Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Theft. Show all posts
personal data leak
Cyber Attacks Data Leak data security Data Theft employee data exposed Jaguar Jaguar Land Rover cyberattack payroll security breach personal data leak

Jaguar Land Rover Confirms Employee Data Theft After August 2025 Cyberattack

 

British luxury carmaker Jaguar Land Rover has confirmed that a cyberattack uncovered in August 2025 led to the theft of payroll and personal data of thousands of current and former employees. After this disclosure, the company asked the affected people to remain alert about identity theft, phishing attempts, and financial fraud. 

The breach represents the first official acknowledgement from JLR that employee personal information was compromised during the incident. Earlier statements had focused largely on the operational disruption caused by the attack, which forced the temporary shutdown of vehicle production across several manufacturing facilities for several weeks. The company employs more than 38,000 people worldwide. Records pertaining to former employees and contractors were also affected. 

Internal communications shared with staff revealed that forensic investigations determined attackers took unauthorized access to payroll administration systems. These systems would include sensitive employment-related records, including data associated with salaries, pension contributions, employee benefits, and information about dependents. While JLR has stated that there is currently no evidence that the stolen information has been publicly leaked or actively misused, the nature of the exposed data creates a heightened risk profile.  

Cybersecurity experts point out that payroll systems usually host very sensitive identifiers such as bank account details, national insurance numbers, tax information, residential addresses, and compensation records. Even partial data exposure could increase the chances of identity fraud, account takeover attempts, and targeted social engineering attacks by a great degree. In response, JLR has recommended that the affected keep themselves aware of unsolicited communications and enhance passwords related to personal and professional accounts. 

For the sake of mitigation, the company has declared two years of free credit and identity monitoring services for its current and former affected employees. A dedicated helpline is also established for phone support, to assist with queries, advise on protective measures, and take reports of suspected fraudulent activity. This decision by JLR comes after forensic analysis had continued post-restoration of safe production operations. 

The breach has been formally reported to the UK's Information Commissioner's Office (ICO), which has confirmed it is conducting enquiries into the incident. The regulator has asked for more information about the extent of the breach, what security controls were in place at the time of the attack, and what remedial action has been taken since the intrusion was detected. The after-effects of the cyberattack spilled over beyond JLR's workforce. 

The disruption reportedly affected almost 5,000 supplier and partner organizations, reflecting the interconnected nature of modern manufacturing supply chains. Estimates place the overall economic impact of the incident at roughly ₹20,000 crore. Official figures suggest the disruption contributed to a measurable contraction in the UK economy during September 2025. JLR also announced that the attack resulted in the quarterly sales decline of an estimated ₹15,750 crore, along with a one-time recovery and remediation cost of around ₹2,060 crore. 

The costs comprised restoration of systems, security controls enhancement, and incident response. The intrusion, which was earlier claimed by a hacking group named "Scattered Lapsus Hunters" that had earlier been involved with attacks on major retail organizations, has alleged that the organization also accessed customer data. 
However, Jaguar Land Rover claims that evidence supporting those claims has not been found. Investigations are ongoing, and the firm has announced that it will keep informing employees, regulators, and other stakeholders as more information becomes available.
Read more »
Password Security
Compromised Passwords Cyber Security Cyberattacks CyberCrime Data Theft FBI FBI Alert Password Security

FBI Discovers 630 Million Stolen Passwords in Major Cybercrime Investigation

 

A newly disclosed trove of stolen credentials has underscored the scale of modern cybercrime after U.S. federal investigators uncovered hundreds of millions of compromised passwords on devices seized from a single suspected hacker. The dataset, comprising approximately 630 million passwords, has now been integrated into the widely used Have I Been Pwned (HIBP) database, significantly expanding its ability to warn users about exposed credentials. 

The passwords were provided to HIBP by the Federal Bureau of Investigation as part of ongoing cybercrime investigations. According to Troy Hunt, the security researcher behind the service, this latest contribution is particularly striking because it originates from one individual rather than a large breach aggregation. While the FBI has shared compromised credentials with HIBP for several years, the sheer volume associated with this case highlights how centralized and extensive credential theft operations have become. 

Initial analysis suggests the data was collected from a mixture of underground sources, including dark web marketplaces, messaging platforms such as Telegram, and large-scale infostealer malware campaigns. Not all of the passwords were previously unknown, but a meaningful portion had never appeared in public breach repositories. Roughly 7.4% of the dataset represents newly identified compromised passwords, amounting to tens of millions of credentials that were previously undetectable by users relying on breach-monitoring tools. 

Security experts warn that even recycled or older passwords remain highly valuable to attackers. Stolen credentials are frequently reused in credential-stuffing attacks, where automated tools attempt the same password across multiple platforms. Because many users continue to reuse passwords, a single exposed credential can provide access to multiple accounts, amplifying the potential impact of historical data leaks. 

The expanded dataset is now searchable through the Pwned Passwords service, which allows users to check whether a password has appeared in known breach collections. The system is designed to preserve privacy by hashing submitted passwords and ensuring no personally identifiable information is stored or associated with search results. This enables individuals and organizations to proactively block compromised passwords without exposing sensitive data. 

The discovery has renewed calls for stronger credential hygiene across both consumer and enterprise environments. Cybersecurity professionals consistently emphasize that password reuse and weak password creation remain among the most common contributors to account compromise. Password managers are widely recommended as an effective countermeasure, as they allow users to generate and store long, unique passwords for every service without relying on memory. 

In addition to password managers, broader adoption of passkeys and multi-factor authentication is increasingly viewed as essential. These technologies significantly reduce reliance on static passwords and make stolen credential databases far less useful to attackers. Many platforms now support these features, yet adoption remains inconsistent. 

As law enforcement continues to uncover massive credential repositories during cybercrime investigations, experts caution that similar discoveries are likely in the future. Each new dataset reinforces the importance of assuming passwords will eventually be exposed and building defenses accordingly. Regular password audits, automated breach detection, and layered authentication controls are now considered baseline requirements for maintaining digital security.
Read more »
Ransomware
Data Breach Data Theft eCommerce Japan MFA Ransomware

Askul Discloses Scope of Customer Data Theft Following October Ransomware Incident

 



Japanese e-commerce firm Askul Corporation has officially confirmed that a ransomware attack earlier this year led to the unauthorized access and theft of data belonging to nearly 740,000 individuals. The company made the disclosure after completing a detailed investigation into the cyber incident that occurred in October.

Askul operates a large-scale online platform that provides office supplies and logistics services to both corporate clients and individual consumers. The company is part of the Yahoo! Japan corporate group and plays a significant role in Japan’s business-to-business supply chain.

The cyberattack caused serious disruptions to Askul’s internal systems, resulting in an operational shutdown that forced the company to suspend product shipments. This disruption affected a wide range of customers, including major retail partners such as Muji.

Following the conclusion of its internal review, Askul clarified the categories of data that were compromised. According to the company, service-related records of approximately 590,000 business customers were accessed. Data connected to around 132,000 individual customers was also involved. In addition, information related to roughly 15,000 business partners, including outsourcing firms, agents, and suppliers, was exposed. The incident further affected personal data linked to about 2,700 executives and employees, including those from group companies.

