Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label FBI. Show all posts
SIM Swapping
cryptocurrency Cyber Security FBI phishing Ransomware SIM Swapping

FBI Warns of Rising Online Threats Targeting Youth and Digital Assets





The Federal Bureau of Investigation (FBI) has raised concern over what it describes as a fast-expanding online threat, warning that criminal groups are becoming more organized and dangerous in cyberspace. The activity includes ransomware, phishing scams, cryptocurrency theft, and even violent real-world crimes linked to online networks.

According to the FBI, one of the most concerning groups involved in these activities is part of an online collective often referred to as “The Com,” short for “The Community.” This loosely connected network is made up of several subgroups, including one known as “Hacker Com.” The collective primarily communicates in English and has members spread across different countries.

A striking detail is that many individuals taking part are very young, with ages ranging from early teens to their mid-20s. Recruitment often happens on online gaming platforms, social media channels, or through existing members who look for people with shared interests.

The FBI notes that the scale and sophistication of these groups has increased substantially over the past four years. Members use advanced tools such as phishing kits, voice changers, and other techniques to disguise their identities and hide illegal financial dealings. These methods make it difficult for law enforcement to trace stolen funds or identify those responsible.

Much of the activity is financially motivated, especially through schemes involving cryptocurrency. Offenses include SIM swapping, hacking into networks, and in some cases, direct physical threats. The FBI has reported that criminal actors have resorted to extreme methods such as coercion, intimidation, and even violence to force victims into giving up access to digital accounts.

Beyond theft, some members also carry out dangerous acts such as swatting: making false emergency reports that lead armed law enforcement to a target’s home or issuing bomb threats. These tactics are sometimes used to distract authorities during larger cyberattacks or thefts. Disturbingly, certain groups have extended their activities into the offline world, where crimes can escalate into real-world violence.

Given the scope of the threat, the FBI is advising the public to be cautious when sharing personal details online. Posting photos, videos, or sensitive information on social media, dating platforms, or gaming forums can make individuals and families targets. Parents are especially encouraged to stay alert to their children’s online activity and to have open conversations about the potential risks.

For those who believe they may have been targeted or victimized, the FBI recommends keeping all available evidence, such as messages or transaction details, and reporting incidents promptly through its Internet Crime Complaint Center (ic3.gov) or by contacting a local FBI field office.

The Bureau emphasizes that awareness and vigilance are key defenses against these developing online dangers.


Read more »
Identity Theft
CERT Cyberattack CyberCrime Dark Web Data Breach Digital Vulnerability FBI Hospitality Security Identity Theft

Cybercriminals Steal Thousands of Guest ID Documents from Italian Hotels

 


Thousands of travellers have been left vulnerable to cyberattacks caused by hotel systems that have been breached by a sweeping cyberattack. Identities that have been stolen from hotel systems are now circulating on underground forums. According to the government's Agency for Digital Italy (CERT-AGID), the breach has now become among the most significant data security incidents to have struck the country's tourism industry in recent years due to the breach that has been confirmed by the agency. 

According to an FBI report, a hacker using the alias “mydocs” is suspected of gaining access to hotel reservation platforms from June to August, allowing them to download high-resolution copies of passports, identification cards, and other identity documents obtained during guest check-in. This hacker has been selling a total of over 90,000 documents on well-known cybercrime forums, spread across a number of batches. 

Hotels and Guests Caught Off Guard

A total of ten hotels have been confirmed to have been affected by the theft, but officials warn that this number may increase as the investigation continues. It has been observed that CERT-AGID has already intercepted at least one attempt to resell the data illegally, which suggests that much of the information being offered is genuinely accurate rather than exaggerated, as is often the case within cybercriminal circles. Passports, as well as national identification cards, are of particular value because of their potential for abuse, which means that they are particularly valuable. 

There is a possibility that fraudsters can exploit this information to create false identities, open accounts with banks, or launch sophisticated social engineering attacks in an effort to fool the victim into divulging even more personal information. It is stated in the CERT-AGID public advisory that the possible consequences for those affected are "serious, both legally and financially." 

The Scale of the Breach

Hotels are being questioned about how much information they keep, and for how long, based on the scope of the breach. In spite of the fact that the incidents are believed to have occurred between June and July, investigators can't rule out the possibility that years of archived guest scans were hacked. Several travelers would have been affected beyond the tens of thousands confirmed to have been affected, which is a significant increase in the number of affected travellers. 

There has been a report on the Ca’ dei Conti in Veneto, a four-star hotel in Venice, that was among the properties that were targeted. According to Corriere del Veneto, as many as 38,000 guest records have been gathered at this hotel, which demonstrates just how large the attack has been. It has been reported that stolen data is being offered on the dark web for sale at a price ranging from $937 to $11,714 per tranche, depending on the size and type of the data. 

A Familiar Target for Cybercriminals 

There has been a troubling pattern of attacks in the hospitality sector for some time now. As a result of collecting a combination of financial and identity data from millions of guests each year, hotels have always been a target for hackers. Due to their old IT systems, fragmented digital platforms, and global nature, they are a relatively easy target and high in value. 

In April of this year, CERT-AGID interrupted a separate smishing campaign aimed at stealing Italian citizens' identification documents. It was found that the attackers asked victims to send selfies with their identification cards as a way to increase the value of stolen credentials for fraudulent activity and impersonation schemes. This was done as a result of the fact that multiple, unrelated operations have emerged within the last few months, demonstrating the growing demand for identity data on criminal markets for a variety of reasons. 

How the Data Can Be Abused

It is important to note that cybersecurity experts warn that stolen identity scans can be reused in several ways that travellers might not anticipate. Besides the obvious risks of opening a bank account or applying for a loan, criminals can also use this information to rent properties or commit tax fraud or circumvent identity checks on the web. These documents can form the basis of long-term fraud campaigns when combined with other leaked information, such as email addresses and telephone numbers, that has been leaked. 

The authorities are warning anyone who stayed in an Italian hotel over the summer to keep an eye out for red flags such as credit inquiries, unusual account activity, or unsolicited bank correspondence. It is not uncommon for the first signs of misuse to emerge weeks or even months after the initial breach has taken place. 

Industry Response and Urgency 

It has been urged that hotels and other organisations that handle identity information take immediate steps to strengthen their defences. In the agency's advisory, it was stressed that businesses had to go beyond simply complying with data processing laws, and should adopt robust digital security practices, from encrypted storage to stronger authentication protocols as well as regular audits of their systems. 

The increase in illicit identity document sales confirms that increased awareness and protective measures should be taken by both the organisations that manage them and the citizens themselves, according to a statement released by the agency. Italy, where tourism is a significant part of its national economy, faces both economic and reputational risks as a consequence of the incident. 

There are millions of visitors who each year submit sensitive information to websites in the hope that their privacy will be protected. Experts warn, however, that if breaches of this scale continue, it will have a long-term impact on public trust in the industry. 

A Warning for the Global Hospitality Industry

There is no doubt that the "mydocs" case is a wake-up call for Italy, but it is also a wake-up call for the entire international hotel industry. Hotels around the world have adopted digital check-in tools and automated identification verification tools for the purpose of protecting sensitive data, often without the required security measures to protect them. 

