Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cybersecurity. Show all posts
takedown
Cyber Fraud Cyberattack CyberCrime Cybersecurity digitalcrime Europol Fraud Hacking LabHost LabRat lawenforcement phishing phishingkits phishingtools takedown

Global Cybercrime Crackdown Dismantles Major Phishing-as-a-Service Platform ‘LabHost’

 

In a major international crackdown, a law enforcement operation spearheaded by the London Metropolitan Police and coordinated by Europol has successfully taken down LabHost, one of the most notorious phishing-as-a-service (PhaaS) platforms used by cybercriminals worldwide.

Between April 14 and April 17, 2024, authorities carried out synchronized raids across 70 different sites globally, resulting in the arrest of 37 individuals. Among those arrested were four suspects in the UK believed to be the platform’s original creators and administrators. Following the arrests, LabHost’s digital infrastructure was completely dismantled.

LabHost had gained infamy for its ease of use and wide accessibility, making it a go-to cybercrime tool. The service offered more than 170 fake website templates imitating trusted brands from the banking, telecom, and logistics sectors—allowing users to craft convincing phishing campaigns with minimal effort.

According to authorities, LabHost supported over 40,000 phishing domains and catered to approximately 10,000 users across the globe. The coordinated enforcement effort was supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), with 19 countries actively participating in the investigation.

LabHost showcased how cybercrime has become industrialized through subscription-based platforms. For a monthly fee of around $249, subscribers could access phishing kits, fraudulent websites, hosting services, and even tools to interact with victims in real-time.

One of its most dangerous features was LabRat, an integrated dashboard that enabled users to monitor ongoing phishing attacks. This tool also allowed cybercriminals to intercept two-factor authentication codes and login credentials, effectively bypassing modern security measures.

Its user-friendly interface eliminated the need for technical skills—opening the door for anyone with malicious intent and a credit card to launch sophisticated phishing schemes. The platform's popularity contributed to a spike in identity theft, financial fraud, and widespread data breaches.

Authorities hailed the takedown as a milestone in the fight against cybercrime. However, they also cautioned that the commoditization of cybercrime remains a serious concern.

"This is a critical blow to phishing infrastructure," cybersecurity experts said, "but the ease of recreating similar platforms continues to pose a major threat."

Following the seizure of LabHost’s backend systems, law enforcement agencies have begun analyzing the data to identify the perpetrators and their victims. This will mark the beginning of a new wave of investigations and preventative measures.

The operation involved agencies from 19 countries, including the FBI and Secret Service from the United States, as well as cybercrime units in Canada, Germany, the Netherlands, Poland, Spain, Australia, and the UK. This unprecedented level of international cooperation highlights the cross-border nature of cyber threats and the importance of unified global action.

As authorities prepare for a fresh wave of prosecutions, the LabHost takedown stands as a defining moment in cyber law enforcement—both in its impact and its symbolism.
Read more »
Nullbulge hack
CyberCrime Cybersecurity Cyberthreatm Data Threat Disney Slack breach Nullbulge hack

NullBulge Admits to Stealing Internal Slack Data from Disney

 


Earlier this week, Ryan Mitchell Kramer, 25, of Santa Clarita, pleaded guilty in Los Angeles County Superior Court to hacking the personal device of an employee of The Walt Disney Company in 2024. Kramer managed to obtain login information that allowed him to illegally access the employee's Slack account to access confidential data. 

There are several charges against Kramer, including one charge of accessing a computer and obtaining information, and another charge of threatening to damage a computer, each of which carries a maximum sentence of up to five years. Several years ago, a hacker group known as NullBulge claimed on a hacker forum that it had stolen 1.1TB of data from Disney's internal Slack channels in 2024. It is believed that this caused Disney to open an investigation into this matter, in which it is suspected that the information was a combination of unreleased projects and source code, as well as login credentials, as well as information concerning unreleased projects. 

After Kramer stopped responding to the Disney employee, the discussion collapsed, so Kramer posted on July 12, 202,4, 1.1 terabytes of data collected from Disney Slack channels, along with personal, medical, and bank information about the employee. It is believed that the Wall Street Journal first reported the breach. 

According to their report, the cache contained revenue figures for Disney products such as Disney+ and ESPN+, as well as credentials for logging into the cloud infrastructure. In August of 2024, the company admitted the hack occurred but claimed that the incident had not negatively impacted its operations in any material way. 

