Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cybersecurity Threats. Show all posts
Technology
AI vulnerabilities Cyberattacks Cybersecurity Threats Data Breaches digital economy risks digital infrastructure crisis Technology

The Digital Economy’s Hidden Crisis: How Cyberattacks, AI Risks, and Tech Monopolies Threaten Global Stability

 

People’s dependence on digital systems is deeper than ever, leaving individuals and businesses more exposed to cyber risks and data breaches. From the infamous 2017 Equifax incident to the recent cyberattack on Marks & Spencer, online operations remain highly vulnerable. Experts warn that meaningful action may only come after a large-scale digital crisis.

Research indicates that current strategies for managing risk and fostering innovation are flawed. Digital technologies—ranging from social platforms to artificial intelligence—are reshaping society. While these tools are powerful, they also carry risks of malfunction, manipulation, and exploitation. Yet governments struggle to differentiate between innovations that genuinely benefit society and those that create long-term harm.

The digital economy—defined as “businesses that increasingly rely on information technology, data and the internet”—is effectively running a global social experiment. Tech giants often capture most of the benefits while shifting risks onto society. The potential fallout could include cyberattacks crippling essential services like power grids or communications, or even tampering with infrastructure to create dangerous conditions.

Parallels can be drawn with the 2008 financial crisis. American sociologist Charles Perrow described “tight coupling,” where highly interconnected systems lacking redundancy can spiral into catastrophic failures. Today’s digital economy mirrors that model: rapid expansion, interconnected datasets, and platforms increasing interdependency while eliminating safeguards.

The “move fast and break things” culture intensifies risk, with companies absorbing competitors and erasing analog alternatives. This reduces redundancy and accelerates monopolistic control, making the system more fragile and complex.

Unlike the 2008 financial meltdown, today’s warning signs are visible to all. Attacks like WannaCry and NotPetya caused billions in damages, while the 2024 CrowdStrike outage grounded flights and disrupted TV broadcasts. Ransomware, hacks, and data leaks are constant reminders of the fragility of digital infrastructure.

Artificial intelligence compounds these threats. AI-driven hallucinations, misinformation at scale, and increased vulnerabilities to confidentiality and integrity make digital risks more severe. As AI evolves, it amplifies the speed and impact of these dangers.

The central concern is that despite obvious risks, political and regulatory systems remain reactive rather than preventative. As technology continues to accelerate, the likelihood of a systemic digital crisis grows.
Read more »
Security Bulletin
Android Ecosystem Android Security Cybersecurity Threats device protection Google Security Strategy Mobile Security Mobile Vulnerabilities OEM Patching Risk-Based Updates Security Bulletin

Google plans shift to risk-based security updates for Android phones


 

The Google Android ecosystem is set to undergo a significant transformation in its security posture, with Google preparing to overhaul the method it utilizes to address software vulnerabilities. Google is aiming to strengthen this. 

According to reports by Android Authority, the company plans to develop a new framework known as the Risk-Based Update System (RBUS) which will streamline patching processes for device manufacturers and help end users receive faster protection. According to Google, at present, Android Security Bulletins (ASBs) are published every month, which contain fixes for a variety of vulnerabilities, from minor flaws to severe exploits. 

A notification of hardware partners and Original Equipment Manufacturers (OEMs) is given at least one month in advance. Updates, however, will no longer be bundled together indiscriminately under the new approach. Google intends, instead, to prioritize real-world threats. 

As part of this initiative, Google will ensure vulnerabilities that are actively exploited or that pose the greatest risk to user privacy and data security are patched at the earliest possible opportunity. There will be no longer any delays in the release of essential protections due to less critical issues like low-level denial-of-service bugs. 

If this initiative is fully implemented, not only will OEMs be relieved from the burden of updating their devices, but it also shows Google's commitment to ensuring the safety of Android users by creating an intelligent and responsive update cycle. 

Over the last decade, Google has maintained a consistent rhythm with publishing the Android Security Bulletins on a monthly basis, regardless of whether or not updates for its Pixel devices had yet been released. There has been a tradition for each bulletin to outline a wide range of vulnerabilities, ranging from relatively minor issues to critical ones, with the sheer complexity of Android often leading to a dozen or more vulnerabilities being reported every month as a result of its sheer complexity. 

In July 2025, however, Google disrupted this cadence by publishing an update for the first time in 120 consecutive bulletins that did not document a single vulnerability for the first time. A break in precedent did not mean there were no issues, rather it signaled that Google was shifting how they communicate and distribute security updates in a strategic manner. 

In September 2025, the bulletin recorded an unusually high number of 119 vulnerabilities, underscoring the change in how they communicate and distribute security fixes. According to this contrast, Google has taken steps toward prioritizing high-risk vulnerabilities and ensuring that the device manufacturers are able to respond to emerging threats as quickly as possible, so that users can be shielded from active exploit. 

In spite of the fact that Original Equipment Manufacturers (OEMs) are largely dependent on the Android operating system to power their devices, they frequently operate on separate patch cycles and publish individual security bulletins, which has historically led to a degree of inconsistency across all ecosystems. 

With Google's aim to streamline the number of fixes the manufacturer must deploy each month, it appears Google wants to alleviate the burden on manufacturers, reducing the amount of patches that must be tested and deployed, as well as giving OEMs greater flexibility when and how firmware updates should be rolled out. 

It is possible for device makers to gain a greater sense of control by prioritizing high-risk vulnerabilities, but it also raises concern about possible delays in addressing less severe vulnerabilities that could be exploited if left uncorrected. The larger quarterly bulletins will be able to offset this new cadence. 

The September 2025 bulletin, which included more than 100 vulnerabilities in comparison to the empty or minimal lists of July and August, is indicative of this. According to Google spokesperson, in a statement to ZDNET, Android and Pixel both continuously address known security vulnerabilities, putting an emphasis on the most vulnerable to be fixed. 

In this way, Google emphasizes the platform's hardened protections, such as the adoption of memory-safe programming languages like Rust and the use of advanced anti-exploitation measures built into the platform. It is also being announced that Google will be extending its security posture beyond its system updates. 

Starting next year, developers of Android-certified apps will be required to provide their identities in order to distribute their software, as well as restrictions on sideloading, which are designed to combat fraudulent and malicious app development. There will also be increased pressure on major Android partners, such as Samsung, OnePlus, and other Original Equipment Manufacturers (OEMs) to adjust their update pipelines as a result of the switch to a risk-based update framework. 

According to Android Authority, which was the first to report about Google's plans, Google is actively negotiating with partners in an attempt to ease this shift, potentially reducing the burden on manufacturers who have historically struggled to provide timely updates. Sources cited by the company indicate that the company is actively in discussions with partners in order to ease this transition. 

The model offers users a more robust level of protection against active threats as well as minimizing interruptions from less urgent fixes, which will lead to a better device experience for users. Nevertheless, Google's approach raises some questions about transparency, including how it will determine what constitutes a high-risk flaw, and how it will communicate those judgments in a transparent manner. 

There are critics who warn against the risks of deprioritizing lower-severity vulnerabilities, which, while effective short-term, risks leaving cumulative holes in long-term device security. According to Google’s strategy, outlined in Android Headlines, which was designed to counter mobile exploits with data-driven strategies that aim to outpace attackers who are increasingly targeting smartphones, Google's strategy is a data-driven response. 

There are implications for more than Android phones. It is possible that the decision could be used as a model for rival operating systems, especially as regulators in regions like the European Union push for more consistent and timely patches for consumer devices. Consequently, enterprises and developers need to rethink how patch management works, and OEMs that adopt patch management early may be able to gain an advantage in markets that are sensitive to security. 

