Search This Blog

Powered by Blogger.

Blog Archive

Labels

About Me

Showing posts with label cyber attack. Show all posts

FBI Raises Alarm as Scattered Spider Threat Group Expands Target Sectors

 

The Federal Bureau of Investigation (FBI) has issued a high-level cybersecurity alert warning about the growing threat posed by Scattered Spider, a cybercriminal group now targeting the transportation sector specifically the aviation industry and expanding its focus to insurance companies. Previously associated with large-scale ransomware attacks in the retail sector, including a significant breach at Marks & Spencer in the UK that resulted in losses exceeding $600 million, the group is now shifting tactics and industries. 

A recent analysis by cybersecurity firm Halcyon, confirmed by the FBI, highlights how Scattered Spider is using advanced social engineering to bypass multi-factor authentication (MFA), often by impersonating employees or contractors and deceiving IT help desks into adding unauthorized MFA devices. The FBI has urged organizations to strengthen their MFA procedures and report any suspicious activity promptly. Research from Reliaquest shows the group often spoofs technology vendors and specifically targets high-access individuals like system administrators and executives.

Scattered Spider is financially driven and reportedly connected to a broader cybercriminal collective known as The Community. Its collaborations with ransomware operators such as ALPHV, RansomHub, and DragonForce have enabled it to access sophisticated cyber tools. What makes the group particularly dangerous is its ability to blend technical skill with social engineering, recruiting English-speaking attackers with neutral accents and regional familiarity to convincingly impersonate support staff during Western business hours. Real-time coaching and detailed scripts further enhance the success of these impersonation efforts.

Beyond aviation, experts are now seeing signs of similar attacks in the U.S. insurance sector. Google’s Threat Intelligence Group confirmed multiple such incidents, and security leaders warn that these are not isolated cases. Jon Abbott, CEO of ThreatAware, emphasized that this trend signals a broader threat landscape for all industries. 

Richard Orange of Abnormal AI noted that Scattered Spider relies more on manipulating human behaviour than exploiting software vulnerabilities, often moving laterally across systems to gain broader access. The group’s exploitation of supply chain links has been a consistent tactic, making even indirect associations with targeted sectors a point of vulnerability. As the FBI continues to work with affected industries, experts stress that all organizations, regardless of sector, must enhance employee awareness, implement strict identity verification, and maintain vigilance against social engineering threats.

FBI Warns of Scattered Spider Cyberattacks on Airline and Transport Sectors

 

The FBI, along with top cybersecurity firms, has issued a fresh warning that the notorious hacking group Scattered Spider is expanding its targets to include the airline and broader transportation industries. In a statement released Friday and shared with TechCrunch, the FBI said it had “recently observed” cyber activity in the airline sector bearing the hallmarks of Scattered Spider’s tactics. 

Experts from Google’s Mandiant and Palo Alto Networks’ Unit 42 also confirmed they have identified attacks on aviation-related systems linked to the same group. Scattered Spider is widely known in cybersecurity circles as a loosely organized yet highly active group of hackers, believed to be comprised mainly of young, English-speaking individuals. Motivated largely by financial gain, the group is infamous for using sophisticated social engineering techniques, phishing campaigns, and even threats directed at corporate help desks to infiltrate systems. In some cases, their intrusions have led to the deployment of ransomware. 

The FBI’s alert highlighted the group’s pattern of targeting both major corporations and their third-party IT service providers. This broad approach means that anyone within the airline ecosystem from airline staff to external contractors could be a potential target. The warning follows a series of cyber incidents involving airlines. 

Hawaiian Airlines confirmed on Thursday that it was responding to a cyberattack affecting its systems. Meanwhile, Canadian carrier WestJet reported a breach on June 13 that is still ongoing. Media reports suggest that Scattered Spider may be responsible for the WestJet intrusion. 

This latest activity comes after a string of attacks by the group on other industries, including retail chains in the U.K. and several insurance companies. In the past, Scattered Spider has also been linked to breaches involving casinos, hotel groups, and large tech firms. Cybersecurity professionals warn that the group’s evolving methods and willingness to exploit human vulnerabilities make them a significant threat across sectors, especially industries reliant on large-scale digital infrastructure and third-party vendors.

Russian APT28 Targets Ukraine Using Signal to Deliver New Malware Families

 

The Russian state-sponsored threat group APT28, also known as UAC-0001, has been linked to a fresh wave of cyberattacks against Ukrainian government targets, using Signal messenger chats to distribute two previously undocumented malware strains—BeardShell and SlimAgent. 

While the Signal platform itself remains uncompromised, its rising adoption among government personnel has made it a popular delivery vector for phishing attacks. Ukraine’s Computer Emergency Response Team (CERT-UA) initially discovered these attacks in March 2024, though critical infection vector details only surfaced after ESET notified the agency in May 2025 of unauthorised access to a “gov.ua” email account. 

Investigations revealed that APT28 used Signal to send a macro-laced Microsoft Word document titled "Акт.doc." Once opened, it initiates a macro that drops two payloads—a malicious DLL file (“ctec.dll”) and a disguised PNG file (“windows.png”)—while modifying the Windows Registry to enable persistence via COM-hijacking. 

These payloads execute a memory-resident malware framework named Covenant, which subsequently deploys BeardShell. BeardShell, written in C++, is capable of downloading and executing encrypted PowerShell scripts, with execution results exfiltrated via the Icedrive API. The malware maintains stealth by encrypting communications using the ChaCha20-Poly1305 algorithm. 

Alongside BeardShell, CERT-UA identified another tool dubbed SlimAgent. This lightweight screenshot grabber captures images using multiple Windows API calls, then encrypts them with a combination of AES and RSA before local storage. These are presumed to be extracted later by an auxiliary tool. 

APT28’s involvement was further corroborated through their exploitation of vulnerabilities in Roundcube and other webmail software, using phishing emails mimicking Ukrainian news publications to exploit flaws like CVE-2020-35730, CVE-2021-44026, and CVE-2020-12641. These emails injected malicious JavaScript files—q.js, e.js, and c.js—to hijack inboxes, redirect emails, and extract credentials from over 40 Ukrainian entities. CERT-UA recommends organisations monitor traffic linked to suspicious domains such as “app.koofr.net” and “api.icedrive.net” to detect any signs of compromise.

