Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label VPN. Show all posts
VPN
CISA Cyber Security FBI Ransomware VPN

FBI Urges Immediate Action as Play Ransomware Attacks Surge

 


The Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released a critical warning about the sharp rise in Play ransomware attacks. The agencies report that this cyber threat has affected hundreds of organizations across the Americas and Europe, including vital service providers and businesses.

The updated alert comes after the FBI identified over 900 confirmed victims in May alone, which is three times more than previously reported. Cybersecurity experts are urging organizations to act quickly to strengthen their defenses and stay informed about how these cybercriminals operate.


How the Play Ransomware Works

Play ransomware attackers use various advanced methods to break into systems. They often start by targeting services that are accessible from outside, like Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs). Once they gain access, they move within the network, stealing login details and aiming to control the system entirely.

The FBI notes that the attackers do not immediately demand payment in their ransom notes. Instead, they leave email addresses that victims must contact. These emails usually come from unique addresses linked to German domains. In some cases, the criminals also make threatening phone calls to pressure victims into paying.


Connections to Other Threat Groups

Investigations suggest that the Play ransomware may be connected to several known hacking groups. Some security researchers believe there could be links to Balloonfly, a cybercrime group involved in earlier ransomware attacks. There have also been reports connecting Play to serious security incidents involving Windows systems and Microsoft Exchange servers.

In the past, attackers have taken advantage of security flaws in popular software, including Microsoft’s Windows and Fortinet’s FortiOS. Most of these security gaps have already been fixed through updates, but systems that remain unpatched are still at risk.


Key Steps to Protect Your Organization

The FBI strongly recommends that all organizations take immediate steps to reduce their risk of falling victim to these attacks. Here are the essential safety measures:

1. Create backup copies of important data and store them in secure, separate locations.

2. Use strong, unique passwords that are at least 15 characters long. Do not reuse passwords or rely on password hints.

3. Enable multi-factor authentication to add extra security to all accounts.

4. Limit the use of admin accounts and require special permissions to install new software.

5. Keep all systems and software up to date by applying security patches and updates promptly.

6. Separate networks to limit how far a ransomware attack can spread.

7. Turn off unused system ports and disable clickable links in all incoming emails.

8. Restrict the use of command-line tools that attackers commonly use to spread ransomware.

Staying alert and following these steps can help prevent your organization from becoming the next target. Cybersecurity is an ongoing effort, and keeping up with the latest updates is key to staying protected.

Read more »
Zero-day Vulnerability and Exploits
Critical security flaw Cyberattacks CyberCrime Cybersecurity CyberThreat FortiGate Fortinet Bugs Qilin Ransomware VPN Zero-day Vulnerability and Exploits

Qilin Ransomware Actors Take Advantage of Newly Discovered Fortinet Bugs

 


The recently observed increase in ransomware activity linked to the Qilin group has sparked alarms throughout the cybersecurity industry. As a result of these sophisticated Ransomware-as-a-Service (RaaS) operations operating under multiple aliases, including Phantom Mantis and Agenda, Fortinet's recent critical vulnerability disclosures have made it possible for this operation to actively exploit two critical Fortinet vulnerabilities. 

Operators of Qilin can exploit these flaws in order to gain unauthorised access to targeted networks and to run malicious code on them, sometimes without any detection by the targeted network. Qilin is stepping up its tactics by exploiting these Fortinet vulnerabilities, signalling a shift in strategy to target enterprise security infrastructure deployed throughout the world. Consequently, organisations from a variety of sectors — ranging from healthcare and finance to government and critical infrastructure — have now become targets of an expanding global threat campaign. 

According to researchers at the company, the group's ability to weaponise newly discovered vulnerabilities so quickly demonstrates both the group's technical sophistication as well as the importance of adopting a proactive, vulnerability-focused security posture as a result of their rapid growth. As the trend of ransomware groups exploiting zero-day or newly patched vulnerabilities to bypass perimeter defences and gain persistent access is growing, this wave of attacks underscores the trend. 

There is no doubt that Qilin's campaign not only proves how effective it is to exploit trusted security platforms like Fortinet, but it also illustrates a more general evolution in the ransomware ecosystem, in which ransomware groups are constantly scaling and refining their methods to maximise their impact and reach within the ecosystem. 

With various aliases — including Phantom Mantis and Agenda — the Qilin ransomware group has increased the level of malicious activity they are able to conduct by exploiting critical Fortinet security vulnerabilities. It has been shown that these exploits provide attackers with the ability to bypass authentication controls, deploy malicious payloads remotely, and compromise targeted networks with alarming ease. 

It is important to note that since Qilin first emerged in August 2022 as a Ransomware-as-a-Service provider (RaaS), the company has been growing rapidly. The company has rolled out sophisticated ransomware toolkits to affiliate actors and is expanding into many different areas. Over 310 organisations around the world have been linked to Qilin breaches, spanning a range of sectors that include the media, healthcare, manufacturing, and government services sectors. 

Court Services Victoria in Australia, Yangfeng, Lee Enterprises, and Synnovis are a few of the most notable victims of the cyberattack. Several companies have been affected by the attack, and the group has demonstrated a high level of operational maturity and the capability to adapt tactics quickly by exploiting newly discovered vulnerabilities in widely used enterprise infrastructure systems. 

Experts consider Qilin's aggressive campaign to be a part of a broader trend in which RaaS actors are increasingly targeting foundational security platforms in order to extort high-value ransoms and maximise disruption. Several threat actors are actively exploiting two highly critical vulnerabilities in Fortinet's network security products, identified as CVE-2024-55591 and CVE-2024-21762, in the latest wave of Qilin ransomware activity. 

Neither of these vulnerabilities is classified as critical, but they do allow remote attackers to bypass authentication mechanisms and execute arbitrary code on compromised systems, allowing them to take complete control of the system. Although there are many cybercriminal groups that have exploited these vulnerabilities in the past, Qilin's use of them underscores that unpatched Fortinet devices are still an entry point into enterprise environments that criminal groups can exploit. 

Although these vulnerabilities have been disclosed publicly and patches have been released, thousands of Fortinet appliances remain vulnerable, which poses a significant risk to a significant number of organisations. IT administrators and security teams must prioritise patch management and hardening of systems at the earliest opportunity in order to prevent vulnerabilities from occurring in the future. 

According to a Fortinet expert, organisations utilising its products should immediately assess their infrastructure for signs of compromise and apply the latest firmware updates or temporary mitigation measures according to the vendor's recommendations. It is important for organisations relying on Fortinet products to address these vulnerabilities immediately, as failure to do so could result in devastating ransomware attacks, data breaches, and prolonged disruptions to operations. 

As the Qilin ransomware group emerged in August 2022 under the alias Phantom Mantis and Agenda, it has steadily increased its presence on the cyber threat landscape, steadily increasing its presence. In addition to operating as a Ransomware-as-a-Service (RaaS) provider, Qilin claims that it has compromised more than 310 organisations in a variety of different industries. 

This company’s most recent campaign reflects a highly targeted and technologically advanced approach, mainly focusing on exploiting known vulnerabilities within Fortinet’s FortiGate appliances, such as CVE-2024-21762 and CVE-2024-55591, found in Fortinet’s security appliances. This vulnerability can act as a critical attack vector, allowing threat actors to breach security controls, penetrate network perimeters, and launch widespread ransomware deployments within the affected environment as a result of these flaws. 

There is one aspect that sets Qilin apart from other ransomware groups: Rather than relying primarily on phishing or brute force methods, its strategic focus is on exploiting vulnerabilities in core enterprise infrastructure. Especially in the ability for the group to identify and exploit architectural weaknesses within widely deployed network security solutions, this evolving threat model exemplifies a high level of sophistication among the group members. 

It appears that this group is attempting to exploit the authentication and session management vulnerabilities of FortiGate systems to establish unauthorised access to networks, as well as maintain persistence within these compromised networks. It is clear from the methodical exploitation that the attackers have a deep understanding of enterprise defence mechanisms and are demonstrating a shift away from ransomware tactics to compromise infrastructure. 

Such attacks pose substantial risks. By infiltrating the first line of defence, which is normally a security infrastructure, Qilin's operations effectively neutralise conventional defence layers, enabling internal systems to be compromised and exposed to data exfiltration through lateral movement. There are a number of consequences for organisations that have been affected by this ransomware attack, including severe operational disruption, the loss of sensitive data, the violation of regulations, as well as long-term reputational damage. 

