Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Breach Prevention. Show all posts
Password Security
Browser Vulnerabilities Cyber Threats Cybersecurity awareness Data Breach Prevention digital safety Identity Protection Online Privacy Password Manager Password Security

Why It’s Time to Stop Saving Passwords in the Browser

 


As convenience often takes precedence over caution in the digital age, the humble "Save Password" prompt has quietly become one of the most overlooked security traps of the digital age, one of the most overlooked security threats. The number of users who entrust their most sensitive credentials to their browsers each day is staggering. 

In a bid to relieve themselves of the constant burden of remembering multiple logins every day, millions of people are willing to trust their browsers. As seemingly innocent as it may seem to simplify daily life, this shortcut conceals a significant and growing cybersecurity threat that is rapidly spreading across the globe. The very feature that was designed to make online access effortless has now become a prime target for cybercriminals.

These thieves are able to retrieve the passwords stored on local computers within minutes — often even without the user's knowledge — and sell them for a profit or further exploitation on dark web marketplaces. 

By storing encrypted login information within a user's profile data, browser-based password managers can be reclaimed when needed by storing them in their profile data, automatically recalling them when necessary, and even syncing across multiple devices that are connected to the same account. In addition to improving accessibility and ease of use with this integration, the potential attack surface is multiplied. 

As soon as a single account or system has been compromised, every password saved has been exposed to attack. During an age where digital threats are becoming increasingly sophisticated, experts warn that convenience-driven habits, such as saving passwords in the browser, may end up costing the users much more than the few seconds they save at login time when they save passwords in their browser.

Even though browser-based password storage remains the default choice for many users, experts are increasingly emphasising the advantages of dedicated password managers - tools that can be used across multiple platforms and ecosystems independently. 

Many browser managers do not sync with their own environments; they only sync with their own environments, such as Google and Chrome, Apple and Safari, or Microsoft with Edge. However, standalone password managers surpass these limitations. It is compatible with all major browsers and operating systems, so users will be able to access their credentials on both Macs and Windows computers, as well as Android phones and iPhones, regardless of whether they are using a MacBook or a Windows computer. 

These managers act as independent applications, rather than integrated components of browsers, so that they provide both flexibility and resilience. They provide a safe and secure means of transferring data from one device to another, allowing users to be independent of any single vendor's ecosystem. Modern password managers have more to offer than simply storing credentials. 

Families, friends, and professional teams can use them to share secure passwords among themselves, ensuring critical access during times of crisis or collaboration. Additionally, encrypted local copies of stored data are maintained on the computers, so that users can access their data offline even when their phone or Internet connection is disconnected. 

Using this capability, important credentials are always readily available whenever and wherever they are required, without sacrificing security. Contrary to this, browser-based password saving has continued to attract users around the world — from small business owners trying to maximise efficiency to workers at large corporations juggling multiple logins — because of its ease of use. This convenience is not without its dangers, however. 

Cybercriminals use browser-stored credentials daily as a means of exploiting them via stealer malware, phishing attacks and tools that retrieve autofill information, cookies, and stored sessions. Once these credentials have been obtained, they are quickly circulated and sold on dark web forums and encrypted Telegram channels, allowing attackers to gain access to sensitive corporate and personal data. 

Many consequences can result from a harmless click on the “Save Password” button that can affect not just an individual but entire organisations as well. Despite this appearance of efficiency, there is a fundamental flaw beneath this efficiency: browsers were never intended to serve as secure vaults for passwords. The main purpose of browsers is still web browsing, and password storage is only an optional feature. 

When it comes to strengthening in-browser security, it's crucial to ensure the encryption keys are only held by the device owner by enabling on-device encryption, which is available through services like Google Password Manager. This feature integrates directly with the device's screen lock and creates an additional layer of protection that prevents people from accessing passwords stored on the user; device. 

As a consequence, it comes with a trade-off as well: users who lose access to their Google accounts or devices may be permanently locked out of their saved credentials. Another essential measure is enabling password autofill features on browsers, a feature that remains one of the most easily exploited browser conveniences. 

It is possible, for example, to toggle off "Offer to save passwords" in Chrome by going to "Settings" > "Autofill and passwords" > "Google Password Manager." 

Using Microsoft Edge, users can achieve the same level of protection by enabling the option "Autofill Passwords and Passkeys" in the "Passwords and autofill" section of Settings, while Safari users on macOS Catalina 10.15 and later can use the File menu to export and modify passwords in order to limit their exposure.