To gain access to the Disney employee's computer, Kramer uploaded software to platforms like GitHub purporting to make art created by artificial intelligence. As a matter of fact, in July 2024, the cybersecurity company discovered that Nullbulge was Kramer, who, in reality, was Nullbulge, who seeded several online platforms, including Hugging Face, Reddit, and GitHub, with backdoored software. 

Kramer had also exfiltrated data onto a Discord channel. It wasn't long after Kramer had obtained the 1.1 TB of internal data he needed to cash in on the situation, because he claimed to belong to NullBulge, a Russian-based hacker group. He informed the victim that unless a ransom was paid, all information would be released. It is important to note that officials said Kramer only claimed affiliation with NullBulge, but that he was, it would appear, not a member. It seems likely that this is the case, since many hacktivist groups in the Russian Federation have been moving on to bigger and better things in the last few years. 

Kramer then proceeded to fully dox the victim by disclosing their personal information across multiple platforms, including their bank, medical, and other personal details. Kramer's malicious GitHub project appears to have been downloaded by at least two more people, and their computers have been remotely compromised as a result. A statement on the extent to which those victims' data might have been harvested was not released, however, the FBI is still investigating the matter, which was first reported to the FBI. It seems like a busy week for the federal government when it comes to law enforcement, as this guilty plea brings to a close. 

In the early morning hours of the day, officials announced a pair of big moves in regards to Raytheon's data breach penalty of $8.4 million and a rare extradition victory in its case against an alleged Ukrainian malware attacker. In accordance with the Wall Street Journal, one of the people who downloaded the program was a Disney employee by the name of Matthew Van Andel, who used the program to execute on his computer. Kramer gained access to his device and the passwords stored in his 1Password password manager based on the stolen credentials of Van Andel. 

Kramer was able to download 1.1TB of corporate data using Van Andel's stolen credentials, which gave him access to Disney's Slack channels. The plea agreement that BleepingComputer saw says, "The defendant gained access to private Disney Slack channels by gaining access to M.V's Slack account, and in or around May 2024, the defendant downloaded approximately 1.1 terabytes of confidential data from thousands of Disney Slack channels," according to the plea agreement. Kramer then contacted Van Andel in the name of a Russian hacktivist group called "NullBulge", warning him that if he did not cooperate, his personal information and Disney's stolen Slack data would be published. 

According to NullBulge, they claim to be a Russian hacktivist organisation that is protecting artists' rights, ensuring fair compensation for their work, and promoting ethical practices. Researchers from SentinelOne, on the other hand, analysed the threat group's activities and concluded that the group's actions contradicted what it had claimed. Kramer distributed malicious software disguised as a tool for generating art by artificial intelligence, which he used to access the devices of his victims. 

After the Disney employee downloaded Kramer's fake AI tool, he was able to access their device, allowing Kramer to access corporate data that was later confidential to Disney. When he failed to receive a response from the Disney employee, Kramer leaked his personal information along with the stolen Disney files, attempting to extort him. The company, which had been using Slack for communications until after the discovery of the data leak, has since stopped using Slack for communications, fired the employee who downloaded the fake AI tool, and filed a lawsuit against Disney for wrongful termination.  

It is important to note that Kramer admitted to his plea agreement that he also admitted that at least two other victims had downloaded his malicious file, enabling him to gain access to unauthorised computers and accounts. However, these two victims have not been identified at this time. As part of its investigation into this matter, the FBI is continuing to work on it. 

In the case of Ryan Mitchell Kramer, the skills of social engineering and malware have become increasingly sophisticated, and the risks posed, especially by those disguised as legitimate artificial intelligence applications, are growing. This guilty plea serves not only as a reminder of the vulnerabilities that can arise from trusted internal platforms such as Slack, but it also serves as a cautionary tale for both businesses and individuals to conduct more rigorous testing on third-party software in the future. 

As the federal investigation is ongoing and broader consequences of the breach are still being assessed, the incident reinforces the importance of proactive cybersecurity measures, robust employee training, and rapid internal response to threats posed by digital technologiTor to stay saorganisationsions need to reevaluate their security protocol and remain vigilant against emerging threats that take advantage of trust and technology to cause harm to them.
Read more »
Push Bombing
Cyber Attacks Cybersecurity MFA MFA bombing MFA Fatigue Attacks Multi-Factor Authentication (MFA) Push Bombing

Push-Bombing: The Silent Threat Undermining Multi-Factor Authentication

 


In the ever-evolving landscape of cybersecurity, Multi-Factor Authentication (MFA) has emerged as a robust defense mechanism, adding layers of security beyond traditional passwords. However, a deceptive tactic known as “push-bombing” is undermining this very safeguard, posing significant risks to individuals and organisations alike. 

