Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Threat actors
Business Resilience cybersecurity risks Data Breach Generative AI Ransomware Surge State-Sponsored Attacks Threat actors

Cybersecurity Landscape Shaken as Ransomware Activity Nearly Triples in 2024

 


Ransomware is one of the most persistent threats in the evolving landscape of cybercrime, but its escalation in 2024 has marked an extremely alarming turning point. Infiltrating hospitals, financial institutions, and even government agencies in a manner that has never been attempted before, attackers extended their reach with unprecedented precision, as if they were no longer restricted to high-profile corporations. These sectors tend to be vulnerable to such crippling disruptions in the first place. 

As cybercriminals employed stronger encryption methods and more aggressive extortion tactics, they demonstrated a ruthless pursuit of maximising damages and financial gain. This shift is demonstrated in the newly released data from threat intelligence firm Flashpoint, which reveals that the number of ransomware attacks observed in the first half of 2025 increased by 179 per cent in comparison to 2024 during the same period, almost tripling in size in just a year. 

Throughout the years 2022 and 2023, the ransomware landscape offered little relief due to the relentless escalation of threat actors’ tactics. As a result of the threat of public exposure and data infiltration, attackers increasingly used threats of data infiltration to force companies to conform to regulations. 

Even companies that managed to restore their operations from backups were not spared, as sensitive information was often leaking onto underground forums and leak sites controlled by criminal groups, which led to an increase in ransomware incidence of 13 per cent in 2021 compared to 2021 – an increase far greater than the cumulative increases of the past five years combined. 

Verizon’s Data Breach Investigations Report underscored the severity of this trend. It is important to note that Statista has predicted that about 70 per cent of businesses will face at least one ransomware attack in 2022, marking the highest rate of ransomware attacks ever recorded. In the 2022 year-over-year analysis, it was highlighted that education, government, and healthcare were the industries with the greatest impact in 2022. 

By 2023, healthcare will emerge as one of the most targeted sectors due to attackers' calculated strategy to target industries that are least able to sustain prolonged disruption. In light of the ongoing ransomware crisis, small and mid-sized businesses are considered to be some of the most vulnerable targets. 

As part of Verizon’s research, 832 ransomware-related incidents were documented by small businesses by 2022, 130 of these incidents resulted in confirmed data loss, and nearly 80 per cent of these events were directly related to the ransomware attacks. In an effort to compound the risks, the fact that only half of U.S. small businesses maintain a formal cybersecurity plan, according to a report quoted by UpCity Globally, amplifies the risks. 

A survey conducted by Statista found that 72 per cent of businesses were impacted by ransomware, with 64.9% of those organisations ultimately yielding to ransom demands. In a recent survey of 1,500 cybersecurity professionals conducted by Cyberreason, there was a similar picture of concern. More than two-thirds of all organisations reported experiencing a ransomware attack, a 33 per cent increase over the previous year, with almost two-thirds of the attacks associated with compromised third parties. 

The consequences for organisations were severe and went beyond financial losses in the most significant way. Approximately 40% of companies had to lay off employees following an attack, 35 percent reported resignations of senior executives, and one third temporarily suspended operations as a result of an attack. 

Unfortunately, the persistence of attackers within networks often went undetected for long periods of time. There was a reported 63 per cent of organisations that had been attacked for as long as six months, and others reported that they had been accessed for a period of over a year without being noticed. The majority of companies decided to pay ransoms despite the risks involved, with 49 per cent doing so to avoid revenue losses and 41 per cent to speed up recovery. 

In spite of this, even payment provided no guarantee of data recovery; over half of all companies paying ransom reported corrupted or unusable data after the decryption, while the majority of financial damages were between $1 million and $10 million. The use of generative artificial intelligence within ransomware operations is also an emerging concern. 

Even though the scope of these experiments remains limited, some groups have begun to explore large language models that have the potential to reduce operational burdens, such as automating the generation of phishing templates.To develop a more comprehensive understanding of this capability, researchers have identified Funksec, a group that surfaced in late 2024 and is believed to have contributed to the WormGPT model, as one of the first groups to experiment with it, so more gangs will likely start incorporating artificial intelligence into their tactics in the near future.

