Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Security Breach. Show all posts
Technology
AI Cloud Data Google Internet Security Breach Technology

Security Breach Reveals "Catwatchful" Spyware is Snooping on Users

Security Breach Reveals "Catwatchful" Spyware is Snooping on Users

A security bug in a stealthy Android spyware operation, “Catwatchful,” has exposed full user databases affecting its 62,000 customers and also its app admin. The vulnerability was found by cybersecurity expert Eric Daigle reported about the spyware app’s full database of email IDs and plaintext passwords used by Catwatchful customers to access stolen data from the devices of their victims. 

Most of the victims were based in India, Argentina, Peru, Mexico, Colombia, Bolivia, and Ecuador. A few records date back to 2018. The leaked database also revealed the identity of the Catwatchful admin called Omar Soca Char.

The Catwatchful database also revealed the identity of the spyware operation’s administrator, Omar Soca Charcov, a developer based in Uruguay.

About Catwatchful

Catwatchful is a spyware that pretends to be a child monitoring app, claiming to be “invisible and can not be detected,” while it uploads the victim’s data to a dashboard accessible to the person who planted the app. The stolen data includes real-time location data, victims’ photos, and messages.  The app can also track live ambient audio from the device’s mic and access the phone camera (both front and rear).

Catwatchful and similar apps are banned on app stores, and depend on being downloaded and deployed by someone having physical access to a victim’s phone. These apps are famous as “stalkerware” or “spouseware” as they are capable of unauthorized and illegal non-consensual surveillance of romantic partners and spouses. 

Rise of spyware apps

The Catwatchful incident is the fifth and latest in this year’s growing list of stalkerware scams that have been breached, hacked, or had their data exposed. 

How was the spyware found?

Daigle has previously discovered stalkerware exploits. Catwatchful uses a custom-made API, which the planted app uses to communicate to send data back to Catwatchful servers. The stalkerware also uses Google Firebase to host and store stolen data. 

According to Techradar, the “data was stored on Google Firebase, sent via a custom API that was unauthenticated, resulting in open access to user and victim data. The report also confirms that, although hosting had initially been suspended by HostGator, it had been restored via another temporary domain."

Read more »
Security Breach
Cyber Privacy Cyberhackers Cybersecurity CyberThreat malware messages Security Breach

Recognizing the Messages That Signal a Security Breach

 


Increasingly, cybersecurity experts warn that using traditional antimalware tools can lead to a false sense of security if used in conjunction with a system of prevention. In today's rapidly evolving threat environment, this software remains a staple of personal and enterprise protection strategies. However, its limitations have become painfully obvious as the threat environment rapidly evolves. 

There is no doubt in my mind that signature-based scanners, in particular, are notoriously unreliable, particularly when faced with newly released exploits and malware variants—especially when they have just been released. One way to see the impact of this problem is to submit a suspicious file to Google's VirusTotal service, which aggregates results from 60 of the most trusted anti-malware engines in the world, but the detection rates are sometimes inconsistent and shockingly low even there. 

A major issue facing cybercriminals is the fact that they no longer have to rewrite malicious code in order to evade detection. In many cases, they are only necessary to rearrange a few bytes or make minor adjustments to render the threat completely invisible to traditional scanners, thus enhancing the accuracy of the scan. 

In order to increase accuracy, security vendors have added new layers of defence to their systems. The majority of antimalware solutions are now based on heuristic algorithms, which use analysis of program behaviour in order to identify suspicious activity rather than solely on known signatures in order to identify malicious software. 

Other companies also use virtualised sandboxes to observe files in isolation, monitor system processes in real-time, and analyse network traffic to detect threats. Although there have been significant advances in defending against cyber attacks, attackers continue to develop new techniques faster than defences can respond. The reality is that no single security product matter how advanced-can detect or block every cyber threat with total reliability. 

As malware is constantly mutating and adversaries are constantly refining their techniques at unprecedented speeds, organizations and individuals alike will need to adopt a more comprehensive approach to security. It will go well beyond simply installing antimalware software to ensure security goes well. 

