Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cybersecurity Breach. Show all posts
Hacking Attack
Asus Cyber Defence Cyber Security Cybersecurity Breach Everest Ransomware Hackers Hacking Attack

Asus Supplier Breach Sparks Security Concerns After Everest Ransomware Claims Data Theft

 

Asus has confirmed a security breach via one of its third-party suppliers after the Everest ransomware group claimed it had accessed internal materials belonging to the company. In its statement, Asus confirmed that a supply chain vendor "was hacked," and the intrusion impacted portions of the source code relating to cameras for Asus smartphones. The company emphasized that no internal systems, products, or customer data were impacted. It refused to name the breached supplier or detail exactly what was accessed, but it said it is shoring up supply chain defenses to align with cybersecurity best practices. 

The disclosure comes amid brazen claims from the Everest ransomware gang, an established extortion outfit that has traditionally targeted major technology firms. Everest claimed it had pilfered around 1 TB of data related to Asus, ArcSoft, and Qualcomm, leaking screenshots online as evidence of the breach. The group said on its dark-web leak site that it was offering an array of deep technical assets, from segmentation modules to source code, RAM dumps, firmware tools, AI model weights, image datasets, crash logs, and test applications. The cache supposedly also contained calibration files, dual-camera data, internal test videos, and performance evaluation reports, the gang said. 

As it is, Asus hasn't verified the broader claims of Everest and has called the incident isolated to a single external supplier that holds camera-related resources. The company hasn't provided an explanation of whether material that was supposedly exfiltrated by the attackers included its proprietary code or information from the other organizations named by the group. Requests for additional comment from the manufacturer went unreturned, thus leaving various aspects of the breach unexplained. The timing is problematic for Asus, coming just weeks after new research highlighted yet another security issue with the company's consumer networking hardware. Analysts in recent weeks said about 50,000 Asus routers were compromised in what observers believe is a China-linked operation. 

That campaign involved attackers exploiting firmware vulnerabilities to build a relatively large botnet that's able to manipulate traffic and facilitate secondary infections. Although the router exploitation campaign and the supplier breach seem unrelated, taken together the two incidents raise the temperature on Asus' overall security posture. With attackers already targeting its networking devices en masse, the discovery of a supply chain intrusion-one that may have entailed access to source code-only adds to the questions about the robustness of the company's development environments. 

As supply chain compromises remain one of the biggest risks facing the tech sector, the incident serves as a reminder of the need for far better oversight, vetting of vendors, and continuous monitoring to ensure malicious actors do not penetrate upstream partners. For Asus, the breach raises pressure on the company to reassure customers and partners that its software and hardware ecosystems remain secure amid unrelenting global cyberthreat activity.
Read more »
Hacker attack
Cyber Attacks Cybersecurity Breach Data Breaches Data Leaked data security Defaced Website Hacked Hacker attack

Russian-Linked Surveillance Tech Firm Protei Hacked, Website Defaced and Data Published

 

A telecommunications technology provider with ties to Russian surveillance infrastructure has reportedly suffered a major cybersecurity breach. The company, Protei, which builds systems used by telecom providers to monitor online activity and restrict access to websites and platforms, had its website defaced and internal data stolen, according to information reviewed by TechCrunch. The firm originally operated from Russia but is now based in Jordan and supplies technology to clients across multiple regions, including the Middle East, Europe, Africa, Mexico, Kazakhstan and Pakistan. 

Protei develops a range of systems used by telecom operators, including conferencing platforms and connectivity services. However, the company is most widely associated with deep packet inspection (DPI) tools and network filtering technologies — software commonly used in countries where governments impose strict controls on online information flow and communication. These systems allow network providers to inspect traffic patterns, identify specific services or websites and enforce blocks or restrictions. 

It remains uncertain exactly when the intrusion occurred, but archived pages from the Wayback Machine indicate the public defacement took place on November 8. The altered site contained a short message referencing the firm’s involvement in DPI technology and surveillance infrastructure. Although the webpage was restored quickly, the attackers reportedly extracted approximately 182 gigabytes of data from Protei’s systems, including email archives dating back several years. 

A copy of the exposed files was later supplied to Distributed Denial of Secrets (DDoSecrets), an organization known for cataloging leaked data from governments, law enforcement agencies and companies operating in surveillance or censorship markets. DDoSecrets confirmed receiving the dataset and made it available to researchers and journalists. 

Prior to publication, TechCrunch reached out to Protei leadership for clarification. Mohammad Jalal, who oversees the company’s Jordan branch, did not initially respond. After publication, he issued an email claiming the company is not connected to Russia and stating that Protei had no confirmed knowledge of unauthorized data extraction from its servers. 

The message left by the hacker suggested an ideological motive rather than a financial one. The wording referenced SORM — Russia’s lawful interception framework that enables intelligence agencies to access telecommunications data. Protei’s network filtering and DPI tools are believed to complement SORM deployments in regions where governments restrict digital freedoms. 

Reports from research organizations have previously linked Protei technology to censorship infrastructure. In 2023, Citizen Lab documented exchanges suggesting that Iranian telecommunications companies sought Protei’s systems to log network activity and block access to selected websites. Documents reviewed by the group indicated the company’s ability to deploy population-level filtering and targeted restrictions. 

The breach adds to growing scrutiny surrounding technology vendors supplying surveillance capabilities internationally, especially in environments where privacy protections and freedom of expression remain vulnerable.
Read more »
Vulnerability Exploit
Clop Group Cybersecurity Breach Data Breach Enterprise security GlobalLogic Incident response Oracle Zero-Day Ransomware attack SQL Threat Intelligence Vulnerability Exploit

GlobalLogic Moves to Protect Workforce After Oracle-related Data Theft

 


A new disclosure that underscores the increasing sophistication of enterprise-level cyberattacks underscores the need to take proactive measures against them. GlobalLogic has begun notifying more than ten thousand of its current and former employees that their personal information was compromised as a result of a security breach connected to an Oracle E-Business Suite zero-day flaw. 

An engineering services firm headquartered in the United States, owned by Hitachi, announced the breach to regulators after determining that an unknown attacker exploited an unpatched vulnerability in the Oracle platform, the core platform used to manage finance, human resources, and operational processes at the company, so that sensitive data belonging to 10,000 employees was stolen. 

The Maine Attorney General's office reported to the Maine State Attorney General that attackers had infiltrated GlobalLogic's environment with an advanced SQL-injection chain mapped to MITRE techniques T1190 and T1040, deploying a persistent backdoor through an Oracle Forms vulnerability, obtaining extensive employee data, including identification, contact information, passport information, tax and salary data, and bank account numbers, as well as extensive employee records. 

The signs of compromise point to a coordinated data-extortion campaign in which privilege-escalation events were used to maintain prolonged access to data. Indicators like malicious IP ranges and rogue domains indicate that the attack was coordinated. In the aftermath of Oracle's security patches being released, GlobalLogic announced that an immediate investigation had been conducted, and the company is now urging the rapid implementation of vendor updates, enhanced logging, and temporary hardening measures in order to mitigate further risk. 

With Hitachi's acquisition of the company in 2021, it has now served more than 600 enterprise clients around the world, and the company has officially reported the breach to California and Maine regulators, who confirmed that more than 10,500 current and former employees' personal information was exposed in the attack. 

During GlobalLogic's investigation, it was discovered that the intrusion was a part of a larger campaign that was coordinated by the Clop ransomware group, which has been exploiting a zero-day flaw in Oracle's E-Business Suite since at least July in order to snare huge amounts of corporate information. There have been reports that several companies have been caught in this wave of attacks, and many are only aware of their compromise after they receive extortion emails from extortionists. Analysts are claiming that dozens of companies have been compromised.