Furthermore, analysts at Flashpoint found that gang members are recycling victims from other ransomware groups in order to gain a foothold on underground forums, long after initial breaches. The first half of 2025 has been dominated by a few particularly active operators based on scale: 537 attacks were committed by Akira, 402 attacks were committed by Clop/Cl0p, 345 attacks were committed by Qilin, 233 attacks were committed by Safepay Ransomware, and 23 attacks were performed by RansomHub. 

A significant amount of attention has also been drawn to DragonForce in the United Kingdom after the company targeted household names, including Marks & Spencer and the Co-op Group. Despite being the top target, the United States remained the most vulnerable, with 2,160 attacks, far exceeding Canada’s 249 attacks, Germany’s 154 attacks, and the UK’s 148 attacks—but Brazil, Spain, France, India, and Australia also had high numbers. 

A perspective from the manufacturing and technology industries indicates that these were the industries that were most lucrative, causing 22 and 18 per cent of incidents, respectively. Retail, healthcare, and business services, on the other hand, accounted for 15 per cent. The report also highlighted how the boundaries between hacktivist groups and state-sponsored actors are becoming increasingly blurred, thus illustrating the complexity of today's threat environment. 

During the first half of 2025, 137 threat actor activities tracked were attributed to state-sponsored groups, 9 per cent to hacktivists, while the remaining 51 per cent were attributed to cybercriminal organisations. The Iranian government has shown that a growing focus has been placed on critical infrastructure through entities affiliated with the Iranian state, such as GhostSec and Arabian Ghosts. 

In an attempt to target critical infrastructure, these entities are reported to have targeted programmable logic controllers connected to Israeli media and water systems. As a result, groups such as CyberAv3ngers sought to spread unverified narratives in advance of disruptive technology attacks. As a result, state-aligned operations are often resurfacing under a new identity, such as APT IRAN, demonstrating their shifting strategies and adaptive nature. 

There is a sobering picture of the challenges that lie ahead in light of the increase in ransomware activity as well as the diversification of threat actors. Even though no sector, geography, or organisation size is immune to disruption, it appears that cybercriminals will be able to innovate more rapidly than ever, as well as utilise state-linked tactics to do so in the future, which indicates that the stakes will only get higher as time goes on. 

Proactively managing security goes beyond ensuring compliance or minimising damage; it involves cultivating a culture of security that anticipates threats rather than reacts to them, rather than merely reacting to them. By investing in modern defences like continuous threat intelligence, real-time monitoring, and zero-trust architectures, as well as addressing fundamental weaknesses in supply chains and third-party partnerships, which frequently open themselves up to attacks, companies can significantly reduce their risk exposure as well as their vulnerability to attacks. 

Moreover, it is equally important to address the human aspect of cybersecurity resilience: employees must be aware, incidents should be reported quickly, and leadership needs to be committed to cybersecurity resilience. 

Even though the outlook may seem daunting, organisations that make sure they are prepared rather than complacent will have a better chance of dealing with ransomware as well as the wider range of cyber threats that are reshaping the digital age. A resilient security approach remains the ultimate defence in an environment defined by a persistent attacker and the innovative actions of the attacker.
Read more »
Trail of Bits research
Advanced Technology AI Cyber Attacks Gemini image-scaling vulnerability prompt injection attack Trail of Bits research

Researchers Expose AI Prompt Injection Attack Hidden in Images

 

Researchers have unveiled a new type of cyberattack that can steal sensitive user data by embedding hidden prompts inside images processed by AI platforms. These malicious instructions remain invisible to the human eye but become detectable once the images are downscaled using common resampling techniques before being sent to a large language model (LLM).

The technique, designed by Trail of Bits experts Kikimora Morozova and Suha Sabi Hussain, builds on earlier research from a 2020 USENIX paper by TU Braunschweig, which first proposed the concept of image-scaling attacks in machine learning systems.

Typically, when users upload pictures into AI tools, the images are automatically reduced in quality for efficiency and cost optimization. Depending on the resampling method—such as nearest neighbor, bilinear, or bicubic interpolation—aliasing artifacts can emerge, unintentionally revealing hidden patterns if the source image was crafted with this purpose in mind.