Understanding Push-bombing, also referred to as MFA fatigue or MFA spamming, is a social engineering attack that targets the human element of security systems. Attackers initiate this method by obtaining a user’s login credentials, often through phishing or data breaches. Subsequently, they attempt to access the account, triggering a barrage of authentication prompts sent to the user’s device. The relentless stream of notifications aims to confuse or frustrate the user into inadvertently approving one, thereby granting unauthorised access to the attacker.  

Real-World Implications 


The consequences of successful push-bombing attacks are far-reaching. Once inside a system, attackers can exfiltrate sensitive data, deploy malware, or move laterally within networks to compromise additional systems. Such breaches not only result in financial losses but also damage an organisation’s reputation and can lead to regulatory penalties. 

Several high-profile organisations have fallen victim to push-bombing attacks. In September 2022, Uber experienced a breach when attackers used stolen credentials to flood an employee with MFA requests. Overwhelmed, the employee eventually approved one, granting the attackers access to internal systems. Similarly, in May 2022, Cisco faced a breach where attackers combined MFA fatigue with voice phishing to compromise an employee’s account. These incidents underscore the effectiveness of push-bombing tactics and the need for heightened vigilance.  


Mitigation Strategies 


To combat push-bombing, a multifaceted approach is essential: 

• User Education: Informing users about the nature of push-bombing attacks is crucial. Training should emphasise the importance of scrutinising authentication prompts and reporting suspicious activity promptly. 

• Phishing-Resistant MFA: Transitioning to authentication methods that do not rely on push notifications, such as hardware security keys or biometric verification, can eliminate the risk associated with push-bombing. 

• Adaptive Authentication: Implementing systems that assess contextual factors, such as login location, device type, and time of access, can help identify and block anomalous login attempts. 

• Rate Limiting: Configuring MFA systems to limit the number of authentication attempts within a specific timeframe can prevent attackers from overwhelming users with prompts. 

While MFA remains a cornerstone of cybersecurity, awareness of its potential vulnerabilities, like push-bombing, is vital. By adopting advanced authentication methods, educating users, and implementing intelligent security measures, organisations can fortify their defenses against this subtle yet potent threat.
Read more »
Trust
AI Automation Biometrics consent Cybersecurity Data Ethics Intelligence Privacy Regulation Security surveillance Technology Transparency Trust

Public Wary of AI-Powered Data Use by National Security Agencies, Study Finds

 

A new report released alongside the Centre for Emerging Technology and Security (CETaS) 2025 event sheds light on growing public unease around automated data processing in national security. Titled UK Public Attitudes to National Security Data Processing: Assessing Human and Machine Intrusion, the research reveals limited public awareness and rising concern over how surveillance technologies—especially AI—are shaping intelligence operations.

The study, conducted by CETaS in partnership with Savanta and Hopkins Van Mil, surveyed 3,554 adults and included insights from a 33-member citizens’ panel. While findings suggest that more people support than oppose data use by national security agencies, especially when it comes to sensitive datasets like medical records, significant concerns persist.

During a panel discussion, investigatory powers commissioner Brian Leveson, who chaired the session, addressed the implications of fast-paced technological change. “We are facing new and growing challenges,” he said. “Rapid technological developments, especially in AI [artificial intelligence], are transforming our public authorities.”

Leveson warned that AI is shifting how intelligence gathering and analysis is performed. “AI could soon underpin the investigatory cycle,” he noted. But the benefits also come with risks. “AI could enable investigations to cover far more individuals than was ever previously possible, which raises concerns about privacy, proportionality and collateral intrusion.”

The report shows a divide in public opinion based on how and by whom data is used. While people largely support the police and national agencies accessing personal data for security operations, that support drops when it comes to regional law enforcement. The public is particularly uncomfortable with personal data being shared with political parties or private companies.

Marion Oswald, co-author and senior visiting fellow at CETaS, emphasized the intrusive nature of data collection—automated or not. “Data collection without consent will always be intrusive, even if the subsequent analysis is automated and no one sees the data,” she said.

