Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Threats. Show all posts
Dragos cybersecurity
Critical Infrastructure critical infrastructure cybersecurity Cyber Security Cyber Threats Dragos Dragos cybersecurity

Dragos Warns of New State-Backed Threat Groups Targeting Critical Infrastructure

 

A fresh wave of state-backed hacking targeted vital systems more aggressively over the past twelve months, as newer collectives appeared while long-known teams kept their campaigns running, per Dragos’ latest yearly analysis. Operating underground until now, three distinct gangs specializing in industrial equipment surfaced in 2025, highlighting an ongoing rise in size and complexity among nation-supported digital intrusions. That count lifts worldwide monitoring efforts to cover 26 such organizations focused on physical machinery networks, eleven of which demonstrated live activity throughout the period. 

One key issue raised in the report involves ongoing operations by Voltzite, which Dragos links directly to Volt Typhoon. Instead of brief cyber intrusions, this group aimed at staying hidden inside U.S. essential systems - especially power, oil, and natural gas networks - for extended periods. Deep infiltration into industrial control setups allowed access beyond standard IT zones, reaching process controls tied to real-world machinery. Evidence shows their goal was less about data theft, more about setting conditions for later interference. Long-term positioning suggests preparation mattered more than immediate gain. 

Starting with compromised Sierra Wireless AirLink devices, hackers gained entry to pipeline operational technology environments during one operation. From there, sensor readings, system setups, and alert mechanisms were pulled - details that might later disrupt functioning processes. Elsewhere, actions tied to Voltzite relied on a network of infected machines scanning exposed energy, defense, and manufacturing systems along with virtual private network hardware. Analysts view such probing as groundwork aimed at eventual breaches. 

One finding highlighted three emerging threat actors. Notably, Sylvanite operates as an access provider - exploiting recently revealed flaws in common business and network-edge systems before passing entry points to Voltzite for further penetration. Following close behind, Azurite displays patterns tied to Chinese-affiliated campaigns, primarily targeting operational technology setups where engineers manage industrial processes; it gathers design schematics, system alerts, and procedural records within heavy industry, power infrastructure, and military-related production environments. 

Meanwhile, a different cluster named Pyroxene surfaced in connection with Iran's digital offensives, using compromised suppliers to breach networks while deploying disruptive actions when global political strain peaks. These developments emerged clearly through recent investigative analysis. Still, Dragos pointed out dangers extending beyond China and Iran. Operations tied to Russia kept challenging systems in power and water sectors. Across various areas, probing efforts focused on industrial equipment left visible online. Even when scans did not lead to verified breaches, their accuracy and reach signaled growing skill. 

The report treated such patterns as signs of advancing tactics. Finding after finding points to an ongoing trend: silent infiltration of vital system networks over extended periods. Instead of causing instant chaos, operations seem built around stealthy placement within core service frameworks, building up danger across nations and sectors alike. Not sudden blows - but slow seepage - defines the growing threat.
Read more »
Olympics
AI threats Cyber Security Cyber Threats Data Privacy Olympics

Italy Steps Up Cyber Defenses as Milano–Cortina Winter Olympics Approach

 



Inside a government building in Rome, located opposite the ancient Aurelian Walls, dozens of cybersecurity professionals have been carrying out continuous monitoring operations for nearly a year. Their work focuses on tracking suspicious discussions and coordination activity taking place across hidden corners of the internet, including underground criminal forums and dark web marketplaces. This monitoring effort forms a core part of Italy’s preparations to protect the Milano–Cortina Winter Olympic Games from cyberattacks.

The responsibility for securing the digital environment of the Games lies with Italy’s National Cybersecurity Agency, an institution formed in 2021 to centralize the country’s cyber defense strategy. The upcoming Winter Olympics represent the agency’s first large-scale international operational test. Officials view the event as a likely target for cyber threats because the Olympics attract intense global attention. Such visibility can draw a wide spectrum of malicious actors, ranging from small-scale cybercriminal groups seeking disruption or financial gain to advanced threat groups believed to have links with state interests. These actors may attempt to use the event as a platform to make political statements, associate attacks with ideological causes, or exploit broader geopolitical tensions.

The Milano–Cortina Winter Games will run from February 6 to February 22 and will be hosted across multiple Alpine regions for the first time in Olympic history. This multi-location format introduces additional security and coordination challenges. Each venue relies on interconnected digital systems, including communications networks, event management platforms, broadcasting infrastructure, and logistics systems. Securing a geographically distributed digital environment exponentially increases the complexity of monitoring, response coordination, and incident containment.

Officials estimate that the Games will reach approximately three billion viewers globally, alongside around 1.5 million ticket-holding spectators on site. This scale creates a vast digital footprint. High-visibility services, such as live streaming platforms, official event websites, and ticket purchasing systems, are considered particularly attractive targets. Disrupting these services can generate widespread media attention, cause public confusion, and undermine confidence in the organizers’ ability to safeguard critical digital operations.

Italy’s planning has been shaped by recent Olympic experience. During the 2024 Paris Summer Olympics, authorities recorded more than 140 cyber incidents. In 22 cases, attackers managed to gain access to information systems. While none of these incidents disrupted the competitions themselves, the sheer volume of hostile activity demonstrated the persistent pressure faced by host nations. On the day of the opening ceremony in Paris, France’s TGV high-speed rail network was also targeted in coordinated physical sabotage attacks involving explosive devices. This incident illustrated how large global events can attract both cyber threats and physical security risks at the same time.

Italian cybersecurity officials anticipate comparable levels of hostile activity during the Milano–Cortina Games, with an additional layer of complexity introduced by artificial intelligence. AI tools can be used by attackers to automate technical tasks, enhance reconnaissance, and support more convincing phishing and impersonation campaigns. These techniques can increase the speed and scale of cyber operations while making malicious activity harder to detect. Although authorities currently report no specific, elevated threat level, they acknowledge that the overall risk environment is becoming more complex due to the growing availability of AI-assisted tools.

The National Cybersecurity Agency’s defensive approach emphasizes early detection rather than reactive response. Analysts continuously monitor open websites, underground criminal communities, and social media channels to identify emerging threat patterns before they develop into direct intrusion attempts. This method is designed to provide early warning, allowing technical teams to strengthen defenses before attackers move from planning to execution.

Operational coordination will involve multiple teams. Around 20 specialists from the agency’s operational staff will focus exclusively on Olympic-related cyber intelligence from the headquarters in Rome. An additional 10 senior experts will be deployed to Milan starting on February 4 to support the Technology Operations Centre, which oversees the digital systems supporting the Games. These government teams will operate alongside nearly 100 specialists from Deloitte and approximately 300 personnel from the local organizing committee and technology partners. Together, these groups will manage cybersecurity monitoring, incident response, and system resilience across all Olympic venues.

If threats keep developing during the Games, the agency will continuously feed intelligence into technical operations teams to support rapid decision-making. The guiding objective remains consistent. Detect emerging risks early, interpret threat signals accurately, and respond quickly and effectively when specific dangers become visible. This approach reflects Italy’s broader strategy to protect the digital infrastructure that underpins one of the world’s most prominent international sporting events.


Read more »
Record DDoS Attack
Aisuru botnet Botnet Infrastructure Cloudflare Mitigation Cyber Attacks Cyber Threats Global DDoS Trends Hyper-Volumetric DDoS IoT Botnets Network Layer Attacks Record DDoS Attack

Aisuru Botnet Drives DDoS Attack Volumes to Historic Highs


Currently, the modern internet is characterized by near-constant contention, in which defensive controls are being continuously tested against increasingly sophisticated adversaries. However, there are some instances where even experienced security teams are forced to rethink long-held assumptions about scale and resilience when an incident occurs. 


There has been an unprecedented peak of 31.4 terabits per second during a recent Distributed Denial of Service attack attributed to the Aisuru botnet, which has proven that the recent attack is firmly in that category. 