In one demonstration by Trail of Bits, carefully engineered dark areas within a malicious image shifted colors when processed through bicubic downscaling. This transformation exposed black text that the AI system interpreted as additional user instructions. While everything appeared normal to the end user, the model silently executed these hidden commands, potentially leaking data or performing harmful tasks.

In practice, the team showed how this vulnerability could be exploited in Gemini CLI, where hidden prompts enabled the extraction of Google Calendar data to an external email address. With Zapier MCP configured to trust=True, the tool calls were automatically approved without requiring user consent.

The researchers emphasized that the success of such attacks depends on tailoring the malicious image to the specific downscaling algorithm used by each AI system. Their testing confirmed the method’s effectiveness against:

  1. Google Gemini CLI
  2. Vertex AI Studio (Gemini backend)
  3. Gemini’s web interface
  4. Gemini API via llm CLI
  5. Google Assistant on Android
  6. Genspark

Given the broad scope of this vulnerability, the team developed Anamorpher, an open-source tool (currently in beta) that can generate attack-ready images aligned with multiple downscaling methods.

To defend against this threat, Trail of Bits recommends that AI platforms enforce image dimension limits, provide a preview of the downscaled output before submission to an LLM, and require explicit user approval for sensitive tool calls—especially if text is detected in images.

"The strongest defense, however, is to implement secure design patterns and systematic defenses that mitigate impactful prompt injection beyond multi-modal prompt injection," the researchers said, pointing to their earlier paper on robust LLM design strategies.
Read more »
Windows
Apple ClickFix macOS Technology Windows

ClickFix Attack Targeting Windows and Mac Users to Steal User Data


“Think before you click”: Microsoft warns all Windows PC users and as well as macOS users, from a series of attacks that are “targeting thousands of enterprise and end-user devices globally every day.”

The scripts deploy malware on these devices, and the “payloads affect Windows and macOS devices,” according to Microsoft, which leads to “information theft and data exfiltration.” The malware, however, can be anything from a type of initial access for ransomware to an entry point for attacking a larger enterprise network.

Initially, ClickFix surfaced as a technical assistance pop-up before moving to Captchas. Fake challenges to use a website are now using a copy, paste, and run command instead of your standard ‘choosing the correct cars and bus’ challenge. The user is instructed to click prompts and copy, paste, and run commands “directly in the Windows Run dialog box, Windows Terminal, or Windows PowerShell,” Microsoft says, and it’s usually blended with “delivery vectors such as phishing, malvertising, and drive-by compromises, most of which even impersonate legitimate brands and organizations to reduce suspicion from their targets further.”

Users should be careful not to run these prompts. You may be lured in various ways that seem innocent, but never copy and paste and run a script in Windows. You can be safe this way. However, as it happens, due to the advancement of these attacks, the awareness part is lacking on the users’ end. 

As ClickFix depends on human prompts to start the malicious commands, it can dodge traditional and automated security checks. Organizations can limit the effect of this tactic by “educating users in recognizing its lures and by implementing policies that will harden device configurations,” Microsoft says.

Microsoft’s latest report provides in-depth details about the various baits and attack techniques cybercriminals are using. According to Microsoft, “A typical ClickFix attack begins with threat actors using phishing emails, malvertisements, or compromised websites to lead unsuspecting users to a visual lure — usually a landing page — and trick them into executing a malicious command themselves.”

Read more »
trending news
Digital Identity digital identity protection online threats Privacy trending news

Age Checks Online: Privacy at Risk?

 

Across the internet, the question of proving age is no longer optional, it’s becoming a requirement. Governments are tightening rules to keep children away from harmful content, and platforms are under pressure to comply. 

From social media apps and online games to streaming services and even search engines, users are now being asked to show they are over 18 before they can continue. Whether in the UK, US, EU, or Australia, more and more websites now demand proof that users are over 18. In Britain, the Online Safety Act introduced strict rules from July 25, 2025.

People must now verify their age by scanning their face, uploading an official ID, or using a credit card. The aim is to keep children away from harmful content, but experts warn these steps could create serious risks by collecting and storing large amounts of sensitive information. 

A Possible Fix

To reduce these risks, governments and companies are exploring digital ID wallets. These apps could confirm a user’s age without exposing full identity details. 