Despite a streamlined schedule, smaller manufacturers may be unable to keep up with the pace, underscoring the fragmentation that has long plagued the Android ecosystem. In an effort to mitigate these risks, Google has already signaled plans for providing tools and guidelines, and some industry observers are speculating that future Android versions might even include AI-powered predictive security tools that identify and prevent threats before they occur. 

With the successful implementation of this initiative, a new era of mobile security standards might be dawning and a balance between urgency and efficiency would be established in an era where cyber-attacks are escalating. For the average Android user, it is expected that the practical impact of Google's risk-based approach will be overwhelmingly positive. 

A device owner who receives a monthly patch may not notice much change, but a device owner with a handset that isn't updated regularly will benefit from manufacturers being able to push out fixes in a more structured fashion—particularly quarterly bulletins, which are now responsible for the bulk of security updates. 

There are, however, critics who caution that the consolidation of patches on a quarterly basis could, in theory, create an opportunity for malicious actors to exploit if details of upcoming fixes were leaked. However, industry analysts caution that this is still a very hypothetical risk, as the system is designed to accelerate the vulnerability discovery process in order to make sure that the most dangerous vulnerabilities are quickly exploited before they are widely abused. 

In the aggregate, the strategy demonstrates that Google is taking steps to enhance Android's defenses by prioritizing urgent threats, which aims to improve Android's security and stability across its wide range of devices in order to deliver a more reliable and stable experience for its users. 

Ultimately, the success of Google's risk-based update strategy will be determined not only by how quickly vulnerabilities are identified and patched, but also by how well manufacturers, regulators, and a broader developer community cooperate with Google. Since the Android ecosystem remains among the most fragmented, diverse, and diverse in the world, the effectiveness of this model will ultimately be evaluated based on the consistency and timeliness with which it provides protection across billions of devices, from flagship smartphones to budget models in emerging markets, within a timely manner. 

There are a number of questions that users need to keep in mind in order to get the most out of security: Enabling automatic updates, limiting the use of sideloaded applications, and choosing devices from OEMs that are known for providing timely patches are all ways to make sure users are protected.

The framework offers enterprises a chance to re-calibrate their device management policies, emphasizing risk management and aligning them with quarterly cycles more than ever before. As a result of Google's move, security will become much more than a static checklist. 

Instead, it will become an adaptive, dynamic process that anticipates threats rather than simply responds to them. Obviously, if this approach is executed effectively, it is going to change the landscape in terms of mobile security around the world, turning Android's vast reach from a vulnerability into one of its greatest assets.
Read more »
VPN Blocking
Belt And Road China Great Firewall Cybersecurity Threats Data Breach Deep Packet Inspection Digital Authoritarianism Internet censorship Surveillance Technology VPN Blocking

500GB Leak Marks Largest Exposure of Great Firewall’s Internal Operations


 

There has been a significant breach of one of the world's most sophisticated censorship systems, the Great Firewall, which is considered one of the most tightly controlled systems. This breach has led to the largest data leak to date for China’s Great Firewall. 

Geedge Networks, a company directly responsible for developing and operating China’s internet control infrastructure, released a massive amount of data on September 11, 2025, that included 500 gigabytes of internal files and over 100,000 confidential documents. In the cache, detailed blueprints of the DPI and filtering technologies which underpin Beijing’s digital censorship regime are available. 

As a result of these leaked records, it is clear that not only has the tool been exported and sold to at least four authoritarian governments outside of China, but it has also been used to police information flows in China. It is revealing in a way that no previous insight was available into the inner workings of the Great Firewall, and it raises urgent questions regarding the global spread of surveillance and censorship technologies sponsored by states. 

GFW Report's researchers have found that the trove contains dozens of internal records, including proposals, research papers, and operational logs, as well as source code and RPM packages that were used in developing the filtering infrastructure. In many of the documents, references can be found to projects related to China's Belt and Road Initiative (BRI), suggesting that the censorship technology is not only being considered in China but is often deployed outside the country’s borders as well. 

As detailed by the internal notes of Geedge Networks, they also indicate that they have been providing services to provincial governments in regions like Xinjiang, Jiangsu, and Fujian, as well as exporting surveillance systems to foreign companies. An investigation conducted by Cybernews reveals that the leaked suite of software also includes advanced tools that allow users to analyse traffic, such as Deep Packet Inspection (DPI) for traffic analysis, modules for detecting VPNs, Tor, and other circumvention tools, as well as features for traffic throttling, content monitoring, and potential user tracking, to name just a few. 

Even though these capabilities appear extensive, experts warn that the exact functionality of the software is uncertain based on the fact that the source code has not yet been examined fully and that some of the leaked materials are still not entirely accurate. Researchers discovered that inside the leaks, they have found complete build systems for DPI platforms, as well as code modules designed for identifying and thwarting certain circumvention techniques. 

The technical material focuses mainly on the detection of VPN networks, SSL fingerprinting, and the logging of full sessions of traffic in order to demonstrate how precisely the system has been designed to monitor and control Internet activity with its precision. Great Firewall Report, the first group to authenticate this leak, noted in its report that the documents describe the architecture of Tiangou, a commercialised censorship system which was described internally as a "Great Firewall in a box." When international sanctions were imposed in response to Tiangou's earlier versions, the server was reportedly built on HP and Dell servers, but later switched to Chinese-made equipment. 

A leaked deployment sheet shows how large the system is: according to the information on the leaked deployment sheet, in Myanmar the platform has been installed across 26 data centers that are directly connected to the nation's internet exchange points, making it possible for authorities to monitor 81 million simultaneous TCP connections, as well as enforce sweeping controls over online communication with their live dashboards. 

Moreover, the documents also indicate that Myanmar's state-run telecom company was responsible for operating the installation, highlighting the significance of national carriers in enforcing digital censorship in Myanmar. The evidence also indicates that Geedge's DPI technology has been exported to a number of foreign countries outside Myanmar. It is reported by WIRED and Amnesty International that deployments have occurred in Pakistan, Ethiopia, and Kazakhstan, and that they are often complemented by lawful intercept systems that can monitor mobile communications in real time. 

According to reports, this technology is used to underpin a nationwide monitoring program known as WMS 2.0, which will oversee mobile communications on a massive scale throughout the country. In addition to the leaked documents, earlier findings from May signal a shift in China's censorship architecture to a "provincial firewall" model that signals a move away from strict centralisation towards a more layered approach to regional control that is based on a more regional approach to censorship. 

The decentralisation scheme appears to be aimed at increasing the degree of flexibility and efficiency of monitoring by allowing provincial authorities to tailor censorship and surveillance according to local circumstances, while adhering to the general national directives at the same time. As it turns out, the documents provided by China indicate that, under the Belt and Road Initiative framework, such technologies are being actively exported beyond Chinese borders. 

It has been revealed that Geedge Networks, the company at the centre of the leak, has provided comprehensive censorship and surveillance platforms to Internet providers in Myanmar, Pakistan, Kazakhstan, Ethiopia, as well as to unknown countries—effectively replicating the digital authoritarian model that has become so prevalent in China on a worldwide basis. 

The revelations about advanced surveillance capabilities for individuals and groups have been particularly troubling. This paper demonstrates a variety of deep packet inspection systems, VPN/Tor/Psiphon detection systems, traffic shaping systems, and even malware injection systems, all accompanied by sophisticated dashboards that allow governments to monitor users in real time, and this can result in improved security. 