Besides marking a historical milestone, the event is revealing a sharp change in botnet orchestration, traffic amplification, and infrastructure abuse, demonstrating that threat actors are now capable of generating disruptions at levels previously thought to be theoretical. As a consequence of this attack, critical questions are raised regarding the effectiveness of current mitigation architectures and the readiness of global networks to withstand such an attack.

Aisuru-Kimwolf is at the center of this escalation, a vast array of compromised systems that has rapidly developed into the most formidable DDoS platform to date. Aisuru and its Kimwolf offshoot are estimated to have infected between one and four million hosts, consisting of a diverse array of consumer IoT devices, digital video recorders, enterprise network appliances, and virtual machines based in the cloud. 

As a result of this diversity, the botnet has been able to generate volumes of traffic which are capable of overwhelming critical infrastructure, destabilizing national connectivity, and surpassing the handling capacities of many legacy cloud-based DDoS mitigation services. As far as operational performance is concerned, Aisuru-Kimwolf has demonstrated its consistency in executing hyper-volumetric and packet-intensive campaigns at a scale previously deemed impractical. 

As documented by the botnet, the botnet is responsible for record-breaking flooding reaches 31.4 Tbps, packet rates exceeding 14.1 billion packets per second, and highly targeted DNS-based attacks, including random prefixes and so-called water torture attacks, as well as application-layer HTTP floods that exceed 200 million requests per second. 

As part of these operations, carpet bombing strategies are used across wide areas and packet headers and payload attributes are randomly randomized, a deliberate design choice meant to frustrate signature-based detection and slow automated mitigation. 

The attack usually occurs rapidly and in high intensity bursts that reach peak throughput almost instantly and subside within minutes, creating a hit-and-run attack that makes attribution and response more difficult. 

There was an increase of more than 700 percent in attack potential observed in the Aisuru-Kimwolf ecosystem between the years 2025 and 2026, demonstrating the rapid development of this ecosystem. Aisuru botnets serve as the architectural core of this ecosystem, which are responsible for this activity. 

In addition to serving as a foundational platform, Aisuru enables the development and deployment of derivative variants, including Kimwolf, which extends the botnet's reach and operational flexibility. By continuously exploiting exposed or poorly secured devices in the consumer and cloud environments, the ecosystem has created a globally distributed attack surface reflective of a larger shift in how modern botnets are designed. 

In contrast to the traditional techniques of DDoS relying solely on persistence, Aisuru-based networks emphasize scalability, rapid mobilization, and adaptive attack techniques, signalling the development of an evolving threat model that is reshaping the upper limits of large-scale DDoS attacks. 

Additionally, people have seen a clear shift from long-duration attacks to short-duration, high-intensity attacks that are designed to maximize disruptions while minimizing exposure. There has been a significant decrease in the number of attacks that persist longer than a short period of time, with only a small fraction lasting longer than that period.

There were overwhelmingly three to five billion packets per second at peak for the majority of incidents, while the overall packet rate was overwhelmingly clustered between one and five terabits per second. It reflects a deliberate operational strategy to concentrate traffic within narrowly defined, yet extremely extreme thresholds, with the goal of promoting rapid saturation over prolonged engagement. 

Although these attacks were large in scope, Cloudflare's defenses were automatically able to identify and mitigate them without initiating internal escalation procedures, highlighting the importance of real-time, autonomous mitigation systems in combating modern DDoS threats. 

Although Cloudflare's analysis indicates a notable variation in attack sourcing during the so-called "Night Before Christmas" campaign as compared to previous waves of Aisuru botnet activity originating from compromised IoT devices and consumer routers, Cloudflare's analysis shows a significant change in attack sourcing. 

As part of that wave of activity, Android-based television devices became the primary source of traffic, which highlights how botnet ecosystems continue to engulf non-traditional endpoints. In addition to expanding attack capacity, this diversity of compromised hardware complicates defensive modeling, as traffic originates from devices which blend into legitimate consumer usage patterns, increasing the complexity of defensive modeling. 

These findings correspond to broader trends documented in Cloudflare's fourth-quarter 2025 DDoS Threat Report, which documented a 121 percent increase in attack volume compared with the previous year, totaling 47.1 million incidents. 

A Cloudflare application has been able to mitigate over 5,300 DDoS attacks a day, nearly three quarters of which occurred on the network layer and the remainder targeting HTTP application services. During the final quarter, the number of DDoS attacks accelerated further, increasing by 31 percent from the previous quarter and 58 percent from the previous year, demonstrating a continuing increase in both frequency and intensity. 

A familiar pattern of industry targeting was observed during this period, but it was becoming increasingly concentrated, with telecommunications companies, IT and managed services companies, online gambling platforms and gaming companies experiencing the greatest levels of sustained pressure. Among attack originators, Bangladesh, Ecuador, and Indonesia appeared to be the most frequently cited sites, with Argentina becoming a significant source while Russia's position declined. 

Throughout the year, organizations located in China, Hong Kong, Germany, Brazil, and the United States experienced the largest amount of DDoS attacks, reflecting the persistent focus on regions with dense digital infrastructure and high-value online services. 

According to a review of attack source distribution in the fourth quarter of 2025, there have been notable changes in the geographical origins of malicious traffic, which supports the emergence of a fluid global DDoS ecosystem.

A significant increase was recorded in attack traffic by Bangladesh during the period, displace Indonesia, which had maintained the top position throughout the previous year but subsequently fell to third place. Ecuador ranked second, while Argentina climbed twenty positions to take the fourth position, regaining its first place in attack traffic. 

In addition to Hong Kong, Ukraine, Vietnam, Taiwan, Singapore, and Peru, there were other high-ranking origins, which emphasize the wide international dispersion of attack infrastructure. The relative activity of Russia declined markedly, falling several positions, while the United States also declined, reflecting shifting operational preferences rather than a decline in regional engagement. 

According to a network-level analysis, threat actors continue to favor infrastructure that is scalable, flexible and easy to deploy. A significant part of attacks observed in the past few months have been generated by cloud computing platforms, with providers such as DigitalOcean, Microsoft, Tencent, Oracle, and Hetzner dominating the higher tiers of originating networks with their offerings. 

Throughout the trend, there has been a sustained use of on-demand virtual machines to generate high-volume attack traffic on a short notice basis. In addition to cloud services, traditional telecommunications companies remained prominent players as well, especially in parts of the Asia-Pacific region, including Vietnam, China, Malaysia, and Taiwan.

Large-scale DDoS operations are heavily reliant on both modern cloud environments and legacy carrier infrastructure. The Cloudflare global mitigation infrastructure was able to absorb the unprecedented intensity of the "Night Before Christmas" campaign without compromising service quality. 

In spite of 330 points of presence and a total mitigation capacity of 449 terabits per second, only a small fraction of the total mitigation capacity was consumed, which left the majority of defensive capacity untouched during the record-setting flood of 31.4 Tbps. 

It is noteworthy that detection and mitigation were performed autonomously, without the need for internal alerts or manual intervention, thus underscoring the importance of machine-learning-driven systems for responding to attacks that unfold at a rapid pace. 

As a whole, the campaign illustrates the widening gap between hackers’ growing capability and the defensive limitations of organizations relying on smaller-scale protection services, many of which would have been theoretically overwhelmed by an attack of this magnitude if it had taken place. 

An overall examination of the Aisuru campaign indicates that a fundamental shift has taken place in the DDoS threat landscape, with attack volumes no longer constrained by traditional assumptions about bandwidth ceilings and device types.

The implications for defenders are clear: resilience cannot be treated as a static capability, but must evolve concurrently with adversaries operating at a machine-scale and speed that is increasingly prevalent. 

Due to the complexity of the threats that are becoming more prevalent in the world, organizations have been forced to reevaluate not only their mitigation capabilities, but also the architectural assumptions that lay behind their security strategies, particularly when latency, availability, and trust are essential factors. 