Evin McMullen, Co-Founder of Privado ID, argues that current UK rules are flawed. She warns they build “a centralised honey pot of data” that hackers could exploit. Instead, she believes age checks should be quick, safe, and forgetful." 

Different Approaches Across Regions The European Union is already running pilot projects in five countries. This forms part of the upcoming European Digital Identity Wallet, expected to roll out by 2026. Supporters say it could protect both children and privacy. 

However, concerns remain because EU lawmakers are also debating rules that might weaken encryption, the very technology that keeps data safe. In the United States, there is no single standard. Instead, several states have passed their own age-verification laws. 

This patchwork has left companies struggling to adapt. Some, such as Bluesky, have even withdrawn services from states where rules were too complex or costly to follow. 

What We Should Expect ? 

Technology exists to make age checks secure and private, but trust depends on how governments implement the laws. If privacy protections are weakened, digital ID wallets could end up being more of a surveillance tool than a safety solution. For now, the debate continues, will these wallets safeguard users or become another risk to online privacy?
Read more »
Stolen Data
AI Cyber Security Financial Loss IT Professional organisation Stolen Data

Cybersecurity: The Top Business Risk Many Firms Still Struggle to Tackle

 



Cybersecurity has emerged as the biggest threat to modern enterprises, yet most organizations remain far from prepared to handle it. Business leaders are aware of the risks — financial losses, reputational harm, and operational disruptions but awareness has not translated into effective readiness.

A recent global survey conducted in early 2025 across North America, Western Europe, and Asia-Pacific highlights this growing concern. With 600 respondents, including IT and security professionals, the study found that while executives admit to weak points in their defenses, they often lack a unified plan to build true resilience.


Where businesses fall short

Companies tend to focus heavily on protecting their data, ensuring quality, security, and proper governance. While crucial, these efforts alone are not enough. A resilient business must also address application security, identity management, supply chain safeguards, infrastructure defenses, and the ability to continue operations during an attack. Unfortunately, many firms still fall behind in tying all these dimensions into a cohesive strategy.


Why this matters now

Cyberattacks are no longer rare, one-off incidents. Nearly two-thirds of the organizations surveyed experienced at least one damaging cyber event in the past year. About one-third suffered multiple breaches in that period. These attacks caused not just stolen data but also costly downtime, compliance issues, and long-lasting damage to trust.

The survey’s findings revealed that:

• 38% of organizations faced major operational disruption, with outages and downtime hitting productivity hardest.

• 33% reported financial losses linked directly to an attack.

• Around 30% to 31% saw personal or sensitive data exposed or compromised.

• Nearly a quarter of cases involved data corruption or encryption that could not be fully reversed.

• Legal consequences, public backlash, and compliance failures added further damage.

The message is clear: cybersecurity is not just a technical concern, it is a business survival issue.


The study also shows that three once-separate areas are beginning to merge. Backup and recovery systems, once viewed as insurance, are now central to cyber resilience. Cybersecurity tools are extending beyond perimeter defense to include recovery and continuity. At the same time, data governance and compliance pressures have become inseparable from security practices.

As artificial intelligence gains ground in enterprise operations, this convergence is likely to intensify. AI requires clean, reliable data to function, but it also introduces fresh security risks. Companies that cannot safeguard and recover their data risk losing competitiveness in an economy increasingly powered by digital intelligence.


No safe corners in digital infrastructure

Attackers are methodical and opportunistic. They exploit weak points wherever they exist whether in data systems, applications, or even AI workloads. Defenders must therefore strengthen every layer of their infrastructure. Yet, according to the survey, most organizations still leave gaps that skilled adversaries can exploit.

Cybersecurity is now the most significant risk enterprises face. And while business leaders are no longer in denial about the threat, too many remain underprepared. Building resilience requires more than just securing data; it demands a comprehensive, ongoing effort across every layer of the digital ecosystem.



Read more »
Transparent Tribe
Cyber Attacks Indian Government Linux OS Malicious Files Pakistan Hacker Transparent Tribe

Transparent Tribe Target Indian Government's Custom Linux OS with Weaponized Desktop Files

 

Transparent Tribe, a cyber-espionage group believed to originate from Pakistan and also known as APT36, has stepped up its attacks on Indian government entities by using malicious desktop shortcuts designed to compromise both Windows and BOSS Linux systems. 