Because of this, organisations are required to reassess their vulnerability management strategies, to ensure timely patching of known vulnerabilities, as well as adopt a more proactive security posture to mitigate the threat that advanced ransomware actors like Qilin are posing to their organisations. This latest ransomware campaign from Qilin exploits vulnerabilities that have a troubling history within the security community, particularly CVE-2024-55591 and CVE-2024-21762. CVE-2024-55591, for example, had been exploited as a zero-day vulnerability as early as November 2024 by several threat actors who used it as a zero-day exploit.

It is worth mentioning that the Mora_001 ransomware operator used the vulnerability to deliver the SuperBlack ransomware strain, which is linked by Forescout researchers to the notorious LockBit cybercrime syndicate. By recurring abuse of Fortinet vulnerabilities, we can see how these flaws continue to be appealing to a wide variety of threat actors, from criminal gangs to state-sponsored espionage groups.

Fortinet patched the second vulnerability in early February of 2025, CVE-2024-21762. Upon discovering the threat this vulnerability posed, the U.S Cybersecurity and Infrastructure Security Agency (CISA) swiftly added it to its Known Exploited Vulnerabilities (KEV) catalogue and instructed federal agencies to secure all affected FortiOS and FortiProxy devices by the end of February. However, despite these warnings, widespread vulnerability persisted. 

By the middle of March, the Shadowserver Foundation reported nearly 150,000 devices across the globe remained unpatched and vulnerable. This underscores a critical gap in patch adoption and risk mitigation within corporations. Fortinet's network security products have been a frequent target of exploitation over the years, and they have served as the first point of entry for both cyber-espionage campaigns and financial ransomware attacks over the years. 

It has been revealed recently by Fortinet that in a separate incident earlier this year, Chinese state-sponsored threat group Volt Typhoon exploited two old SSL VPN vulnerabilities (CVEs 2020-22475 and 2022-2997) to deploy a custom remote access trojan, dubbed Coathanger, within the Dutch Ministry of Defense's military network, exploitation two older SSL VPN vulnerabilities. As a result of these repeated and high-impact incidents, the threat pattern is consistently one of Fortinet devices being targeted due to their widespread deployment and their vital role in enterprise network security in enterprises. 

In order to expand their reach and refine their tactics, ransomware groups such as Qilin will likely continue to focus on exploiting foundational security infrastructure such as Fortinet firewalls and VPNs, so it is likely that they will continue to use this technique. Taking into account these developments, it is becoming increasingly apparent that organisations need to put security first, prioritising continuous vulnerability assessment, timely patching, and a robust incident response strategy in order to be able to protect themselves against the increasing sophistication and persistence of threat actors operating in the digital era. 

There has been a noticeable shift in Qilin's operational strategy, according to threat intelligence firm PRODAFT, which has been characterised by a shift to partially automated attacks on FortiGate firewalls that are not patched. It appears that the campaign is influenced by Spanish-speaking regions, but the tactics employed remain largely opportunistic, utilising vulnerable devices regardless of their location, despite the fact that there is a distinct geographic bias toward these regions. 

A key exploit technique identified, CVE-2024-55591, has been linked to the deployment of the SuperBlack ransomware variant, which is closely linked with the LockBit cybercriminal ecosystem, as well as with the deployment of the SuperBlack ransomware. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued urgent patching instructions in February 2025 to patch nearly 150,000 devices vulnerable to the second critical flaw, CVE-2024-21762. 

Even though widespread awareness of this flaw is widespread, nearly 150,000 devices are still vulnerable. Although these devices are still unpatched, this symptom of security lapses that continue to be exploited by ransomware operators illustrates a critical security vulnerability that is still prevalent. Because of their widespread use in enterprise environments, Fortinet appliances remain a high value target, and organizations must act decisively and immediately to minimize those risks in order to reduce them. 

In order to maintain a secure environment, security teams should take a proactive approach and apply security patches as soon as they are released and ensure that FortiGate and FortiProxy appliances are strictly monitored. Among the measures that we should take are the deployment of intrusion detection and prevention systems, the analysis of real-time logs for suspicious behaviour, and the segmentation of high-value assets within networks to prevent lateral movement. 

A defence-in-depth strategy must also be implemented with endpoint protection, segmentation of the network, integration of threat intelligence, and regular audits of security practices in order to boost resilience against increasingly automated and targeted ransomware attacks. With the increasing complexity and scale of cyberattacks, it is becoming increasingly important for organisations to maintain continuous visibility and control of their security infrastructure, so as to protect their organisational integrity. It is no longer optional.

As a result of the escalating threat landscape and the calculated use of core enterprise infrastructure by the Qilin ransomware group, organisations need to move beyond reactive cybersecurity practices and develop a forward-looking security posture. Organisations must keep vigilance on new vulnerabilities to minimise the speed and precision with which threat actors exploit them. Continuous vulnerability intelligence, rigorous patch lifecycle management, and real-time system integrity monitoring are essential to combating these threats.

Organisations need to integrate threat-aware defence mechanisms that account for both technical weakness and adversarial behaviour—merely deploying security solutions is no longer enough. By investing in automated detection systems, segmenting critical assets, multifactor authentication, and creating secure configuration baselines, we can significantly reduce the attack surface. 

Furthermore, establishing a culture of cybersecurity readiness—through continuous workforce training, tabletop exercises, and simulations of an incident response scenario—ensures that when preventative measures do not work, we are resilient. A growing number of ransomware attacks, especially those such as Qilin, which exploit security technologies themselves, are becoming increasingly complex and scaled up, so securing the digital perimeter should become an executive-level priority that is supported by adequate resources, measurable accountability, and executive commitment.
Read more »
VPN
Advanced Technology Cybersecurity Cyberthreats Digital Security Digital threats malicious Mobile Plugging Private Network protect Wi-Fi Public Infrastructure TSA USB VPN

TSA Cautions Passengers Against Plugging Into Public USB Charging Stations


 

Despite the Transportation Security Administration's (TSA) widespread recognition for its role in ensuring air travel security through rigorous passenger screening procedures, the agency is now drawing attention to a lesser-known, yet equally concerning, cybersecurity threat faced by airport travellers. The TSA reports that cybercriminals have been exploiting public USB charging stations in airport terminals as well as unsecured Wi-Fi networks in order to gain unauthorized access to travelers' personal information in order to gain access to their information. 

Malicious actors are using sophisticated techniques that are used to compromise devices connected to public charging ports or unprotected internet connections without the user's knowledge, many of which are used by these actors. Once the device is accessed, sensitive information can be extracted, including passwords, financial details, and personal files, potentially resulting in identity theft or financial fraud for the victim.

It is a well-known fact that even something as seemingly harmless as plugging user's phone into a public charging station carries significant risks, according to the agency. As a result of this technique, known as "juice jacking," malicious software is installed or data is stolen directly from a connected device by tampering with USB ports. In the same way, connecting to public Wi-Fi networks with inadequate security measures can expose users to a man-in-the-middle attack, where hackers intercept the communication between the device and the internet and attack the device. 

Technology is evolving rapidly, but as digital threats grow and evolve, the TSA urges travellers to take security very seriously by using personal charging equipment, portable power banks, and secure internet connections. To protect one's digital identity while on the go, it is crucial to stay informed and vigilant. Among the top concerns that the Transportation Security Administration (TSA) has expressed is the growing cybersecurity threats associated with the use of public USB charging stations at airports. 

While these charging stations are convenient for travellers who have long layovers or delays, they may also serve as a gateway for cybercriminals to gain access to their data through their smartphone, tablet, or other electronic devices. A technique known as "juice jacking," in which malicious software is installed covertly within public USB ports, is among the most concerning threats, as it allows malicious software to be installed covertly within them. 

By simply plugging in their device, an unsuspecting traveller is transferring the malware, which could potentially allow hackers to access, corrupt, or extract sensitive information that could be of great use to them. During these attacks, personal data may be accessed byunauthorisedd parties,, including emails, login credentials, financial details and even private photographs or documents stored on the deviceEven thoughat visible warning signs do not usually accompany these infections, victims are often unaware of their information being compromised until it is very late in the game. 