Hypervolumetric attacks are becoming shorter, sharper, and more automated over time. Therefore, effective defense will be dependent on global infrastructure, real-time intelligence, and automated response mechanisms that are capable of absorbing disruptions without human intervention. Accordingly, the Aisuru incident is less of an anomaly and more of a preview of the operational baseline against which modern networks must prepare.
Read more »
Department of Homeland Security
AI Systems CISA Cyber Security Cyber Threats data security Department of Homeland Security

CISA Issues New Guidance on Managing Insider Cybersecurity Risks

 



The US Cybersecurity and Infrastructure Security Agency (CISA) has released new guidance warning that insider threats represent a major and growing risk to organizational security. The advisory was issued during the same week reports emerged about a senior agency official mishandling sensitive information, drawing renewed attention to the dangers posed by internal security lapses.

In its announcement, CISA described insider threats as risks that originate from within an organization and can arise from either malicious intent or accidental mistakes. The agency stressed that trusted individuals with legitimate system access can unintentionally cause serious harm to data security, operational stability, and public confidence.

To help organizations manage these risks, CISA published an infographic outlining how to create a structured insider threat management team. The agency recommends that these teams include professionals from multiple departments, such as human resources, legal counsel, cybersecurity teams, IT leadership, and threat analysis units. Depending on the situation, organizations may also need to work with external partners, including law enforcement or health and risk professionals.

According to CISA, these teams are responsible for overseeing insider threat programs, identifying early warning signs, and responding to potential risks before they escalate into larger incidents. The agency also pointed organizations to additional free resources, including a detailed mitigation guide, training workshops, and tools to evaluate the effectiveness of insider threat programs.

Acting CISA Director Madhu Gottumukkala emphasized that insider threats can undermine trust and disrupt critical operations, making them particularly challenging to detect and prevent.

Shortly before the guidance was released, media reports revealed that Gottumukkala had uploaded sensitive CISA contracting documents into a public version of an AI chatbot during the previous summer. According to unnamed officials, the activity triggered automated security alerts designed to prevent unauthorized data exposure from federal systems.

CISA’s Director of Public Affairs later confirmed that the chatbot was used with specific controls in place and stated that the usage was limited in duration. The agency noted that the official had received temporary authorization to access the tool and last used it in mid-July 2025.

By default, CISA blocks employee access to public AI platforms unless an exception is granted. The Department of Homeland Security, which oversees CISA, also operates an internal AI system designed to prevent sensitive government information from leaving federal networks.

Security experts caution that data shared with public AI services may be stored or processed outside the user’s control, depending on platform policies. This makes such tools particularly risky when handling government or critical infrastructure information.

The incident adds to a series of reported internal disputes and security-related controversies involving senior leadership, as well as similar lapses across other US government departments in recent years. These cases are a testament to how poor internal controls and misuse of personal or unsecured technologies can place national security and critical infrastructure at risk.

While CISA’s guidance is primarily aimed at critical infrastructure operators and regional governments, recent events suggest that insider threat management remains a challenge across all levels of government. As organizations increasingly rely on AI and interconnected digital systems, experts continue to stress that strong oversight, clear policies, and leadership accountability are essential to reducing insider-related security risks.

Read more »
Innovation
AI Deepfakes Artificial Intelligence Cyber Security Cyber Threats Financial Data Innovation

Why Cybersecurity Threats in 2026 Will Be Harder to See, Faster to Spread, And Easier to Believe

 


The approach to cybersecurity in 2026 will be shaped not only by technological innovation but also by how deeply digital systems are embedded in everyday life. As cloud services, artificial intelligence tools, connected devices, and online communication platforms become routine, they also expand the surface area for cyber exploitation.

Cyber threats are no longer limited to technical breaches behind the scenes. They increasingly influence what people believe, how they behave online, and which systems they trust. While some risks are still emerging, others are already circulating quietly through commonly used apps, services, and platforms, often without users realizing it.

One major concern is the growing concentration of internet infrastructure. A substantial portion of websites and digital services now depend on a limited number of cloud providers, content delivery systems, and workplace tools. This level of uniformity makes the internet more efficient but also more fragile. When many platforms rely on the same backbone, a single disruption, vulnerability, or attack can trigger widespread consequences across millions of users at once. What was once a diverse digital ecosystem has gradually shifted toward standardization, making large-scale failures easier to exploit.

Another escalating risk is the spread of misleading narratives about online safety. Across social media platforms, discussion forums, and live-streaming environments, basic cybersecurity practices are increasingly mocked or dismissed. Advice related to privacy protection, secure passwords, or cautious digital behavior is often portrayed as unnecessary or exaggerated. This cultural shift creates ideal conditions for cybercrime. When users are encouraged to ignore protective habits, attackers face less resistance. In some cases, misleading content is actively promoted to weaken public awareness and normalize risky behavior.

Artificial intelligence is further accelerating cyber threats. AI-driven tools now allow attackers to automate tasks that once required advanced expertise, including scanning for vulnerabilities and crafting convincing phishing messages. At the same time, many users store sensitive conversations and information within browsers or AI-powered tools, often unaware that this data may be accessible to malware. As automated systems evolve, cyberattacks are becoming faster, more adaptive, and more difficult to detect or interrupt.

Trust itself has become a central target. Technologies such as voice cloning, deepfake media, and synthetic digital identities enable criminals to impersonate real individuals or create believable fake personas. These identities can bypass verification systems, open accounts, and commit fraud over long periods before being detected. As a result, confidence in digital interactions, platforms, and identity checks continues to decline.

Future computing capabilities are already influencing present-day cyber strategies. Even though advanced quantum-based attacks are not yet practical, some threat actors are collecting encrypted data now with the intention of decrypting it later. This approach puts long-term personal, financial, and institutional data at risk and underlines the need for stronger, future-ready security planning.

As digital and physical systems become increasingly interconnected, cybersecurity in 2026 will extend beyond software and hardware defenses. It will require stronger digital awareness, better judgment, and a broader understanding of how technology shapes risk in everyday life.

Read more »
Infrastructure Security
Critical Infrastructure Security Cyber Attacks Cyber Security Ransomware Attacks Cyber Threats Hypervisor Infrastructure Security

Hypervisor Ransomware Attacks Surge as Threat Actors Shift Focus to Virtual Infrastructure

 

Hypervisors have emerged as a highly important, yet insecure, component in modern infrastructural networks, and attackers have understood this to expand the reach of their ransomware attacks. It has been observed by the security community that the modes of attack have changed, where attackers have abandoned heavily fortified devices in favor of the hypervisor, the platform through which they have the capability to regulate hundreds of devices at one time. In other words, a compromised hypervisor forms a force multiplier in a ransomware attack. 

Data from Huntress on threat hunting indicates the speed at which this trend is gathering pace. Initially in the early part of 2025, hypervisors were involved in just a few percent of ransomware attacks. However, towards the latter part of the year, this number had risen substantially, with hypervisor-level encryption now contributing towards a quarter of these attacks. This is largely because the Akira ransomware group is specifically leveraging vulnerabilities within virtualized infrastructure.  

Hypervisors provide attackers the opportunity by typically residing outside the sight of traditional security software. For this reason, bare-metal hypervisors are of particular interest to attackers since traditional security software cannot be set up on these environments. Attacks begin after gaining root access, and the attackers will be able to encrypt the disks on the virtual machines. Furthermore, attackers will be able to use the built-in functions to execute the encryption process without necessarily setting up the ransomware. 

In this case, security software would be rendered unable to detect the attacks. These attacks often begin with loopholes in credentials and network segmentation. With the availability of Hypervisor Management Interfaces on the larger internets inside organizations, attackers can launch lateral attacks when they gain entry and gain control of the virtualization layer. Misuse of native management tools has also been discovered by Huntress for adjusting Machine Settings, degrading defenses, and preparing the environment for massive Ransomware attacks. 