As new technologies are developed, such as geofencing and trajectory mapping, individuals can be automatically flagged for entering specific areas, past movement patterns can be reconstructed, and high-risk individuals can be marked as high risk based on their behaviours, including frequent SIM swaps, use of circumvention tools, and interactions with foreign platforms. In addition to these tools, there are tools for collective monitoring as well. This system can provide governments with unprecedented power to suppress dissent before it reaches the public square by displaying the real-time geographic distribution of monitored groups, detecting unusual gatherings, and identifying potential protests before they occur, which is even more concerning. 

In the past few years, China has been waging a campaign of cybersecurity control and online censorship with its Great Firewall, which was designed to regulate virtually all internet activity within the country for years. In its core is a deep packet inspection engine, which is capable of examining every data packet that passes through a network service provider, cross-referencing it to continuously updated blacklists containing keywords, IP addresses, and protocol signatures, and deciding whether, at any time, the data packet should be permitted, throttled, or blocked. 

The system is enhanced by tampering with DNS, blocking IP addresses, filtering keywords, and real-time traffic shaping. Together, these measures form a comprehensive censorship barrier that obstructs access to foreign news outlets, social media platforms, and politically sensitive content, while at the same time logging user activity for government surveillance purposes. 

It is because Geedge Networks, led by Fang Binxing, often referred to as the "Father of the Great Firewall," is developing the proprietary hardware, firmware, as well as the Secure Gateway software that drives this censorship engine to serve the needs of the US government. There has been a substantial contribution made by the MESA Lab at the Institute of Information Engineering, which has contributed algorithms for detecting and resolving circumvention tools such as VPNs and proxy servers, transforming the technology into a fully functional turnkey product ready to deploy. 
A researcher at the Great Firewall Report describes this exportable kit as “a great firewall in a box.” As investigators pieced together the export trail, they discovered a striking correlation between cargo manifests, data centre footprints, and annotations on code that revealed the delivery of this technology to countries with severe restrictions on digital rights, countries already known for their harsh stance on digital freedoms. 

Thousands of users in these regions suffer immediate and chilling consequences when such infrastructure arrives: news articles can suddenly disappear from their screens, messaging apps may cease working, or video calls to family members abroad can end mid-conversation without any warning. As a consequence of the firewall's capability of surveillance, civil society has been exposed to greater dangers just for speaking freely, which includes activists, journalists, and ordinary citizens. 

In the face of China's layered defences, even the most advanced virtual private networks (VPNs) face mounting challenges. The DPI engine now utilises deep-learning classifiers, which are capable of detecting obfuscation protocols, so that it can throttle or block VPN traffic in real time in order to protect users. Several VPN providers, including NordVPN and Proton VPN, have introduced stealth protocols specifically designed to counter these measures, but the battle remains on. 

As censorship technologies develop, VPN developers are constantly on the lookout for ways to maintain access to a free and open internet, and they must strive to keep up to date with these technologies to ensure they remain a step ahead of them. China's Great Firewall has been exposed in unprecedented ways through this massive leak, forcing the public to reassess China's policies far beyond its borders. 

At its heart lies a troubling reality: these technologies were originally designed to consolidate state power in the domestic sphere, but now are being systematically exported across multiple continents, institutionalising digital authoritarianism. As a result of the global diffusion of surveillance infrastructure, it is imperative to ensure transparency, stronger safeguards for internet freedom, as well as international cooperation, in order to counter this threat. 

This type of turnkey censorship system poses a huge risk to top policymakers, civil society, and technology companies, and we must all work together to deal with it. Not only must we demand accountability from states that deploy them, but we must also strengthen resilient tools that can protect online expression and privacy from them. This revelation should also serve as a warning to democratic nations that they should work hard to develop and support open-source, censorship-resistant technologies and promote policies that prioritise human rights in digital governance in order to combat the threat of censorship. 

As communication is increasingly becoming an integral part of social, political, and economic participation in modern times, it is becoming increasingly apparent that the unchecked spread of such mechanisms threatens to redraw the boundaries of free speech around the globe. As alarming as the leak may be, it offers us a rare opportunity to map these systems and develop countermeasures - before the digital iron curtain becomes the norm for securing our privacy around the world.
Read more »
Social Media Safety
AI Misuse Cyber Fraud Cybersecurity Threats Deepfake Fraud Digital Literacy Financial Fraud Online Scams Social Media Safety

Deepfake Video of Sadhguru Used to Defraud Bengaluru Woman of Rs 3.75 Crore


 

As a striking example of how emerging technologies are used as weapons for deception, a Bengaluru-based woman of 57 was deceived out of Rs 3.75 crore by an AI-generated deepfake video supposedly showing the spiritual leader Sadhguru. The video was reportedly generated by an AI-driven machine learning algorithm, which led to her loss of Rs 3.75 crore. 

During the interview, the woman, identifying herself as Varsha Gupta from CV Raman Nagar, said she did not know that deepfakes existed when she saw a social media reel that appeared to show Sadhguru promoting investments in stocks through a trading platform, encouraging viewers to start with as little as $250. She had no idea what deepfakes were when she saw the reel. 

The video and subsequent interactions convinced her of its authenticity, which led to her investing heavily over the period of February to April, only to discover later that she had been deceived by the video and subsequent interactions. During that time, it has been noted that multiple fake advertisements involving artificial intelligence-generated voices and images of Sadhguru were circulating on the internet, leading police to confirm the case and launch an investigation. 

It is important to note that the incident not only emphasises the escalation of financial risk resulting from deepfake technology, but also the growing ethical and legal issues associated with it, as Sadhguru had recently filed a petition with the Delhi High Court to protect his rights against unauthorised artificial intelligence-generated content that may harm his persona. 

Varsha was immediately contacted by an individual who claimed to be Waleed B, who claimed to be an agent of Mirrox, and who identified himself as Waleed B. In order to tutor her, he used multiple UK phone numbers to add her to a WhatsApp group that had close to 100 members, as well as setting up trading tutorials over Zoom. After Waleed withdrew, another man named Michael C took over as her trainer when Waleed later withdrew. 

Using fake profit screenshots and credit information within a trading application, the fraudsters allegedly constructed credibility by convincing her to make repeated transfers into their bank accounts, in an effort to gain her trust. Throughout the period February to April, she invested more than Rs 3.75 crore in a number of transactions. 

 After she declined to withdraw what she believed to be her returns, everything ceased abruptly after she was informed that additional fees and taxes would be due. When she refused, things escalated. Despite the fact that the investigation has begun, investigators are partnering with banks to freeze accounts linked to the scam, but recovery remains uncertain since the complaint was filed nearly five months after the last transfer, when it was initially filed. 

Under the Bharatiya Nyaya Sanhita as well as Section 318(4) of the Information Technology Act, the case has been filed. Meanwhile, Sadhguru Jaggi Vasudev and the Isha Foundation formally filed a petition in June with the Delhi High Court asking the court to provide him with safeguards against misappropriation of his name and identity by deepfake content publishers. 

Moreover, the Foundation issued a public advisory regarding social media platform X, warning about scams that were being perpetrated using manipulated videos and cloned voices of Sadhguru, while reaffirming that he is not and will not endorse any financial schemes or commercial products. It was also part of the elaborate scheme in which Varsha was added to a WhatsApp group containing almost one hundred members and invited to a Zoom tutorial regarding online trading. 

It is suspected that the organisers of these sessions - who later became known as fraudsters - projected screenshots of profits and staged discussions aimed at motivating participants to act as positive leaders. In addition to the apparent success stories, she felt reassured by what seemed like a legitimate platform, so she transferred a total of 3.75 crore in several instalments across different bank accounts as a result of her confidence in the platform. 