As investigators continue to uncover the extent of this breach, it is becoming increasingly clear that cybersecurity must now take precedence in an industry where efficiency and convenience often dominate. When there is no stronger protection in place, hotels risk becoming prime hunting grounds for identity thieves, leaving guests to pay for their actions long after they have checked out of their hotel. 

Hotel businesses in Italy are facing a breach that is more than a cautionary tale. It is also an opportunity for their approach to digital trust to be reevaluated. The problem with maintaining guests’ confidence has become increasingly important in an age where privacy and security are key components of customer expectations, and hotels and tourism operators face the challenge of complying with regulatory requirements as well. 

Providing a high-quality service to guests must include a strong emphasis on cybersecurity, just as much as comfort and convenience. Investing in stronger encryption systems, secure data storage, periodic penetration testing, and employee awareness programs can considerably reduce risks, while partnering with cybersecurity firms may allow people to add a further layer of protection.

It is also important for guests to take steps to safeguard themselves against misuse of their credit reports by monitoring credit reports, using identity protection services, and limiting the sharing of unnecessary documents during check-in. The headlines of this incident emphasise the alarming reality of stolen identities, but if this incident prompts meaningful change in the future, it is likely to be one of resilience. 

Taking decisive action now could not only enable Italy's hospitality sector to recover from this blow but also be a driving force in setting a new benchmark for digital safety in global tourism in the future.
Read more »
Software
Android BadBox threat Credential Theft FBI malware Software

FBI Issues Urgent Warning: Millions of Android Devices Compromised by Malware Operation

 


A dangerous malware campaign known as BadBox 2.0 has infected more than 10 million Android-powered devices, according to a recent alert from the FBI and major cybersecurity researchers. Users are being advised to immediately disconnect any suspicious smart devices connected to their home networks.

This large-scale cyberattack targets a range of low-cost electronics, such as smart TVs, tablets, digital picture frames, car infotainment systems, and streaming boxes, many of which are manufactured by lesser-known brands and sold at discounted prices. Authorities warn that these products may already be infected before leaving the factory.


How Are Devices Getting Infected?

Investigators say that the malware is often pre-installed into the system’s firmware, meaning it’s embedded into the device itself. In some cases, users unknowingly allow the malware in when accepting software updates or installing apps from unofficial sources.

Once active, the malware can silently take over the infected device, turning it into part of a global botnet. These infected devices are then used by cybercriminals for illegal activities like online ad fraud, credential theft, and hiding internet traffic through proxy networks.

The LAT61 Threat Intelligence Team at Point Wild helped trace how the malware operates. They discovered that the malware secretly converts devices into residential proxy nodes, making it hard to detect while still carrying out harmful actions behind the scenes.


What Are Google and the FBI Doing?

In response to the threat, Google has taken legal action against the individuals behind BadBox 2.0 and has updated its Google Play Protect system to block apps associated with the malware. The FBI, through alert I-060525-PSA, has also issued a detailed warning and urged users to take caution, especially with devices from unverified brands.

The team at Human Security, which first exposed the malware operation, confirmed that multiple hacker groups contributed to building and maintaining the botnet infrastructure. Their CEO praised the collaboration between cybersecurity firms, law enforcement, and tech companies to take down the threat.


A New Threat Also Detected

Meanwhile, researchers from GreyNoise have reported signs of another emerging cyber threat, this time involving VoIP (Voice over Internet Protocol) devices. Their investigation revealed a spike in activity where hackers are attempting to gain access to poorly secured systems using default or weak passwords. These devices are often older, rarely updated, and left exposed to the internet, making them easy targets.


What Should You Do?

The FBI advises users to look out for the following red flags:

1. Devices requiring you to turn off Google Play Protect

2. Gadgets that offer “fully unlocked” or “free streaming” features

3. Unfamiliar or generic brand names

4. Apps from third-party app stores

5. Unexpected internet activity from your devices


If you notice any of these signs, disconnect the device from your network immediately and consider replacing it with a trusted brand.

Read more »
User Security
Chrome Updates FBI FBI CISA advisory Mobile Security User Security

FBI Warns Chrome Users Against Unofficial Updates Downloading

 

If you use Windows, Chrome is likely to be the default browser. Despite Microsoft's ongoing efforts to lure users to the Edge and the rising threat of AI browsers, Google's browser remains dominant. However, Chrome is a victim of its own success. Because attackers are aware that you are likely to have it installed, it is the ideal entry point for them to gain access to your PC and your data. 

That is why you are seeing a series of zero-day alerts and emergency updates. This is also why the FBI is warning about the major threat posed by fraudulent Chrome updates. As part of the "ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors," the FBI and CISA, America's cyber defence agency, have issued their latest warning. 

The latest advisory addresses the recent rise in Interlock ransomware attacks. And, while the majority of the advice is aimed at individuals in charge of securing corporate networks and enforcing IT policies, it also includes a caution for PC users. Ransomware assaults require an entry point, or "initial access." And if you have a PC (or smartphone) connected to your employer's network, you are affected. The advisory also recommends that organisations "train users to spot social engineering attempts.”

In the case of Interlock, two of these ways of first entrance leverage the same lures that cybercriminals employ to target your personal accounts, as well as the data and security credentials on your own devices. You should be looking for these anyway. One of the techniques is ClickFix, which is easily detectable. This is where a notice or popup encourages you to paste content into a Windows command and run the script. It's accomplished by impersonating a technical issue, a secure website, or a file that you need to open. Any such directive is always an attack and should be ignored. 

Installing and updating fake Chrome has become commonplace, both on Android smartphones and Windows PCs. As with ClickFix, the guidance is quite explicit. Never use links in emails or texts to access upgrades or new installs. Always get updates and programs from the official websites or shops. Keep in mind that Chrome will automatically download updates and will prompt you to restart your browser to ensure the installation. Although those links are delivered to you, you are not required to look for them or click on random links.
Read more »
Scattered Spider
Cyber Bureau Cyberattacks CyberCrime Cybersecurity CyberThreat FBI FBI warning IT malware MGM Resorts Scattered Spider

FBI Urges Airlines to Prepare for Evolving Threat Scenarios

 


Federal investigators have warned that the cyberextortion collective known as Scattered Spider is steadily expanding its reach to cover airlines and their technology vendors, a fresh alarm that has just been sounded for the aviation sector. According to an FBI advisory, the syndicate, already infamous for having breached high-profile U.S. casinos, Fortune 500 companies, and government agencies, relies more on social engineering tactics than malicious software. 

As it masquerades as a legitimate employee or trusted contractor, its operatives communicate with help desk staff, request credentials to be reset, or convince agents to enrol rogue devices in multi-factor authentication. The carefully orchestrated deceptions enable privileged network access, resulting in data exfiltration and ransomware deployment by enabling the exploitation of malicious malware. 

In a statement published by the Bureau, it stressed that the threat "remains ongoing and rapidly evolving," and encouraged organisations to report intrusions as soon as possible, as well as reiterating its longstanding prohibition against paying ransom. A loosely organised, but extremely effective group of cybercriminals, dominated by English-speaking cybercriminals, many of whom are teenagers or young adults, is regarded by experts as Scattered Spider. 