The latest tactics involve spear-phishing emails featuring fake meeting notices. These emails contain desktop shortcut files disguised as PDF documents (e.g., “Meeting_Ltr_ID1543ops.pdf.desktop”). When recipients attempt to open what appears to be a typical PDF, they instead activate a shell script that initiates the attack chain. 

The malicious script fetches a hex-encoded file from an attacker-controlled domain (“securestore[.]cv”), decodes it to an ELF binary, and saves it to the target computer's disk. During this process, the victim is shown a decoy PDF hosted on Google Drive, launched in Firefox, to avoid suspicion.

The dropped Go-based ELF binary then connects to a command-and-control (C2) server (“modgovindia[.]space:4000”), allowing attackers to issue commands, deliver additional malicious payloads, and steal sensitive data. 

Transparent Tribe’s campaign ensures persistence by setting up a cron job that automatically runs the main payload after reboots or process terminations. The malware is equipped with reconnaissance capabilities and includes dummy anti-debugging and anti-sandbox techniques to dodge detection by analysts and automated analysis platforms.

A known backdoor associated with the group, Poseidon, is deployed for deeper intrusion. Poseidon enables long-term access, data exfiltration, credential theft, and lateral movement within compromised environments. 

CloudSEK and Hunt.io, two cybersecurity firms, reported that this sophisticated campaign reflects APT36’s ongoing adaptation—modifying attacks based on the victim's operating system to maximize the success rate and persistence. 

In recent weeks, similar attacks by Transparent Tribe targeted Indian defense organizations using spoofed login pages intended to collect credentials and two-factor authentication (2FA) codes, especially the Kavach 2FA system widely adopted within Indian government agencies. 

The phishing pages, designed to closely resemble official Indian government sites, prompt users to enter both their email credentials and Kavach code. Typo-squatted domains and Pakistan-based infrastructure are consistently used, aligning with the group’s established tactics. 

Recent campaigns have also targeted countries such as Bangladesh, Nepal, Pakistan, Sri Lanka, and Turkey using spear-phishing emails that mimic governmental communication and leverage lookalike pages for credential theft. Another South Asian group, SideWinder, has employed similar techniques, using fake Zimbra and portal pages to gather government users’ login information, illustrating the widespread threat landscape in the region.
Read more »
Cyber Security
AI Advancements AI in assessments AI innovation challenges AI Risks AI Systems AI technology Cyber Security

Congress Questions Hertz Over AI-Powered Scanners in Rental Cars After Customer Complaints

 

Hertz is facing scrutiny from U.S. lawmakers over its use of AI-powered vehicle scanners to detect damage on rental cars, following growing reports of customer complaints. In a letter to Hertz CEO Gil West, the House Oversight Subcommittee on Cybersecurity, Information Technology, and Government Innovation requested detailed information about the company’s automated inspection process. 

Lawmakers noted that unlike some competitors, Hertz appears to rely entirely on artificial intelligence without human verification when billing customers for damage. Subcommittee Chair Nancy Mace emphasized that other rental car providers reportedly use AI technology but still include human review before charging customers. Hertz, however, seems to operate differently, issuing assessments solely based on AI findings. 

This distinction has raised concerns, particularly after a wave of media reports highlighted instances where renters were hit with significant charges once they had already left Hertz locations. Mace’s letter also pointed out that customers often receive delayed notifications of supposed damage, making it difficult to dispute charges before fees increase. The Subcommittee warned that these practices could influence how federal agencies handle car rentals for official purposes. 

Hertz began deploying AI-powered scanners earlier this year at major U.S. airports, including Atlanta, Charlotte, Dallas, Houston, Newark, and Phoenix, with plans to expand the system to 100 locations by the end of 2025. The technology was developed in partnership with Israeli company UVeye, which specializes in AI-driven camera systems and machine learning. Hertz has promoted the scanners as a way to improve the accuracy and efficiency of vehicle inspections, while also boosting availability and transparency for customers. 