It is reported by GlobalLogic that the company discovered the breach on October 9 but it was later discovered that the attackers gained access to the server on July 10, with the most recent malicious activity occurring on August 20 according to GlobalLogic's filings. Despite the fact that the incident was contained to the Oracle platform, the sheer amount of sensitive and high-level data stolen—from contact information to internal identifiers to passports to tax records to salary information to bank account numbers—does not make it easy for the severity of the attack to be noted. 

A spokesperson for the company said that they immediately activated their incident response protocols, notified the law enforcement, and consulted external forensic experts after the zero-day exploit was discovered (CVE-2025-61882) was discovered, and that Oracle's patch for the vulnerability (CVE-2025-61882) was applied once it was released. 

Security researchers later confirmed that Clop hacked numerous victims over a period of several months by exploiting multiple vulnerabilities within the same platform, demanding ransoms that often reached eight-figure sums. It has been reported that nearly 30 organizations are currently listed on Clop's website after a breach of their systems was discovered last week. If these organizations do not pay the restitution, they will face public exposure. The kind of information exposed in the GlobalLogic breach highlights how sophisticated the attackers were. 

According to the company's disclosure, the stolen data was representative of a wide range of personal information that is typically kept in human resources systems, such as names, home addresses, telephone numbers, addresses for emergency contacts, and identifiers for internal employees.

There were a variety of individuals whose exposure to cyber attacks was far more in-depth and involved email addresses, dates and countries of birth, nationalities, passports, tax and national identification numbers such as Social Security details, salary information, and full banking credentials for their online banking accounts. 

A ransomware group known as Clop has been associated with several high-profile Oracle EBS data theft operations, as well as adding major companies to its Tor-based leak site, including Harvard University, Envoy Air, and The Washington Post, whose stolen data is already available via torrent downloads from a number of sources. Despite the fact that GlobalLogic's information has not yet appeared on the leak portal, security analysts have said that the omission may be indicative of ongoing negotiations, or that a ransom has already been paid by the company. 

The company spokesperson refused to comment on whether any demands were being addressed, but confirmed Clop has publicly claimed responsibility for the breach. Now that the gang is being questioned more closely by the U.S. authorities after previously exploiting Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer in mass-scale data breaches, they are under greater scrutiny than ever before. 

According to the State Department, there is a reward for intelligence that can be provided tying the group's operations to a foreign government worth up to $10 million. In light of this incident, industry officials are calling for improved patch management, proactive threat hunting, and tighter oversight of third-party platforms supporting critical business operations that are used by critical business units. 

According to GlobalLogic's analyst, the company's experience shows just how quickly a single vulnerability can lead to widespread damage when exploited by highly coordinated ransomware groups, particularly if the vulnerability has not yet been patched. 

Despite continuing to investigate Clop's broader campaign, experts urge organizations to adopt continuous monitoring, strengthen vendor risk controls, and prepare for the likelihood that they will be the victim of future zero day exploits in the following years, as the modern enterprise threat landscape is now characterized by zero-day threats.
Read more »
privacy protection
Automotive Cyberattack Connected Car Security Cybersecurity Breach Data Breach Data Exposure Digital threats Hyundai AutoEver identity theft risk personal data safety privacy protection

Hyundai Faces Security Incident With Potential Data Exposure

 


In the past few months, Hyundai AutoEver America, a division of Hyundai Motor Group, has confirmed a recent data breach that exposed sensitive personal information after hackers infiltrated its internal IT environment earlier this year, revealing a recent data breach. 

A company spokesperson told me that unauthorized access to the company's computer systems began on February 22, 2025 and went undetected until March 2, giving intruders nine days to access confidential data. 

The early breach notices didn't specify how many people were affected, but according to state regulatory disclosures as well as a subsequent statement issued to Kelley Blue Book, approximately 2,000 people—out of the over 2.7 million users HAEA serves across Hyundai, Kia, and Genesis platforms—were impacted. There have been a number of compromises of the data, including names, Social Security numbers, and driving license information. 

In response to the suspicious activity, HAEA contacted an external cybersecurity expert who conducted an investigation, contained the intrusion, and informed law enforcement. As officials continue to assess the full scope of the incident, officials have begun issuing formal notices to those whose information was possibly exposed. 

It was only in the months that followed that it became increasingly clearer and more troubling just what the breach's consequences and the broader risks associated with connected vehicles were in the future. Even though Hyundai AutoEver America eventually acknowledged that the incident could have affected as many as 2.7 million Hyundai, Kia, and Genesis owners, internal assessments and state filings later narrowed the directly affected group to merely 2,000 individuals, yet the sensitive nature of the data involved makes even this smaller number quite significant. 

A nine-day intrusion that took place between February 22 and March 2, 2025, revealed the names, addresses, phone numbers, driver’s license numbers, and Social Security numbers of several automobile manufacturers, revealing to intruders a full range of data and details that underpinned core digital services across the automaker’s brands during that period. 

Among privacy experts, there is no doubt that what has caused concern is not just the scope of information but also that it has taken seven months for customers to be informed about the incident, a timeframe that gave the possibility for stolen identities to be misused or combined with other data circulating from other breaches.

Hyundai is also experiencing a growing pattern of security breaches since 2023, which reinforces concerns that these are not isolated incidents but rather signs of deeper structural problems. As the episode illustrates, modern cars—once purely mechanical devices—now act as sophisticated data hubs, collecting everything from passengers’ financial details to route histories, biometric inputs, driving behaviour, and even information synced from their mobile devices, which is not visible to the driver. 

Manufacturers are expanding their digital ecosystems and the breach has raised questions about the industry's ability to safeguard the vast and intimate data it collects on a regular basis. Immediately following the intrusion, Hyundai AutoEver America made an effort to reassure its customers by offering two years of complimentary identity theft and credit monitoring services through Epiq as a gesture of goodwill.

In spite of this, security analysts note that such measures are rarely sufficient to relieve customers after sensitive information has been stolen. Additionally, Hyundai Motor Europe’s disclosure also brought back memories of a similar experience it suffered just a year earlier when it was attacked by a ransomware gang called Black Basta, which claimed to have taken over 3TB of internal files before appearing dormant in early 2025, when the company lost control of its operations. 

All in all, these incidents emphasize one more uncomfortable reality: automakers now harvest and manage far greater amounts of personal information than most drivers are aware of. Besides the information required for financing or registration of vehicles, companies routinely collect (and in some cases monetize) data regarding the locations of their customers, their driving habits, the biometric patterns they use, and even behavioral patterns that can help them infer consumers' preferences with a remarkable degree of accuracy. 

Following a complaint made by General Motors that it had shared driver data with third-parties to the point of being able to obtain their information from them, the Federal Trade Commission issued a five-year ban on the practice. In July, a U.S. Senate inquiry raised concerns about other manufacturers continuing the same data-sharing practices. 

The HAEA notified the California Attorney General of the incident by notifying them that they had enlisted cybersecurity experts to determine the scope of the breach and confirm that the intrusion had been contained, even though investigators were unable to determine if the information was exfiltrated. Those affected customers have been given 90 days to enroll in monitoring services, and a hotline has also been established to assist customers. 

As Hyundai AutoEver asserts, only a small number of users have been directly impacted by this incident, but the incident has ignited a wider industry debate over precisely how well automakers secure the ever-increasing amount of personal data embedded in most connected vehicles today. After Hyundai AutoEver America found out that a wide range of sensitive data points had been exposed as part of this breach, including a number of customer names, government-issued identification numbers, and passwords, it confirmed that the investigation of the technical footprint was continuing. 