The term security breach is generally understood as any incident in which sensitive data, networks, computer systems, or devices are accessed, disclosed, or tampered with without the authorization of the party involved. Such breaches do much more than simply cause inconveniences; they threaten data integrity, personal privacy, and organizational confidentiality in a way that goes far beyond mere inconveniences. 

In today's digital society where every aspect of life, including financial transactions, shopping, social interaction, and entertainment, is facilitated through online platforms, the stakes are much higher than ever. In many cases, individuals entrust their most private information with digital services and presume they will be protected by robust safeguards, which is why they trust digital services so much with their sensitive information. 

However, the reality is that as the volume and value of stored data increase, the incentive for malicious actors to exploit vulnerabilities will also increase. It is no secret that cybercriminals have been relentlessly targeting databases and applications to harvest data, such as personal information, payment information, and login credentials, all of which can then be exploited in order to commit identity thefts, financial frauds, and other sophisticated forms of cybercrime. 

For organizations, the impact of a security breach will be even greater. A compromised system does not only disrupt operations immediately, but it can also cause significant financial losses, regulatory penalties, and costly legal actions. Perhaps the most damaging of these effects, however, is the erosion of customer trust and corporate reputation, which can take years to restore. 

There is a growing awareness that security and data breach risks are not abstract threats but are in fact pressing realities that require vigilant prevention, prompt detection, and effective response measures for both businesses and individuals alike. It has been reported recently by cybersecurity company ESET that the frequency of such threats has been on the rise in recent years as a result of the escalation of these threats. 

According to the company's latest Threat Report, this has now occurred in greater numbers. There have been numerous warnings issued over the past few months regarding the increase in spam and viral outbreaks, but one of the most alarming aspects of these campaigns is that they continue to ensnare unsuspecting users despite their obvious simplicity and ease of recognition in theory. 

The ESET report demonstrates the fact that the ClickFix attacks have evolved into a highly adaptable and formidable threat, employing a wide array of malicious payloads, from info stealers to ransomware to sophisticated nation-state malware. While these attack methodologies can be applied to a variety of operating systems, Windows PCs remain the most susceptible and effective targets due to the prevalence and effectiveness of these techniques. 

A key component of ClickFix is a deceptively simple yet remarkably effective method of getting victims to fix their problems. Victims are typically instructed to open the Windows Run dialogue by pressing the Windows key plus "R," paste a string of text using Ctrl + V and press "Enter" – often under the pretext of resolving an urgent issue. 

However, while the initial script may seem harmless, it is often just a way of obtaining and silently executing a much more dangerous payload without the knowledge of the user. Performing this single action can be a gateway to a wide variety of malicious programs, including the Lumma Stealer, VidarStealer, StealC, Danabot, and many more information theft programs; remote access Trojans like VenomRAT, AsyncRAT, and NetSupport RAT; and several other tools designed to attack the user. 

There are crypto miners, clipboard hijackers, post-exploitation frameworks like Havoc and Cobalt Strike, and other specialised attack tools in this category. Security professionals have given unequivocal advice: Users should treat any unsolicited prompt urging them to perform this sequence of commands as an immediate red flag that indicates a deliberate attempt to compromise their system. 

Under any circumstances, users should be cautious of following such instructions, as they can result in a significant compromise. In order to avoid any potential problems with the application in question, users should immediately close, or force-quit, restart their computers, and then run a thorough antivirus scan. Furthermore, it is necessary to change all of the key account passwords and monitor financial statements for signs of suspicious activity. 

While ClickFix attacks are most commonly associated with Windows environments, ESET's findings serve as a timely reminder that Macs are not immune to these attacks either. It has been reported that similar social engineering tactics can be used to entice macOS users to run scripts that appear benign but, in reality, facilitate unauthorized access to their devices. 

It demonstrates how important it is to remain cautious when dealing with uninvited technical instructions, regardless of the platform that users are using. ESET, a cybersecurity company that issued a recent alert regarding the increase in these threats, has indicated in its latest Threat Report that these attacks have now risen dramatically in frequency, which is in line with other previous warnings that have been issued over the past few months. 