Despite everything, however, the illusion collapsed when she attempted to withdraw her supposed earnings from her account. A new demand was made by the scammers for payment of tax and processing charges, but she refused to pay it, and when she did, all communication was abruptly cut off. It has been confirmed by police officials that her complaint was filed almost five months after the last transaction, resulting in a delay which has made it more challenging to recover the funds, even though efforts are currently being made to freeze the accounts involved in the scam. 

It was also noted that the incident occurred during a period when concern over artificial intelligence-driven fraud is on the rise, with deepfake technology increasingly being used to enhance the credibility of such schemes, authorities noted. In April of this year, Sadhguru Jaggi Vasudev and the Isha Foundation argued that the Delhi High Court should be able to protect them from being manipulated against their likeness and voice in deepfake videos. 

In a public advisory issued by the Foundation, Sadhguru was advised to citizens not to promote financial schemes or commercial products, and to warn them against becoming victims of fraudulent marketing campaigns circulating on social media platforms. Considering that artificial intelligence is increasingly being used for malicious purposes in this age, there is a growing need for greater digital literacy and vigilance in the digital age. 

Despite the fact that law enforcement agencies are continuing to strengthen their cybercrime units, the first line of defence continues to be at the individual level. Experts suggest that citizens exercise caution when receiving unsolicited financial offers, especially those appearing on social media platforms or messaging applications. It can be highly effective to conduct independent verification through official channels, maintain multi-factor authentication on sensitive accounts, and avoid clicking on suspicious links on an impulsive basis to reduce exposure to such traps. 

Financial institutions and banks should be equally encouraged to implement advanced artificial intelligence-based monitoring systems that can detect irregular patterns of transactions and identify fraudulent networks before they cause significant losses. Aside from technology, there must also be consistent public awareness campaigns and stricter regulations governing digital platforms that display misleading advertisements. 

It is now crucial that individuals keep an eye out for emerging threats such as deepfakes in order to protect their personal wealth and trust from these threats. Due to the sophistication of fraudsters, as demonstrated in this case, it is becoming increasingly difficult to protect oneself in this digital era without a combination of diligence, education, and more robust systemic safeguards.
Read more »
Zero Day exploit
Apple Security CVSS Cybersecurity Threats iOS Mobile Device Protection Spyware Campaign Vulnerabilities and Exploits WhatsApp Vulnerability Zero Click Attack Zero Day exploit

WhatsApp 0-Day Exploited in Targeted Attacks on Mac and iOS Platforms

 


Providing a fresh reminder of the constant threat to widespread communication platforms, WhatsApp has disclosed and patched a vulnerability affecting its iOS and macOS applications. The vulnerability has already been exploited in real-world attacks, according to WhatsApp, which warns it may already have been exploited in the past. 

It has a CVSS score of 5.4 and is tracked as CVE-2025-55177. The vulnerability is caused by an insufficient level of authorisation when handling linked device synchronization messages. As a result of the vulnerability, WhatsApp has warned that a malicious actor could potentially compromise the security of users by manipulating content processing using arbitrary URLs on the target device. 

In a statement, the Meta-owned company credited its in-house security team with discovering and analyzing this bug, which is thought to have been exploited in combination with a recently revealed Apple zero-day vulnerability as part of targeted attacks on the company. The incident was deemed to be the result of an "advanced spyware campaign" by Donncha Cearbhaill of Amnesty International's Security Lab, which notes it had been active for approximately 90 days and used zero-click delivery techniques. 

Through this technique, attackers were able to spread malicious exploits through WhatsApp without requiring any interaction from the victim, allowing them to steal data from Apple devices silently and raising serious concerns about the resilience of even highly secure platforms. By way of spokesperson Margarita Franklin, Meta, the parent company of WhatsApp, confirmed that the flaw had been identified and patched several weeks ago, with notification sent to less than 200 users who had been affected. 

Even though the company has not attributed the operation to any specific threat actor or spyware vendor, the lack of attribution highlights how difficult it may be to trace such sophisticated campaigns when it comes to tracking them down. Technology providers are facing increasingly complex and stealthy attacks on popular communication tools, which is why the episode emphasizes the mounting challenges they face in defending them against such attacks. 

Recently, a critical flaw has been discovered in WhatsApp which has been catalogued as CVE-2025-55177, which has once again brought to the fore the security landscape around widely used communication platforms. Based on initial CVSS scores of 5.4 and 8.0, the vulnerability highlights how zero-day exploits continue to pose a challenge to users and device integrity, as well as undermine privacy and device integrity. 

It is believed that the root of the flaw is due to incomplete authorization in the handling of synchronization messages between linked devices. This weakness was the basis of the attack, which could be exploited as a tool to override the expected security features. Using this vulnerability, a malicious actor who has no legitimate association with the target could force a victim's device to process content from an arbitrary URL on its own behalf if exploited. 

The manipulation of trusted communication channels could serve as an entry point for remote code execution, or unauthorized delivery of malicious content, directly from the attacker's infrastructure, which can then be used to deliver malicious content. In such a scenario, users' trust is not only compromised, but it also highlights how vulnerable application-level security measures can be if authorization mechanisms are not properly enforced. 

There is an added level of seriousness to this discovery, since the exploit appears to have been a zero-click attack. In contrast to conventional attacks that require the user to open a file or click on a link, zero-click exploits do not require the user to interact with them whatsoever, which significantly reduces the chances of detection. 

As a result of silent compromises, attackers are able to install spyware or malicious code swiftly, discreetly, and with little or no trace until the damage has been done. WhatsApp's internal security team believes that the CVE-2025-55177 vulnerability was not an isolated occurrence. Rather than being isolated from the other vulnerability within Apple's ecosystem, it is thought to have been chained together with a separate vulnerability within the Apple ecosystem – CVE-2025-43300 – to allow sophisticated, targeted attacks.

In the Apple case, a CVSS score of 8.8 was assigned to the ImageIO framework that was characterized by an out-of-bounds write condition. When these vulnerabilities occur during the processing of images, they can corrupt memory, giving way to deeper system-level vulnerabilities. An exploit chaining strategy, whereby an application-level bug is paired up with an operating system vulnerability in order to maximize the scope and stealth of a campaign, is an increasingly popular strategy among advanced adversaries as a means of maximizing the scope and stealth of their operations. 

On August 20, Apple updated its entire product line in order to address CVE-2025-43300, issuing patches for iOS 18.6.2, iPadOS 18.6.2, and 17.7.10, Mac OS Sequoia 15.6.1, Mac OS Sonoma 14.7.2, and Mac OS Ventura 13.7.1. It was noted in the advisory that while the company had refrained from providing detailed technical details, they had been aware of reports that the flaw had already been exploited against specific individuals by users in the wild.

In line with the tactics used by state-sponsored groups and well-funded spyware vendors, these attacks were highly targeted and not indiscriminate, as they suggest that these attacks were highly targeted and not indiscriminate. In addition to mitigating the threat quickly, WhatsApp has also quickly rolled out patches that fix CVE-2025-55177 on all its platforms, rolling it out in late July and early August 2025. As with Apple, WhatsApp's version of iOS 2.2.21.73, WhatsApp Business, and WhatsApp for Mac all came with the patches. 

However, as Apple did, WhatsApp did not provide details of the observed attacks, and provided limited commentary on the nature or scale of the exploitation. The reticence that occurs when a zero-day exploitation is being actively exploited is not unusual, as revealing too much could help threat actors improve their techniques inadvertently. 

While the extent of the campaign is still unknown, the operational sophistication implied by these exploits suggests that an adversary with adequate resources has been engaged in this operation. This is because of the fact that zero-click vectors are being used as well as the seamless chaining of vulnerabilities across both application and operating system layers, which illustrates how complex cyber threats are becoming. 