In addition to the above adjustments, implementing two-factor authentication across all accounts adds a second line of defense, which means that even if credentials are compromised, unauthorized access remains unlikely, even with compromised credentials. 

In order to further reduce potential risks, it is important to review and eliminate stored passwords tied to sensitive or high-value accounts. However, browser-stored passwords are a fraction of the information that is silently accumulated by most browsers. A browser, in addition to storing login credentials, also contains a wealth of personal and corporate data that can be of invaluable use to cybercriminals. 

By saving credit card information, autofilling information like addresses and telephone numbers, cookies, browsing history, and cached files, we can gather a detailed picture of the user's digital life over the course of a lifetime. Using compromised cookies, attackers may be able to hijack active sessions without using a password, while stolen autofill data can serve as a weapon for identity theft or phishing schemes. 

Inadvertently, bookmarks or download histories could reveal sensitive client-related materials or internal systems. In essence, the browser functions as an unsecured vault for financial, professional, and personal information, all enclosed in a convenient layer that is prone to easy breach. 

It would be much safer and more structured to use dedicated password managers such as 1Password, Dashlane, Bitwarden, and LastPass if they were made from the ground up with encryption, privacy, and cross-platform protection as their core design principles. These tools transcend the limitations of browsers by providing a much more secure and structured alternative. 

In addition to safeguarding passwords, they also ensure that the user remains fully in control of their digital credentials. They provide the perfect balance between convenience and uncompromising security in today's connected world. As digital life continues to become more entwined with convenience, protecting one's online identity has never been a higher priority than it has ever been.

To attain a higher level of security, users must move beyond short-term comfort and establish proactive security habits. For instance, they should update their passwords regularly, avoid reusing them, monitor for breaches, and use trusted password management solutions with zero-knowledge encryption. There is an important difference between the use of browser-stored credentials versus secure, dedicated platforms that take care of themselves. 

In a world where cyberthreats are evolving at a rapid pace, users must have a feeling that their data is safe and secure, not only that it is also easy to use and simple to operate.
Read more »
PolarEdge Malware
Advanced Persistent Threats Cloud Security Cyber Attack Trends Cyber Attacks IoT Botnet Cybersecurity Threats Data Breach Prevention Digital Infrastructure Network Security PolarEdge Malware

Cybersecurity Alert as PolarEdge Botnet Hijacks 25,000 IoT Systems Globally

 


Researchers at Censys have found that PolarEdge is rapidly expanding throughout the world, in an alarming sign that connected technology is becoming increasingly weaponised. PolarEdge is an advanced botnet orchestrating large-scale attacks against Internet of Things (IoT) and edge devices all over the world, a threat that has become increasingly prevalent in recent years. 

When the malicious network was first discovered in mid-2023, only around 150 confirmed infections were identified. Since then, the network has grown into an extensive digital threat, compromising nearly 40,000 devices worldwide by August 2025. Analysts have pointed out that PolarEdge's architecture is very similar to Operational Relay Box (ORB) infrastructures, which are covert systems commonly used to facilitate espionage, fraud, and cybercrime. 

PolarEdge has grown at a rapid rate in recent years, and this highlights the fact that undersecured IoT environments are becoming increasingly exploited, placing them among the most rapidly expanding and dangerous botnet campaigns in recent years. PolarEdge has helped shed light on the rapidly evolving nature of cyber threats affecting the hyperconnected world of today. 

PolarEdge, a carefully crafted campaign that demonstrates how compromised Internet of Things (IoT) ecosystems can be turned into powerful weapons of cyber warfare, emerged as an expertly orchestrated campaign. There are more than 25,000 infected devices spread across 40 countries that are a part of the botnet, and the botnet is characterised by its massive scope and sophistication due to its network of 140 command and control servers. 

Unlike many other distributed denial-of-service (DDoS) attacks, PolarEdge is not only a tool for distributing denial-of-service attacks, but also a platform for criminal infrastructure as a service (IaaS), specifically made to support advanced persistent threats (APT). By exploiting vulnerabilities in IoT devices and edge devices through systematic methods, the software constructs an Operational Relay Box (ORB) network, which creates a layer of obfuscating malicious traffic, enabling covert operations such as espionage, data theft, and ransomware.

