Sensitive Records of Over 1 Million People Exposed by U.S. Adoption Organization

A large-scale data exposure incident has come to light involving the Gladney Center for Adoption, a U.S.-based non-profit that helps connect children with adoptive families. According to a cybersecurity researcher, an unsecured database containing over a million sensitive records was recently discovered online.

The breach was uncovered by Jeremiah Fowler, a researcher who specializes in finding misconfigured databases. Earlier this week, he came across a large file measuring 2.49 gigabytes that was publicly accessible and unprotected by a password or encryption.

Inside the database were more than 1.1 million entries, including names and personal information of children, biological parents, adoptive families, employees, and potential applicants. Details such as phone numbers, mailing addresses, and information about individuals' approval or rejection for adoption were also found. Even private data related to biological fathers was reportedly visible.

Experts warn that this kind of data, if accessed by malicious actors, could be extremely dangerous. Scammers could exploit the information to craft convincing fake emails targeting people in the database. Such emails could trick individuals into clicking harmful links, revealing banking details, or paying fake fees, leading to financial fraud, identity theft, or even ransomware attacks.

To illustrate, a criminal could pretend to be an official from the adoption agency, claiming that someone’s previous application had been reconsidered, but required urgent action and a payment to proceed. Although this is just a hypothetical scenario, it highlights how exposed data could be misused.

The positive takeaway is that there is currently no evidence suggesting that cybercriminals accessed the database before it was found by Fowler. Upon discovering the breach, he immediately alerted the Gladney Center, and the organization took quick action to restrict access.

However, it remains unclear how long the database had been publicly available or whether any information was downloaded by unauthorized users. It’s also unknown whether the database was directly managed by Gladney or by an external vendor. What is confirmed is that the data was generated by a Customer Relationship Management (CRM) system, software used to track and manage interactions with clients.

This incident serves as a strong reminder for organizations handling personal data to regularly review their digital systems for vulnerabilities and to apply proper safeguards like encryption and password protection.

Gigabyte Firmware Vulnerability Enables Stealth UEFI Malware Infection

According to security researchers, a critical set of vulnerabilities has been identified in the UEFI firmware of a number of motherboards manufactured by Gigabyte, raising serious concerns about device integrity and long-term system security. Binarly, a cybersecurity firm, reports that the American Megatrends Inc. (AMI) firmware used on these boards contains four high-severity flaws that allow threat actors to execute code stealthily and persistently.

In its analysis, Binarly found that the vulnerabilities can be exploited by attackers who already hold local or remote administrative privileges to execute arbitrary code within the highly privileged System Management Mode (SMM). This execution environment is embedded in the firmware itself, operates independently of the host operating system, and gives the firmware considerable power over the underlying hardware.

Sophisticated threat actors therefore target SMM to gain deeper control over compromised computers and to establish long-term persistence. SMM is designed to handle low-level system functions and is activated very early in the boot process, well before the operating system takes over.

Because it is isolated and runs with elevated privileges, code running within SMM has unrestricted access to critical system resources, including memory, processor instructions, and hardware configuration. That makes it an ideal target for firmware-based malware, including bootkits, which can evade traditional endpoint protection tools that rely on OS-level visibility to detect them.

A compromised SMM can serve as a launch pad for advanced threat campaigns, allowing attackers to remain stealthy, disable security mechanisms, and even reinstall malware after reboots or operating system reinstalls. Exploitation of this layer dramatically increases what an attacker can do, which highlights the need for improved firmware security practices, regular updates, and hardware integrity verification in both consumer and enterprise environments.

Each of these vulnerabilities, CVE-2025-7026, CVE-2025-7027, CVE-2025-7028, and CVE-2025-7029, has been assigned a CVSS severity score of 8.2 out of 10 and is therefore categorized as high-risk. By exploiting them, attackers could elevate system privileges, deploy bootkits, and execute malicious code remotely.

Once such malware is installed, it can gain deep-rooted persistence at the firmware level, making it extremely difficult for conventional antivirus software to detect or remove. The discovery underscores the growing threat of firmware-based attacks, especially those aimed at UEFI, the Unified Extensible Firmware Interface that underpins a computer's operating system. Compromising this layer lets adversaries take control of a system before the operating system even loads, effectively subverting all system defenses from the ground up.

Because Gigabyte motherboards are widely used by both consumers and enterprises, the vulnerabilities have potentially broad implications, especially for organizations that rely on hardware trust and boot process integrity. Binarly's findings point not only to technical issues in the firmware supply chain but also to ongoing challenges in validating firmware robustly throughout the boot process. The vulnerabilities were discovered during extensive analysis by Binarly, a firmware security company.

Some of the flaws were rooted in Gigabyte's implementation of the UEFI firmware; the original firmware was developed by American Megatrends Inc. The researchers responsibly disclosed their findings to the CERT Coordination Center (CERT/CC).

AMI addressed the issues after a private disclosure, but some downstream firmware builds, particularly those for Gigabyte products, had not incorporated the necessary fixes at the time of discovery. Binarly identified four distinct vulnerabilities in the affected firmware, each carrying a CVSS score of 8.2. They reside in System Management Interrupt (SMI) handlers, an integral part of the SMM environment, and can cause the affected firmware to crash when exploited.

Specifically: 

CVE-2025-7029 is a vulnerability in the OverClockSmiHandler that can be exploited to elevate privileges within System Management Mode. CVE-2025-7028 allows unauthorized access to System Management RAM (SMRAM), a critical memory region, which is likely to allow malware to be installed by unapproved means.

CVE-2025-7027 enables SMM privilege escalation and arbitrary code injection into SMRAM, compromising the integrity of the firmware as a whole. CVE-2025-7026 allows arbitrary write access to SMRAM, opening the way to long-term persistence by letting attackers remotely manipulate the firmware layer and exert full control over it.

Binarly reports that the vulnerabilities affect more than 240 Gigabyte motherboards, including numerous revisions, regional variants, and product iterations released between late 2023 and mid-August 2024. Binarly representatives acknowledge that over a hundred distinct product lines are currently known to be vulnerable, but the exact number of affected units remains fluid.

The firmware-level flaws also appear to affect other enterprise hardware manufacturers, although those companies have not yet been named; vendors are reported to be withholding disclosure until security patches are developed and deployed, in order to limit customer risk. Binarly's report states that the vulnerabilities affect several of Gigabyte's legacy Intel-based motherboards, including the H110, Z170, Z270, Z370, Z390, and Z590 models.

Newer Gigabyte platforms appear not to be affected, and new BIOS updates are currently being rolled out for supported devices. End-of-life devices will not receive automatic firmware updates, which leaves users of those systems responsible for initiating remediation themselves. For tailored assistance, Gigabyte recommends contacting its regional Field Application Engineers.

A CERT Coordination Center (CERT/CC) advisory issued last week strongly urged users to visit the Gigabyte support portal to verify whether updated firmware is available and to apply patches without delay, especially if they use hardware that Gigabyte no longer supports. According to CERT/CC, these are not theoretical vulnerabilities: they represent a credible and active threat that can be exploited in stealthy, long-term system compromises, so users and organizations must act immediately to protect themselves.

American Megatrends Inc. (AMI) addressed these issues in the past following private disclosures, but CERT/CC emphasized that the flaws remain in certain OEM implementations, such as Gigabyte's. The situation exposes a critical weakness in the firmware supply chain: hardware vendors need more rigorous downstream verification so that AMI's fixes are properly integrated and tested.

Binarly also cautioned that System Management Mode (SMM) remains a very attractive attack vector for advanced threat actors because of its elevated privileges and isolation from the operating system. Malicious software operating in this layer runs covertly beneath the OS, which makes it incredibly difficult for traditional security tools to detect and remove. Security experts shared these concerns.

Gunter Ollmann, CTO of the cybersecurity firm Cobalt, described a firmware-level vulnerability as a nightmare scenario for enterprise security professionals: a compromise that takes place below the operating system and is not visible by conventional means is the ultimate "ghost in the machine".

"The security flaws that have been detected indicate persistent, hard-to-detect control over the system, which highlights the importance of companies extending security testing throughout the entire technology stack," Ollmann said. In his view, penetration testing programs should include firmware-level targets and ensure that red team operators are able to assess hardware-level security threats. In response, organizations are advised to apply BIOS updates immediately upon release and to phase out unsupported legacy hardware as soon as possible.

A solid hardware security strategy should begin with regular firmware audits, close cooperation with hardware vendors, and deeper security assessments at the firmware level. The situation is particularly concerning because some of the affected Gigabyte platforms are marked end-of-life (EOL) and are no longer eligible for security updates, leaving them permanently exposed to exploitation. According to Binarly CEO Alex Matrosov, a number of such devices are expected to remain vulnerable indefinitely, creating long-term security blind spots for individuals and enterprises still using outdated technology.

Cybersecurity experts continue to stress the severity of firmware-level threats. Gunter Ollmann, Chief Technology Officer at Cobalt, described these vulnerabilities as "a nightmare scenario" for defense teams. "This is the ultimate 'ghost in the machine'—a compromise which takes place below the operating system and exploits a layer of the system that is inherently trusted, and thus is largely invisible to traditional security tools," Ollmann explained in an interview with Help Net Security.

The evolution of attacker tactics has made more comprehensive testing across the entire technology stack a necessity. Security assessments need to broaden their scope to include firmware-level vulnerabilities, and red teams need the expertise to analyze threats lurking at hardware interfaces.

Coordination across the firmware supply chain adds further complexity. Although AMI has privately addressed these vulnerabilities and shared remediation details with downstream partners under nondisclosure agreements, it is increasingly apparent that some OEM vendors have not yet fully implemented or validated their own firmware releases to address them.

This gap highlights the systemic challenge of maintaining consistent security across a wide range of hardware ecosystems, and the need for greater collaboration and transparency among firmware developers, OEMs, and security researchers. In conclusion, firmware security remains a crucial but often overlooked element of system protection.

As attackers continue to innovate below the operating system, where detection is minimal and trust is implicit, organizations need to adopt a holistic, proactive security posture. Firmware should not be treated as a static component of the infrastructure but as a living entity that requires continuous inspection, patching, and risk assessment.

Firmware validation should be formalized and incorporated into enterprise vulnerability management workflows, OEM partners should be held to greater transparency and responsiveness, and security programs should be built cross-functionally to cover the entire hardware-software stack.

The importance of investing in specialized skills cannot be overstated: security teams must be able to assess low-level threats, perform firmware penetration tests, and rigorously audit supply chain practices. In today's rapidly evolving threat landscape, neglecting firmware is no longer a tolerable blind spot; it is becoming a strategic liability.

Ransomware Attacks Surge in 2025, With Smaller Businesses and Manufacturers Most Affected

Ransomware threats are rising fast in 2025, with the first half of the year already showing a sharp increase in attacks. New research shows that U.S.-based companies, small and medium-sized businesses, and firms in the manufacturing sector are currently among the top targets for these cybercriminal campaigns.

Between January and June this year, nearly 4,200 ransomware incidents were made public on the dark web. That’s a 49% jump compared to the same time period in 2024, according to recent findings by cybersecurity firm NordStellar.

Experts suggest that several factors may be driving this rise. These include the growing use of Ransomware-as-a-Service (RaaS), a model in which criminal groups rent out ransomware tools to others, as well as challenges related to remote or hybrid working setups. Additionally, ongoing economic struggles may be pushing more individuals toward illegal activities, including cybercrime.

In terms of geography, the United States experienced the highest number of attacks, with 596 cases. This accounted for nearly half of all reported incidents worldwide. Other affected countries included Germany (84 cases), Canada (74), the UK (40), and Spain (37). Analysts believe that U.S. companies are often targeted because of their size, visibility, and the potential financial damage of a public attack. These businesses are more likely to pay the ransom quickly to avoid reputational harm.

Tight regulations around data privacy and system availability may also push organizations to resolve incidents faster, especially if they fear penalties or losing client trust.

The manufacturing sector was hit particularly hard, with 223 reported cases. Construction (97 incidents) and the IT industry (88) followed close behind. Experts point out that many of these organizations rely on older systems that lack regular updates, and they often operate in multiple locations, making cybersecurity harder to manage across the board.

Small to mid-sized firms, especially those with 51 to 200 employees and annual revenue between $5 million and $25 million, faced the most ransomware attempts. Researchers say this may be because these companies often depend on third-party IT providers and don’t always have strong internal security policies.

As for which ransomware gangs are most active in 2025, the group known as Qilin leads with 214 reported attacks. SafePay, allegedly linked to a recent incident involving a global tech distributor, followed with 201 cases, and Akira came in third with 200.

Cybersecurity professionals continue to emphasize basic but crucial practices: employee training on phishing threats, use of multi-factor authentication, and better password protection. Beyond that, building a full-scale cybersecurity plan is key to identifying and stopping threats early, before they cause widespread damage.

The Alarming Convergence of Cyber Crime and Real-World Threats

In today's hyper-connected world, nearly every aspect of everyday life relies on digital systems, from banking and shopping to remote work, social media, and cloud-based services. As more people integrate technology into their daily lives, cybercriminals have become increasingly successful at hunting down and exploiting them.

Malicious actors exploit vulnerabilities in both systems and human behaviour to launch sophisticated attacks, ranging from identity theft and phishing scams to massive ransomware campaigns and financial fraud. There is no doubt that cybercrime has become a pervasive and damaging threat in the modern era.

It affects individuals, businesses, and governments alike. What was once the domain of lone hackers has developed into a globally organised industry, driven by profit and armed with ever-evolving tools, including artificial intelligence, that are transforming the cybersecurity landscape.

As billions of people interact with digital platforms daily, the risk of falling victim to cyber-enabled crime continues to rise, making cybersecurity not only a technical matter but a fundamental necessity of our time. Cybercrime has continued to grow in scope and sophistication, from phishing attacks to artificial intelligence-driven scams, and now causes unprecedented damage to the global economy, exceeding $1 trillion annually.

Cybercriminals are becoming ever more sophisticated as technology advances, and this alarming trend calls for a coordinated, long-term response that transcends the boundaries of individual organisations. Recognising the systemic nature of cybercrime, the Partnership against Cybercrime, in collaboration with the Institute for Security and Technology, has launched the Systemic Defence initiative.

In this global effort, participating companies will develop a multi-stakeholder, forward-looking, multi-layered approach to cybersecurity threats, especially phishing and cyber-enabled fraud, that aims to redefine how people deal with these threats. The project argues strongly that, instead of relying solely on reactive measures, responsibility should be moved upstream, where risks can be mitigated before they become major problems.

The initiative encourages government, industry leaders, law enforcement, and civil society to collaborate on a more resilient digital ecosystem in which cyber threats can be anticipated and neutralised. With threat actors increasingly using artificial intelligence to launch more deceptive and scalable attacks, there has never been a better time to share intelligence, deploy proactive defences, and establish unified standards.

Through the Systemic Defence project, people will be better able to identify threats and protect the global digital infrastructure against a rapidly evolving threat landscape. As cybercrime scales in reach and impact, experts warn of a growing financial toll that could soon overshadow even the most devastating global events.

Cybersecurity Ventures projects that the global cost of cybercrime will grow by 15 per cent annually, reaching $10.5 trillion per year by 2025, up from $3 trillion in 2015. This dramatic escalation is widely considered the largest transfer of wealth in human history and poses a direct threat to global innovation, economic stability, and long-term investment.

The forecast is not speculation; it is based on in-depth analysis of historical data, the rising number of state-sponsored cyberattacks and organised cybercrime syndicates, and an exponential increase in digital attacks. As the world becomes more dependent on interconnected technologies, from personal devices to enterprise systems, opportunities for exploitation multiply, producing an ever-evolving landscape of cybercrime risk.

The economic costs of cybercrime are far-reaching and multifaceted. Among the most significant are the destruction or theft of data, direct financial loss, disruption to operations, lost productivity, theft of intellectual property and confidential data, embezzlement and fraud, and the high costs of legal and forensic investigation. Organisations also suffer long-term reputational damage and a loss of customer trust that can take a long time to recover from.

Cybercrime is expected to be more costly than the combined global trade in all major illegal drugs, and its economic impact is expected to be exponentially larger than that of all natural disasters combined. It is therefore no longer a niche security problem; it is a systemic global threat that requires urgent, coordinated, and sustained attention from every sector.

In the last decade or so, the cyber threat landscape has been transformed fundamentally, as a result of the rapid evolution of cybercrime and the increasing use of advanced persistent threat (APT) tactics by criminal actors. In 2024, Critical Start's Cyber Research Unit (CRU) is expecting a significant shift in cyber criminal activity, as they will be refining and using APT-level techniques that were once primarily associated with nation states. 

Using advanced methods, such as artificial intelligence, machine learning, social engineering, as well as spear-phishing campaigns, cyberattacks are becoming more effective, stealthier, and harder to detect or contain, as they now make use of smart methodologies. The APT tactic enables criminals, in contrast to traditional cyberattacks, which often rely on quick attacks and brute-force intrusion, to establish a long-term foothold within networks, carry out sustained surveillance, and carry out highly precise, calculated operations. 

As a result of the ability to remain undetected while gathering intelligence or gradually executing malicious objectives, governments, businesses, critical infrastructure companies, as well as individuals have been increasingly threatened. Despite the fact that cybercriminals have evolved in tactics, there has also been a fundamental shift in the scale, scope, and motivation of cybercrime as a whole. Cybercrime has since grown into a profitable enterprise mimicking the structure and strategy of legitimate businesses, which has evolved from a business largely driven by prestige or mischief during the early internet era of the 1990s. 

During the 1990s and 2006, cybercriminals began to capitalise on the economic potential of the internet, resulting in a period in which digital crime was being monetised. According to the World Economic Forum, cybercrime represents the third-largest economy in the world, illustrating its tremendous financial impact. Even more alarming about this evolution is the easy access to cybercriminal tools and services that make cybercrime so common. 

As a result of the democratisation of cybercrime, individuals with little or no technical expertise can now purchase malware kits, rent access to compromised networks, or utilise ransomware-as-a-service platforms at very low costs. Because of this, sophisticated attacks have increased in sophistication, especially in sectors such as healthcare, education, and commerce, as a result of this democratisation of cybercrime.

Cybercriminals have continued to blur the lines between criminal enterprises and nation-state tactics, making ransomware one of the most effective and preferred attack vectors. In today's cyber world, cybercriminals are often able to deliver malicious software through exploited security gaps. As such, it has become increasingly important to implement proactive, intelligence-driven, and systemic cybersecurity measures. This evolving digital warfront does not remain limited to high-profile organisations any longer. 

Every connected device and vulnerable system now represents a potential entry point into this digital war. In today's cybercrime ecosystem, there are a number of alarming aspects that are highlighting the use of the dark web by sophisticated threat actors, including state-sponsored organisations, which is becoming more prevalent. 

Based on the IBM X-Force 2025 Threat Intelligence Index, it is reported that actors are exploiting the anonymity and the decentralized nature of the dark web to acquire high-end cyber tools, exploit kits, stolen credentials, and services that will enable them to increase the scope and precision of their attacks by acquiring cutting-edge cyber tools. 

Cybercriminal innovation has been fueled by this hidden marketplace, enabling a level of coordination, automation, and operational sophistication that has reshaped the global threat landscape for the better. A threat from this adversary is no longer an isolated hacker working in a silo, but rather a group of highly organised, collaborative cybercriminals whose structure and efficiency are similar to that of legitimate businesses. 

In recent years, cybercriminals have been evolving in a rapid fashion, with unprecedented technical sophistication that allows them to go beyond simple data breaches to launch widespread disruptions in the digital world. Cybersecurity attacks include attacks on critical infrastructure, supply chains, and services that are essential to our daily lives, often with devastating consequences. Parallel to this growing threat, cyberattacks are posing a much greater financial toll than they ever have. 

According to IBM's latest report on the Cost of Data Breach, the average cost of a data breach is rising steadily at an alarming rate. The average cost of a data breach has increased by 10% from USD 4.45 million in 2023, which is the sharpest spike ever since the beginning of COVID-19. In addition to the increasing complexity and severity of cyber incidents, organisations are under increasing pressure to respond quickly and effectively to these incidents. 

The costs associated with business breaches are increasing, ranging from direct financial losses to forensic investigations, legal fees, customer notification, and identity protection services. During the past year, these post-incident expenses had increased by nearly 11%, and there has been a growing number of regulatory penalties that have been imposed. 

Throughout the report, it is highlighted that the number of organisations that have been fined more than USD 50,000 jumped 22.7%, and the number of organisations facing penalties over USD 100,000 increased by 19.5%. Therefore, organisations should think beyond traditional cybersecurity strategies to achieve the most effective results. 

The emergence of increasingly elusive and well-equipped threat actors has made it essential for businesses to develop an adaptable, intelligence-led, and resilience-focused approach so that they can mitigate long-term damage to digital assets and protect business continuity as well. It is well known that cybercrime is a resilient ecosystem, with actors who are financially driven specialising in specific roles, such as malware development, the brokerage of initial access, or the laundering of money. 

In general, these actors often work together fluidly, forming flexible alliances but maintaining multiple partners for the same service. This means that when one ransomware-as-a-service provider or malware hub is taken down, the disruption is only temporary, and others will quickly fill in to take over. There is no doubt that this adaptability illustrates the importance of broad, coordinated strategies geared towards dismantling the infrastructure that makes such operations possible, focusing instead on removing the individuals who facilitate these operations.

Organisations, governments, and individuals must adopt a proactive security mindset based on continuous adaptation to effectively combat the rising tide of cybercrime. It is not enough to deploy advanced technologies to accomplish this; it is essential that people foster cyber literacy at all levels, build cross-sectoral alliances, and incorporate security as a part of the DNA of digital transformation as a whole.

As threat landscapes change, regulatory frameworks must evolve in tandem, encouraging transparency, accountability and security-by-design across all sectors of technology. As the global economy becomes increasingly reliant on digital technology, cybersecurity is becoming a strategic imperative—an investment in long-term trust, innovation, and stability that can be achieved by building a resilient cyber workforce capable of anticipating and responding to threats quickly and with agility. 

As digital dependence deepens, cybersecurity must become a strategic imperative instead of just an operational consideration. Failing to act decisively today will not only embolden threat actors but will also undermine the very infrastructure that is at the heart of modern society.

Latest Malware "Mamona" Attacks Locally, Hides by Self Deletion

Cybersecurity experts are tracking Mamona, a new ransomware strain notable for its stripped-down build and silent local execution. Experts note that the ransomware avoids the usual command-and-control (C2) servers, choosing instead a self-contained method that evades tools relying on network traffic analysis.  

The malware is executed locally on a Windows system as a standalone binary file. The offline approach reveals a blind spot in traditional defenses, raising questions about how even the best antivirus and detection mechanisms will work when there is no network.

Self-deletion and escape techniques make detection difficult

Once executed, it starts a three-second delay via a modified ping command, "cmd.exe /C ping 127.0.0.7 -n 3 > Nul & Del /f /q." After this, it self-deletes. The self-deletion eliminates forensic artifacts, making it difficult for analysts to track or examine the malware after it has been executed. 

The malware uses 127.0.0.7 instead of the usual 127.0.0.1, which helps it evade detection measures. This tactic escapes simple detection checks and doesn't leave the traces that older file-based scanners might tag. The malware also drops a ransom note titled README.HAes.txt and renames impacted files with the .HAes extension, which signals that encryption has completed. 

“We integrated Sysmon with Wazuh to enrich logs from the infected endpoint and created Wazuh detection rules to identify malicious behaviour associated with Mamona ransomware,” said Wazuh in a blog post.

Spotting Mamona

Wazuh has warned that the "plug-and-play" nature of the malware makes it easy for cybercriminals to use and contributes to the commoditization of ransomware. This change highlights an urgent need for a robust review of what counts as the best ransomware protection when such attacks do not need remote control infrastructure. Wazuh's method for tracking Mamona combines Sysmon for log capture with custom rules that flag particular behaviours, such as ransom note creation and ping-based delays.

According to TechRadar, “Rule 100901 targets the creation of the README.HAes.txt file, while Rule 100902 confirms the presence of ransomware when both ransom note activity and the delay/self-delete sequence appear together.”
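Detection logic of the kind the article describes (ransom-note creation correlated with the ping-delay/self-delete chain), as an added Python example that is not Wazuh's rule set or code from the original post. The Sysmon-shaped events, paths and binary name are constructed, and the two-tier verdict is modelled on the two-rule scheme quoted above.

```python
import re

# Constructed sample telemetry shaped like Sysmon Event ID 1 (process creation)
# and Event ID 11 (file creation). The paths and the binary name are made up.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /C ping 127.0.0.7 -n 3 > Nul & Del /f /q "C:\Users\victim\sample.exe"'},
    {"event_id": 11, "image": r"C:\Users\victim\sample.exe",
     "target_filename": r"C:\Users\victim\Documents\README.HAes.txt"},
    {"event_id": 11, "image": r"C:\Users\victim\sample.exe",
     "target_filename": r"C:\Users\victim\Documents\budget.xlsx.HAes"},
    # Benign loopback ping that must not trip the delay/self-delete rule.
    {"event_id": 1, "image": r"C:\Windows\System32\ping.exe",
     "command_line": "ping 127.0.0.1 -n 1"},
]

# A ping to any 127/8 address used as a sleep, chained into a forced delete. Matching
# the whole loopback range covers the 127.0.0.7 substitution aimed at 127.0.0.1-only checks.
DELAY_DELETE_RE = re.compile(r"ping\s+127(?:\.\d{1,3}){3}\s+-n\s+\d+\b.*?&\s*del\s+/f\s+/q", re.IGNORECASE)

def is_delay_self_delete(event):
    """Process creation whose command line is the ping-delay-then-delete chain."""
    return event.get("event_id") == 1 and bool(
        DELAY_DELETE_RE.search(event.get("command_line", "")))

def is_ransom_note(event):
    """Creation of the README.HAes.txt ransom note (analogue of the first rule)."""
    return event.get("event_id") == 11 and \
        event.get("target_filename", "").lower().endswith("readme.haes.txt")

def is_haes_file(event):
    """Creation of a file with the .HAes extension, i.e. an encrypted victim file."""
    return event.get("event_id") == 11 and \
        event.get("target_filename", "").lower().endswith(".haes")

def classify(events):
    """Correlate one endpoint's events; 'ransomware_confirmed' needs note AND delay chain."""
    note = any(is_ransom_note(e) for e in events)
    delay = any(is_delay_self_delete(e) for e in events)
    encrypted = sum(1 for e in events if is_haes_file(e))
    verdict = ("ransomware_confirmed" if note and delay
               else "suspicious" if (note or encrypted) else "clean")
    return {"ransom_note": note, "delay_self_delete": delay,
            "encrypted_files": encrypted, "verdict": verdict}

if __name__ == "__main__":
    print(classify(SAMPLE_EVENTS))
```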

Hypervisor Ransomware Threat Grows: MITRE ATT&CK v17 Puts C-Suite on Alert

The latest update to the MITRE ATT&CK framework—version 17—has brought hypervisor security into sharp focus, prompting a necessary shift in how organizations view the core of their virtualized infrastructure. For the first time, VMware ESXi hypervisors have received a dedicated matrix within the widely adopted framework, underscoring their growing vulnerability to targeted cyberattacks. This move serves as a wake-up call for executive leadership: hypervisor security is no longer just a technical concern, but a strategic imperative. 

As enterprises increasingly rely on virtual machines to run mission-critical workloads and store sensitive data, any compromise at the hypervisor level can have devastating consequences. A single attack could trigger operational downtime, lead to failed audits, and expose the organization to compliance violations and regulatory scrutiny. Experts warn that unaddressed ESXi vulnerabilities may even be classified as preventable lapses in due diligence. 

Compounding the issue is the fact that many organizations still lack defined incident response playbooks tailored to hypervisor attacks. With MITRE ATT&CK now mapping tactics used to breach, move laterally, and deploy ransomware within hypervisors, the risks are no longer theoretical—they are measurable and real. 

To mitigate them, leadership must champion a security strategy that includes robust access controls such as multi-factor authentication, role-based permissions, lockdown policies, and virtual patching to cover unpatched or zero-day vulnerabilities. Additionally, organizations are urged to deploy runtime monitoring and align defences with the MITRE ATT&CK framework to improve security posture and audit readiness. Failing to address this blind spot could cost companies more than just operational delays—it could lead to loss of customer trust and reputational damage. 

As threat actors grow more sophisticated, overlooking the hypervisor layer is no longer an acceptable risk. The inclusion of ESXi in ATT&CK v17 represents a broader industry recognition that hypervisors must be part of the core cybersecurity conversation. For the C-suite, this means embracing their role in driving hypervisor resilience across security, infrastructure, and governance functions before an attack makes that decision for them.

Investigation Reveals Employee Secretly Helped in Extortion Payments

Employee helped in ransomware operations

Federal agents are investigating allegations that a former employee of a Chicago-based firm, DigitalMint, which specializes in cryptocurrency payments and ransomware negotiations, may have profited by collaborating with hackers in extortion cases. Founded in 2014, DigitalMint operates under the name Red Leaf Chicago and is recognized for securing cryptocurrency payments for companies that face ransomware threats. 

About DigitalMint

DigitalMint has taken over 2,000 ransomware cases since 2017, offering services like direct negotiations with hackers and incident response. The clients range from small firms to Fortune 500 companies. 

DigitalMint President Marc Jason told partner firms that the US Department of Justice (DoJ) is investigating the allegations. The employee (identity unknown) was sacked soon after the scam was found. According to Bloomberg, Grens said, “As soon as we were able, we began communicating the facts to affected stakeholders.” 

About the investigation

DigitalMint is currently working with the DoJ, and it clarified that the company is not the target of investigation. Grens did not provide more details as the investigation is ongoing. The DoJ declined to offer any comments. 

The incident has led a few firms to warn clients against dealing with DigitalMint, concerned about the dangers involved in ransomware deals. Ransomware attacks can compromise systems, leak sensitive information, and encrypt data. Ransom demands sometimes run to millions of dollars; worldwide, extortion attacks cost billions of dollars every year.

Is ransomware negotiation worth it?

The controversy has also raised questions about conflicts of interest in the ransomware negotiation industry. According to James Talientoo, chief executive of the cyber intelligence services company AFTRDRK, “A negotiator is not incentivized to drive the price down or to inform the victim of all the facts if the company they work for is profiting off the size of the demand paid. Plain and simple.”

Security experts cautioned that paying a ransom is a risky undertaking, even when handled by expert ransom negotiation firms. A payment helps fund the operations of ransomware gangs, and it can also invite further attacks.

Chaos Ransomware Strikes Optima Tax Relief, Leaks 69GB of Sensitive Customer Data

In a significant cybersecurity incident impacting the financial services sector, U.S.-based tax resolution firm Optima Tax Relief has reportedly suffered a ransomware attack orchestrated by the Chaos ransomware group. The attackers have allegedly exfiltrated and leaked approximately 69GB of data, including confidential corporate records and sensitive personal tax files.

The exposed information reportedly includes Social Security numbers, home addresses, phone contacts, and banking details — all highly valuable to identity fraudsters. Given the nature of tax records, cybersecurity experts caution that the risks for affected individuals could extend for years, as this type of data cannot simply be changed like passwords.

Chaos Group Increases Aggression 

The ransomware group behind the attack, known as Chaos, has been active since March 2025 and is rapidly gaining notoriety for targeting organisations with vast stores of personally identifiable information (PII). Unlike the earlier Chaos ransomware builder seen in 2021, this iteration appears to be a more organised threat actor, employing a strategic approach in selecting its victims. This isn’t their first major claim. In May, Chaos asserted responsibility for a breach involving The Salvation Army, though that incident has yet to be independently verified. 

Silence from Optima Raises Questions 

Optima Tax Relief has yet to release a public statement or acknowledge the breach, prompting concerns among cybersecurity professionals and affected customers. It is still unclear whether the company has reported the incident to federal authorities or regulators. The lack of transparency is drawing criticism over potential lapses in consumer notification, data handling, and compliance with data protection regulations. 

Recommendations for Affected Individuals 

For anyone who has previously engaged Optima's services, cybersecurity analysts recommend treating their personal information as compromised. Immediate protective steps include: 

1. Enrolling in identity theft protection services that offer credit and SSN monitoring 

2. Reviewing bank statements and credit card activity for suspicious transactions 

3. Requesting credit freezes or fraud alerts from financial institutions 

4. Using data removal tools to reduce digital exposure 

5. Installing reputable antivirus software to fend off phishing or malware threats 

6. Enabling two-factor authentication on all financial and sensitive accounts 

A Warning for the Financial Sector 

This breach is part of a growing pattern in which ransomware groups are aggressively targeting organisations that store large volumes of sensitive consumer data — particularly in tax, legal, and healthcare sectors. Experts point out that financial firms, especially those involved in tax resolution, remain prime targets due to their often under-resourced cybersecurity infrastructure.

As investigations continue, pressure is mounting on Optima Tax Relief to disclose the extent of the damage and take accountability for customer safety moving forward.