In the broader context of these incidents, it is important to recognize that attackers are increasingly using multi-layered exploit chains to get around user defenses, get past traditional detection methods, and implant spyware in a highly precise manner. Taking a broader perspective of the WhatsApp and Apple vulnerabilities, it is important to note that today's interconnected digital environment creates a precarious balance between convenience and security. 

With the rapid expansion of messaging platforms, the attack surface is inevitably bound to increase, allowing adversaries to find weaknesses more easily. According to recent disclosures, it is imperative that timely patches, rigorous vulnerability management, and ongoing collaboration between vendors be implemented so that coordinated, high-level exploitation campaigns are limited in impact. 

In order to defend against zero-click exploit campaigns that leverage zero-click exploits, security specialists advise that a routine patch application does not suffice. There is a growing need for organizations to adopt a layered defense strategy that integrates technical safeguards with operational discipline in order to reduce exposure. 

Among the steps to take is updating WhatsApp and other messaging platforms to the most recent patched versions, enforcing mobile device management (MDM) baselines, and implementing solutions for detection and response of mobile endpoints (EDR) that can be used to detect as well as analyse the data. To further enhance resilience, system logs can be monitored for unusual activity, command-and-control traffic can be blocked at the network level, and threat intelligence data can be utilized. 

To eliminate possible persistence mechanisms, factory resets should be recommended when a compromise is suspected. Likewise, it is crucial to build user awareness by providing training on spyware risks and incident reporting, in addition to reviewing incident response playbooks to ensure they address zero-day and zero-click exploitation scenarios. In addition to these practices, organizations should adopt strict communication security policies, and conduct regular third-party risk assessments in order to strengthen their defense against stealthy spyware operations and reduce the impact of sophisticated intrusion attempts on their systems. 

There has been a sharp reminder resulting from the revelations surrounding WhatsApp and Apple vulnerabilities that no platform, no matter how popular or secure it appears to be, is immune to exploitation. In this day and age, zero-click spyware is becoming increasingly sophisticated, which underscores the necessity to treat mobile device security as a strategic priority rather than something people take for granted. 

The best way to do this for individuals would be to develop the habit of downloading and installing software updates as soon as they become available, to exercise caution when unusual behavior occurs on their mobile devices, and to consider the use of trusted mobile security tools. 

Organizations need to shift from compliance checklists and develop a culture of proactive resilience rather than relying on compliance checklists. This means investing in multiple defenses, continuous monitoring, and cross-team collaboration between the IT, security, and legal departments in order to better detect and contain incidents.

It is imperative that technology vendors, independent researchers, and civil society organisations collaboratively work together in order to hold spyware operators accountable for their actions and ensure that users retain trust in their digital communications in the future. 

In spite of vulnerabilities continuing to be found in the digital ecosystem, a combination of rapid response, transparency, and a security-first mindset can turn such incidents into opportunities for stronger defenses and more resilient digital ecosystems by eliminating vulnerabilities as quickly as possible.
Read more »
VPN
Agent AI AI Anthropic Anthropic Report Artificial Intelligence Cryptocurrency Crime Cybersecurity Threats FBI IT North Korea Cybercrime Ransomware Technology Vibe Hacking VPN

Misuse of AI Agents Sparks Alarm Over Vibe Hacking


 

Once considered a means of safeguarding digital battlefields, artificial intelligence has now become a double-edged sword —a tool that can not only arm defenders but also the adversaries it was supposed to deter, giving them both a tactical advantage in the digital fight. According to Anthropic's latest Threat Intelligence Report for August 2025, shown below, this evolving reality has been painted in a starkly harsh light. 

It illustrates how cybercriminals are developing AI as a product of choice, no longer using it to support their attacks, but instead executing them as a central instrument of attack orchestration. As a matter of fact, according to the report, malicious actors are now using advanced artificial intelligence in order to automate phishing campaigns on a large scale, circumvent traditional security measures, and obtain sensitive information very efficiently, with very little human oversight needed. As a result of AI's precision and scalability, the threat landscape is escalating in troubling ways. 

By leveraging AI's accuracy and scalability, modern cyberattacks are being accelerated, reaching, and sophistication. A disturbing evolution of cybercrime is being documented by Anthropologic, as it turns out that artificial intelligence is no longer just used to assist with small tasks such as composing phishing emails or generating malicious code fragments, but is also serving as a force multiplier for lone actors, giving them the capacity to carry out operations at scale and with precision that was once reserved for organized criminal syndicates to accomplish. 

Investigators have been able to track down a sweeping extortion campaign back to a single perpetrator in one particular instance. This perpetrator used Claude Code's execution environment as a means of automating key stages of intrusion, such as reconnaissance, credential theft, and network penetration, to carry out the operation. The individual compromised at least 17 organisations, ranging from government agencies to hospitals to financial institutions, and he has made ransom demands that have sometimes exceeded half a million dollars in some instances. 

It was recently revealed that researchers have conceived of a technique called “vibe hacking” in which coding agents can be used not just as tools but as active participants in attacks, marking a profound shift in both cybercriminal activity’s speed and reach. It is believed by many researchers that the concept of “vibe hacking” has emerged as a major evolution in cyberattacks, as instead of exploiting conventional network vulnerabilities, it focuses on the logic and decision-making processes of artificial intelligence systems. 

In the year 2025, Andrej Karpathy started a research initiative called “vibe coding” - an experiment in artificial intelligence-generated problem-solving. Since then, the concept has been co-opted by cybercriminals to manipulate advanced language models and chatbots for unauthorised access, disruption of operations, or the generation of malicious outputs, originating from a research initiative. 

By using AI, as opposed to traditional hacking, in which technical defences are breached, this method exploits the trust and reasoning capabilities of machine learning itself, making detection especially challenging. Furthermore, the tactic is reshaping social engineering as well: attackers can create convincing phishing emails, mimic human speech, build fraudulent websites, create clones of voices, and automate whole scam campaigns at an unprecedented level using large language models that simulate human conversations with uncanny realism. 

With tools such as artificial intelligence-driven vulnerability scanners and deepfake platforms, the threat is amplified even further, creating a new frontier of automated deception, according to experts. In one notable variant of scamming, known as “vibe scamming,” adversaries can launch large-scale fraud operations in which they generate fake portals, manage stolen credentials, and coordinate follow-up communications all from a single dashboard, which is known as "vibe scamming." 

Vibe hacking is one of the most challenging cybersecurity tasks people face right now because it is a combination of automation, realism, and speed. The attackers are not relying on conventional ransomware tactics anymore; they are instead using artificial intelligence systems like Claude to carry out all aspects of an intrusion, from reconnaissance and credential harvesting to network penetration and data extraction.

A significant difference from earlier AI-assisted attacks was that Claude demonstrated "on-keyboard" capability as well, performing tasks such as scanning VPN endpoints, generating custom malware, and analysing stolen datasets to prioritise the victims with the highest payout potential. As soon as the system was installed, it created tailored ransom notes in HTML, containing the specific financial requirements, workforce statistics, and regulatory threats of each organisation, all based on the data that had been collected. 

The amount of payments requested ranged from $75,000 to $500,000 in Bitcoin, which illustrates that with the assistance of artificial intelligence, one individual could control the entire cybercrime network. Additionally, the report emphasises how artificial intelligence and cryptocurrency have increasingly become intertwined. For example, ransom notes include wallet addresses in ransom notes, and dark web forums are exclusively selling AI-generated malware kits in cryptocurrency. 