However, what is even more alarming about these campaigns is the persistent manner in which they continue to ensnare unsuspecting users, even though these campaigns, in theory, should be easily recognised and avoided. The ESET report demonstrates the fact that the ClickFix attacks have evolved into a highly adaptable and formidable threat, employing a wide array of malicious payloads, from info stealers to ransomware to sophisticated nation-state malware.

While these attack methodologies can be applied to a variety of operating systems, Windows PCs remain the most susceptible and effective targets due to the prevalence and effectiveness of these techniques. Despite its deceptive simplicity, ClickFix's core tactic is remarkably effective as well. When victims are contacted to resolve an urgent issue, they are typically instructed to open the Windows Run dialogue by pressing the Windows key plus the "R" and then to paste a string of text using "Ctrl + V" before pressing "Enter." 

Although it may initially seem harmless or routine, the script usually serves as a conduit for retrieving and silently executing a far more dangerous payload, without the user being aware of it. By taking this action, users will be allowing themselves to be infected by a wide variety of malicious programs, such as Lumma Stealers, Vidar Stealers, StealC, Danabots, and many more. Remote Access Trojans, such as VenomRAT, AsyncRAT, and NetSupport RA, are some of the most prominent ones, along with cryptominers, clipboard hijackers, post-exploitation frameworks like Havoc and Cobalt Strike, and a variety of other specialised tools. 

Security professionals have given unequivocal advice: Users should treat any unsolicited prompt urging them to perform this sequence of commands as an immediate red flag that indicates a deliberate attempt to compromise their system. Under any circumstances, users should be cautious of following such instructions, as they can result in a significant compromise. As a matter of fact, they should close or force-quit the application in question, reboot the system, and carry out a thorough antivirus scan immediately. 

Additionally, it is essential that all critical account passwords be changed and that all financial statements be monitored closely for signs of suspicious activity. It has been found that ClickFix attacks are most common on Windows-based operating systems, but ESET's findings serve as a timely reminder that Mac users are not entirely immune to these attacks. 

The same social engineering techniques are used to trick Mac users into running scripts ostensibly benign by guiding them in a way that facilitates unauthorized access to their devices. This reinforces the crucial need to be vigilant and sceptical when dealing with any unsolicited technical instructions, regardless of the platform. For security breaches to be minimized and an effective response mounted promptly, it is important to recognize early signs of a breach. 

Several warning signs often point towards unauthorized activity within a system or network. Unusual network behaviour, such as sudden spikes in data traffic, irregular transfers, or sudden surges in bandwidth, can be a sign of an intentional data exfiltration or malicious probing of the network. In addition to unexplained system problems, including unexplained slowdowns, frequent crashes, or prolonged downtime, it is possible for malware to exploit these vulnerabilities. 

Suspicious account activity can also raise concerns. It is usually a sign of active compromise or credential theft when a user account appears unfamiliar, logins are made at odd hours, or repeated attempts are made to log in at odd hours. As a last point to note, data anomalies can be an indication that there has been a security breach. Missing, altered, or corrupted files are evidence that there has been an attack, as are access logs that indicate the entry of unauthorized individuals into sensitive databases.

By recognizing these signs and responding swiftly, organizations can better protect their data, operations, and reputation against the increasing threats of cyber-attacks. The threat landscape is becoming increasingly complex, and as a result, individuals and organisations are faced with a need to take an increasingly proactive and layered approach to cybersecurity. It has never been more important. 

As a result, we must go beyond conventional security tools and take deliberate steps to harden systems, train users, and prepare for contingencies besides conventional tools. When users create robust incident response procedures, conduct regular security audits, and invest in employee training, they can significantly reduce the chance that simple social engineering techniques or undetected malware will succeed, thereby reducing the likelihood that they will succeed. 

It is equally important for the organisation to utilise threat intelligence feeds, maintain current software, and enforce strong access controls to remain on top of an adversary that is continually refining its methods. A culture of security awareness is crucial for organizations to create where all users are aware that vigilance is not optional but rather a shared responsibility, which is why organizations should cultivate it. 