Additionally, the increased interest in hypervisors has emphasized that this layer must be afforded the equivalent security emphasis on it as for servers and end-points. Refined access controls and proper segmentation of management networks are required to remediate this. So too is having current and properly maintained patches on this infrastructure, as it has been shown to have regularly exploited vulnerabilities for full administrative control and rapid encryption of virtualized environments. While having comprehensive methods in place for prevention, recovery planning is essential in this scenario as well. 

A hypervisor-based ransomware is meant for environments, which could very well go down, hence the need for reliable backups, ideally immutables. This is especially true for organizations that do not have a recovery plan in place. As ransomware threats continue to evolve and become more sophisticated, the role of hypervisors has stepped up to become a focal point on the battlefield of business security. 

This is because by not securing and protecting the hypervisor level against cyber threats, what a business will essentially present to the cyber attackers is what they have always wanted: control of their whole operation with a mere click of their fingers.
Read more »
Vulnerability Exploits
AWS Cloud Outage Risks Cyber Threats DDOS Attacks Firmware Security IOT Security malware Mirai Network Defense ShadowV2 Botnet Vulnerability Exploits

ShadowV2 Botnet Activity Quietly Intensified During AWS Outage

 


The recently discovered wave of malicious activity has raised fresh concerns for cybersecurity analysts, who claim that ShadowV2 - a fast-evolving strain of malware that is quietly assembling a global network of compromised devices - is quietly causing alarm. It appears that the operation is based heavily upon Mirai's source code and is much more deliberate and calculated than previous variants. The operation is spread across more than 20 countries. 

Moreover, ShadowV2 has been determined to have been created by actors exploiting widespread misconfigurations in everyday Internet of Things hardware. This is an increasingly common weakness in modern digital ecosystems and it is aimed at building a resilient, stealthy, and scaleable botnet. The campaign was discovered by FortiGuard Labs during the Amazon Web Services disruption in late October, which the operators appeared to have been using to cover up their activity. 

During the outage, the malware spiked in activity, an activity investigators interpret to be the result of a controlled test run rather than an opportunistic attack, according to the report. During its analysis of devices from DDWRT (CVE-2009-2765), D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), DigiEver (CVE-2023-52163), TBK (CVE-2024-3721), TP-Link (CVE-2024-53375), and DigiEver (CVE-2024-53375), ShadowV2 was observed exploiting a wide range of CVE-2024-53375. 

A campaign’s ability to reach out across industries and geographies, coupled with its precise use of IoT flaws, is indicative of a maturing cybercriminal ecosystem, according to experts. This ecosystem is becoming increasingly adept at leveraging consumer-grade technology to stage sophisticated and coordinated attacks in the future. 

ShadowV2 exploited a variety of vulnerabilities that have been identified for a long time in IoT security, particularly in devices that have already been retired by manufacturers. This report, which is based on a research project conducted by NetSecFish, identified a number of vulnerabilities that could be affecting D-Link products that are at the end of their life cycle. 

The most concerning issue is CVE-2024-10914, which is a command-injection flaw affecting end-of-life D-Link products. In November 2024, a related issue, CVE-2024-10915, was found by researchers in a report published by NetSecFish. However, after finding no advisory, D-Link later confirmed that the affected devices had reached end of support and were unpatched. 

The vendor responded to inquiries by updating an existing bulletin to include the newly assigned CVE and issuing a further announcement that has directly related to the ShadowV2 campaign, reminding customers that outdated hardware will no longer receive security updates or maintenance, and that security updates will not be provided on them anymore. 

During the same period, a vulnerability exploited by the botnet, CVE-2024-53375, was revealed. This vulnerability has been reported to have been resolved through a beta firmware update. Considering that all of these lapses are occurring together, they serve as an excellent illustration of the fact that aging consumer devices continue to serve as a fertile ground for large-scale malicious operations long after support has ended, as many of these devices are left running even after support has ended. 

Based on the analysis of the campaign, it seems as though ShadowV2's operators use a familiar yet effective distribution chain to spread its popularity and reach as widely as possible. By exploiting a range of vulnerable IoT vulnerabilities, the attackers are able to download a software program known as binary.sh, which is located at 81[.]88[.]18[.]108, which is the command server's location. As soon as the script is executed, it fetches the ShadowV2 payload - every sample is identified by the Shadow prefix - which is similar to the well-known Mirai offshoot LZRD in many ways.

A recent study examining the x86-64 build of the malware, shadow.x86_64, has found that the malware initializes its configuration and attack routines by encoding them using a light-weight XOR-encoding algorithm, encrypting them with one byte (0x22) to protect file system paths, HTTP headers, and User-Agent strings using a single byte key. 

As soon as these parameters are decoded, the bot connects with its command-and-control server, where it waits for instructions on how to launch distributed denial-of-service attacks. While aesthetically modest in nature, this streamlined design is a reflection of a disciplined and purpose-built approach which makes it easy for deployment across diverse hardware systems without attracting attention right away. 

According to Fortinet, a deeper analysis of the malware—which uses XOR capabilities to encrypt configuration data and compact binaries—underscores that ShadowV2 shares many of the same features as the LZRD strain derived from Mirai. This allows ShadowV2 to minimize its visibility on compromised systems in a similar fashion. 

An infection sequence that has been observed across multiple incidents follows a consistent pattern: attackers are the ones who break into a vulnerable device, then they download the ShadowV2 payload via 81[.]88[.]18[.]108, and then they proceed to install it. The malware connects to its command server at silverpath[.]shadowstresser[.]info immediately after it has been installed, allowing it to be part of a distributed network geared towards coordinated attacks. 

Once installed, the malware immediately resides on the compromised device. In addition to supporting a wide range of DDoS techniques, including UDP, TCP, and HTTP, the botnet is well suited for high-volume denial-of-service operations, including those associated with for-hire DDoS services, criminal extortion, and targeted disruption campaigns. 

Researchers claim that ShadowV2's initial activity window may have been purposefully chosen to be the right time to conduct its initial operations. It is perfectly possible to test botnets at an early stage in the early stages of their development during major outages, such as the AWS disruption of late October, as sudden traffic irregularities are easily blended into the broader instability of the service. 

By targeting both consumer-grade and enterprise-grade IoT systems, operators seem to be building an attack fabric that is flexible and geographically diffuse, and capable of scaling rapidly, even in times of overwhelming defensive measures. While the observation was brief, analysts believe that it served as a controlled proof-of-concept that could be used to determine if a more expansive or destructive return could occur as a result of future widespread outages or high-profile international events. 

Fortinet has issued a warning for consumers and organizations to strengthen their defenses before similar operations occur in the future, in light of the implications of the campaign. In addition to installing the latest firmware on all supported IoT and networking devices, the company emphasizes the importance of decommissioning any end-of-life D-Link or other vendor devices, as well as preventing unnecessary internet-exposed features such as remote management and UPnP, to name just a few. 

Additionally, IoT hardware should be isolated within segmented networks, outbound traffic and DNS queries are monitored for anomalies, and strong, unique passwords should be enforced across all interfaces of all connected devices. As a whole, these measures aim to reduce the attack surface that has enabled the rapid emergence of IoT-driven botnets such as ShadowV2 to flourish. 

As for ShadowV2's activity, it has only been limited to the short window of the Amazon Web Services outage, but researchers stress that it should act as a timely reminder of the fragile state of global IoT security at the moment. During the campaign, it is stressed that the continued importance of protecting internet-connected devices, updating firmware regularly, and monitoring network activity for unfamiliar or high-volume traffic patterns that may signal an early compromise of those devices has been underscored. 

Defendants will benefit from an extensive set of indicators of compromise that Fortinet has released in order to assist them with proactive threat hunting, further supporting what researcher Li has described as an ongoing reality in cybersecurity: IoT hardware remains one of the most vulnerable entry points for cybercriminals. When ShadowV2 emerged, there was an even greater sense of concern when Microsoft disclosed just days later, days after its suspected test run, that Azure had been able to defend against what they called the largest cloud-based DDoS attack ever recorded. 