An investigation by the FBI has revealed that North Korea is increasingly using artificial intelligence (AI) to evade sanctions, which is used to secure fraudulent positions at Western tech companies by state-backed IT operatives who use it for the fabrication of summaries, passing interviews, debugging software, and managing day-to-day tasks. 

According to officials in the United States, these operations channel hundreds of millions of dollars every year into Pyongyang's technical weapon program, replacing years of training with on-demand artificial intelligence assistance. This reveals a troubling shift: artificial intelligence is not only enabling cybercrime but is also amplifying its speed, scale, and global reach, as evidenced by these revelations. A report published by Anthropological documents how Claude Code has been used not just for breaching systems, but for monetising stolen information at large scales as well. 

As a result of using the software, thousands of records containing sensitive identifiers, financial information, and even medical information were sifted through, and then customised ransom notes and multilayered extortion strategies were generated based on the victim's characteristics. As the company pointed out, so-called "agent AI" tools now provide attackers with both technical expertise and hands-on operational support, which effectively eliminates the need to coordinate teams of human operators, which is an important factor in preventing cyberattackers from taking advantage of these tools. 

Researchers warn that these systems can be dynamically adapted to defensive countermeasures, such as malware detection, in real time, thus making traditional enforcement efforts increasingly difficult. There are a number of cases to illustrate the breadth of abuse that occurs in the workplace, and there is a classifier developed by Anthropic to identify the behaviour. However, a series of case studies indicates this behaviour occurs in a multitude of ways. 

In the North Korean case, Claude was used to fabricate summaries and support fraudulent IT worker schemes. In the U.K., a criminal known as GTG-5004 was selling ransomware variants based on artificial intelligence on darknet forums; Chinese actors utilised artificial intelligence to compromise Vietnamese critical infrastructure; and Russian and Spanish-speaking groups were using the software to create malicious software and steal credit card information. 

In order to facilitate sophisticated fraud campaigns, even low-skilled actors have begun integrating AI into Telegram bots around romance scams as well as false identity services, significantly expanding the number of fraud campaigns available. A new report by Anthropic researchers Alex Moix, Ken Lebedev, and Jacob Klein argues that artificial intelligence, based on the results of their research, is continually lowering the barriers to entry for cybercriminals, enabling fraudsters to create profiles of victims, automate identity theft, and orchestrate operations at a speed and scale that is unimaginable with traditional methods. 

It is a disturbing truth that is highlighted in Anthropic’s report: although artificial intelligence was once hailed as a shield for defenders, it is now increasingly being used as a weapon, putting digital security at risk. Nevertheless, people must not retreat from AI adoption, but instead develop defensive strategies in parallel that are geared toward keeping up with AI adoption. Proactive guardrails must be set up in order to prevent artificial intelligence from being misused, including stricter oversight and transparency by developers, as well as continuous monitoring and real-time detection systems to recognise abnormal AI behaviour before it escalates into a serious problem. 

A company's resilience should go beyond its technical defences, and that means investing in employee training, incident response readiness, and partnerships that enable data sharing across sectors. In addition to this, governments are also under mounting pressure to update their regulatory frameworks in order to keep pace with the evolution of threat actors in terms of policy.

By harnessing artificial intelligence responsibly, people can still make it a powerful ally—automating defensive operations, detecting anomalies, and even predicting threats before they are even visible. In order to ensure that it continues in a manner that favours protection over exploitation, protecting not just individual enterprises, but the overall trust people have in the future of the digital world. 

A significant difference from earlier AI-assisted attacks was that Claude demonstrated "on-keyboard" capability as well, performing tasks such as scanning VPN endpoints, generating custom malware, and analysing stolen datasets in order to prioritise the victims with the highest payout potential. As soon as the system was installed, it created tailored ransom notes in HTML, containing the specific financial requirements, workforce statistics, and regulatory threats of each organisation, all based on the data that had been collected. 

The amount of payments requested ranged from $75,000 to $500,000 in Bitcoin, which illustrates that with the assistance of artificial intelligence, one individual could control the entire cybercrime network. Additionally, the report emphasises how artificial intelligence and cryptocurrency have increasingly become intertwined. 

For example, ransom notes include wallet addresses in ransom notes, and dark web forums are exclusively selling AI-generated malware kits in cryptocurrency. An investigation by the FBI has revealed that North Korea is increasingly using artificial intelligence (AI) to evade sanctions, which is used to secure fraudulent positions at Western tech companies by state-backed IT operatives who use it for the fabrication of summaries, passing interviews, debugging software, and managing day-to-day tasks. 

According to U.S. officials, these operations funnel hundreds of millions of dollars a year into Pyongyang's technical weapons development program, replacing years of training with on-demand AI assistance. All in all, these revelations indicate an alarming trend: artificial intelligence is not simply enabling cybercrime, but amplifying its scale, speed, and global reach. 

According to the report by Anthropic, Claude Code has been weaponised not only to breach systems, but also to monetise stolen data. This particular tool has been used in several instances to sort through thousands of documents containing sensitive information, including identifying information, financial details, and even medical records, before generating customised ransom notes and layering extortion strategies based on each victim's profile. 

The company explained that so-called “agent AI” tools are now providing attackers with both technical expertise and hands-on operational support, effectively eliminating the need for coordinated teams of human operators to perform the same functions. Despite the warnings of researchers, these systems are capable of dynamically adapting to defensive countermeasures like malware detection in real time, making traditional enforcement efforts increasingly difficult, they warned. 

Using a classifier built by Anthropic to identify this type of behaviour, the company has shared technical indicators with trusted partners in an attempt to combat the threat. The breadth of abuse is still evident through a series of case studies: North Korean operatives use Claude to create false summaries and maintain fraud schemes involving IT workers; a UK-based criminal with the name GTG-5004 is selling AI-based ransomware variants on darknet forums. 

Some Chinese actors use artificial intelligence to penetrate Vietnamese critical infrastructure, while Russians and Spanish-speaking groups use Claude to create malware and commit credit card fraud. The use of artificial intelligence in Telegram bots marketed for romance scams or synthetic identity services has even reached the level of low-skilled actors, allowing sophisticated fraud campaigns to become more accessible to the masses. 

A new report by Anthropic researchers Alex Moix, Ken Lebedev, and Jacob Klein argues that artificial intelligence, based on the results of their research, is continually lowering the barriers to entry for cybercriminals, enabling fraudsters to create profiles of victims, automate identity theft, and orchestrate operations at a speed and scale that is unimaginable with traditional methods. In the report published by Anthropic, it appears to be revealed that artificial intelligence is increasingly being used as a weapon to challenge the foundations of digital security, despite being once seen as a shield for defenders. 

There is a solution to this, but it is not in retreating from AI adoption, but by accelerating the parallel development of defensive strategies that are at the same pace as AI adoption. According to experts, proactive guardrails are necessary to ensure that AI deployments are monitored, developers are held more accountable, and there is continuous monitoring and real-time detection systems available that can be used to identify abnormal AI behaviour before it becomes a serious problemOrganisationss must not only focus on technical defences; they must also invest in employee training, incident response readiness, and partnerships that facilitate intelligence sharing between sectors as well.

Governments are also under increasing pressure to update regulatory frameworks to keep pace with the evolving threat actors, in order to ensure that policy is updated at the same pace as they evolve. By harnessing artificial intelligence responsibly, people can still make it a powerful ally—automating defensive operations, detecting anomalies, and even predicting threats before they are even visible. In order to ensure that it continues in a manner that favours protection over exploitation, protecting not just individual enterprises, but the overall trust people have in the future of the digital world.
Read more »
Ransomwares
acronis AI cyberattacks AI technology Cyber Defenses Cyber Security Cybersecurity Threats Indian Cyber Security Malwares Phishing Attacks Ransomwares

India Most Targeted by Malware as AI Drives Surge in Ransomware and Phishing Attacks

 

India has become the world’s most-targeted nation for malware, according to the latest report by cybersecurity firm Acronis, which highlights how artificial intelligence is fueling a sharp increase in ransomware and phishing activity. The findings come from the company’s biannual threat landscape analysis, compiled by the Acronis Threat Research Unit (TRU) and its global network of sensors tracking over one million Windows endpoints between January and June 2025. 