Askul stated that it is deliberately limiting the disclosure of specific details related to the stolen data to reduce the risk of further exploitation. The company confirmed that affected customers and business partners will be informed directly through individual notifications.

Regulatory authorities have also been notified. Askul reported the data exposure to Japan’s Personal Information Protection Commission and has implemented long-term monitoring measures to identify and prevent any potential misuse of the compromised information.

System recovery remains ongoing. As of December 15, shipping operations had not fully returned to normal, and the company continues to work toward restoring all affected services.

Responsibility for the attack has been claimed by the ransomware group known as RansomHouse. The group publicly disclosed the breach at the end of October and later released portions of the stolen data in two separate leaks in November and December.

Askul shared limited technical findings regarding how the attackers gained access. The company believes the intrusion began through stolen login credentials associated with an administrator account belonging to an outsourced partner. This account did not have multi-factor authentication enabled, making it easier for attackers to exploit.

After entering the network, the attackers conducted internal reconnaissance, collected additional authentication information, and expanded their access to multiple servers. Askul reported that security defenses, including endpoint detection and response tools, were disabled during the attack. The company also noted that several ransomware variants were deployed, some of which bypassed existing detection mechanisms despite recent updates.

The attack resulted in both data encryption and widespread system failures. The ransomware was executed simultaneously across multiple servers, and backup files were deliberately erased to prevent rapid system recovery.

In response, Askul disconnected affected networks, restricted communication between data centers and logistics facilities, isolated compromised devices, and strengthened endpoint security controls. Multi-factor authentication has since been enforced across critical systems, and all administrator account passwords have been reset.

The financial consequences of the incident have not yet been determined. Askul has postponed its earnings report to allow additional time for a comprehensive assessment of the impact.



Read more »
online privacy concerns
AI Browser Security AI Browsers AI cyberattacks AI technology Cyber Security Data Theft online privacy concerns

AI Browsers Raise Privacy and Security Risks as Prompt Injection Attacks Grow

 

A new wave of competition is stirring in the browser market as companies like OpenAI, Perplexity, and The Browser Company aggressively push to redefine how humans interact with the web. Rather than merely displaying pages, these AI browsers will be engineered to reason, take action independently, and execute tasks on behalf of end users. At least four such products, including ChatGPT's Atlas, Perplexity's Comet, and The Browser Company's Dia, represent a transition reminiscent of the early browser wars, when Netscape and Internet Explorer battled to compete for a role in the shaping of the future of the Internet. 

Whereas the other browsers rely on search results and manual navigation, an AI browser is designed to understand natural language instructions and perform multi-step actions. For instance, a user can ask an AI browser to find a restaurant nearby, compare options, and make a reservation without the user opening the booking page themselves. In this context, the browser has to process both user instructions and the content of each of the webpages it accesses, intertwining decision-making with automation. 

But this capability also creates a serious security risk that's inherent in the way large language models work. AI systems cannot be sure whether a command comes from a trusted user or comes with general text on an untrusted web page. Malicious actors may now inject malicious instructions within webpages, which can include uses of invisible text, HTML comments, and image-based prompts. Unbeknownst to them, that might get processed by an AI browser along with the user's original request-a type of attack now called prompt injection. 

The consequence of such attacks could be dire, since AI browsers are designed to gain access to sensitive data in order to function effectively. Many ask for permission to emails, calendars, contacts, payment information, and browsing histories. If compromised, those very integrations become conduits for data exfiltration. Security researchers have shown just how prompt injections can trick AI browsers into forwarding emails, extracting stored credentials, making unauthorized purchases, or downloading malware without explicit user interaction. One such neat proof-of-concept was that of Perplexity's Comet browser, wherein the researchers had embedded command instructions in a Reddit comment, hidden behind a spoiler tag. When the browser arrived and was asked to summarise the page, it obediently followed the buried commands and tried to scrape email data. The user did nothing more than request a summary; passive interactions indeed are enough to get someone compromised. 

More recently, researchers detailed a method called HashJack, which abuses the way web browsers process URL fragments. Everything that appears after the “#” in a URL never actually makes it to the server of a given website and is only accessible to the browser. An attacker can embed nefarious commands in this fragment, and AI-powered browsers may read and act upon it without the hosting site detecting such commands. Researchers have already demonstrated that this method can make AI browsers show the wrong information, such as incorrect dosages of medication on well-known medical websites. Though vendors are experimenting with mitigations, such as reinforcement learning to detect suspicious prompts or restricting access during logged-out browsing sessions, these remain imperfect. 

The flexibility that makes AI browsers useful also makes them vulnerable. As the technology is still in development, it shows great convenience, but the security risks raise questions of whether fully trustworthy AI browsing is an unsolved problem.
Read more »
Hacker Groups
Cyber Attacks cybercrime gangs CyberSecurity Ransomware Attacks Data protection data security Data Theft Hacker Groups

Rhysida Ransomware Gang Claims Attack on Cleveland County Sheriff’s Office

 

The ransomware gang Rhysida has claimed responsibility for a cyberattack targeting the Cleveland County Sheriff’s Office in Oklahoma. The sheriff’s office publicly confirmed the incident on November 20, stating that parts of its internal systems were affected. However, key details of the breach remain limited as the investigation continues. 

Rhysida claims that sensitive information was extracted during the intrusion and that a ransom of nine bitcoin—about $787,000 at the time of the claim—has been demanded. To support its claim, the group released what it described as sample records taken from the sheriff’s office. The leaked material reportedly includes Social Security cards, criminal background checks, booking documents, court filings, mugshots, and medical information. 

Authorities have not yet confirmed whether the stolen data is authentic or how many individuals may be affected. It also remains unclear how the attackers gained access, whether systems remain compromised, or if the sheriff’s office intends to negotiate with the group. 

In a brief public statement, the agency reported that a “cybersecurity incident” had disrupted its network and that a full investigation was underway. The sheriff’s office emphasized that emergency response and daily law enforcement functions were continuing without interruption. A Facebook post associated with the announcement—later removed—reiterated that 911 services, patrol response, and public safety operations remained operational. County IT teams are still assessing the full extent of the attack. 

Rhysida is a relatively recent but increasingly active ransomware operation, first identified in May 2023. The group operates under a ransomware-as-a-service model, allowing affiliates to deploy its malware in exchange for a share of ransom proceeds. Rhysida’s typical method involves data theft followed by encryption, with the group demanding payment both to delete stolen files and to provide decryption keys. The group has now claimed responsibility for at least 246 ransomware attacks, nearly 100 of which have been confirmed by affected organizations. 

Government agencies continue to be frequent targets. In recent years, Rhysida has claimed attacks on the Maryland Department of Transportation and the Oregon Department of Environmental Quality, although both organizations reported refusing ransom demands. Broader data suggests the trend is escalating, with researchers documenting at least 72 confirmed ransomware attacks on U.S. government entities so far in 2025, affecting nearly 450,000 records. 