Despite their age, the group has demonstrated a level of sophistication that rivals seasoned threat actors. The primary motive of these criminals appears to be financial gain, with most of their operations focused on stealing and extorting corporate data in the form of ransom payments and extortion. Once the attackers obtain access to sensitive data, they often exfiltrate it for ransom or resale it on the underground market, and in many instances, they use ransomware to further compel victims to cooperate. 

The distinctiveness of Scattered Spider from other cybercriminal groups lies in the way it uses social engineering tactics to gain an advantage in cybercrime. Instead of relying heavily on malware, the group utilises psychological manipulation to attack organisations' vulnerabilities. In order to pressure employees, particularly employees who work at the help desk, to surrender their access credentials or override security protocols, phishing campaigns, impersonation schemes, and even direct threats are often used. 

Some reports have indicated that attackers have used coercion or intimidation to access support staff in an attempt to expedite access to the system. As a result of the group's reliance on human engineering rather than technology tools, they have been able to bypass even the most advanced security measures, making them especially dangerous for large organisations that utilise distributed and outsourced IT support services. Their tactical changes reflect a calculated approach to breaching high-value targets swiftly, stealthily, with minimal resistance, and with speed. 

There was a stark public warning released by the Federal Bureau of Investigation on June 27, 2025, stating that the United States aviation industry is now firmly under threat from a wave of cyber-aggression that is escalating rapidly. It has been observed that, unlike traditional threats that involved physical attacks, these new threats come from highly skilled cybercriminals rather than hijackers. 

There is a cybercrime group known as Scattered Spider at the forefront of this escalating threat, widely regarded to be among the most sophisticated and dangerous actors in the digital threat landscape. The group, which was previously known for its high-impact breaches on major hospitality giants such as MGM Resorts and Caesars Entertainment, has now switched its attention to the aviation sector, signalling that the group has taken a key step in changing the way it targets the aviation sector. 

At a time when geopolitical instability worldwide is at its peak, this warning has an even greater urgency than ever. Having large-scale cyberattacks on airline infrastructure is no longer just a theoretical possibility—it has become a credible threat with serious implications for national security, economic stability, and public safety that cannot be ignored. 

A new generation of malware-driven operations, Scattered Spider, utilising advanced social engineering techniques for infiltration into networks, as opposed to traditional malware-based attacks. It has been reported that members of the group impersonate legitimate employees or contractors and make contact with internal help desks by creating convincing narratives that manipulate agents into bypassing multi-factor authentication protocols. 

Once they have entered a network, they usually move laterally with speed and precision to gain access to sensitive data and systems. Researchers from Google's Mandiant division have confirmed the group's advanced capabilities in the field of cybersecurity. According to the Chief Technology Officer of Mandiant, Charles Carmakal, Scattered Spider is adept at maintaining persistence within compromised systems, moving laterally, and elevating privileges as quickly as possible. 

It is common knowledge that a group of individuals capable of deploying ransomware within hours of first access to their computer systems are capable of doing so, thereby leaving very little time for detection and response. As a result of the FBI's warning, airlines and their vendors need to increase access controls, train their staff against social engineering, and report suspicious activity immediately. 

There has been some observation from cybersecurity experts that Scattered Spider has previously targeted a broad range of high-value sectors, such as finance, healthcare, retail, as well as the gaming industry, in the past. However, as the group appears to be shifting its focus to the aviation sector, a domain that possesses an extremely wide-open attack surface and is particularly vulnerable. 

It is important to note that the airline industry heavily relies on interconnected IT infrastructure as well as third-party service providers, which makes it extremely vulnerable to cascading effects in the case of a breach. A single compromised vendor, especially one with access to critical systems like maintenance platforms, reservation networks, or crew scheduling tools, might pose an immediate threat to multiple airline customers. 

It is the FBI's latest advisory, in which they emphasise the urgency and the evolving nature of this threat, encouraging airlines and their related vendors to reevaluate their security protocols internally and to strengthen them. Organisations are encouraged to strengthen their identity verification procedures, particularly when dealing with IT-related requests involving password resets, reconfiguring multi-factor authentication (MFA), or access permissions that are related to IT.

According to the Bureau, stricter controls should be implemented over privileged access, and staff members should be trained and made aware of social engineering tactics, as well as closely monitoring for unusual activity, such as attempts to log in from unfamiliar locations or devices that have not been previously associated with an account. The report of suspected intrusions must also be done quickly and efficiently. 

In addition to the FBI’s emphasis on early notification, law enforcement and intelligence agencies are able to trace malicious activity more effectively, which can limit the damage and prevent further compromise if it is caught in the first place. Scattered Spider has been involved in several previous operations in which not only has it stolen data, but it has also extorted money. It frequently threatens to release or encrypt sensitive data until ransom demands are met. 

Despite the fact that there is no evidence to suggest that flight safety has been directly affected, the nature of the intrusions has raised serious concerns. In light of the potential vulnerability of systems that process passenger information, crew assignments, and operational logistics, the risk for business continuity, and by extension, public trust, remains high. 

Aviation is now being called upon to act decisively in order to combat the threat of cybercriminal groups like Scattered Spider, which is not merely a back-office function but rather a core component of operational resilience. The airline IT departments, the helpdesk teams at the airlines, and third-party vendors must all implement robust identity verification processes as well as technical safeguards in order to combat the growing threat posed by cybercriminal groups like Scattered Spider. 

Among the most urgent priorities right now is strengthening the frontline defences at the level of the help desk, where attackers often exploit human error and the inexperience of employees. According to security experts, callback procedures should be established with only pre-approved internal contact numbers, callers should be required to verify a non-obvious “known secret” such as an internal training code, and a dual-approval policy should be implemented when performing sensitive actions such as resets of multi-factor authentication (MFA), especially when those accounts are privileged. 

Also, every identity enrollment should be logged and audited, with a Security Information and Event Management (SIEM) system able to trigger real-time alerts that flag suspicious behaviour. In addition, airlines are being advised to implement enhanced access controls immediately on a technical front. In combination with velocity rules, conditional access policies can be used to block login attempts and MFA enrollments from geographically improbable or high-risk locations. 

A just-in-time (JIT) privilege management process should replace static administrative access, limiting access to restricted areas of the system within limited time windows, sometimes just minutes, so that attack opportunities are reduced. Endpoint detection and response (EDR) tools must be deployed on virtual desktop environments and jump hosts so as to detect credential theft in real time. DNS-layer isolation will also provide a way for you to block outbound connections to attacker-controlled command-and-control (C2) servers, thereby preventing outbound connections from the attacker. 

There are five crucial pillars necessary to build an incident response plan tailored to aviation: identification, containment, eradication, recovery, and communication. It is essential to monitor the logs of identity providers continuously, 24 hours a day, 7 days a week, in order to detect suspicious activity early on. If an account is compromised, immediate containment measures should be triggered, including the disabling of affected accounts and the freezing of new MFA enrollments. 


In the eradication phase, compromised endpoints are reimaged and credentials are rotated in both on-premise and cloud-based identity management systems, and in the recovery phase, systems must be recovered from immutable, clean backups, and sensitive passenger data must be validated to ensure that the data is accurate. A crucial part of the process has to do with communication, which includes seamless coordination with regulatory organisations such as the Transportation Security Administration (TSA) and the Cybersecurity and Infrastructure Security Agency (CISA), as well as internal stakeholders inside and outside the organisation.