According to Hertz, the UVeye platform can scan multiple parts of a vehicle—including body panels, tires, glass, and the undercarriage—automatically identifying possible damage or maintenance needs. The company has claimed that the system enhances manual checks rather than replacing them entirely. Despite these assurances, customer experiences tell a different story. On the r/HertzRentals subreddit, multiple users have shared frustrations over disputed damage claims. One renter described how an AI scanner flagged damage on a vehicle that was wet from rain, triggering an automated message from Hertz about detected issues. 

Upon inspection, the renter found no visible damage and even recorded a video to prove the car’s condition, but Hertz employees insisted they had no control over the system and directed the customer to corporate support. Such incidents have fueled doubts about the fairness and reliability of fully automated damage assessments. 

The Subcommittee has asked Hertz to provide a briefing by August 27 to clarify how the company expects the technology to benefit customers and how it could affect Hertz’s contracts with the federal government. 

With Congress now involved, the controversy marks a turning point in the debate over AI’s role in customer-facing services, especially when automation leaves little room for human oversight.
Read more »
Malicious Code
Corporate Sabotage Cybersecurity Breach Data Breach data security Federal Sentencing Insider Threat IT Infrastructure Attack Malicious Code

Worker Sentenced to Four Years for Compromising Company IT Infrastructure


 

It is the case of a Chinese-born software developer who has been sentenced to four years in federal prison after hacking into the internal systems of his former employer, in a stark warning of the dangers of insider threats that corporations across the globe should be aware of. Known as Davis (David) Lu, 55, of Houston, Texas, the disgruntled employee allegedly committed one of the most devastating forms of digital retaliation, embedding hidden malicious code into Eaton Corporation's computer network that crippled their operations. 

In 2019, after Lu had been demoted and suspended, the attack disrupted global operations, locked out thousands of employees, and caused severe financial losses that resulted in the demotion and suspension being followed by the attack. As reported by the Department of Justice, Lu’s actions illustrate how even the most resilient enterprises can face crippling risks when they are mistrustful and unchecked with insider access. 

According to Lu's investigation, after he was cut off from his responsibilities in 2018 as a result of a corporate reorganisation, his dissatisfaction began in 2018. A professional setback, prosecutors argued, was the inspiration for a carefully orchestrated sabotage campaign. By planting malicious Java code within Eaton's production environment, he planted the code to wreak maximum havoc once it was activated. 

It was the logic bomb labeled IsDLEnabledinAD that was the most detrimental element of this scheme. This logic bomb was designed to remain dormant until Eaton terminated his employment on September 9, 2019 by disabling his account and then executing on that day, causing Eaton to terminate his employment as a result of the logic bomb.

In the instant after it exploded, thousands of employees across global systems were locked out of their offices, widespread disruptions were caused, and a cascading series of failures were set off across corporate networks, showing the devastating impact of a single insider on the company. According to court filings, Lu's actions went far beyond just a single sabotage attack. Eventually, he had injected routines into the code that was designed to overload the infrastructure by mid-2019.

These routines included infinite loops in the source code that forced Java virtual machines to create threads indefinitely, ultimately leading to the crash of production servers as a result of resource exhaustion, and also the deletion of employee profiles within the Active Directory directory. This further destabilized the company's workforce. t was his intention to carefully engineer his plan, which was evident in the embedded kill switch activating when it was revoked in September, demonstrating that his plan had been carefully devised for many years. 

In short, the result was swift and severe: thousands of employees were locked out of their systems, key infrastructure came to a complete halt, and losses quickly soared into the hundreds of thousands. In a later investigation, it became evident that Lu was not only intent on disrupting production, but also implementing a sabotage campaign. 

Logs of his malicious execution drew attention to a unique user ID and a Kentucky-based machine, revealing the extent to which he attempted to conceal the attack. During the course of investigating Lu's code, officials learned that portions were named Hakai—the Japanese word for destruction—and HunShui—the Chinese word for sleep and lethargy. These are clear signals that Lu's intention was destructive. 

Lu escalated his retaliation on the very same day he was instructed to return his company-issued laptop by trying to delete encrypted volumes, wipe Linux directories, and erase two separate projects in his attempt to evade the company's demands. The search history of the individual documents a meticulous effort on the part of the man to find ways to obstruct recovery efforts, demonstrating his determination to escalating privileges, concealing processes, and erasing digital evidence.