The report indicates that India accounted for 12.4 percent of all monitored attacks, placing it ahead of every other nation. Analysts attribute this trend to the rising sophistication of AI-powered cyberattacks, particularly phishing campaigns and impersonation attempts that are increasingly difficult to detect. With Windows systems still dominating business environments compared to macOS or Linux, the operating system remained the primary target for threat actors. 

Ransomware continues to be the most damaging threat to medium and large businesses worldwide, with newer criminal groups adopting AI to automate attacks and enhance efficiency. Phishing was found to be a leading driver of compromise, making up 25 percent of all detected threats and over 52 percent of those aimed at managed service providers, marking a 22 percent increase compared to the first half of 2024. 

Commenting on the findings, Rajesh Chhabra, General Manager for India and South Asia at Acronis, noted that India’s rapidly expanding digital economy has widened its attack surface significantly. He emphasized that as attackers leverage AI to scale operations, Indian enterprises—especially those in manufacturing and infrastructure—must prioritize AI-ready cybersecurity frameworks. He further explained that organizations need to move away from reactive security approaches and embrace behavior-driven models that can anticipate and adapt to evolving threats. 

The report also points to collaboration platforms as a growing entry point for attackers. Phishing attempts on services like Microsoft Teams and Slack spiked dramatically, rising from nine percent to 30.5 percent in the first half of 2025. Similarly, advanced email-based threats such as spoofed messages and payload-less attacks increased from nine percent to 24.5 percent, underscoring the urgent requirement for adaptive defenses. 

Acronis recommends that businesses adopt a multi-layered protection strategy to counter these risks. This includes deploying behavior-based threat detection systems, conducting regular audits of third-party applications, enhancing cloud and email security solutions, and reinforcing employee awareness through continuous training on social engineering and phishing tactics. 

The findings make clear that India’s digital growth is running parallel to escalating cyber risks. As artificial intelligence accelerates the capabilities of malicious actors, enterprises will need to proactively invest in advanced defenses to safeguard critical systems and sensitive data.
Read more »
Ransomwares
Akira Ransomware Business Security Cyber Attacks Cyber Vulnerabilities Cybersecurity Threats Public Wifi ransomware attacks Ransomwares

SonicWall VPN Zero-Day Vulnerability Suspected Amid Rising Ransomware Attacks

 

Virtual Private Networks (VPNs) have recently been in the spotlight due to the U.K.’s Online Safety Act, which requires age verification for adult content websites. While many consumers know VPNs as tools for bypassing geo-restrictions or securing public Wi-Fi connections, enterprise-grade VPN appliances play a critical role in business security. 

When researchers issue warnings about possible VPN exploitation, the risk cannot be dismissed. SonicWall has addressed growing concerns after reports surfaced of ransomware groups targeting its devices. According to the company, an investigation revealed that the activity is linked to CVE-2024-40766, a previously disclosed vulnerability documented in their advisory SNWLID-2024-0015, rather than an entirely new zero-day flaw. Fewer than 40 confirmed cases were reported, mostly tied to legacy credentials from firewall migrations. 

Updated guidance includes credential changes and upgrading to SonicOS 7.3.0 with enhanced multi-factor authentication (MFA) protections. Despite these reassurances, Arctic Wolf Labs researcher Julian Tuin observed a noticeable increase in ransomware activity against SonicWall firewall devices in late July. 

Several incidents involved VPN access through SonicWall SSL VPNs. While some intrusions could be explained by brute force or credential stuffing, evidence suggests the possibility of a zero-day vulnerability, as some compromised devices had the latest patches and rotated credentials. 

In several cases, even with TOTP MFA enabled, accounts were breached. SonicWall confirmed it is working closely with threat research teams, including Arctic Wolf, Google Mandiant, and Huntress, to determine whether the incidents are tied to known flaws or a new vulnerability. If a zero-day is confirmed, updated firmware and mitigation steps will be released promptly. 

The urgency is amplified by the involvement of the Akira ransomware group, which has compromised over 300 organizations globally. SonicWall also recently warned of CVE-2025-40599, a serious remote code execution vulnerability in SMA 100 appliances. Experts advise organizations to take immediate precautionary steps, especially given the potential for severe operational disruption. 

Recommended mitigations include disabling SSL VPN services where possible, restricting VPN access to trusted IP addresses, enabling all security services such as botnet protection and geo-IP filtering, removing inactive accounts, enforcing strong password policies, and implementing MFA for all remote access. 

However, MFA alone may not be sufficient in the current threat scenario. The combination of suspected zero-day activity, ransomware escalation, and the targeting of critical remote access infrastructure means that proactive defense measures are essential. 

SonicWall and security researchers continue to monitor the situation closely, urging organizations to act quickly to protect their networks before attackers exploit potential vulnerabilities further.
Read more »
phishing risks
AI Artificial Intelligence Cybersecurity Threats Data Breach gambling accounts online betting platforms phishing risks

AI-Driven Phishing Threats Loom After Massive Data Breach at Major Betting Platforms

 

A significant data breach impacting as many as 800,000 users from two leading online betting platforms has heightened fears over sophisticated phishing risks and the growing role of artificial intelligence in exploiting compromised personal data.

The breach, confirmed by Flutter Entertainment, the parent company behind Paddy Power and Betfair, exposed users’ IP addresses, email addresses, and activity linked to their gambling profiles.

While no payment or password information was leaked, cybersecurity experts warn that the stolen details could still enable highly targeted attacks. Flutter, which also owns brands like Sky Bet and Tombola, referred to the event as a “data incident” that has been contained. The company informed affected customers that there is, “nothing you need to do in response to this incident,” but still advised them to stay alert.

With an average of 4.2 million monthly users across the UK and Ireland, even partial exposure poses a serious risk.

Harley Morlet, chief marketing officer at Storm Guidance, emphasized: “With the advent of AI, I think it would actually be very easy to build out a large-scale automated attack. Basically, focusing on crafting messages that look appealing to those gamblers.”

Similarly, Tim Rawlins, director and senior adviser at the NCC Group, urged users to remain cautious: “You might re-enter your credit card number, you might re-enter your bank account details, those are the sort of things people need to be on the lookout for and be conscious of that sort of threat. If it's too good to be true, it probably is a fraudster who's coming after your money.”

Rawlins also noted that AI technology is making phishing emails increasingly convincing, particularly in spear-phishing campaigns where stolen data is leveraged to mimic genuine communications.

Experts caution that relying solely on free antivirus tools or standard Android antivirus apps offers limited protection. While these can block known malware, they are less effective against deceptive emails that trick users into voluntarily revealing sensitive information.

A stronger defense involves practicing layered security—maintaining skepticism, exercising caution, and following strict cyber hygiene habits to minimize exposure
Read more »
Veeam vulnerability
Cybersecurity Threats Fog Ransomware GC2 backdoor malware SonicWall VPN exploit Syteca software unusual ransomware tools Veeam vulnerability

Fog Ransomware Attackers Use Unusual Mix of Legitimate Software and Open-Source Hacking Tools

 

The Fog ransomware group is leveraging a distinctive and rarely seen combination of tools, including legitimate employee monitoring software Syteca and open-source penetration testing utilities, to carry out targeted attacks.