The average ransom demand across these incidents is estimated at $1.18 million. The Cleveland County Sheriff’s Office serves approximately 280,000 residents in Oklahoma and has around 200 employees. As the investigation remains active, officials say additional updates will be shared as more information becomes available.
Read more »
Ransomware
Akira Cyber Crime Data Theft it services Ransomware

Virtual Machines on Nutanix AHV now in Akira’s Crosshairs; Enterprises must Close Gaps

 



Security agencies have issued a new warning about the Akira ransomware group after investigators confirmed that the operators have added Nutanix AHV virtual machines to their list of targets. This represents a significant expansion of the group’s capabilities, which had already included attacks on VMware ESXi and Microsoft Hyper-V environments. The update signals that Akira is no longer limiting itself to conventional endpoints or common hypervisors and is now actively pursuing a wider range of virtual infrastructure used in large organisations.

Although Akira was first known for intrusions affecting small and medium businesses across North America, Europe and Australia, the pattern of attacks has changed noticeably over the last year. Incident reports now show that the group is striking much larger companies, particularly those involved in manufacturing, IT services, healthcare operations, banking and financial services, and food-related industries. This shift suggests a strategic move toward high-value victims where disruptions can cause substantial operational impact and increase the pressure to pay ransom demands.

Analysts observing the group’s behaviour note that Akira has not simply created a few new variants. Instead, it has invested considerable effort into developing ransomware that functions across multiple operating systems, including Windows and Linux, and across several virtualisation platforms. Building such wide-reaching capability requires long-term planning, and researchers interpret this as evidence that the group aims to remain active for an extended period.


How attackers get into networks 

Investigations into real-world intrusions show that Akira typically begins by taking advantage of weak points in remote access systems and devices connected to the internet. Many victims used VPN systems that lacked multifactor authentication, making them vulnerable to attackers trying common password combinations or using previously leaked credentials. The group has also exploited publicly known vulnerabilities in networking products from major vendors and in backup platforms that had not been updated with security patches.

In addition to these weaknesses, Akira has used targeted phishing emails, misconfigured Remote Desktop Protocol portals, and exposed SSH interfaces on network routers. In some breaches, compromising a router allowed attackers to tunnel deeper into internal networks and reach critical servers, especially outdated backup systems that had not been maintained.

Once inside, the attackers survey the entire environment. They run commands designed to identify domain controllers and trust relationships between systems, giving them a map of how the network is structured. To avoid being detected, they often use remote-access tools that are normally employed by IT administrators, making their activity harder to differentiate from legitimate work. They also disable security software, create administrator-level user accounts for long-term access, and deploy tools capable of running commands on multiple machines at once.


Data theft and encryption techniques 

Akira uses a double-extortion method. The attackers first locate and collect sensitive corporate information, which they compress and transfer out of the network using well-known tools such as FileZilla, WinRAR, WinSCP or RClone. Some investigations show that this data extraction process can be completed in just a few hours. Once the information has been removed, they launch the ransomware encryptor, which uses modern encryption algorithms that are designed to work quickly and efficiently. Over time, the group has changed the file extensions that appear after encryption and has modified the names and placement of ransom notes. The ransomware also removes Windows shadow copies to block easy recovery options.


Why the threat continues to succeed 

Cybersecurity experts point out that Akira benefits from long-standing issues that many organisations fail to address. Network appliances, remote access devices, and backup servers often remain unpatched for months, giving attackers opportunities to exploit vulnerabilities that should have been resolved. These overlooked systems create gaps that remain unnoticed until an intrusion is already underway.


How organisations can strengthen defences 

While applying patches, enabling multifactor authentication, and keeping offline backups remain essential, the recent wave of incidents shows that more comprehensive measures are necessary. Specialists recommend dividing networks into smaller segments to limit lateral movement, monitoring administrator-level activity closely, and extending security controls to backup systems and virtualisation consoles. Organisations should also conduct complete ransomware readiness exercises that include not only technical recovery procedures but also legal considerations, communication strategies, and preparations for potential data leaks.

Security researchers emphasise that companies must approach defence with the same mindset attackers use to find vulnerabilities. Identifying weaknesses before adversaries exploit them can make the difference between a minor disruption and a large-scale crisis.



Read more »
Spyware
Android Security Data Theft malware Payment Faud Spyware

Android Malware Hits 42 Million Downloads, Risking Mobile Payments

 

Android malware is surging globally, with attackers increasingly targeting mobile payments and IoT devices, exposing critical vulnerabilities in systems heavily relied upon for communication, work, and financial activity. 

Recent findings from Zscaler indicate that 239 malicious Android apps were discovered on Google Play, amassing a staggering 42 million downloads, mainly by users seeking productivity and workflow solutions trusted in hybrid work settings. This reflects a pronounced shift away from traditional card-based fraud toward abuse of mobile payment channels using various social engineering tactics—such as phishing, smishing, and SIM-swapping.

Mobile compromise incidents are escalating rapidly, highlighted by a 67% year-over-year spike in Android malware transactions. Spyware, banking trojans, and adware are the dominant threats, with adware constituting 69% of all malware detections, indicating evolving monetization strategies among cybercriminals while the notorious 'Joker' family has sharply declined to only 23% of activity. The report outlines a trend of attackers focusing on high-value sectors, with the energy industry experiencing a dramatic 387% increase in attack attempts compared to the previous year.

IoT environments remain highly vulnerable, particularly in manufacturing and transportation, which saw over 40% of IoT-related malware activity. IoT attacks are primarily driven by botnet malware families such as Mirai, Mozi, and Gafgyt—collectively responsible for about 75% of observed malicious payloads within this space. Routers, in particular, are heavily targeted, making up 75% of all IoT attacks, as attackers use them for botnet building and proxy networks.

Geographically, India is the prime target for mobile malware, receiving 26% of analyzed attacks, followed by the United States (15%) and Canada (14%). In IoT, the United States is most affected, seeing 54.1% of all malicious traffic. Certain threats like the Android Void backdoor have infected at least 1.6 million Android TV boxes, mostly in India and Brazil, exposing the dangers linked to widespread use of inexpensive devices and outdated software. Malware families like Anatsa and Xnotice continue to refine tactics for financial theft and regional targeting.

To defend against these threats, experts recommend maintaining regularly updated devices, using reputable antivirus apps, enabling ransomware protection, limiting unnecessary app installations, scrutinizing permissions, running frequent malware scans, and utilizing Google Play Protect. The article stresses the need for a "zero trust everywhere" approach combined with AI-driven threat detection to counter the evolving cyber landscape.
Read more »
Vidar
cyber attack Cyber Security Data Theft Vidar

New Vidar Variant Uses API Hooking to Steal Data Before Encryption

 

A recent investigation by Aryaka Threat Research Labs has revealed a new version of the Vidar infostealer that demonstrates how cybercriminals are refining existing malware to make it more discreet and effective. Vidar, which has circulated for years through malware-as-a-service platforms, is known for its modular structure that allows operators to customize attacks easily. 