The businesses, as well as the individuals, can strengthen their defenses, and make sure that when the next attempt comes—and it will—they will be ready to detect, contain, and recover quickly, as the next attempt will be a result of the combination of modern technologies, disciplined operational practices, and a mindset that emphasizes continuous improvement.
Read more »
United States
Data Breach Military Operations National Security Security Breach Signal app United States

Experts Warn Trump Officials Using Signal for War Plans Risk Massive Leaks

 

Reports that senior Trump administration officials discussed classified military operations using the encrypted texting app Signal have raised serious security concerns. Although Signal provides encryption, lawmakers and cybersecurity specialists have warned that it is still susceptible to hacking and should never be used for private government communications. 

When journalist Jeffrey Goldberg of The Atlantic was accidentally included in a Signal group discussion where senior Trump officials were discussing military operations in Yemen, the issue became apparent. Goldberg called the conversation an act of "shocking recklessness" and said it included "precise information about weapons packages, targets, and timing.” 

Mark Montgomery, senior director of the Foundation for Defence of Democracies, criticised the decision, saying, "I guess Signal is a few steps above leaving a copy of your war plan at the Chinese Embassy—but it's far below the standards required for discussing any elements of a war plan.” 

Signal has become increasingly popular in Washington despite cybersecurity concerns after Chinese-affiliated hackers significantly compromised U.S. telecommunications networks. To safeguard against spying, officials recommend using encrypted services such as Signal. Experts warn that even while the app has robust encryption and deletes messages automatically, it is not approved for use in government-level sensitive communications. 

Lawmakers call for investigation

Top Democrats have slammed the use of Signal for military discussions, describing it as a significant security breach. Bennie Thompson (D-Miss.), the ranking member of the House Homeland Security Committee, criticised the Trump administration for failing to vet group chat users. “It should go without saying that administration officials should not be using Signal for discussing intelligence matters,” Thompson noted. 

House Foreign Affairs Committee Ranking Member Gregory Meeks (D-N.Y.) has requested a hearing, calling the episode "the most astonishing breach of our national security in recent history." Ranking member of the House Intelligence Committee, Jim Himes (D-Conn.), said he was "horrified" by the usage of an insecure app. He cautioned that lower-level officials might risk criminal charges for such a failure. 

Michael Waltz, Trump's National Security Adviser, admits to organising the Signal group chat, which inadvertently included writer Jeffrey Goldberg. Waltz first blamed a staff member, but later admitted that he founded the group himself. "It is embarrassing, definitely. We're going to get to the bottom of it," he added, adding that he was engaging Elon Musk on technical matters. 

In support of Waltz, Trump described him as a "good man" who had only "learnt a lesson." "The leak was the only glitch in two months, and it turned out not to be a serious one," he said, downplaying the breach as a small mistake. But there has been a quick pushback, with lawmakers and security experts voicing serious concerns.
Read more »
Vulnerabiliies
Cyber Security Cyberattacks GitHub Security Breach Supply Chain. CI/CD Vulnerabiliies

GitHub Action Security Breach Raises Concerns Over Supply Chain Risks

 


An attack of a cascading supply chain was recently triggered by the compromise of the GitHub action "reviewdog/action-setup@v1", which ultimately led to the security breach of the "tj-actions/changed-files" repository. As a result of this breach, unintended secrets about continuous integration and delivery were exposed, raising concerns about the integrity of software supply chains. 

There was a malicious code in the tj-actions/changed-files application last week, which introduced malicious code that was capable of extracting CI/CD secrets from the workflow logs and logging them within the log files. This incident affected approximately 23,000 repositories. Even though these logs were not accessible to the public, this exposure highlights significant security risks. In the case that the logs had become public, the attacker would have been able to gain unauthorized access to vital credentials.