Travellers are strongly advised not to connect their devices directly to public USB ports located in airport terminals, lounges, or charging kiosks to minimise this risk. To minimise the risk of this occurrence, cybersecurity experts and the TSA strongly suggest travellers don't do so. Instead, passengers should carry and use their own power adapters and plug them into standard electrical outlets whenever necessary. 

The use of portable battery packs is a much more secure option since it eliminates the possibility of any potential hardware exposure occurring. While security authorities have repeatedly warned citizens about the risks associated with juice jacking, there has been a lack of awareness among the general public regarding it. Many travellers may overlook the hidden dangers associated with seemingly innocuous charging stations in pursuit of convenience. 

As technology continues to develop and digital threats become more sophisticated, air passengers need to remain vigilant and adopt preventive measures to ensure their personal and financial information remains secure during transit. As a consequence of the threat of "juice jacking" in public spaces like airports, where travellers are frequently seeking out USB charging ports for convenience, this issue is becoming a serious cybersecurity concern. 

The purpose of this type of cyberattack is to compromise any device that has access to a public USB charging station by installing malware that is discreetly installed into these charging stations with the aim of compromising the device. Suppose the malware catches hold of a device while plugged into an infected port. In that case, it can initiate harmful activities, ranging from data theft to complete control of that device, all without the user having any knowledge of it. 

According to the Federal Communications Commission (FCC), malware that is introduced through tampered USB ports can lock the user's device, collect personal information, or harvest passwords stored on that device, which can then be accessed online accounts or sold on the dark web. As a result of such breaches, individuals may experience identity theft and financial fraud as well as unauthorised surveillance of their private communications and documents. 

The risk is further compounded by the fact that there are typically no external signs that indicate a charging station has been compromised, so a traveller may be unable to detect the compromise. Furthermore, airports are also a significant risk for cybersecurity due to unsecured public Wi-Fi networks. A warning from the Transportation Security Administration (TSA) cautions passengers against using free public Wi-Fi, especially when they are conducting online transactions or accessing accounts that require sensitive information to be entered. 

In order to steal credentials or financial information, cybercriminals often exploit open networks by using methods such as man-in-the-middle attacks. These attacks intercept data exchanges between users and websites to steal data. Travellers should generally refrain from entering any confidential information-such as credit card numbers, personal identifying information, or login details-while connected to public wireless networks, as a general rule. 

Several organisations, including the TSA, the FCC, and other government agencies, recommend adopting safer charging methods to reduce the chances of becoming victims of these threats. If the travellers do not want their devices to be exposed to unknown hardware while charging, they are encouraged to carry TSA-compliant power bricks or personal battery packs that provide secure charging. Additionally, it is far safer to use personal power adapters connected to standard electrical outlets than to use public USB ports. 

Additionally, the FCC suggests that travellers invest in USB data blockers or charging-only cables that allow power to be transferred to and from the device, but do not allow data to be transferred. As the digital landscape continues to become more complex, travellers must stay informed and take precautions to stay safe. If travellers avoid high-risk behaviours, such as using public USB ports and unsecured wireless network connections, they will be able to protect their personal information and devices from harm. 

A growing number of airlines and airports are integrating advanced technologies - ranging from mobile boarding passes and biometric identifications to fully automated check-in and boarding services - into modern travel safety and security has become a crucial component of this landscape. This shift has led to the Transportation Security Administration (TSA) expanding its focus beyond physical security measures to include digital security measures in order to address the shifting landscape. 

A recent advisory issued by the agency shows that securing personal data is just as important as securing passengers and luggage in today’s hyperconnected travel environment, and that the agency is aware of this growing understanding. During this summewhenere there will be a surge in international passenger traffic and a lot of busy travel season ahead of us, the TSA's warning arrives at an extremely critical time.

Besides reminding travellers to ensure their luggage and documents are ready to go, it also serves as a timely reminder to make sure their digital defences are strong as well before leaving the country. Travellers are advised to follow several essential cybersecurity practices that will enhance their protection while they are travelling, including not charging their devices through public USB ports and connecting to unsecured Wi-Fi networks. 

In order to ensure users' devices are fully up-to-date and that they contain the latest operating system patches and antivirus software, make sure that all their devices (phones, tablets, and laptops) are updated before leaving the country. These updates often contain important security enhancements that prevent newly found threats from being exploited. 

It is important to utilise strong authentication measures, which include using strong, unique passwords for all accounts. In addition, multi-factor authentication (MFA) provides a more protective layer, making sure that even if users' login credentials are compromised, users will be significantly less likely to be accessed by unauthorised individuals. 

In order to protect their digital footprint, travellers should always keep their devices physically secure, especially in public places such as airport lounges, cafes, and rest areas where they will not be disturbed by others. They should also never share passwords or access PINs, even with acquaintances, to maintain control over their digital footprints. 

Keeping important data in backups is essential to ensure that information does not get lost if the device is stolen, damaged, or malfunctions during its transport, because data is regularly saved in secure cloud storage or external backup devices. 

It is advisable to disable automatic Wi-Fi connectivity to prevent devices from unknowingly connecting to undeclared or malicious networks, as well as joining familiar and trusted networks. For extra security, travellers ought to use a virtual private network (VPN) for online security. 

There is a lot to be said for integrating these simple yet effective practices into the travel routines of passengers, reducing the risk that they will fall victim to digital threats significantly. In an age when convenience and connectivity dominate the travel experience, people must remain aware of cybersecurity issues to ensure that technology remains a valuable asset throughout the travel rather than a vulnerability. 

Taking into consideration the blurring line between physical and digital security when travelling by air, it is becoming increasingly important for travellers to recognise that cybersecurity is now an essential part of the security process. Cyber threats to public infrastructure reinforce a bigger truth: convenience is often accompanied by a loss of caution when it comes to public infrastructure. 

Airports are constantly enhancing passengers' experiences with innovative digital services, however, it is ultimately the individual's responsibility to ensure that their data is protected. It is important for travellers to cultivate proactive digital habits to safeguard not only their device but also their digital identities. These include checking the legitimacy of charging stations, using encrypted communication channels, and staying up to date on evolving cyber tactics. 

The TSA’s advisory is not just a warning—it’s a call to action. Keeping digital hygiene is an essential part of staying connected in a world in which it is now as common as packing a passport or getting a boarding pass.T Travellers who embrace this mindset will not only enjoy a smoother trip, but they will also be able to ensure their personal data reaches their destination safely.
Read more »
Wireless
Cyber Security CyberCrime CyberThreat Public Wifi safeguard TVS VPN WiFi Wireless

Approaches Users Can Implement to Safeguard Wireless Connections

 


The Wi-Fi network is a wireless gateway that connects homes and businesses to the Internet via the air, and it is typically provided by a router, which transmits data signals across the network. Mobile devices, laptops, and tablets can access online services using this signal without the need for physical cables. However, if these networks are not properly protected by passwords, they are vulnerable to unauthorised access.

The internet can be accessed by any device within range, regardless of whether it belongs to the homeowner, a guest, or an unknown third party. While wireless internet has many advantages over the internet, it also presents significant security risks, and wireless internet is no exception. If an insecure network is in place, nearby users might be able to see users' online activities, and this could lead to an exposure of their personal information to unauthorised sources. 

Moreover, when malicious actors exploit open networks to engage in illegal activities, such as spreading spam or accessing prohibited content, they may be held accountable by the network's registered owner. These risks underscore why Wi-Fi connections need to be securely protected with robust protection measures to prevent these threats from occurring. 

Understanding Wi-Fi Technology and Its Security Implications


There is a widespread use of a wireless networking technology called Wi-Fi that allows devices such as smartphones, laptops, tablets, and computers to connect to the internet without using physical cables at all. It is important to understand that wireless routers are currently the most common way that internet connections are made, serving as a central hub for all Wi-Fi-enabled devices within a range to receive internet access.

Despite the popular belief that Wi-Fi is an acronym, the actual term "Wi-Fi" is a trademark created by a marketing firm for commercial purposes to promote wireless network certification standards. Essentially, the principle behind Wi-Fi is that data is transmitted through radio waves in the form of a signal. To minimise network congestion and reduce signal interference, it uses two radio frequency bands — usually 2.4 GHz and 5 GHz — that are divided into channels so that signal interference can be minimised. 

A device that attempts to connect to a wireless network transmits data in binary form (the fundamental language used by computers) by using these radio waves when it attempts to connect. Upon receiving this data, the router relays it through a physical internet connection, such as a broadband cable, which establishes a connection with the online servers. End users can gain seamless access to the web virtually instantaneously, which allows them to access the web seamlessly. 

