Smart Meters: A Growing Target in Data Security


Smart electricity meters, once simple devices for recording household consumption, are now central to modern energy systems. They track usage patterns, support grid balancing, and enable predictive maintenance. But as their role has expanded, so has the volume of sensitive data they collect and store, making these devices an overlooked but critical point of vulnerability in the cybersecurity infrastructure.


Why stored data matters

Cybersecurity discussions usually focus on network protections, but the data inside the meters deserves equal attention. Information such as billing records, diagnostic logs, and configuration files can be misused if tampered with or exposed. Since smart meters often stay in use for decades, even a small compromise can quietly escalate into large-scale billing disputes, compliance failures, or inaccurate demand forecasts.


The cost of weak protection

Safeguarding these devices is not just a technical matter; it directly affects finances and reputation. A successful cyberattack can drain companies of thousands of dollars per minute, while also damaging customer trust and inviting regulatory penalties. At the same time, manufacturers face rising costs for secure hardware, software optimization, and the dedicated teams required to manage threats over a device’s lifetime.


New rules setting higher standards

In Europe, the upcoming Cyber Resilience Act (CRA) will set stricter requirements for digital products, including smart meters. By 2027, companies selling in the EU must ensure devices launch without known vulnerabilities, arrive with secure default settings, and receive patches throughout their lifespan. Manufacturers will also be obligated to provide transparent documentation, covering everything from software components to lifecycle support.


Building resilience into design

Experts stress that resilience must be engineered from the start. Three pillars define effective smart meter security:

1. Confidentiality: encrypting stored data and managing keys securely.

2. Integrity: ensuring information is not altered or lost during failures.

3. Authenticity: verifying updates and communications through trusted digital signatures.

Together, these measures protect the accuracy and reliability of the data on which modern energy systems depend.


Organisational readiness

Beyond technology, companies must foster a culture of security. That means maintaining software inventories (SBOMs), conducting supply chain risk assessments, preparing incident response plans, and training staff in best practices. Limiting data retention and enforcing role-based access controls reduce exposure further.

The rise of quantum computing could eventually render today’s encryption obsolete. Manufacturers are therefore urged to build cryptographic agility into devices, allowing them to adapt to stronger algorithms as standards evolve.



Great Firewall of China Compromised in Historic 600GB Data Exposure


 

On September 11, 2025, it was reported that nearly 600 gigabytes of classified material linked to the Great Firewall of China had appeared online, a breach of China's closely guarded internet censorship machinery on a scale never seen before. The leaked cache of internal GFW documents, which experts describe as the largest exposure of its kind in history, offers a rare close look at Beijing's highly automated digital surveillance system.

The data was gathered from Geedge Networks, a company founded and led by Fang Binxing, one of the most renowned scientists in the world, and from the MESA Lab at the Institute of Information Engineering of the Chinese Academy of Sciences; it comprises source code, internal communications, development logs, and archives of project management tools accumulated over many years.

According to researchers who examined the documents, the revelation not only confirms the sweeping domestic control exercised in the name of Chinese national security, but also shows how censorship and surveillance technology, packaged as deployable hardware and software systems, has been exported overseas. The documents tie Geedge's services not only to sensitive domestic regions such as Xinjiang, Jiangsu, and Fujian, but also to governments in Myanmar, Pakistan, Ethiopia, and Kazakhstan, with further signs that the company's services may be deployed under the Belt and Road Initiative.

One detail of the breach, a 500GB archive of server repositories, detailed manuals, and operational files, indicates not just the compromise of a state secret but also a glimpse into how China's model of digital authoritarianism has been refined and marketed for international use.

Two pivotal institutions at the heart of China's online censorship regime are referred to in the cache of leaked files: Geedge Networks and the MESA Lab of the Institute of Information Engineering under the Chinese Academy of Sciences. Led by its chief scientist, Fang Binxing, widely known as the “Father of the Great Firewall”, Geedge has for decades been seen as the technical brain behind the operation of the firewall system.

There has been a forensic investigation into the incident, and it appears the attackers have exploited an incorrectly configured private code repository to gain access to backup snapshots, archived communications, and development environments. A single mirror archive of RPM packaging servers was estimated to have accounted for 500 GB of the material that was exposed, along with years' worth of documentation, JIRA project management data, and technical manuals. 

In all, the breach exposed nearly 600 gigabytes of data. In the files, researchers found evidence that Geedge was not only active in provinces such as Xinjiang, Jiangsu, and Fujian, which represent some of the worst cases of domestic censorship, but was also supplying censorship as a service to other countries under the Belt and Road Initiative.

The contract and proposal details the provision of keyword blacklists, real-time traffic monitoring, cloud-based filtering appliances, and other services to the governments of Myanmar, Pakistan, Ethiopia, and Kazakhstan, with diplomatic communications suggesting additional undisclosed customers. 

In the leak, a parallel role also comes to light for MESA Lab, which was established in 2012 as the Processing Architecture Team for "Massive Effective Stream Analysis" and eventually became an international research centre worth millions of yuan. 

The lab's internal source code and development records expose sophisticated algorithms for packet inspection, dynamic rule enforcement, and evasion detection, including simulated testing against encrypted tunnels and circumvention tools.

The documents, which have been carefully reviewed by organisations such as GFW Report and Net4People on isolated systems, are seen as a groundbreaking intelligence breakthrough by analysts. They provide an unparalleled understanding of the mechanism of state-sponsored internet controls while raising important questions regarding the export of authoritarian surveillance techniques to the global marketplace. 

The leaked cache contains nearly 600 gigabytes across tens of thousands of files and repositories, which together provide a rare and intricate insight into the machinery of China's censorship system and the comprehensive policies governing its internet. At its core lies a massive 500GB mirror archive of RPM packaging servers. This shows that, in addition to being a political construct, the Great Firewall is a highly engineered software ecosystem maintained to the same standard as a large, corporate-scale IT operation. Additional archives such as geedge_docs.tar.zst and mesalab_docs.tar.zst contain countless internal reports and research proposals.

A number of the files referencing projects such as “CTF-AWD,” “BRI,” and “CPEC” suggest connections and international collaborations that are based on the Belt and Road Initiative, while project management data and communication drafts show the coordination of researchers and engineers on a daily basis. 

Even though many documents appear mundane, such as reimbursement receipts and documents labelled simply “Print”, they show that censorship is an institutionalised part of bureaucratic processes and procedures. What distinguishes this leak from other breaches is, above all, its breadth and granularity. Instead of a few emails or whistleblower memos, the collection comprises raw operational information that reveals years of investment, research, and development.

Several independent researchers, including Net4People, Hackread.com, and others, have noted that the file tree itself says a great deal about the Firewall's evolution into a distributed, export-ready system. The background materials also trace how the MESA Lab grew from a small research lab founded at the Chinese Academy of Sciences in 2012 into a multi-million dollar operation that contributed to national cybersecurity awards in 2016.

Founded under the guidance of Fang Binxing, who is credited with designing the Great Firewall, Geedge Networks quickly absorbed talent from the MESA Lab and has emerged as one of the few private firms capable of supporting state censorship both domestically and internationally.

While a full analysis of the source code may take months, the immediate revelations already confirm what many observers have long suspected: China's internet control infrastructure is neither static nor insular. It is a living system shaped by government contracts, academic research, and private enterprise, and increasingly packaged for export to other countries.

The hacktivist group behind the disclosure has warned that the files should only be examined in an isolated environment, because they might contain embedded malware and tracking elements. Despite these dangers, researchers and rights advocates argue that the trove offers the chance to gain a comprehensive understanding of the Great Firewall, both in terms of how it works and how its influence is being systematically extended outside the country.

This unprecedented exposé of the Great Firewall's inner workings is far more than a breach: it marks an important turning point in the global debate around digital rights, sovereignty, and the export of surveillance technology. For governments, these files provide an unfiltered look at how authoritarian states have operationalised censorship, transforming it into a scaled, almost commodified system that can be deployed well outside their own borders.

For researchers and civil society groups, this material is an invaluable resource for unravelling censorship mechanisms, developing countermeasures, and creating stronger tools to circumvent censorship.

In light of these revelations, policymakers around the world need to examine how Chinese surveillance infrastructure spreads through initiatives like the Belt and Road Initiative, weigh the geopolitical implications of supporting regimes that restrict freedom of expression, and take appropriate measures. Since the data may carry security risks, it must be handled carefully.

Nevertheless, its availability presents an excellent opportunity to improve transparency, accountability, and resilience against digital authoritarianism. Used responsibly, this leak could not only reshape how people perceive China's censorship model but also help spark international efforts to safeguard the open internet.

Nx "s1ngularity" Supply Chain Attack Exposes Thousands of Secrets

 

The recent Nx "s1ngularity" NPM supply chain attack has led to a massive security fallout, exposing thousands of account tokens and repository secrets, according to Wiz researchers.

A post-incident analysis revealed that the breach compromised 2,180 accounts and 7,200 repositories in three distinct attack phases. Wiz emphasized that the impact is still unfolding, as many of the leaked secrets remain valid.

Nx, a widely used open-source build system and monorepo management tool in enterprise-scale JavaScript/TypeScript projects, has over 5.5 million weekly downloads on the NPM registry.

How the Attack Happened

On August 26, 2025, threat actors exploited a flawed GitHub Actions workflow in the Nx repository. This enabled them to publish a malicious version of Nx on NPM containing a post-install malware script called telemetry.js.

The telemetry.js malware targeted Linux and macOS systems, attempting to steal sensitive data such as GitHub tokens, npm tokens, SSH keys, .env files, and even crypto wallets. The stolen data was then uploaded to public repositories under the name "s1ngularity-repository."

What made this breach particularly unique was the attacker’s use of AI command-line tools like Claude, Q, and Gemini. These tools were leveraged with changing LLM prompts to hunt for and extract secrets.

"The evolution of the prompt shows the attacker exploring prompt tuning rapidly throughout the attack. We can see the introduction of role-prompting, as well as varying levels of specificity on techniques," explained Wiz.

"These changes had a concrete impact on the success of the malware. The introduction of the phrase ‘penetration testing’, for example, was concretely reflected in LLM refusals to engage in such activity."

Three Phases of the Attack

Phase 1 (Aug 26–27): Backdoored Nx packages impacted around 1,700 users, leaking more than 2,000 unique secrets and exposing 20,000 files from infected systems. GitHub removed attacker-created repositories within eight hours, but the stolen data had already been duplicated.

Phase 2 (Aug 28–29): Using stolen GitHub tokens, attackers flipped private repositories to public, renaming them with the “s1ngularity” tag. This compromised 480 more accounts (mostly organizations) and exposed 6,700 private repositories.

Phase 3 (from Aug 31): The attackers focused on a single organization, using two compromised accounts to publish another 500 private repositories.

Root Cause & Response

The Nx team later confirmed that the breach stemmed from a pull request title injection combined with insecure use of pull_request_target. This flaw allowed attackers to execute arbitrary code with elevated permissions, triggering Nx’s publish pipeline and stealing the npm publishing token.

In response, Nx revoked compromised tokens, adopted two-factor authentication, and migrated to NPM’s Trusted Publisher model, which eliminates token-based publishing. Additionally, manual approvals are now required for pull request-triggered workflows.

Czechia Warns of Chinese Data Transfers and Espionage Risks to Critical Infrastructure

 

Czechia’s National Cyber and Information Security Agency (NÚKIB) has issued a stark warning about rising cyber espionage campaigns linked to China and Russia, urging both government institutions and private companies to strengthen their security measures. The agency classified the threat as highly likely, citing particular concerns over data transfers to China and remote administration of assets from Chinese territories, including Hong Kong and Macau. According to the watchdog, these operations are part of long-term efforts by foreign states to compromise critical infrastructure, steal sensitive data, and undermine public trust. 

The agency’s concerns are rooted in China’s legal and regulatory framework, which it argues makes private data inherently insecure. Laws such as the National Intelligence Law of 2017 require all citizens and organizations to assist intelligence services, while the 2015 National Security Law and the 2013 Company Law provide broad avenues for state interference in corporate operations. Additionally, regulations introduced in 2021 obligate technology firms to report software vulnerabilities to government authorities within two days while prohibiting disclosure to foreign organizations. NÚKIB noted that these measures give Chinese state actors sweeping access to sensitive information, making foreign businesses and governments vulnerable if their data passes through Chinese systems. 

Hong Kong and Macau also fall under scrutiny in the agency’s assessment. In Hong Kong, the 2024 Safeguarding National Security Ordinance integrates Chinese security laws into its own legal system, broadening the definition of state secrets. Macau’s 2019 Cybersecurity Law grants authorities powers to monitor data transmissions from critical infrastructure in real time, with little oversight to prevent misuse. NÚKIB argues that these developments extend the Chinese government’s reach well beyond its mainland jurisdiction. 

The Czech warning gains credibility from recent attribution efforts. Earlier this year, Prague linked cyberattacks on its Ministry of Foreign Affairs to APT31, a group tied to China’s Ministry of State Security, in a campaign active since 2022. The government condemned the attacks as deliberate attempts to disrupt its institutions and confirmed a high degree of certainty about Chinese involvement, based on cooperation among domestic and international intelligence agencies. 

These warnings align with broader global moves to limit reliance on Chinese technologies. Countries such as Germany, Italy, and the Netherlands have already imposed restrictions, while the Five Eyes alliance has issued similar advisories. For Czechia, the implications are serious: NÚKIB highlighted risks across devices and systems such as smartphones, cloud services, photovoltaic inverters, and health technology, stressing that disruptions could have wide-reaching consequences. The agency’s message reflects an ongoing effort to secure its digital ecosystem against foreign influence, particularly as geopolitical tensions deepen in Europe.

SVG Phishing Campaign Bypasses Antivirus, Targets Colombian Judiciary

 

VirusTotal has uncovered a sophisticated phishing campaign that leverages SVG (Scalable Vector Graphics) files to bypass traditional antivirus detection while impersonating Colombia's judicial system. The campaign was discovered after VirusTotal added SVG support to its AI Code Insight platform, which uses machine learning to analyze suspicious behavior in uploaded files. 

Campaign discovery and scale 

The malicious SVG files initially showed zero detections by conventional antivirus scans but were flagged by VirusTotal's AI-powered Code Insight feature for suspicious JavaScript execution and HTML rendering capabilities. Following the initial discovery, VirusTotal identified 523 previously uploaded SVG files that were part of the same campaign, all of which had evaded detection by traditional security software. 

Modus operandi 

The SVG files exploit an SVG element that lets them display HTML content and execute JavaScript when loaded. These files create convincing fake portals impersonating Colombia's Fiscalía General de la Nación (Office of the Attorney General), complete with case numbers, security tokens, and official government branding to build victim trust.

When users interact with these fake portals, they see a phony download progress bar that simulates an official government document download process. While victims believe they are downloading legitimate legal documents, the malware simultaneously triggers the download of a password-protected ZIP archive in the background.

Malware payload

Analysis of the extracted ZIP files reveals a multi-component attack containing four files: a legitimate Comodo Dragon web browser executable renamed to appear as an official judicial document, a malicious DLL, and two encrypted files. When the user opens the executable, the malicious DLL is sideloaded to install additional malware on the system. 

Evasion techniques

The campaign demonstrates sophisticated evasion tactics including obfuscation, polymorphism, and substantial amounts of dummy code designed to increase file entropy and avoid static detection methods. The attackers evolved their payloads over time, with earlier samples being larger (around 25 MB) and later versions becoming more streamlined. 

Detection challenges

SVG files present unique security challenges because they can contain executable JavaScript while appearing as harmless image files to users and many security tools. Traditional antivirus solutions struggle to analyze the XML-based SVG format effectively, making AI-powered behavioral analysis crucial for detection. 

The campaign highlights the growing trend of threat actors exploiting SVG files for phishing attacks, as these files can embed malicious scripts that execute automatically while maintaining the appearance of legitimate graphics. VirusTotal's AI Code Insight platform proved essential in exposing this campaign, demonstrating how machine learning can identify threats that traditional signature-based detection methods miss.

Panama and Vietnam Governments Suffer Cyber Attacks, Data Leaked


Hackers stole government data from organizations in Panama and Vietnam in multiple cyber attacks that surfaced recently.

About the incident

According to Vietnam’s state news outlet, the Cyber Emergency Response Team (VNCERT) confirmed reports of a breach targeting the National Credit Information Center (CIC) that manages credit information for businesses and people, an organization run by the State Bank of Vietnam. 

Personal data leaked

Earlier reports suggested that personal information was exposed due to the attack. VNCERT is now investigating and working with various agencies and Viettel, a state-owned telecom. It said, “Initial verification results show signs of cybercrime attacks and intrusions to steal personal data. The amount of illegally acquired data is still being counted and clarified.”

VNCERT has requested citizens to avoid downloading and sharing stolen data and also threatened legal charges against people who do so.

Who was behind the attack?

The statement has come after threat actors linked to the Shiny Hunters Group and Scattered Spider cybercriminal organization took responsibility for hacking the CIC and stealing around 160 million records. 

Threat actors put the stolen data up for sale on cybercriminal platforms, giving a sneak peek of a sample that included personal information. DataBreaches.net interviewed the hackers, who said they abused a bug in end-of-life software and did not offer a ransom for the stolen information.

CIC told banks that the Shiny Hunters gang was behind the incident, Bloomberg News reported.

The attackers have gained the attention of law enforcement agencies globally for various high-profile attacks in 2025, including campaigns against big enterprises in the insurance, retail, and airline sectors.

The Finance Ministry of Panama also hit

The Ministry of Economy and Finance in Panama was also hit by a cyber attack, government officials confirmed. “The Ministry of Economy and Finance (MEF) informs the public that today it detected an incident involving malicious software at one of the offices of the Ministry,” they said in a statement.

The INC ransomware group claimed responsibility for the incident, saying it stole 1.5 terabytes of data, including emails and budgets, from the ministry.

Ransomware Groups Still Exploiting SonicWall Firewall Vulnerability Despite Patch

 

More than a year after SonicWall released a patch for CVE-2024-40766, a critical vulnerability affecting its next-generation firewalls, attackers linked to the Akira ransomware-as-a-service operation continue to exploit the flaw to breach organizations.

Similar to incidents in September 2024 and earlier this year, affiliates of the Akira group are behind the latest wave of attacks. The spike observed in July 2025 was partly due to organizations upgrading from Gen 6 to Gen 7 SonicWall firewalls without resetting local user passwords as recommended by SonicWall.

Attackers have also expanded their techniques. According to Rapid7’s Incident Response team, there has been “an uptick in intrusions involving SonicWall appliances” since early August 2025. Their findings indicate that the Akira group may be chaining together three different security weaknesses to gain access and deploy ransomware.

1. CVE-2024-40766, which remains unpatched in some environments.

2. A misconfiguration in the SSLVPN Default Users Group setting. SonicWall explains:

   “This setting automatically adds every successfully authenticated LDAP user to a predefined local group, regardless of their actual membership in Active Directory. If that default group has access to sensitive services – such as SSL VPN, administrative interfaces, or unrestricted network zones – then any compromised AD account, even one with no legitimate need for those services, will instantly inherit those permissions.”

   “This effectively bypasses intended AD group-based access controls, giving attackers a direct path into the network perimeter as soon as they obtain valid credentials.”

3. Abuse of the Virtual Office Portal feature in SonicWall appliances, which attackers are using to configure MFA/TOTP on already compromised accounts.

The Australian Cyber Security Centre (ACSC) has also issued warnings about increased Akira activity targeting Australian entities via CVE-2024-40766.

According to Rapid7, the attackers’ method remains consistent: they gain entry through the SSLVPN component, escalate privileges to elevated or service accounts, exfiltrate sensitive data from file servers and network shares, disable or delete backups, and finally execute ransomware at the hypervisor layer.

Recommended Mitigations

Organizations relying on SonicWall firewalls are advised to:

  • Rotate passwords on all SonicWall local accounts and delete unused ones.
  • Enforce MFA/TOTP for SSLVPN services.
  • Set the Default LDAP User Group to “None.”
  • Restrict Virtual Office Portal access to trusted local networks and closely monitor usage.
  • Ensure all appliances run the latest firmware updates.

SonicWall recently highlighted that SonicOS 7.3.0 introduces additional protections against brute-force attacks and enhanced MFA controls, providing stronger defense against ransomware intrusions.

Why Cybersecurity is Critical for Protecting Spatial Data



In a world where almost every service depends on digital connections, one type of information underpins much of our daily lives: spatial data. This data links activities to a place and time, revealing not just “where” something happens, but also “when,” “how,” and sometimes even “why.” Its importance spans a wide range of fields, including transportation, agriculture, climate science, disaster management, urban planning, and national security.


The power of spatial data

Spatial data is collected constantly by satellites, GPS receivers, drones, advanced sensors, and connected devices. Combined with 5G networks, cloud platforms, and artificial intelligence, this information is transformed from raw coordinates into actionable insights. It enables predictive models, smart city planning, and digital twins, virtual copies of physical systems that simulate real-world conditions. In short, spatial data is no longer static; it drives decisions in real time.


The security challenges

Its value, however, makes it a prime target for cyber threats. Three major risks stand out:

Loss of confidentiality: Unauthorized access to location data can expose sensitive details, from an individual’s daily routine to the supply routes of critical industries. This creates openings for stalking, fraud, corporate espionage, and even threats to national security.

Manipulation of data: One of the most dangerous scenarios is GPS spoofing, where attackers send fake signals to alter a device’s calculated position. If navigation systems on ships, aircraft, or autonomous vehicles are misled, the consequences can be catastrophic.

Denial of access: When spatial services are disrupted through signal jamming or cyberattacks, emergency responders, airlines, and logistics companies may be forced to halt operations. In some cases, entire networks have been shut down for days to contain breaches.

Securing spatial data requires a mix of governance, technical safeguards, and intelligence-led defences. Organizations must classify datasets by their sensitivity, since the location of a retail outlet carries far less risk than the coordinates of critical infrastructure. Training specialists to handle spatial data responsibly is equally important.

On the technical front, strong encryption, strict access controls, and continuous monitoring are basic necessities. Integrity checks and tamper detection can ensure that location records remain accurate, while well-tested recovery plans help reduce downtime in case of an incident.

Finally, intelligence-driven security shifts the focus from reacting to threats to anticipating them. By analysing attacker behaviour and emerging vulnerabilities, organizations can strengthen weak points in advance. Privacy-preserving techniques such as masking or differential privacy allow data to be used without exposing individuals. At the same time, technologies like blockchain add tamper resistance, and AI tools help detect anomalies at scale.

Spatial data has the power to make societies more efficient, resilient, and sustainable. But without strong cybersecurity, its benefits can quickly turn into risks. Recognizing its vulnerabilities and implementing layered protections is no longer optional; it is the only way to ensure that this valuable resource continues to serve people safely.



Fake eSIM Activation Fraud in India Raises Cybersecurity Concerns

 

The Indian Cybercrime Coordination Centre (I4C), operating under the Ministry of Home Affairs, has issued a warning about a new and highly sophisticated digital scam that leverages fake eSIM activation to commit financial fraud. Unlike traditional methods of cybercrime that require OTPs or ATM PINs, this scheme enables criminals to bypass such checks entirely, making it one of the most dangerous fraud tactics currently emerging.  

Authorities revealed that the scam typically begins with fraudsters making calls to potential victims, convincing them to click on a deceptive eSIM activation link. Once the user follows through, the individual’s physical SIM card is disabled and the number is seamlessly transferred to an eSIM-enabled device controlled by the attacker. This maneuver effectively gives the fraudster complete control over the victim’s mobile number, allowing them to intercept bank OTPs and authorize financial transactions without the user’s knowledge. In one case under investigation, close to ₹4 lakh was illegally withdrawn from an account using this method. 

The fraud takes advantage of the rising adoption of eSIM technology, which has been promoted as a convenient alternative to physical SIM cards since it allows remote provisioning. However, the same convenience has created a new opportunity for exploitation by cybercriminals. By seizing control of a victim’s number, scammers gain access to digital banking and payment systems with alarming ease. 

The alert follows closely after the Department of Telecommunications’ Financial Fraud Risk Indicator system flagged and blacklisted between 300,000 and 400,000 SIM cards suspected of being tied to financial scams. This system, supported by AI-driven tools, identifies around 2,000 high-risk numbers every day, with many linked to fraudulent activities such as fake investment opportunities and bogus job offers. 

Authorities have urged citizens to remain cautious when receiving unexpected calls or links related to eSIM activation. They emphasized that if a mobile device suddenly loses connectivity without explanation, users should treat it as a red flag. Immediate reporting to the telecom operator and the bank could prevent financial losses by cutting off the criminal’s access to transactions.  

Since its launch in January 2020, the I4C portal has functioned as a central platform for reporting and monitoring cybercrimes across the country. As digital transactions continue to grow and smartphones dominate personal and professional life, India has witnessed a sharp increase in online fraud cases. The latest warning from I4C highlights the need for vigilance as technology evolves, reminding users that convenience must always be balanced with awareness of potential risks.

VoidProxy Phishing Platform Emerges as Threat Capable of Bypassing MFA


 

Security researchers are warning that a sophisticated phishing-as-a-service (PhaaS) platform known as VoidProxy is being used by criminal groups to evade widely deployed security controls, demonstrating how far this class of tooling has advanced.

VoidProxy is a specialised tool built and marketed for cybercriminals targeting high-value accounts, designed to neutralise the defences of multi-factor authentication (MFA). Researchers at Okta, the identity and access management company, who documented the platform, say it is unlike any other phishing kit they have seen.

It combines advanced infrastructure and evasion techniques with commoditised accessibility, making it effective and dangerous even in the hands of relatively low-skilled attackers. Most alarming is its reliance on adversary-in-the-middle (AiTM) phishing, a method that intercepts authentication flows in real time.

Using this method, cybercriminals capture not only credentials but also the multi-factor authentication codes and session tokens generated during a legitimate sign-in. By relaying these, VoidProxy defeats the protection offered by SMS codes and one-time passwords from authenticator apps, which organisations and individuals commonly rely on as a last line of defence.

VoidProxy's infrastructure combines sophistication with cost-effectiveness. Its operators host phishing sites on low-cost top-level domains such as .icu, .sbs, .cfd, .xyz, .top, and .home, keeping the operation cheap to run. The phishing content is delivered through Cloudflare's reverse proxy services, which further obscures the sites' actual hosting infrastructure.

This layered concealment means researchers and defenders cannot readily determine the true IP address of the backend. Combined with highly deceptive email campaigns, it makes VoidProxy one of the most troubling arrivals in the phishing service industry. Although the operation had not been reported until now, it shows a level of maturity rarely found in other phishing kits.

Okta researchers found that VoidProxy can scale attacks against large groups of victims, with a focus on enterprise users, who represent a valuable entry point for fraud and data theft. The service inserts itself between the victim and the authenticating service in order to intercept authentication traffic. Once credentials and MFA data are captured, attackers can gain persistent access to a victim's account, bypassing the protections that would otherwise keep them out.

The discovery was made only after Okta's FastPass technology, a passwordless authentication service, identified and blocked a suspicious sign-in attempt routed through VoidProxy's proxy network. From that single detection, researchers unravelled a much larger ecosystem of campaigns, revealing the administrative panels and dashboards through which cybercriminals rented access to the service.

Brett Winterford, senior vice president of threat intelligence at Okta, recently described VoidProxy as “an example of phishing infrastructure that has been observed in recent years.” He highlighted both its ability to bypass multi-factor authentication and its elaborate anti-analysis mechanisms.

Unlike traditional phishing kits, which can often be dismantled by tracking their servers and blocking malicious domains, VoidProxy layers several forms of obfuscation: phishing lures sent through compromised email accounts, multiple redirect chains that complicate analysis, Cloudflare CAPTCHAs, Cloudflare Workers that inspect and filter incoming traffic, and dynamic DNS that keeps the infrastructure fast-moving.

These techniques kept the operation hidden until Okta discovered it, but the kit's sophistication extends beyond its technical defences. Attackers distribute VoidProxy campaigns in several ways. The first is phishing emails sent from compromised accounts on legitimate marketing and communication platforms such as Constant Contact, ActiveCampaign, and Notify Visitors.

Because these lures inherit the reputation of established service providers, they have a higher probability of escaping spam filters and reaching targeted users' inboxes. Once a user clicks through and submits credentials, VoidProxy's response depends on how the victim's account is configured to authenticate.

Users who authenticate through single sign-on (SSO) are forwarded to additional phishing pages designed to harvest further information, while non-federated users are proxied directly to legitimate Microsoft and Google servers. In the final stage, affiliates use the AiTM proxy, hosted on ephemeral infrastructure backed by dynamic DNS, to harvest session cookies.

By hijacking authenticated sessions through those cookies, attackers get the same level of access as legitimate users without having to submit credentials again. The attacker inherits trusted access and can operate undetected until security teams notice unusual behaviour.

VoidProxy also offers an administrative panel that lets paying affiliates monitor the progress of their campaigns and review victim data. Because advanced phishing campaigns become this easy to run, a broader set of actors, from organised cybercrime groups to far less sophisticated attackers, can engage in them.

Although VoidProxy is a new and dangerous entrant to the phishing landscape, researchers stress that defences against it do exist. Phishing-resistant authenticators, such as hardware security keys, passkeys, and smart cards, have proven able to stop attackers from hijacking credentials or signing in through proxy infrastructure.

Okta's research shows that users equipped with these authenticators are far less likely to be compromised via VoidProxy, yet most organisations still rely on weaker forms of multi-factor authentication, such as SMS codes, which leaves them open to interception.
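The reason passkeys and security keys survive an AiTM proxy while SMS or TOTP codes do not is that the WebAuthn assertion is bound to the origin the browser actually visited and to the relying party ID derived from it. The following is an added example, not Okta's code or anything from the VoidProxy research, showing the relying-party-side checks that reject an assertion relayed through a look-alike domain. The origin, RP ID and look-alike domain are constructed placeholders; signature verification over `authenticatorData || SHA-256(clientDataJSON)` is assumed to follow these checks and is not implemented here.

```python
"""Relying-party checks that make WebAuthn assertions phishing-resistant.

Added example; origins, RP ID and sample assertions are constructed."""
import base64
import hashlib
import json

# Hypothetical relying party (placeholder values, not a real deployment).
EXPECTED_ORIGIN = "https://login.example-corp.test"
EXPECTED_RP_ID = "login.example-corp.test"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: str) -> str:
    """What a browser places in clientDataJSON for a get() ceremony.
    The browser fills 'origin' from the page the user is really on, so a
    proxy domain cannot present the genuine site's origin."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def make_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """Minimal authenticatorData: rpIdHash (32) | flags (1) | signCount (4).
    rpIdHash is SHA-256 of the RP ID the browser derived from the origin."""
    flags = 0x05  # user present (UP) + user verified (UV)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: str,
                     expected_origin: str = EXPECTED_ORIGIN,
                     expected_rp_id: str = EXPECTED_RP_ID) -> tuple[bool, str]:
    """Checks an RP performs before the signature check. Any failure here
    means the assertion was not produced for this site and this session."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "clientDataJSON not decodable"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != expected_origin:
        # This is the check an AiTM proxy cannot satisfy: the browser wrote
        # the proxy's origin, not ours, and the signature covers it.
        return False, f"origin mismatch: {client_data.get('origin')}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo() -> dict:
    """Genuine sign-in versus the same challenge relayed through a proxy domain."""
    challenge = b64url_encode(b"constructed-server-challenge-123")
    legit = verify_assertion(
        make_client_data(EXPECTED_ORIGIN, challenge),
        make_authenticator_data(EXPECTED_RP_ID), challenge)
    proxy_origin = "https://login.example-corp.sbs"  # constructed look-alike
    relayed = verify_assertion(
        make_client_data(proxy_origin, challenge),
        make_authenticator_data("login.example-corp.sbs"), challenge)
    return {"legit": legit, "relayed": relayed}


if __name__ == "__main__":
    print(demo())
```

An SMS or TOTP code carries no origin or RP binding, which is why a proxy can forward it unchanged; the assertion above fails at the origin check even before the rpIdHash comparison.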

In response to the discovery, Okta moved to inform Google and Microsoft of VoidProxy's operations, share intelligence with its SaaS partners, and issue a customer advisory. Beyond adopting phishing-resistant authentication, the company recommended that enterprises take a broader set of security measures.

These include restricting access to trusted devices and networks, monitoring sign-in behaviour for anomalies, and giving users streamlined ways to report suspicious emails or login attempts. It is also crucial to cultivate a culture of cybersecurity awareness within the company.
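Two of the sign-in anomalies worth alerting on after an AiTM campaign are a session cookie that is suddenly used from a different client than the one that created it, and a single IP address that completes logins as many different users within minutes, the signature of a proxy relaying victims. The block below is an added example, not Okta's detection logic; the log lines are constructed in a simple key=value format, and the parser would need adapting to a real identity provider's schema.

```python
"""Sign-in anomaly heuristics aimed at AiTM session hijacking.

Added example with constructed log lines; thresholds are illustrative."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice's session S1 is later used from another IP and
# browser (cookie replay); 192.0.2.5 signs in as four users in four minutes.
SAMPLE_LOG = """
2025-09-10T08:01:12Z event=login   user=alice session=S1 ip=203.0.113.10  ua="Chrome/128 Windows"
2025-09-10T08:05:40Z event=request user=alice session=S1 ip=203.0.113.10  ua="Chrome/128 Windows"
2025-09-10T08:09:03Z event=request user=alice session=S1 ip=198.51.100.77 ua="Chrome/126 Linux"
2025-09-10T09:00:01Z event=login   user=bob   session=S2 ip=192.0.2.5     ua="Firefox/130 macOS"
2025-09-10T09:02:11Z event=login   user=carol session=S3 ip=192.0.2.5     ua="Firefox/130 macOS"
2025-09-10T09:03:45Z event=login   user=dave  session=S4 ip=192.0.2.5     ua="Firefox/130 macOS"
2025-09-10T09:04:20Z event=login   user=erin  session=S5 ip=192.0.2.5     ua="Firefox/130 macOS"
2025-09-10T10:30:00Z event=login   user=frank session=S6 ip=203.0.113.44  ua="Safari/17 macOS"
""".strip().splitlines()

LINE_RE = re.compile(
    r'(?P<ts>\S+)\s+event=(?P<event>\S+)\s+user=(?P<user>\S+)\s+'
    r'session=(?P<session>\S+)\s+ip=(?P<ip>\S+)\s+ua="(?P<ua>[^"]*)"')


def parse(lines):
    """Yield dicts for lines that match the constructed format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield event


def detect_session_fingerprint_change(events):
    """Alert when a session id is used from a different (ip, user agent)
    than the one that first used it: a replayed cookie rarely matches both."""
    first_seen = {}
    alerts = []
    for e in events:
        fingerprint = (e["ip"], e["ua"])
        if e["session"] not in first_seen:
            first_seen[e["session"]] = fingerprint
        elif first_seen[e["session"]] != fingerprint:
            alerts.append({"rule": "session-fingerprint-change", "user": e["user"],
                           "session": e["session"], "from": first_seen[e["session"]],
                           "to": fingerprint})
    return alerts


def detect_login_fanout(events, window=timedelta(minutes=10), threshold=3):
    """Alert when one IP completes logins as >= threshold distinct users
    inside the window; one alert per offending IP."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, logins in by_ip.items():
        logins.sort(key=lambda e: e["ts"])
        for i, start in enumerate(logins):
            users = {x["user"] for x in logins[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= threshold:
                alerts.append({"rule": "login-fanout", "ip": ip, "users": sorted(users)})
                break
    return alerts


def run(lines=SAMPLE_LOG):
    events = list(parse(lines))
    return detect_session_fingerprint_change(events) + detect_login_fanout(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Corporate NAT and shared VPN egress will produce legitimate fan-out, so in practice the fan-out rule is tuned with an allow-list of known egress addresses rather than a lower threshold.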

Employees should be trained to recognise phishing emails, suspicious login prompts, and common social engineering techniques, which are frequent precursors to compromise. VoidProxy's rise also illustrates a wider industry problem: the proliferation of PhaaS platforms that turn advanced attack techniques into a commodity.

Other kits, such as EvilProxy, first reported in 2022, and Salty2FA, discovered earlier this year, have demonstrated similar capabilities for bypassing multi-factor authentication and hijacking sessions. Each successive platform raises the stakes for defenders, as techniques once reserved for highly skilled adversaries become available to anyone willing to pay for access.

By lowering the technical barrier, these services enlarge the pool of attackers and produce phishing campaigns that are more effective, harder to detect, more persistent, and more damaging than before. The emergence of VoidProxy marks a significant shift in the threat landscape that calls for a new approach to enterprise security.

Legacy defences that depend solely on passwords or basic multi-factor authentication will not suffice against such adaptive adversaries. Organisations need layered security strategies combined with proactive resilience to protect themselves.

Phishing-resistant authenticators are essential, but businesses must also detect anomalies continuously, maintain rapid incident response capabilities, and train their employees adequately. Collaboration across the cybersecurity ecosystem is equally crucial.

Intelligence sharing between vendors, enterprises, and researchers matters because early detection of emerging threats and coordinated action can significantly reduce the damage they cause.

As PhaaS platforms evolve rapidly, enterprises have to move from reactive defence to proactive adaptation, preparing not only to withstand today's attacks but to anticipate tomorrow's. In a digital world where trust itself has become a primary target, security requires sustained agility and resilience.

Hackers Exploit Zero-Day Bug to Install Backdoors and Steal Data


Sitecore bug abused

Threat actors exploited a zero-day bug in legacy Sitecore deployments to install WeepSteel spying malware. 

The bug, tracked as CVE-2025-53690, is a ViewState deserialization flaw caused by a sample ASP.NET machine key that was published in pre-2017 Sitecore deployment guides.

Some customers reused this key in production, which allowed attackers who knew it to craft valid but malicious `__VIEWSTATE` payloads that the server accepted, deserialized, and executed, leading to remote code execution (RCE).

The vulnerability is not a bug in ASP.NET itself; it is a misconfiguration flaw caused by the reuse of publicly documented keys that were never intended for production use.

About exploitation

Mandiant experts found the exploit in the wild and said that the threat actors have been using the bug in multi-stage attacks. The attackers send requests containing a crafted ViewState field to the '/sitecore/blocked.Aspx' endpoint, which accepts unauthenticated ViewState, and obtain RCE by exploiting CVE-2025-53690.

The payload they deploy is WeepSteel, a reconnaissance backdoor that collects process, system, disk, and network details and disguises its exfiltration as standard ViewState responses.

Mandiant observed the execution of reconnaissance commands on compromised environments, including whoami, hostname, tasklist, ipconfig /all, and netstat -ano. 
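Because the initial foothold here is the ASP.NET worker process, the reconnaissance commands listed above show up as children of w3wp.exe, a parent-child relationship that a web server almost never produces legitimately. The block below is an added example, not Mandiant's detection content: it classifies constructed Sysmon-style process-creation records (placeholder hostnames, constructed timestamps) and raises a burst alert when several distinct recon tools run under w3wp.exe within a short window.

```python
"""Flag reconnaissance commands spawned by the IIS worker process.

Added example; events are constructed Sysmon Event ID 1-style records."""
from collections import defaultdict
from datetime import datetime, timedelta

RECON_TOOLS = {"whoami", "hostname", "tasklist", "ipconfig", "netstat",
               "systeminfo", "nltest", "net"}
SHELLS = {"cmd", "powershell", "pwsh"}

W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SYS32 = r"C:\Windows\System32"

# Constructed sample events (hostnames and times are placeholders).
EVENTS = [
    {"ts": "2025-09-03T02:14:07Z", "host": "web01", "parent": W3WP,
     "image": SYS32 + r"\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2025-09-03T02:14:09Z", "host": "web01", "parent": W3WP,
     "image": SYS32 + r"\cmd.exe", "cmdline": "cmd.exe /c netstat -ano"},
    {"ts": "2025-09-03T02:14:12Z", "host": "web01", "parent": W3WP,
     "image": SYS32 + r"\ipconfig.exe", "cmdline": "ipconfig /all"},
    # Same command from an interactive admin session: not in scope.
    {"ts": "2025-09-03T09:00:00Z", "host": "web01", "parent": r"C:\Windows\explorer.exe",
     "image": SYS32 + r"\cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"},
    # A w3wp child that is not a shell or recon tool: low severity, still logged.
    {"ts": "2025-09-03T02:15:00Z", "host": "web02", "parent": W3WP,
     "image": SYS32 + r"\inetsrv\appcmd.exe", "cmdline": "appcmd list apppools"},
]


def _name(path: str) -> str:
    """'C:\\Windows\\System32\\cmd.exe' -> 'cmd' (case-insensitive, no extension)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower().rsplit(".", 1)[0]


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def classify(event):
    """Return an alert dict for children of w3wp.exe, None otherwise."""
    if _name(event["parent"]) != "w3wp":
        return None
    image = _name(event["image"])
    tokens = {_name(t) for t in event["cmdline"].split()} | {image}
    recon = sorted(RECON_TOOLS & tokens)
    if recon:
        severity = "high"
    elif SHELLS & tokens:
        severity = "medium"
    else:
        severity = "low"
    return {"ts": event["ts"], "host": event["host"], "severity": severity,
            "recon": recon, "cmdline": event["cmdline"]}


def recon_bursts(alerts, window=timedelta(minutes=5), threshold=3):
    """Hosts where >= threshold distinct recon tools ran under w3wp inside the window."""
    by_host = defaultdict(list)
    for a in alerts:
        if a["severity"] == "high":
            by_host[a["host"]].append(a)
    bursts = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        for i, start in enumerate(items):
            tools = set()
            for a in items[i:]:
                if parse_ts(a["ts"]) - parse_ts(start["ts"]) <= window:
                    tools.update(a["recon"])
            if len(tools) >= threshold:
                bursts.append({"host": host, "tools": sorted(tools)})
                break
    return bursts


def run(events=EVENTS):
    alerts = [c for c in map(classify, events) if c]
    return alerts, recon_bursts(alerts)


if __name__ == "__main__":
    for item in run():
        print(item)
```

The burst rule is what separates an attacker's first minutes on the box from the occasional legitimate child process; the per-event severities are kept so that a single `whoami` under w3wp.exe still surfaces for triage.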

In the next attack stage, the threat actors installed Earthworm (a network tunneling and reverse SOCKS proxy), Dwagent (a remote access tool), and 7-Zip, used to archive the stolen information. They then escalated privileges by creating local administrator accounts ('asp$', 'sawadmin'), followed by “cached (SAM and SYSTEM hives) credentials dumping, and attempted token impersonating via GoTokenTheft,” Bleeping Computer reported.

The threat actors established persistence by disabling password expiration on those accounts, granting themselves RDP access, and registering Dwagent as a SYSTEM service.

“Mandiant recommends following security best practices in ASP.NET, including implementing automated machine key rotation, enabling View State Message Authentication Code (MAC), and encrypting any plaintext secrets within the web.config file,” the company said.
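Each of those recommendations maps to something visible in web.config: hard-coded `validationKey`/`decryptionKey` values (especially the same pair appearing on more than one site, which is exactly how a documentation sample spreads), `enableViewStateMac="false"`, and `<connectionStrings>` or `<appSettings>` sections without a `configProtectionProvider` attribute. The audit below is an added example, not Sitecore's or Mandiant's tooling; the three configs and the key strings in them are constructed placeholders, not the sample key from the old guides.

```python
"""Audit ASP.NET web.config files for the machineKey mistakes behind
ViewState deserialization abuse. Added example; all configs are constructed."""
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Placeholder key pair standing in for a value copied out of documentation.
SHARED_KEY = ('validationKey="PLACEHOLDER_VALIDATION_KEY_FROM_A_GUIDE" '
              'decryptionKey="PLACEHOLDER_DECRYPTION_KEY_FROM_A_GUIDE"')

# Constructed sample configs keyed by a hypothetical site name.
SAMPLE_CONFIGS = {
    "cms-prod": f"""<configuration>
  <connectionStrings><add name="core" connectionString="Server=db;Password=pl4intext"/></connectionStrings>
  <system.web>
    <machineKey {SHARED_KEY} validation="SHA1" decryption="AES"/>
    <pages enableViewStateMac="false"/>
  </system.web>
</configuration>""",
    "cms-staging": f"""<configuration>
  <system.web>
    <machineKey {SHARED_KEY} validation="SHA1" decryption="AES"/>
  </system.web>
</configuration>""",
    "intranet": """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData/>
  </connectionStrings>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES"/>
  </system.web>
</configuration>""",
}


def audit_config(xml_text):
    """Return (findings, key_fingerprint). The fingerprint is None unless the
    keys are hard-coded; it is a hash so key material never lands in a report."""
    root = ET.fromstring(xml_text)
    findings = []
    fingerprint = None
    system_web = root.find("system.web")
    machine_key = system_web.find("machineKey") if system_web is not None else None
    if machine_key is not None:
        vk = machine_key.get("validationKey", "")
        dk = machine_key.get("decryptionKey", "")
        if "AutoGenerate" not in vk and "AutoGenerate" not in dk:
            fingerprint = hashlib.sha256(f"{vk}|{dk}".encode()).hexdigest()[:16]
            findings.append("hard-coded machineKey: confirm it was generated for this "
                            "site and is rotated on a schedule")
        if machine_key.get("validation", "").upper() in {"MD5", "SHA1"}:
            findings.append(f"weak validation algorithm {machine_key.get('validation')}; "
                            "use HMACSHA256 or stronger")
    pages = system_web.find("pages") if system_web is not None else None
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState accepted without an integrity check")
    for section in ("connectionStrings", "appSettings"):
        element = root.find(section)
        if element is not None and element.get("configProtectionProvider") is None:
            findings.append(f"<{section}> stored in plaintext; encrypt it with aspnet_regiis -pe")
    return findings, fingerprint


def audit_all(configs):
    """Audit every config and flag key pairs that appear on more than one site."""
    report = {}
    sites_by_key = defaultdict(list)
    for name, text in configs.items():
        findings, fingerprint = audit_config(text)
        report[name] = findings
        if fingerprint:
            sites_by_key[fingerprint].append(name)
    for names in sites_by_key.values():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                report[name].append(f"machineKey shared with: {others}")
    return report


if __name__ == "__main__":
    for site, findings in audit_all(SAMPLE_CONFIGS).items():
        print(site, findings or ["no findings"])
```

A machineKey with no findings is not proof the key is private: a key that appears in any public document should be treated as compromised regardless of how many sites share it, so the hard-coded warning stays even for a single site.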

Beyond Firewalls: How U.S. Schools Are Building a Culture of Cyber Safety

 

U.S. district schools are facing a surge in sophisticated cyberattacks, but districts are pushing back by combining strong fundamentals, people-centered training, state partnerships, and community resilience planning to build cyber safety into everyday culture.

Rising threat landscape 

An Arizona district’s 2024 near-miss shows how fast attacks unfold and why incident response planning and EDR matter; swift VPN cutoff and state-provided CrowdStrike support helped prevent damage during a live intrusion window of mere hours.

Broader data from the 2025 CIS MS-ISAC K-12 report underscores the scale: 82% of reporting schools experienced cyber impacts between July 2023 and December 2024, with more than 9,300 confirmed incidents, reflecting increased adversary sophistication and strategic timing against educational operations. Districts hold sensitive student and family data, making identity theft, fraud, and extortion high-risk outcomes from breaches.

AI-boosted phishing and the human firewall 

Technology leaders report that generative AI has made phishing emails far more convincing, even fooling seasoned staff, shifting emphasis to continuous, culture-wide awareness training.

Districts are reframing users as the first line of defense, deploying role-based training through platforms like KnowBe4 and CyberNut, and reinforcing desired behaviors with incentives that make reporting suspicious emails a source of pride rather than punishment.

This people-first approach aligns with expert guidance that “cybersecurity is really cybersafety,” requiring leadership beyond IT to model and champion safe digital practices.

Tools, partnerships, and equity

Well-resourced or larger districts layer EDR/MDR/NDR, AI email filtering, vendor monitoring, and regular penetration testing, demonstrating rapid detection and response in live red-team exercises.

Smaller systems rely critically on state-backed programs—such as Arizona’s Statewide Cyber Readiness Program or Indiana’s university-led assessments—that supply licenses, training, and risk guidance otherwise out of reach.

Nationally, MS-ISAC provides no-cost incident response, advisory services, and threat intelligence, with assessments like the NCSR linked to measurable maturity gains, reinforcing the value of shared services for K-12.

Back to basics and resilience

Experts stress that fundamentals—timely patching, account audits, strong passwords, and MFA—block a large share of intrusions, with mismanaged legacy accounts and unpatched systems frequently exploited.

Recovery costs swing widely, but preparation and in-house response can dramatically reduce impact, while sector-wide averages show high breach costs and constrained cyber budgets that heighten the need for prioritization.

Looking forward, districts are institutionalizing tabletop exercises, mutual aid pacts, and statewide collaboration so no school faces an incident alone, operationalizing community resilience as a strategic defense layer.

Deepfake Video of Sadhguru Used to Defraud Bengaluru Woman of Rs 3.75 Crore


 

As a striking example of how emerging technologies are being weaponised for deception, a 57-year-old Bengaluru woman was defrauded of Rs 3.75 crore after watching an AI-generated deepfake video purporting to show the spiritual leader Sadhguru.

The woman, identifying herself as Varsha Gupta from CV Raman Nagar, said she did not know deepfakes existed when she saw a social media reel that appeared to show Sadhguru promoting stock investments through a trading platform and encouraging viewers to start with as little as $250.

The video and the interactions that followed convinced her of its authenticity, and she invested heavily between February and April before discovering she had been deceived. Police confirmed the case and launched an investigation, noting that multiple fake advertisements using AI-generated voices and images of Sadhguru were circulating online during that period.

The incident underlines not only the escalating financial risk posed by deepfake technology but also the growing ethical and legal issues around it: Sadhguru had recently petitioned the Delhi High Court to protect his rights against unauthorised AI-generated content that could harm his persona.

Soon after, Varsha was contacted by an individual identifying himself as Waleed B, who claimed to be an agent of Mirrox. Using multiple UK phone numbers, he added her to a WhatsApp group of close to 100 members and set up trading tutorials over Zoom. When Waleed later withdrew, another man named Michael C took over as her trainer.

Using fake profit screenshots and credit entries inside a trading application, the fraudsters allegedly built credibility and persuaded her to make repeated transfers into their bank accounts. Between February and April she invested more than Rs 3.75 crore across a number of transactions.

When she tried to withdraw what she believed were her returns, she was told that additional fees and taxes were due. When she refused, all contact ceased abruptly. The investigation has begun and investigators are working with banks to freeze accounts linked to the scam, but recovery remains uncertain because the complaint was filed nearly five months after the last transfer.

Under the Bharatiya Nyaya Sanhita as well as Section 318(4) of the Information Technology Act, the case has been filed. Meanwhile, Sadhguru Jaggi Vasudev and the Isha Foundation formally filed a petition in June with the Delhi High Court asking the court to provide him with safeguards against misappropriation of his name and identity by deepfake content publishers. 

The Foundation also issued a public advisory on the social media platform X, warning about scams that used manipulated videos and cloned voices of Sadhguru and reaffirming that he does not and will not endorse any financial schemes or commercial products. Being added to a WhatsApp group of almost one hundred members and invited to a Zoom tutorial on online trading was part of the elaborate scheme used against Varsha.

The organisers of these sessions, later revealed to be the fraudsters, are suspected of projecting profit screenshots and staging discussions designed to encourage participants to invest. Reassured by the apparent success stories and what looked like a legitimate platform, she transferred a total of Rs 3.75 crore in several instalments to different bank accounts.

The illusion collapsed when she attempted to withdraw her supposed earnings. The scammers demanded payment of tax and processing charges; when she refused, all communication was cut off. Police officials confirmed that her complaint was filed almost five months after the last transaction, a delay that has made recovering the funds more challenging, although efforts are under way to freeze the accounts involved.

Authorities noted that the incident comes amid rising concern over AI-driven fraud, with deepfake technology increasingly used to lend credibility to such schemes. In April of this year, Sadhguru Jaggi Vasudev and the Isha Foundation petitioned the Delhi High Court for protection against the manipulation of their likeness and voice in deepfake videos.

In its public advisory, the Foundation reminded citizens that Sadhguru does not promote financial schemes or commercial products and warned them against fraudulent marketing campaigns circulating on social media. With artificial intelligence increasingly used for malicious purposes, the need for digital literacy and vigilance is growing.

Even as law enforcement agencies strengthen their cybercrime units, the first line of defence remains the individual. Experts advise caution with unsolicited financial offers, especially those appearing on social media or messaging applications. Verifying offers independently through official channels, keeping multi-factor authentication on sensitive accounts, and not clicking suspicious links on impulse can markedly reduce exposure to such traps.

Banks and financial institutions should likewise be encouraged to deploy AI-based monitoring that can detect irregular transaction patterns and identify fraud networks before they cause significant losses. Beyond technology, consistent public awareness campaigns and stricter regulation of digital platforms that display misleading advertisements are also needed.

Individuals now need to watch for emerging threats such as deepfakes to protect both their wealth and their trust. As this case shows, fraudsters have grown so sophisticated that staying safe in the digital era requires a combination of diligence, education, and more robust systemic safeguards.

Massive database of 250 million data leaked online for public access


Around a quarter of a billion identity records were left publicly accessible, exposing people in seven countries: Saudi Arabia, the United Arab Emirates, Canada, Mexico, South Africa, Egypt, and Turkey.

According to experts from Cybernews, three misconfigured servers, with IP addresses registered in the UAE and Brazil, contained “government-level” identity profiles. The leaked data included contact details, dates of birth, ID numbers, and home addresses.

The Cybernews experts who found the leak said the databases shared similar naming conventions and structure, hinting at a common source, but they could not identify the actor responsible for running the servers.

“These databases were likely operated by a single party, due to the similar data structures, but there’s no attribution as to who controlled the data, or any hard links proving that these instances belonged to the same party,” they said. 

The leak is particularly concerning for citizens in South Africa, Egypt, and Turkey, as the databases there contained full-spectrum data. 

The leak would have exposed the people in the database to multiple threats, such as phishing campaigns, scams, financial fraud, and other abuses.

Currently, the database is not publicly accessible (a good sign). 

This is not the first time a massive database of citizen data on the order of 250 million records has been exposed online. Earlier Cybernews research revealed that the entire Brazilian population might have been affected by a separate breach.

In that case, a misconfigured Elasticsearch instance exposed details such as sex, names, dates of birth, and Cadastro de Pessoas Físicas (CPF) numbers, which identify taxpayers in Brazil.

Ransomware Group Uses AI Training Threats in Artists & Clients Cyberattack

 

Cybercriminals behind ransomware attacks are adopting new intimidation methods to push victims into paying up. In a recent case, the LunaLock ransomware gang has escalated tactics by threatening to sell stolen artwork for AI training datasets.

The popular platform Artists&Clients, which connects artists with clients for commissioned projects, was hacked around August 30. According to reports, a ransom note appeared on the site’s homepage stating: “All files have been encrypted and the site has been breached.” The attackers demanded at least $50,000 in Bitcoin or Monero, promising to delete stolen data and restore access once payment was made.

What sets this attack apart is the warning that stolen artwork could be handed over to “AI companies” to train large language models. This is especially alarming as Artists&Clients explicitly prohibits AI involvement on its platform. Security researcher Tammy Harper highlighted, “this is the first known instance of a ransomware group explicitly using AI training as a threat to extort victims.”

If the ransom is not paid, LunaLock claims it will leak sensitive information including personal data, commissions, and payment records—potentially triggering GDPR violations in Europe. While the group did not clarify how they would provide the artwork to AI firms, experts suggest they might simply publish an open database accessible to AI crawlers.

Currently, the Artists&Clients website is offline, leaving users anxious about compromised messages, transactions, and commissioned work. No official statement has been released by the platform. Harper emphasized that this tactic may hit creators especially hard, as many strongly oppose their work being exploited for AI training without consent or compensation.

Browser-Based Attacks in 2025: Key Threats Security Teams Must Address

 

In 2025, the browser has become one of the primary battlefields for cybercriminals. Once considered a simple access point to the internet, it now serves as the main gateway for employees into critical business applications and sensitive data. This shift has drawn attackers to target browsers directly, exploiting them as the weakest link in a highly connected and decentralized work environment. With enterprises relying heavily on SaaS platforms, online collaboration tools, and cloud applications, the browser has transformed into the focal point of modern cyberattacks, and security teams must rethink their defenses to stay ahead. 

The reason attackers focus on browsers is not because of the technology itself, but because of what lies beyond them. When a user logs into a SaaS tool, an ERP system, or a customer database, the browser acts as the entryway. Incidents such as the Snowflake customer data breach and ongoing attacks against Salesforce users demonstrate that attackers no longer need to compromise entire networks; they simply exploit the session and gain direct access to enterprise assets. 

Phishing remains one of the most common browser-driven threats, but it has grown increasingly sophisticated. Attackers now rely on advanced Attacker-in-the-Middle kits that steal not only passwords but also active sessions, rendering multi-factor authentication useless. These phishing campaigns are often cloaked with obfuscation and hosted on legitimate SaaS infrastructure, making them difficult to detect. In other cases, attackers deliver malicious code through deceptive mechanisms such as ClickFix, which disguises harmful commands as verification prompts. Variants like FileFix are spreading across both Windows and macOS, frequently planting infostealer malware designed to harvest credentials and session cookies. 

Another growing risk comes from malicious OAuth integrations, where attackers trick users into approving third-party applications that secretly provide them with access to corporate systems. This method proved devastating in recent Salesforce-related breaches, where hackers bypassed strong authentication and gained long-term access to enterprise environments. Similarly, compromised or fraudulent browser extensions represent a silent but dangerous threat. These can capture login details, hijack sessions, or inject malicious scripts, as highlighted in the Cyberhaven incident in late 2024. 

File downloads remain another effective attack vector. Malware-laced documents, often hidden behind phishing portals, continue to slip past traditional defenses. Meanwhile, stolen credentials still fuel account takeovers in cases where multi-factor authentication is weak, absent, or improperly enforced. Attackers exploit these gaps using ghost logins and bypass techniques, highlighting the need for real-time browser-level monitoring. 

As attackers increasingly exploit the browser as a central point of entry, organizations must prioritize visibility and control at this layer. By strengthening browser security, enterprises can reduce identity exposure, close MFA gaps, and limit the risks of phishing, malware delivery, and unauthorized access. The browser has become the new endpoint of enterprise defense, and protecting it is no longer optional.

Bridgestone Investigates Cyber Incident Affecting North American Operations

 


Bridgestone Americas has confirmed it is investigating a cyber incident that disrupted operations at several of its tire manufacturing plants in North America. The company emphasized that its response team contained the issue quickly, limiting the scope of the attack.


Disruptions in Two Countries

The first reports of trouble emerged on September 2, 2025, when two factories in Aiken County, South Carolina, were affected by an incident linked to the company’s IT systems. By the following day, Canadian media reported that operations at Bridgestone’s plant in Joliette, Quebec, were also interrupted.

In response to press questions, Bridgestone confirmed that the matter is under investigation and described it as a “limited cyber incident.”


Company’s Official Position

According to the company’s statement, teams acted immediately in line with established security protocols. “Our team responded quickly to contain the issue in keeping with our established protocols,” the statement noted.

Bridgestone added that while forensic analysis is still in progress, there is no indication that customer information or external-facing systems were accessed. Employees are working “around the clock” to minimize disruption and maintain operations.

“Maintaining business continuity and protecting data and interfaces has been, and continues to be, our top priority,” a spokesperson said. The company added that it is taking steps to ensure customer obligations are met and to address any possible further impacts.


Scale of Operations

Bridgestone Americas is one of the largest business units of the global Bridgestone Corporation, headquartered in Japan. It operates 50 production facilities across North America and employs approximately 55,000 people. In 2024 alone, the division generated $12 billion in sales and $1.2 billion in operating profit.

With such a large footprint, any disruption to its plants can have a ripple effect on the supply chain. The company acknowledged that the incident could temporarily affect product availability but stressed that mitigation measures are already in place.


No Confirmation of Ransomware

At this stage, Bridgestone has not confirmed whether ransomware was involved, and no criminal group has publicly claimed responsibility. The lack of attribution makes it unclear whether this was a financially motivated attack or another form of intrusion.

The company has faced similar threats before. In 2022, it was hit by a ransomware attack that exposed sensitive data and disrupted business operations, a reminder of the ongoing risks faced by manufacturers worldwide.

Cyber incidents targeting manufacturing underscore the vulnerability of industrial systems, where disruptions can extend beyond computers to the machines that run production lines. For consumers, such events may lead to supply shortages and delayed deliveries. For companies, this is a wake-up call to invest in proactive security measures to safeguard both operations and customer trust.

Bridgestone has agreed to share updates as the investigation continues.



Ghaziabad eSIM Fraud: Woman Loses ₹18.5 Lakh in Sophisticated SIM Swap Scam


A 54-year-old resident of Shipra Suncity, Indirapuram, Ghaziabad, fell victim to a sophisticated eSIM fraud that resulted in the loss of ₹18.48 lakh from her bank accounts. Arti Kaul was targeted by cybercriminals who posed as Airtel customer service representatives to execute an elaborate SIM swap scam. 

Fraudulent call 

On August 29, 2025, at approximately 1:00 PM, Kaul received a phone call from fraudsters claiming to be Airtel representatives. The callers convinced her that she needed to upgrade her SIM card from 4G to 5G as per company policy, presenting the upgrade as mandatory. Unaware of the deceptive nature of the call, Kaul stayed on the line with the fraudsters throughout the process.

Technical manipulation

At 1:10 PM, Kaul received an SMS from Airtel containing an OTP for eSIM card activation. Following this, she received a long numerical message on WhatsApp, along with subsequent SIM card update-related messages and additional calls from both the fraudsters and legitimate Airtel representatives. The victim shared the OTP with the callers, inadvertently giving them access to activate an eSIM on their own device, effectively hijacking her phone number. 

Once the fraudsters gained control of Kaul's phone number through the eSIM activation, they systematically drained her bank accounts. The theft occurred through more than 50 separate transactions between August 31 and September 1, 2025, targeting both her Axis Bank and HDFC Bank accounts. The total amount stolen reached ₹18.48 lakh. 

Discovery and legal action

Kaul discovered the fraud when her SIM card became inactive and she stopped receiving messages. Upon visiting her banks, employees informed her about the unauthorized transactions that had occurred over the previous days. She subsequently filed a complaint with the cyber crime police station, and an investigation has been launched.

This incident highlights the growing threat of eSIM-based fraud in India, where criminals exploit the convenience of digital SIM technology to rapidly hijack mobile numbers and access victims' financial accounts through intercepted OTPs. 

Safety tips 

Never share OTPs or activation codes: Avoid sharing one-time passwords (OTPs), eSIM activation codes, or QR codes with anyone, even if they claim to be from your telecom provider. No legitimate company will request these details over phone or SMS. 

Use only official channels: Always request eSIM conversions or upgrades directly through official carrier apps, websites, or physical stores. Do not click on unknown links, and never proceed with eSIM activation from unsolicited messages or calls.

Act fast on signal loss: If your phone unexpectedly loses network signal or displays “No Service,” immediately report the issue to your mobile operator and notify your bank. This could indicate that your number has been hijacked.

Stay alert for phishing attempts: Be wary of calls, emails, or texts asking for personal, banking, or SIM-related information. Always verify the identity of the sender by reaching out through the provider’s verified customer care number. 

Monitor account activity: Regularly review bank and mobile account activity for unauthorized transactions or account changes. Set up alerts where available for any transaction or SIM change activity.

Following these safety steps drastically reduces the risk of eSIM-based fraud and helps in swift detection of account compromise.
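The attack sequence above (eSIM activated at 1:10 PM on August 29, then more than 50 transactions on August 31 and September 1) and the final tip about alerting on SIM changes describe a correlation a bank or operator can automate: treat any transaction that follows a SIM or eSIM change on the customer's registered number within a short window as suspicious, and escalate when they come in bursts. The code below is an added example, not from the original report or any bank's system; the SIM-change events, transactions, account names and the 7-day window are constructed assumptions.

```python
"""Correlate SIM/eSIM change events with subsequent transactions (added example).

All events below are constructed for illustration. The window length and burst
threshold are assumed policy values, not any institution's real settings.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SIM_CHANGE_WINDOW = timedelta(days=7)   # assumed: how long after a SIM change to stay suspicious
BURST_THRESHOLD = 3                     # assumed: flagged transactions per account before escalation


def index_sim_changes(sim_events):
    """Map registered number -> sorted list of SIM/eSIM change timestamps."""
    changes = defaultdict(list)
    for msisdn, when in sim_events:
        changes[msisdn].append(when)
    for times in changes.values():
        times.sort()
    return changes


def flag_post_sim_change(sim_events, transactions, window=SIM_CHANGE_WINDOW):
    """Return the transactions that occur within `window` after a SIM change on the same number."""
    changes = index_sim_changes(sim_events)
    flagged = []
    for tx in transactions:
        for change_time in changes.get(tx["msisdn"], []):
            if change_time <= tx["time"] <= change_time + window:
                flagged.append(tx)
                break
    return flagged


def summarize_by_account(flagged):
    """Map account -> (count, total amount) of flagged transactions."""
    summary = defaultdict(lambda: [0, 0])
    for tx in flagged:
        summary[tx["account"]][0] += 1
        summary[tx["account"]][1] += tx["amount"]
    return {acct: (c, total) for acct, (c, total) in summary.items()}


def accounts_to_escalate(flagged, threshold=BURST_THRESHOLD):
    """Accounts whose flagged-transaction count reaches the burst threshold."""
    return sorted(a for a, (count, _) in summarize_by_account(flagged).items() if count >= threshold)


# Constructed sample data. The number, accounts and amounts are placeholders.
VICTIM_NUMBER = "+91-90000-00001"
OTHER_NUMBER = "+91-90000-00002"
SIM_EVENTS = [
    (VICTIM_NUMBER, datetime(2025, 8, 29, 13, 10)),   # eSIM activation via shared OTP
]
TRANSACTIONS = [
    {"account": "AXIS-1", "msisdn": VICTIM_NUMBER, "time": datetime(2025, 8, 20, 10, 0), "amount": 2500},
    {"account": "AXIS-1", "msisdn": VICTIM_NUMBER, "time": datetime(2025, 8, 31, 2, 14), "amount": 49999},
    {"account": "AXIS-1", "msisdn": VICTIM_NUMBER, "time": datetime(2025, 8, 31, 2, 16), "amount": 49999},
    {"account": "AXIS-1", "msisdn": VICTIM_NUMBER, "time": datetime(2025, 8, 31, 2, 19), "amount": 49999},
    {"account": "HDFC-1", "msisdn": VICTIM_NUMBER, "time": datetime(2025, 9, 1, 11, 5), "amount": 90000},
    {"account": "SBI-9", "msisdn": OTHER_NUMBER, "time": datetime(2025, 9, 1, 12, 0), "amount": 1000},
]

if __name__ == "__main__":
    hits = flag_post_sim_change(SIM_EVENTS, TRANSACTIONS)
    print("flagged:", len(hits), summarize_by_account(hits))
    print("escalate:", accounts_to_escalate(hits))
```

The transaction on August 20 and the one on the unrelated number are left alone; the four that follow the eSIM activation are flagged, and the account that sees a burst of them is escalated. In a real deployment the SIM-change feed would come from the operator (or the bank's own SIM-binding check) and the flagged set would drive step-up verification or a temporary hold rather than only a report.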