By adopting this model, the cybercrime economy is reshaped in a way that enables even moderately skilled adversaries to access capabilities that were once exclusively the domain of elite threat groups. As further investigation into PolarEdge's evolving infrastructure was conducted, it turned out that a previously unknown component known as RPX_Client was uncovered, which is an integral part of the botnet that transforms vulnerable IoT devices into proxy nodes. 

In May 2025, XLab's Cyber Threat Insight and Analysis System detected a suspicious activity from IP address 111.119.223.196, which was distributing an ELF file named "w," a file that initially eluded detection on VirusTotal. The file was identified as having the remote location DNS IP address 111.119.223.196. A deeper forensic analysis of the attack was conducted to uncover the RPX_Client mechanism and its integral role in the construction of Operational Relay Box networks. 

These networks are designed to hide malicious activity behind layers of compromised systems to make it appear as if everything is normal. An examination of the device logs carried out by the researchers revealed that the infection had spread all over the world, with the highest concentration occurring in South Korea (41.97%), followed by China (20.35%) and Thailand (8.37%), while smaller clusters emerged in Southeast Asia and North America. KT CCTV surveillance cameras, Shenzhen TVT digital video recorders and Asus routers have been identified as the most frequently infected devices, whereas other devices that have been infected include Cyberoam UTM appliances, Cisco RV340 VPN routers, D-Link routers, and Uniview webcams have also been infected. 

140 RPX_Server nodes are running the campaign, which all operate under three autonomous system numbers (45102, 37963, and 132203), and are primarily hosted on Alibaba Cloud and Tencent Cloud virtual private servers. Each of these nodes communicates via port 55555 with a PolarSSL test certificate that was derived from version 3.4.0 of the Mbed TLS protocol, which enabled XLab to reverse engineer the communication flow so that it would be possible to determine the validity and scope of the active servers.

As far as the technical aspect of the RPX_Client is concerned, it establishes two connections simultaneously. One is connected to RPX_Server via port 55555 for node registration and traffic routing, while the other is connected to Go-Admin via port 55560 for remote command execution. As a result of its hidden presence, this malware is disguised as a process named “connect_server,” enforces a single-instance rule by using a PID file (/tmp/.msc), and keeps itself alive by injecting itself into the rcS initialisation script. 

In light of these efforts, it has been found that the PolarEdge infrastructure is highly associated with the RPX infrastructure, as evidenced by overlapping code patterns, domain associations and server logs. Notably, IP address 82.118.22.155, which was associated with PolarEdge distribution chains in the early 1990s, was found to be related to a host named jurgencindy.asuscomm.com, which is the same host that is associated with PolarEdge C2 servers like icecreand.cc and centrequ.cc. 

As the captured server records confirmed that RPX_Client payloads had been delivered, as well as that commands such as change_pub_ip had been executed, in addition to verifying its role in overseeing the botnet's distribution framework, further validated this claim. Its multi-hop proxy architecture – utilising compromised IoT devices as its first layer and inexpensive Virtual Private Servers as its second layer – creates a dense network of obfuscation that effectively masks the origin of attacks. 

This further confirms Mandiant's assessment that cloud-based infrastructures are posing a serious challenge to conventional indicator-based detection techniques. Several experts emphasised the fact that in order to mitigate the growing threat posed by botnets, such as PolarEdge, one needs to develop a comprehensive and layered cybersecurity strategy, which includes both proactive defence measures and swift incident response approaches. In response to the proliferation of connected devices, organisations and individuals need to realise the threat landscape that is becoming more prevalent. 

Therefore, IoT and edge security must become an operational priority rather than an afterthought. It is a fundamental step in making sure that all devices are running on the latest firmware, since manufacturers release patches frequently to address known vulnerabilities regularly. Furthermore, it is equally important to change default credentials immediately with strong, unique passwords. This is an essential component of defence against large-scale exploitation, but is often ignored.

Security professionals recommend that network segmentation be implemented, that IoT devices should be isolated within specific VLANs or restricted network zones, so as to minimise lateral movement within networks. As an additional precaution, organisations are advised to disable non-essential ports and services, so that there are fewer entry points that attackers could exploit. 

The continuous monitoring of the network, with a strong emphasis on intrusion detection and prevention (IDS/IPS) systems, has a crucial role to play in detecting suspicious traffic patterns that are indicative of active compromises. The installation of a robust patch management program is essential in order to make sure that all connected assets are updated with security updates promptly and uniformly. 