As much as Wi-Fi is popular, it can also expose a network to potential vulnerabilities, as well as its convenience. The security of unsecured networks and poorly configured networks can lead to unauthorised access, data theft, or surveillance by unauthorised users. If an internet connection extends beyond the boundaries of a property—also known as a "signal footprint"—it becomes available for use by anyone nearby, including potentially malicious individuals. 

Depending on the actor, network traffic may be intercepted, credentials may be captured, or even devices may be taken over if they are connected to the network. Users must manage their Wi-Fi settings and ensure that they are secure to reduce these risks. Several basic practices can be employed to improve digital safety and prevent intrusions, including monitoring connected devices, adjusting router configurations, and minimising signal exposure. 

In the past, home security has always been viewed in terms of physical safeguards like door locks, alarms, and surveillance cameras; however, as everyday life becomes increasingly digital, the protection of a household's online presence has become equally important. The risk of a cyber-attack on a home Wi-Fi network that is not secured poses a serious cybersecurity threat, but it often goes unnoticed. If cybercriminals are not adequately protected, they are capable of exploiting network vulnerabilities to gain unauthorised access.

In these cases, the attacker may install malicious software, intercept confidential information like credit card numbers, or even gain access to live camera feeds that compromise both privacy and safety. In extreme cases, attackers may install malicious software, intercept credit card information, or even hijack connected devices. To mitigate these risks, it is crucial to strengthen the security of users' home Wi-Fi networks. 

As a result of a properly secured network, users reduce the possibility of unauthorised access, prevent sensitive data from being exploited, and act as a barrier against hackers. As well as protecting the homeowner's digital footprint, it ensures that only trusted users and devices can access the internet, thus preserving speed and bandwidth and protecting the homeowner's digital footprint. 

In today's connected world, robust Wi-Fi security is no longer optional—it is now an integral part of modern home security.

Configuring a Wi-Fi network to maximise security is an essential step. 


It is important to remember that in addition to adopting general security habits, configuring the router correctly is also an important part of maintaining a reliable and secure wireless network. Numerous key measures are often overlooked by users but are essential in preventing unauthorised access to personal data. 

Set up strong network encryption. 


To keep Wi-Fi communication secure, all modern routers should support WPA3 Personal, which is the industry standard that offers enhanced protection from brute force attacks and unauthorised interceptions. When this standard is not available, there is always the possibility of using WPA2 Personal, which is a strong alternative to WPA3. In the case of older routers, users who have not updated their firmware or have not replaced their router hardware should take note that outdated protocols like WEP and WPA are no longer enough to provide safe and secure connections. 

Change the default router credentials immediately. 


The router manufacturer usually assigns a default username, password, and network name (SSID) to its routers, which information is widely available online, and which can be easily exploited. By replacing these default credentials with unique, complex ones, unauthorised access risk is significantly reduced. In addition to the password used by devices to connect to the Wi-Fi network, the router's administrative password is used to manage the router's settings.

Maintain an up-to-date firmware.


Keeping the router software or firmware up-to-date is one of the most important aspects of keeping it secure. If users intend to configure a new router or make changes, they should visit the manufacturer's website to verify the latest firmware version. 

When users register their routers with the manufacturer and choose to receive updates, they are assured to be informed about critical patches promptly. Users of routers provided by Internet Service Providers (ISPS) should verify whether the updates are automatically handled or if they need to be manually performed. 

Disable High-Risk Features by Default 


There is no denying that certain convenience features, such as Remote Management, Wi-Fi Protected Setup (WPS), and Universal Plug and Play (UPnP), can introduce security weaknesses. Though they simplify the process of connecting devices to a network, they are vulnerable to malicious actors if left active for extended periods. To minimise the potential for attack surfaces, these functions should be disabled during initial setup. 

Establish a Segmented Guest Network


The guest network is a unique way of enabling visitors to use the internet without gaining access to the main network or its connected devices by creating a separate guest network. This segmentation minimises the chance that a guest device could be compromised unintentionally by malware or spyware. Assigning a separate network name and password to the guest network reinforces this layer of isolation, so the guest network doesn't get compromised by the main network. 

The administrator should log out and lock down access to the system.


To prevent unauthorised changes to users' router settings, it is important to log out of the administrative interface after they have configured it. Leaving the administrative interface logged in increases the probability of accidental or malicious changes being made. There are other measures in place to protect their router. 

Turn on the router's built-in firewall.


In most modern routers, a built-in firewall prevents malicious traffic from reaching connected devices, as it filters suspicious traffic before it reaching the device. A router’s firewall can provide additional protection against malware infections, intrusion attempts, and other cyber threats. Users need to verify that the firewall is active in the router’s settings. 

Keep all connected devices secure.

A network's security is just one part of the equation. All connected devices, including laptops, smartphones, smart TVS, and Internet of Things appliances, should be updated with the latest software and protected by anti-virus or anti-malware software. In most cases, an intruder can gain access to a larger network using a compromised device. 

With a blurring of the lines between the physical and digital worlds and the ongoing blurring of the boundaries in which they exist, protecting users' home or office Wi-Fi network has become not just an issue of convenience but a necessity as well. Cybersecurity threats are on the rise, often targeting vulnerabilities within household networks that have been overlooked. 

As a precautionary measure to protect personal data, maintain control over bandwidth, and maintain digital privacy, users need to take a proactive, layered approach to wireless security, so that they can protect themselves against unauthorised access. As well as updating firmware, restricting access, monitoring device activity, and disabling exploitable features, it is crucial that users go beyond default settings. 

Users can create a resilient digital environment by treating Wi-Fi networks in the same manner as physical home security systems do—one that is resistant to intrusion, protects sensitive information, and guarantees uninterrupted, safe connectivity. By doing this, users can build a resilient digital environment. When it comes to protecting themselves against emerging cyber threats, it remains paramount to stay informed and vigilant about the latest developments in technology.
Read more »
VPN
Companies Online Services Privacy Switzerland VPN

Switzerland’s New Law Proposal Could Put VPN Privacy at Risk


Switzerland is thinking about changing its digital surveillance laws, and privacy experts are worried. The new rules could force VPN companies and secure messaging services to track their users and give up private information if requested.

At the center of the issue is a proposed change that would expand government powers over online services like email platforms, messaging apps, VPNs, and even social media sites. These services could soon be required to collect and store personal details about their users and hand over encrypted data when asked.

This move has sparked concern among privacy-focused companies that operate out of Switzerland. If the law is approved, it could prevent them from offering the same level of privacy they are known for.


What Could the New Rules Mean?

The suggested law says that if a digital service has over 5,000 users, it must collect and verify users’ identities and store that information for half a year after they stop using the service. This would affect many platforms, even small ones run by individuals or non-profits.

Another part of the law would give authorities the power to access encrypted messages, but only if the company has the key needed to unlock them. This could break the trust users have in these services, especially those who rely on privacy for safety or security.


Why VPN Providers Are Speaking Out

VPN services are designed to hide user activity and protect data from being tracked. They usually don’t keep any records that could identify a user. But if Swiss law requires them to log personal data, that goes against the very idea of privacy that VPNs are built on.

Swiss companies like Proton VPN, Threema, and NymVPN are all worried. They say the law could damage Switzerland’s reputation as a country that supports privacy and secure digital tools.


NymVPN’s Warning

NymVPN, a newer VPN service backed by privacy activist Chelsea Manning, has raised strong objections. Alexis Roussel, the company’s Chief Operating Officer, explained that the new rules would not only hurt businesses but could also put users in danger—especially people in sensitive roles, like journalists or activists.

Roussel added that this law may try to go around earlier court rulings that protected privacy rights, which could hurt Switzerland’s fast-growing privacy tech industry.


What People Can Do

Swiss citizens have time to give feedback on the proposal until May 6, 2025. NymVPN is encouraging people to spread the word, take part in the consultation process, and contact government officials to share their concerns. They’re also warning people in other countries to stay alert in case similar ideas start appearing elsewhere.