Cyberattack Disrupts WestJet Systems as Investigation Begins


The second-largest airline in Canada, WestJet, is currently investigating an ongoing cyberattack which has compromised its internal systems as well as raising concerns about the risk of data loss to customers. As early as late last week, the airline was notified of the breach, but it has not yet been resolved. 

In order to determine whether any sensitive information, such as customer data, has been compromised, a thorough assessment has been initiated. It has been reported that, although flight operations continue to be unaffected, some customers may occasionally experience technical difficulties, such as intermittent interruptions or errors, when accessing the company's website or mobile application. 

The airline has issued an online advisory which reassured the public that measures are being taken to mitigate the impact of the breach and to determine the extent of the intrusion. Until further notice, it is unclear what type of cyberattack the threat actors have perpetrated, as well as who the threat actors are and what their intent is. 

However, this incident has put the spotlight on what it has to offer when it comes to cybersecurity threats for major transportation and aviation networks. In response to an ongoing investigation, WestJet has announced that it is working closely with cybersecurity experts and relevant authorities as part of a comprehensive investigation, focusing primarily on safeguarding personal information and restoring full digital functionality to customers. 

The situation that is arising in the airline industry highlights the crucial importance of robust cybersecurity measures, especially as threat actors are increasingly targeting infrastructure that holds vast amounts of customer and operational data. In an official statement issued by WestJet, the company said that while the cyberattack was detected late last week, it did not affect core flight operations at all. 

While the airline has warned customers against experiencing intermittent technical problems when using its website or mobile application, it has also warned that some customers may encounter intermittent technical difficulties, including temporary interruptions or errors. The inconveniences mentioned here, although limited in scope, illustrate the impact such incidents can have on user experiences and the quality of the digital experience. 

As part of an ongoing investigation, the airline is cooperating closely with law enforcement agencies and cybersecurity experts, according to WestJet spokesperson Josh Yeats. Although there are no specific details yet regarding the nature of the breach, namely whether it was malware, ransomware, or another type of intrusion, no specific details have yet been revealed. 

As a result of the lack of clarity around the attack vector, questions have been raised regarding its extent and sophistication. The incident happened just days before the G7 summit took place in Kananaskis, an international gathering of dignitaries who were to gather in Alberta for the summit. Despite the fact that no direct connection has been made between the attack and the high-profile event, the timing has further heightened scrutiny and concern. 

With its vast reservoirs of sensitive passenger and financial data, the aviation sector has become an increasingly popular target for cyber criminals as a result of its wide variety of vulnerable vulnerabilities. Due to the global scope of airlines coupled with the dependency of their operations on interlocked digital systems, it is clear that airlines are particularly susceptible to sophisticated cyber threats in order to disrupt services or capture valuable data. 

The preliminary analysis indicates that the attackers exploited a number of vulnerabilities that affected both public-facing applications as well as internal systems of the airline. In light of this, new concerns have been raised regarding the evolving tactics used by cybercriminals to attack the aviation industry. This intrusion was believed to involve advanced spear-phishing techniques as well as exploiting known vulnerabilities, including CVE-2023-12345 that are widely documented. 

These tactics indicate a focused, methodical approach geared towards hacking critical digital infrastructure. It has been determined that several WestJet digital assets may have been compromised based on the investigation, according to cybersecurity experts who have been involved in the investigation. This includes the WestJet Mobile App, the API Backend (version 1.8.9), Oracle Database 19c installation, and Windows Server 2019 environments, among others. 

As a consequence of the attackers’ ability to maneuver laterally across the digital ecosystem and compromise multiple layers of infrastructure, there is a range of impacted systems resulting from the attack. Analysts have completed an extensive technical report covering over 1,000 words in which they have mapped the adversary behavior observed to MITRE's ATT&CK framework, providing insighbehaviourhe the tactics, techniques, and procedures (TTPs) employed during the breach by the adversary.

It is important to map threats methodically to not only understand the nature of the threat but also formulate  informed response strategies that will mitigate and defend against it effectively. According to the report, several remediation steps are prioritised by the severity of the risk. These steps include patching exploited vulnerabilities as soon as possible, strengthening endpoint detection and response (EDR) systems, reviewing access privileges, and enhancing the resilience of employees to phishing attacks. 

Despite the fact that it is extremely difficult for airlines toEven thoughitical infrastructure, the incident underscores that continuous monitoring, rapid threat detection, and layers of cybersecurity controls are imperative when it comes to safeguarding mission-critical infrastructure. As a consequence of the vast amounts of sensitive customer data the aviation industry holds as well as its critical dependence on uninterrupted digital operations, cybercriminals are increasingly targeting this sector as a high-value target.

A great deal of information is handled daily by airlines, and since they handle such a large amount of personally identifiable information, they are both seen as attractive targets for both digital extortionists and data thieves. Additionally, thestry's vulnerability can be further emphasized by historical incidents, which show that they are primarily and widely disruptive because of their limited tolerance for downtime. 

There was a significant ransomware attack on SpiceJet in May 2022, leading to a large number of flight delays and operational disruptions, which resulted in widespread flight delays and disruptions. It was also observed in April of the same year that Canadian low-cost airline Sunwing Airlines suffered multiple days of service disruptions after a cyberattack compromised the security system of a third-party company that was responsible for passenger check-in and boarding.

A number of recent challenges have highlighted the vulnerability of both direct and supply-chain vulnerabilities, which have a significant impact upon airline functionality and customer experience. The threat landscape goes beyond data theft and disruptions in operations. As an alarming example, two El Al flights headed towards Israel have been reportedly targeted by hackers who attempted to manipulate their communication systems, with the apparent aim of diverting the planes from their preprogrammed flight paths, as part of an attempt to steal their passengers' information. 

While no damage was caused, the incident highlighted the growing sophistication of threat actors as well as the potential for cyber intrusions to evolve into physical safety threats. It is in recognition of these growing risks that regulatory bodies have begun strengthening sector-wide defences. Specifically, the European Aviation Safety Agency (EASA) introduced its first comprehensive Easy Access Rules (EAR) for Information Security (Part IS) in 2024 as a response to these increasing risks. 