The latest strain introduces a significant upgrade: the ability to intercept sensitive information directly through API hooking. 

This method lets the malware capture credentials, authentication tokens, and encryption keys from Windows systems at the precise moment they are accessed by legitimate applications, before they are encrypted or secured. 

By hooking into cryptographic functions such as CryptProtectMemory, Vidar injects its own code into running processes to momentarily divert execution and extract unprotected data before resuming normal operations. 

This process enables it to gather plaintext credentials silently from memory, avoiding noisy file activity that would typically trigger detection. Once harvested, the stolen data which includes browser passwords, cookies, payment information, cryptocurrency wallets, and two-factor tokens is compressed and sent through encrypted network channels that mimic legitimate internet traffic. 

The malware also maintains persistence by using scheduled tasks, PowerShell loaders, and randomized installation paths, while employing in-memory execution to reduce forensic traces. 

These refinements make it harder for traditional antivirus or behavioral tools to identify its presence. The evolution of Vidar highlights the need for defenders to rethink detection strategies that depend solely on file signatures or activity volume. 

Security teams are encouraged to implement Zero Trust principles, monitor API calls for evidence of hooking, and apply runtime integrity checks to detect tampering within active processes. Using endpoint detection and response tools that analyze process behavior and adopting memory-safe programming practices can further strengthen protection. 

Experts warn that Vidar’s development may continue toward more advanced capabilities, including kernel-level hooking, fileless operations, and AI-based targeting that prioritizes valuable data depending on the victim’s environment. 

The findings reflect a broader shift in cybercrime tactics, where minor technical improvements have a major impact on stealth and efficiency. Defending against such threats requires a multi-layered security approach that focuses on process integrity, vigilant monitoring, and consistent patch management.
Read more »
Ransomware attack
Data Breach Data Theft DCS J Group Ransomware attack

Ransomware Gang Claims Boeing, Samsung Supplier Breach in 11GB Data Theft

 

A ransomware group named J GROUP claims to have breached Dimensional Control Systems (DCS), stealing 11GB of sensitive data, including proprietary software architecture, client metadata, and internal security procedures. 

DCS, a Michigan-based provider of dimensional engineering software, serves major clients such as Boeing, Samsung, Siemens, and Volkswagen across aerospace, automotive, and electronics sectors.

Alleged data exposure

J GROUP published sample files on its leak site to substantiate the attack, comprising a text file and a compressed folder containing documents with employee names and expense reports. Cybernews researchers analyzed the samples but could not verify their authenticity, cautioning that cybercriminals often reuse data from past breaches to falsely support new extortion claims.

Company response and risks

As of the report, DCS has neither confirmed nor denied the breach, maintaining public silence. Local media outlets in Michigan contacted the company for comment but received no response. 

If the breach is confirmed, it could lead to severe consequences, including intellectual property theft, supply chain vulnerabilities, exposure of client data, and regulatory repercussions. The incident may also damage DCS’s reputation, eroding client trust and questioning its technical and security reliability.

Rising threat 

This incident aligns with a growing trend of ransomware attacks targeting third-party vendors to access high-value industrial clients. Previous attacks on firms like Nissan and Dell highlight similar tactics, where threat actors exploit service providers to infiltrate larger organizations. 

The alleged breach underscores the need for stringent cybersecurity measures across extended supply chains, particularly in manufacturing and engineering sectors reliant on specialized software. 

Organizations are urged to audit vendor security protocols and enhance monitoring for early threat detection. The situation remains ongoing, with no official statement from DCS as of publication.
Read more »
harrods
cyber attack cyberattack news Data Breach Data Theft harrods

Harrods Confirms Data Breach Exposing 430,000 Customer Records

 

Luxury retailer Harrods has confirmed a new data breach that exposed the personal details of around 430,000 e-commerce customers after hackers compromised one of its third-party suppliers. 

The company clarified that this incident is separate from the cyberattack it faced in May, which was attributed to the hacker group Scattered Spider. 

In a statement to publications, Harrods said it informed affected customers on Friday that their personal details, including names and contact information, were accessed following a breach at a third-party provider. 

The retailer did not disclose the name of the compromised vendor but said it has taken immediate steps to contain the situation and alert authorities. The company reassured customers that the leaked data does not include passwords, payment details, or purchase histories. 

However, some customer records contained internal tags and marketing labels used by Harrods for service management. These labels may reference customer tier levels or affiliations with Harrods’ co-branded credit cards, though the company said such information would be difficult for unauthorised parties to interpret accurately. 

Cybersecurity experts have linked the breach to a wider supply chain attack that affected multiple companies globally over the summer. The incident, believed to involve the Salesloft platform, saw hackers use stolen OAuth tokens to access Salesforce systems and extract customer data. 

Harrods also confirmed that the threat actor behind the latest breach had reached out to the company directly, apparently seeking extortion. 

The retailer stated it would not engage in any communication or negotiation with the attacker. Authorities and cybersecurity professionals have been notified, and Harrods said it continues to work closely with them to ensure customer protection and prevent future incidents. 

The company has also advised customers to remain alert to phishing attempts and avoid clicking on links or sharing information with unknown sources. 

Despite the breach, Harrods’ online services remain operational. The company said it remains committed to maintaining the trust of its customers and strengthening its digital security systems to safeguard sensitive information.
Read more »
Red Hat
Cyberattacks Data Breach Data Theft Red Hat

Red Hat Confirms Breach of GitLab Instance Linked to Consulting Team

 

Red Hat has acknowledged a cybersecurity incident involving one of its GitLab instances after a hacker group calling itself Crimson Collective claimed to have stolen a significant amount of company data. 

The enterprise software provider clarified that the breach did not affect its GitHub repositories, as initially reported, but rather a GitLab instance used internally by its Consulting division. 

According to the attackers, they obtained around 570 GB of compressed data from roughly 28,000 private repositories, which allegedly contained source code, credentials, configuration files, and customer engagement reports (CERs). 

The group also asserted that the stolen information gave them access to customer systems. Reports indicate that the hackers attempted to extort Red Hat, but the company did not comply. 

Sources told International Cyber Digest that Red Hat had minimal contact with the threat actors and refused to meet their demands. A separate analysis by SOCRadar suggested that data from as many as 800 Red Hat customers could have been exposed. 

The list of potentially affected entities reportedly includes large corporations such as IBM, Siemens, Verizon, and Bosch, as well as several U.S. government bodies, including the Department of Energy, NIST, and the NSA. 

In a blog post addressing the incident, Red Hat explained that the compromised GitLab system was used mainly for collaborative consulting work and contained materials such as sample code, project details, and internal communications. 

The company emphasised that the instance does not usually store personal or highly confidential information and that no evidence of sensitive data exposure has been found so far. 

“At this time, we have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain,” Red Hat said in a statement shared with SecurityWeek. 

While Red Hat has not directly addressed claims that customer infrastructure was accessed, cybersecurity experts note that ransomware and extortion groups often exaggerate such assertions to increase pressure on victims. 