Read more »
zero Day vulnerability
Cyber intrusion Cyber Security CyberThreat DDoS FortiGate IoT IP Address Networkk Infrastructure ransomware-as-a-service (RaaS) VPN Vulnerabilities Firewalls zero Day vulnerability

Firewalls and VPNs Under Siege as Businesses Report Growing Cyber Intrusions

 


A security researcher has discovered an ongoing cyberattack that is active, exploiting a newly discovered vulnerability in Fortinet's FortiGate Firewalls to infiltrate corporate and enterprise networks and has been conducting this activity for some time. A security advisory published on Tuesday by Fortinet confirmed the existence of the critical security flaw known as CVE-2024-55591 and indicated that the vulnerability is currently being exploited in the wild. 

Nevertheless, cybersecurity experts are voicing their concerns over the possibility that malicious actors are exploiting this flaw as a zero-day vulnerability - a term that refers to a software vulnerability exploited before the vendor is made aware of or has issued a patch for it. According to a report by Fortinet, attackers may have actively targeted this vulnerability since at least December, many months before it was publicly disclosed and patched. 

In particular, organisations that heavily rely on FortiGate Firewalls for perimeter defence face a significant threat when the vulnerability is exploited by exploiting CVE-2024-55591. As a result of the vulnerability's criticality, enterprises should apply security updates as soon as possible and examine their systems for any indications of unauthorized access as soon as possible. Even though zero-day exploits remain a threat, this development highlights the fact that cybercriminals are increasingly focusing on foundational network infrastructure to gain a foothold in high-value environments. 

The use of virtual private networks (VPNs) as a critical defence mechanism against a variety of cyber threats has long been regarded as a crucial aspect of protecting digital communications from a wide range of threats. VPNs are effective in neutralising the risks associated with man-in-the-middle attacks, which involve unauthorised parties trying to intercept or manipulate data while it is in transit by encrypting the data transmissions. Through this layer of encryption, sensitive data remains secure, even across unsecured networks. 

One of the most prominent use cases for VPNs is that they serve the purpose of protecting people using public Wi-Fi networks, which are often vulnerable to unauthorised access. It has been shown that VPNs are significantly less likely to expose or compromise data in such situations because they route traffic through secure tunnels. Additionally, VPNs hide the IP addresses of users, thereby providing greater anonymity to users and reducing the possibility of malicious actors tracking or monitoring them. 

As a result of this concealment, network resources are also protected against distributed denial-of-service (DDoS) attacks, which often use IP addresses as a method of overloading network resources. Even though VPNs have been around for decades, their use today does not suffice as a standalone solution due to the increasingly complex threat landscape that exists in today's society. To ensure comprehensive protection against increasingly sophisticated attack vectors, it is important to integrate their capabilities with more advanced, adaptive cybersecurity measures. 

It seems that conventional security frameworks, such as Firewalls and VPN,s are becoming increasingly outpaced as the cybersecurity landscape continues to evolve due to the sophistication and frequency of modern threats, which have increased significantly over the past few years. Businesses across many industries are experiencing an increasing number of breaches and vulnerabilities, and traditional methods of addressing these vulnerabilities are no longer capable of doing so. 

Due to the widespread transition from on-premises infrastructure to remote and digitally distributed work environments, legacy security architectures have become increasingly vulnerable, forcing enterprises to reassess and update their defence strategies. Firewalls and VPNs were once considered to be the cornerstones of enterprise network security; however, in today's increasingly complex threat environment, they are having trouble meeting the demands. 

In the past, these technologies have played an important role in securing organisational boundaries, but today, the limitations of those technologies are becoming increasingly apparent as organisations transition to a cloud-based environment and undergo rapid digital transformation. In the year 2025, technological advances are expected to change the way industry operations are conducted—for instance, the adoption of generative artificial intelligence, automation, and the proliferation of Iot and OT systems. 

Despite these innovations, there are also unprecedented risks associated with them. For example, malicious actors use artificial intelligence to automate spear-phishing efforts, craft highly evasive malware, and exploit vulnerabilities more quickly and accurately than they could previously. In addition, as Ransomware-as-a-Service (Raas) is on the rise, the barrier to entry for hackers is dropping, enabling a broader set of threat actors to conduct sophisticated, scalable attacks on businesses. To respond effectively to the complexities of a digitally driven world, organisations must adopt proactive, adaptive cybersecurity models that are capable of responding to the challenges of this dynamic threat environment and moving beyond legacy security tools.

There has been a significant shift in cybersecurity dynamics that has led to a worrying trend: malicious actors are increasingly exploiting Virtual Private Networks (VPNs) as a strategy to gain an advantage over their adversaries. Since VPNs were originally developed as a way to enhance privacy and protect data, they are increasingly being repurposed by cybercriminals to facilitate complex attacks while masking their identity digitally. Because VPNs are dual-purpose devices, they have become instruments of exploitation, which poses a significant challenge for cybersecurity professionals as well as digital forensics teams to deal with. 

There is one particularly alarming technique for using VPN software to exploit vulnerabilities, which involves deliberately exploiting these vulnerabilities to bypass perimeter defences, infiltrate secure systems, and deploy malware without being it. When attackers identify and target these vulnerabilities, they can easily bypass perimeter defences, infiltrate secure systems, and deploy malware without being detected. 

Frequently, such breaches act as entry points into larger campaigns, such as coordinated phishing campaigns that attempt to trick individuals into revealing confidential information. Further, VPNs are known for the ability to mask the actual IP addresses of threat actors, a technique known as IP address masquerading, which enables them to evade geographical restrictions, mislead investigators, and remain anonymous when they launch cyberattacks.

In addition to enabling adversaries to circumvent Firewalls, VPNs also offer the option of encrypting and tunnelling, thus enabling them to penetrate networks that would otherwise be resistant to unauthorised access with greater ease. As a matter of fact, VPNs are often used as a means of spreading malicious software across unreliable networks. By using an encrypted VPN traffic, malware can be able to bypass traditional detection methods, thereby circumventing traditional detection methods. The shield of anonymity provided by VPNs can also be used by threat actors to impersonate legitimate organisations and initiate phishing campaigns, compromising the privacy and integrity of users. 

VPNs can also facilitate the spreading of Distributed Denial-of-Service (DDoS) attacks, which is equally troubling. As these networks are anonymised, it makes it difficult to trace the origin of such attacks, which hinders the development of appropriate response strategies and mitigation strategies. This paradox underscores the complexity of modern cybersecurity, since one security tool can serve both as a tool for cybercrime and a tool for security. 

Even though VPNs remain an important tool to keep users safe and anonymous, their misuse requires a proactive and multifaceted response. To combat this misuse, people need robust technological defences combined with ongoing awareness and education initiatives, which will help us address this misuse effectively. Only through such comprehensive measures can organisations ensure the integrity of VPN technology and ensure trust in the digital privacy infrastructure as long as the technology remains intact. 

Check Point has issued a formal warning regarding the active targeting of its VPN devices as part of an ongoing increase in cyber threats against enterprise infrastructure. As a result of this disclosure, people have been reminded again that there is a sustained campaign aimed at compromising remote access technologies and critical network defences. It is the second time in recent months that a major cybersecurity vendor has released such an alert in the past couple of months. 

According to Cisco, in April 2024, organisations are being warned about a widespread wave of brute-force attacks against VPNs and Secure Shell (SSH) services that are likely to impact several devices from Cisco, Check Point, SonicWall, Fortinet, and Ubiquiti, among others. In the first observed attack around March 18, attackers used anonymised tools, such as TOR exit nodes, proxy networks, and other techniques to obfuscate and avoid detection and block lists, to launch the attacks. 

In March of this year, Cisco had also noticed that passwords were being sprayed at their Secure Firewall appliances that were running Remote Access VPN (RAVPN) services. According to analysts, this is a reconnaissance phase, likely intended to lay the groundwork for more advanced intrusions to follow. Following a subsequent analysis by cybersecurity researcher Aaron Martin, these incidents were linked to a malware botnet dubbed "Brutus", which was previously undocumented. 

Over 20,000 IP addresses were found to be associated with this botnet that was deployed from both residential and cloud-hosted environments, which greatly complicated the process of attribution and mitigation. The threat landscape has only been compounded by Cisco's announcement that a state-sponsored hacker group, also known as UAT4356, has been utilising zero-day vulnerabilities found within its Firepower Threat Defence (FTD) and Adaptive Security Appliances to exploit zero-day vulnerabilities. 

