points to malware families such as LAMEHUG, which now have advanced adaptive features, allowing them to issue new commands on the fly and evade standard detection tools.

AI is making it easier for inexperienced attackers to craft realistic, large-volume phishing campaigns, creating new obstacles for security teams already struggling to keep pace with modern threats.

State-linked actors from Russia, China, and Iran are also evolving, shifting from straightforward espionage to intricate hybrid operations that blend intelligence collection with disruptive actions. Many of these campaigns focus on infiltrating supply chains and compromising identity systems, employing stealthy tactics to maintain long-term access and avoid detection.

Overall, Rapid7’s quarterly analysis emphasises the urgent need for organisations to modernise their security strategies to counter the speed, coordination, and technological sophistication of today’s attackers.
Read more »
Subscribe to: Comments (Atom)