She pointed out that predictive data tools, in particular, face strong opposition. “Panel members, in particular, had concerns around accuracy and fairness, and wanted to see safeguards,” Oswald said, highlighting the demand for stronger oversight and regulation of technology in this space.

Despite efforts by national security bodies to enhance public engagement, the study found that a majority of respondents (61%) still feel they understand “slightly” or “not at all” what these agencies actually do. Only 7% claimed a strong understanding.

Rosamund Powell, research associate at CETaS and co-author of the report, said: “Previous studies have suggested that the public’s conceptions of national security are really influenced by some James Bond-style fictions.”

She added that transparency significantly affects public trust. “There’s more support for agencies analysing data in the public sphere like posts on social media compared to private data like messages or medical data.”
Read more »
Privacy
Ascension Cyber Attacks Cyber Hacking CyberCrime Cybersecurity CyberThreat Healthcare Privacy

Ascension Faces New Security Incident Involving External Vendor

 


There has been an official disclosure from Ascension Healthcare, one of the largest non-profit healthcare systems in the United States, that there has been a data breach involving patient information due to a cybersecurity incident linked to a former business partner. Ascension, which has already faced mounting scrutiny for its data protection practices, is facing another significant cybersecurity challenge with this latest breach, proving the company's commitment to security.

According to the health system, the recently disclosed incident resulted in the compromise of personal identifiable information (PII), including protected health information (PHI) of the patient. A cyberattack took place in December 2024 that was reported to have stolen data from a former business partner, a breach that was not reported publicly until now. This was the second major ransomware attack that Ascension faced since May of 2024, when critical systems were taken offline as a result of a major ransomware attack. 

A breach earlier this year affected approximately six million patients and resulted in widespread disruptions of operations. It caused ambulance diversions in a number of regions, postponements of elective procedures, and temporary halts of access to essential healthcare services in several of these regions. As a result of such incidents recurring repeatedly within the healthcare sector, concerns have been raised about the security posture of third-party vendors and also about the potential risks to patient privacy and continuity of care that can arise. 

According to Ascension's statement, the organisation is taking additional steps to evaluate and strengthen its cybersecurity infrastructure, including the relationship with external software and partner providers. The hospital chain, which operates 105 hospitals in 16 states and Washington, D.C., informed the public that the compromised data was "likely stolen" after being inadvertently disclosed to the third-party vendor, which, subsequently, experienced a breach as a result of an external software vulnerability. 

In a statement issued by Ascension Healthcare System, it was reported that the healthcare system first became aware of a potential security incident on December 5, 2024. In response to the discovery of the breach, the organisation initiated a thorough internal investigation to assess the extent of the breach. An investigation revealed that patient data had been unintentionally shared with an ex-business partner, who then became the victim of a cybersecurity attack as a result of the data being shared. 

In the end, it appeared that the breach was caused by a vulnerability in third-party software used by the vendor. As a result of the analysis concluded in January 2025, it was determined that some of the information disclosed had likely been exfiltrated during this attack. 

In spite of Ascension failing to disclose the specific types of data that were impacted by the attack, the organization did acknowledge that multiple care sites in Alabama, Michigan, Indiana, Tennessee, and Texas have been affected by the attack. In a statement released by Ascension, the company stressed that it continues to collaborate with cybersecurity experts and legal counsel to better understand the impact of the breach and to inform affected individuals as necessary. 

In addition, the company has indicated that in the future it will take additional steps to improve data sharing practices as well as third party risk management protocols. There is additional information released by Ascension that indicates that the threat actors who are suspected of perpetrating the December 2024 incident likely gained access to and exfiltrated sensitive medical and personal information. 

There are several types of compromised information in this file, including demographics, Social Security numbers, clinical records, and details about visits such as names of physicians, names, diagnoses, medical record numbers, and insurance provider details. Although Ascension has not provided a comprehensive estimate of how many people were affected nationwide, the organization did inform Texas state officials that 114,692 people were affected by the breach here in Texas alone, which was the number of individuals affected by the breach. 

The healthcare system has still not confirmed whether this incident is related to the ransomware attack that occurred in May 2024 across a number of states and affected multiple facilities. It has been reported that Ascension Health's operations have been severely disrupted since May, resulting in ambulances being diverted, manual documentation being used instead of electronic records, and non-urgent care being postponed. 