Even though there has been an ongoing investigation into tj-actions/changed files, its developers have been unable to determine exactly how the attackers compromised GitHub's Personal Access Token (PAT) to gain access to critical data. For the unauthorized changes to be made, this token, which was used by an automated bot to modify code, appears to have played a pivotal role in the process. GitHub Actions and CI/CD pipelines need to be enhanced to prevent the spread of software supply chain vulnerabilities. This incident underscores the increasing threat of software supply chain vulnerabilities. 

A critical security breach has been identified in the widely used third-party GitHub Action, tj-actions/changed-files, that has been assigned the CVE-2025-30066 vulnerability. When a supply chain attack compromises the action that tracks file changes in pull requests and commits, it results in unauthorized disclosure of sensitive credentials since this action tracks file modifications. Among the secrets that were exposed were valid access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys. 

A security patch was implemented in version 46.0.1 as a response to the incident to mitigate the risk associated with it. As a result of an updated analysis from March 19, 2025, security researchers have suggested that this breach may have been the result of a similar compromise of another GitHub action, reviewdog/action-setup@v1, identified as CVE-2025-30154 by security researchers. Considering the timing of both incidents and the growing threat landscape surrounding software supply chains, there is a strong likelihood that there is a connection between them. 

The developments highlighted in this article underscore the importance of conducting rigorous security audits and maintaining enhanced monitoring practices within the GitHub ecosystem to prevent future threats. In the recent past, there was a security breach affecting GitHub Action tj-actions/changed-files that exposed critical security vulnerabilities in software supply chains, emphasizing the risks associated with third-party dependencies in continuous integration/continuous delivery. 

Through GitHub Actions, a widely used automation platform, developers can optimize their workflows through reusable components, allowing them to save time and money. However, due to the compromise of tj-actions/changed-files—a tool that detects changes in files in pull requests and commits—over 23,000 repositories were accessed unauthorized, resulting in the theft of sensitive workflow secrets. A security researcher first noticed unusual activity related to the repository on March 14, 2025, which led to the discovery of the breach. 

A malicious payload has been injected into CI/CD runners in an attempt to extract CI/CD runner memory, which exposed critical environment variables and workflow secrets within logs, which were discovered to have been injected by the attackers. An exploit like this could result in unauthorized access to confidential credentials, thereby posing a significant security risk to the organization. Having been provided with a critical lead by security researcher Adnan Khan, it has been confirmed that the root cause of this compromise stems from another GitHub Action called reviewdog/action-setup, which an independent organization maintains. 

The investigation revealed that the tj-actions/changed-files action was compromised because it was dependent on the tj-actions/eslint-changed-files action, which was itself dependent on the reviewdog/action-setup action. In addition to the attack on the review dog organization, multiple activities were also affected within that organization, indicating that the attack was more widespread than that. Maintainers of TJ-actions and Review Dog quickly mitigated this incident by implementing security patches and reducing further risks. 

To counteract growing threats within software supply chains, continuous security monitoring, dependency validation, and rapid mitigation strategies must be implemented to protect continuous integration/continuous delivery pipelines from future attacks. Wiz, one of the leading security firms, recommended that developers evaluate their potential exposure by performing a GitHub query to determine if any references to reviewdog/action-setup@v1 were found in their repositories. 

As part of this process, it is important to determine if any of the projects might have been compromised by the recent supply chain compromise. It would be prudent to treat the detection of double-encoded base64 payloads within workflow logs as a confirmation of the leakage of sensitive information. If this happens, immediate remediation measures are required to prevent further security incidents. 

To reduce the risks associated with compromised actions, developers are advised to remove all references to these actions across branches, remove workflow logs that might contain exposed credentials, and rotate any potentially compromised secrets so that unauthorized access cannot occur. There is a need to take proactive security measures, such as pin GitHub Actions to specific commit hashes rather than version tags to reduce the probability that similar breaches will occur in the future. Furthermore, by utilizing GitHub's allow-listing feature, we can restrict unauthorized actions and enhance the security of our repositories. 