The company has confirmed that an internal investigation is ongoing to assess the full extent of the breach and strengthen its systems against future threats.
Read more »
State-Sponsored Espionage
AI Misuse Cybersecurity Data Theft Deepfake Attacks Generative AI Kimsuky malware North Korean Hackers Phishing Campaigns State-Sponsored Espionage

North Korean Threat Actors Leverage ChatGPT in Deepfake Identity Scheme


North Korean hackers Kimsuky are using ChatGPT to create convincing deepfake South Korean military identification cards in a troubling instance of how artificial intelligence can be weaponised in state-backed cyber warfare, indicating that artificial intelligence is becoming increasingly useful in cyber warfare. 

As part of their cyber-espionage campaign, the group used falsified documents embedded in phishing emails targeting defence institutions and individuals, adding an additional layer of credibility to their espionage activities. 

A series of attacks aimed at deceiving recipients, delivering malicious software, and exfiltrating sensitive data were made more effective by the use of AI-generated IDs. Security monitors have categorised this incident as an AI-related hazard, indicating that by using ChatGPT for the wrong purpose, the breach of confidential information and the violation of personal rights directly caused harm. 

Using generative AI is becoming increasingly common in sophisticated state-sponsored operations. The case highlights the growing concerns about the use of generative AI in sophisticated operations. As a result of the combination of deepfake technology and phishing tactics, these attacks are harder to detect and much more damaging. 

Palo Alto Networks' Unit 42 has observed a disturbing increase in the use of real-time deepfakes for job interviews, in which candidates disguise their true identities from potential employers using this technology. In their view, the deepfake tactic is alarmingly accessible because it can be done in a matter of hours, with just minimal technical know-how, and with inexpensive consumer-grade hardware, so it is alarmingly accessible and easy to implement. 

The investigation was prompted by a report that was published in the Pragmatic Engineer newsletter that described how two fake applicants who were almost hired by a Polish artificial intelligence company raised suspicions that the candidates were being controlled by the same individual as deepfake personas. 

As a result of Unit 42’s analysis, these practices represent a logical progression from a long-standing North Korean cyber threat scheme, one in which North Korean IT operatives attempt to infiltrate organisations under false pretences, a strategy well documented in previous cyber threat reports. 

It has been repeatedly alleged that the hacking group known as Kimsuky, which operated under the direction of the North Korean state, was involved in espionage operations against South Korean targets for many years. In a 2020 advisory issued by the U.S. Department of Homeland Security, it was suggested that this group might be responsible for obtaining global intelligence on Pyongyang's behalf. 

Recent research from a South Korean security firm called Genians illustrates how artificial intelligence is increasingly augmented into such operations. There was a report published in July about North Korean actors manipulating ChatGPT to create fake ID cards, while further experiments revealed that simple prompt adjustments could be made to override the platform's built-in limitations by North Korean actors. 

 It follows a pattern that a lot of people have experienced in the past: Anthropic disclosed in August that its Claude Code software was misused by North Korean operatives to create sophisticated fake personas, pass coding assessments, and secure remote positions at multinational companies. 

In February, OpenAI confirmed that it had suspended accounts tied to North Korea for generating fraudulent resumes, cover letters, and social media content intended to assist with recruitment efforts. These activities, according to Genians director Mun Chong-hyun, highlight the growing role AI has in the development and execution of cyber operations at many stages, from the creation of attack scenarios, the development of malware, as well as the impersonation of recruiters and targets. 

A phishing campaign impersonating an official South Korean military account (.mil.kr) has been launched in an attempt to compromise journalists, researchers, and human rights activists within this latest campaign. To date, it has been unclear how extensive the breach was or to what extent the hackers prevented it. 

Officially, the United States assert that such cyber activities are a part of a larger North Korea strategy, along with cryptocurrency theft and IT contracting schemes, that seeks to provide intelligence as well as generate revenue to circumvent sanctions and fund the nuclear weapons program of the country. 

According to Washington and its allies, Kimsuky, also known as APT43, a North Korean state-backed cyber unit that is suspected of being responsible for the July campaign, was already sanctioned by Washington and its allies for its role in promoting Pyongyang's foreign policy and sanction evasion. 

It was reported by researchers at South Korean cybersecurity firm Genians that the group used ChatGPT to create samples of government and military identification cards, which they then incorporated into phishing emails disguised as official correspondence from a South Korean defense agency that managed ID services, which was then used as phishing emails. 

Besides delivering a fraudulent ID card with these messages, they also delivered malware designed to steal data as well as allow remote access to compromised systems. It has been confirmed by data analysis that these counterfeit IDs were created using ChatGPT, despite the tool's safeguards against replicating government documents, indicating that the attackers misinterpreted the prompts by presenting them as mock-up designs. 

There is no doubt that Kimsuky has introduced deepfake technology into its operations in such a way that this is a clear indication that this is a significant step toward making convincing forgeries easier by using generative AI, which significantly lowers the barrier to creating them. 

It is known that Kimsuky has been active since at least 2012, with a focus on government officials, academics, think tanks, journalists, and activists in South Korea, Japan, the United States, Europe, and Russia, as well as those affected by North Korea's policy and human rights issues. 

As research has shown, the regime is highly reliant on artificial intelligence to create fake summaries and online personas. This enables North Korean IT operatives to secure overseas employment as well as perform technical tasks once they are embedded. There is no doubt that such operatives are using a variety of deceptive practices to obscure their origins and evade detection, including artificial intelligence-powered identity fabrication and collaboration with foreign intermediaries. 

The South Korean foreign ministry has endorsed that claim. It is becoming more and more evident that generative AI is increasingly being used in cyber-espionage, which poses a major challenge for global cybersecurity frameworks: assisting citizens in identifying and protecting themselves against threats not solely based on technical sophistication but based on trust. 

Although platforms like ChatGPT and other large language models may have guardrails in place to protect them from attacks, experts warn that adversaries will continue to seek out weaknesses in the systems and adapt their tactics through prompt manipulation, social engineering, and deepfake augmentation in an effort to defeat the system. 

Kimsuky is an excellent example of how disruptive technologies such as artificial intelligence and cybercrime erode traditional detection methods, as counterfeit identities, forged credentials, and distorted personas blur the line between legitimate interaction and malicious deception, as a result of artificial intelligence and cybercrime. 

The security experts are urging the public to take action by using a multi-layered approach that combines AI-driven detection tools, robust digital identity verification, cross-border intelligence sharing, and better awareness within targeted sectors such as defence, academia, and human rights industries. 

Developing AI technologies together with governments and private enterprises will be critical to ensuring they are harnessed responsibly while minimising misuse of these technologies. It is clear from this campaign that as adversaries continue to use artificial intelligence to sharpen their attacks, defenders must adapt just as fast to maintain trust, privacy, and global security as they do against adversaries.
Read more »
Sim Cloning
Aadhaar Scam Amroha Cyber Crime Data Theft Sim Cloning

SIM Cloning and Aadhaar Data Theft Expose Massive Cyber Heist in Amroha

 

A sophisticated cyber heist in Amroha, Uttar Pradesh, has exposed critical vulnerabilities in India's Aadhaar biometric identification system, where cybercriminals successfully cloned SIM cards and stole biometric data from over 1,500 citizens across 12 states. This elaborate fraud network, operating primarily from Badaun and Amroha districts, represents one of the most significant identity theft operations uncovered in recent years.