By updating these cybersecurity regulations, the aviation industry will be able to protect aircraft systems and data across all member states, reflecting a proactive move towards enhancing resilience as the world becomes increasingly digitized and vulnerable to cybercrime. A particularly compelling aspect of the WestJet cyber incident is the possibility that foreign nation-states may have been involved in the attack. 

There has been no official acknowledgment of the breach by its perpetrators, however the timing of the attack, which occurred just days before the G7 summit in Kananaskis, Alberta, has prompted some scrutiny on whether or not the breach could have geopolitical overtones. The correlation between such an intrusion and a major international event raises the possibility of questions regarding motives, strategic intentions, and the wider context in which the attack may have been carried out, as well as the question of motives. 

In history, state-sponsored threat actors have historically targeted symbolic infrastructure during high-profile global events, such as political summits and international sporting competitions, as a form of political leverage or disruption. These activities are often designed as a means of creating disruption, embarrassment, or political leverage for a particular cause. 

 It has been proposed that WestJet, given its status as a major national carrier and its proximity to the summit site, is a strategically appealing target for actors looking to signal power or create distraction without engaging directly with the military. Suppose investigations reveal evidence of foreign involvement in the breach. 

In that case, it may escalate into a diplomatic crisis with significant international repercussions, turning the breach into a cybersecurity incident that will affect the entire world. It would also mark a paradigm shift in the perception of cyberattacks on civilian transportation systems, as they would move from being viewed solely as criminal activity to possible acts of cyber warfare or political signaling, respectively, and also from a perception of cyber warfare. 

The implications for WestJet from a business perspective are equally as severe. Even without confirmation of a data breach, the potential erosion of customer trust poses an enormous reputational risk to the company. In a highly trusting industry, airlines require that consumers have confidence in the handling of sensitive personal and financial data. 

Moreover, a single breach - especially a breach that has garnered international attention - can result in customer attrition, increased regulatory scrutiny, and a significant increase in insurance premiums. Any perceived vulnerability in the airline's cybersecurity posture can have long-term financial and operational consequences, since the airline's margins are razor thin and consumers have high expectations. 

As well as this, new regulations may require the airline to strengthen its cybersecurity framework in the future. PIPEDA is a Canadian Act that requires organizations to report breaches in security safeguards and to take steps to mitigate the harm they cause. Organizations are required to do so under this law. A failure to comply with these laws not only carries legal consequences, but can also adversely affect the company's reputation and reputation with the public. 

The WestJet breach has been a critical lesson in the wider aviation industry. In the first place, cybersecurity must be seen as a core component of mission-critical infrastructure rather than something that is confined to the IT department. Secondly, it is important to enhance cyber resilience among leadership and boards so that cyber risk management becomes integrated into core strategic decision-making. 

As part of this process, zero trust architectures are adopted, continuous network monitoring is performed, and regular simulations are conducted to prepare for incident response incidents. In addition to robust access controls, such as mandatory multi-factor authentication, and proactive vulnerability management practices that include penetration testing, effective defense requires implementing robust access controls. 

Secondly, supply chain security is a strategic concern that airlines must put forth. Airlines are reliant upon a huge ecosystem of third-party vendors, each of which can be an entry point for attackers. Managing indirect threats is essentially a matter of ensuring that all of your partners follow stringent cybersecurity practices. 

The final component is to maintain public confidence in the organization through transparent and timely communication with customers during and after a cyber event. In the wake of a breach, it is important to provide regular updates, responsive support channels, and proactive measures, such as identity monitoring services, that can assist in restoring trust and showing organizational accountability. 

According to the investigation into the WestJet cyberattack, it is not only proving the importance of cybersecurity in the organization's business, but it serves as a powerful reminder as well that cybersecurity cannot be treated as a back-office function or a reactive expenditure anymore; it is a pillar of national resilience, operational integrity, and customer trust. 

A challenge that the aviation industry faces is not a mere abstract risk, but one that is present at the crossroads of critical infrastructure and global mobility; it is a threat that is real and persistent as well as changing at an unprecedented rate and level of sophistication. 

There is a critical need for airlines to see cybersecurity as more than just a compliance checkbox going forward, but rather an imperative that is embedded in every aspect of their operations, including boardroom discussions and procurement processes, as well as their day-to-day operations and customer interactions in the future. 

By investing in threat intelligence, building resilient IT architectures, and fostering a culture of constant vigilance amongst employees, the organization can accomplish its goals. A comprehensive security baseline and collaborative defense mechanism are also essential for establishing industry-wide security baselines, in collaboration with regulators, cybersecurity experts and supply chain partners. 

As a result of this event, regulators and policymakers were reminded of the urgency of harmonizing aviation-specific security frameworks worldwide to ensure that digitization does not outpace security governance at the same time. 

Lastly, proactive legislative and enforcement efforts combined with incentives for robust cybersecurity investments can be a powerful combination to boost a stronger, more resilient transportation sector. After all, the WestJet breach is not only one isolated incident, but is also a wake-up call to everyone involved. 

It is becoming increasingly obvious that in response to the increasingly targeted, political, and disruptive nature of cyber threats, only those organizations that treat cybercrime as a business enabler - not only as a cost center - will be able to maintain trust, ensure safety, and compete in a world that is increasingly technologically interconnected.

How Banks Are Battling Digital Fraud

 

“Unusual activity detected in your account.” A message like this, often accompanied by a suspicious link, is the new face of digital fraud. While you may pause before clicking, banks are already working behind the scenes to block such threats before they reach you. 

With financial fraud becoming more sophisticated, banks today operate like cybersecurity battalions — encrypting data, analysing behavioural patterns, and detecting threats using artificial intelligence. Their mission is to safeguarding customer trust and protecting billions in assets. Why this urgency? The stakes are high. A single breach can destroy reputations, trigger regulatory backlash, and lead to massive financial losses. 

In 2024 alone, data breaches accounted for $16.6 billion in reported losses. Regulatory bodies such as the Federal Reserve and Consumer Financial Protection Bureau demand stringent compliance pushing banks to invest heavily in fraud prevention. As physical card fraud declines due to chip security, cybercriminals are moving online. 