Additionally, third-party vendors, such as IT service providers, ground handlers, and catering contractors, must also be stepped up in terms of their security posture. These organisations are often exploited as entry points for island-hopping attacks, which must be taken into account. This risk can be reduced by aligning vendor identity verification protocols with those of the airlines they serve, reporting any suspicious activity related to MFA within four hours, and performing regular penetration tests, especially those that simulate social engineering attacks, in order to reduce this risk. 

Ultimately, the broader transportation sector must acknowledge that people are the weakest link in today’s threat landscape and not passwords. A zero-trust approach to help desk operations must be adopted, including scripted callbacks, rigorous identification verifications, and mandatory dual-approval processes. 

Managing coordinated threats can become increasingly challenging as ISACs (Information Sharing and Analysis Centres) play an important role in enabling rapid, industry-wide information sharing. As isolated organisations are often the first to fall victim, ISACs can play an essential role in protecting against coordinated threats. Furthermore, security budgets need to prioritise human-centred investments, such as training and resilient response procedures, rather than just the latest security technologies. 

Currently, the aviation industry faces a rapidly evolving landscape of cyber threats, particularly from adversaries as resourceful and determined as Scattered Spider. To counter these threats, both airlines and the broader ecosystem should adopt a proactive cybersecurity posture that is forward-looking. Security is no longer reactive. A proactive, intelligently driven defence must now take precedence, combining human vigilance, procedural discipline, and adaptive technology to ensure its effectiveness. 

In order to achieve this, organisations need to develop zero-trust architectures, foster a culture of security at every operational level, and integrate cybersecurity into every strategic decision they make. As a result, cross-sector cooperation should transcend compliance checklists and regulatory requirements, but instead evolve into a dynamic exchange of threat intelligence, defence tactics, and incident response insights that transcend compliance checklists and regulatory obligations. 

In the era of convergent digital and physical infrastructures, cyber complacency could lead to catastrophic outcomes that will undermine not only the continuity of operations but also public trust as well as national resilience. There is now an opportunity for aviation leaders to rethink cybersecurity as not just a technical issue, but as a strategic imperative integral to ensuring global air travel is safe, reliable, and profitable into the future.
Read more »
Scattered Spider Threat Group
cyber attack Cyber Fraud cyberattacks trending news FBI Scattered Spider Threat Group

FBI Raises Alarm as Scattered Spider Threat Group Expands Target Sectors

 

The Federal Bureau of Investigation (FBI) has issued a high-level cybersecurity alert warning about the growing threat posed by Scattered Spider, a cybercriminal group now targeting the transportation sector specifically the aviation industry and expanding its focus to insurance companies. Previously associated with large-scale ransomware attacks in the retail sector, including a significant breach at Marks & Spencer in the UK that resulted in losses exceeding $600 million, the group is now shifting tactics and industries. 

A recent analysis by cybersecurity firm Halcyon, confirmed by the FBI, highlights how Scattered Spider is using advanced social engineering to bypass multi-factor authentication (MFA), often by impersonating employees or contractors and deceiving IT help desks into adding unauthorized MFA devices. The FBI has urged organizations to strengthen their MFA procedures and report any suspicious activity promptly. Research from Reliaquest shows the group often spoofs technology vendors and specifically targets high-access individuals like system administrators and executives.

Scattered Spider is financially driven and reportedly connected to a broader cybercriminal collective known as The Community. Its collaborations with ransomware operators such as ALPHV, RansomHub, and DragonForce have enabled it to access sophisticated cyber tools. What makes the group particularly dangerous is its ability to blend technical skill with social engineering, recruiting English-speaking attackers with neutral accents and regional familiarity to convincingly impersonate support staff during Western business hours. Real-time coaching and detailed scripts further enhance the success of these impersonation efforts.

Beyond aviation, experts are now seeing signs of similar attacks in the U.S. insurance sector. Google’s Threat Intelligence Group confirmed multiple such incidents, and security leaders warn that these are not isolated cases. Jon Abbott, CEO of ThreatAware, emphasized that this trend signals a broader threat landscape for all industries. 

Richard Orange of Abnormal AI noted that Scattered Spider relies more on manipulating human behaviour than exploiting software vulnerabilities, often moving laterally across systems to gain broader access. The group’s exploitation of supply chain links has been a consistent tactic, making even indirect associations with targeted sectors a point of vulnerability. As the FBI continues to work with affected industries, experts stress that all organizations, regardless of sector, must enhance employee awareness, implement strict identity verification, and maintain vigilance against social engineering threats.
Read more »
Scattered Spider ransomware
airline industry Cyber Attacks cyberattacks on airline FBI Hacker attack Hawaii MFA Palo Alto Networks Scattered Spider Scattered Spider ransomware

Scattered Spider Hackers Target Airline Industry Amid FBI and Cybersecurity Warnings

 

The FBI has issued a new warning about the cybercriminal group known as Scattered Spider, which is now actively targeting the airline industry. Recent cyber incidents at Hawaiian Airlines and Canadian carrier WestJet underscore the growing threat. 

According to the FBI’s advisory released late last week, Scattered Spider is known for using advanced social engineering tactics, often posing as employees or contractors. Their goal is to manipulate IT help desk teams into granting unauthorized access—frequently by requesting the addition of rogue multi-factor authentication (MFA) devices to compromised accounts.  

The group’s typical targets include large enterprises and their third-party service providers. “That puts the entire aviation supply chain at risk,” the FBI noted. Once they gain entry, the hackers typically exfiltrate sensitive information for extortion purposes and sometimes deploy ransomware as part of their attacks. The agency confirmed that it is working closely with industry partners to contain the threat and support affected organizations.  

Hawaiian Airlines reported late last week that it had detected suspicious activity in some of its IT systems. While full flight operations were not disrupted, the airline stated it was taking protective steps. “We’ve engaged with authorities and cybersecurity experts to investigate and remediate the incident,” the company said in a statement, adding that it’s focused on restoring systems and will share further updates as the situation evolves. 

Earlier in June, WestJet disclosed that it had experienced a cybersecurity event, which led to restricted access for certain users. The airline has brought in third-party experts and digital forensic analysts to investigate the breach. 

Although the culprits haven’t been officially named, recent analysis from security firm Halcyon indicates that Scattered Spider has broadened its scope, now targeting not only aviation but also sectors like food production and manufacturing. 

“These attacks are fast-moving and devastating,” Halcyon warned. “They can cripple an entire organization in just a few hours, with impacts on everything from operations to consumer trust.”

Other experts echoed these concerns. Palo Alto Networks’ Unit 42 recently advised aviation companies to be extra cautious, particularly regarding suspicious MFA reset requests and socially engineered phishing attempts.  

Darren Williams, founder and CEO of cybersecurity company BlackFog, emphasized the high value of the airline sector for cybercriminals. “Airlines manage immense volumes of sensitive customer data, making them an extremely attractive target,” he said. “With international travel surging, attackers are exploiting this pressure point.” 