Among the records that were compromised, according to notification letters sent to the individuals affected, were Social Security numbers and driver's license information, with each recipient receiving a customized breakdown of which data elements applied to them in the initial notification. In order to conduct the analysis in a comprehensive way, extensive forensic work and collaboration with external cybersecurity specialists were necessary. 

These specialists helped Hyundai AutoEver reconstruct the intrusion, assess database exposure, and determine which users needed formal notification. Hyundai AutoEver said it immediately terminated the intruder's access and implemented additional safeguards and was continuing to implement a comprehensive remediation program that was intended to prevent similar incidents in the future. 

Consequently, Epiq Privacy Solutions has been contacted by the company to offer complimentary two-year credit monitoring and identity protection services to impacted customers, which will include three-bureau monitoring and fraud detection tools, as well as a 90-day enrollment period. It should be noted that these protections are only a layer of protection, however, according to security experts. 

As a precautionary measure, they advise their customers to review financial statements, to check their credit reports, and to place fraud alerts or credit freezes with the major credit bureaus to reduce the risk of unauthorized account openings. 

In addition, this incident has brought about renewed discussions about digital hygiene for vehicle owners, ranging from updating passwords and enabling multifactor authentication on connected car applications to avoiding stored payment information in the infotainment system.

There are a number of cybercrime analysts who note that incidents of this nature often open the door to secondary scams, as cybercriminals impersonate automakers' support teams in order to steal more personal information from car owners through pages pretending to be account verifications and security updates. 

These developments have been identified by industry observers as part of a dramatic shift in the way in which cars now collect far more information than most drivers are aware of. These include location histories, biometric identifiers, behavioral patterns, and synced mobile data, to name a few. 

The results of this study indicate that consumers should adopt strong cybersecurity practices, including using reputable antivirus software, staying current on device updates, and thinking about data-removal solutions that will reduce exposure to data-broker websites as a result of data misuse. Several automakers have been affected by this new trend; the Federal Trade Commission imposed a five-year ban on General Motors' ability to sell data on drivers earlier this year. 

Additionally, a Senate investigation has raised concerns about similar practices in other automakers, including Hyundai, as well. In spite of Hyundai AutoEver's assertion that only a relatively small number of its customers were directly affected by this breach, the incident has brought to light questions about the effectiveness with which carmakers are safeguarding the growing amounts of data embedded in connected cars, as well as what consumers should do in the rapidly growing digital world in order to protect themselves from the threat of fraud. 

It is clear from the Hyundai AutoEver breach that the automobile industry needs to rethink how it approaches data security in an increasingly interconnected digital age, where vehicles become increasingly interconnected digital ecosystems. It is important to note that meaningful protection depends both on stronger corporate safeguards as well as on proactive vigilance on the part of drivers in light of increased regulatory oversight and consumers' increasing awareness of how their information is being used.

It is vital that consumers play an important role in reducing future risks by practicing stricter digital hygiene, minimizing unnecessary data sharing, and demanding that automakers communicate their information more clearly, in order to ensure that the convenience of connected cars does not come at the expense of their individual privacy rights.
Read more »
Zero Trust
Credential Stuffing Cybersecurity Breach Data Leak Digital Risk Malware Logs Password Security Privacy Stolen Credentials Threat Intelligence Zero Trust

Digital Security Threat Escalates with Exposure of 1.3 Billion Passwords


 

One of the starkest reminders of just how easily and widely digital risks can spread is the discovery of an extensive cache of exposed credentials, underscoring the persistent dangers associated with password reuse and the many breaches that go unnoticed by the public. Having recently clarified the false claims of a large-scale Gmail compromise in the wake of Google’s recent clarification, the cybersecurity community is once again faced with vast, attention-grabbing figures which are likely to create another round of confusion. 

Approximately 2 billion emails were included in the newly discovered dataset, along with 1.3 billion unique passwords that were found in the dataset, and 625 million of them were not previously reported to the public breach repository. It has been emphasised that Troy Hunt, the founder of Have I Been Pwned, should not use sensationalism when discussing this discovery, as he stresses the importance of the disclosure. 

It is important to note that Hunt noted that he dislikes hyperbolic news headlines about data breaches, but he stressed that in this case, it does not require exaggeration since the data speaks for itself. Initially, the Synthient dataset was interpreted as a breach of Gmail before it was clarified to reveal that it was actually a comprehensive collection gathered from stealer logs and multiple past breaches spanning over 32 million unique email domains, and that it was a comprehensive collection. 

There's no wonder why Gmail appears more often than other email providers, as it is the world's largest email service provider. The collection, rather than a single event, represents a very extensive collection of compromised email and password pairs, which is exactly the kind of material that is used to generate credential-stuffing attacks, where criminals use recycled passwords to automate attempts to access their banking, shopping, and other online accounts. 

In addition to highlighting the dangers associated with unpublicized or smaller breaches, this new discovery also underscores the danger that even high-profile breaches can pose when billions of exposed credentials are quietly redirected to attackers. This newly discovered cache is not simply the result of a single hack, but is the result of a massive aggregation of credentials gathered from earlier attacks, as well as malware information thieves' logs, which makes credential-based attacks much more effective.

A threat actor who exploits reused passwords will have the ability to move laterally between personal and corporate services, often turning a compromised login into an entry point into an increasingly extensive network. A growing number organisations are still dependent on password-only authentication, which poses a high risk to businesses due to the fact that exposed credentials make it much easier for attackers to target business systems, cloud platforms, and administrative accounts more effectively. 

The experts emphasised the importance of adopting stronger access controls as soon as possible, including the generation of unique passwords by trusted managers, the implementation of universal two-factor authentication, and internal checks to identify credentials which have been reused or have previously been compromised. 

For attackers to be able to weaponise these massive datasets, enterprises must also enforce zero-trust principles, implement least-privilege access, and deploy automated defences against credential-stuffing attempts. When a single email account is compromised, it can easily cascade into financial, cloud or corporate security breaches as email serves as the central hub for recovering accounts and accessing linked services. 

Since billions of credentials are being circulated, it is clear that both individuals and businesses need to take a proactive approach to authentication, modernise security architecture, and treat every login as if it were a potential entry point for attackers. This dataset is also notable for its sheer magnitude, representing the largest collection of data Have I Been Pwned has ever taken on, nearly triple the volume of its previous collection.

As compiled by Synthient, a cybercriminal threat intelligence initiative run by a college student, the collection is drawn from numerous sources where stolen credentials are frequently published by cybercriminals. There are two highly volatile types of compromised data in this program: stealer logs gathered from malware on infected computers and large credential-stuffing lists compiled from earlier breaches, which are then combined, repackaged and traded repeatedly over the underground networks. 

In order to process the material, HIBP had to use its Azure SQL Hyperscale environment at full capacity for almost two weeks, running 80 processing cores at full capacity. The integration effort was extremely challenging, as Troy Hunt described it as requiring extensive database optimisation to integrate the new records into a repository containing more than 15 billion credentials while maintaining uninterrupted service for millions of people every day.

In the current era of billions of credential pairs being circulated freely between attackers, researchers are warning that passwords alone do not provide much protection any more than they once did. One of the most striking results of this study was that of HIBP’s 5.9 million subscribers, or those who actively monitor their exposure, nearly 2.9 million appeared in the latest compilation of HIBP credentials. This underscores the widespread impact of credential-stuffing troves. The consequences are especially severe for the healthcare industry. 