The criminal enterprise was masterminded by Ashish Kumar, a BTech dropout, who developed sophisticated counterfeit websites that closely resembled official Aadhaar and Passport Seva portals. These fake platforms enabled the gang to input fraudulent data and generate forged documents, including passports, with access sold to a network of 200 to 300 agents spread across multiple states.

The cybercriminals employed advanced technical methods to bypass UIDAI security systems, including cloning credentials of authorized Aadhaar operators and copying sensitive biometrics like iris scans. They utilized specialized software to overcome geo-fencing restrictions that normally prevent remote access to Aadhaar portals, allowing them to upload tampered biometric data from unauthorized locations. 

A key component of their operation involved manipulating fingerprint scanners to accept silicone-molded fingerprints created from impressions collected from legitimate operators and vulnerable individuals, many from underprivileged backgrounds. These altered scanners successfully fooled the system's biometric authentication, bypassing Aadhaar's real-time security locks. 

The fraud network charged clients between ₹2,000 and ₹5,000 for illegally updating personal details such as names, birth dates, addresses, or mobile numbers on Aadhaar cards. The operation extended beyond Aadhaar manipulation to include creating fake birth certificates and ration cards to support fraudulent identity changes. 

Following stricter verification protocols introduced in December 2024, the gang adapted their tactics, using forged documents on third-party platforms to create over 20 fake passports, several of which were successfully uploaded into the UIDAI system. Investigators recovered at least 400 forged supporting documents during the investigation.

The joint cyber team, supervised by SP Sambhal Krishna Kumar Bishnoi and ASP Anukriti Sharma, arrested four key players: Ashish Kumar, Dharmender Singh, and Raunak Pal from Badaun, and Kasim Hussain from Amroha. All accused face charges under the Aadhaar Act, Information Technology Act, and Passport Act for identity theft, cheating, and unauthorized access to protected systems. 

This case highlights significant security gaps in India's digital identity infrastructure and the sophisticated methods employed by cybercriminals to exploit biometric authentication systems.
Read more »
Phishing Attack
Browser Security Browser Vulnerability Cyber Attacks cybercriminals data attacks data security Data Theft Phishing Attack

Browser-Based Attacks in 2025: Key Threats Security Teams Must Address

 

In 2025, the browser has become one of the primary battlefields for cybercriminals. Once considered a simple access point to the internet, it now serves as the main gateway for employees into critical business applications and sensitive data. This shift has drawn attackers to target browsers directly, exploiting them as the weakest link in a highly connected and decentralized work environment. With enterprises relying heavily on SaaS platforms, online collaboration tools, and cloud applications, the browser has transformed into the focal point of modern cyberattacks, and security teams must rethink their defenses to stay ahead. 

The reason attackers focus on browsers is not because of the technology itself, but because of what lies beyond them. When a user logs into a SaaS tool, an ERP system, or a customer database, the browser acts as the entryway. Incidents such as the Snowflake customer data breach and ongoing attacks against Salesforce users demonstrate that attackers no longer need to compromise entire networks; they simply exploit the session and gain direct access to enterprise assets. 

Phishing remains one of the most common browser-driven threats, but it has grown increasingly sophisticated. Attackers now rely on advanced Attacker-in-the-Middle kits that steal not only passwords but also active sessions, rendering multi-factor authentication useless. These phishing campaigns are often cloaked with obfuscation and hosted on legitimate SaaS infrastructure, making them difficult to detect. In other cases, attackers deliver malicious code through deceptive mechanisms such as ClickFix, which disguises harmful commands as verification prompts. Variants like FileFix are spreading across both Windows and macOS, frequently planting infostealer malware designed to harvest credentials and session cookies. 

Another growing risk comes from malicious OAuth integrations, where attackers trick users into approving third-party applications that secretly provide them with access to corporate systems. This method proved devastating in recent Salesforce-related breaches, where hackers bypassed strong authentication and gained long-term access to enterprise environments. Similarly, compromised or fraudulent browser extensions represent a silent but dangerous threat. These can capture login details, hijack sessions, or inject malicious scripts, as highlighted in the Cyberhaven incident in late 2024. 

File downloads remain another effective attack vector. Malware-laced documents, often hidden behind phishing portals, continue to slip past traditional defenses. Meanwhile, stolen credentials still fuel account takeovers in cases where multi-factor authentication is weak, absent, or improperly enforced. Attackers exploit these gaps using ghost logins and bypass techniques, highlighting the need for real-time browser-level monitoring. 

As attackers increasingly exploit the browser as a central point of entry, organizations must prioritize visibility and control at this layer. By strengthening browser security, enterprises can reduce identity exposure, close MFA gaps, and limit the risks of phishing, malware delivery, and unauthorized access. The browser has become the new endpoint of enterprise defense, and protecting it is no longer optional.
Read more »
Zscaler
Cybersecurity Attack Data Breach Data Theft trending news Zscaler

Zscaler Confirms Data Breach Linked to Salesloft Drift Supply-Chain Attack

 

Cybersecurity firm Zscaler has revealed it suffered a data breach after attackers exploited a compromise in Salesloft Drift, an AI-driven Salesforce integration tool. The incident is part of a larger supply-chain attack in which stolen OAuth and refresh tokens were leveraged to gain unauthorized access to Salesforce environments across multiple organizations. 

Zscaler confirmed that its Salesforce instance was one of the targets, resulting in the exposure of sensitive customer details. According to the company, the information accessed by threat actors included customer names, job titles, business email addresses, phone numbers, and geographic details. In addition, data related to Zscaler product licensing, commercial agreements, and content from certain support cases was also stolen. 

While Zscaler has not disclosed the number of affected customers, it emphasized that the breach was limited to its Salesforce system and did not compromise any of its products, services, or underlying infrastructure. 

The company stated that the unauthorized data access primarily took place between August 13 and 16, 2025, with some attempts occurring earlier. Although Zscaler has not detected any misuse of the stolen data, it has urged its customers to remain cautious of phishing emails and social engineering campaigns that could exploit the compromised information. 

In response to the incident, Zscaler has taken several steps to mitigate risks, including revoking all Salesloft Drift integrations with Salesforce, rotating API tokens across its systems, and implementing stricter customer authentication protocols when handling support requests. 

An internal investigation into the full scope of the breach is ongoing. The attack has been linked to a campaign attributed to the threat group UNC6395, which was previously flagged by Google Threat Intelligence. This group is believed to have targeted Salesforce support cases to collect highly sensitive credentials such as AWS access keys, passwords, and Snowflake tokens. 

Google researchers also noted that the attackers attempted to cover their tracks by deleting query jobs, although audit logs remained available for review. The compromise of Salesloft Drift has had wide-reaching consequences across the SaaS ecosystem, impacting companies including Google, Cisco, Workday, Adidas, Qantas, Allianz Life, and LVMH subsidiaries. 