Williams added that the disruptions caused by such attacks can ripple across the globe, affecting travelers, business continuity, and public confidence. “These incidents show that airlines need to invest more heavily in cybersecurity infrastructure that can protect passenger data and maintain operational integrity.”
Read more »
FBI
cyber attack Cyber Security cyberattacks news cyberattacks on airline cyberattacks on transportation FBI

FBI Warns of Scattered Spider Cyberattacks on Airline and Transport Sectors

 

The FBI, along with top cybersecurity firms, has issued a fresh warning that the notorious hacking group Scattered Spider is expanding its targets to include the airline and broader transportation industries. In a statement released Friday and shared with TechCrunch, the FBI said it had “recently observed” cyber activity in the airline sector bearing the hallmarks of Scattered Spider’s tactics. 

Experts from Google’s Mandiant and Palo Alto Networks’ Unit 42 also confirmed they have identified attacks on aviation-related systems linked to the same group. Scattered Spider is widely known in cybersecurity circles as a loosely organized yet highly active group of hackers, believed to be comprised mainly of young, English-speaking individuals. Motivated largely by financial gain, the group is infamous for using sophisticated social engineering techniques, phishing campaigns, and even threats directed at corporate help desks to infiltrate systems. In some cases, their intrusions have led to the deployment of ransomware. 

The FBI’s alert highlighted the group’s pattern of targeting both major corporations and their third-party IT service providers. This broad approach means that anyone within the airline ecosystem from airline staff to external contractors could be a potential target. The warning follows a series of cyber incidents involving airlines. 

Hawaiian Airlines confirmed on Thursday that it was responding to a cyberattack affecting its systems. Meanwhile, Canadian carrier WestJet reported a breach on June 13 that is still ongoing. Media reports suggest that Scattered Spider may be responsible for the WestJet intrusion. 

This latest activity comes after a string of attacks by the group on other industries, including retail chains in the U.K. and several insurance companies. In the past, Scattered Spider has also been linked to breaches involving casinos, hotel groups, and large tech firms. Cybersecurity professionals warn that the group’s evolving methods and willingness to exploit human vulnerabilities make them a significant threat across sectors, especially industries reliant on large-scale digital infrastructure and third-party vendors.
Read more »
Smart Devices
Badbox Cyber Crime FBI Smart Devices

FBI Warns: Millions of Everyday Smart Devices Secretly Hijacked by Cybercriminals

 



The FBI recently raised concerns about a large-scale cybercrime network that has quietly taken control of millions of smart gadgets used in homes across the United States. This cyber threat, known as BADBOX 2.0, targets everyday devices such as TV streaming boxes, digital projectors, tablets, and even entertainment systems in cars.


What is BADBOX 2.0?

Unlike common malware that slows down or damages devices, BADBOX 2.0 silently turns these gadgets into part of a hidden network called a residential proxy network. This setup allows cybercriminals to use the victim's internet connection to carry out illegal activities, including online advertising fraud and data theft, without the device owner realizing anything is wrong.


Which Devices Are at Risk?

According to the FBI, the types of devices most affected include:

1. TV streaming boxes

2. Digital projectors

3. Aftermarket car infotainment systems

4. Digital photo frames

Many of these products are imported, often sold under unfamiliar or generic brand names. Some specific models involved in these infections belong to device families known as TV98 and X96, which are still available for purchase on popular online shopping platforms.


How Does the Infection Spread?

There are two main ways these devices become part of the BADBOX 2.0 network:

Pre-installed Malware: Some gadgets are already infected before they are even sold. This happens when malicious software is added during the manufacturing or shipping process.

Dangerous App Downloads: When setting up these devices, users are sometimes directed to install apps from unofficial sources. These apps can secretly install harmful software that gives hackers remote access.

This method shows how BADBOX 2.0 has advanced from its earlier version, which focused mainly on malware hidden deep within the device's firmware.


Signs Your Device May Be Infected

Users should watch for warning signs such as:

• The device asks to disable security protections like Google Play Protect.

• The brand is unfamiliar or seems generic.

• The device promises free access to paid content.

• You are prompted to download apps from unknown stores.

• Unusual or unexplained internet activity appears on your home network.


How to Stay Safe

The FBI recommends several steps to protect your home network:

1. Only use trusted app stores, like Google Play or Apple’s App Store.

2. Be cautious with low-cost, no-name devices. Extremely cheap gadgets are often risky.

3. Monitor your network regularly for unfamiliar devices or strange internet traffic.

4. Keep devices updated by installing the latest security patches and software updates.

5. If you believe one of your devices may be compromised, it is best to disconnect it immediately from your network and report the issue to the FBI through their official site at www.ic3.gov.

6. Be Careful with Cheap Deals


As experts warn, extremely low prices can sometimes hide dangerous risks. If something seems unusually cheap, it could come with hidden cyber threats.

Read more »
Social Engineering
Cyber Attacks Extortion FBI Luna Moth Ransomware attack Social Engineering

FBI Warns of Luna Moth Ransomware Attacks Targeting U.S. Law Firms

 

The FBI said that over the last two years, an extortion group known as the Silent Ransom Group has targeted U.S. law firms through callback phishing and social engineering tactics. 

This threat outfit, also known as Luna Moth, Chatty Spider, and UNC3753, has been active since 2022. It was also responsible for BazarCall campaigns, which provided initial access to corporate networks for Ryuk and Conti ransomware assaults. Following Conti's shutdown in March 2022, the threat actors broke away from the cybercrime syndicate and created their own operation known as the Silent Ransom Group.

In recent attacks, SRG mimics the targets' IT help via email, bogus websites, and phone conversations, gaining access to their networks via social engineering tactics. This extortion group does not encrypt victims' systems and is infamous for demanding ransoms in order to keep sensitive information stolen from hacked devices from being leaked online. 

"SRG will then direct the employee to join a remote access session, either through an email sent to them, or navigating to a web page. Once the employee grants access to their device, they are told that work needs to be done overnight," the FBI stated in a private industry notification.

"Once in the victim's device, a typical SRG attack involves minimal privilege escalation and quickly pivots to data exfiltration conducted through 'WinSCP' (Windows Secure Copy) or a hidden or renamed version of 'Rclone.'” 

After acquiring the victims' data, they use ransom emails to blackmail them, threatening to sell or publish the information. They frequently call employees of breached organisations and force them into ransom negotiations. While they have a dedicated website for disclosing their victims' data, the FBI claims the extortion ring does not always followup on its data leak promises. 

To guard against these attacks, the FBI recommends adopting strong passwords, activating two-factor authentication for all employees, performing regular data backups, and teaching personnel on recognising phishing efforts.

The FBI's warning follows a recent EclecticIQ report detailing SRG attacks targeting legal and financial institutions in the United States, with attackers observed registering domains to "impersonate IT helpdesk or support portals for major U.S. law firms and financial services firms, using typosquatted patterns.”

A recent EclecticIQ report about SRG attacks against American legal and financial institutions revealed that the attackers were registering domains to "impersonate IT helpdesk or support portals for major U.S. law firms and financial services firms, using typosquatted patterns." The FBI issued the warning in response to this information. 

Malicious emails with fake helpdesk numbers are being sent to victims, prompting them to call in order to fix a variety of non-existent issues. On the other hand, Luna Moth operators would try to deceive employees of targeted firms into installing remote monitoring & management (RMM) software via phoney IT help desk websites by posing as IT staff.