In Q3 2024, command prompt scams surged by 614%, often tricking users into downloading malware through fake software tutorials. Scams like phishing and smishing are also growing, with the latter causing $330 million in reported losses in 2022. More alarmingly, deepfake technology is now being used to mimic voices and video calls, fooling even trained professionals. 

To counter these, banks are deploying tools like 3D Secure authentication, virtual card numbers, transaction alerts, and graph-based fraud detection. AI plays a key role, learning customers’ typical behaviours to detect anomalies within milliseconds. But fraud prevention isn’t just digital. Trained bank staff, especially in contact centres, help intercept red flags like rushed withdrawals or mismatched identification. Public-private partnerships with agencies like the FBI further bolster defences. 

Still, no system is foolproof without user awareness. Customers must monitor accounts regularly, enable multi-factor authentication, avoid clicking suspicious links, and use secure passwords. Future innovations like quantum-resistant encryption, continuous authentication, and blockchain-based identity promise more security. But ultimately, staying vigilant is your strongest defence. Banks are fighting fraud on all fronts, and you are their most important ally.

TCS Investigates Possible Link to M&S Cyberattack

 

Tata Consultancy Services (TCS), a leading Indian IT services firm under the Tata Group umbrella, is reportedly investigating whether its systems played any role in the recent ransomware attack that disrupted operations at British retail giant Marks & Spencer (M&S). 

The cyberattack, which occurred in late April 2025, was initially described by M&S as a “cyber incident.” However, subsequent reports confirmed it to be a ransomware assault that severely affected both in-store and online operations. Key services such as contactless payments and Click and Collect were disabled, while online orders came to a standstill. 

Several internal systems were reportedly taken offline as a containment measure. The prolonged disruption, lasting several weeks, had a significant impact on M&S’s business. The company’s market capitalization is estimated to have dropped by £1 billion, and there are allegations that customer data may have been compromised in the breach. 

As M&S continues recovery efforts, TCS is conducting a thorough internal investigation to determine whether any part of its infrastructure might have been involved in the incident. TCS has long been a key technology partner for M&S, which adds urgency to the ongoing review. The attack has once again brought cybersecurity solutions into focus. 

Platforms like Keeper Security, known for their zero-knowledge encryption-based password managers and digital vaults, are gaining traction. Keeper offers features such as two-factor authentication, secure file storage, dark web monitoring, and real-time breach alerts—tools that are increasingly vital in defending against sophisticated cyber threats like ransomware. 

Co-op Cyberattack Exposes Member Data in Major Security Breach

 

Millions of Co-op members are being urged to remain vigilant following a significant cyberattack that led to a temporary shutdown of the retailer’s IT infrastructure. The company confirmed that the breach resulted in unauthorized access to sensitive customer data, although it emphasized that no financial or account login information was compromised. 

Shirine Khoury-Haq, Chief Executive Officer of Co-op, addressed members directly, expressing regret and concern over the breach. She assured customers that the company’s core operations were largely unaffected by the attack and that members could continue to use their accounts and services as normal. However, she acknowledged the seriousness of the data exposure, which has affected both current and past members of the Co-op Group. 

“We deeply regret that personal member information was accessed during this incident. While we’ve been able to prevent disruption to our services, we understand how unsettling this news can be,” Khoury-Haq stated. “I encourage all members to take standard security precautions, including updating their passwords and ensuring they are not reused across platforms.” 

According to an official statement from Co-op, the malicious activity targeted one of their internal systems and successfully extracted customer data such as names, contact information, and dates of birth. Importantly, the company clarified that no passwords, payment details, or transactional records were included in the breach. They also emphasized that their teams are actively investigating the incident in coordination with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA). 

The company said that it has implemented enhanced security measures to prevent further unauthorized access, while minimizing disruption to business operations and customer services. Forensic specialists are currently assessing the full scope of the breach, and affected individuals may be contacted as more information becomes available. In response to the incident, Stephen Bonner, Deputy Commissioner of the UK Information Commissioner’s Office (ICO), offered guidance to concerned members. “Cyberattacks like this can be very unsettling for the public. 

If you’re concerned about your data, we recommend using strong, unique passwords for each of your online accounts and enabling two-factor authentication wherever possible,” he advised. “Customers should also stay alert to updates from Co-op and follow any specific instructions they provide.” The Co-op has apologized to its customers and pledged to continue prioritizing data protection as it works to resolve the issue. While the investigation continues, members are encouraged to remain cautious and take proactive steps to safeguard their personal information online.

UK Retail Sector Hit by String of Cyberattacks, NCSC Warns of Wake-Up Call

 

The United Kingdom’s National Cyber Security Centre (NCSC) has issued a stark warning following a wave of cyberattacks targeting some of the country’s most prominent retail chains. Calling the incidents a “wake-up call,” the agency urged organisations to strengthen their cybersecurity posture amid growing threats. 

The NCSC, a division of GCHQ responsible for cybersecurity guidance across the UK’s public and private sectors, confirmed it is working closely with the impacted retailers to understand the scope and impact of the attacks. 

“The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers and the public,” said NCSC CEO Dr Richard Horne. 

“These incidents should act as a wake-up call to all organisations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively.” 

In the past two weeks, major British retailers Marks & Spencer, Co-op, and Harrods have all reported cybersecurity breaches. Harrods confirmed that threat actors attempted to infiltrate its systems on May 1st, prompting the luxury department store to restrict access to certain websites—a move that suggests defensive measures were enacted during an active threat. Around the same time, the Co-operative Group revealed it was also the target of a cyberattack. 

In an internal memo, Co-op’s Chief Digital and Information Officer Rob Elsey warned staff to exercise caution with email and Microsoft Teams usage, adding that VPN access had been shut down as part of containment efforts. Marks & Spencer, one of the UK’s most iconic retail brands, faced disruptions across its online ordering platform and in-store services such as contactless payments and Click & Collect. The incident has since been identified as a ransomware attack, with sources confirming the involvement of threat actors linked to the Scattered Spider group. 

The attackers reportedly used DragonForce ransomware—tactics that have also been deployed in previous high-profile breaches at companies like MGM Resorts, Coinbase, and Reddit. In light of these incidents, the UK Parliament’s Business and Trade Committee has sought clarification from the CEOs of Marks & Spencer and Co-op on the level of support received from government agencies such as the NCSC and the National Crime Agency.