Known by the codename ArcaneDoor, the cyber-espionage campaign has been ongoing since November 2023, targeting critical infrastructure networks as well as governments around the world as part of a broader cyber-espionage campaign. As the frequency and complexity of cyber attacks continue to increase, it is apparent that legacy perimeter defences are no longer adequate in terms of security. 

A layered, intelligence-driven approach to security includes detecting threats in real time, hardening systems continuously, and responding to incidents in a proactive manner. As well as strengthening cybersecurity resilience, fostering collaboration between public and private sectors, sharing threat intelligence, and providing ongoing training to employees can make sure that they remain ahead of their adversaries. There is no doubt that the future of secure enterprise operations is going to be determined by the ability to anticipate, adapt, and remain vigilant in this rapidly evolving digital age.
Read more »
VPN
At-Bay Cyber Security CyberCrime Cyberhackers CyberThreat Digital Threat RaaS Ransomware remote access VPN

Increasing Exploitation of Remote Access Tools Highlights Ransomware Risks

 


Among the latest findings from cybersecurity insurance provider At-Bay, ransomware incidents witnessed a significant resurgence in 2024, with both the frequency and the severity of these attacks escalating significantly. Based on the firm's 2025 InsurSec Report, ransomware activity rose 20 percent from the previous year, returning to the high level of threat that had been experienced in 2021, when ransomware activity soared to 20 per cent. 

There is an overwhelmingly large number of remote access tools and virtual private networks (VPNS) that have been exploited as entry points for these attacks, according to the report. In particular, mid-market organisations, particularly those with annual revenues between $25 million and $100 million, have been severely hit by this surge, with targeted incidents on the rise by 46 per cent. As a result of the At-Bay claims data, it is apparent that the severity of ransomware breaches has increased by 13 per cent year over year, highlighting how sophisticated and financially destructive these threats are becoming. 

It was also found that attacks originating from third parties, such as vendors and service providers, have increased by 43 per cent, compounding the risk. It is also important to note that the economic toll of these supply chain-related incidents increased by 72 per cent on average, which increased the overall cost associated with them. This study highlights the need to reassess the cybersecurity postures of businesses, especially those that are reliant on remote access infrastructure, as well as strengthen defences across the entire digital ecosystem. 

A study published by At-Bay highlights the widespread misuse of conventional cybersecurity tools, particularly those intended to enhance remote connectivity, as well as the deterioration of the effectiveness of traditional cybersecurity tools. Virtual private networks (VPNS) and remote access software, which are frequently deployed to ensure secure access to internal systems from off-site, are increasingly being repurposed as a gateway for malicious activities. 

As a matter of fact, At-Bay’s analysis illustrates a concerning trend that threatens the flexibility of work environments. Threat actors are frequently exploiting these same tools to get access to corporate networks, extract sensitive data, and carry out disruptive operations. Due to their visibility on the public internet, cybercriminals are actively searching for potential vulnerabilities in these systems to attack them. 

The Remote Access Tools are essentially a front door that provides access to your company's network and can typically be viewed by the general public. For that reason, remote access tools are prone to being attacked by attackers, according to Adam Tyra, Chief Information Security Officer for At-Bay's customer service department. In addition to this, the report highlights the disproportionately high risk posed by mid-sized enterprises, which generate annual revenue of between $25 million and $100 million. 

The number of direct ransomware claims has increased significantly within the segment, which highlights both the increased exposure to cyber threats as well as the potential limitations in resources available to defend against them. As part of this report, the authors point out that “remote” ransomware activity has increased dramatically, a tactic that has gained considerable traction among threat actors over the past few years. 

In 2024, this type of attack is expected to have increased by 50 per cent compared to the year before, representing an astounding 141 per cent increase since the year 2022. As far as traditional endpoint detection systems are concerned, remote ransomware campaigns are typically carried out by unmanaged or personal devices. In these kinds of attacks, rather than deploying a malicious payload directly onto the victim's machine, networks file-sharing protocols are used to access and encrypt data between connected systems by using the network file-sharing protocol. Therefore, the encryption process is often undetected by conventional security tools, such as malware scanners and behaviour-based defences. 

These stealth-oriented methodologies pose a growing challenge to organizations, particularly small and medium-sized businesses (SMBS), as a result of this stealth-oriented methodology. In the study conducted by Sophos Managed Detection and Response (MDR), the most common threat vector in the SMB sector is ransomware and data exfiltration, which accounted for nearly 30 per cent of all cases tracked within this sector. 

Even though sophisticated attack techniques are on the rise, the overall volume of ransomware-related events in 2024 saw a slight decline in volume compared with 2023 despite the rise in sophisticated attack techniques. There has been a marginal decrease in ransomware-as-a-service (Raas) incidents. 

The advancement of defensive technologies and the dismantling of several of the most high-profile ransomware-as-a-service (Raas) operations have both contributed to this decline. This combined study emphasises the urgent need for businesses to modernise their cybersecurity strategies, invest in proactive threat detection, and strengthen the security of their remote access infrastructure to combat cybercrime. 

With the development of ransomware tactics in complexity and scale, the resilience of organisations targeted by these threats has also evolved. As a result of these developments, organisations are increasingly expected to reevaluate their risk management frameworks to adopt a more proactive cybersecurity policy. To ensure that a robust defense strategy is implemented, it is imperative that remote access security systems are secured and access controls are implemented and advanced monitoring capabilities are deployed. 

Besides raising awareness of cybersecurity throughout the workforce and fostering close cooperation between technology and insurance partners, it is also possible to significantly reduce the risk of ransomware being a threat to organisations. In the wake of cyber adversaries that keep improving their methods, businesses will have to take not only technical measures to strengthen their resilience, but also a wide range of strategic measures to anticipate and neutralise emergent attack vectors before they can cause significant damage.
Read more »
VPN
Breach Cyber Security DomainControllers Hackers Ransomware Reconnaissance VPN

Majority of Human-Operated Cyberattacks Target Domain Controllers, Warns Microsoft

 

Microsoft has revealed that nearly 80% of human-operated cyberattacks involve compromised domain controllers, according to a recent blog post published on Wednesday. Alarmingly, in over 30% of these incidents, attackers use the domain controller—a central system in corporate IT networks—to spread ransomware across the organization.

A breached domain controller can give hackers access to password hashes for every user in the system. With these credentials, cybercriminals can identify and exploit privileged accounts, including those held by IT administrators. Gaining control of these accounts allows attackers to escalate their access levels.

"This level of access enables them to deploy ransomware on a scale, maximizing the impact of their attack," Microsoft stated.

One such attack, observed by the tech giant, involved a group known as Storm-0300. The hackers infiltrated a company’s systems by exploiting its virtual private network (VPN). After acquiring administrator credentials, they tried to access the domain controller through the remote desktop protocol (RDP). Once inside, they carried out a series of actions including reconnaissance, bypassing security measures, and escalating their privileges.

Despite the growing frequency of attacks, Microsoft emphasized the difficulty in protecting domain controllers due to their critical role in network management and authentication.

Defenders often face the challenge of “striking the right balance between security and operational functionality,” the blog noted.

To improve protection, Microsoft suggested enhancing domain controllers’ ability to differentiate between legitimate and malicious activity—an essential step toward minimizing server compromises.

Jason Soroko, senior fellow at cybersecurity firm Sectigo, stressed the importance of proactive security measures.

"Ultimately, even the most advanced defense mechanisms may falter if misconfigured or if legacy systems create vulnerabilities. Hence, vigilant customer-side security practices are critical to fortifying these systems against modern cyberthreats," Sectigo said.

While Microsoft offers strong protective tools, their success hinges on users maintaining up-to-date systems and activating features like multifactor authentication.


Read more »
Vulnerability
China Cybersecurity espionage Ivanti malware VPN Vulnerability

Chinese Cyber Espionage Suspected in New Ivanti VPN Malware Attack

 

A newly discovered cyberattack campaign targeting Ivanti VPN devices is suspected to be linked to a Chinese cyberespionage group. Security researchers believe the attackers exploited a critical vulnerability in Ivanti Connect Secure, which was patched by the Utah-based company in February. The attack is yet another example of how state-backed Chinese threat actors are rapidly taking advantage of newly disclosed vulnerabilities and frequently targeting Ivanti’s infrastructure.