Once the RMM tool is installed and started, the threat actors have direct keyboard access, allowing them to search for valuable documents on compromised devices and shared drivers, which will then be exfiltrated via Rclone (cloud syncing) or WinSCP (SFTP). According to EclecticIQ, the Silent Ransom Group sends ransom demands ranging from one to eight million USD, depending on the size of the hacked company.
Read more »
VPN
CISA Cyber Security FBI Ransomware VPN

FBI Urges Immediate Action as Play Ransomware Attacks Surge

 


The Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released a critical warning about the sharp rise in Play ransomware attacks. The agencies report that this cyber threat has affected hundreds of organizations across the Americas and Europe, including vital service providers and businesses.

The updated alert comes after the FBI identified over 900 confirmed victims in May alone, which is three times more than previously reported. Cybersecurity experts are urging organizations to act quickly to strengthen their defenses and stay informed about how these cybercriminals operate.


How the Play Ransomware Works

Play ransomware attackers use various advanced methods to break into systems. They often start by targeting services that are accessible from outside, like Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs). Once they gain access, they move within the network, stealing login details and aiming to control the system entirely.

The FBI notes that the attackers do not immediately demand payment in their ransom notes. Instead, they leave email addresses that victims must contact. These emails usually come from unique addresses linked to German domains. In some cases, the criminals also make threatening phone calls to pressure victims into paying.


Connections to Other Threat Groups

Investigations suggest that the Play ransomware may be connected to several known hacking groups. Some security researchers believe there could be links to Balloonfly, a cybercrime group involved in earlier ransomware attacks. There have also been reports connecting Play to serious security incidents involving Windows systems and Microsoft Exchange servers.

In the past, attackers have taken advantage of security flaws in popular software, including Microsoft’s Windows and Fortinet’s FortiOS. Most of these security gaps have already been fixed through updates, but systems that remain unpatched are still at risk.


Key Steps to Protect Your Organization

The FBI strongly recommends that all organizations take immediate steps to reduce their risk of falling victim to these attacks. Here are the essential safety measures:

1. Create backup copies of important data and store them in secure, separate locations.

2. Use strong, unique passwords that are at least 15 characters long. Do not reuse passwords or rely on password hints.

3. Enable multi-factor authentication to add extra security to all accounts.

4. Limit the use of admin accounts and require special permissions to install new software.

5. Keep all systems and software up to date by applying security patches and updates promptly.

6. Separate networks to limit how far a ransomware attack can spread.

7. Turn off unused system ports and disable clickable links in all incoming emails.

8. Restrict the use of command-line tools that attackers commonly use to spread ransomware.

Staying alert and following these steps can help prevent your organization from becoming the next target. Cybersecurity is an ongoing effort, and keeping up with the latest updates is key to staying protected.

Read more »
TrickBot
Conti Cyber Crime Dark Web FBI ID Leak Internet Ransomware TrickBot

Mysterious Entity ExposedGang Exposes Cyber Criminals


An anonymous leaker is exposing the identities of the world’s most wanted cybercriminals. 

Recently, a mysterious leaker exposed leaders behind Trickbot and Conti ransomware, hacking groups that are known for some of the biggest extortions in recent times. 

Recently, The Register contacted an anonymous individual known by the alias GangExposed, who is on a personal mission to “fight against an organized society of criminals known worldwide”. GangExposed takes pleasure in thinking he can rid society of at least some of the cybercriminals. "I simply enjoy solving the most complex cases,” he said. 

Stern doxxed

One of the criminals doxxed is Stern, the mastermind of Conti ransomware operations and TrickBot. GangExposed claims Stern is Vitaly Nikolaevich, CySecurity reported about this case recently.

After the doxxing of Stern, GangExposed went after another important criminal, AKA professor, who is a 39-year-old Russian called Vladimir Viktorovich Kvitko. He is living in Dubai. Apart from exposing important individuals, GangExposed also leaked videos, ransom negotiations, and chat logs. 

About GangExposed

The leaker said it was not an “IT guy,” it just observed patterns that other people missed. 

"My toolkit includes classical intelligence analysis, logic, factual research, OSINT methodology, stylometry (I am a linguist and philologist), human psychology, and the ability to piece together puzzles that others don't even notice," the leaker said. 

"I am a cosmopolitan with many homes but no permanent base — I move between countries as needed. My privacy standards are often stricter than most of my investigations' subjects."

Leaked bought info to expose IDs

To expose the IDs of infamous threat actors, GangExposed used information received via “semi-closed databases, darknet services,” and through purchases. It has “access to the leaked FSB border control database.” GangExposed claims it purchased the database from the dark web for $250,000. 

GangExposed could have gotten at least $10 million in bounty from the FBI if it wanted to, but it has decided not to demand money.  This suggests the leakers may be resentful of former members looking for revenge, while some experts think taking the bounty would make them criminal as well. 

CySecurity had earlier reported on this incident, you can read the full story about the international crackdown on cybercrime gangs here

Read more »
Ransomwares
Advanced Social Engineering Cyber Attacks cybercriminal group data security FBI FBI cybersecurity advisory Law Firms Luna Moth phishing techniques ransomware attacks Ransomwares

FBI Warns of Silent Ransom Group Using Phishing and Vishing to Target U.S. Law Firms

 

The FBI has issued a warning about a sophisticated cybercriminal group known as the Silent Ransom Group (SRG), also referred to by aliases like Luna Moth, Chatty Spider, and UNC3753. This group has been actively targeting U.S.-based law firms and related organizations through advanced phishing techniques and social engineering scams. The group, which has been operational since 2022, is known for using deceptive communication methods to gain unauthorized access to corporate systems and extract sensitive legal data for ransom demands. In the past, SRG’s activities spanned across industries such as healthcare and insurance. 

However, since the spring of 2023, its focus has shifted to legal entities, likely because of the highly confidential nature of the data managed by law firms. The group commonly uses a method called callback phishing, also known as reverse vishing. In this approach, victims receive emails that appear to originate from reputable companies and warn them of small charges for fake subscriptions. The emails prompt users to call a phone number to cancel the subscription. During these calls, victims are instructed to download remote access software under the guise of resolving the issue. Once the software is installed, SRG gains control of the victim’s device, searches for valuable data, and uses it to demand ransom.  

In March 2025, SRG has adapted their strategy to include voice phishing or vishing. In this new approach, the attackers call employees directly, posing as internal IT staff. These fraudulent callers attempt to convince their targets to join remote access sessions, often under the pretext of performing necessary overnight maintenance. Once inside the system, the attackers move swiftly to locate and exfiltrate data using tools like WinSCP or a disguised version of Rclone. Notably, SRG does not prioritize escalating privileges, instead focusing on immediate data theft. The FBI noted that these voice phishing methods have already resulted in multiple successful breaches. 

SRG reportedly continues to apply pressure during ransom negotiations by making follow-up calls to victim organizations. While the group does maintain a public site for releasing stolen data, its use of this platform is inconsistent, and it does not always follow through on threats to leak information. A significant concern surrounding these attacks is the difficulty in detection. SRG uses legitimate system management and remote access tools, which are often overlooked by traditional antivirus software. The FBI advises organizations to remain vigilant, particularly if there are unexplained downloads of programs such as AnyDesk, Zoho Assist, or Splashtop, or if staff receive unexpected calls from alleged IT personnel. 