One must respond quickly to supply chain attacks, which may have far-reaching consequences as well as leak CI/CD secrets. Immediately following the breach, organizations must take steps to contain the breach, and they must develop long-term security strategies to protect themselves against future threats as well. The companies that are potentially impacted by this GitHub Actions supply chain attack should take immediate measures to protect their systems from further harm. To effectively counteract unauthorized access and further exploitation, all exposed secrets must be rotated. This is especially true for those secrets that were used between March 14 and March 15, 2025. 

Failure to replace compromised credentials could result in further exploitation. Further, security teams need to thoroughly review CI/CD workflows, paying close attention to unexpected outputs, particularly within the section on "changed files". There is a good chance that any anomalies may indicate an unauthorized modification or possible data leak. All workflow references should be updated to point to specific commit hashes rather than mutable tags so that they can be used to enhance security and mitigate the risk of a similar incident in the future. This will reduce the risk that attackers may inject malicious code into widely used GitHub Actions in the future. 

A robust security policy is also crucial for organizations. For this reason, organizations must utilize GitHub's allow-listing feature to restrict access to unauthorized actions, and they should conduct regular security audits of their third-party dependencies before integrating them into workflows. This kind of prevention measure can greatly reduce the chances of an attack on the supply chain or an unauthorized change in the source code. As a result of the recent breach, it has been highlighted how widely used automation tools are prone to vulnerabilities, which emphasizes the need to maintain continuous security monitoring and develop proactive defence strategies. 

Although some organizations, like Coinbase, successfully mitigated the impact of this incident, it serves as a reaffirmation that all organizations should continue strengthening their security postures and remain vigilant when it comes to evolving threats in the software industry. Recent information about a security breach with GitHub Actions confirms that the threats associated with supply chain attacks are continuing to grow in the modern software development industry. It has become increasingly important for organizations to enforce strong security frameworks for the sake of preventing cyber threats by implementing continuous monitoring mechanisms, thorough dependency audits, and enhanced access controls as cyber threats become more sophisticated. 

CI/CD pipelines need to be protected against unauthorized intrusions at all costs, and this incident highlights the urgency for proactive defense strategies to prevent this type of activity. Teams can mitigate vulnerabilities and ensure their workflows are protected by adopting secure coding best practices, enforcing strict authentication policies, and utilizing GitHub's security features, if they implement secure coding practices and enforce strict authentication policies. As software supply chain security has become a world-wide concern, maintaining vigilance and immediate response to incidents is crucial to ensuring operational integrity and resilience against evolving threats in an era when it has become paramount.
Read more »
Security Breach
Clothing Firm Cyber Attacks IT Breach Raymond Security Breach

Raymond Cyberattack: IT Teams, Authorities Investigate Massive Breach

 

Raymond Limited, a leading textile and apparel firm, acknowledged a cyberattack on its IT infrastructure on February 19. The company quickly segregated affected systems to protect essential business operations and avoid disruptions to customer-facing platforms or shop networks.

Rakesh Darji, Raymond's Company Secretary and Compliance Officer, stated in a regulatory filing that its retail and physical store operations will continue unchanged. While the filing provided no details on the attackers or confirmed any ransomware involvement, the company noted that "necessary precautions and protocols" were implemented to mitigate the impact. 

Raymond reassured stakeholders that its critical manufacturing and retail systems are safe despite the security intrusion, and that there haven't been any notable service interruptions. To determine the attack's entry points, length, and any threats of data exposure, the company's cybersecurity specialists and internal IT teams are performing forensic investigation. An inquiry is also in progress after notification was sent to India's cybersecurity organisation, CERT-In. 

The incident highlights the growing significance of strong cybersecurity measures for multinational organisations, especially those with complicated supply networks. It serves as a warning to firms to always improve their cyber defences against evolving threats. 

Raymond's disclosure is aligned with India's new cybersecurity standards, which demand the timely notification of major IT issues to regulatory bodies and investors. Shortly after discovering the breach, the company followed compliance measures and notified stock markets under the scrip codes BSE:500330 and NSE:RAYMOND. 