As a result of this attack, attributed to the Aisuru botnet, an unprecedented 15.72 Tbps was reached, resulting in nearly 3.64 billion packets per second being delivered. Despite the attack, Microsoft reported that it had successfully been absorbed by its cloud DDoS protection systems on October 24, thus preventing any disruptions to customer workflows. 

Analysts suggest that the timing of the two incidents indicates a rapidly intensifying threat landscape in which adversaries are increasingly preparing to launch large-scale attacks, often without much advance notice. Analysts are pointing out that the ShadowV2 incident is not merely an isolated event, but should also be considered a preview of what a more volatile era of botnet-driven disruption might look like once the dust settles on these consecutive warning shots. 

Due to the convergence of aging consumer hardware and incomplete patch ecosystems, as well as the increasing sophistication of adversaries, an overlooked device can become a launchpad for global-scale attacks as a result of this emergence. According to experts, real resilience will require more than reactive patching: settings that embed sustained visibility into their networks, enforcing strict asset lifecycle management, and incorporating architectures that limit the blast radius of inevitable compromises are all priorities that need to be addressed. 

Consumers also play a crucial role in preventing botnets from spreading by replacing unsupported devices, enabling automatic updates, and regularly reviewing router and Internet-of-Things configurations, which collectively help to reduce the number of vulnerable nodes available to botnets. 

In the face of attacks that demonstrate a clear willingness to demonstrate their capabilities during times of widespread disruption, cybersecurity experts warn that proactive preparedness must replace event-based preparedness as soon as possible. As they argue, the ShadowV2 incident serves as a timely reminder that strengthening the foundations of IoT security today is crucial to preventing much more disruptive campaigns from unfolding tomorrow.
Read more »
Scams
2FA Cyber Threats Digital ID Digital identification Passwords Privacy Ransomware Scams

How Oversharing, Weak Passwords, and Digital IDs Make You an Easy Target and What You Can Do




The more we share online, the easier it becomes for attackers to piece together our personal lives. Photos, location tags, daily routines, workplace details, and even casual posts can be combined to create a fairly accurate picture of who we are. Cybercriminals use this information to imitate victims, trick service providers, and craft convincing scams that look genuine. When someone can guess where you spend your time or what services you rely on, they can more easily pretend to be you and manipulate systems meant to protect you. Reducing what you post publicly is one of the simplest steps to lower this risk.

Weak passwords add another layer of vulnerability, but a recent industry assessment has shown that the problem is not only with users. Many of the most visited websites do not enforce strong password requirements. Some platforms do not require long passwords, special characters, or case sensitivity. This leaves accounts easier to break into through automated attacks. Experts recommend that websites adopt stronger password rules, introduce passkey options, and guide users with clear indicators of password strength. Users can improve their own security by relying on password managers, creating long unique passwords, and enabling two factor authentication wherever possible.

Concerns about device security are also increasing. Several governments have begun reviewing whether certain networking devices introduce national security risks, especially when the manufacturers are headquartered in countries that have laws allowing state access to data. These investigations have sparked debates over how consumer hardware is produced, how data flows through global supply chains, and whether companies can guarantee independence from government requests. For everyday users, this tension means it is important to select routers and other digital devices that receive regular software updates, publish clear security policies, and have a history of addressing vulnerabilities quickly.

Another rising threat is ransomware. Criminal groups continue to target both individuals and large organisations, encrypting data and demanding payment for recovery. Recent cases involving individuals with cybersecurity backgrounds show how profitable illicit markets can attract even trained professionals. Because attackers now operate with high levels of organisation, users and businesses should maintain offline backups, restrict access within internal networks, and test their response plans in advance.

Privacy concerns are also emerging in the travel sector. Airline data practices are also drawing scrutiny. Travel companies cannot directly sell passenger information to government programs due to legal restrictions, so several airlines jointly rely on an intermediary that acts as a broker. Reports show that this broker had been distributing data for years but only recently registered itself as a data broker, which is legally required. Users can request removal from this data-sharing system by emailing the broker’s privacy address and completing identity verification. Confirmation records should be stored for reference. The process involves verifying identity details, and users should keep a copy of all correspondence and confirmations. 

Finally, several governments are exploring digital identity systems that would allow residents to store official identification on their phones. Although convenient, this approach raises significant privacy risks. Digital IDs place sensitive information in one central location, and if the surrounding protections are weak, the data could be misused for tracking or monitoring. Strong legal safeguards, transparent data handling rules, and external audits are essential before such systems are implemented.

Experts warn that centralizing identity increases the potential impact of a breach and may facilitate tracking unless strict limits, independent audits, and user controls are enforced. Policymakers must balance convenience with strong technical and legal protections. 


Practical, immediate steps one should follow:

1. Reduce public posts that reveal routines or precise locations.

2. Use a password manager and unique, long passwords.

3. Turn on two factor authentication for important accounts.

4. Maintain offline backups and test recovery procedures.

5. Check privacy policies of travel brokers and submit opt-out requests if you want to limit data sharing.

6. Prefer devices with clear update policies and documented security practices.

These measures lower the chance that routine online activity becomes a direct route into your accounts or identity. Small, consistent changes will greatly reduce risk.

Overall, users can strengthen their protection by sharing less online, reviewing how their travel data is handled, and staying informed about the implications of digital identification. Small and consistent actions reduce the likelihood of becoming a victim of cyber threats.

Read more »
Password Security
Browser Vulnerabilities Cyber Threats Cybersecurity awareness Data Breach Prevention digital safety Identity Protection Online Privacy Password Manager Password Security

Why It’s Time to Stop Saving Passwords in the Browser

 


As convenience often takes precedence over caution in the digital age, the humble "Save Password" prompt has quietly become one of the most overlooked security traps of the digital age, one of the most overlooked security threats. The number of users who entrust their most sensitive credentials to their browsers each day is staggering. 

In a bid to relieve themselves of the constant burden of remembering multiple logins every day, millions of people are willing to trust their browsers. As seemingly innocent as it may seem to simplify daily life, this shortcut conceals a significant and growing cybersecurity threat that is rapidly spreading across the globe. The very feature that was designed to make online access effortless has now become a prime target for cybercriminals.

These thieves are able to retrieve the passwords stored on local computers within minutes — often even without the user's knowledge — and sell them for a profit or further exploitation on dark web marketplaces. 

By storing encrypted login information within a user's profile data, browser-based password managers can be reclaimed when needed by storing them in their profile data, automatically recalling them when necessary, and even syncing across multiple devices that are connected to the same account. In addition to improving accessibility and ease of use with this integration, the potential attack surface is multiplied. 

As soon as a single account or system has been compromised, every password saved has been exposed to attack. During an age where digital threats are becoming increasingly sophisticated, experts warn that convenience-driven habits, such as saving passwords in the browser, may end up costing the users much more than the few seconds they save at login time when they save passwords in their browser.

Even though browser-based password storage remains the default choice for many users, experts are increasingly emphasising the advantages of dedicated password managers - tools that can be used across multiple platforms and ecosystems independently. 

Many browser managers do not sync with their own environments; they only sync with their own environments, such as Google and Chrome, Apple and Safari, or Microsoft with Edge. However, standalone password managers surpass these limitations. It is compatible with all major browsers and operating systems, so users will be able to access their credentials on both Macs and Windows computers, as well as Android phones and iPhones, regardless of whether they are using a MacBook or a Windows computer. 

These managers act as independent applications, rather than integrated components of browsers, so that they provide both flexibility and resilience. They provide a safe and secure means of transferring data from one device to another, allowing users to be independent of any single vendor's ecosystem. Modern password managers have more to offer than simply storing credentials. 

Families, friends, and professional teams can use them to share secure passwords among themselves, ensuring critical access during times of crisis or collaboration. Additionally, encrypted local copies of stored data are maintained on the computers, so that users can access their data offline even when their phone or Internet connection is disconnected. 