In many of these cases, attackers used vishing tactics to trick employees into authorizing malicious OAuth applications, enabling large-scale data theft later exploited in extortion schemes. 

Both Google and Salesforce have since suspended their Drift integrations while investigations continue. Security experts warn that this incident highlights the growing risks of supply-chain attacks and the urgent need for stronger oversight of third-party integrations.
Read more »
Personal Information
Dark Web Data Breach data security Data Theft Discord Discord Users leaked sensitive data personal data security Personal Information

Nearly Two Billion Discord Messages Scraped and Sold on Dark Web Forums

 

Security experts have raised alarms after discovering that a massive collection of Discord data is being offered for sale on underground forums. According to researchers at Cybernews, who reviewed the advertisement, the archive reportedly contains close to two billion messages scraped from the platform, alongside additional sensitive information. The dataset allegedly includes 1.8 billion chat messages, records of 35 million users, 207 million voice sessions, and data from 6,000 servers, all available to anyone willing to pay. 

Discord, a platform widely used for gaming, social communities, and professional groups, enables users to connect via text, voice, and video across servers organized around different interests. Many of these servers are open to the public, meaning their content—including usernames, conversations, and community activity—can be accessed by anyone who joins. While much of this information is publicly visible, the large-scale automated scraping of data still violates Discord’s Terms of Service and could potentially breach data protection regulations such as the EU’s General Data Protection Regulation (GDPR) or California’s Consumer Privacy Act (CCPA).

The true sensitivity of the dataset remains unclear, as no full forensic analysis has been conducted. It is possible that a significant portion of the messages and voice records were collected from publicly accessible servers, which would reduce—but not eliminate—the privacy concerns. However, the act of compiling, distributing, and selling this information at scale introduces new risks, such as the misuse of user data for surveillance, targeted phishing, or identity exploitation. 

Discord has faced similar challenges before. In April 2024, a service known as Spy.Pet attempted to sell billions of archived chat logs from the platform. That operation was swiftly shut down by Discord, which banned the associated accounts and confirmed that the activity violated its rules. At the time, the company emphasized that automated scraping and self-botting were not permitted under its Terms of Service and stated it was exploring possible legal action against offenders. 

The recurrence of large-scale scraping attempts highlights the ongoing tension between the open nature of platforms like Discord and the privacy expectations of their users. While public servers are designed for accessibility and community growth, they can also be exploited by malicious actors seeking to harvest data en masse. Even if the information being sold in the latest case is largely public, the potential to cross-reference user activity across communities raises broader concerns about surveillance and abuse. 

As of now, Discord has not issued an official statement on this latest incident, but based on previous responses, it is likely the company will take steps to disrupt the sale and enforce its policies against scraping. The incident serves as another reminder that users on open platforms should remain mindful of the visibility of their activity and that service providers must continue to balance openness with strong protections against data misuse.
Read more »
Passkeys
browser extensions Browser Security Cyber Security data security Data Theft Malicious Browser Extension Passkey Security Passkeys

SquareX Warns Browser Extensions Can Steal Passkeys Despite Phishing-Resistant Security

 

The technology industry has long promoted passkeys as a safer, phishing-resistant alternative to passwords. Major firms such as Microsoft, Google, Amazon, and Meta are encouraging users to abandon traditional login methods in favor of this approach, which ties account security directly to a device. In theory, passkeys make it almost impossible for attackers to gain access without physically having an unlocked device. However, new research suggests that this system may not be as unbreakable as promised. 

Cybersecurity firm SquareX has demonstrated that browser-based attacks can undermine the integrity of passkeys. According to the research team, malicious extensions or injected scripts are capable of manipulating the passkey setup and login process. By hijacking this step, attackers can trick users into registering credentials controlled by the attacker, undermining the entire security model. SquareX argues that this development challenges the belief that passkeys cannot be stolen, calling the finding an important “wake-up call” for the security community. 

The proof-of-concept exploit works by taking advantage of the fact that browsers act as the intermediary during passkey creation and authentication. Both the user’s device and the online service must rely on the browser to transmit authentication requests accurately. If the browser environment is compromised, attackers can intercept WebAuthn calls and replace them with their own code. SquareX researchers demonstrated how a seemingly harmless extension could activate during a passkey registration process, generate a new attacker-controlled key pair, and secretly send a copy of the private key to an external server. Although the private key remains on the victim’s device, the duplicate allows the attacker to authenticate into the victim’s accounts elsewhere. 

This type of attack could also be refined to sabotage existing passkeys and force users into creating new ones, which are then stolen during setup. SquareX co-founder Vivek Ramachandran explained that although enterprises are adopting passkeys at scale, many organizations lack a full understanding of how the underlying mechanisms work. He emphasized that even the FIDO Alliance, which develops authentication standards, acknowledges that passkeys require a trusted environment to remain secure. Without ensuring that browsers are part of that trusted environment, enterprise users may remain vulnerable to identity-based attacks. 

The finding highlights a larger issue with browser extensions, which remain one of the least regulated parts of the internet ecosystem. Security professionals have long warned that extensions can be malicious from the outset or hijacked after installation, providing attackers with direct access to sensitive browser activity. Because an overwhelming majority of users rely on add-ons in Chrome, Edge, and other browsers, the potential for exploitation is significant. 

SquareX’s warning comes at a time when passkey adoption is accelerating rapidly, with estimates suggesting more than 15 billion passkeys are already in use worldwide. The company stresses that despite their benefits, passkeys are not immune to the same types of threats that have plagued passwords and authentication codes for decades. As the technology matures, both enterprises and individual users are urged to remain cautious, limit browser extensions to trusted sources, and review installed add-ons regularly to minimize exposure.
Read more »
Ransom Demands
Azure Cloud Cloud Attacks Cloud Security Cyber Security Data Theft Microsoft Microsoft Azure Ransom Demands

Microsoft Warns Storm-0501 Shifts to Cloud-Based Encryption, Data Theft, and Extortion

 

Microsoft has issued a warning about Storm-0501, a threat actor that has significantly evolved its tactics, moving away from traditional ransomware encryption on devices to targeting cloud environments for data theft, extortion, and cloud-based encryption. Instead of relying on conventional ransomware payloads, the group now abuses native cloud features to exfiltrate information, delete backups, and cripple storage systems, applying pressure on victims to pay without deploying malware in the traditional sense. 

Storm-0501 has been active since at least 2021, when it first used the Sabbath ransomware in attacks on organizations across multiple industries. Over time, it adopted ransomware-as-a-service (RaaS) tools, deploying encryptors from groups such as Hive, BlackCat (ALPHV), Hunters International, LockBit, and most recently, Embargo ransomware. In September 2024, Microsoft revealed that the group was expanding into hybrid cloud environments, compromising Active Directory and pivoting into Entra ID tenants. During those intrusions, attackers established persistence with malicious federated domains or encrypted on-premises devices with ransomware like Embargo. 