Jammu Municipal Corporation Targeted in Major Cyberattack, Sensitive Data Allegedly Stolen

 

In a significant breach of digital infrastructure, the Jammu Municipal Corporation (JMC) has fallen victim to a cyberattack believed to have resulted in the loss of vast amounts of sensitive data. According to high-level intelligence sources, the attackers managed to compromise the website, gaining access to critical records and databases that may include personally identifiable information such as Aadhaar numbers, property ownership documents, tax filings, infrastructure blueprints, and internal administrative communications.  

The breach, which occurred on Friday, has prompted an immediate investigation and system lockdown as cybersecurity teams race to contain the damage and begin recovery operations. Officials involved in the incident response have confirmed that website functionality has been suspended as data restoration processes are initiated. Top intelligence sources indicate that the attack bears hallmarks of Pakistan-sponsored cyber operations aimed at undermining India’s administrative framework. “These tactics are consistent with state-backed cyber warfare efforts targeting strategic and sensitive zones like Jammu and Kashmir,” said a senior intelligence official.

“The objective is often to destabilize public services and spread fear among the populace.” The JMC’s website is a key platform used to manage municipal services, property taxes, and local development projects. Its compromise has raised concerns about the broader implications for civic governance and the potential misuse of the stolen data.  

This latest breach follows a series of unsuccessful but alarming hacking attempts by groups linked to Pakistan. Just a day before the JMC attack, hacker collectives such as ‘Cyber Group HOAX1337’ and ‘National Cyber Crew’ reportedly targeted several Indian websites. Cybersecurity teams were able to detect and neutralize these threats before they could cause any major disruption. Among the recent targets were the websites of Army Public School Nagrota and Army Public School Sunjuwan. These were reportedly subjected to defacement attempts featuring inflammatory messages referencing the victims of the Pahalgam terror attack. 

In another incident, a portal catering to the healthcare needs of retired armed forces personnel was compromised and vandalized. Cybersecurity experts warn that such attacks often aim to disrupt not only public trust but also national morale. The recurring pattern of targeting vulnerable groups—such as schoolchildren and elderly veterans—further emphasizes the psychological warfare tactics employed by these groups. 

As recovery efforts continue, the Indian government is likely to review its cybersecurity protocols across public sector systems, especially in high-risk regions. Enhanced defense measures and greater inter-agency coordination are expected to follow. The investigation remains ongoing, and further updates are expected in the coming days.

Bitdefender Warns of Surge in Subscription Scams Disguised as Online Stores and Mystery Boxes

 

Cybersecurity researchers at Bitdefender have uncovered a sharp increase in deceptive online subscription scams, with fraudsters disguising themselves as legitimate e-commerce platforms and mystery box vendors. These sophisticated schemes are luring unsuspecting users into handing over sensitive credit card details under the guise of low-cost purchases. 

Unlike older, more obvious fraud attempts, this new wave of scams involves meticulously crafted fake websites that mimic real online shops. Bitdefender’s investigation revealed over 200 fraudulent sites offering goods such as footwear, apparel, and electronic gadgets. 

The catch? Victims unknowingly agree to recurring subscription charges cleverly hidden in the fine print. One tactic gaining traction is the so-called “mystery box” scam. These scams entice consumers with a small upfront fee in exchange for a surprise package, often marketed as unclaimed luggage or packages left behind at airports or post offices. 
However, the real goal is to harvest personal and payment information, often enrolling victims in recurring payment plans before the transaction is even finalized. The scams are widely advertised on social media platforms, including Facebook, through sponsored posts. 

In many cases, scammers pose as content creators or use fake influencer pages to build trust. Bitdefender researchers found more than 140 websites pushing these scams, with many traced back to a recurring address in Limassol, Cyprus—an address also linked to entities named in the Paradise Papers by the ICIJ Offshore Leaks Database. 

Some websites go further, advertising discounted “member prices” that require account top-ups, like a charge of €44 every two weeks, often concealed in promotional offers. These scams frequently promote multiple membership levels, using store credits and promises of steep discounts to mask overpriced or outdated products. 

Bitdefender warns that the evolving nature of these scams—complete with high-quality websites, paid advertising, and fake brand endorsements—makes them harder to detect. With the profitability of subscription fraud rising, scammers are scaling their operations, expanding beyond mystery boxes into bogus product sales and investment offers. 

Researchers caution users to stay vigilant while shopping online, especially when prompted to enter payment information for deals that seem too good to be true. As these tactics grow more elaborate, consumers are urged to read the fine print and verify the authenticity of online shops before completing any transactions.

Massive 1Tbps DDoS Attack Cripples Online Betting Site, Exposes Industry’s Ongoing Cybersecurity Failures

 

An online betting company has been knocked offline by a colossal 1-terabit-per-second Distributed Denial of Service (DDoS) attack, exposing glaring weaknesses in the digital defences of the gambling industry. Reported by TechRadar, the attack unleashed a massive flood of junk traffic that overwhelmed the site’s infrastructure, rendering its services inaccessible for hours. 

What makes the incident more concerning is the lack of sophistication behind it—this wasn’t a complex, stealthy operation but rather a brute-force flood that succeeded purely through scale. Despite the growing prevalence of such attacks in recent years, many companies in high-risk sectors like online gambling continue to treat cybersecurity as an afterthought. 

With their operations heavily reliant on constant uptime and revenue tied to every second online, gambling platforms remain prime targets for attackers, yet many fail to invest in fundamental protections like cloud-based DDoS mitigation, real-time monitoring, and incident response planning. 

Cybersecurity experts are baffled by this ongoing negligence, especially when previous headline-grabbing attacks—such as the 1.3Tbps assault on GitHub in 2018 or AWS’s 2.3Tbps encounter in 2020—should have prompted serious change. 
Compounding the issue is the role of Internet Service Providers (ISPs), who continue to shy away from proactive upstream filtering, allowing these massive data floods to reach their targets unchecked. The financial impact of such downtime is severe, with potential losses not only in revenue but also in user trust, legal exposure, and long-term brand damage. 