Using this capability, important credentials are always readily available whenever and wherever they are required, without sacrificing security. Contrary to this, browser-based password saving has continued to attract users around the world — from small business owners trying to maximise efficiency to workers at large corporations juggling multiple logins — because of its ease of use. This convenience is not without its dangers, however. 

Cybercriminals use browser-stored credentials daily as a means of exploiting them via stealer malware, phishing attacks and tools that retrieve autofill information, cookies, and stored sessions. Once these credentials have been obtained, they are quickly circulated and sold on dark web forums and encrypted Telegram channels, allowing attackers to gain access to sensitive corporate and personal data. 

Many consequences can result from a harmless click on the “Save Password” button that can affect not just an individual but entire organisations as well. Despite this appearance of efficiency, there is a fundamental flaw beneath this efficiency: browsers were never intended to serve as secure vaults for passwords. The main purpose of browsers is still web browsing, and password storage is only an optional feature. 

When it comes to strengthening in-browser security, it's crucial to ensure the encryption keys are only held by the device owner by enabling on-device encryption, which is available through services like Google Password Manager. This feature integrates directly with the device's screen lock and creates an additional layer of protection that prevents people from accessing passwords stored on the user; device. 

As a consequence, it comes with a trade-off as well: users who lose access to their Google accounts or devices may be permanently locked out of their saved credentials. Another essential measure is enabling password autofill features on browsers, a feature that remains one of the most easily exploited browser conveniences. 

It is possible, for example, to toggle off "Offer to save passwords" in Chrome by going to "Settings" > "Autofill and passwords" > "Google Password Manager." 

Using Microsoft Edge, users can achieve the same level of protection by enabling the option "Autofill Passwords and Passkeys" in the "Passwords and autofill" section of Settings, while Safari users on macOS Catalina 10.15 and later can use the File menu to export and modify passwords in order to limit their exposure.

In addition to the above adjustments, implementing two-factor authentication across all accounts adds a second line of defense, which means that even if credentials are compromised, unauthorized access remains unlikely, even with compromised credentials. 

In order to further reduce potential risks, it is important to review and eliminate stored passwords tied to sensitive or high-value accounts. However, browser-stored passwords are a fraction of the information that is silently accumulated by most browsers. A browser, in addition to storing login credentials, also contains a wealth of personal and corporate data that can be of invaluable use to cybercriminals. 

By saving credit card information, autofilling information like addresses and telephone numbers, cookies, browsing history, and cached files, we can gather a detailed picture of the user's digital life over the course of a lifetime. Using compromised cookies, attackers may be able to hijack active sessions without using a password, while stolen autofill data can serve as a weapon for identity theft or phishing schemes. 

Inadvertently, bookmarks or download histories could reveal sensitive client-related materials or internal systems. In essence, the browser functions as an unsecured vault for financial, professional, and personal information, all enclosed in a convenient layer that is prone to easy breach. 

It would be much safer and more structured to use dedicated password managers such as 1Password, Dashlane, Bitwarden, and LastPass if they were made from the ground up with encryption, privacy, and cross-platform protection as their core design principles. These tools transcend the limitations of browsers by providing a much more secure and structured alternative. 

In addition to safeguarding passwords, they also ensure that the user remains fully in control of their digital credentials. They provide the perfect balance between convenience and uncompromising security in today's connected world. As digital life continues to become more entwined with convenience, protecting one's online identity has never been a higher priority than it has ever been.

To attain a higher level of security, users must move beyond short-term comfort and establish proactive security habits. For instance, they should update their passwords regularly, avoid reusing them, monitor for breaches, and use trusted password management solutions with zero-knowledge encryption. There is an important difference between the use of browser-stored credentials versus secure, dedicated platforms that take care of themselves. 

In a world where cyberthreats are evolving at a rapid pace, users must have a feeling that their data is safe and secure, not only that it is also easy to use and simple to operate.
Read more »
Svenska Kraftnät
Critical Infrastructure Cyber Threats Cybersecurity Data Breach Everest Ransomware Network Protection Power Grid Security Ransomware attack Svenska Kraftnät

Sweden Confirms Power Grid Breach Amid Growing Ransomware Concerns

 


Swedish power grid operator, Suderland, has confirmed it is investigating a security incident related to a potential ransomware attack aimed at decrypting sensitive data as part of its ongoing cybersecurity investigation, a revelation that has stirred alarm across Europe's critical infrastructure community.

It has been revealed by Svenska kraftnät, the state-owned company in charge of ensuring the nation's electricity transmission networks, that a criminal group has threatened to release what it claims to be hundreds of gigabytes of internal data allegedly stolen from the organization's computer system in order to sell it to the public. It appears, based on initial findings, that the breach occurred solely through a limited external file transfer platform, and officials stressed that the electricity supply and core grid of Sweden have not been affected.

In spite of this, the revelation has raised alarm about the threat to critical energy infrastructure from cyber extortion, which has increased as authorities continue to figure out exactly how extensive and damaging the cyber extortion attack has been. A breach which took place on October 26, 2025, reverberated throughout the cybersecurity landscape across Europe, highlighting the fragility of digital defences protecting critical infrastructure for the first time. 

In response to claims made by the notorious Everest ransomware group, Sweden's government-owned electricity transmission company, which plays a crucial role in the stability of the country's power grid, confirmed a data compromise had been confirmed by Svenska kraftnät. In spite of the fact that the full scope of the intrusion is still being investigated, early indications suggest that the attackers may have obtained or exfiltrated sensitive internal data as part of the intrusion. 

It has been reported that the Everest group, notorious for coordinated extortion campaigns and sophisticated methods of network infiltration, has publicly accepted responsibility, increasing scrutiny of both national and international cybersecurity authorities. Such attacks on critical national infrastructure (CNI), according to experts, have far-reaching consequences, threatening both operational continuity as well as economic stability and public confidence, among others. 

It has rekindled the need to strengthen cyber resilience frameworks, to collaborate on threat intelligence, and to increase vigilance across essential service providers to prevent similar disruptions in the future. Despite the intrusion, officials have assured that the nation's power transmission and supply operations remain fully operational, with no signs that mission-critical infrastructure will be affected by the intrusion. 

The extent to which the organisation has been compromised is still being investigated while securing affected systems and assessing the nature of the leaked information. In spite of the fact that it is still uncertain to what extent the breach has affected the organisation, early reports suggest that around 280 gigabytes of internal data may have been stolen. An established cybercrime group known as Everest has claimed responsibility for the recent attack on Svenska Kraftnät, and they have listed Svenska Kraftnät among their victims on a Tor-based data leak website, which was launched in late 2020. 

A notorious group for extortion and cyberattacks, the group has been previously linked to high-profile incidents such as Collins Aerospace's cyberattack, which disrupted operations at several European airports as a result. Despite the increasing boldness of ransomware actors to attack key entities of national infrastructure, the latest claim against Sweden's key power operator is a clear indication of what is happening. 

In the process of investigating the incident, Svenska kraftnät continues to maintain close coordination with law enforcement and cybersecurity agencies to identify the perpetrators and mitigate further risks. Despite the fact that this incident has been isolated, it is nonetheless an indication of the escalating cyber threat landscape affecting critical infrastructure providers, where even isolated system failures can pose significant risks to national stability and public confidence. 

Svenska kraftnät has confirmed to the media that Cem Göcgoren, Head of Information Security at Svenska kraftnät, is leading a comprehensive forensic investigation to determine the nature and extent of the data compromised during the cyberattack, as well as to assess the level of damage that has been caused. It has been determined that the breach of security did not affect Sweden's transmission or distribution systems, with officials reassuring that the country's electricity systems should continue to operate uninterrupted during the investigation. 