On Thursday, researchers from Mandiant revealed that a group tracked as UNC5221 exploited a stack-based buffer overflow vulnerability to deploy malicious code from the Spawn malware ecosystem—an attack technique often associated with Chinese state-sponsored activity. Mandiant also identified two previously unknown malware families, which they've named Trailblaze and Brushfire. As seen in earlier attacks tied to Chinese hackers, this group attempted to manipulate Ivanti’s internal Integrity Checker Tool to avoid detection.

The vulnerability, officially tracked as CVE-2025-22457, was used to compromise multiple Ivanti products, including Connect Secure version 22.7R2.5 and earlier, the legacy Connect Secure 9.x line, Policy Secure (Ivanti’s network access control solution), and Zero Trust Access (ZTA) gateways. Ivanti released a patch for Connect Secure on February 11, emphasizing that Policy Secure should not be exposed to the internet, and that "Neurons for ZTA gateways cannot be exploited when in production."

Ivanti acknowledged the attack in a statement: "We are aware of a limited number of customers whose appliances have been exploited." The incident follows warnings from Western intelligence agencies about China's increasing speed and aggression in leveraging newly disclosed software vulnerabilities—often before security teams have time to deploy patches.

Many of the devices targeted were legacy systems no longer receiving software updates, such as the Connect Secure 9.x appliance, which reached end-of-support on December 31, 2024. Older versions of the Connect Secure product line, which were set to be replaced by version 22.7R2.6 as of February 11, were also compromised.

This marks the second consecutive year Ivanti has had to defend its products from persistent attacks by suspected Chinese state-backed hackers. Thursday’s advisory from Mandiant and Ivanti highlights a vulnerability separate from the one flagged in late March by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which had allowed attackers to install a Trojan variant linked to Spawn malware in Ivanti systems.
Read more »
VPN
Apple Data Privacy Data Regulation Google Internet Privacy VPN

Apple and Google App Stores Host VPN Apps Linked to China, Face Outrage

Apple and Google App Stores Host VPN Apps Linked to China, Face Outrage

Google (GOOGL) and Apple (AAPL) are under harsh scrutiny after a recent report disclosed that their app stores host VPN applications associated with a Chinese cybersecurity firm, Qihoo 360. The U.S government has blacklisted the firm. The Financial Times reports that 5 VPNs still available to U.S users, such as VPN Proxy master and Turbo VPN, are linked to Qihoo. It was sanctioned in 2020 on the charges of alleged military ties. 

Ilusion of Privacy: VPNs collecting data 

In 2025 alone, three VPN apps have had over a million downloads on Google Play and  Apple’s App Store, suggesting these aren’t small-time apps, Sensor Tower reports. They are advertised as “private browsing” tools, but the VPNs provide the companies with complete user data of their online activity. This is alarming because China’s national security laws mandate that companies give user data if the government demands it. 

Concerns around ownership structures

The intricate web of ownership structures raises important questions; the apps are run by Singapore-based Innovative Connecting, owned by Lemon Seed, a Cayman Islands firm. Qihoo acquired Lemon Seed for $69.9 million in 2020. The company claimed to sell the business months late, but FT reports the China-based team making the applications were still under Qihoo’s umbrella for years. According to FT, a developer said, “You could say that we’re part of them, and you could say we’re not. It’s complicated.”

Amid outrage, Google and Apple respond 

Google said it strives to follow sanctions and remove violators when found. Apple has removed two apps- Snap VPN and Thunder VPN- after FT contacted the business, claiming it follows strict rules on VPN data-sharing.

Privacy scare can damage stock valuations

What Google and Apple face is more than public outage. Investors prioritise data privacy, and regulatory threat has increased, mainly with growing concerns around U.S tech firms’ links to China. If the U.S government gets involved, it can result in stricter rules, fines, and even more app removals. If this happens, shareholders won’t be happy. 

According to FT, “Innovative Connecting said the content of the article was not accurate and declined to comment further. Guangzhou Lianchuang declined to comment. Qihoo and Chen Ningyi did not respond to requests for comment.”

Read more »
VPN
AI Cyber Attacks cyber resilience Internet phishing VPN

Experts Suggest Evolving Cyber Attacks Not Ending Anytime Soon

Experts Suggest Evolving Cyber Attacks Not Ending Anytime Soon

In a series of unfortunate events, experts suggest the advancement of cybercrime isn’t ending anytime soon.

Every day, the digital landscape evolves, thanks to innovations and technological advancements. Despite this growth, it suffers from a few roadblocks, cybercrime being a major one and not showing signs of ending anytime soon. Artificial Intelligence, large-scale data breaches, businesses, governments, and rising target refinement across media platforms have contributed to this problem. However, Nord VPN CTO Marijus Briedis believes, “Prevention alone is insufficient,” and we need resilience. 

VPN provider Nord VPN experienced first-hand the changing cyber threat landscape after the spike in cybercrime cases attacking Lithuania, where the company is based, in the backdrop of the Ukraine conflict. 

Why cyber resilience is needed

In the last few years, we have witnessed the expansion of cybercrime gangs and state-sponsored hackers and also the abuse of digital vulnerabilities. What is even worse is that “with little resources, you can have a lot of damage,” Briedis added. Data breaches reached an all-time high in 2024. The infamous “mother of all data breaches” incident resulted in a massive 26 billion record leak. Overall, more than 1 billion records were leaked throughout the year, according to NordLayer data

Google’s Cybersecurity Forecast 2025 included Generative AI as a main threat, along with state-sponsored cybercriminals and ransomware.

Amid these increasing cyber threats, companies like NordVPN are widening the scope of their security services. A lot of countries have also implemented laws to safeguard against cyberattacks as much as possible throughout the years. 

Over the years, governments, individuals, and organizations have also learned to protect their important data via vpn software, antivirus, firewall, and other security software. Despite these efforts, it’s not enough. According to Briedis, this happens because cybersecurity is not a fixed goal. "We have to be adaptive and make sure that we are learning from these attacks. We need to be [cyber] resilience."

The plan forward

In a RightsCon panel that Briedis attended, the discourse was aimed at NGOs, activists, and other small businesses, people take advantage of Nord’s advice to be more cyber-resilient. He gives importance to education, stressing it’s the “first thing.”

Read more »
VPN
BackLock Black Basta Cyberhacekrs Cybersecurity CyberThreat malware Ransomware ransomware-as-a-service (RaaS) VBS VPN

Black Basta's Slowdown Coincides with BlackLock's Growth

 


The activity level of ransomware groups with "black" in their name has varied greatly over the early months of the new year. Despite the significant increase in attacks caused by the BlackLock ransomware group, the long-established Black Basta ransomware group appears to be about to break up, although it is still posing a persistent cybersecurity threat even so. 

Even though BlackLock was first identified as a ransomware-as-a-service operation in March 2024, the cyber-criminals have been actively targeting multiple platforms in the past few months, including Windows, VMware ESXi, and Linux systems, according to a report by cybersecurity firm ReliaQuest. According to a report by ReliaQuest, BlackLock, also known as El Dorado or Eldorado, utilizes a double-extortion strategy, which involves exfiltration of sensitive data from a victim before the encryption of their computer systems. 

With this approach, threat actors can demand a ransom in addition to the decryption of compromised files to obtain a promise that they will not reveal the stolen data once they have decrypted it. As reported by ReliaQuest, BlackLock has also reported a substantial increase in its activities over the last three months, with its data leak site registering fourteen times as many victims as it did in the previous three months of 2024. In light of this sharp increase, it is evident that BlackLock is becoming a greater threat to organizations, as it continues to expand its operations and refine its extortion tactics, which are becoming increasingly sophisticated. 

To enhance an enterprise's cybersecurity posture, it is crucial to have a thorough understanding of the Black Basta attack methodologies. The Black Basta ransomware group attacks targeted organizations by exploiting known vulnerabilities, system misconfigurations, and inadequate security controls. It has been determined that the group systematically focused on exposed Remote Desktop Protocol servers, weak authentication mechanisms, malware droppers disguised as legitimate files, and exposed RDP servers through analyzing its internal communications. 

In April 2022, blackBasta, a ransomware-as-a-service (RaaS) operation based in Russian, was first discovered. It is safe to say that Black Basta expanded quickly after the dismantling of the Conti ransomware group, taking advantage of the void left behind and including former Conti affiliates in its ranks in an effort to exploit the void left behind. Through this strategic expansion, the group was able to orchestrate attacks against hundreds of organizations throughout the world, establishing itself as an elite cybercriminal organization. 