Security professionals stress that effective DDoS defence requires more than just faith in hosting providers; it demands deliberate investment in scalable protection tools like AWS Shield, Cloudflare, or Akamai, along with robust infrastructure redundancy and tested incident response strategies. 

In 2025, DDoS attacks are no longer anomalies—they’re a constant threat woven into the fabric of the internet. Ignoring them is not cost-saving; it’s gambling with disaster.

Smishing Surge Expected in 2025 Driven by Sophisticated Phishing-as-a-Service Platform

Security researchers are sounding the alarm on a looming global wave of smishing attacks, warning that a powerful phishing-as-a-service (PhaaS) platform named Lucid—run by Chinese-speaking threat actors—is enabling cybercriminals to scale operations across 88 countries. 

According to threat intelligence firm Catalyst, Lucid has evolved from local-level operations into a globally disruptive tool, with a sharp increase in activity anticipated by early 2025. The platform allows attackers to send malicious links via Apple iMessage and Android’s Rich Communication Services, bypassing traditional telecom network filters. It also features a credit card validator, helping criminals confirm stolen financial information in real time. 

Lucid’s architecture offers an automated, subscription-based model that supports customizable phishing campaigns, leveraging anti-detection strategies like IP blocking, user-agent filtering, and time-limited URLs to avoid scrutiny. Threat actors using Lucid are increasingly impersonating trusted entities—such as government agencies, postal services, and toll collection services—to deceive victims and steal sensitive data. 

The U.S. has been hit particularly hard, with smishing scams prompting alerts from the FBI, FTC, state governments, and attorneys general. What sets Lucid apart is its efficiency and scale: researchers say it can send over 100,000 phishing messages per day. Its structure includes roles ranging from administrators to guest users, with weekly licensing options and automatic suspensions for non-renewal. 

These campaigns are notably effective, with a reported success rate of 5%. By operating over the internet and using device fingerprinting and geo-targeted phishing pages, Lucid boosts its reach while staying under the radar. 

It sources phone numbers through data breaches, OSINT, and darknet markets, making it one of the most sophisticated PhaaS platforms today—alongside others like Darcula and Lighthouse. As cybercriminals continue to embrace this plug-and-play model, experts fear smishing will become an even more pervasive threat in the months ahead.

Check Point Downplays Hacker’s Claims Amid Alleged Data Breach

 

A hacker using the alias “CoreInjection” has claimed responsibility for stealing what they describe as a “highly sensitive” dataset from cybersecurity firm Check Point. 
According to several media reports, the alleged stolen data includes user login credentials, employee contracts, and internal network blueprints. Despite these claims, Check Point has downplayed the incident, describing it as an outdated and isolated event involving a single account with restricted access. 

The company emphasized that no customer systems, production environments, or core security infrastructure were affected. In an official statement, Check Point clarified that the incident had occurred months ago and was addressed at the time. 

The firm criticized the hacker’s claims as misleading, suggesting they are reusing old data to create a false narrative. Cybersecurity expert Alon Gal, CTO of Hudson Rock, expressed concerns over the situation, noting that there is a strong possibility the breach involved access to a privileged administrator account—though he acknowledged that the event has yet to be fully confirmed. 

This isn’t the first time Check Point has faced such scrutiny. In 2024, its VPN software was targeted by attackers attempting to exploit it to breach corporate networks. However, those efforts were largely unsuccessful, and the company quickly issued a straightforward fix. 

While Check Point continues to reassure stakeholders that no major security risk was posed, the incident highlights the persistent threats facing even the most established cybersecurity firms.

New Polymorphic Attack Enables Malicious Chrome Extensions to Impersonate Password Managers and Banking Apps

Researchers at SquareX Labs have uncovered a sophisticated “polymorphic” attack targeting Google Chrome extensions, allowing malicious extensions to seamlessly morph into trusted ones, such as password managers, cryptocurrency wallets, and banking apps. The attack exploits Chrome’s ‘chrome.management’ API to gain insights into the user’s installed extensions and then impersonates them to steal sensitive information. 

The attack begins when an unsuspecting user installs a seemingly legitimate extension—such as an AI-powered marketing tool—through the Chrome Web Store. Once installed, the extension gains access to the list of other installed extensions using the ‘chrome.management’ API. If this permission is not granted, attackers can use a stealthier approach, injecting malicious code into web pages to detect installed extensions based on unique resource requests. 

This information is then sent to an attacker-controlled server, which determines whether a targeted extension is present. If a high-value target, such as a password manager, is detected, the malicious extension initiates the impersonation process. SquareX demonstrated how attackers could disable a legitimate extension, like 1Password, using the ‘chrome.management’ API or by manipulating the user interface to hide it. Simultaneously, the malicious extension changes its name, icon, and behavior to mimic the real one. 
To lure victims into entering their credentials, attackers deploy deceptive tactics, such as displaying fake session expiration messages that prompt users to log back in via a phishing form.

The stolen credentials are then sent to the attackers, after which the malicious extension reverts to its original state and re-enables the genuine extension, making detection nearly impossible. 

SquareX Labs has responsibly disclosed the vulnerability to Google, warning that it remains exploitable even in the latest Chrome version. The researchers recommend that Google strengthen security measures by restricting abrupt extension modifications, such as icon or HTML changes, or at the very least, issuing user alerts when such modifications occur. They also criticize Google’s classification of the ‘chrome.management’ API as a “medium risk,” given its extensive use in widely trusted extensions, including ad blockers and password managers. 

As of now, Google has not implemented any direct countermeasures against this attack. BleepingComputer has reached out to the company for a statement and will update its report accordingly. Meanwhile, users are advised to exercise caution when installing Chrome extensions and to be wary of unusual login prompts that could be phishing attempts.

Lee Enterprises Confirms Ransomware Attack Impacting 75+ Publications

 

Lee Enterprises, a major newspaper publisher and the parent company of The Press of Atlantic City, has confirmed a ransomware attack that disrupted operations across at least 75 publications. The cybersecurity breach caused widespread outages, impacting the distribution of printed newspapers, subscription services, and internal business operations.

The attack, first disclosed to the Securities and Exchange Commission (SEC) on February 3, led to significant technology failures, affecting essential business functions. In an official update to the SEC, Lee Enterprises reported that hackers gained access to its network, encrypted key applications, and extracted files—common tactics associated with ransomware incidents.