The aforementioned distinction highlights that the attackers probably targeted administrative or corporate data, not the systems responsible for managing real-time power flo,whichat are responsible for preventing potential disruptions from occurring, which is a critical factor in preventing potentially severe damagSvenska kraftnät must informrms the national law enforcement authorities of the intrusion immediately after it discovers the intrusion and coordinates with the appropriate government agencies to safeguard the infrastructure and cybersecurity of the network. 

As a result of the swift escalation, power grid operators are becoming increasingly regarded as prime targets by ransomware groups, given the strategic and economic leverage they hold. There is a known ransomware gang, Everest, that has claimed responsibility for the attack. This group is notorious for its "double extortion" tactics, in which they encrypt the data of victims while simultaneously threatening to publish the stolen files in the absence of the ransom payment. 

According to cybersecurity experts, this incident has served to underscore the importance of vigilant security governance within critical infrastructure sectors. In terms of countermeasures, it is recommended that robust incident response protocols be activated, as well as users be isolated from compromised systems, and detailed forensic assessments be conducted in order to identify vulnerabilities exploited during the breach. 

The strengthening of the defenders through multi-factor authentication, network segmentation, and the disciplined management of patches is of utmost importance at this time, especially as ransomware operators target flaws in enterprise software products such as VMware vCenter and Ivanti software with increasing frequency. Furthermore, keeping immutable offline backups, making employees aware of phishing and social engineering threats, and leveraging real-time threat intelligence can all help to strengthen resilience against similar attacks in the future. 

Thus, the Svenska kraftnät breach serves both as a warning and a lesson in the ongoing fight against the cyberattacks of modern societies, both in the sense that they serve as a warning and a lesson. In the energy sector, the incident serves as a defining reminder that cybersecurity is no longer only a technical issue, but is also a matter of national resilience. With ransomware actors becoming more sophisticated and audacious, power grid operators have to take a proactive approach and move from reactive defence to predictive intelligence - by adopting continuous monitoring and zero-trust architectures, as well as collaborating with multiple agencies to strengthen digital ecosystems. 

Aside from immediate containment efforts, it will be essential to invest in cybersecurity training, international alliances for information sharing, and next-generation defence technologies to prevent future cyber threats. While alarming, the Svenska kraftnät breach presents a unique opportunity for governments and industries alike to strengthen their digital trust and operational stability by using this breach.
Read more »
Telecom Security
Critical Infrastructure Cyber Threats Cybersecurity Breach Data Threats Cyber Espionage nation-state hackers Network Resilience Ribbon Communications Telecom Security

Ribbon Targeted in Cyber Espionage Campaign by Nation-State Actors


 

Among the many revelations which illustrate how sophisticated state-backed cyber intrusions are, Ribbon Communications has confirmed that its internal network was compromised by government-backed hackers who kept unauthorised access for almost a year before they were detected, a revelation that emphasises the growing sophistication of state-backed cyber intrusions. 

The company disclosed in its 10-Q filing with the Securities and Exchange Commission (SEC) that a suspected nation-state actor was suspected to have infiltrated their IT systems in December of 2024, but the threat was undetected until this year, according to Ribbon. 

Ribbon stated in its statement that it has since informed federal law enforcement agencies and believes that its environment has been cleared of the attackers. With its headquarters in Texas, Ribbon stands out in the global telecom ecosystem as one of the key players. 

Ribbon provides voice, networking, and internet infrastructure solutions to a diverse clientele, including Fortune 500 companies, government bodies, and critical infrastructure sectors such as the transportation and energy sectors. 

It is important to note that the company's acknowledgement of the long-lasting breach raises concerns about the resilience of the telecom infrastructure, as well as highlighting the persistence and stealthy nature of modern cyber-espionage campaigns targeting strategic and important organisations throughout the United States.

Ribbon Communications disclosed, in its October 23 filing with the U.S Securities and Exchange Commission (SEC), that the breach had been discovered in early September 2025 when the company had been notified. This immediately prompted the company to activate its incident response plan in conjunction with a number of independent cybersecurity experts and federal law enforcement agencies. 

There is evidence in the company's filing that points to an initial compromise occurring as early as December 2024, when the initial compromise was first noticed by the company, regardless of the firm's internal review. Ultimately, the timeframe remains unclear. 

In its disclosure, Ribbon claims that it did not find evidence indicating that the attackers had gained access to or exfiltrated any material corporate data, although the company admits that a limited number of customer files stored outside its main network, specifically on two laptop computers, were accessed during the intrusion. 

The affected clients were notified after the incident. In an attempt to determine the full extent of the breach, the telecom firm stressed its ongoing forensic investigation will reveal as much as possible, emphasising its commitment to transparency and compliance amid what appears to be more than a typical cyber attack aimed at specific targets and carried out methodically. 

There has been no confirmation from Ribbon Communications' spokesperson, Catherine Berthier, as to which customers have been directly affected by the data breach; however, she declined to identify any of the affected companies because of client confidentiality and ongoing investigations. As a result of the unauthorised access to personally identifiable information (PII) and other sensitive corporate data, it is still unclear if that information was exfiltrated by the attackers. 

According to the company's SEC filing, a limited number of customer files that were stored outside the primary network - on two laptops - were accessed during the intrusion, and Ribbon stated that all impacted customers have been notified in accordance with the regulations and contractual obligations of the company.

In an official statement, Ribbon Communications has stated that it is actively collaborating with federal law enforcement agencies and leading cybersecurity specialists in order to determine the full extent of the breach and its implications. In the company's words, the current findings indicate that the attackers did not acquire any material corporate information or exfiltrate it, based on current findings. 

Despite this, Ribbon's investigation confirmed that the threat actors managed to access a limited number of customer files from two laptops tucked away outside Ribbon's primary network infrastructure, which had been affected. Ribbon notified these affected clients, and they have been informed subsequently. 

During its recent disclosure, Ribbon acknowledged that it would have to incur additional expenses during the fourth quarter of 2025 in order to carry out its ongoing investigation and to improve network resilience. However, Ribbon does not anticipate that these costs will materially affect its financial results. 

Reuters reports that three smaller customers were also impacted by the incident, although their names have not been made public. Ribbon has not yet disclosed the identity of the threat group that has targeted the company, but cybersecurity experts have concluded that there are strong parallels between this breach and a wave of telecom-focused espionage campaigns linked to Salt Typhoon, the Chinese hacking collective. 

There was a report last year that Chinese state-sponsored hackers had infiltrated several telecommunications networks, including AT&T, Verizon, Lumen, Consolidated Communications, Charter Communications and Windstream, as well as several international operators, by infiltrating the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). In a series of subsequent reports, it was revealed that Comcast, Digital Realty, and Viasat were also compromised as part of this same, coordinated campaign. 

It was determined that there was a broader and coordinated effort to infiltrate the global communications infrastructure. As the telecommunications sector has grown increasingly complex over the past decade, it has experienced an increasing number of alarming incidents and policy changes that have highlighted both the magnitude of the threat and the difficulties in mounting a unified response. 

Last year, U.S. A former US Army soldier, Cameron John Wagenius, admitted hacking into 15 telecom companies and stealing call records from prominent individuals, including former President Donald Trump, and later pleaded guilty to multiple charges after being arrested. This case illustrated how insider knowledge and access can be exploited in order to break into critical communication systems, which further reinforced the concern that the sector is vulnerable to both internal and external threats. 

Although the federal government has made great efforts to enhance cybersecurity protections across the industry, policy inconsistencies and bureaucratic obstacles have hindered progress. The Trump administration, in January, disbanded a body known as the Cyber Safety Review Board, which had been reviewing the Salt Typhoon espionage campaign as part of its oversight othe f the Cybersecurity and Infrastructure Security Agency (CISA). 

It is important to note that the board had previously issued a critical assessment of Microsoft's security practices, describing the earlier China-linked breach in a manner that described the breach as a “cascade of security failures.” In recent years, this has become an increasingly important finding among the cybersecurity community. 