Enterprises should also conduct due diligence when it comes to the supply chain: they should choose vendors who have demonstrated a commitment to transparency, timely security updates, and disclosure of vulnerabilities responsibly. As far as the technical aspect of IoT defence is concerned, several tools have proven to be effective in detecting and counteracting IoT-based threats. Nessus, for instance, provides comprehensive vulnerability scanning services, and Shodan provides analysts with a way to identify exposed or misconfigured internet-connected devices. 

Among the tools that can be used for deeper network analysis is Wireshark, which is a protocol inspection tool used by most organisations, and Snort or Suricata are powerful IDS/IPS systems that can detect malicious traffic in real-time. In addition to these, IoT Inspector offers comprehensive assessments of device security and privacy, giving us a much better idea of what connected hardware is doing and how it behaves. 

By combining these tools and practices, a critical defensive framework can be created - one that is capable of reducing the attack surface and curbing the propagation of sophisticated botnets, such as PolarEdge, resulting in a reduction in the number of attacks. In a comprehensive geospatial study of PolarEdge's infection footprint, it has been revealed that it has been spread primarily in Southeast Asia and North America, with South Korea claiming 41.97 percent of the total number of compromised devices to have been compromised. 

The number of total infections in China comes in at 20.35 per cent, while Thailand makes up 8.37 per cent. As part of the campaign, there are several key victims, including KT CCTV systems, Shenzhen TVT digital video recorders (DVRs), Cyberoam Unified Threat Management (UTM) appliances, along with a variety of router models made by major companies such as Asus, DrayTek, Cisco, and D-Link. Virtual private servers (VPS) are used primarily to control the botnet's command-and-control ecosystem, which clusters within autonomous systems 45102, 37963, and 132203. 

The vast majority of the botnet's operations are hosted by Alibaba Cloud and Tencent Cloud infrastructure – a reflection of the botnet's dependency on commercial, scalable cloud environments for maintaining its vast operations. PolarEdge's technical sophistication is based on a multi-hop proxy framework, RPX, a multi-hop proxy framework meticulously designed to conceal attack origins and make it more difficult for the company to attribute blame. 

In the layered communication chain, traffic is routed from a local proxy to RPX_Server nodes to RPX_Client instances on IoT devices that are infected, thus masking the true source of command, while allowing for fluid, covert communication across global networks. It is the malware's strategy to maintain persistence by injecting itself into initialisation scripts. Specifically, the command echo "/bin/sh /mnt/mtd/rpx.sh &" >> /etc/init.d/rcS ensures that it executes automatically at the start-up of the system. 

Upon becoming active, it conceals itself as a process known as “connect_server” and enforces single-instance execution using the PID file located at /tmp/.msc to enforce this. This client is capable of configuring itself by accessing a global configuration file called “.fccq” that extracts parameters such as the command-and-control (C2) address, communication ports, device UUIDs, and brand identifiers, among many others. 

As a result, these values have been obfuscated using a single-byte XOR encryption (0x25), an effective yet simple method of preventing static analysis of the values. This malware uses two network ports in order to establish two network channels—port 55555 for node registration and traffic proxying, and port 55560 for remote command execution via the Go-Admin service. 

Command management is accomplished through the use of “magic field” identifiers (0x11, 0x12, and 0x16), which define specific operational functions, as well as the ability to update malware components self-aware of themselves using built-in commands like update_vps, which rotates C2 addresses.

A server-side log shows that the attackers executed infrastructure migration commands, which demonstrates their ability to dynamically switch proxy pools to evade detection each and every time a node is compromised or exposed, which is evidence of the attacker’s ability to evade detection, according to the log. It is evident from network telemetry that PolarEdge is primarily interested in non-targeted activities aimed at legitimate platforms like QQ, WeChat, Google, and Cloudflare. 

It suggests its infrastructure may be used as both a means for concealing malicious activity as well as staging it as a form of ordinary internet communication. In light of the PolarEdge campaign, which highlights the fragility of today's interconnected digital ecosystem, it serves as a stark reminder that cybersecurity must evolve in tandem with the sophistication of today's threats, rather than just react to them. 

A culture of cyber awareness, cross-industry collaboration, and transparent threat intelligence sharing is are crucial component of cybersecurity, beyond technical countermeasures. Every unsecured device, whether it is owned by governments, businesses, or consumers, can represent a potential entryway into the digital world. Therefore, governments, businesses, and consumers all must recognise this. The only sustainable way for tomorrow's digital infrastructure to be protected is through education, accountability, and global cooperation.
Read more »
Subscribe to: Comments (Atom)