As IBM's 2025 Cost of a Data Breach Report indicates, the average financial impact of a healthcare breach has increased to $7.42 million, and a successful credential attack on a medical employee may allow threat actors to access electronic health records, patient information, and systems containing protected health information with consequences that go far beyond financial loss and may have negative economic consequences as well.

There is a growing concern about the threat of credential exposure outpacing traditional security measures, so this study serves as a decisive reminder to modernise digital defences before attackers exploit these growing vulnerabilities. Organisations should be pushing for passwordless authentication, continuous monitoring, and adaptive risk-based access, while individuals should take a proactive approach to maintaining their credentials as an essential rather than an optional task. 

Ultimately, one thing is clear: in a world where billions of credentials circulate unchecked, the key to resilience is to anticipate breaches by strengthening the architecture, optimising the authentication process and maintaining security awareness instead of reacting to them after a breach takes place.
Read more »
Ransomware attack
AlphV Group Australian Government cyber resilience Cybersecurity Breach Data Breach Data Leak Data protection Digital Security Law Firm Hack Ransomware attack

WA Law Firm Faces Cybersecurity Breach Following Ransomware Reports

 


It seems that Western Australia's legal sector and government sectors are experiencing ripples right now following reports that the Russian ransomware group AlphV has successfully hacked the prominent national law firm HWL Ebsworth and extracted a ransom payment from the firm. This has sent shockwaves through the legal and government sectors across Western Australia. 

It has raised serious concerns since May, when the first hints about the breach came to light, concerning the risk of revealing sensitive information, such as information pertaining to over 300 motor vehicle insurance claims filed with the Insurance Commission of Western Australia. In a statement released by the ABC on Monday, the ABC has confirmed that HWL Ebsworth data that was held by the company on behalf of WA government entities may have been compromised after a cybercriminal syndicate claimed to have published a vast repository of the firm’s files earlier this month on the dark web. 

Although the full extent of the breach is unclear, investigations are currently underway to determine how large the data exposure is and what the potential consequences are. It has been reported that an ICWA spokesperson acknowledged in an official statement that there has been an impact on the Commission, which is responsible for providing insurance coverage for all vehicles registered in Western Australia as well as overseeing the government's self-insurance programs for property, workers' compensation, and liability. 

Although the agency indicated that the extent of any data compromise cannot yet be verified because of ongoing investigation restrictions, the agency noted that it cannot verify the extent of any data compromise at the moment. A spokesperson from the Insurance Commission said, “The details of the data that has been accessed are not yet known, but this is part of a live investigation that we are actively supporting. It is important to note that this situation is extremely serious and that the information that may be compromised is sensitive.

Anubis, a ransomware group that was a part of the law firm that has been involved in the cyberattack, escalated the cyberattack by releasing a trove of sensitive information belonging to one of the firm's clients, which caused the cyberattack to take an alarming turn. The leaked material was reportedly containing confidential business correspondence, financial records, and deeply personal correspondence. 

An extensive collection of data was exposed, including screenshots of text messages sent and received by the client and family members, emails, and even Facebook posts - all of which revealed intimate details about private family disputes that surrounded the client. Anubis stated, in its statement on the dark web, that the cache contained “financial information, correspondence, personal messages, and other details of family relationships.” 

Despite this, the company highlighted the possibility of emotional and reputational damage as a result of such exposure. It was pointed out by the group that families already going through difficult circumstances like divorce, adoption, or child custody battles were now going to experience additional stress due to their private matters being made public, even though the full scope of the breach remains unclear, and the ransomware operators have yet to provide a specific ransom amount, making it difficult to speculate about the intentions of the attackers. 

Cyber Daily contacted Paterson & Dowding in response to inquiries it received, and a spokesperson confirmed that there had been unauthorized access to data and exfiltration by the firm. “Our team immediately acted upon becoming aware of unusual activity on our system as soon as we became aware of it, engaging external experts to deal with the incident, and launching an urgent investigation as soon as possible,” said the spokesperson. 

There is no doubt in the minds of the firm that a limited number of personal information had been accessed, but the threat actors had already published a portion of the data online. In addition to notifying affected clients and employees, Paterson & Dowding is coordinating with regulatory bodies, including the Australian Cyber Security Centre and the Office of the Information Commissioner, about the incident.

A representative of the company stated that he regretted the distress the firm had caused as a result of the breach of confidentiality and compliance. Meanwhile, an individual identifying himself as Tobias Keller - a self-proclaimed "journalist" and representative of Anubis - told Cyber Daily that Paterson & Dowding was one of four Australian law firms targeted by a larger cyber campaign, which included Pound Road Medical Center and Aussie Fluid Power, among others. 

While the HWL Ebsworth cyberattack is still unfolding, it has raised increasing concern from the federal and state government authorities as the investigation continues. In addition to providing independent legal services to the Insurance Commission of Western Australia (ICWA), the firm also reviews its systems in order to determine if any client information has been compromised. In this position, one of 15 legal partners serves the Insurance Commission of Western Australia (ICWA). 

A representative of ICWA confirmed that the firm is currently assessing the affected data in order to clarify the situation for impacted parties. However, a court order in New South Wales prohibiting the agency from accessing the leaked files has hampered its own ability to verify possible data loss. 

As ICWA's Chief Executive Officer Rod Whithear acknowledged the Commission's growing concerns, he stated that a consent framework for limited access to the information is being developed as a result of a consent framework being developed. Currently, the Insurance Commission is implementing a consent regime that will allow them to assess whether data has been exfiltrated and if so, will be able to assess the exfiltrated information." He assured that the Commission remains committed to supporting any claimant impacted by the breach. 

In addition to its involvement in insurance-related matters, HWL Ebsworth has established an extensive professional relationship with multiple departments of the State government of Washington. According to the firm's public transportation radio network replacement program, between 2017 and 2020, it was expected that it would receive approximately $280,000 for its role in providing legal advice to the state regarding its replacement of public transport radio networks, a project which would initially involve a $200 million contract with Huawei, the Chinese technology giant. 

A $6.6 million settlement with Huawei and its partner firm was reached in 2020 after U.S. trade restrictions rendered the project unviable, ultimately resulting in Huawei and its partner firm being fined $6.6 million. Aside from legal representation for public housing initiatives and Government Employees Superannuation Board, HWL Ebsworth has provided legal representation for the Government Employees Superannuation Board as well. 

In light of the breach, the state government has clarified, apart from the ICWA, that no other agencies seem to have been directly affected as a result. A significant vulnerability has been highlighted by this incident in the intersection of government operations with private legal service providers, but the incident has also highlighted broader issues related to cyber security. 

Addressing the broader impacts of the attack will also be in the hands of the new Cyber Security Coordinator, Air Marshal Darren Goldie, who was appointed in order to strengthen the national cyber resilience program. The Minister of Home Affairs, Clare O'Neill, has described the breach as one of the biggest cyber incidents Australia has experienced in recent years, placing it alongside a number of major cases such as Latitude, Optus, and Medibank. 

The Australian Federal Police and Victorian Police, working together with the Australian Cyber Security Centre, continue to investigate the root cause and impact of the attack. A number of cyber incidents are unfolding throughout Australia, which serves to serve as an alarming reminder of how fragile digital trust is becoming within the legal and governmental ecosystems of the country. Experts say that while authorities are intensifying their efforts to locate the perpetrators and strengthen defenses, the breach underscores the urgent need for stronger cybersecurity governance among third parties and law firms involved in the handling of sensitive data. 