In response, the FBI urges companies to bolster cybersecurity training, establish clear protocols for authenticating internal IT requests, and enforce two-factor authentication across all employee accounts. Victims of SRG attacks are encouraged to share any information that might assist in ongoing investigations, including ransom communications, caller details, and cryptocurrency wallet data.
Read more »
Operation Endgame
Anti Virus Dark Web FBI Internet malware Operation Endgame

Undercover Operation Shuts Down Website Helping Hackers Internationally


Hackers used AVCheck to see malware efficiency

International police action has shut down AVCheck, an anti-virus scanning website used by threat actors to check whether their malware was detected by mainstream antivirus before using it in the attacks. The official domain “avcheck.net” now shows a seizure banner with the logos of the U.S. Secret Service, the U.S. Department of Justice, the FBI, and the Dutch Police (Politie).  

The site was used globally by threat actors

According to the announcement, AVCheck was a famous counter antivirus (CAV) website globally that enabled hackers to check the efficiency of their malware. Politie’s Matthijs Jaspers said, “Taking the AVCheck service offline marks an important step in tackling organized cybercrime." With the collaborative effort, the agencies have disrupted the “cybercriminals as early as possible in their operations and prevent victims." 

The officials also discovered evidence linking AVCheck’s administrators to encrypting services Cryptor.biz  (seized) and Crypt.guru (currently offline). Crypting services allow threat actors to hide their payloads from antivirus, blending them in the ecosystem. Hackers also use a crypting service to hide their malware, check it on AVCheck or other CAV services to see if is detected, and finally launch it against their targets. 

Details about the operation

Before the shutdown of AVCheck, the police made a fake login page warning users of the legal risks when they log in to such sites. The FBI said that “cybercriminals don't just create malware; they perfect it for maximum destruction.” Special Agent Douglas Williams said threat actors leverage antivirus services to “refine their weapons against the world's toughest security systems to better slip past firewalls, evade forensic analysis, and wreak havoc across victims' systems."

Operation Endgame

The undercover agents exposed the illegal nature of AVCheck and its links to ransomware attacks against the U.S. by purchasing these services as clients. According to the U.S. DoJ, in the “affidavit filed in support of these seizures, authorities made undercover purchases from seized websites and analyzed the services, confirming they were designed for cybercrime.”

The crackdown was part of Operation Endgame, a joint international law enforcement action that captured 300 servers and 650 domains used in assisting ransomware attacks. Earlier, the operation cracked down on the infamous Danabot and Smokeloader malware operations.

Read more »
operation raptor
Cyber Crime Dark Web Drug Trafficking FBI operation raptor

FBI Cracks Down on Dark Web Drug Dealers

 


A major criminal network operating on the dark web has been disrupted in a large international operation led by the FBI. Over 270 individuals have been arrested for their involvement in the online trade of dangerous illegal drugs such as fentanyl, meth, and cocaine. This operation involved law enforcement teams from the United States, Europe, South America, and Asia.


What is the dark web?

The dark web is a hidden part of the internet that isn’t available through standard search engines or browsers. It requires special tools to access and is often used to hide users’ identities. While it can offer privacy to those in danger or under surveillance, it is also known for being a place where criminals carry out illegal activities — from drug dealing to selling stolen data and weapons.


What was Operation RapTor?

The FBI’s mission, called Operation RapTor, focused on stopping the sale of illegal drugs through online black markets. Authorities arrested hundreds of people connected to these sites — not just the sellers, but also the buyers, website managers, and people who handled the money.

One of the most alarming parts of this case was the amount of fentanyl recovered. Authorities seized more than 317 pounds of it. According to FBI estimates, just 2 pounds of fentanyl could potentially kill about 500,000 people. This shows how serious the danger was.


Why this matters

These drug sellers operated from behind screens, often believing they were untouchable because of the privacy the dark web provides. But investigators were able to find out who they were and stop them from doing more harm. According to FBI leaders, these criminals contributed to drug addiction and violence in many communities across the country.

Aaron Pinder, a key official in the FBI’s cybercrime unit, said the agency has improved at identifying people hiding behind dark web marketplaces. Whether someone is managing the site, selling drugs, moving money, or simply buying drugs, the FBI is now better equipped to track them down.


What’s next?

While this operation won’t shut down the dark web completely, it will definitely make a difference. Removing major players from the drug trade can slow down their operations and make it harder for others to take their place — at least for now.

This is a strong reminder that the dark web, no matter how hidden, is not out of reach for law enforcement. And efforts like these could help save many lives by cutting off the supply of deadly drugs.

Read more »
FBI. Cyberespionage
Cyber Security CyberCrime cybercrime awareness Dark Web Dark web marketplace Dark Web Monitoring FBI FBI. Cyberespionage

FBI Busts 270 in Operation RapTor to Disrupt Dark Web Drug Trade

 

Efforts to dismantle the criminal networks operating on the dark web are always welcome, especially when those networks serve as hubs for stolen credentials, ransomware brokers, and cybercrime gangs. However, the dangers extend far beyond digital crime. A substantial portion of the dark web also facilitates the illicit drug trade, involving some of the most lethal substances available, including fentanyl, cocaine, and methamphetamine. In a major international crackdown, the FBI led an operation targeting top-tier drug vendors on the dark web. 

The coordinated effort, known as Operation RapTor, resulted in 270 arrests worldwide, disrupting a network responsible for trafficking deadly narcotics. The operation spanned the U.S., Europe, South America, and Asia, and confiscated over 317 pounds of fentanyl—a quantity with the potential to cause mass fatalities, given that just 2 pounds of fentanyl can be lethal to hundreds of thousands of people. While the dark web does provide a secure communication channel for those living under oppressive regimes or at risk, it also harbors some of the most heinous activities on the internet. 

From illegal arms and drug sales to human trafficking and the distribution of stolen data, this hidden layer of the web has become a haven for high-level criminal enterprises. Despite the anonymity tools used to access it, such as Tor browsers and encryption layers, law enforcement agencies have made significant strides in infiltrating these underground markets. According to FBI Director Kash Patel, many of the individuals arrested believed they were untouchable due to the secrecy of their operations. “These traffickers hid behind technology, fueling both the fentanyl epidemic and associated violence in our communities. But that ends now,” he stated. 

Aaron Pinder, unit chief of the FBI’s Joint Criminal Opioid and Darknet Enforcement team, emphasized the agency’s growing expertise in unmasking those behind darknet marketplaces. Whether an individual’s role was that of a buyer, vendor, administrator, or money launderer, authorities are now better equipped than ever to identify and apprehend them. Although this operation will not completely eliminate the drug trade on the dark web, it marks a significant disruption of its infrastructure. 

Taking down major players and administrators sends a powerful message and temporarily slows down illegal operations—offering at least some relief in the fight against drug-related cybercrime.
Read more »
Technology
AI ChatGPT CISA FBI GenAI NSA Technology

Governments Release New Regulatory AI Policy


Regulatory AI Policy 

The CISA, NSA, and FBI teamed with cybersecurity agencies from the UK, Australia, and New Zealand to make a best-practices policy for safe AI development. The principles laid down in this document offer a strong foundation for protecting AI data and securing the reliability and accuracy of AI-driven outcomes.