It took several weeks for the organization to recover from the attack, and the cybersecurity vulnerabilities in its digital infrastructure were revealed during the process. In addition to revealing that 5,599,699 individuals' personal and health-related data were stolen in the attack, Ascension later confirmed this information. 

Only seven of the system's 25,000 servers were accessed by the ransomware group responsible, but millions of records were still compromised. The healthcare and insurance industries continue to be plagued by data breaches. It has been reported this week that a data breach involving 4,052,972 individuals, resulting from a cyberattack in February 2024, has affected 4,052,972 individuals, according to a separate incident reported by VeriSource Services, a company that manages employee administration. 

A number of these incidents highlight the growing threat that organisations dealing with sensitive personal and medical data are facing. Apparently, the December 2024 breach involving Ascension's systems and networks was not caused by an internal compromise of its electronic health records, but was caused by an external attack. Neither the health system nor the former business partner with whom the patient information was disclosed has been publicly identified, nor has the health system identified the particular third-party software vulnerability exploited by the attackers.

Ascension has also recently announced two separate third-party security incidents that are separate from this one. A notice was posted by the organisation on April 14, 2025, concerning a breach that took place involving Scharnhorst Ast Kennard Gryphon, a law firm based in Missouri. The organisation reported that SAKG had detected suspicious activity on August 1, 2024, and an investigation later revealed that there had been unauthorised access between the 17th and the 6th of August 2024. 

Several individuals affiliated with the Ascension health system were notified by SAKG on February 14, 2025, about the breach. In that incident, there were compromised records including names, phone numbers, date of birth and death, Social Security numbers, driver's license numbers, racial data, and information related to medical treatment. 

A number of media inquiries have been received regarding the broader scope of the incident, including whether or not other clients were affected by the breach, as well as how many individuals were affected in total. Separately, Ascension announced another data security incident on March 3, 2025 that involved Access Telecare, a third-party provider of telehealth services in the area of Ascension Seton in Texas. 

As with previous breaches, the Ascension Corporation clarified that the breach did not compromise its internal systems or electronic health records, a report filed with the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) confirmed on March 8, 2025, that Access Telecare had experienced a breach of its email system, which was reported on March 8, 2025. It is estimated that approximately 62,700 individuals may have been affected by the breach. 

In light of these successive disclosures, it is becoming increasingly apparent that the healthcare ecosystem is at risk of third-party relationships, as organisations continue to face the threat of cybercriminals attempting to steal sensitive medical and personal information from the internet. As a response to the recent security breach involving a former business partner, Ascension has offered two years of complimentary identity protection services to those who have been affected. This company offers credit monitoring services, fraud consultations, identity theft restoration services, aimed at mitigating potential harm resulting from unauthorized access to personal and health information, including credit monitoring, fraud consultation, and identity theft restoration services. 

Even though Ascension has not provided any further technical details about the breach, the timeline and nature of the incident suggest that it may be related to the Clop ransomware group's widespread campaign against data theft. There was a campaign in late 2024 that exploited a zero-day security vulnerability in the Cleo secure file transfer software and targeted multiple organisations. The company has not officially confirmed any connection between the breach and the Clop group, and a spokesperson has not responded to BleepingComputer's request for comment. 

Ascension has not encountered any major cybersecurity incidents in the past, so it is not surprising that this is not the first time they have experienced one. According to Ascension Healthcare's official report from May 2024, approximately 5.6 million patients and employees were affected by a separate ransomware infection attributed to the Black Basta group of hackers. Several hospitals were adversely affected by a security breach that occurred due to the inadvertent download of a malicious file on a company device by an employee. 

A number of data sets were exposed as a result of that incident, including both personal and health-related information, illustrating how the healthcare industry faces ongoing risks due to both internal vulnerabilities and external cyber threats. Despite the ongoing threat of cybersecurity in the healthcare industry, the string of data breaches involving Ascension illustrates the need to be more vigilant and accountable when managing third-party relationships. 

Even in the case of uncompromised internal systems, vulnerabilities in external networks can still result in exposing sensitive patient information to significant risks, even in cases of uncompromised internal systems. To ensure that healthcare organisations are adequately able to manage vendor risk, implement strong data governance protocols, and implement proactive threat detection and response strategies, organisations need to prioritise robust vendor risk management. 

