
Chaos Ransomware Strikes Optima Tax Relief, Leaks 69GB of Sensitive Customer Data

 

In a significant cybersecurity incident impacting the financial services sector, U.S.-based tax resolution firm Optima Tax Relief has reportedly suffered a ransomware attack orchestrated by the Chaos ransomware group. The attackers have allegedly exfiltrated and leaked approximately 69GB of data, including confidential corporate records and sensitive personal tax files.

The exposed information reportedly includes Social Security numbers, home addresses, phone contacts, and banking details — all highly valuable to identity fraudsters. Given the nature of tax records, cybersecurity experts caution that the risks for affected individuals could extend for years, as this type of data cannot simply be changed like passwords.

Chaos Group Increases Aggression 

The ransomware group behind the attack, known as Chaos, has been active since March 2025 and is rapidly gaining notoriety for targeting organisations with vast stores of personally identifiable information (PII). Unlike the earlier Chaos ransomware builder seen in 2021, this iteration appears to be a more organised threat actor, employing a strategic approach in selecting its victims. This isn’t their first major claim. In May, Chaos asserted responsibility for a breach involving The Salvation Army, though that incident has yet to be independently verified. 

Silence from Optima Raises Questions 

Optima Tax Relief has yet to release a public statement or acknowledge the breach, prompting concerns among cybersecurity professionals and affected customers. It is still unclear whether the company has reported the incident to federal authorities or regulators. The lack of transparency is drawing criticism over potential lapses in consumer notification, data handling, and compliance with data protection regulations. 

Recommendations for Affected Individuals

For anyone who has previously engaged Optima's services, cybersecurity analysts recommend treating their personal information as compromised. Immediate protective steps include:

1. Enrolling in identity theft protection services that offer credit and SSN monitoring

2. Reviewing bank statements and credit card activity for suspicious transactions

3. Requesting credit freezes or fraud alerts from financial institutions

4. Using data removal tools to reduce digital exposure

5. Installing reputable antivirus software to fend off phishing or malware threats

6. Enabling two-factor authentication on all financial and sensitive accounts

A Warning for the Financial Sector 

This breach is part of a growing pattern in which ransomware groups are aggressively targeting organisations that store large volumes of sensitive consumer data — particularly in tax, legal, and healthcare sectors. Experts point out that financial firms, especially those involved in tax resolution, remain prime targets due to their often under-resourced cybersecurity infrastructure.

As investigations continue, pressure is mounting on Optima Tax Relief to disclose the extent of the damage and take accountability for customer safety moving forward.

Russian APT28 Targets Ukraine Using Signal to Deliver New Malware Families

 

The Russian state-sponsored threat group APT28, also known as UAC-0001, has been linked to a fresh wave of cyberattacks against Ukrainian government targets, using Signal messenger chats to distribute two previously undocumented malware strains—BeardShell and SlimAgent. 

While the Signal platform itself remains uncompromised, its rising adoption among government personnel has made it a popular delivery vector for phishing attacks. Ukraine’s Computer Emergency Response Team (CERT-UA) initially discovered these attacks in March 2024, though critical infection vector details only surfaced after ESET notified the agency in May 2025 of unauthorised access to a “gov.ua” email account. 

Investigations revealed that APT28 used Signal to send a macro-laced Microsoft Word document titled "Акт.doc." Once opened, it initiates a macro that drops two payloads—a malicious DLL file (“ctec.dll”) and a disguised PNG file (“windows.png”)—while modifying the Windows Registry to enable persistence via COM-hijacking. 

These payloads execute a memory-resident malware framework named Covenant, which subsequently deploys BeardShell. BeardShell, written in C++, is capable of downloading and executing encrypted PowerShell scripts, with execution results exfiltrated via the Icedrive API. The malware maintains stealth by encrypting communications using the ChaCha20-Poly1305 algorithm. 