A previous order that mandated that telecom operators comply with cybersecurity requirements has been rescinded by the Federal Communications Commission (FCC) Chairman Brendan Carr. By implementing the order under the Biden administration, it was clarified that under Section 105 of the Communications Assistance for Law Enforcement Act (CALEA), companies are legally responsible for securing their networks. 

Criticised the measure as regulatory overreach, asserting that it overstepped the agency's authority and failed to mitigate cyber threats effectively, asserting that it had exceeded the agency's. There has been a lot of controversy surrounding the FCC's decision to repeal the order next month, as well as a renewed discussion on the best way to balance regulatory authority, industry autonomy, and national security imperatives. 

Ribbon Communication's breach serves as an excellent reminder of the fragile state of global telecom cybersecurity as a whole, a complex area that is constantly challenging even the most established players when it comes to national security, corporate accountability, and technological complexity. 

There is a growing awareness that state-sponsored actors are refining their tactics and exploiting long-standing vulnerabilities in critical communications infrastructure, requiring governments and industry to move beyond reactive containment toward proactive defence. Taking steps to mitigate the scale and sophistication of such incursions can be achieved through facilitating cross-sector intelligence sharing, mandating transparency in cybersecurity audits, and investing in zero-trust architectures.

Achieving long-term resilience across the telecom ecosystem depends on the maintenance of regulatory consistency and policy continuity, regardless of political transitions. It is important for companies such as Ribbon trecoto gniseze that cybersecurity is not only a compliance requirement but a critical component of operational and national security that needs to be considered. 

As the U.S. faces an intensifying climate of digital espionage, it is believed that this breach will provide valuable lessons that the nation can use to protect its communications equipment from the next generation of silent, persistent cyber adversaries.
Read more »
Nation-State Attacks
CISOs Cyber Attacks Cyber Awareness cyber resilience Cyber Threats Cybersecurity CyberWar Digital Defense Identity Security Nation-State Attacks

The Silent Guardians Powering the Frontlines of Cybersecurity

 


There is no doubt that a world increasingly defined by invisible battles and silent warriors has led to a shift from trenches to terminals on which modern warfare is now being waged. As a result, cyberwarfare is no longer a distant, abstract threat; now it is a tangible, relentless struggle with real-world consequences.

Power grids fail, hospitals go dark, and global markets tremble as a result of unseen attacks. It is at this point that a unique breed of defenders stands at the centre of this new conflict: cyber professionals who safeguard the fragile line between digital order and chaos. The official trailer for Semperis Midnight in the War Room, an upcoming documentary about the hidden costs of cyber conflict, has been released, bringing this hidden war to sharp focus. 

Semperis is a provider of AI-powered identity security and cyber resilience. It has an extraordinary lineup of voices – including Chris Inglis, the first U.S. National Cyber Director; General (Ret.) David Petraeus, the former Director of the CIA; Jen Easterly, former Director of the CISA; Marcus Hutchins, one of the WannaCry heroes; and Professor Mary Aiken, a globally recognised cyber psychologist – all of whom are highly respected for their expertise in cybersecurity. 

The film examines the high-stakes battle between attackers, defenders, and reformed hackers who have now taken the risk of exploiting for themselves. As part of this documentary, leading figures from the fields of cybersecurity and national defence gather together in order to present an unprecedented view of the digital battlefield. 

Using their insights into cyber conflicts, Midnight in the War Room explores the increasing threat that cybercrime poses to international relations as well as corporate survival today. A film that sheds light on the crucial role of chief information security officers (CISOs), which consists of who serve as the frontlines of protecting critical infrastructure - from power grids to financial networks - against state-sponsored and criminal cyber threats, is a must-see. 

It is the work of more than fifty international experts, including cyber journalists, intelligence veterans, and reformed hackers, who provide perspectives which demonstrate the ingenuity and exhaustion that those fighting constant digital attacks have in the face. Even though the biggest threat lies not only with the sophistication of adversaries but with complacency itself, Chris Inglis argues that global resilience is an urgent issue at the moment. 

It has been reported that Semperis' Chief Marketing Officer and Executive Producer, Thomas LeDuc, views the project as one of the first of its kind to capture the courage and pressure experienced by defenders. The film is richly enriched by contributions from Professor Mary Aiken, Heath Adams, Marene Allison, Kirsta Arndt, Grace Cassy and several former chief information security officers, such as Anne Coulombe and Simon Hodgkinson, and it provides a sweeping and deeply human perspective on modern cyber warfare. 

With its powerful narrative, Midnight in the War Room explores the human side of cyberwarfare—a struggle that is rarely acknowledged but is marked by courage, resilience and sacrifice in a way that is rarely depicted. A film about those defending the world's most vital systems is a look at the psychological and emotional toll they endure, in which trust is continually at risk and a moment of complacency can trigger devastating consequences. 

The film explores the psychological and emotional tolls endured by those defending those systems. During his remarks at Semperis, Vice President for Asia Pacific and Japan, Mr Sillars, points out that cyber threats do not recognise any borders, and the Asia Pacific region is at the forefront of this digital conflict as a result of cyber threats. 

During the presentation, he emphasises that the documentary seeks to highlight the common challenges cybersecurity professionals face worldwide, as well as to foster collaboration within critical sectors to build identity-driven resilience. As the Chief Marketing Officer at Semperis and Executive Producer, LeDuc describes the project as one of the most ambitious in cybersecurity history—bringing together top intelligence leaders, chief information security officers, journalists, victims and reformed hackers as part of a rare collaborative narrative.

In the film, Cyber Defenders' lives are portrayed through their own experiences as well as the relentless pressure and unwavering resolve they face every day. Among the prominent experts interviewed for the documentary are Marene Allison, former Chief Information Security Officer of Johnson & Johnson; Grace Cassy, co-founder of CyLon; Heather M. Costa, Director of Technology Resilience at the Mayo Clinic; Simon Hodgkinson, former Chief Information Security Officer of BHP; and David Schwed, former Chief Information Security Officer of Robinhood. 

Among those on the panel are Richard Staunton, Founder of IT-Harvest, BBC Cyber Correspondent Joe Tidy, as well as Jesse McGraw, a former hacktivist who has turned his expertise towards safeguarding the internet, known as Ghost Exodus. As Jen Easterly, former Chief Information Security Officer of the U.S. Department of Homeland Security (CISA), points out, defeating malicious cyberattacks requires more than advanced technology—it demands the human mind's ingenuity and curiosity to overcome them. 

A global collaboration was exemplified through the production of this documentary, which was filmed in North America and Europe by cybersecurity and professional organisations, including the CyberRisk Alliance, Cyber Future Foundation, Institute for Critical Infrastructure Technology, (ISC)2 Eastern Massachusetts Chapter, Michigan Council of Women in Technology, and Women in CyberSecurity (WiCyS) Delaware Valley Chapter. 

As part of these partnerships, private screenings, expert discussions, and public outreach will be conducted in order to increase public awareness and cooperation regarding building digital resilience. By providing an insight into the human narratives that underpin cybersecurity, Midnight in the War Room hopes to give a deeper understanding of the modern battlefield and to inspire a collective awareness in the safeguarding of society's systems. 

There is something special about Midnight in the War Room, both as a wake-up call and as a tribute - a cinematic reflection of those who stand up to the threats people face in today's digital age. The film focuses on cyber conflict and invites governments, organisations, and individuals to recognise the importance of cybersecurity not just as a technical problem, but as a responsibility that people all share. 

In light of the continuous evolution of threats, people need stronger international collaborations, investments in identity security, and the development of psychological resilience among those on the front lines to help combat these threats. Semperis' initiative illustrates the power of storytelling to bridge the gap between awareness and action, transforming technical discourse into a powerful narrative that inspires vigilance, empathy, and unity among the community.

Providing a critical insight into the human aspect behind the machines, Midnight in the War Room reinforces a fundamental truth: that is, cybersecurity is not just about defending data, but also about protecting the people, systems, and values that make modern society what it is today.
Read more »
Subscribe to: Comments (Atom)