A growing number of regulatory bodies and industry leaders are beginning to realize that they may need to revisit standards that govern network sharing, third-party oversight, and breach disclosure in an effort to ensure the privacy of patients in the increasingly interconnected world of digital health.
Read more »
WhatsApp
Cyberhackers Cybersecurity CyberThreat Data Breach Data Loss Global Security Telegram WhatsApp

Data Security Alert as Novel Exfiltration Method Emerges


Global cybersecurity experts are raising serious concerns over the newly identified cyber threat known as Data Splicing Attacks, which poses a significant threat to thousands of businesses worldwide. It seems that even the most advanced Data Loss Prevention (DLP) tools that are currently being used are unable to stop the sophisticated data exfiltration technique.

A user can manipulate sensitive information directly within the browser, enabling the attacker to split, encrypt or encode it into smaller fragments that will remain undetected by conventional security measures because they can manipulate data directly within the browser. By fragmenting the data pieces, they circumvent the detection logic of both Endpoint Protection Platforms (EPP) and network-based tools, only to be reassembled seamlessly outside the network environment in which they were found. 

As a further contributing factor to the threat, malicious actors are using alternatives to standard communication protocols, such as grpc and Webrtc, and commonly used encrypted messaging platforms, such as WhatsApp and Telegram, as a means of exfiltrating data. As a result of these channels, attackers can obscure their activities and evade traditional SSL inspection mechanisms, making it much more difficult to detect and respond to them. 

An important shift in the threat landscape has taken place with the introduction of Data Splicing Attacks, which require immediate attention from both enterprises and cybersecurity professionals. Data exfiltration, a growing concern within the cybersecurity industry, refers to the act of transferring, stealing, or removing a specific amount of data from a computer, server, or mobile phone without authorisation. 

Several methods can be used to perform this type of cyberattack, including a variety of cyberattacks such as data leakage, data theft, and information extrusion. The kind of security breach posed by this type of company poses a serious threat to the company, since it can result in significant financial losses, disruptions to operations, and irreparable damage to their reputation. This lack of adequate safeguarding of sensitive information under such threats emphasises the importance of developing effective data protection strategies. 

There are two primary means by which data can be exfiltrated from an organisation's network: external attacks and insider threats. Cybercriminals infiltrate an organisation's network by deploying malware that targets connected devices, which can be the result of a cybercriminal attack. A compromised device can serve as a gateway to broader network exploitation once compromised. 

Some types of malware are designed to spread across corporate networks in search of and extracting confidential information, while others remain dormant for extended periods, eschewing detection and quietly collecting, exfiltrating, and exchanging data in small, incremental amounts as it grows. As well as insider threats, internal threats can be equally dangerous in stealing data. 

A malicious insider, such as a disgruntled employee, may be responsible for the theft of proprietary data, often transferring it to private email accounts or external cloud storage services for personal gain. Furthermore, employees may inadvertently expose sensitive information to external parties due to negligent behaviour, resulting in the disclosure of sensitive information to outside parties. 

The insider-related incidents that take place at a company underscore the importance of robust monitoring, employee training, and data loss prevention (DLP) to safeguard the company's assets from outside threats. As a rule, there are many ways in which data exfiltration can be executed, usually by exploiting technological vulnerabilities, poor security practices, or human error in order to carry out the exfiltration.

When threat actors attempt to steal sensitive data from corporate environments, they use sophisticated methods without raising suspicion or setting off security alarms, to do so covertly. For organisations that wish to improve their security posture and reduce the risk of data loss, they must understand the most common tactics used in data exfiltration. 

Infiltrating a system using malware is one of the most prevalent methods, as it is malicious software that is intentionally installed to compromise it. When malware is installed, it can scan a device for valuable data like customer records, financial data, or intellectual property, and send that information to an external server controlled by the attacker, which makes the process stealthy, as malware is often designed to mask its activity to evade detection by a company. 

Data exfiltration is often accompanied by trojans, keyloggers, and ransomware, each of which is capable of operating undetected within a corporate network for extended periods. A similar method, phishing, relies on social engineering to trick users into revealing their login information or downloading malicious files. A cybercriminal can trick employees into granting them access to internal systems by craftily crafting convincing emails or creating false login pages.