The monitoring of threats, employee awareness, and robust data protection frameworks, the nation's foremost challenge is now to rebuild trust in institutions and information integrity, beyond just restoring the systems. Beyond just restoring systems, rebuilding confidence in institutions and information integrity are the most urgent tasks facing us today.
Read more »
Supply chain vulnerability
Airport Cyberattack Aviation Cyber Threats Collins Aerospace Hack Critical Infrastructure Security Cybersecurity Breach Data Extortion Digital Resilience Ransomware attack Supply chain vulnerability

Collins Aerospace Deals with Mounting Aftermath of Hack


One of the most disruptive cyber incidents to have hit Europe's aviation sector in recent years was a crippling ransomware attack that occurred on September 19, 2025, causing widespread chaos throughout the continent's airports.  

The disruption was not caused by adverse weather, labour unrest or mechanical failure but by a digital breakdown at the heart of the industry's technological core. The Collins Aerospace MUSE platform, which is used for passenger check-ins and baggage operations at major airport hubs including Heathrow, Brussels, Berlin, and Dublin, unexpectedly went down, leading airports to revert to paper-based, manual procedures. 

There was confusion in the terminals and gate agents resorted to handwritten manifests and improvised coordination methods to handle the surge, while thousands of passengers stranded in transit faced flight cancellations and delays. While flight safety systems remained unaffected, and a suspect (a British national) was apprehended within a few days of the attack, it also exposed an increasingly frightening vulnerability in aviation's growing reliance on interconnected digital infrastructure. 

This ripple effect revealed how one breach of security could cause shockwaves throughout the entire ecosystem of insurers, logistics companies, and national transport networks that are all intertwined with the digital backbone of air travel itself, far beyond an aviation issue. 

In the aftermath of the Collins Aerospace cyberattack, the crisis became worse when on Sunday, a group linked to Russian intelligence and known as the Everest Group claimed to have accessed sensitive passenger information allegedly stolen by Dublin Airport and claimed to have been possessed by the group. This group, which operates on the dark web, announced that they had acquired 1.5 million passenger records and threatened to release the data unless a ransom was paid by Saturday evening before releasing the data. 

It has been reported that Everest, which had earlier claimed credit for breaching systems connected to Collins Aerospace's MUSE software on October 17, believes that the security breach occurred between September 10 and 11, using credentials obtained from an insecure FTP server in order to infiltrate the company's infrastructure. 

On September 19, Collins Aerospace shut down affected servers that blocked cybercriminals from accessing these servers, according to the cybercriminals who claimed their access to those servers was later stopped. This move occurred simultaneously with a wide array of operational outages in major European airports including Heathrow, Berlin Brandenburg, Brussels, and Dublin. 

A spokesperson for the Dublin Airport Authority (DAA) confirmed that a probe has been initiated in response to the mounting concerns regarding the incident, as well as in coordination with regulators and impacted airlines. It should be pointed out that as of yet no evidence has been found of a direct hacking attack on DAA's internal systems, indicating that the dataset exposed primarily consists of details regarding passenger boarding for flights departing Dublin Airport during the month of August.

While this happened, ENISA, the European Union Agency for Cybersecurity, categorised the Collins Aerospace hack as a ransomware attack, which underlined the escalation of sophistication and reach of cybercriminals targeting critical aviation infrastructure across the globe. There have been signs of gradual recovery as European airports have struggled to regain operational stability since the Collins Aerospace cyber incident. 

Although challenges persisted throughout the days of the cyberattack, signs of gradual recovery did emerge. While flight schedules at London's Heathrow airport and Berlin Brandenburg airport had begun to stabilize on Sunday, Brussels Airport continued to experience significant disruptions. A statement issued by Brussels Airport on Monday stated that it had requested airlines cancel about half of the 276 departures scheduled for Monday due to the non-availability of Collins Aerospace's new secure check-in software, which had not been available for the previous few days.

As manual check-in procedures remained in place, the airport warned that cancellations and delays were likely to continue until full digital functionality had been restored. In spite of the ongoing disruptions, airport authorities reported that roughly 85% of weekend flights operated, which was made possible by ensuring additional staffing from airline partners and ensuring that the online check-in and self-service baggage system were still operational, according to Airport Authority reports. 

The airport’s spokesperson Ihsane Chioua Lekhli explained that the cyberattack impacted only the computer systems being used at the counters staffed by employees, and that in order to minimize the inconvenience to passengers, backup processes and even laptops have been used as workarounds.

It is important to note that RTX Corporation, the parent company of Collins Aerospace, refused to comment on this matter in a previous statement issued on Saturday, when RTX Corporation acknowledged the disruption and said it was working to fully restore its services as soon as possible. According to the company, the impact will only be felt by electronic check-in and baggage drop and can be minimized by manual operations. 

During the weekend, Heathrow and Brandenburg airports both encouraged passengers to check their flight statuses before arriving at the airport, as well as to take advantage of online or self-service options to cut down on traffic. In its latest communication, Heathrow Airport stated that it was working with airlines "to recover from Friday's outage," stressing that despite the delays, a majority of scheduled flights were able to run throughout the weekend despite the delay. 

There has been a broader discussion around the fragility of digital supply chains and the increasing risk that comes with vendor dependency as a result of the Collins Aerospace incident. Increasingly, ransomware and data extortion groups are exploiting third-party vulnerabilities in order to increase the likelihood of a systemic outage, rather than an isolated cyber event. 

An analysis by industry analysts indicates that the true differentiator between organizations that are prepared, visible, and quick to respond during such crises lies in their ability to deal with them quickly, and in the ability to anticipate problems before they arise. According to Resilience's cybersecurity portfolio, only 42% of ransomware attacks in 2025 were followed by incurred claims, a significant decrease from 60% in 2024.

According to experts, this progress is largely due to the adoption of robust backup protocols, periodic testing, and well-defined business continuity frameworks, which are the foundation of this improvement. However, broader industry figures paint a more worrying picture. Approximately 46% of organizations that have been affected by ransomware opted to pay ransoms to retrieve data, according to Sophos' State of Ransomware report, while in the Resilience dataset, the number of affected organizations paid ransoms fell from 22% in 2024 to just 14% in 2025.

This contrast illustrates the fact that companies that have tested recovery capabilities are less likely to succumb to extortion demands because they have viable options for recovering their data. A new approach to cybersecurity has emerged – one that is based on early detection, real-time threat intelligence, and preemptive mitigation. Eye Security uncovered a critical vulnerability in Microsoft SharePoint in July 2025 and issued targeted alerts in response to the vulnerability. This proactive approach enabled Eye Security to scan its client ecosystem, alert its clients, and contain active exploitation attempts before significant damage could occur. 

According to experts, Collins Aerospace's breach serves as a lesson for what happens when critical vendors fail in a network that is interconnected. A recent outage that crippled airports across Europe was more than just an aviation crisis; it was an alarming reminder of the concentration risk that cloud-based and shared operating technologies carry across industries as well. 

Organizations are increasingly reliant on specialized vendors to manage essential systems in order to ensure their success, so the question isn't if a major outage will occur again, but whether businesses have the resilience infrastructure to stay operational if it happens again. It is clear from the Collins Aerospace incident that cybersecurity is no longer a separate IT concern, but rather a core component of operational continuity. 

It stands as a defining moment for digital resilience in the evolving narrative. The emphasis in navigating this era of global infrastructure disruption must shift to building layered defense ecosystems, combining predictive intelligence, rigorous vendor vetting, and a real-time crisis response framework, as businesses navigate through the challenges of a single vendor outage disrupting global infrastructure. 