As a result of the attack, the company's ability to deliver newspapers, process billing and collections, and manage vendor payments was severely affected. “The incident impacted the Company’s operations, including distribution of products, billing, collections, and vendor payments,” Lee Enterprises stated in its SEC filing.

With a vast portfolio of 350 weekly and specialty publications spanning 25 states, Lee Enterprises is now conducting a forensic investigation to assess the extent of the data breach. The company aims to determine whether hackers accessed personal or sensitive information belonging to subscribers, employees, or business partners.

By February 12, the company had successfully restored distribution for its core publications. However, weekly and ancillary publications are still facing disruptions, accounting for approximately five percent of the company's total operating revenue. While recovery efforts are underway, full restoration of all affected services is expected to take several weeks.

Cybersecurity experts have warned that ransomware attacks targeting media organizations can have severe consequences, including financial losses, reputational damage, and compromised data security. The increasing frequency of such incidents highlights the urgent need for media companies to strengthen their cybersecurity defenses against evolving cyber threats.

Growing Cybersecurity Threats in the Media Industry


The publishing industry has become an attractive target for cybercriminals due to its reliance on digital infrastructure for content distribution, subscription management, and advertising revenue. Recent high-profile cyberattacks on media organizations have demonstrated the vulnerability of traditional and digital publishing operations.

While Lee Enterprises has not yet disclosed whether a ransom demand was made, ransomware attacks typically involve hackers encrypting critical data and demanding payment for its release. Cybersecurity experts caution against paying ransoms, as it does not guarantee full data recovery and may encourage further attacks.

As Lee Enterprises continues its recovery process, the company is expected to implement stronger cybersecurity measures to prevent future breaches. The incident serves as a reminder for organizations across the media sector to enhance their security protocols, conduct regular system audits, and invest in advanced threat detection technologies.

Cybercriminals Intensify Attacks on Password Managers

 

Cybercriminals are increasingly setting their sights on password managers as a way to infiltrate critical digital accounts.

According to Picus Security’s Red Report 2025, which analyzed over a million malware samples from the past year, a quarter (25%) of all malware now targets credentials stored in password managers. Researchers noted that this marks a threefold surge compared to the previous year.

“For the first time ever, stealing credentials from password stores is in the top 10 techniques listed in the MITRE ATT&CK Framework,” they said. “The report reveals that these top 10 techniques accounted for 9Beyond the growing frequency of attacks, hackers are also deploying more advanced techniques. 3% of all malicious actions in 2024.”

Advanced Hacking Techniques

Dr. Suleyman Ozarslan, co-founder and VP of Picus Labs, revealed that cybercriminals use sophisticated methods like memory scraping, registry harvesting, and breaching both local and cloud-based password stores to extract credentials.

To counter this rising threat, Ozarslan emphasized the importance of using password managers alongside multi-factor authentication (MFA). He also warned against password reuse, particularly for password.

Beyond the growing frequency of attacks, hackers are also deploying more advanced techniques. Picus Security highlighted that modern cybercriminals are now favoring long-term, multi-stage attacks that leverage a new generation of malware. These advanced infostealers are designed for stealth, persistence, and automation.

Researchers compared this evolution in cyber threats to “the perfect heist,” noting that most malware samples execute over a dozen malicious actions to bypass security defenses, escalate privileges, and exfiltrate data.

A password manager is a cybersecurity tool that securely stores, generates, and auto-fills strong passwords across websites and apps. By eliminating the need to remember multiple passwords, it strengthens security and reduces the risk of breaches. Experts consider it an essential component of cybersecurity best practices.

Chinese Hackers Exploit SSH Daemon to Maintain Persistent Access in Cyber-Espionage Operations

 

A sophisticated cyber-espionage campaign attributed to the Chinese hacking group Evasive Panda, also known as DaggerFly, has been uncovered, targeting network appliances through a newly identified attack suite. According to cybersecurity researchers at Fortinet’s FortiGuard Labs, the attackers are leveraging a malicious toolkit named ELF/Sshdinjector.A!tr, injecting malware into the SSH daemon (SSHD) to establish long-term access and execute covert operations. 

Active since at least mid-November 2024, this attack method enables unauthorized control over compromised systems. While the initial entry point remains unclear, once infiltrated, a dropper module determines whether the device is already infected and assesses its privilege level. If running under root permissions, the malware deploys multiple binaries, including libssdh.so, which serves as the primary backdoor responsible for command-and-control (C2) communication and data exfiltration. 

Additional components such as “mainpasteheader” and “selfrecoverheader” are used to maintain persistence. The injected SSH library covertly monitors and executes commands received from a remote C2 server, allowing the attackers to conduct system reconnaissance, steal credentials, manipulate files, and execute arbitrary commands. 

The malware supports fifteen different functions, ranging from collecting system details and listing active processes to reading sensitive user data and gaining remote shell access. It can also upload and download files, delete specific records, rename files, and notify the attacker when the malware is active. 

Despite previous detections of similar threats, FortiGuard’s research is the first to provide a detailed analysis of how ELF/Sshdinjector.A!tr operates. The group behind this attack, Evasive Panda, has been active since 2012 and has previously conducted cyber-espionage campaigns, including supply chain attacks via ISPs in Asia and targeted intelligence collection from U.S. organizations. 

The group was also recently linked to deploying a novel macOS backdoor. Notably, Fortinet researchers leveraged AI-assisted tools to aid in the malware’s reverse engineering process. While challenges such as hallucinations, extrapolation errors, and omissions were encountered, the experiment demonstrated AI’s growing potential in cybersecurity research. 

Fortinet assures that its customers are already protected against this threat through its FortiGuard AntiVirus service, which detects the malware as ELF/Sshdinjector.A!tr and Linux/Agent.ACQ!tr. The company has also provided hashes of identified samples on VirusTotal for further investigation by the security community.

Globe Life Data Breach Affects 850,000 Customers, Investigation Reveals

Insurance provider Globe Life has revealed that a data breach from June 2024 was far more extensive than initially believed. While early reports in October 2024 suggested that around 5,000 customers were impacted, the company’s latest investigation indicates that approximately 850,000 policyholders may have had their personal data compromised. 