When attackers gain access to a network, they can easily move across the network laterally and gain access to sensitive information. Phishing attacks are particularly dangerous because they rely heavily on human error to exploit human error, bypassing even the most sophisticated technological safeguards. The insider threat represents a challenging aspect of an organisation. 

It can involve malicious insiders, such as employees or contractors, who deliberately leak or sell confidential information for monetary, strategic, or personal gain. As an example, insiders can also compromise data security unintentionally by mishandling sensitive data, sending information to incorrect recipients, or using insecure devices, without realising it. No matter what the intent of an insider threat is, it can be very difficult to detect and prevent it, especially when organisations do not have comprehensive monitoring and security controls in place. 

Lastly, network misconfigurations are a great source of entry for attackers that requires little effort. When an internal system is compromised, it can be exploited by an attacker to gain unauthorised access by exploiting vulnerabilities such as poorly configured firewalls, exposed ports, and unsecured APIS. Once the attacker is inside, he or she can navigate the network by bypassing the traditional security mechanisms to locate and steal valuable information. 

Often, these misconfigurations don't become apparent until a breach has already occurred, so it is very important to conduct continuous security audits and vulnerability assessments. In order to safeguard critical information assets better, organizations must understand these methods so that they may be able to anticipate threats and implement targeted countermeasures. Increasingly, web browsers have become an integral part of workplace productivity, creating a significant threat surface for data leaks. 

As more than 60% of enterprise data is now stored on cloud-based platforms and is accessed primarily through browsers, ensuring browser-level security has become an extremely important concern. However, many existing security solutions have fallen short in addressing this challenge as recent research has revealed. It is very hard for proxy-based protections incorporated into enterprise browsers to identify sophisticated threats because they lack visibility. 

Nevertheless, these solutions are not capable of understanding user interactions, monitoring changes to the Document Object Model (DOM), or accessing deeper browser context, which makes them easily exploitable to attackers. The traditional Data Loss Prevention (DLP) systems on endpoints are also not without limitations. As a result of their dependence on browser-exposed APIs, they are unable to determine the identity of the user, track browser extensions, or control the flow of encrypted content in the browser. 

The constraints are creating a blind spot, which is increasingly being exploited by insider threats and advanced persistent attacks as a result of these constraints. It is especially problematic that these attacks are so adaptable; adversaries can develop new variants with very little coding effort, which will further widen the gap between modern threats and outdated security infrastructure, as well as allowing adversaries to build new variants that bypass existing defences. 

A new toolkit developed specifically for reproducing the mechanics of these emerging data splicing attacks has been developed by researchers to address this growing concern. The tool has been developed to respond to this growing concern. It is designed for security teams, red teams, and vendors to test and evaluate their current defences in a realistic threat environment rigorously to determine whether their current defences are adequate. 

It is the objective of Angry Magpie to help companies discover hidden vulnerabilities by simulating advanced browser-based attack vectors in order to evaluate how resilient their DLP strategies are. It is becoming increasingly apparent that enterprises need a paradigm shift in their approach to browser security, emphasizing proactive assessment and continuous adaptation in order to deal with rapidly changing cyber threats in the future. 

As data splicing attacks have become increasingly prevalent and current security solutions have become increasingly limited, enterprise cybersecurity is at a critical inflexion point. As browser-based work environments become the norm and cloud dependency becomes more prevalent, traditional Data Loss Prevention strategies need to evolve both in scope and sophistication, as well as in scale. As organisations, we need to move away from legacy solutions that do not offer visibility, context, or adaptability that are necessary for detecting and mitigating modern data exfiltration techniques. 

For cybersecurity professionals to remain competitive in the future, they must adopt a proactive and threat-informed defence strategy that includes continuous monitoring, advanced browser security controls, and regular stress testing of their systems through tools such as Angry Magpie. By taking this approach, organisations can identify and close vulnerabilities before they become exploitable, as well as ensure that there is a culture of security awareness throughout the workforce to minimise human error and insider threats. 

Security infrastructures must keep up with the rapidly growing threats and innovations in cyberspace as well to maintain a competitive advantage. Businesses need to acknowledge and commit to modern, dynamic defence mechanisms to increase their resilience and ensure the integrity of their most valuable digital assets is better protected as a result of emerging threats.