While the full scope of the assault is unknown, Raymond's proactive response and transparency demonstrate its commitment to ensuring company continuity and consumer trust.
Read more »
Threat Intelligence
Online Security Quantum Computers Security Breach Technology Threat Intelligence

Quantum Computers Threaten to Breach Online Security in Minutes

 

A perfect quantum computer could decrypt RSA-2048, our current strongest encryption, in 10 seconds. Quantum computing employs the principle of quantum physics to process information using quantum bits (qubits) rather than standard computer bits. Qubits can represent both states at the same time, unlike traditional computers, which employ bits that are either 0 or 1. This capacity makes quantum computers extremely effective in solving complicated problems, particularly in cryptography, artificial intelligence, and materials research. 

While this computational leap opens up incredible opportunities across businesses, it also raises serious security concerns. When quantum computers achieve their full capacity, they will be able to break through standard encryption methods used to safeguard our most sensitive data. While the timescale for commercial availability of fully working quantum computers is still uncertain, projections vary widely.

The Boston Consulting Group predicts a significant quantum advantage between 2030 and 2040, although Gartner believes that developments in quantum computing could begin to undermine present encryption approaches as early as 2029, with complete vulnerability by 2034. Regardless of the precise timetable, the conclusion is unanimous: the era of quantum computing is quickly approaching. 

Building quantum resilience 

To address this impending threat, organisations must: 

  • Adopt new cryptographic algorithms that are resistant against impending quantum attacks, such as post-quantum cryptography (PQC). The National Institute of Standards and Technology (NIST) recently published its first set of PQC algorithm standards (FIPS 203, FIPS 204, and FIPS 205) to assist organisations in safeguarding their data from quantum attacks. 
  • Upgrades will be required across the infrastructure. Develop crypto agility to adapt to new cryptographic methods without requiring massive system overhauls as threats continue to evolve. 

This requires four essential steps: 

Discover and assess: Map out where your organisation utilises cryptography and evaluate the quantum threats to its assets. Identify the crown jewels and potential business consequences. 

Strategise: Determine the current cryptography inventory, asset lives against quantum threat timelines, quantum risk levels for essential business assets, and create an extensive PQC migration path. 

Modernise: Implement quantum-resilient algorithms while remaining consistent with overall company strategy.

Enhance: Maintain crypto agility by providing regular updates, asset assessments, modular procedures, continual education, and compliance monitoring. 

The urgency to act 

In the past, cryptographic migrations often took more than ten years to finish. Quantum-resistant encryption early adopters have noticed wide-ranging effects, such as interoperability issues, infrastructure rewrites, and other upgrading challenges, which have resulted in multi-year modernisation program delays. 

The lengthy implementation period makes getting started immediately crucial, even though the shift to PQC may be a practical challenge given its extensive and dispersed distribution throughout the digital infrastructure. Prioritising crypto agility will help organisations safeguard critical details before quantum threats materialise.
Read more »
Security Breach
Crypto Exchange Crypto Hack cryptocurrency Cyber Attacks Digital Assets Lazarus Group Security Breach

Bybit Crypto Exchange Hacked for $1.5 Billion in Largest Crypto Heist

 

Bybit, one of the world’s largest cryptocurrency exchanges, has suffered a massive security breach, resulting in the loss of $1.5 billion in digital assets. The hack, now considered the largest in crypto history, compromised the exchange’s cold wallet—an offline storage system designed to provide enhanced security against cyber threats. 

Despite the breach, Bybit CEO Ben Zhou assured users that other cold wallets remain secure and that withdrawals continue as normal. Blockchain analysis firms, including Elliptic and Arkham Intelligence, traced the stolen funds as they were quickly moved across multiple wallets and laundered through various platforms. Most of the stolen assets were in ether, which were liquidated swiftly to avoid detection. 

The scale of the attack far exceeds previous high-profile crypto thefts, including the $611 million Poly Network hack in 2021 and the $570 million stolen from Binance’s BNB token in 2022. Investigators later linked the attack to North Korea’s Lazarus Group, a state-sponsored hacking organization known for targeting cryptocurrency platforms. The group has a history of siphoning billions from the digital asset industry to fund the North Korean regime. 