The advisory comes at a crucial point, as many businesses rush to integrate AI into their workplace, but this can be a risky situation also. Governments in the West have become cautious as they believe that China, Russia, and other actors will find means to abuse AI vulnerabilities in unexpected ways. 

Addressing New Risks 

The risks are increasing swiftly as critical infrastructure operators develop AI into operational tech that controls important parts of daily life, from scheduling meetings to paying bills to doing your taxes.

From foundational elements of AI to data consulting, the document outlines ways to protect your data at different stages of the AI life cycle such as planning, data collection, model development, installment and operations. 

It requests people to use digital signature that verify modifications, secure infrastructure that prevents suspicious access and ongoing risk assessments that can track emerging threats. 

Key Issues

The document addresses ways to prevent data quality issues, whether intentional or accidental, from compromising the reliability and safety of AI models. 

Cryptographic hashes make sure that taw data is not changed once it is incorporated into a model, according to the document, and frequent curation can cancel out problems with data sets available on the web. The document also advises the use of anomaly detection algorithms that can eliminate “malicious or suspicious data points before training."

The joint guidance also highlights issues such as incorrect information, duplicate records and “data drift”, statistics bias, a natural limitation in the characteristics of the input data.

Read more »
Microsoft
cyberattacks trending news cybercrime news FBI malware Microsoft

U.S. Shuts Down LummaC2 Malware Network in Major Takedown

 

In a major crackdown on cybercrime, the U.S. Department of Justice (DOJ), in coordination with the FBI and Microsoft, has dismantled a global malware operation known as LummaC2 by seizing five internet domains used to deploy the infostealer malware. LummaC2, notorious for stealing personal and financial data such as browser history, login credentials, and cryptocurrency wallet information, had compromised at least 1.7 million systems worldwide. 

The takedown occurred over three days in May 2025, with two domains seized on May 19, followed by the rapid seizure of three additional domains after the malware operators attempted to restore access. These domains acted as user panels for cybercriminals leasing or buying access to the malware, allowing them to deploy it across networks and extract stolen data. 

FBI Assistant Director Bryan Vorndran said, “We took action against the most popular infostealer service available in online criminal markets. Thanks to partnerships with the private sector, we were able to disrupt the LummaC2 infrastructure and seize user panels.” 

DOJ Criminal Division head Matthew R. Galeotti added, “This type of malware is used to steal personal data from millions, facilitating crimes such as fraudulent bank transfers and cryptocurrency theft.” In a parallel move, Microsoft launched a civil legal action to take down 2,300 more domains believed to be linked to LummaC2 actors or their proxies. 

Emphasising the value of collaboration, Sue J. Bai, chief of the DOJ’s National Security Division, said, “Today’s disruption is another instance where our prosecutors, agents, and private sector partners came together to protect us from the persistent cybersecurity threats targeting our country.” 

The operation, led by the FBI’s Dallas Field Office and supported by several DOJ divisions, forms part of a broader U.S. strategy to counter cyber threats, including a State Department programme offering up to $10 million for information on individuals targeting U.S. critical infrastructure.
Read more »
takedown
CloudFlare Cybersecurity DOJ Europol FBI Infostealer Lumma malware Microsoft takedown

Global Operation Dismantles Lumma Malware Network, Seizes 2,300 Domains and Infrastructure

 

In a sweeping international crackdown earlier this month, a collaborative operation involving major tech firms and law enforcement agencies significantly disrupted the Lumma malware-as-a-service (MaaS) operation. This effort resulted in the seizure of thousands of domains and dismantling of key components of Lumma's infrastructure across the globe.

A major milestone in the operation occurred on May 13, 2025, when Microsoft, through legal action, successfully took control of around 2,300 domains associated with the malware. Simultaneously, the U.S. Department of Justice (DOJ) dismantled online marketplaces used by cybercriminals to rent Lumma’s services, while Europol’s European Cybercrime Center (EC3) and Japan’s Cybercrime Control Center (JC3) helped take down Lumma’s infrastructure in their respective regions.

"Between March 16, 2025, and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware. Working with law enforcement and industry partners, we have severed communications between the malicious tool and victims," said Steven Masada, Assistant General Counsel of Microsoft's Digital Crimes Unit.

Cloudflare, one of the key players in the effort, highlighted the impact of the takedown.

“The Lumma Stealer disruption effort denies the Lumma operators access to their control panel, marketplace of stolen data, and the Internet infrastructure used to facilitate the collection and management of that data. These actions impose operational and financial costs on both the Lumma operators and their customers, forcing them to rebuild their services on alternative infrastructure,” Cloudflare stated.

The operation saw contributions from companies like ESET, CleanDNS, Bitsight, Lumen, GMO Registry, and law firm Orrick. According to Cloudflare, the Lumma malware misused their platform to mask server IP addresses that were used to siphon off stolen credentials and sensitive data.

Even after suspending malicious domains, the malware managed to bypass Cloudflare’s interstitial warning page, prompting the company to reinforce its security measures.

"Cloudflare's Trust and Safety team repeatedly flagged domains used by the criminals and suspended their accounts," the company explained.

“In February 2025, Lumma’s malware was observed bypassing Cloudflare’s interstitial warning page, which is one countermeasure that Cloudflare employs to disrupt malicious actors. In response, Cloudflare added the Turnstile service to the interstitial warning page, so the malware could not bypass it." 

Also known as LummaC2, Lumma is a sophisticated information-stealing malware offered as a subscription-based service, ranging from $250 to $1,000. It targets both Windows and macOS systems, enabling cybercriminals to exfiltrate data from browsers and apps.

Once installed, Lumma can extract a broad range of data, including login credentials, credit card numbers, cryptocurrency wallets, cookies, and browsing history from popular browsers like Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based platforms. The stolen data is packaged and sent to attacker-controlled servers, where it is either sold on dark web marketplaces or used in follow-up cyberattacks.

Initially spotted in December 2022 on cybercrime forums, the malware quickly gained traction. Cybersecurity firm KELA reported its rapid rise in popularity among cybercriminals.

IBM X-Force’s 2025 threat intelligence report revealed a 12% year-on-year increase in the number of stolen credentials being sold online, largely driven by the use of infostealers like Lumma. Phishing campaigns delivering such malware have surged by 84%, making Lumma the most dominant player in this threat landscape.

Lumma has been linked to major malvertising campaigns affecting hundreds of thousands of users and has been used by notorious groups such as the Scattered Spider cybercrime collective.

Recently, stolen data linked to Lumma has played a role in high-profile breaches at companies like PowerSchool, HotTopic, CircleCI, and Snowflake. In some cases, infostealer malware has been used to manipulate internet infrastructure, such as the Orange Spain RIPE account hijacking incident that disrupted BGP and RPKI configurations.

On the day of the crackdown, the FBI and CISA jointly issued a security advisory outlining indicators of compromise (IOCs) and detailing the tactics, techniques, and procedures (TTPs) employed by threat actors using Lumma malware.


Read more »
Subscribe to: Posts (Atom)