In the end, the lesson is clear: resilience is not built when disruption happens but in anticipation of it, ensuring that when the next digital storm hits, we are prepared, not panicked.
Read more »
Telecom Security
Critical Infrastructure Cyber Threats Cybersecurity Breach Data Threats Cyber Espionage nation-state hackers Network Resilience Ribbon Communications Telecom Security

Ribbon Targeted in Cyber Espionage Campaign by Nation-State Actors


 

Among the many revelations which illustrate how sophisticated state-backed cyber intrusions are, Ribbon Communications has confirmed that its internal network was compromised by government-backed hackers who kept unauthorised access for almost a year before they were detected, a revelation that emphasises the growing sophistication of state-backed cyber intrusions. 

The company disclosed in its 10-Q filing with the Securities and Exchange Commission (SEC) that a suspected nation-state actor was suspected to have infiltrated their IT systems in December of 2024, but the threat was undetected until this year, according to Ribbon. 

Ribbon stated in its statement that it has since informed federal law enforcement agencies and believes that its environment has been cleared of the attackers. With its headquarters in Texas, Ribbon stands out in the global telecom ecosystem as one of the key players. 

Ribbon provides voice, networking, and internet infrastructure solutions to a diverse clientele, including Fortune 500 companies, government bodies, and critical infrastructure sectors such as the transportation and energy sectors. 

It is important to note that the company's acknowledgement of the long-lasting breach raises concerns about the resilience of the telecom infrastructure, as well as highlighting the persistence and stealthy nature of modern cyber-espionage campaigns targeting strategic and important organisations throughout the United States.

Ribbon Communications disclosed, in its October 23 filing with the U.S Securities and Exchange Commission (SEC), that the breach had been discovered in early September 2025 when the company had been notified. This immediately prompted the company to activate its incident response plan in conjunction with a number of independent cybersecurity experts and federal law enforcement agencies. 

There is evidence in the company's filing that points to an initial compromise occurring as early as December 2024, when the initial compromise was first noticed by the company, regardless of the firm's internal review. Ultimately, the timeframe remains unclear. 

In its disclosure, Ribbon claims that it did not find evidence indicating that the attackers had gained access to or exfiltrated any material corporate data, although the company admits that a limited number of customer files stored outside its main network, specifically on two laptop computers, were accessed during the intrusion. 

The affected clients were notified after the incident. In an attempt to determine the full extent of the breach, the telecom firm stressed its ongoing forensic investigation will reveal as much as possible, emphasising its commitment to transparency and compliance amid what appears to be more than a typical cyber attack aimed at specific targets and carried out methodically. 

There has been no confirmation from Ribbon Communications' spokesperson, Catherine Berthier, as to which customers have been directly affected by the data breach; however, she declined to identify any of the affected companies because of client confidentiality and ongoing investigations. As a result of the unauthorised access to personally identifiable information (PII) and other sensitive corporate data, it is still unclear if that information was exfiltrated by the attackers. 

According to the company's SEC filing, a limited number of customer files that were stored outside the primary network - on two laptops - were accessed during the intrusion, and Ribbon stated that all impacted customers have been notified in accordance with the regulations and contractual obligations of the company.

In an official statement, Ribbon Communications has stated that it is actively collaborating with federal law enforcement agencies and leading cybersecurity specialists in order to determine the full extent of the breach and its implications. In the company's words, the current findings indicate that the attackers did not acquire any material corporate information or exfiltrate it, based on current findings. 

Despite this, Ribbon's investigation confirmed that the threat actors managed to access a limited number of customer files from two laptops tucked away outside Ribbon's primary network infrastructure, which had been affected. Ribbon notified these affected clients, and they have been informed subsequently. 

During its recent disclosure, Ribbon acknowledged that it would have to incur additional expenses during the fourth quarter of 2025 in order to carry out its ongoing investigation and to improve network resilience. However, Ribbon does not anticipate that these costs will materially affect its financial results. 

Reuters reports that three smaller customers were also impacted by the incident, although their names have not been made public. Ribbon has not yet disclosed the identity of the threat group that has targeted the company, but cybersecurity experts have concluded that there are strong parallels between this breach and a wave of telecom-focused espionage campaigns linked to Salt Typhoon, the Chinese hacking collective. 

There was a report last year that Chinese state-sponsored hackers had infiltrated several telecommunications networks, including AT&T, Verizon, Lumen, Consolidated Communications, Charter Communications and Windstream, as well as several international operators, by infiltrating the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). In a series of subsequent reports, it was revealed that Comcast, Digital Realty, and Viasat were also compromised as part of this same, coordinated campaign. 

It was determined that there was a broader and coordinated effort to infiltrate the global communications infrastructure. As the telecommunications sector has grown increasingly complex over the past decade, it has experienced an increasing number of alarming incidents and policy changes that have highlighted both the magnitude of the threat and the difficulties in mounting a unified response. 

Last year, U.S. A former US Army soldier, Cameron John Wagenius, admitted hacking into 15 telecom companies and stealing call records from prominent individuals, including former President Donald Trump, and later pleaded guilty to multiple charges after being arrested. This case illustrated how insider knowledge and access can be exploited in order to break into critical communication systems, which further reinforced the concern that the sector is vulnerable to both internal and external threats. 

Although the federal government has made great efforts to enhance cybersecurity protections across the industry, policy inconsistencies and bureaucratic obstacles have hindered progress. The Trump administration, in January, disbanded a body known as the Cyber Safety Review Board, which had been reviewing the Salt Typhoon espionage campaign as part of its oversight othe f the Cybersecurity and Infrastructure Security Agency (CISA). 

It is important to note that the board had previously issued a critical assessment of Microsoft's security practices, describing the earlier China-linked breach in a manner that described the breach as a “cascade of security failures.” In recent years, this has become an increasingly important finding among the cybersecurity community. 

A previous order that mandated that telecom operators comply with cybersecurity requirements has been rescinded by the Federal Communications Commission (FCC) Chairman Brendan Carr. By implementing the order under the Biden administration, it was clarified that under Section 105 of the Communications Assistance for Law Enforcement Act (CALEA), companies are legally responsible for securing their networks. 

Criticised the measure as regulatory overreach, asserting that it overstepped the agency's authority and failed to mitigate cyber threats effectively, asserting that it had exceeded the agency's. There has been a lot of controversy surrounding the FCC's decision to repeal the order next month, as well as a renewed discussion on the best way to balance regulatory authority, industry autonomy, and national security imperatives. 

Ribbon Communication's breach serves as an excellent reminder of the fragile state of global telecom cybersecurity as a whole, a complex area that is constantly challenging even the most established players when it comes to national security, corporate accountability, and technological complexity. 

There is a growing awareness that state-sponsored actors are refining their tactics and exploiting long-standing vulnerabilities in critical communications infrastructure, requiring governments and industry to move beyond reactive containment toward proactive defence. Taking steps to mitigate the scale and sophistication of such incursions can be achieved through facilitating cross-sector intelligence sharing, mandating transparency in cybersecurity audits, and investing in zero-trust architectures.

Achieving long-term resilience across the telecom ecosystem depends on the maintenance of regulatory consistency and policy continuity, regardless of political transitions. It is important for companies such as Ribbon trecoto gniseze that cybersecurity is not only a compliance requirement but a critical component of operational and national security that needs to be considered. 

