
Global Cybercrime Crackdown Dismantles Major Phishing-as-a-Service Platform ‘LabHost’

 

In a major international crackdown, a law enforcement operation spearheaded by the London Metropolitan Police and coordinated by Europol has successfully taken down LabHost, one of the most notorious phishing-as-a-service (PhaaS) platforms used by cybercriminals worldwide.

Between April 14 and April 17, 2024, authorities carried out synchronized raids across 70 different sites globally, resulting in the arrest of 37 individuals. Among those arrested were four suspects in the UK believed to be the platform’s original creators and administrators. Following the arrests, LabHost’s digital infrastructure was completely dismantled.

LabHost had gained infamy for its ease of use and wide accessibility, making it a go-to cybercrime tool. The service offered more than 170 fake website templates imitating trusted brands from the banking, telecom, and logistics sectors—allowing users to craft convincing phishing campaigns with minimal effort.

According to authorities, LabHost supported over 40,000 phishing domains and catered to approximately 10,000 users across the globe. The coordinated enforcement effort was supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), with 19 countries actively participating in the investigation.

LabHost showcased how cybercrime has become industrialized through subscription-based platforms. For a monthly fee of around $249, subscribers could access phishing kits, fraudulent websites, hosting services, and even tools to interact with victims in real-time.

One of its most dangerous features was LabRat, an integrated dashboard that let users monitor ongoing phishing attacks as they happened. It also let criminals capture a victim's login credentials and two-factor authentication code and use them while the code was still valid, defeating SMS- and app-based one-time codes. It does not defeat phishing-resistant methods such as FIDO2 security keys, whose credentials are bound to the genuine site rather than to whatever page the victim is looking at.

Its user-friendly interface eliminated the need for technical skills—opening the door for anyone with malicious intent and a credit card to launch sophisticated phishing schemes. The platform's popularity contributed to a spike in identity theft, financial fraud, and widespread data breaches.

Authorities hailed the takedown as a milestone in the fight against cybercrime. However, they also cautioned that the commoditization of cybercrime remains a serious concern.

"This is a critical blow to phishing infrastructure," cybersecurity experts said, "but the ease of recreating similar platforms continues to pose a major threat."

Following the seizure of LabHost’s backend systems, law enforcement agencies have begun analyzing the data to identify the perpetrators and their victims. This will mark the beginning of a new wave of investigations and preventative measures.

The operation involved agencies from 19 countries, including the FBI and Secret Service from the United States, as well as cybercrime units in Canada, Germany, the Netherlands, Poland, Spain, Australia, and the UK. This unprecedented level of international cooperation highlights the cross-border nature of cyber threats and the importance of unified global action.

As authorities prepare for a fresh wave of prosecutions, the LabHost takedown stands as a defining moment in cyber law enforcement—both in its impact and its symbolism.

NullBulge Admits to Stealing Internal Slack Data from Disney

 


Earlier this week, Ryan Mitchell Kramer, 25, of Santa Clarita, pleaded guilty in federal court in Los Angeles to hacking the personal computer of an employee of The Walt Disney Company in 2024. Kramer obtained credentials that let him log into the employee's Slack account and download confidential data.

Kramer faces two charges: accessing a computer and obtaining information, and threatening to damage a computer. Each carries a maximum sentence of five years. In July 2024, a group calling itself NullBulge claimed on a hacker forum that it had stolen 1.1 TB of data from Disney's internal Slack channels. Disney opened an investigation; the data was suspected to include unreleased projects, source code and login credentials.

When the Disney employee stopped responding to Kramer, the extortion attempt collapsed, and on July 12, 2024, Kramer posted the 1.1 TB of data collected from Disney's Slack channels together with the employee's personal, medical and banking information. The Wall Street Journal is believed to have been first to report the breach.

According to that report, the cache contained revenue figures for products such as Disney+ and ESPN+, as well as credentials for logging into cloud infrastructure. In August 2024 Disney acknowledged the hack but said the incident had not materially affected its operations.

To get onto the employee's computer, Kramer uploaded software to platforms such as GitHub that purported to generate AI art. In July 2024, the cybersecurity company SentinelOne reported that NullBulge had seeded several platforms, including Hugging Face, Reddit and GitHub, with backdoored software; NullBulge was in fact Kramer.

Kramer also exfiltrated data to a Discord channel. Not long after obtaining the 1.1 TB of internal data, he tried to cash in by claiming to belong to NullBulge, a self-described Russian hacktivist group, and told the victim that all of the information would be released unless a ransom was paid. Officials said Kramer only claimed affiliation with NullBulge and does not appear to have been a member of any such group.

Kramer then doxed the victim, publishing bank, medical and other personal details across multiple platforms. His malicious GitHub project appears to have been downloaded by at least two other people, whose computers were also remotely compromised. No statement has been released on how much of those victims' data was harvested; the FBI, which first received the report, is still investigating. The guilty plea capped a busy week for federal law enforcement.

The same morning, officials announced an $8.4 million cybersecurity-related penalty against Raytheon and a rare extradition win in a case against an alleged Ukrainian malware operator. According to the Wall Street Journal, one of the people who downloaded the program was Disney employee Matthew Van Andel, who ran it on his computer. Kramer gained access to the device and to the passwords stored in Van Andel's 1Password password manager.

With Van Andel's stolen credentials, Kramer accessed Disney's Slack channels and downloaded 1.1 TB of corporate data. The plea agreement seen by BleepingComputer states: "The defendant gained access to private Disney Slack channels by gaining access to M.V's Slack account, and in or around May 2024, the defendant downloaded approximately 1.1 terabytes of confidential data from thousands of Disney Slack channels." Kramer then contacted Van Andel in the name of a Russian hacktivist group called "NullBulge", warning that his personal information and the stolen Slack data would be published if he did not cooperate.

NullBulge described itself as a Russian hacktivist organisation protecting artists' rights, ensuring fair compensation for their work and promoting ethical practices. Researchers at SentinelOne analysed the group's activity and concluded that its actions contradicted those claims. Kramer distributed malicious software disguised as an AI art-generation tool, which he used to access his victims' devices.

Once the Disney employee ran Kramer's fake AI tool, Kramer had access to the device, and through it to confidential Disney data. When the employee did not respond to the extortion attempt, Kramer leaked the employee's personal information along with the stolen Disney files. Disney has since stopped using Slack for internal communications and fired the employee who downloaded the tool; the employee has filed a wrongful-termination lawsuit against Disney.

In his plea agreement Kramer also admitted that at least two other victims downloaded the malicious file, giving him unauthorised access to their computers and accounts. Those two victims have not been identified, and the FBI is continuing its investigation.

The Kramer case shows how social engineering and malware delivery have grown more sophisticated, and how the risk from trojanised software masquerading as legitimate AI applications is growing. The guilty plea is a reminder that trusted internal platforms such as Slack are only as safe as the endpoints and credentials used to reach them, and a cautionary tale for businesses and individuals to vet third-party software before running it.

With the federal investigation ongoing and the broader consequences of the breach still being assessed, the incident reinforces the importance of proactive security measures, robust employee training and rapid internal response. To stay safe, organisations need to re-evaluate their security protocols and remain vigilant against emerging threats that exploit trust and technology.
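The post ends by urging readers to vet third-party software before running it. The following is an added example of what a minimal pre-install triage looks like; it is not code from the post, from Disney, or from any investigation, and the indicator list, the sample "AI art" tool it builds and the inert payload inside it are all constructed for illustration. It walks a directory of Python files, flags source that executes a decoded hidden payload, references a chat-platform webhook or touches a credential store, and decodes long base64 blobs so the same checks run one layer down, which is where this kind of tool tends to hide the interesting strings.

```python
"""Pre-install triage of a downloaded third-party tool (added example).

Walks a directory of Python source files and flags behaviour that an "AI art"
tool has no business exhibiting: executing a decoded hidden payload, posting
to a chat-platform webhook, or touching password-manager / cloud credential
stores. Base64 blobs are decoded and rescanned, because the interesting
strings are usually one layer down. Indicator names and paths are assumptions
for illustration, not a published detection ruleset.
"""
import base64
import re
import tempfile
from pathlib import Path

# Source-level indicators. A hit is a lead for a human, not a verdict.
INDICATORS = {
    "exec_of_decoded_payload": re.compile(
        r"\bexec\s*\(\s*(?:base64\.b64decode|bytes\.fromhex|zlib\.decompress)\b"),
    "discord_webhook": re.compile(r"discord(?:app)?\.com/api/webhooks/"),
    "credential_store_path": re.compile(
        r"(?:1Password|Login Data|\.aws/credentials|\.ssh/id_)", re.I),
}
# Long base64 runs: worth decoding and rescanning.
BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")


def scan_text(text, layer="source"):
    """Return indicator names found in text, prefixed by the layer they were found in."""
    hits = [f"{layer}:{name}" for name, rx in INDICATORS.items() if rx.search(text)]
    blobs = BLOB.findall(text)
    if blobs:
        hits.append(f"{layer}:long_base64_blob")
    for blob in blobs:
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:          # binascii.Error is a ValueError
            continue
        hits.extend(scan_text(decoded, layer="decoded"))   # rescan the decoded layer
    return hits


def scan_tree(root):
    """Map each .py file under root that produced hits to its sorted, de-duplicated hits."""
    results = {}
    for path in sorted(Path(root).rglob("*.py")):
        hits = scan_text(path.read_text(encoding="utf-8", errors="ignore"))
        if hits:
            results[path.name] = sorted(set(hits))
    return results


# Constructed sample "tool": one benign module and one backdoored plugin.
# The payload is an inert print with a comment, not working exfiltration code.
PAYLOAD = ("print('warming up model')  # constructed stub: a real payload would read "
           "~/.aws/credentials and POST it to https://discord.com/api/webhooks/0/x")


def build_sample_tree():
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "model.py").write_text(
        "def generate_art(prompt):\n    return f'art for {prompt}'\n")
    blob = base64.b64encode(PAYLOAD.encode()).decode()
    (root / "plugin.py").write_text(
        "import base64\nfrom model import generate_art\n"
        f"exec(base64.b64decode('{blob}'))  # labelled 'telemetry' by the author\n")
    return root


def triage_sample():
    """Build the sample tree and scan it."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for name, hits in triage_sample().items():
        print(name, "->", ", ".join(hits))
```

Running it reports only plugin.py, with two source-level hits (the exec of a decoded blob, and the blob itself) and two hits that only appear after decoding (the webhook URL and the credential path). The benign model.py produces nothing. A scan like this is a first filter, not a sandbox: a tool that passes still deserves to be run in an isolated environment before it goes anywhere near a machine that holds corporate credentials.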

Push-Bombing: The Silent Threat Undermining Multi-Factor Authentication

 


In the ever-evolving landscape of cybersecurity, Multi-Factor Authentication (MFA) has emerged as a robust defense mechanism, adding layers of security beyond traditional passwords. However, a deceptive tactic known as “push-bombing” is undermining this very safeguard, posing significant risks to individuals and organisations alike. 

Understanding Push-Bombing 


Push-bombing, also referred to as MFA fatigue or MFA spamming, is a social engineering attack that targets the human element of security systems. Attackers first obtain a user's password, typically through phishing or a credential leak. They then attempt to log in repeatedly, each attempt triggering a push-notification prompt to the user's device. The relentless stream of notifications aims to confuse or wear down the user until one prompt is approved, at which point the attacker holds a fully authenticated session. 

Real-World Implications 


The consequences of successful push-bombing attacks are far-reaching. Once inside a system, attackers can exfiltrate sensitive data, deploy malware, or move laterally within networks to compromise additional systems. Such breaches not only result in financial losses but also damage an organisation’s reputation and can lead to regulatory penalties. 

Several high-profile organisations have fallen victim to push-bombing attacks. In September 2022, Uber experienced a breach when attackers used stolen credentials to flood an employee with MFA requests. Overwhelmed, the employee eventually approved one, granting the attackers access to internal systems. Similarly, in May 2022, Cisco faced a breach where attackers combined MFA fatigue with voice phishing to compromise an employee’s account. These incidents underscore the effectiveness of push-bombing tactics and the need for heightened vigilance.  


Mitigation Strategies 


To combat push-bombing, a multifaceted approach is essential: 

• User Education: Informing users about the nature of push-bombing attacks is crucial. Training should emphasise the importance of scrutinising authentication prompts and reporting suspicious activity promptly. 

• Phishing-Resistant MFA: Move to authentication methods that do not depend on a user approving a push, such as FIDO2/WebAuthn security keys or passkeys. These bind the credential to the genuine site, so there is no prompt for an attacker to spam. A fingerprint or face unlock on a push app is a convenience on top of the push, not a phishing-resistant factor by itself. 

• Number Matching: Where push MFA remains in use, require the user to type a number shown on the login screen into the authenticator. The attacker driving the login sees that number, but the victim, who is not at that screen, cannot complete the approval by reflex. 

• Adaptive Authentication: Implementing systems that assess contextual factors, such as login location, device type, and time of access, can help identify and block anomalous login attempts. 

• Rate Limiting: Configure the MFA system to cap the number of prompts issued to a user within a given window, and to fall back to another factor or lock the account after repeated denials, so attackers cannot overwhelm users with prompts. 
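As an added example of the detection and rate-limiting points above (this is not code from the post or from any identity provider, and the log format, field names and thresholds are assumptions chosen for illustration), the block below runs a sliding-window check over a constructed push-event log and implements the server-side prompt cap. The signal a SOC actually wants to page on is not the burst of prompts but an approval that arrives at the end of one, because that means the attacker got in.

```python
"""Push-bombing detection and prompt rate limiting (added example).

Two pieces a defender controls:
  * detect_push_bombing: runs over IdP-style push events and raises BURST when
    a user receives PUSH_THRESHOLD or more prompts inside WINDOW, and
    APPROVAL_AFTER_BURST when such a storm ends in an approval (the attacker
    got in; this is the alert worth paging on).
  * PushRateLimiter: the server-side cap from the "Rate Limiting" bullet,
    refusing to issue further prompts once the cap is hit.
Log format and field names are assumptions; real IdPs export richer JSON.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PUSH_THRESHOLD = 5                  # prompts inside WINDOW that count as a burst
WINDOW = timedelta(minutes=10)

# Constructed sample log (not from any real identity provider).
# Fields: <ISO-8601 UTC time> <user> <event> <source ip>
SAMPLE_LOG = """\
2024-09-15T21:00:05Z bob push_sent 198.51.100.4
2024-09-15T21:00:09Z bob push_approved 198.51.100.4
2024-09-15T21:02:11Z alice push_sent 203.0.113.7
2024-09-15T21:02:31Z alice push_denied 203.0.113.7
2024-09-15T21:02:40Z alice push_sent 203.0.113.7
2024-09-15T21:03:01Z alice push_sent 203.0.113.7
2024-09-15T21:03:20Z alice push_denied 203.0.113.7
2024-09-15T21:03:25Z alice push_sent 203.0.113.7
2024-09-15T21:03:50Z alice push_sent 203.0.113.7
2024-09-15T21:04:10Z alice push_sent 203.0.113.7
2024-09-15T21:04:42Z alice push_approved 203.0.113.7
2024-09-15T21:30:00Z carol push_sent 192.0.2.9
2024-09-15T21:30:12Z carol push_approved 192.0.2.9
"""


def parse_line(line):
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def _expire(q, now, window):
    """Drop timestamps older than the window from the left of the deque."""
    while q and now - q[0] > window:
        q.popleft()


def detect_push_bombing(log_text, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return [(alert_type, user, src_ip, time), ...] in log order."""
    recent = defaultdict(deque)     # user -> times of prompts still inside the window
    in_burst = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event, ip = parse_line(raw)
        q = recent[user]
        _expire(q, ts, window)
        if not q:
            in_burst.discard(user)  # storm has aged out without an approval
        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append(("BURST", user, ip, ts))
        elif event == "push_approved":
            if user in in_burst:
                alerts.append(("APPROVAL_AFTER_BURST", user, ip, ts))
            q.clear()               # the login completed; start counting afresh
            in_burst.discard(user)
        # push_denied: the user refused; the prompt still counts toward the burst
    return alerts


class PushRateLimiter:
    """Cap the number of push prompts issued per user inside a window."""

    def __init__(self, max_prompts=3, window=WINDOW):
        self.max_prompts, self.window = max_prompts, window
        self.sent = defaultdict(deque)

    def allow(self, user, now):
        """True if another prompt may be sent now; False means fall back or lock out."""
        q = self.sent[user]
        _expire(q, now, self.window)
        if len(q) >= self.max_prompts:
            return False
        q.append(now)
        return True


def rate_limit_demo():
    """Four prompts a second apart, then one after the window has passed."""
    lim = PushRateLimiter(max_prompts=3)
    t0 = datetime(2024, 9, 15, 21, 0, 0)
    decisions = [lim.allow("alice", t0 + timedelta(seconds=i)) for i in range(4)]
    decisions.append(lim.allow("alice", t0 + timedelta(minutes=11)))
    return decisions


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(*alert)
    print(rate_limit_demo())
```

On the constructed log, bob and carol log in normally and produce nothing; alice's seventh prompt in under three minutes raises BURST, and her approval at 21:04:42 raises APPROVAL_AFTER_BURST. The rate limiter allows three prompts, refuses the fourth, and allows again once the window has passed. Denied prompts deliberately still count toward the burst: a user who keeps pressing "deny" is being attacked and should be told so, not left to outlast the attacker.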

While MFA remains a cornerstone of cybersecurity, awareness of its potential vulnerabilities, like push-bombing, is vital. By adopting advanced authentication methods, educating users, and implementing intelligent security measures, organisations can fortify their defenses against this subtle yet potent threat.

Public Wary of AI-Powered Data Use by National Security Agencies, Study Finds

 

A new report released alongside the Centre for Emerging Technology and Security (CETaS) 2025 event sheds light on growing public unease around automated data processing in national security. Titled UK Public Attitudes to National Security Data Processing: Assessing Human and Machine Intrusion, the research reveals limited public awareness and rising concern over how surveillance technologies—especially AI—are shaping intelligence operations.

The study, conducted by CETaS in partnership with Savanta and Hopkins Van Mil, surveyed 3,554 adults and included insights from a 33-member citizens’ panel. While findings suggest that more people support than oppose data use by national security agencies, especially when it comes to sensitive datasets like medical records, significant concerns persist.

During a panel discussion, investigatory powers commissioner Brian Leveson, who chaired the session, addressed the implications of fast-paced technological change. “We are facing new and growing challenges,” he said. “Rapid technological developments, especially in AI [artificial intelligence], are transforming our public authorities.”

Leveson warned that AI is shifting how intelligence gathering and analysis is performed. “AI could soon underpin the investigatory cycle,” he noted. But the benefits also come with risks. “AI could enable investigations to cover far more individuals than was ever previously possible, which raises concerns about privacy, proportionality and collateral intrusion.”

The report shows a divide in public opinion based on how and by whom data is used. While people largely support the police and national agencies accessing personal data for security operations, that support drops when it comes to regional law enforcement. The public is particularly uncomfortable with personal data being shared with political parties or private companies.

Marion Oswald, co-author and senior visiting fellow at CETaS, emphasized the intrusive nature of data collection—automated or not. “Data collection without consent will always be intrusive, even if the subsequent analysis is automated and no one sees the data,” she said.

She pointed out that predictive data tools, in particular, face strong opposition. “Panel members, in particular, had concerns around accuracy and fairness, and wanted to see safeguards,” Oswald said, highlighting the demand for stronger oversight and regulation of technology in this space.

Despite efforts by national security bodies to enhance public engagement, the study found that a majority of respondents (61%) still feel they understand “slightly” or “not at all” what these agencies actually do. Only 7% claimed a strong understanding.

Rosamund Powell, research associate at CETaS and co-author of the report, said: “Previous studies have suggested that the public’s conceptions of national security are really influenced by some James Bond-style fictions.”

She added that transparency significantly affects public trust. “There’s more support for agencies analysing data in the public sphere like posts on social media compared to private data like messages or medical data.”

Ascension Faces New Security Incident Involving External Vendor

 


Ascension Healthcare, one of the largest non-profit health systems in the United States, has officially disclosed a data breach involving patient information, stemming from a cybersecurity incident at a former business partner. Ascension, already under scrutiny for its data protection practices, now faces another significant security challenge that raises fresh questions about its oversight of vendors.

According to the health system, the incident compromised personally identifiable information (PII), including patients' protected health information (PHI). The attack on the former business partner took place in December 2024 and was not publicly reported until now. It is the second major incident Ascension has faced since May 2024, when a ransomware attack took critical systems offline. 

That May 2024 attack affected approximately six million patients and caused widespread operational disruption, including ambulance diversions in several regions, postponed elective procedures and temporary loss of access to essential healthcare services. The recurrence of such incidents across the healthcare sector has raised concerns about the security posture of third-party vendors and the resulting risks to patient privacy and continuity of care. 

In its statement, Ascension said it is taking additional steps to evaluate and strengthen its cybersecurity infrastructure, including its relationships with external software and partner providers. The hospital chain, which operates 105 hospitals in 16 states and Washington, D.C., said the compromised data was "likely stolen" after being inadvertently disclosed to the third-party vendor, which subsequently suffered a breach through a vulnerability in external software. 

Ascension said it first became aware of a potential security incident on December 5, 2024, and launched an internal investigation to assess its extent. The investigation found that patient data had been unintentionally shared with a former business partner, which then fell victim to a cyberattack. 

The breach was ultimately traced to a vulnerability in third-party software used by the vendor. Analysis completed in January 2025 determined that some of the disclosed information had likely been exfiltrated during the attack. 

Ascension's public notice did not itemise the types of data affected, but the organisation acknowledged that care sites in Alabama, Michigan, Indiana, Tennessee and Texas were affected. Ascension said it continues to work with cybersecurity experts and legal counsel to understand the impact of the breach and to notify affected individuals as necessary. 

The company also said it will take additional steps to improve its data-sharing practices and third-party risk management. Further information released by Ascension indicates that the threat actors behind the December 2024 incident likely accessed and exfiltrated sensitive medical and personal information. 

The compromised information includes demographic data, Social Security numbers, clinical records and visit details such as physician names, patient names, diagnoses, medical record numbers and insurance provider details. Ascension has not provided a nationwide estimate of how many people were affected, but it informed Texas state officials that 114,692 people were affected in Texas alone. 

The health system has not said whether this incident is related to the May 2024 ransomware attack that hit facilities across several states. That attack severely disrupted Ascension's operations: ambulances were diverted, staff fell back to manual documentation in place of electronic records, and non-urgent care was postponed. 

Recovery took several weeks and exposed weaknesses in the organisation's digital infrastructure. Ascension later confirmed that the personal and health data of 5,599,699 individuals was stolen in that attack. 

The ransomware group responsible accessed only seven of the system's roughly 25,000 servers, yet millions of records were compromised. Data breaches continue to plague the healthcare and insurance industries: in a separate incident reported this week, VeriSource Services, a company that manages employee benefits administration, disclosed that a cyberattack in February 2024 affected 4,052,972 individuals. 

These incidents highlight the growing threat facing organisations that handle sensitive personal and medical data. The December 2024 breach was not caused by a compromise of Ascension's own electronic health record systems but by an external attack on a partner. Ascension has not publicly identified the former business partner, nor the particular third-party software vulnerability the attackers exploited.

Ascension has also recently announced two other third-party security incidents. On April 14, 2025, it posted a notice concerning a breach at Scharnhorst Ast Kennard Gryphon (SAKG), a law firm based in Missouri. SAKG detected suspicious activity on August 1, 2024, and an investigation later found unauthorised access between July 17 and August 6, 2024. 

SAKG notified affected individuals affiliated with Ascension on February 14, 2025. The compromised records in that incident included names, phone numbers, dates of birth and death, Social Security numbers, driver's license numbers, racial data and information related to medical treatment. 

Media inquiries about the broader scope of that incident, including whether other SAKG clients were affected and how many individuals were affected in total, have not been answered. Separately, on March 3, 2025, Ascension announced another data security incident involving Access Telecare, a third-party telehealth provider serving Ascension Seton in Texas. 

As with the other breaches, Ascension said the incident did not compromise its internal systems or electronic health records. A report filed on March 8, 2025 with the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) confirmed that Access Telecare had experienced a breach of its email system; an estimated 62,700 individuals may have been affected. 

These successive disclosures make clear that third-party relationships are a growing source of risk across the healthcare ecosystem as cybercriminals target sensitive medical and personal data. In response to the breach at its former business partner, Ascension is offering affected individuals two years of complimentary identity protection services, including credit monitoring, fraud consultation and identity theft restoration. 

Ascension has not released further technical details, but the timing and nature of the incident suggest it may be linked to the Clop ransomware group's widespread data-theft campaign, which in late 2024 exploited a zero-day vulnerability in the Cleo secure file transfer software against multiple organisations. Ascension has not confirmed any connection to Clop, and a spokesperson did not respond to BleepingComputer's request for comment. 

This is not the first major cybersecurity incident Ascension has faced. In May 2024, a ransomware attack attributed to the Black Basta group affected approximately 5.6 million patients and employees. The intrusion began when an employee inadvertently downloaded a malicious file onto a company device, and several hospitals were adversely affected. 

That incident exposed both personal and health-related data, illustrating that the healthcare industry faces risk from internal lapses as well as external threats. The string of breaches involving Ascension shows the need for greater vigilance and accountability in managing third-party relationships. 

Even when internal systems are not compromised, vulnerabilities in partners' networks can still expose sensitive patient information. Healthcare organisations therefore need to prioritise robust vendor risk management, strong data governance and proactive threat detection and response. 

Regulators and industry leaders are increasingly recognising that the standards governing data sharing, third-party oversight and breach disclosure may need revisiting to protect patient privacy in an increasingly interconnected digital health environment.

Data Security Alert as Novel Exfiltration Method Emerges


Global cybersecurity experts are raising concerns over a newly identified exfiltration technique known as Data Splicing Attacks, which poses a significant threat to thousands of businesses worldwide. Even the most advanced Data Loss Prevention (DLP) tools currently in use appear unable to stop it.

An attacker who controls a page or extension in the browser can manipulate sensitive data before it ever leaves the page, splitting it into small fragments and encrypting or encoding each one so that no individual fragment matches the patterns conventional security tools look for. Fragmented this way, the data passes the detection logic of both Endpoint Protection Platforms (EPP) and network-based tools, and is reassembled outside the corporate environment. 

Compounding the problem, attackers are exfiltrating over alternatives to standard web protocols, such as gRPC and WebRTC, and over widely used end-to-end encrypted messaging platforms such as WhatsApp and Telegram. These channels obscure the traffic and evade traditional SSL inspection, making detection and response considerably harder. 
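The following is an added example, not code from the article or from the researchers who described the attack, showing in the simplest possible form why fragmenting data defeats a per-message DLP rule and what a session-aware check has to do differently. The record, the regexes, the fragment size and the session id are all constructed for illustration; the only encoding used is base64, standing in for whatever encryption or encoding a real attack would apply.

```python
"""Why per-message DLP misses spliced data, and a session-aware scan that does not (added example).

A conventional DLP rule inspects each outbound message on its own. If the
sending page base64-encodes a record and emits it as small fragments, no
fragment contains a card number or SSN for the rule to see. Buffering the
fragments per session and normalising (decoding) the buffer before scanning
restores visibility. Patterns, record and session ids are constructed for
illustration; production rules would be broader and tuned.
"""
import base64
import re
from collections import defaultdict

CARD = re.compile(r"\b(?:\d[ -]?){13,16}\b")       # loose PAN shape, confirmed by Luhn
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed record; 4111 1111 1111 1111 is a well-known test card number.
RECORD = "Jane Doe, card 4111 1111 1111 1111, ssn 123-45-6789"


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def sensitive(text):
    """Tokens a per-message DLP rule would flag in this text."""
    hits = [m.group(0) for m in CARD.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group(0)))]
    hits += SSN.findall(text)
    return hits


def splice(record, size=6):
    """The evasion: encode the record and cut it into small fragments."""
    blob = base64.b64encode(record.encode()).decode()
    return [blob[i:i + size] for i in range(0, len(blob), size)]


def per_message_dlp(messages):
    """Naive DLP: each message judged alone. Returns the messages it would block."""
    return [m for m in messages if sensitive(m)]


def normalise(buf):
    """Decode the longest base64 prefix of the buffer; fall back to the raw text."""
    usable = buf[: len(buf) - len(buf) % 4]
    try:
        return base64.b64decode(usable, validate=True).decode("utf-8", "ignore")
    except ValueError:
        return buf


def session_dlp(messages, session="sess-1"):
    """Session-aware DLP: accumulate per session, normalise, rescan after every fragment.
    Returns (index of the fragment at which the first hit appeared, hits) or (None, [])."""
    buffers = defaultdict(str)
    for i, m in enumerate(messages, 1):
        buffers[session] += m
        hits = sensitive(normalise(buffers[session]))
        if hits:
            return i, hits
    return None, []


if __name__ == "__main__":
    frags = splice(RECORD)
    print("plain record flagged:", sensitive(RECORD))
    print("fragments:", len(frags), "blocked by per-message DLP:", len(per_message_dlp(frags)))
    print("session DLP caught it at fragment", *session_dlp(frags))
```

The plain record is flagged immediately, but once it is encoded and cut into twelve six-character fragments the per-message rule blocks none of them. The session-aware version catches the card number at the eighth fragment, as soon as enough of the buffer decodes to contain it. The lesson generalises: what defeats the naive rule is not the encoding, which is trivial, but the loss of context between messages, and the fix is to scan the reassembled, normalised stream rather than each packet or request on its own. Over gRPC, WebRTC or an end-to-end encrypted messenger that stream is not visible to a network box at all, which is why the detection has to live in the browser or on the endpoint.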

An important shift in the threat landscape has taken place with the introduction of Data Splicing Attacks, which require immediate attention from both enterprises and cybersecurity professionals. Data exfiltration, a growing concern within the cybersecurity industry, refers to the act of transferring, stealing, or removing a specific amount of data from a computer, server, or mobile phone without authorisation. 

Several methods can be used to perform this type of cyberattack, including a variety of cyberattacks such as data leakage, data theft, and information extrusion. The kind of security breach posed by this type of company poses a serious threat to the company, since it can result in significant financial losses, disruptions to operations, and irreparable damage to their reputation. This lack of adequate safeguarding of sensitive information under such threats emphasises the importance of developing effective data protection strategies. 

There are two primary means by which data can be exfiltrated from an organisation's network: external attacks and insider threats. Cybercriminals infiltrate an organisation's network by deploying malware that targets connected devices, which can be the result of a cybercriminal attack. A compromised device can serve as a gateway to broader network exploitation once compromised. 

Some types of malware are designed to spread across corporate networks in search of and extracting confidential information, while others remain dormant for extended periods, eschewing detection and quietly collecting, exfiltrating, and exchanging data in small, incremental amounts as it grows. As well as insider threats, internal threats can be equally dangerous in stealing data. 

A malicious insider, such as a disgruntled employee, may be responsible for the theft of proprietary data, often transferring it to private email accounts or external cloud storage services for personal gain. Furthermore, employees may inadvertently expose sensitive information to external parties due to negligent behaviour, resulting in the disclosure of sensitive information to outside parties. 

The insider-related incidents that take place at a company underscore the importance of robust monitoring, employee training, and data loss prevention (DLP) to safeguard the company's assets from outside threats. As a rule, there are many ways in which data exfiltration can be executed, usually by exploiting technological vulnerabilities, poor security practices, or human error in order to carry out the exfiltration.

When threat actors attempt to steal sensitive data from corporate environments, they use sophisticated methods without raising suspicion or setting off security alarms, to do so covertly. For organisations that wish to improve their security posture and reduce the risk of data loss, they must understand the most common tactics used in data exfiltration. 

Malware is one of the most prevalent methods. Once installed, it can scan a device for valuable data such as customer records, financial data or intellectual property and send it to an external server controlled by the attacker. The process is stealthy because malware is typically designed to mask its activity and evade a company's detection tools.

Trojans, keyloggers and ransomware are all capable of operating undetected within a corporate network for extended periods. Phishing, a related method, relies on social engineering to trick users into revealing their login credentials or downloading malicious files: a convincing email or a fake login page can persuade an employee to hand over access to internal systems.

Once attackers have gained access, they can move laterally across the network to reach sensitive information. Phishing is particularly dangerous because it exploits human error and so bypasses even sophisticated technical safeguards. Insider threats are another challenging aspect of the problem.

They can involve malicious insiders, such as employees or contractors, who deliberately leak or sell confidential information for monetary, strategic or personal gain. Insiders can also compromise data unintentionally by mishandling it, sending information to the wrong recipient or using insecure devices. Whatever the intent, insider activity is hard to detect and prevent, especially when an organisation lacks comprehensive monitoring and security controls.

Lastly, network misconfigurations give attackers an easy way in. Poorly configured firewalls, exposed ports and unsecured APIs can be exploited to gain unauthorised access; once inside, an attacker can navigate the network around traditional security mechanisms to locate and steal valuable information.

These misconfigurations often go unnoticed until a breach has already occurred, which is why continuous security audits and vulnerability assessments matter. Organisations that understand these methods are better placed to anticipate threats and implement targeted countermeasures. Web browsers, meanwhile, have become integral to workplace productivity and therefore a significant surface for data leaks.

With more than 60% of enterprise data now stored on cloud platforms and accessed primarily through the browser, browser-level security has become a pressing concern. Recent research shows that many existing security solutions fall short here: proxy-based protections and enterprise browsers lack the visibility needed to identify sophisticated threats.

Such solutions cannot interpret user interactions, monitor changes to the Document Object Model (DOM) or access deeper browser context, leaving gaps that attackers can exploit. Traditional endpoint Data Loss Prevention (DLP) systems have limitations of their own: because they depend on the APIs the browser exposes, they cannot reliably determine the identity of the user, track browser extensions or control the flow of encrypted content within the browser.

These constraints create a blind spot that insider threats and advanced persistent attacks increasingly exploit. The adaptability of these attacks is especially problematic: adversaries can produce new variants that bypass existing defences with very little coding effort, widening the gap between modern threats and outdated security infrastructure.

To address this concern, researchers have developed a toolkit that reproduces the mechanics of these emerging data splicing attacks. It is designed for security teams, red teams and vendors to test their current defences rigorously in a realistic threat environment and determine whether they are adequate.

The objective of Angry Magpie is to help companies uncover hidden weaknesses by simulating advanced browser-based attack vectors and evaluating how resilient their DLP strategies are. It is becoming increasingly apparent that enterprises need a paradigm shift in browser security, towards proactive assessment and continuous adaptation to rapidly changing threats.

With data splicing attacks becoming more prevalent and current security solutions showing their limits, enterprise cybersecurity is at a critical inflexion point. As browser-based work and cloud dependency become the norm, traditional Data Loss Prevention strategies need to evolve in scope, sophistication and scale. Organisations need to move away from legacy solutions that lack the visibility, context and adaptability required to detect and mitigate modern data exfiltration techniques.

To keep pace, cybersecurity professionals must adopt a proactive, threat-informed defence strategy that includes continuous monitoring, advanced browser security controls and regular stress testing with tools such as Angry Magpie. This approach lets organisations identify and close weaknesses before they are exploited, while a culture of security awareness across the workforce reduces human error and insider risk.

Security infrastructure must keep pace with the rapid growth of threats and innovation in cyberspace. Businesses need to commit to modern, dynamic defence mechanisms to increase their resilience and protect the integrity of their most valuable digital assets against emerging threats.

Over 1,200 SAP Instances Exposed to Critical Vulnerability Exploited in the Wild


Security researchers have issued a warning about a severe vulnerability affecting SAP systems, with over 1,200 instances potentially exposed to remote exploitation. This comes after SAP disclosed a critical flaw in the NetWeaver Visual Composer’s Metadata Uploader earlier this week.

The NetWeaver Visual Composer is a development environment designed for building web-based business applications without coding. It is widely used to develop dashboards, forms, and interactive reports. The Metadata Uploader enables developers to import external metadata into the platform, establishing connections with remote data sources such as databases, web services, and other SAP systems.

SAP has identified the vulnerability as CVE-2025-31324, assigning it the highest severity rating of 10 out of 10. The flaw arises from a missing authentication check in the Metadata Uploader, which allows attackers to upload malicious files without authenticating.

Cybersecurity company Keeper, known for its password management and digital vault solutions, highlights the growing need for secure authentication frameworks. The platform utilizes zero-knowledge encryption and provides tools such as two-factor authentication, secure storage, dark web monitoring, and breach alerts.

Upon discovering the issue, SAP first released a workaround, followed by a comprehensive patch in late April. The company is now urging all users to implement the fix immediately. Multiple cybersecurity firms — including ReliaQuest, watchTowr, and Onapsis — have observed real-world exploitation of the flaw. According to reports, attackers have been using it to deploy web shells on compromised servers.

SAP, however, told BleepingComputer that it "is not aware of any attacks that impacted customer data or systems."

There is some discrepancy in the actual number of affected systems. While the Shadowserver Foundation identified 427 exposed servers, Onyphe reports as many as 1,284 vulnerable SAP instances, with 474 already compromised.
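A defender who cannot patch immediately will want to know whether the Metadata Uploader has already been touched. The following Python script is an added example, not code from SAP or from any of the firms named above: it scans web-server access log lines for requests to the uploader and for JSP files fetched under the portal path by the same client afterwards, the trace a dropped web shell would leave. The uploader path comes from the public advisories for CVE-2025-31324 rather than from this page; the log format, the JSP file name and the sample lines are constructed for illustration, and a hit only means the instance needs closer inspection, not that it was compromised.

```python
"""Triage access-log lines for signs of CVE-2025-31324 activity.

Added example, not SAP code. The uploader path is taken from the public
advisories for the flaw; the log format, the web shell file name and the
sample lines are constructed assumptions for illustration.
"""
import re
from collections import namedtuple

# Endpoint of the NetWeaver Visual Composer Metadata Uploader (per public advisories).
UPLOADER_PATH = "/developmentserver/metadatauploader"
PORTAL_PREFIX = "/irj/"   # assumption: where a dropped JSP web shell would be served from

# Common-log-format shape; a real SAP ICM/Java access log will need its own pattern.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
Entry = namedtuple("Entry", "ip user ts method path status")

# Constructed sample: one client POSTs to the uploader, then fetches a JSP it
# should not need; a second client merely probes the endpoint; a logged-in
# user browses the portal normally.
SAMPLE_ACCESS_LOG = """\
203.0.113.55 - - [25/Apr/2025:02:14:07 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 1288
203.0.113.55 - - [25/Apr/2025:02:14:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 512
10.0.0.8 - jdoe [25/Apr/2025:08:00:01 +0000] "GET /irj/portal HTTP/1.1" 200 20481
198.51.100.12 - - [25/Apr/2025:09:42:33 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 3310
"""


def parse_access_log(text):
    """Parse matching lines into Entry tuples; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(Entry(m["ip"], m["user"], m["ts"], m["method"],
                                 m["path"], int(m["status"])))
    return entries


def _bare_path(path):
    return path.split("?", 1)[0].lower()


def find_indicators(entries):
    """Return (kind, client_ip, path) findings, in log order.

    kinds: uploader_post      - a POST to the uploader (the upload primitive itself)
           uploader_get       - any other request to it (reconnaissance / exposure check)
           possible_webshell  - a JSP under the portal path fetched by a client that
                                POSTed to the uploader earlier in the log
    """
    findings = []
    posted_from = set()
    for e in entries:
        path = _bare_path(e.path)
        if path == UPLOADER_PATH:
            kind = "uploader_post" if e.method == "POST" else "uploader_get"
            findings.append((kind, e.ip, e.path))
            if e.method == "POST":
                posted_from.add(e.ip)
        elif (e.ip in posted_from and path.startswith(PORTAL_PREFIX)
              and path.endswith(".jsp")):
            findings.append(("possible_webshell", e.ip, e.path))
    return findings


def uploader_reachable_unauthenticated(entries):
    """True if any request to the uploader succeeded with no user identity logged."""
    return any(_bare_path(e.path) == UPLOADER_PATH and e.user == "-" and e.status == 200
               for e in entries)


if __name__ == "__main__":
    log = parse_access_log(SAMPLE_ACCESS_LOG)
    for finding in find_indicators(log):
        print(finding)
    print("uploader answered unauthenticated:", uploader_reachable_unauthenticated(log))
```

The correlation step matters: portal users legitimately load JSP pages, so a JSP request alone is noise, but a JSP fetched by the same client that just POSTed to an endpoint that should require authentication is the sequence worth escalating. A 200 on an unauthenticated GET to the uploader indicates the component is reachable; whether it is still vulnerable is a question for the patch level, not the log.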

Jammu Municipal Corporation Targeted in Major Cyberattack, Sensitive Data Allegedly Stolen


In a significant breach of digital infrastructure, the Jammu Municipal Corporation (JMC) has fallen victim to a cyberattack believed to have resulted in the loss of vast amounts of sensitive data. According to high-level intelligence sources, the attackers managed to compromise the website, gaining access to critical records and databases that may include personally identifiable information such as Aadhaar numbers, property ownership documents, tax filings, infrastructure blueprints, and internal administrative communications.  

The breach, which occurred on Friday, has prompted an immediate investigation and system lockdown as cybersecurity teams race to contain the damage and begin recovery operations. Officials involved in the incident response have confirmed that website functionality has been suspended as data restoration processes are initiated. Top intelligence sources indicate that the attack bears hallmarks of Pakistan-sponsored cyber operations aimed at undermining India’s administrative framework. “These tactics are consistent with state-backed cyber warfare efforts targeting strategic and sensitive zones like Jammu and Kashmir,” said a senior intelligence official.

“The objective is often to destabilize public services and spread fear among the populace.” The JMC’s website is a key platform used to manage municipal services, property taxes, and local development projects. Its compromise has raised concerns about the broader implications for civic governance and the potential misuse of the stolen data.  

This latest breach follows a series of unsuccessful but alarming hacking attempts by groups linked to Pakistan. Just a day before the JMC attack, hacker collectives such as ‘Cyber Group HOAX1337’ and ‘National Cyber Crew’ reportedly targeted several Indian websites. Cybersecurity teams were able to detect and neutralize these threats before they could cause any major disruption. Among the recent targets were the websites of Army Public School Nagrota and Army Public School Sunjuwan. These were reportedly subjected to defacement attempts featuring inflammatory messages referencing the victims of the Pahalgam terror attack. 

In another incident, a portal catering to the healthcare needs of retired armed forces personnel was compromised and vandalized. Cybersecurity experts warn that such attacks often aim to disrupt not only public trust but also national morale. The recurring pattern of targeting vulnerable groups—such as schoolchildren and elderly veterans—further emphasizes the psychological warfare tactics employed by these groups. 

As recovery efforts continue, the Indian government is likely to review its cybersecurity protocols across public sector systems, especially in high-risk regions. Enhanced defense measures and greater inter-agency coordination are expected to follow. The investigation remains ongoing, and further updates are expected in the coming days.

Hitachi Vantara Takes Servers Offline Following Akira Ransomware Attack


Hitachi Vantara, a subsidiary of Japan's Hitachi conglomerate, temporarily shut down several servers over the weekend after falling victim to a ransomware incident attributed to the Akira group.

The company, known for offering data infrastructure, cloud operations, and cyber resilience solutions, serves government agencies and major global enterprises like BMW, Telefónica, T-Mobile, and China Telecom.

In a statement to BleepingComputer, Hitachi Vantara confirmed the cyberattack and revealed it had brought in external cybersecurity specialists to assess the situation. The company is now working to restore all affected systems.

“On April 26, 2025, Hitachi Vantara experienced a ransomware incident that has resulted in a disruption to some of our systems," Hitachi Vantara told BleepingComputer.

"Upon detecting suspicious activity, we immediately launched our incident response protocols and engaged third-party subject matter experts to support our investigation and remediation process. Additionally, we proactively took our servers offline in order to contain the incident.

We are working as quickly as possible with our third-party subject matter experts to remediate this incident, continue to support our customers, and bring our systems back online in a secure manner. We thank our customers and partners for their patience and flexibility during this time."

Although the company has not officially attributed the breach to any specific threat actor, BleepingComputer reports that sources have linked the attack to the Akira ransomware operation. Insiders allege that the attackers exfiltrated sensitive data and left ransom notes on infiltrated systems.

While cloud services remained unaffected, sources noted that internal platforms at Hitachi Vantara and its manufacturing arm experienced disruption. Despite these outages, clients operating self-hosted systems are still able to access their data.

A separate source confirmed that several government-led initiatives have also been impacted by the cyberattack.

Akira ransomware first appeared in March 2023 and swiftly became notorious for targeting a wide range of sectors worldwide. Since its emergence, the group has reportedly compromised more than 300 organizations, including high-profile names like Stanford University and Nissan Oceania.

The FBI estimates that Akira collected over $42 million in ransom payments by April 2024 after infiltrating over 250 organizations. According to chat logs reviewed by BleepingComputer, the gang typically demands between $200,000 and several million dollars, depending on the scale and sensitivity of the targeted entity.


Scientists Achieve Groundbreaking Control Over Dual Quantum Light Sources


In a major milestone for quantum research, scientists from the University of Copenhagen, in collaboration with Ruhr University Bochum, have achieved what was previously thought impossible—simultaneous control over two quantum light sources. Until now, researchers had only been able to manage one, making this a pivotal step forward for the future of quantum technology.

To those outside the field, the feat may seem modest. But within the realm of quantum, it's a transformational leap. The breakthrough enables entanglement between two light sources, paving the way for future computing, encryption, and network applications powered by quantum systems.

Mastering the interaction of multiple quantum light sources is essential for building scalable quantum networks. Entanglement, the phenomenon in which two particles remain interconnected regardless of distance, is central to quantum physics. Without it, efforts to create ultra-fast quantum computers and advanced cybersecurity solutions would stall.

The findings, recently published in Science, mark a turning point. Researchers from the Niels Bohr Institute believe this could accelerate the commercialization of quantum technologies.

Peter Lodahl, who led the initiative, described it as a major step forward. "We can now control two quantum light sources and connect them. It might not sound like much, but it’s a major advancement and builds upon the past 20 years of work," he shared.

Lodahl, who has been investigating the potential of quantum light since 2001, added: "By doing so, we’ve revealed the key to scaling up the technology, which is crucial for the most groundbreaking of quantum hardware applications." This progress propels the global race to develop quantum-based computers, security, and even a new form of the internet.

The innovation stems from a custom-designed nanochip, only slightly wider than a human hair. Developed over several years, this chip has become the foundation for this scientific leap.

Lodahl's team specializes in photon-based quantum communication, where particles of light transport information. Until this breakthrough, the challenge was that these light sources were too sensitive to external disturbances, limiting control to just one at a time. Now, they've succeeded in developing two identical, noise-resistant quantum light sources.

"Entanglement means that by controlling one light source, you immediately affect the other. This makes it possible to create a whole network of entangled quantum light sources, all of which interact with one another, and which you can get to perform quantum bit operations in the same way as bits in a regular computer, only much more powerfully," explained lead author and postdoctoral researcher Alexey Tiranov.

A quantum bit, or qubit, can exist as both 1 and 0 simultaneously, enabling processing speeds that dwarf traditional systems. As Lodahl notes, 100 photons from a single quantum light source contain more information than the world's largest supercomputer can process.

With 20-30 entangled light sources, scientists could construct a universal, error-corrected quantum computer—the ultimate prize in this field. Leading technology companies are already investing billions into this endeavor.

The biggest obstacle? Scaling from one to two light sources. This required crafting ultra-quiet nanochips and achieving precise control over both light sources. With that now achieved, the foundational research is in place. The next step: transitioning from lab success to real-world quantum systems.

"It is too expensive for a university to build a setup where we control 15-20 quantum light sources. So, now that we have contributed to understanding the fundamental quantum physics and taken the first step along the way, scaling up further is very much a technological task," said Lodahl.

The research was conducted at the Danish National Research Foundation's Center of Excellence for Hybrid Quantum Networks (Hy-Q), a joint effort between the University of Copenhagen’s Niels Bohr Institute and Ruhr University Bochum in Germany.

Large-Scale Data Breach at Frederick Health Exposes Patient Records

Two separate ransomware incidents have recently affected healthcare providers in Maryland and California, exposing sensitive information belonging to more than 1.1 million patients, according to disclosures filed with federal regulators. In one of the attacks, cybercriminals reportedly leaked approximately 480 gigabytes of stolen data.

Frederick Health filed a notice with the US Department of Health and Human Services on March 28 confirming that 934,326 individuals were affected by the breach. The Maryland-based healthcare organisation reported that the incident occurred on January 27 and was the result of a ransomware attack that disrupted its computer infrastructure and led to the exposure of sensitive information.

The full extent of the compromise is still being assessed as the organisation coordinates its response in line with federal data protection requirements. The investigation established that the attackers had gained access to a file-sharing server holding a range of sensitive documents. The data varied from person to person but included both personally identifiable information and information protected under health privacy law.

The attackers obtained patient names, addresses, dates of birth, Social Security numbers and driver's license information. Health-related information, including medical records, insurance policy details and clinical care details, was also stolen during the breach.

No one has publicly claimed responsibility for the breach, and the stolen data has not yet appeared on dark web forums or marketplaces, which has prompted speculation that Frederick Health may have paid a ransom to keep it private. Frederick Health, which employs approximately 4,000 people and operates more than 25 facilities, has taken several steps to limit the impact of the breach on its patients and staff.

As part of its response, the organisation has offered complimentary credit monitoring and identity theft protection services through IDX to affected individuals. No official comment was available: attempts to reach a Frederick Health spokesperson were unsuccessful at the time of reporting.

The incident is part of a growing trend of major data breaches in the healthcare sector. Blue Shield of California recently announced that the protected health information of 4.7 million members had been inadvertently exposed to Google's analytics and advertising tools.

Yale New Haven Health System (YNHHS) has reported that cybercriminals accessed the personal data of approximately 5.5 million patients in an unrelated cyberattack. Together, these events illustrate the escalating cybersecurity threats facing the healthcare industry and their consequences.

No threat actor has officially claimed responsibility for the Frederick Health ransomware attack, and it is not clear whether a ransom was ultimately paid. In late March, Frederick Health began sending individual notification letters to those affected, together with the offer of complimentary credit monitoring and identity theft protection services.

The organisation says that since learning of the breach it has strengthened its cybersecurity infrastructure and increased monitoring for unauthorised access. At least five class action lawsuits have been filed against Frederick Health Medical Group in the wake of the breach. The complaints allege that the organisation failed to implement cybersecurity measures adequate by industry standards, leaving patient data at significant risk of exposure.

The plaintiffs also argue that the breach notification letters lacked transparency, omitting details such as the type of data involved and the specific steps taken to prevent a recurrence. The actions were filed by Frederick Health patients Ernest Farkas, Joseph Kingsman, Jaquelyn Chaillet, James Shoemaker, Wesley Kibler and Jennifer McCreary.

The lawsuits claim that the breach has created an ongoing and heightened risk of identity theft and financial fraud, along with personal financial costs incurred in efforts to mitigate the impact. The plaintiffs are seeking a jury trial; if negligence on the part of the healthcare provider is proven, the outcome may include damages, attorney's fees and punitive measures.

The Frederick Health breach is a stark reminder of the growing cybersecurity vulnerabilities facing the healthcare sector, an industry increasingly reliant on interconnected digital networks to deliver care. With threat actors continually evolving their methods, healthcare providers must protect sensitive patient information by adopting advanced security protocols, auditing their systems regularly and maintaining robust incident response strategies.

Beyond the technical disruption they cause, such breaches also affect patient trust, operational integrity and legal liability. The incident is a reminder to patients to stay vigilant: monitor credit reports, brokerage accounts and insurance statements for unusual activity, and make use of identity protection services when they are offered.

Legislators and regulators also have a responsibility to determine whether existing cybersecurity regulations are adequate for the high-risk environment in which healthcare organisations now operate.

The Frederick Health case highlights the urgent need for an effective, proactive cybersecurity infrastructure, one capable not only of responding to breaches but of anticipating and neutralising them before they have wide-ranging consequences.

Millions Affected by Suspected Data Leak at Major Electronics Chain

A recent report that the hacking group ShinyHunters is offering more stolen data on a darknet marketplace has alarmed cybersecurity experts and users alike. After selling three large databases of compromised user information last week, the group is now reportedly attempting to sell four additional datasets. Separately, customer data from Boulanger Electroménager & Multimédia, a long-established French retailer specialising in household appliances and multimedia products, has surfaced online.

Founded in 1954, Boulanger operates a nationwide network of physical stores and delivers goods across France. Its digital channels include a mobile application that has been downloaded more than a million times from the Google Play store and Apple's App Store, reflecting its broad consumer reach.

Cybersecurity researchers discovered the compromised Boulanger data in a forum post on the open internet and concluded that the breach was the result of cybercrime. The message board in question is a well-known platform for distributing leaked databases, cracked software and other illicit material.

Because the stolen information is available on such an easily accessible public site, there is serious concern that the customer data could be widely exposed and misused. The discovery highlights the data protection challenges companies face, especially in the retail sector, where businesses operate at scale both online and offline, and raises questions about user privacy and the security measures these companies have in place.

The exact nature and extent of the compromised information has not yet been publicly confirmed by all of the affected organisations, but early reports suggest it may include email addresses, hashed passwords and other personal information. Security researchers and the affected organisations continue to assess the full scope of the breaches as the situation unfolds. The ShinyHunters disclosure came from Cyble, which monitors cybercrime forums and darknet marketplaces where stolen data is bought and sold.

Researchers at Safety Detectives have confirmed that sensitive customer information stolen from a French electronics retailer in 2024 is now being distributed online for free. By analysing samples of the exposed data, they verified its validity and traced it to Boulanger, which sells an extensive range of household appliances and multimedia products through its physical stores and its online platform.

Safety Detectives found the leaked information in a public clearweb forum thread, where a user had posted two download links to the compromised database. One link led to an unparsed 16GB JSON file reportedly containing more than 27 million records; the second led to a parsed CSV file of around 500MB containing a subset of five million records.

Both datasets appear to contain sensitive customer information, although the full scope and specific nature of what was exposed has not been disclosed. Boulanger was reportedly targeted in September 2024 as part of a coordinated ransomware campaign that also hit other French retailers, including Truffaut and Cultura. A threat actor known as Horrormar44 claimed responsibility for the breach.

At the time, the stolen data was listed for sale at a price of €2,000 on a separate clearweb forum that is no longer available. It is unclear whether any sale took place, although there were indications of interest from potential buyers. The data has now resurfaced and is being offered for free on another publicly accessible site.

A careful analysis of the cleaned version of the dataset found just over a million unique customer records, with a few duplicates. This is significantly lower than the five million claimed by the original poster, suggesting the listing was exaggerated or inflated.

More than a million verified customer entries still amounts to a significant data exposure, and it raises serious concerns about how retailers handle and protect personal data over the long term. The open circulation of so much verified personal data has heightened concern about data security across the retail industry.

That both the parsed and the raw versions are available online suggests a deliberate intent to make the stolen information easy to obtain for anyone who might misuse it. Investigations are ongoing, and cybersecurity experts are urging affected individuals and organisations to take precautions immediately. It remains unclear whether ShinyHunters were directly responsible for the initial breaches behind the databases they are selling, but the group has been actively brokering the sale of multiple stolen databases.

Cybersecurity firm ZeroFox recently published a report linking ShinyHunters to a high-profile breach of Tokopedia, a major Indonesian e-commerce platform, in which roughly 15 million user records were said to have been compromised. Press coverage has also alleged that the group exfiltrated more than 500 GB of data from private Microsoft GitHub repositories. That claim is still being investigated; a Microsoft spokesperson told Information Security Media Group that the company is aware of it and is looking into it.

ShinyHunters has put a number of large databases up for sale on darknet forums. One, priced at $2,500, reportedly holds around 8 million user records allegedly taken from HomeChef, a meal-delivery service. The dataset includes phone numbers, zip codes, email addresses, IP addresses and passwords hashed with bcrypt, among other identifying details.

Some entries also include the last four digits of users' Social Security numbers. A sample can be found on a darknet marketplace under the listing name "First Stage: HomeChef [8M]". A second database, also priced at $2,500, is said to contain 15 million records from a breach of Chatbooks, a photo-book platform; it includes email addresses, social media access tokens, passwords hashed with SHA-512 and other personally identifiable information. The difference in hashing matters for victims: bcrypt is salted and deliberately slow, whereas a bare SHA-512 digest can be brute-forced at very high speed unless the site also salted and stretched it, which the listing does not say.
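As an added illustration (not from the ZeroFox report or from any of the datasets described here), the following Python triages a leak dump the way the two observations above require: it deduplicates on normalized email, which is the step that separates the one-million count from the five-million claim, and fingerprints the format of each stored credential, since bcrypt is salted and slow while a bare SHA-512 or SHA-256 digest without salt or stretching, or a plaintext password, is cheap to crack offline. Every row is constructed; the bcrypt strings are format-valid placeholders, not hashes of anything.

```python
import hashlib
import re
from collections import Counter

# Hash-format fingerprints. bcrypt is "$2a$/$2b$/$2x$/$2y$" + 2-digit cost + 53 base64 chars (60 total).
# Bare hex digests are treated as unsalted single-pass hashes unless the dump says otherwise.
HASH_PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("sha512-hex", re.compile(r"^[0-9a-f]{128}$", re.I)),
    ("sha256-hex", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("md5-hex", re.compile(r"^[0-9a-f]{32}$", re.I)),
]
# Formats that are salted and deliberately slow; everything else is cheap to attack offline.
SLOW_FORMATS = {"bcrypt"}


def classify_hash(value):
    """Return the hash family a stored credential looks like, or 'unknown/plaintext'."""
    for name, pattern in HASH_PATTERNS:
        if pattern.match(value):
            return name
    return "unknown/plaintext"


def normalize_email(raw):
    """Leak dumps mix case and stray whitespace; dedupe on the canonical form."""
    return raw.strip().lower()


def parse_dump(text):
    """Parse 'email,credential' rows; skip blank and malformed lines instead of crashing."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "," not in line:
            continue
        email, cred = line.split(",", 1)
        rows.append((normalize_email(email), cred.strip()))
    return rows


def triage(text):
    """Count raw rows, unique accounts, hash formats, and how many accounts are cheap to crack."""
    rows = parse_dump(text)
    unique = {}
    for email, cred in rows:
        unique.setdefault(email, cred)  # keep the first occurrence per account
    formats = Counter(classify_hash(c) for c in unique.values())
    cheap = sum(n for fmt, n in formats.items() if fmt not in SLOW_FORMATS)
    return {
        "raw_rows": len(rows),
        "unique_accounts": len(unique),
        "hash_formats": formats,
        "cheap_to_crack": cheap,
    }


# Constructed sample dump: no real users, and the bcrypt strings are format-valid placeholders only.
BCRYPT_A = "$2b$12$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
BCRYPT_B = "$2a$10$" + "0123456789012345678901" + "abcdefghijklmnopqrstuvwxyz12345"
SAMPLE_DUMP = "\n".join([
    "alice@example.com," + BCRYPT_A,
    " Alice@Example.COM ," + BCRYPT_A,  # duplicate of the row above after normalization
    "bob@example.org," + hashlib.sha512(b"Summer2024!").hexdigest(),
    "carol@example.net," + hashlib.sha256(b"letmein").hexdigest(),
    "dave@example.com," + BCRYPT_B,
    "erin@example.com,hunter2",  # stored in the clear
    "malformed line without a separator",
])

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

On the constructed dump the report shows six parsed rows collapsing to five accounts, two bcrypt credentials, and three accounts (the SHA-512, the SHA-256 and the plaintext one) that an attacker can recover with a wordlist in seconds.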

ShinyHunters is also advertising a third database, priced at $1,500, of about 3 million records allegedly taken in an incident at The Chronicle of Higher Education. ZeroFox does not know what type of data it contains, and the listing offers neither a sample nor specifics.

Taken together, these listings show the scale and sophistication of the data-trafficking operations connected to ShinyHunters and reinforce the urgent need for stronger security measures, especially at high-profile organisations and digital platforms. Leaked user data tied to ShinyHunters and similar threat actors is becoming steadily easier to obtain, a troubling escalation of cybersecurity threats worldwide.

The open sale, and even the free sharing, of sensitive data on darknet and clearweb platforms carries many risks, and those risks to individuals and organisations have grown in recent years. Cyber threats are no longer confined to the corporate world; they affect every industry and region. Security professionals advise businesses to prioritise proactive defences: data encryption, continuous security audits, employee training, and breach-response procedures that can be activated immediately.

Consumer vigilance matters just as much: changing any password that may have been exposed and not reusing it elsewhere, enabling multi-factor authentication, and watching for signs of identity misuse. In an increasingly exposed digital environment, these are the most effective protections individuals have. Investigations into these incidents will continue, underscoring the need for a coordinated, resilient national approach to data security.

‘Elusive Comet’ Hackers Exploit Zoom to Target Crypto Users in Sophisticated Scam

 

A newly identified hacking group known as Elusive Comet is targeting cryptocurrency users through a deceptive campaign that leverages Zoom’s remote control feature to gain unauthorized access to victims' systems.

Zoom's built-in remote control feature lets one meeting participant take control of another participant's computer. The attackers abuse that legitimate capability through social engineering rather than by exploiting a code vulnerability, so defenses that look for malicious code or exploit traffic never see anything to block.

According to a report from cybersecurity firm Trail of Bits, the group’s tactics closely resemble those used in the $1.5 billion Bybit crypto heist believed to be linked to the Lazarus group.

"The ELUSIVE COMET methodology mirrors the techniques behind the recent $1.5 billion Bybit hack in February, where attackers manipulated legitimate workflows rather than exploiting code vulnerabilities," explains the Trail of Bits report.

Trail of Bits uncovered the campaign when attackers attempted to target their CEO via a direct message on X (formerly Twitter), posing as representatives of Bloomberg Crypto.

The ruse begins with a fraudulent invitation to a "Bloomberg Crypto" interview, sent to high-profile individuals by email (from bloombergconferences[@]gmail.com) or over social media. The attackers use sock-puppet accounts that mimic journalists or crypto media outlets and send Calendly links to schedule the meeting.

Because the Calendly and Zoom links are genuine, the setup looks trustworthy to the target. During the meeting, the attackers start a screen-sharing session and issue a remote control request, with one crucial twist: they have changed their Zoom display name to "Zoom."

Because Zoom's permission dialog embeds the requester's display name, the target sees a prompt that reads:
"Zoom is requesting remote control of your screen,"
which makes the request look as though it comes from the application itself rather than from another participant.

Granting access gives the attacker full remote control of the machine: data theft, malware installation, unauthorized file access, or the initiation of crypto transactions. In some cases the attackers establish persistence through hidden backdoors and remain unnoticed after the session ends.

"What makes this attack particularly dangerous is the permission dialog's similarity to other harmless Zoom notifications," says Trail of Bits.
"Users habituated to clicking 'Approve' on Zoom prompts may grant complete control of their computer without realizing the implications."

To guard against such threats, Trail of Bits recommends using Privacy Preferences Policy Control (PPPC) profiles to restrict system Accessibility permissions, the macOS permission that Zoom's remote control depends on. Note that TCC payloads of this kind can only be deployed through an MDM enrollment; macOS refuses them when installed by hand. For highly sensitive environments, particularly those handling digital assets or crypto transactions, the firm advises removing the Zoom desktop client entirely.
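As an added example of what such a profile looks like (this is not Trail of Bits' or Zoom's code), the following Python builds a PPPC configuration profile that denies Accessibility to the Zoom desktop client and includes an audit helper that reads a profile back to confirm the rule is present. The bundle identifier us.zoom.xos and the code requirement, including the Team ID in it, are assumptions: before deploying, replace the requirement string with the "designated =>" line printed by `codesign -dr - /Applications/zoom.us.app` on a machine with the client installed. The organisation name is a placeholder.

```python
import plistlib
import uuid

# Zoom's macOS bundle identifier (assumption: confirm with `codesign -dr - /Applications/zoom.us.app`).
ZOOM_BUNDLE_ID = "us.zoom.xos"
# Designated code requirement for the Zoom binary. The Team ID is an assumption; replace the whole
# string with the "designated =>" output of the codesign command above before deploying.
ZOOM_CODE_REQUIREMENT = (
    'identifier "us.zoom.xos" and anchor apple generic and '
    'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
    'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
    'certificate leaf[subject.OU] = BJ4HAAB9B3'
)


def tcc_rule(bundle_id, code_requirement, allowed):
    """One PPPC service rule. A CodeRequirement is mandatory; without it the payload is rejected."""
    return {
        "Identifier": bundle_id,
        "IdentifierType": "bundleID",
        "CodeRequirement": code_requirement,
        "Allowed": allowed,
        "Comment": "Withhold Accessibility so the remote-control feature cannot drive the machine",
    }


def build_pppc_profile(bundle_id, code_requirement, org="example-org"):
    """Build a .mobileconfig dictionary that denies the Accessibility service to one app.

    Only Accessibility is restricted: denying ScreenCapture as well would also break ordinary
    screen sharing, which is not what the mitigation calls for.
    """
    payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.tcc.{bundle_id}",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"PPPC: deny Accessibility to {bundle_id}",
        "Services": {"Accessibility": [tcc_rule(bundle_id, code_requirement, allowed=False)]},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",  # TCC payloads are system scoped and must arrive via MDM
        "PayloadIdentifier": f"{org}.pppc.{bundle_id}",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"Restrict {bundle_id} privacy permissions",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }


def render_mobileconfig(profile):
    """Serialize to the XML plist form that MDM servers ingest."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def accessibility_allowed(mobileconfig_bytes, bundle_id):
    """Audit helper: parse a profile and report the Accessibility decision for bundle_id.

    Returns True/False for an explicit rule, or None when no rule exists, in which case the
    user is asked at runtime, which is exactly the prompt the scam relies on.
    """
    profile = plistlib.loads(mobileconfig_bytes)
    for payload in profile.get("PayloadContent", []):
        for rule in payload.get("Services", {}).get("Accessibility", []):
            if rule.get("Identifier") == bundle_id:
                return bool(rule.get("Allowed"))
    return None


if __name__ == "__main__":
    data = render_mobileconfig(build_pppc_profile(ZOOM_BUNDLE_ID, ZOOM_CODE_REQUIREMENT))
    with open("deny-zoom-accessibility.mobileconfig", "wb") as fh:
        fh.write(data)
```

Once pushed through MDM, the Accessibility toggle for Zoom is greyed out in System Settings and the remote control request fails regardless of what the participant clicks, so the spoofed "Zoom is requesting remote control" prompt has nothing to grant.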

"For organizations handling particularly sensitive data or cryptocurrency transactions, the risk reduction from eliminating the Zoom client entirely often outweighs the minor inconvenience of using browser-based alternatives," explains Trail of Bits.

Investigating the Role of DarkStorm Team in the Recent X Outage

 


Elon Musk's social media platform X, formerly Twitter, was severely disrupted on Monday in what has been reported as a widespread cyberattack causing multiple service outages. Data from the outage monitoring service Downdetector shows at least three significant disruptions over the course of the day, affecting millions of users around the world; more than 41,000 people across Europe, North America, the Middle East and Asia reported outages.
 
The most common symptoms users reported were prolonged connection failures and an inability to fully load the platform. A preliminary assessment suggests the disruptions may have been caused by a coordinated, large-scale cyberattack. While security researchers are still establishing the extent and origin of the incident, they point to the growing trend of organised attacks on high-profile digital infrastructure. The incident has raised concerns about X's security posture, given the platform's prominent role in global communications and information sharing. Authorities and independent analysts continue to examine logs and attack signatures to identify the perpetrators and understand the attack methodology.

A pro-Palestinian hacktivist collective known as the Dark Storm Team has emerged as a notable player in this landscape. The group has orchestrated targeted cyberattacks against Israeli entities and against organisations perceived as supportive of Israel.
 
Motivated by a mix of political ideology and financial gain, the group is known for aggressive tactics: Distributed Denial-of-Service (DDoS) attacks, database intrusions and other disruptive operations against government agencies, public infrastructure and organisations perceived as aligned with Israeli interests, several of which have drawn wide attention.
 
The group is more than an ideological movement; it is also a cybercrime operation that advertises openly on encrypted messaging platforms such as Telegram, reportedly offering coordinated DDoS attacks, data breaches and hacking tools to a range of clients. Its operations appear sophisticated and well resourced, targeting both soft and well-protected targets, and its recent activity suggests an escalation in scale and ambition. In February 2024 the Dark Storm Team warned of an imminent cyberattack, threatening NATO member states, Israel and countries supporting Israel. Documented incidents disrupting government and digital infrastructure followed, reinforcing the group's ability to act on its threats.
 
According to intelligence reports, Dark Storm has also built ties with pro-Russian cyber collectives, which broadens the scope of its operations and gives it access to more advanced tooling. Beyond extending the group's technical reach, the collaboration signals an alignment of geopolitical interests.

Among the most prominent incidents attributed to the group is the October 2024 DDoS attack on the online systems of John F. Kennedy International Airport. The group justified the attack by citing the airport's perceived support for Israeli policies, demonstrating a willingness to target essential infrastructure in pursuit of its wider agenda. Analysts say Dark Storm's combination of ideological motivation and profit-driven cybercrime makes it an unusually potent threat.
 
An investigation is under way to determine whether the group was involved in the recent X disruptions. The DarkStorm Team's tactics combine ideological activism with financially motivated cybercrime; its main methods include DDoS platforms, ransomware campaigns and leaks of sensitive information. Beyond disrupting its targets, these activities advance specific political narratives and generate illicit revenue. For internal coordination, recruitment and operational updates, the group relies heavily on encrypted channels, particularly Telegram, which gives it a degree of anonymity and complicates efforts by law enforcement and security firms to track and dismantle its networks.

Alongside its direct attacks, DarkStorm monetizes stolen data by selling compromised databases, personal information and hacking tools on the darknet. Although the group presents itself as a grassroots hacktivist collective, analysts increasingly suspect covert support from nation-state actors, particularly Russia, citing the complexity and scale of its operations, the strategic choice of targets and the technical sophistication of its attacks. These patterns point to a coordinated, well-resourced group that may be acting as a proxy in broader geopolitical conflicts.
 
The rising threat from groups like DarkStorm shows a cyberwarfare landscape in which ideological, financial and geopolitical motives are increasingly intertwined, which makes attribution and defence significantly harder for targeted organisations and governments. Elon Musk's growing involvement in geopolitical affairs adds further complexity to the narrative around the X disruption. Since Russia's invasion of Ukraine in February 2022, Musk has been criticized for publicly mocking Ukrainian President Volodymyr Zelensky and for remarks seen as dismissive of Ukraine's plight. He also heads the Department of Government Efficiency (DOGE), an entity created under the Trump administration that has cut U.S. federal employment at an unprecedented pace since Trump returned to office, against the backdrop of a marked shift in the administration's foreign policy away from longstanding support for Ukraine and toward a more conciliatory stance with Russia. Musk's geopolitical entanglements extend beyond his role at X.
 
Through his aerospace company SpaceX, he operates the Starlink satellite internet network, which has kept a significant portion of Ukraine's digital communications running during the war. These intersecting spheres of influence, spanning national security, communications infrastructure and social media, have drawn heightened scrutiny, particularly as X remains a central node in global politics. Cybersecurity firms examining the technical details of the DDoS attack have found little evidence of Ukrainian involvement.
 
A senior analyst at a leading cybersecurity firm, speaking on condition of anonymity because of restrictions on discussing X publicly, said that no significant traffic originated from Ukraine and that Ukraine was absent from the top 20 sources of malicious IP addresses linked to the attack. Such data should be read with care: source addresses in DDoS traffic are routinely spoofed, and attack traffic is generated by compromised devices spread around the world, so the location of an IP address rarely identifies the operator. Even so, the absence of Ukrainian addresses is useful because it shifts attention toward more likely sources, such as organised cybercrime groups and state-linked actors.
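As an added example (not from the analyst or any firm cited here), the following Python reproduces the two steps behind a statement like that on a constructed flow log: ranking attack sources by originating network, and measuring how much of the source list looks randomised, which is the telltale of the spoofing caveat above. The prefix table is a stand-in for a GeoIP/ASN database: its prefixes are RFC 5737 documentation ranges and its labels are invented, so nothing here maps to a real country or network.

```python
import ipaddress
from collections import Counter

# Constructed prefix-to-network table standing in for a GeoIP/ASN lookup. The prefixes are
# RFC 5737 documentation ranges and the labels are invented (assumption, not real allocations).
PREFIX_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "NET-A",
    ipaddress.ip_network("198.51.100.0/24"): "NET-B",
    ipaddress.ip_network("203.0.113.0/24"): "NET-C",
}


def lookup(ip):
    """Longest-prefix match of a source address against the table; UNKNOWN if nothing matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, label in PREFIX_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best[1] if best else "UNKNOWN"


def parse_flows(text):
    """Parse 'timestamp src dst proto flags' lines; skip anything that does not fit the shape."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _, src, dst, proto, flags = parts
        flows.append({"src": src, "dst": dst, "proto": proto, "flags": flags})
    return flows


def top_sources(flows, n=20):
    """Rank originating networks by flow count: the 'top N sources' view analysts quote."""
    return Counter(lookup(f["src"]) for f in flows).most_common(n)


def spoofing_indicators(flows):
    """Randomised spoofed sources show up as many addresses that each appear exactly once.

    A high single-hit fraction means the per-network ranking reflects whoever the attacker chose
    to impersonate, not where the traffic was generated.
    """
    per_src = Counter(f["src"] for f in flows)
    single = sum(1 for count in per_src.values() if count == 1)
    return {
        "total_flows": len(flows),
        "unique_sources": len(per_src),
        "single_hit_sources": single,
        "single_hit_fraction": single / len(per_src) if per_src else 0.0,
    }


# Constructed flow log: a SYN flood from twenty never-repeating NET-C addresses, one repeat
# offender in NET-B, and two ordinary completed handshakes from NET-A.
SAMPLE_FLOWS = "\n".join(
    [f"2025-03-10T14:02:{i:02d}Z 203.0.113.{i} 198.18.0.10:443 TCP S" for i in range(1, 21)]
    + ["2025-03-10T14:03:00Z 198.51.100.9 198.18.0.10:443 TCP S"] * 5
    + ["2025-03-10T14:03:05Z 192.0.2.1 198.18.0.10:443 TCP SA"] * 2
)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(top_sources(flows, 20))
    print(spoofing_indicators(flows))
```

On the sample, NET-C tops the ranking with 20 flows, but 20 of the 22 distinct sources appear only once, so the ranking says little about who sent the traffic; the repeat address in NET-B is the only source worth treating as a real vantage point.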
 
The incident reflects the fragile state of digital infrastructure in a politically polarized world where geopolitical tension, corporate influence and cyberwarfare converge. As investigations continue, the role of actors such as the DarkStorm Team, and the broader implications for global cybersecurity policy, are likely to remain contentious.