According to cyber-intelligence firm Prodaft, the group's campaigns have declined steadily over the past couple of months, with its last known operations occurring in December, according to the firm. Since this group was previously one of the most dominant players in the ransomware landscape, it has been the subject of considerable attention within the cybersecurity community during this abrupt downturn in activity. There are numerous sophisticated attack vectors employed by Black Basta to compromise systems, which include the following. 

Among its primary tactics has been scanning for exposed RDP and VPN services around the world. This group frequently takes advantage of the default credentials available for VPN connections, or they use brute-force attacks to establish initial access by exploiting previously compromised credentials. Black Basta is also actively exploiting known Common Vulnerabilities and Exposures (CVEs) in unpatched systems, taking advantage of organizations that are not updated with security patches, or are behind in updating their security systems. 

To make malware deployment much easier, ransomware operators often use MSI (Microsoft Installer) and VBS (Visual Basic Script) malware droppers that deliver malicious payloads discreetly to make malware deployments easier. The majority of these payloads are executed by misusing system utilities such as Rundll32.exe, which can be used to execute harmful DLL files as a result. Additionally, this group focuses on credential harvesting and privilege escalation, which allows them to gain a deeper understanding of a compromised network and to increase their impact.

Black Bastion’s tactics have been evolving over the years and are becoming more persistent. This is why organizations should adopt a proactive cybersecurity strategy, ensuring regular patching, robust authentication protocols, and continuous network monitoring to minimize the risks posed by this malware. There is no denying that the sophistication of malware used by threat actors greatly influences the effectiveness of ransomware operations. 

As a result of developing and maintaining proprietary crypters, prominent ransomware groups like Play, Qilin, and BlackLock have distinguished themselves from the competition. It has been widely believed that leading cybercriminal organizations have used customized crypters to enhance the stealth and operational efficiency of their malware, making security systems more difficult to detect and mitigate. 


A strategic advantage for these organizations is the ability to market their malware as faster and more evasive than the competitors, which will help them attract high-level affiliates. However, other ransomware groups, such as Bl00dy, Dragonforce, and RA World, rely on leaked ransomware builders that were originally developed by Babuk or LockBit. In his opinion, Jim Wilson, a ReliaQuest security analyst, believes such groups are either lacking the technical expertise required to develop proprietary malware or they are not able to afford to pay skilled developers to develop proprietary malware. From a cybersecurity perspective, the reliance on publicly available tools creates opportunities for defenders, as it enables them to analyze code and develop targeted countermeasures based on that analysis. 

Recently, BlackLock has become increasingly popular within cybercriminal forums. Wilson has noted that the group actively recruits affiliates, initial access brokers, and experienced developers through the Ramp forum. The alias "$$$" is used to identify this group as active within the Ramp cybercrime forums. The BlackLock group also frequently recruits "traffers" which are cybercriminals who send victims to malicious websites before passing them off to more experienced operatives for execution. According to incident response firms, ransomware groups typically gain their first access to enterprise networks through phishing campaigns as well as by utilizing remote access tools. 

Cybercriminals often use known software vulnerabilities to attack systems by infiltrating them. Sophisticated ransomware groups are constantly trying to improve their attack strategies through utilizing innovative methods. There was a post made by "$$$" on Ramp on January 28, 2025, in which he asked hackers who had experience exploiting Microsoft's Entra Connect Sync, a software that allows Active Directory to be synchronized with Entra (formerly Azure Active Directory), to be exploited. 

Research published by SpecterOps in December 2024 was referenced as the basis for this request. As part of the research, attackers were able to inject their own Windows Hello for Business (WHFB) key into a victim's account to exploit Entra's synchronization mechanisms. Additionally, cybersecurity expert Garrity noted that Black Basta has demonstrated a proactive approach to vulnerability exploitation. 

The group reportedly discusses new vulnerabilities within days of security advisories being released and, while hesitant, considers purchasing exploits from emerging threat actors. Furthermore, there is evidence suggesting that Black Basta possesses the necessary resources to develop new exploits. Garrity’s analysis of Black Basta’s chat logs indicates a strategic yet opportunistic approach that prioritizes well-known vulnerabilities and high-value targets. 

While the group primarily leverages established exploit frameworks and widely available tools, discussions within their network suggest a potential for new exploit development and tactical evolution. For cybersecurity defenders, the key takeaway is the importance of prioritizing vulnerability remediation through an evidence-based security strategy. Cybersecurity firm Rapid7 has reported that Black Basta has continuously refined its social engineering techniques, incorporating enhanced malware payloads, improved delivery mechanisms, and advanced evasion tactics. 

The group has been observed leveraging Microsoft Teams to impersonate IT personnel, often masquerading as help desk or customer support representatives. Upon engaging a victim, attackers attempt to install remote management tools such as AnyDesk, TeamViewer, or ScreenConnect, deploy malicious QR codes, or establish a reverse shell using OpenSSH. Once access is secured, malware such as Zbot or DarkGate is used to escalate privileges, harvest credentials, and bypass multifactor authentication, ultimately leading to data exfiltration and ransomware deployment. 

A December 2024 attack investigated by ReliaQuest involved a Microsoft lookalike domain sending a flood of phishing emails to employees, followed by direct calls through Teams. Within minutes of gaining access via Quick Assist, the attacker established communication with a command-and-control server and began lateral movement within 48 minutes, successfully exfiltrating data from a manufacturing firm. Despite these ongoing attacks, intelligence from deep and dark web sources suggests that Black Basta’s leadership has exhibited signs of fatigue since mid-2024. 

According to RedSense analyst Bohuslavskiy, key members, including a critical administrator, have reportedly lost interest in ransomware operations, possibly due to prolonged involvement since 2019 or 2020. While the group appears to be scaling down, its infrastructure remains operational, with continued victim negotiations and ransomware deployments. However, declining operational standards have led to increased failures in decryption, rendering attacks even more destructive due to the group's growing negligence.

As well, Cybersecurity expert Garrity noted that Black Basta has been proactive when it comes to exploiting vulnerabilities. It has been reported that the group discusses new vulnerabilities as soon as security advisories are released, and while it is reluctant to buy exploits from emerging threat actors, the group is still considering doing so. Several pieces of evidence suggest that Black Basta possesses the necessary resources to develop new exploits based on evidence. 

According to Garrity's analysis of Black Basta's chat logs, the group takes a strategic yet opportunistic approach, prioritizing well-known vulnerabilities and high-value targets. Although the group primarily relies on established exploit frameworks and readily available tools, discussions within the group suggest that new exploits could be developed and tactically evolved in the future. 

Among the key takeaways for cybersecurity defenders is the importance of prioritizing vulnerability remediation as part of an evidence-based security strategy. According to Rapid7, Black Basta has continuously reworked its social engineering techniques, including enhancing malware payloads, improving delivery mechanisms, and incorporating evasion tactics to make it more effective than before. Observations have indicated that the group uses Microsoft Teams to impersonate IT employees, often masquerading as help desk or customer support representatives. 

As soon as the attacker engages a victim, he or she attempts to install remote management tools such as AnyDesk, TeamViewer, or ScreenConnect to deploy malicious QR codes, or to establish a reverse shell via OpenSSH in the event of an attack. Malware, such as Zbot, DarkGate, and other malicious programs, is then employed to escalate privileges, harvest credentials, and bypass multifactor authentication, resulting in data exfiltration and ransomware deployment. This attack is believed to have been perpetrated by a Microsoft-like domain that sent phishing emails to employees in December 2024, followed by direct calls through Teams. 

After gaining access via Quick Assist in less than five minutes, the attacker established a connection with a command and control server, started moving laterally within 48 minutes, and successfully extracted information from a manufacturing company within 48 minutes. However, information from deep and dark web sources suggests that the leadership of Black Basta has shown signs of fatigue since mid-2024 despite these ongoing attacks. 

It has been reported that RedSense analyst Bohuslavskiy believes key members, including a critical administrator, have lost interest in ransomware operations, possibly due to their prolonged involvement in the ransomware campaign from 2019 or 2020. Although the group appears to be reducing its operations, it has been continuing to negotiate with victims and deploy ransomware, despite its apparent scaling down. It is important to note that while operational standards are decreasing, more and more failures in decryption have arisen during the last few years, which has rendered attacks even more destructive due to the growing negligence of the group.
Read more »
Subscribe to: Posts (Atom)