This threat group first emerged in May last year, breaching networks by using compromised VPN credentials. Once inside, they executed “pass-the-hash” attacks to escalate privileges, disabled Windows Defender, and encrypted systems — including virtual machine files. Subsequently, they exploited known vulnerabilities in Veeam Backup & Replication (VBR) and SonicWall SSL VPN endpoints to expand their reach.

Discovery of a New Toolset

Researchers from Symantec and Carbon Black’s Threat Hunter team recently uncovered an unconventional collection of tools during an incident response investigation involving a financial institution in Asia. Although the exact method of initial access remains undetermined, the attackers used several utilities rarely observed in ransomware operations.

One notable inclusion is Syteca (formerly Ekran), a legitimate tool designed to monitor employee activity through screen recording and keystroke logging. Attackers could have used this to stealthily collect sensitive data such as login credentials.

Syteca was delivered covertly using Stowaway, an open-source proxy for stealth communication and file movement, and was executed through SMBExec, a lateral movement tool from the Impacket framework.

Another rare component used was GC2, an open-source backdoor that communicates via Google Sheets or Microsoft SharePoint, providing both command-and-control (C2) and data exfiltration capabilities. While GC2 has previously been linked to the Chinese state-sponsored APT41 group, it’s seldom found in ransomware operations.

In addition to these, Symantec identified several other tools in Fog’s arsenal:

  • Adapt2x C2 – an open-source alternative to Cobalt Strike
  • Process Watchdog – utility for maintaining system process stability
  • PsExec – Microsoft’s tool for executing processes remotely
  • Impacket SMB – Python library for direct SMB access, likely used to deploy ransomware

To facilitate data exfiltration, Fog attackers also employed 7-Zip, MegaSync, and FreeFileSync.

“The toolset deployed by the attackers is quite atypical for a ransomware attack,” comments Symantec in the report.

“The Syteca client and GC2 tool are not tools we have seen deployed in ransomware attacks before, while the Stowaway proxy tool and Adap2x C2 Agent Beacon are also unusual tools to see being used in a ransomware attack,” the researchers say.

The report underscores how the Fog ransomware group’s choice of obscure and legitimate software can help evade traditional detection mechanisms. Symantec’s analysis includes indicators of compromise (IOCs) to help organizations defend against such sophisticated threats.
Read more »
Ransomwares
agentic AI AI Agent AI technology AI threats AI tools Cyber Security Cybersecurity Threats IABs Malicious Code Ransomwares

Agentic AI and Ransomware: How Autonomous Agents Are Reshaping Cybersecurity Threats

 

A new generation of artificial intelligence—known as agentic AI—is emerging, and it promises to fundamentally change how technology is used. Unlike generative AI, which mainly responds to prompts, agentic AI operates independently, solving complex problems and making decisions without direct human input. While this leap in autonomy brings major benefits for businesses, it also introduces serious risks, especially in the realm of cybersecurity. Security experts warn that agentic AI could significantly enhance the capabilities of ransomware groups. 

These autonomous agents can analyze, plan, and execute tasks on their own, making them ideal tools for attackers seeking to automate and scale their operations. As agentic AI evolves, it is poised to alter the cyber threat landscape, potentially enabling more efficient and harder-to-detect ransomware attacks. In contrast to the early concerns raised in 2022 with the launch of tools like ChatGPT, which mainly helped attackers draft phishing emails or debug malicious code, agentic AI can operate in real time and adapt to complex environments. This allows cybercriminals to offload traditionally manual processes like lateral movement, system enumeration, and target prioritization. 

Currently, ransomware operators often rely on Initial Access Brokers (IABs) to breach networks, then spend time manually navigating internal systems to deploy malware. This process is labor-intensive and prone to error, often leading to incomplete or failed attacks. Agentic AI, however, removes many of these limitations. It can independently identify valuable targets, choose the most effective attack vectors, and adjust to obstacles—all without human direction. These agents may also dramatically reduce the time required to carry out a successful ransomware campaign, compressing what once took weeks into mere minutes. 

In practice, agentic AI can discover weak points in a network, bypass defenses, deploy malware, and erase evidence of the intrusion—all in a single automated workflow. However, just as agentic AI poses a new challenge for cybersecurity, it also offers potential defensive benefits. Security teams could deploy autonomous AI agents to monitor networks, detect anomalies, or even create decoy systems that mislead attackers. 

While agentic AI is not yet widely deployed by threat actors, its rapid development signals an urgent need for organizations to prepare. To stay ahead, companies should begin exploring how agentic AI can be integrated into their defense strategies. Being proactive now could mean the difference between falling behind or successfully countering the next wave of ransomware threats.
Read more »
ransomware attacks
Cybersecurity Threats Document converter malware Fake file converters malware Online Scams ransomware attacks

FBI Warns Against Fake Online Document Converters Spreading Malware

 

iThe FBI Denver field office has issued a warning about cybercriminals using fake online document converters to steal sensitive data and deploy ransomware on victims' devices. Reports of these scams have been increasing, prompting authorities to urge users to be cautious and report incidents.

"The FBI Denver Field Office is warning that agents are increasingly seeing a scam involving free online document converter tools, and we want to encourage victims to report instances of this scam," the agency stated.

Cybercriminals create fraudulent websites that offer free document conversion, file merging, or media download services. While these sites may function as expected, they secretly inject malware into downloaded files, enabling hackers to gain remote access to infected devices.

"To conduct this scheme, cybercriminals across the globe are using any type of free document converter or downloader tool," the FBI added.

These sites may claim to:
  • Convert .DOC to .PDF or other file formats.
  • Merge multiple .JPG files into a single .PDF.
  • Offer MP3 or MP4 downloads.
Once users upload their files, hackers can extract sensitive information, including:
  • Names and Social Security Numbers
  • Cryptocurrency wallet addresses and passphrases
  • Banking credentials and passwords
  • Email addresses
Scammers also use phishing tactics, such as mimicking legitimate URLs by making slight alterations (e.g., changing one letter or replacing "CO" with "INC") to appear trustworthy.

“Users who in the past would type ‘free online file converter’ into a search engine are vulnerable, as the algorithms used for results now often include paid results, which might be scams,” said Vikki Migoya, Public Affairs Officer for FBI Denver.

Cybersecurity experts have confirmed that these fraudulent websites are linked to malware campaigns. Researcher Will Thomas recently identified fake converter sites, such as docu-flex[.]com, distributing malicious executables like Pdfixers.exe and DocuFlex.exe, both flagged as malware.

Additionally, a Google ad campaign in November was found promoting fake converters that installed Gootloader malware, a malware loader known for:

  1. Stealing banking credentials
  2. Installing trojans and infostealers
  3. Deploying Cobalt Strike beacons for ransomware attacks

"Visiting this WordPress site (surprise!), I found a form for uploading a PDF to convert it to a .DOCX file inside a .zip," explained a cybersecurity researcher.

Instead of receiving a legitimate document, users were given a JavaScript file that delivered Gootloader, which is often used in ransomware attacks by groups like REvil and BlackSuit.

In order to stay safe,
  • Avoid unknown document conversion sites. Stick to well-known, reputable services.
  • Verify file types before opening. If a downloaded file is an .exe or .JS instead of the expected document format, it is likely malware.
  • Check reviews before using any online converter. If a site has no reviews or looks suspicious, steer clear
  • Report suspicious sites to authorities. Victi
  • ms can file reports at IC3.gov.
  • While not all file converters are malicious, thorough research and caution are crucial to staying safe online.
Read more »
Subscribe to: Posts (Atom)