There is a strong belief among federal authorities that the losses incurred were in the millions of dollars, with the FBI stating that the case serves as a reminder of how much damage insiders can cause in systems that do not have the appropriate safeguards in place. Lu's actions were strongly condemned by the Justice Department, describing it as a grave betrayal of professional trust by Lu. He was credited with technical expertise that used to serve as an asset to the organization at one point, but ultimately was weaponized against that very infrastructure he was supposed to protect, according to officials. 

According to the prosecutors in court, the sabotage was a clear example of insider threats circumventing traditional cybersecurity protections by exploiting privileges and bypassing traditional cybersecurity defenses in order to deliver maximum disruptions. In their view, the sentencing reflects the seriousness with which the United States takes corporate sabotage as a threat that destabilizes operations and undermines trust within critical industries. 

In an era of increased digital dependence, Davis Lu's convictions reinforce a broader lesson for businesses that are in business today. There is no doubt that firewalls, encryption standards, and intrusion detection systems remain essential; however, the case emphasizes that the most dangerous risks are often not the result of faceless hackers in the outside, but rather of individuals with privileged access within a organization. 

As a central component of an organization's cybersecurity strategy, insider threat detection must be considered as a central pillar to mitigate such risks. To minimize exposure, continuous monitoring systems need to be implemented, user activity audits conducted on a regular basis, stricter access controls must be implemented, and role-based privileges need to be adopted. 

Aside from the technical measures, experts emphasize how important it is to build work cultures rooted in accountability, transparency, and communication, which will reduce the likelihood that professional grievances will escalate into retaliation if they occur. According to cybersecurity analysts, companies need to prioritize behavioral analytics and employee training programs to be able to detect subtle warning signs before they spiral into damaging actions. 

In order to be proactive in security, companies need to recognize and address vulnerabilities that have been found within their organization and address them before they are exploited by external adversaries. Technology continues to become increasingly integrated into every aspect of a global organization, so the ability to remain resilient depends on establishing a strong security infrastructure that is backed up by sound governance and a culture of vigilance. 

In addition to being a sobering example of what one insider can create, the Lu case also serves as a reminder that it takes foresight, diligence, and a relentless commitment to safeguarding trust to build digital resilience.
Read more »
Technology
Android System Key Verifier Google Messages beta Google RCS security QR code verification RCS chat encryption Technology

Google Testing QR Code-Based Encryption Key Verification in Messages Beta

 

Google is reportedly rolling out a new security feature in Google Messages, aimed at giving users stronger protection for their RCS chats. According to a report by 9to5Google, the latest beta version of the app introduces a QR code-based key verification system, designed to enhance message encryption.

The feature is powered by the Android System Key Verifier and can be accessed in the Messages beta under a new "Security & Privacy" sub-menu. When users tap “verify encryption” in an RCS conversation, a pop-up appears with the option to "verify keys for this contact."

A large “Your QR Code” button is displayed in the center, showing the contact details associated with the code. To verify encryption, both users must scan each other’s QR codes, or alternatively, compare numerical verification codes—similar to the existing option in the Messages app. Testing also revealed that the Android System Key Verifier launches the scanner with a colorful viewfinder.

Google has been developing this upgrade since November, with the Android System Key Verifier app serving as the backbone of the process. As explained by Google, these encryption keys “help ensure only you and your contact can read the RCS messages you send each other.”

The keys are exchanged securely through QR codes, ensuring that only the intended parties can access conversations. If one user switches to a new phone, the keys may no longer match, requiring the verification process to be repeated.

Reports suggest the feature will only be available on devices running Android 10 or later. Since it’s still in beta, a wider rollout may take a few months. With Android 16’s QPR2 Beta 1 recently released, the new verification tool could be officially introduced toward the end of the year, possibly in December.
Read more »
Ransomwares
acronis AI cyberattacks AI technology Cyber Defenses Cyber Security Cybersecurity Threats Indian Cyber Security Malwares Phishing Attacks Ransomwares

India Most Targeted by Malware as AI Drives Surge in Ransomware and Phishing Attacks

 

India has become the world’s most-targeted nation for malware, according to the latest report by cybersecurity firm Acronis, which highlights how artificial intelligence is fueling a sharp increase in ransomware and phishing activity. The findings come from the company’s biannual threat landscape analysis, compiled by the Acronis Threat Research Unit (TRU) and its global network of sensors tracking over one million Windows endpoints between January and June 2025. 