Experts say Lazarus employs advanced laundering techniques to hide the stolen funds, making recovery difficult. Elliptic’s chief scientist, Tom Robinson, confirmed that the hacker’s addresses have been flagged in an attempt to prevent further transactions or cash-outs on other exchanges. However, the sheer speed and sophistication of the operation suggest that a significant portion of the funds may already be out of reach. The news of the breach sent shockwaves through the crypto community, triggering a surge in withdrawals as users feared the worst. 

While Bybit has managed to stabilize outflows, concerns remain over the platform’s ability to recover from such a massive loss. To reassure customers, Bybit announced that it had secured a bridge loan from undisclosed partners to cover any unrecoverable losses and maintain operations. The Lazarus Group’s involvement highlights the persistent security risks in the cryptocurrency industry. Since 2017, the group has orchestrated multiple cyberattacks, including the theft of $200 million in bitcoin from South Korean exchanges. 

Their methods have become increasingly sophisticated, exploiting vulnerabilities in crypto platforms to fund North Korea’s financial needs. Industry experts warn that large-scale thefts like this will continue unless exchanges implement stronger security measures. Robinson emphasized that making it harder for criminals to profit from these attacks is the best deterrent against future incidents. 

Meanwhile, law enforcement agencies and crypto-tracking firms are working to trace the stolen assets in hopes of recovering a portion of the funds. While exchanges have made strides in improving security, cybercriminals continue to find ways to exploit weaknesses, making robust protections more crucial than ever.
Read more »
Security Breach
browser hijacking Chrome Extension Cyber Security Cybersecurity Data Theft Google Workspace Hacking phishing Security Breach

New 'Browser Syncjacking' Attack Exploits Chrome Extensions for Full Device Takeover

 

'Browser Syncjacking,' which allows threat actors to hijack Google profiles, compromise browsers, and eventually gain full control over a victim's device—all through a seemingly harmless Chrome extension.

This stealthy multi-stage attack requires minimal permissions and almost no user interaction beyond installing a malicious Chrome extension. The attack begins with:

1. Fake Google Workspace Setup – Attackers create a fraudulent Google Workspace domain with pre-configured user profiles where security features like multi-factor authentication are disabled.

2. Publishing a Malicious Extension – A Chrome extension, disguised as a useful tool, is uploaded to the Chrome Web Store.

3. Social Engineering Trap – Victims are tricked into installing the extension, which then secretly logs them into an attacker's managed Google Workspace profile via a hidden browser session.

4. Sync Activation – The extension opens a legitimate Google support page and injects content instructing users to enable Chrome Sync. Once activated, attackers gain access to stored credentials, browsing history, and other sensitive data.

5. Full Browser Takeover – Using deceptive tactics, such as a fake Zoom update prompt, the extension delivers an executable file containing an enrollment token. This grants attackers full control over the browser.

"Once enrolled, the attacker gains full control over the victim's browser, allowing them to silently access all web apps, install additional malicious extensions, redirect users to phishing sites, monitor/modify file downloads, and many more," explains SquareX researchers.

By leveraging Chrome's Native Messaging API, attackers establish a direct communication channel between the malicious extension and the victim's operating system. This enables them to:
  • Browse directories
  • Modify files
  • Install malware
  • Execute commands
  • Capture keystrokes
  • Extract sensitive data
  • Activate the webcam and microphone
The Browser Syncjacking attack is difficult to detect. Unlike traditional extension-based threats that require extensive social engineering, this method operates with minimal user interaction.

"Unless the victim is extremely security paranoid and is technically savvy enough to constantly navigate the Chrome settings to look for managed browser labels, there is no real visual indication that a browser has been hijacked," the report warns.

Recent incidents, including hijacks of legitimate Chrome extensions, have demonstrated that browser extensions pose significant cybersecurity risks.

BleepingComputer has reached out to Google for comments on this new attack and will provide updates as soon as a response is received.
Read more »
Subscribe to: Posts (Atom)