Alongside BeardShell, CERT-UA identified another tool dubbed SlimAgent. This lightweight screenshot grabber captures images using multiple Windows API calls, then encrypts them with a combination of AES and RSA before local storage. These are presumed to be extracted later by an auxiliary tool. 

APT28’s involvement was further corroborated through their exploitation of vulnerabilities in Roundcube and other webmail software, using phishing emails mimicking Ukrainian news publications to exploit flaws like CVE-2020-35730, CVE-2021-44026, and CVE-2020-12641. These emails injected malicious JavaScript files—q.js, e.js, and c.js—to hijack inboxes, redirect emails, and extract credentials from over 40 Ukrainian entities. CERT-UA recommends organisations monitor traffic linked to suspicious domains such as “app.koofr.net” and “api.icedrive.net” to detect any signs of compromise.

Cybercriminals Leverage LLMs to Generate 10,000 Malicious Code Variants

Cybersecurity researchers are raising alarms over the misuse of large language models (LLMs) by cybercriminals to create new variants of malicious JavaScript at scale. A report from Palo Alto Networks Unit 42 highlights how LLMs, while not adept at generating malware from scratch, can effectively rewrite or obfuscate existing malicious code.

This capability has enabled the creation of up to 10,000 novel JavaScript variants, significantly complicating detection efforts.

Malware Detection Challenges

The natural-looking transformations produced by LLMs allow malicious scripts to evade detection by traditional analyzers. Researchers found that these restructured scripts often change classification results from malicious to benign.

In one case, 88% of the modified scripts successfully bypassed malware classifiers.

Despite increased efforts by LLM providers to impose stricter guardrails, underground tools like WormGPT continue to facilitate malicious activities, such as phishing email creation and malware scripting.

OpenAI reported in October 2024 that it had blocked over 20 attempts to misuse its platform for reconnaissance, scripting, and debugging purposes.

Unit 42 emphasized that while LLMs pose significant risks, they also present opportunities to strengthen defenses. Techniques used to generate malicious JavaScript variants could be repurposed to create robust datasets for improving malware detection systems.

AI Hardware and Framework Vulnerabilities

In a separate discovery, researchers from North Carolina State University revealed a side-channel attack known as TPUXtract, which can steal AI model hyperparameters from Google Edge Tensor Processing Units (TPUs) with 99.91% accuracy.

The attack exploits electromagnetic signals emitted during neural network inferences to extract critical model details. Although it requires physical access and specialized equipment, TPUXtract highlights vulnerabilities in AI hardware that determined adversaries could exploit.

Study author Aydin Aysu explained that by extracting architecture and layer configurations, the researchers were able to recreate a close surrogate of the target AI model, potentially enabling intellectual property theft or further cyberattacks.

Exploiting AI Frameworks

Morphisec researchers disclosed another AI-targeted threat involving the Exploit Prediction Scoring System (EPSS), a framework used to evaluate the likelihood of software vulnerabilities being exploited.

By artificially boosting social media mentions and creating GitHub repositories with placeholder exploits, attackers manipulated EPSS outputs.

This resulted in the exploitation likelihood for certain vulnerabilities increasing from 0.1 to 0.14 and shifting their percentile ranking from the 41st to the 51st percentile.

Ido Ikar from Morphisec warned that such manipulation misguides organizations relying on EPSS for vulnerability management, enabling adversaries to distort vulnerability assessments and mislead defenders.

The Double-Edged Sword of Generative AI

While generative AI offers significant potential for bolstering cybersecurity defenses, its misuse by cybercriminals presents a formidable threat.

Organizations must:

  • Invest in advanced AI-driven detection systems capable of identifying obfuscated threats;
  • Implement robust physical security measures to protect AI hardware from side-channel attacks;
  • Continuously monitor and validate AI framework outputs to mitigate manipulation risks.

As adversaries innovate, businesses and researchers must push their operations to stay ahead, leveraging the same AI advancements to fortify their defenses.