Read more »
Webshell
Authentication Breach CVE202531324 Cybersecurity malware NetWeaver Patch SAP servers VisualComposer Vulnerability Webshell

Over 1,200 SAP Instances Exposed to Critical Vulnerability Exploited in the Wild

 

Security researchers have issued a warning about a severe vulnerability affecting SAP systems, with over 1,200 instances potentially exposed to remote exploitation. This comes after SAP disclosed a critical flaw in the NetWeaver Visual Composer’s Metadata Uploader earlier this week.

The NetWeaver Visual Composer is a development environment designed for building web-based business applications without coding. It is widely used to develop dashboards, forms, and interactive reports. The Metadata Uploader enables developers to import external metadata into the platform, establishing connections with remote data sources such as databases, web services, and other SAP systems.

SAP has identified the vulnerability as CVE-2025-31324, assigning it the highest severity rating of 10 out of 10. The flaw arises due to a lack of authentication in the Metadata Uploader, allowing attackers to upload malicious files without needing authorization.

Cybersecurity company Keeper, known for its password management and digital vault solutions, highlights the growing need for secure authentication frameworks. The platform utilizes zero-knowledge encryption and provides tools such as two-factor authentication, secure storage, dark web monitoring, and breach alerts.

Upon discovering the issue, SAP first released a workaround, followed by a comprehensive patch in late April. The company is now urging all users to implement the fix immediately. Multiple cybersecurity firms — including ReliaQuest, watchTowr, and Onapsis — have observed real-world exploitation of the flaw. According to reports, attackers have been using it to deploy web shells on compromised servers.

SAP, however, stated to BleepingComputer:

"It is not aware of any attacks that impacted customer data or systems."

There is some discrepancy in the actual number of affected systems. While the Shadowserver Foundation identified 427 exposed servers, Onyphe reports as many as 1,284 vulnerable SAP instances, with 474 already compromised.
Read more »
Sensitive Data Leak
cyber attack Cyber Warfare Cybersecurity Data Breach Data Theft Hacker attack Information Security Personal Data Breach Sensitive Data Leak

Jammu Municipal Corporation Targeted in Major Cyberattack, Sensitive Data Allegedly Stolen

 

In a significant breach of digital infrastructure, the Jammu Municipal Corporation (JMC) has fallen victim to a cyberattack believed to have resulted in the loss of vast amounts of sensitive data. According to high-level intelligence sources, the attackers managed to compromise the website, gaining access to critical records and databases that may include personally identifiable information such as Aadhaar numbers, property ownership documents, tax filings, infrastructure blueprints, and internal administrative communications.  

The breach, which occurred on Friday, has prompted an immediate investigation and system lockdown as cybersecurity teams race to contain the damage and begin recovery operations. Officials involved in the incident response have confirmed that website functionality has been suspended as data restoration processes are initiated. Top intelligence sources indicate that the attack bears hallmarks of Pakistan-sponsored cyber operations aimed at undermining India’s administrative framework. “These tactics are consistent with state-backed cyber warfare efforts targeting strategic and sensitive zones like Jammu and Kashmir,” said a senior intelligence official.

“The objective is often to destabilize public services and spread fear among the populace.” The JMC’s website is a key platform used to manage municipal services, property taxes, and local development projects. Its compromise has raised concerns about the broader implications for civic governance and the potential misuse of the stolen data.  

This latest breach follows a series of unsuccessful but alarming hacking attempts by groups linked to Pakistan. Just a day before the JMC attack, hacker collectives such as ‘Cyber Group HOAX1337’ and ‘National Cyber Crew’ reportedly targeted several Indian websites. Cybersecurity teams were able to detect and neutralize these threats before they could cause any major disruption. Among the recent targets were the websites of Army Public School Nagrota and Army Public School Sunjuwan. These were reportedly subjected to defacement attempts featuring inflammatory messages referencing the victims of the Pahalgam terror attack. 

In another incident, a portal catering to the healthcare needs of retired armed forces personnel was compromised and vandalized. Cybersecurity experts warn that such attacks often aim to disrupt not only public trust but also national morale. The recurring pattern of targeting vulnerable groups—such as schoolchildren and elderly veterans—further emphasizes the psychological warfare tactics employed by these groups. 

As recovery efforts continue, the Indian government is likely to review its cybersecurity protocols across public sector systems, especially in high-risk regions. Enhanced defense measures and greater inter-agency coordination are expected to follow. The investigation remains ongoing, and further updates are expected in the coming days.
Read more »
Subscribe to: Posts (Atom)