As the U.S. faces an intensifying climate of digital espionage, it is believed that this breach will provide valuable lessons that the nation can use to protect its communications equipment from the next generation of silent, persistent cyber adversaries.
Read more »
supply chain security
Automotive Industry Cyberattack cyber attack Cyber Attacks cyber resilience Cyber Risk Management Cybersecurity Breach Data Breach impact industrial cybersecurity Jaguar Land Rover Hack supply chain security

Analysts Place JLR Hack at Top of UKs Most Costly Cyber Incidents


 

It has been said by experts that Jaguar Land Rover (JLR) has found itself at the epicentre of the biggest cyber crisis in UK history, an event that has been described as a watershed moment for British industrial resilience. It was in late August that hackers breached the automaker's computer system, causing far more damage than just crippling its computers. 

The breach caused a sudden and unexpected halt for the nation's largest car manufacturer, revealing how vulnerable modern manufacturing networks really are. Jaguar Land Rover's cyberattack has been classified as a Category 3 systemic event by the Cyber Monitoring Centre (CMC), the third-highest severity level on the five-point scale, emphasising the magnitude of the disruption that resulted. 

According to estimates, the company lost between £1.6 billion ($2.1 billion) and £2.1 billion ($2.8 billion) in losses, but experts warned that losses could climb higher if production setbacks persist or deep damage arises to the company's operational technology. It appears by some distance to be, by some distance, that this incident has had a financial impact on the United Kingdom that has been far greater than any other cyber incident that has occurred, according to Ciaran Martin, chairman of the CMC Technical Committee, in a statement to Cybersecurity Dive.

As the British authorities expressed growing concern after a sobering national cybersecurity review which urged organisations to strengthen their digital defences at the board and executive level, his comments came at the same time that the British government was growing increasingly concerned. National Cyber Security Centre reports that in the past year, 204 national-level cyberattacks have been recorded in the United Kingdom, and there have been 18 major incidents in the country. These include a coordinated social-engineering campaign that targeted major retailers, causing hundreds of millions of dollars worth of damage. 

Taking into account the severity level of the cyberattack on Jaguar Land Rover, the Cyber Monitoring Centre (CMC) has officially classified it as a Category 3 event on its five-point severity scale, which indicates the cyberattack resulted in a loss of between £1 billion and £5 billion and affected over 2,700 UK-based businesses.

During the late August break-up of JLR, which began in late August, an extended production freeze was imposed at the company's Solihull, Halewood, and Wolverhampton facilities, which disrupted the manufacturing of approximately 5,000 vehicles every week. As a result of this paralysis, thousands of smaller contractors and dealerships were affected as well, and local businesses that relied upon factory operations were put under severe financial strain.

A £1.5 billion ($2 billion) loan package was approved in September by British officials in response to the automaker's supplier network issues that had stalled the company's recovery efforts. Executives from the company declined to comment on the CMC's findings. However, they confirmed that production has gradually resumed at several plants, including Halewood and its Slovakia operation, indicating that after weeks of costly downtime, there has been some sign of operational restoration. 

Unlike widespread malware outbreaks, which often target a range of sectors indiscriminately in the hope of spreading their malicious code, this was a targeted attack that exposed vulnerabilities deep within one of Britain's most advanced manufacturing ecosystems in a concentrated area. 

While there was no direct threat to human life from the incident, analysts predicted substantial secondary effects on employment and industrial stability, with reduced demand for manufacturing likely to hurt job security, as production capacities remain underutilised despite the incident. 

As a way of cushioning the blow, the Government of the UK announced it would provide a £1.5 billion loan to help the automaker rebuild its supply chain, and JLR itself offered an additional £500 million to help stabilise operations. Based on the data collected by the CMC as of October 17, the estimated financial damage is about £1.9 billion - a figure that is likely to increase as new information becomes available.

However, the Centre clarified that the conclusions it came to were not based on internal JLR disclosures, but on independent financial modelling, public filings, expert analysis and benchmarks specific to each sector. As a consequence, JLR is expected to be unable to fully recover from the incident until January 2026. However, additional shifts may be introduced, and production will be increased to 12 per cent of pre-incident capacity in an effort to speed the company's recovery. 

In a concluding paragraph, the report urges both UK industries to strengthen their IT and operational systems to ensure a successful recovery from large-scale cyber disruptions. It also urged the government to develop a dedicated framework for the provision of assistance to those victims. It has thus far been agreed that Jaguar Land Rover has declined to comment on the CMC’s evaluation of the issue. 

However, the magnitude of the Jaguar Land Rover breach has been heightened by the intricate network of suppliers that make up the British automotive industry. As an example of what a Range Rover luxury vehicle entails, almost 30,000 individual components are sourced from a vast ecosystem of businesses that together sustain more than 104,000 jobs in the UK.

The majority of these firms are small and medium-sized businesses that are heavily reliant on JLR's production schedules and procurement processes. Approximately 5,000 domestic organisations were disrupted as a result of the cyberattack, which was conducted by the Cyber Monitoring Centre (CMC). This includes more than 1,000 tier-one suppliers, as well as thousands more at tiers two and three. 

Based on early data, approximately a quarter of these companies have already had to lay off employees, with another 20 to 25 per cent in danger of experiencing a similar situation if the slowdown continues. In addition to the manufacturing floor, the consequences have rippled out to other parts of the world as well. 

Dealerships have reported sharp declines in sales and commissions; logistics companies have been faced with idle transport fleets and underutilised shipping capacity; and the local economies around the major JLR plants have been affected as restaurants, hotels, and service providers have lost their customers as a result of the recession. 

The disruption has even affected aftermarket specialists, resulting in the inaccessibility of digital parts ordering systems, which caused them to lose access to their online systems. Though there was no direct threat to human lives, the incident has left a profound human impact—manifesting itself in job insecurity, financial strain, and heightened anxiety among the communities that were affected. 

There is a risk that prolonged uncertainty will exacerbate regional inequalities and erode the socioeconomic stability of towns heavily reliant on the automotive supply chain for their livelihoods, according to analysts. Jaguar Land Rover's unprecedented scale breach underscores the close ties that exist between cybersecurity and the stability of the global economy, which is why it is so sobering that there is a deep relationship between cybersecurity and the success of any business. 

Several analysts believe that this incident serves as a reminder that Britain's corporate and policy leadership should emphasise the importance of stronger digital defences, as well as adaptive crisis management frameworks that can protect interconnected supply networks from cyberattacks.

The automotive giant is rebuilding its operations at the moment, and experts stress the importance of organisations anticipating threats, integrating digital infrastructures across sectors, and collaborating across sectors in order to share intelligence and strengthen response mechanisms in order to remain resilient in the modern era. 

Governments are facing increasing pressure to make industrial cybersecurity a part of their national strategy, including providing rapid financial assistance and technical support to prevent systemic failures. Although JLR's recovery roadmap may have the power to restore production on schedule, the wider takeaway is clear: in an age when code and machine are inseparably linked, the health of the nation's manufacturing future is dependent on the security of its digital infrastructure.
Read more »
VMO Incident
cyber resilience Cybersecurity Breach Data Privacy Data protection Digital Infrastructure Hong Kong Security Network Security Privacy Ransomware attack VMO Incident

Mobdro Pro VPN Under Fire for Compromising User Privacy

 


A disturbing revelation that highlights the persistent threat that malicious software poses to Android users has been brought to the attention of cybersecurity researchers, who have raised concerns over a deceptive application masquerading as a legitimate streaming and VPN application. Despite the app's promise that it offers free access to online television channels and virtual private networking features—as well as the name Modpro IPTV Plus VPN—it hides a much more dangerous purpose.