The report indicates that India accounted for 12.4 percent of all monitored attacks, placing it ahead of every other nation. Analysts attribute this trend to the rising sophistication of AI-powered cyberattacks, particularly phishing campaigns and impersonation attempts that are increasingly difficult to detect. With Windows systems still dominating business environments compared to macOS or Linux, the operating system remained the primary target for threat actors. 

Ransomware continues to be the most damaging threat to medium and large businesses worldwide, with newer criminal groups adopting AI to automate attacks and enhance efficiency. Phishing was found to be a leading driver of compromise, making up 25 percent of all detected threats and over 52 percent of those aimed at managed service providers, marking a 22 percent increase compared to the first half of 2024. 

Commenting on the findings, Rajesh Chhabra, General Manager for India and South Asia at Acronis, noted that India’s rapidly expanding digital economy has widened its attack surface significantly. He emphasized that as attackers leverage AI to scale operations, Indian enterprises—especially those in manufacturing and infrastructure—must prioritize AI-ready cybersecurity frameworks. He further explained that organizations need to move away from reactive security approaches and embrace behavior-driven models that can anticipate and adapt to evolving threats. 

The report also points to collaboration platforms as a growing entry point for attackers. Phishing attempts on services like Microsoft Teams and Slack spiked dramatically, rising from nine percent to 30.5 percent in the first half of 2025. Similarly, advanced email-based threats such as spoofed messages and payload-less attacks increased from nine percent to 24.5 percent, underscoring the urgent requirement for adaptive defenses. 

Acronis recommends that businesses adopt a multi-layered protection strategy to counter these risks. This includes deploying behavior-based threat detection systems, conducting regular audits of third-party applications, enhancing cloud and email security solutions, and reinforcing employee awareness through continuous training on social engineering and phishing tactics. 

The findings make clear that India’s digital growth is running parallel to escalating cyber risks. As artificial intelligence accelerates the capabilities of malicious actors, enterprises will need to proactively invest in advanced defenses to safeguard critical systems and sensitive data.
Read more »
phishing cyber attack
.desktop file abuse Advanced Persistent Threat APT36 hackers cyber espionage India Linux malware phishing cyber attack

APT36 Exploits Linux .desktop Files for Espionage Malware in Ongoing Cyber Attacks

 


The Pakistani threat group APT36 has launched new cyber-espionage attacks targeting India’s government and defense sectors by abusing Linux .desktop files to deploy malware.

According to recent reports from CYFIRMA and CloudSEK, the campaign—first detected on August 1, 2025—is still active. Researchers highlight that this activity focuses on data theft, long-term surveillance, and persistent backdoor access. Notably, APT36 has a history of using .desktop files in espionage operations across South Asia.
Abuse of Linux Desktop Files

Victims receive phishing emails containing ZIP archives with a disguised .desktop file masquerading as a PDF. Once opened, the file triggers a hidden bash command that fetches a hex-encoded payload from an attacker-controlled server or Google Drive, writes it into /tmp/, makes it executable with chmod +x, and launches it in the background.

To avoid suspicion, the malware also opens Firefox to display a decoy PDF hosted online. Attackers manipulated fields like Terminal=false to hide terminal windows and X-GNOME-Autostart-enabled=true for persistence at every login.

While .desktop files are typically harmless text-based launchers defining icons and commands, APT36 weaponized them as malware droppers and persistence mechanisms—a method similar to how Windows LNK shortcuts are exploited.

The dropped malware is a Go-based ELF executable with espionage capabilities. Despite obfuscation, researchers confirmed it can:
  • Remain hidden,
  • Achieve persistence via cron jobs and systemd services,
  • Establish C2 communication through a bi-directional WebSocket channel for remote command execution and data exfiltration.
Both cybersecurity firms conclude that APT36 is evolving its tactics, becoming increasingly evasive, stealthy, and sophisticated, making detection on Linux environments difficult since .desktop abuse is rarely monitored by security tools.
Read more »
Subscribe to: Comments (Atom)