The breach was initially detected in a subsidiary, American Income Life Insurance Company. At the time, Globe Life reported a limited impact but acknowledged the possibility of more affected individuals. 

Further findings now confirm that an unidentified cybercriminal gained access to databases maintained by independent agency owners, exposing a wide range of sensitive customer information. Stolen data includes full names, Social Security numbers, phone numbers, email addresses, home addresses, birth dates, health records, and insurance policy details. 

In response, Globe Life took immediate action to secure its systems, restricting external access to the compromised portal. According to its SEC filing, the company was targeted by an extortion attempt but chose not to meet the ransom demands. The insurer maintains that its primary IT infrastructure and data encryption systems remained intact despite the breach. 

As a precaution, Globe Life is offering credit monitoring services to potentially affected customers. However, cybersecurity experts recommend that policyholders take extra steps to protect themselves, including signing up for identity theft protection, keeping a close watch on financial statements, and being alert to phishing attempts. Cybercriminals frequently use stolen data to create deceptive emails and messages aimed at obtaining further personal or financial information. 

Customers are advised to be cautious when receiving unexpected communications via email, text, or social media. Any unsolicited messages containing links or attachments should be avoided. Installing reliable antivirus software on personal devices can also help protect against malware that may be embedded in phishing attempts. 

Despite the scale of the breach, Globe Life has stated that it does not expect any disruptions to its business operations. However, customers should update their passwords and remain vigilant against potential fraud in the coming months.

Ransomware Attack Disrupts New York Blood Center Operations Amid Critical Shortage

 

The New York Blood Center (NYBC), a major provider of blood products and transfusion services in the U.S., suffered a ransomware attack on Sunday, leading to operational disruptions and the cancellation of some donor appointments. 

The cyberattack comes at a time when the center is already struggling with a significant drop in blood donations, further straining supply levels. 

NYBC, which collects approximately 4,000 units of blood daily and supports over 500 hospitals across multiple states, detected the security breach over the weekend of January 26. 
After noticing unusual activity within its IT systems, the organization swiftly enlisted cybersecurity experts to investigate. Their findings confirmed that ransomware was responsible for the disruption. 

In response, NYBC took immediate measures to contain the attack, including temporarily shutting down certain systems while working toward a secure restoration. Despite the ongoing challenges, the organization continues to accept blood donations but warned that some appointments may need to be rescheduled. 

The attack comes just days after NYBC issued a blood emergency following a dramatic 30% decline in donations, resulting in 6,500 fewer units collected and severely impacting regional blood supplies. At this time, it remains unclear whether the attackers accessed or stole sensitive donor information. No ransomware group has claimed responsibility yet.

As NYBC works to restore its systems, it is urging donors to continue making appointments to help address the ongoing blood shortage and ensure hospitals receive the critical supplies they need.

Critical Zero-Day Vulnerability in Zyxel Devices Sparks Widespread Exploitation


Cybersecurity researchers at GreyNoise have uncovered widespread exploitation of a critical zero-day vulnerability in Zyxel CPE Series devices, months after it was initially reported to the manufacturer. The flaw, identified as CVE-2024-40891, allows attackers to execute arbitrary commands on affected devices, potentially leading to data breaches, network infiltration, and complete system compromise. GreyNoise has disclosed the issue to raise awareness among organizations and individuals at risk, as mass exploitation attempts have already been observed.

Details of the Vulnerability and Exploitation

The vulnerability, CVE-2024-40891, was first reported to Zyxel by researchers at VulnCheck in August 2024. However, Zyxel has yet to release a public advisory or an official CVE entry for the flaw, leaving users without a patch to mitigate the risk. GreyNoise collaborated with VulnCheck to disclose the issue, following standard security policies. A GreyNoise spokesperson stated, “Due to first-hand, confirmed mass exploitation attempts for this vulnerability, we chose to disclose this to raise awareness among those who may be impacted.”

Security analysts at Censys estimate that approximately 1,500 devices are online and potentially vulnerable, though definitive confirmation of affected versions is still pending. The National Vulnerability Database (NVD) has not yet provided additional details about the issue. To assess the extent of malicious activity, GreyNoise and VulnCheck conducted a joint investigation, revealing that attackers are actively targeting the flaw.

Researchers noted that CVE-2024-40891 shares similarities with another Zyxel vulnerability, CVE-2024-40890, which also involves authentication and command injection exploits. The key difference is that CVE-2024-40891 is exploited via telnet, while CVE-2024-40890 is HTTP-based. This latest vulnerability follows a recent warning from the Cybersecurity and Infrastructure Security Agency (CISA) and German authorities about another security flaw in Zyxel firewalls, CVE-2024-11667, which was exploited to deploy Helldown ransomware in early December.

Mitigation Strategies and Recommendations

With no official patch available, Zyxel users remain vulnerable to exploitation. Security experts urge organizations to implement temporary mitigation strategies to reduce the risk of compromise. Key recommendations include:

  1. Monitor Network Traffic: Closely monitor network traffic for unusual activity, particularly on devices running Zyxel CPE Series firmware.
  2. Restrict Access: Limit access to potentially affected devices by disabling unnecessary services, such as telnet, and implementing strict access controls.
  3. Apply Workarounds: If possible, apply any available workarounds or configuration changes recommended by cybersecurity experts until an official patch is released.
  4. Stay Informed: Keep track of updates from Zyxel and cybersecurity agencies like CISA for the latest information on vulnerability and mitigation measures.

A VulnCheck spokesperson confirmed that the firm is actively working with Zyxel on the disclosure process and expects to share further insights in the coming week. In the meantime, organizations are advised to remain vigilant and take proactive steps to protect their networks.

The widespread exploitation of CVE-2024-40891 highlights the critical importance of timely vulnerability disclosure and patch management. As attackers continue to target Zyxel devices, organizations must prioritize cybersecurity measures to safeguard their systems and data. While waiting for an official patch, implementing temporary mitigation strategies and staying informed about updates can help reduce the risk of exploitation. This incident serves as a reminder of the ongoing challenges in securing network devices and the need for collaboration between manufacturers, researchers, and users to address vulnerabilities effectively.