It is known as Mobdro Pro IPTV Plus VPN. Cleafy conducted an in-depth analysis of this software program and found that, as well as functioning as a sophisticated Trojan horse laced with Klopatra malware, it is also able to compromise users' financial data, infiltrating devices, securing remote controls, and infecting devices with Klopatra malware. 

Even though it is not listed in Google Play, it has spread through sideloaded installations that appeal to users with the lure of free services, causing users to download it. There is a serious concern among experts that those who install this app may unknowingly expose their devices, bank accounts, and other financial assets to severe security risks. At first glance, the application appears to be an enticing gateway to free, high-quality IPTV channels and VPN services, and many Android users find the offer hard to refuse. 

It is important to note, however, that beneath its polished interface lies a sophisticated banking Trojan with a remote-access toolkit that allows cybercriminals to control almost completely infected devices through a remote access toolkit. When the malware was installed on the device, Klopatra, the malware, exploiting Android's accessibility features, impersonated the user and accessed banking apps, which allowed for the malicious activity to go unnoticed.

Analysts have described the infection chain in a way that is both deliberate and deceptive, using social engineering techniques to deceive users into downloading an app from an unverified source, resulting in a sideload process of the app. Once installed, what appears to be a harmless setup process is, in fact, a mechanism to give the attacker full control of the system. 

In analyzing Mobdro Pro IPTV Plus VPN further, the researchers have discovered that it has been misusing the popularity of the once popular streaming service Mobdro (previously taken down by Spanish authorities) to mislead users and gain credibility, by using the reputation of the once popular streaming service Mobdro. 

There are over 3,000 Android devices that have already been compromised by Klopatra malware, most of which have been in Italy and Spain regions, according to Cleafy, and the operation was attributed to a Turkish-based threat group. A group of hackers continue to refine their tactics and exploit public frustration with content restrictions and digital surveillance by using trending services, such as free VPNs and IPTV apps. 

The findings of Cleafy are supported by Kaspersky's note that there is a broader trend of malicious VPN services masquerading as legitimate tools. For example, there are apps such as MaskVPN, PaladinVPN, ShineVPN, ShieldVPN, DewVPN, and ProxyGate previously linked to similar attacks. In an effort to safeguard privacy and circumvent geo-restrictions online, the popularity of Klopatra may inspire an uproar among imitators, making it more critical than ever for users to verify the legitimacy of free VPNs and streaming apps before installing them. Virtual Private Networks (VPNs) have been portrayed for some time as a vital tool for safeguarding privacy and circumventing geo-restrictions. 

There are millions of internet users around the world who use them as a way to protect themselves from online threats — masking their IP addresses, encrypting their data traffic, and making sure their intercepted communications remain unreadable. But security experts are warning that this perception of safety can sometimes be false.

In recent years, it has become increasingly difficult to select a trustworthy VPN, even when downloading it directly from official sites, such as the Google Play Store, since many apps are allegedly compromising the very privacy they claim to protect, which has made the selection process increasingly difficult. In the VPN Transparency Report 2025, published by the Open Technology Fund, significant security and transparency issues were highlighted among several VPN applications that are widely used around the world. 

During the study, 32 major VPN services collectively used by over a billion people were examined, and the findings revealed opaque ownership structures, questionable operational practices, and the misuse of insecure tunnelling technologies. Several VPN services, which boasted over 100 million downloads each, were flagged as particularly worrying, including Turbo VPN, VPN Proxy Master, XY VPN, and 3X VPN – Smooth Browsing. 

Several providers utilised the Shadowsocks tunnelling protocol, which was never intended to be private or confidential, and yet was marketed as a secure VPN solution by researchers. It emphasises the importance of doing users' due diligence before choosing a VPN provider, urging users to understand who operates the service, how it is designed, and how their information is handled before making a decision. 

It is also strongly advised by cybersecurity experts to have cautious digital habits, including downloading apps from verified sources, carefully reviewing permission requests, installing up-to-date antivirus software, and staying informed on the latest cybersecurity developments through trusted cybersecurity publications. As malicious VPNs and fake streaming platforms become increasingly important gateways to malware such as Klopatra, awareness and vigilance have become increasingly important defensive tools in the rapidly evolving online security landscape. 

As Clearafy uncovered in its analysis of the Klopatra malware, the malware represents a new level of sophistication in Android cyberattacks, utilising several sophisticated mechanisms to help evade detection and resist reverse engineering. As opposed to typical smartphone malware, Klopatra permits its operators to fully control an infected device remotely—essentially enabling them to do whatever the legitimate user is able to do on the device. 

It has a hidden VNC mode, which allows attackers to access the device while keeping the screen black, making them completely unaware of any active activities going on in the device. This is one of the most insidious features of this malware. If malicious actors have access to such a level of access, they could open banking applications without any visible signs of compromise, initiate transfers, and manipulate device settings without anyone noticing.

A malware like Klopatra has strong defensive capabilities that make it very resilient. It maintains an internal watchlist of popular Android security applications and automatically attempts to uninstall them once it detects them, ensuring that it stays hidden from its victim. Whenever a victim attempts to uninstall a malicious application manually, they may be forced to trigger the system's "back" action, which prevents them from doing so. 

The code analysis and internal operator comments—primarily written in Turkish—led investigators to trace the malware’s origins to a coordinated threat group based in Turkey, where most of their activities were directed towards targeting Italian and Spanish financial institutions. Cleafy's findings also revealed that the third server infrastructure is carrying out test campaigns in other countries, indicating an expansion of the business into other countries in the future. 

With Klopatra, users can launch legitimate financial apps and a convincing fake login screen is presented to them. The screen gives the user the appearance of a legitimate login page, securing their credentials via direct operator intervention. The campaign evolved from a prototype created in early 2025 to its current advanced form in 2035. This information is collected and then used by the attackers in order to access accounts, often during the night when the device is idle, making suspicions less likely. 

A few documented examples illustrate that operators have left internal notes in the app's code in reference to failed transactions and victims' unlock patterns, which highlights the hands-on nature of these attacks. Cybersecurity experts warn that the best defence against malware is prevention - avoiding downloading apps from unverified sources, especially those that offer free IPTV or VPN services. Although Google Play Protect is able to identify and block many threats, it cannot detect every emerging threat. 

Whenever an app asks for deep system permissions or attempts to install secondary software, users are advised to be extremely cautious. According to Cleafy's research, curiosity about "free" streaming services or privacy services can all too easily serve as a gateway for full-scale digital compromise, so consumers need to be vigilant about these practices. In a time when convenience usually outweighs caution, threats such as Klopatra are becoming increasingly sophisticated.

A growing number of cybercriminals are exploiting popular trends such as free streaming and VPN services to ensnare unsuspecting users into ensnaring them. As a result, it is becoming increasingly essential for each individual to take steps to protect themselves. Experts recommend that users adopt a multi-layered security approach – pairing a trusted VPN with an anti-malware tool and enabling multi-factor authentication on their financial accounts to minimise damage should their account be compromised. 

The regular review of system activity and app permissions can also assist in detecting anomalies before they occur. Additionally, users should cultivate a sense of scepticism when it comes to offers that seem too good to be true, particularly when they promise unrestricted access and “premium” services without charge. In addition, organisations need to increase awareness campaigns so consumers are able to recognise the warning signs of fraudulent apps. 

The cybersecurity incidents serve as a reminder that cybersecurity is not a one-time safeguard, but must remain constant through vigilance and informed decisions throughout the evolving field of mobile security. Awareness of threats remains the first and most formidable line of defence as the mobile security battlefield continues to evolve.
Read more »
Subscribe to: Comments (Atom)