In its latest report, Microsoft highlights that Storm-0501 is now conducting attacks entirely in the cloud. Unlike conventional ransomware campaigns that spread malware across endpoints and then negotiate for decryption, the new approach leverages cloud-native tools to quickly exfiltrate large volumes of data, wipe storage backups, and encrypt files within the cloud itself. This strategy both accelerates the attack and reduces reliance on detectable malware deployment, making it more difficult for defenders to identify the threat in time. 

Recent cases show the group compromising multiple Active Directory domains and Entra tenants by exploiting weaknesses in Microsoft Defender configurations. Using stolen Directory Synchronization Accounts, Storm-0501 enumerated roles, users, and Azure resources with reconnaissance tools such as AzureHound. The attackers then identified a Global Administrator account without multifactor authentication, reset its password, and seized administrative control. With these elevated privileges, they maintained persistence by adding their own federated domains, which allowed them to impersonate users and bypass MFA entirely. 

From there, the attackers escalated further inside Azure by abusing the Microsoft.Authorization/elevateAccess/action capability, granting themselves Owner-level roles and taking complete control of the target’s cloud infrastructure. Once entrenched, they began disabling defenses and siphoning sensitive data from Azure Storage accounts. In many cases, they attempted to delete snapshots, restore points, Recovery Services vaults, and even entire storage accounts to prevent recovery. When these deletions failed, they created new Key Vaults and customer-managed keys to encrypt the data, effectively locking companies out unless a ransom was paid. 

The final stage of the attack involved contacting victims directly through Microsoft Teams accounts that had already been compromised, delivering ransom notes and threats. Microsoft warns that this shift illustrates how ransomware operations may increasingly migrate away from on-premises encryption as defenses improve, moving instead toward cloud-native extortion techniques. The report also includes guidance for detection, including Microsoft Defender XDR hunting queries, to help organizations identify the tactics used by Storm-0501.
Read more »
Open Source
Brute-force attack Credential stealing Data Breach data security Data Theft Golang Malicious Bots Open Source

Malicious Go Package Disguised as SSH Tool Steals Credentials via Telegram

 

Researchers have uncovered a malicious Go package disguised as an SSH brute-force tool that secretly collects and transmits stolen credentials to an attacker-controlled Telegram bot. The package, named golang-random-ip-ssh-bruteforce, first appeared on June 24, 2022, and was linked to a developer under the alias IllDieAnyway. Although the GitHub profile tied to this account has since been removed, the package is still accessible through Go’s official registry, raising concerns about supply chain security risks for developers who might unknowingly use it. 

The module is designed to scan random IPv4 addresses in search of SSH services operating on TCP port 22. Once it detects a running service, it attempts brute-force login using only two usernames, “root” and “admin,” combined with a list of weak and commonly used passwords. These include phrases such as “root,” “test,” “password,” “admin,” “12345678,” “1234,” “qwerty,” “webadmin,” “webmaster,” “techsupport,” “letmein,” and “Passw@rd.” If login succeeds, the malware immediately exfiltrates the target server’s IP address, username, and password through Telegram’s API to a bot called @sshZXC_bot, which forwards the stolen information to a user identified as @io_ping. Since Telegram communications are encrypted via HTTPS, the credential theft blends into ordinary web traffic, making detection much more difficult. 

The design of the tool helps it remain stealthy while maximizing efficiency. To bypass host identity checks, the module disables SSH host key verification by setting ssh.InsecureIgnoreHostKey as its callback. It continuously generates IPv4 addresses while attempting concurrent logins in an endless loop, increasing the chances of finding vulnerable servers. Interestingly, once it captures valid credentials for the first time, the malware terminates itself. This tactic minimizes its exposure, helping it avoid detection by defenders monitoring for sustained brute-force activity. 

Archival evidence suggests that the creator of this package has been active in the underground hacking community for years. Records link the developer to the release of multiple offensive tools, including an IP port scanner, an Instagram parser, and Selica-C2, a PHP-based botnet for command-and-control operations. Associated videos show tutorials on exploiting Telegram bots and launching SMS bomber attacks on Russian platforms. Analysts believe the attacker is likely of Russian origin, based on the language, platforms, and content of their activity. 

Security researchers warn that this Trojanized Go module represents a clear supply chain risk. Developers who unknowingly integrate it into their projects could unintentionally expose sensitive credentials to attackers, since the exfiltration traffic is hidden within legitimate encrypted HTTPS connections. This case underscores the growing threat of malicious open-source packages being planted in widely used ecosystems, where unsuspecting developers become conduits for large-scale credential theft.
Read more »
images
Adversarial attacks AI tools algorithms Data Breach Data Theft images

How Image Resizing Could Expose AI Systems to Attacks



Security experts have identified a new kind of cyber attack that hides instructions inside ordinary pictures. These commands do not appear in the full image but become visible only when the photo is automatically resized by artificial intelligence (AI) systems.

The attack works by adjusting specific pixels in a large picture. To the human eye, the image looks normal. But once an AI platform scales it down, those tiny adjustments blend together into readable text. If the system interprets that text as a command, it may carry out harmful actions without the user’s consent.

Researchers tested this method on several AI tools, including interfaces that connect with services like calendars and emails. In one demonstration, a seemingly harmless image was uploaded to an AI command-line tool. Because the tool automatically approved external requests, the hidden message forced it to send calendar data to an attacker’s email account.

The root of the problem lies in how computers shrink images. When reducing a picture, algorithms merge many pixels into fewer ones. Popular methods include nearest neighbor, bilinear, and bicubic interpolation. Each creates different patterns when compressing images. Attackers can take advantage of these predictable patterns by designing images that reveal commands only after scaling.

To prove this, the researchers released Anamorpher, an open-source tool that generates such images. The tool can tailor pictures for different scaling methods and software libraries like TensorFlow, OpenCV, PyTorch, or Pillow. By hiding adjustments in dark parts of an image, attackers can make subtle brightness shifts that only show up when downscaled, turning backgrounds into letters or symbols.

Mobile phones and edge devices are at particular risk. These systems often force images into fixed sizes and rely on compression to save processing power. That makes them more likely to expose hidden content.

The researchers also built a way to identify which scaling method a system uses. They uploaded test images with patterns like checkerboards, circles, and stripes. The artifacts such as blurring, ringing, or color shifts revealed which algorithm was at play.

This discovery also connects to core ideas in signal processing, particularly the Nyquist-Shannon sampling theorem. When data is compressed below a certain threshold, distortions called aliasing appear. Attackers use this effect to create new patterns that were not visible in the original photo.

According to the researchers, simply switching scaling methods is not a fix. Instead, they suggest avoiding automatic resizing altogether by setting strict upload limits. Where resizing is necessary, platforms should show users a preview of what the AI system will actually process. They also advise requiring explicit user confirmation before any text detected inside an image can trigger sensitive operations.

This new attack builds on past research into adversarial images and prompt injection. While earlier studies focused on fooling image-recognition models, today’s risks are greater because modern AI systems are connected to real-world tools and services. Without stronger safeguards, even an innocent-looking photo could become a gateway for data theft.


Read more »
Subscribe to: Comments (Atom)