Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Shai-Hulud 2.0 Breach Exposes 400,000 Secrets After Massive NPM Supply-Chain Attack

  The second wave of the Shai-Hulud malware attack last week led to the exposure of nearly 400,000 raw secrets after compromising hundreds ...

All the recent news you need to know
Salesforce
API Cyber Security Gainsight Google OAuth token compromise Salesforce

Gainsight Breach Spread into Salesforce Environments; Scope Under Investigation

 



An ongoing security incident at Gainsight's customer-management platform has raised fresh alarms about how deeply third-party integrations can affect cloud environments. The breach centers on compromised OAuth tokens connected with Gainsight's Salesforce connectors, leaving unclear how many organizations touched and the type of information accessed.

Salesforce was the first to flag suspicious activity originating from Gainsight's connected applications. As a precautionary measure, Salesforce revoked all associated access tokens and, for some time, disabled the concerned integrations. The company also released detailed indicators of compromise, timelines of malicious activity, and guidance urging customers to review authentication logs and API usage within their own environments.

Gainsight later confirmed that unauthorized parties misused certain OAuth tokens linked to its Salesforce-connected app. According to its leadership, only a small number of customers have so far reported confirmed data impact. However, several independent security teams-including Google's Threat Intelligence Group-reported signs that the intrusion may have reached far more Salesforce instances than initially acknowledged. These differing numbers are not unusual: supply-chain incidents often reveal their full extent only after weeks of log analysis and correlation.

At this time, investigators understand the attack as a case of token abuse, not a failure of Salesforce's underlying platform. OAuth tokens are long-lived keys that let approved applications make API calls on behalf of customers. Once attackers have them, they can access the CRM records through legitimate channels, and the detection is far more challenging. This approach enables the intruders to bypass common login checks, and therefore Salesforce has focused on log review and token rotation as immediate priorities.

To enhance visibility, Gainsight has onboarded Mandiant to conduct a forensic investigation into the incident. The company is investigating historical logs, token behavior, connector activity, and cross-platform data flows to understand the attacker's movements and whether other services were impacted. As a precautionary measure, Gainsight has also worked with platforms including HubSpot, Zendesk, and Gong to temporarily revoke related tokens until investigators can confirm they are safe to restore.

The incident is similar to other attacks that happened this year, where other Salesforce integrations were used to siphon customer records without exploiting any direct vulnerability in Salesforce. Repeated patterns here illustrate a structural challenge: organizations may secure their main cloud platform rigorously, but one compromised integration can open a path to wider unauthorized access.

But for customers, the best steps are as straightforward as ever: monitor Salesforce authentication and API logs for anomalous access patterns; invalidate or rotate existing OAuth tokens; reduce third-party app permissions to the bare minimum; and, if possible, apply IP restrictions or allowlists to further restrict the range of sources from which API calls can be made.

Both companies say they will provide further updates and support customers who have been affected by the issue. The incident served as yet another wake-up call that in modern cloud ecosystems, the security of one vendor often relies on the security practices of all in its integration chain. 



Read more »
Tor Network
Algorithm Cyber Security Security Upgrade Tor Network

Tor Network to Roll Out New Encryption Algorithm in Major Security Upgrade

 

The developers of the Tor network are preparing to replace one of the project’s oldest encryption systems in an effort to defend users against increasingly sophisticated cyberattacks. Tor confirmed that the relay encryption algorithm known as “tor1” will be retired and replaced by a new design called Counter Galois Onion, or CGO. Tor1 has been in use since the early 2000s and encrypts the traffic that travels between the relays that form a user’s circuit inside the Tor network. 

Although the system has been widely relied on for more than two decades, researchers say its design now presents several weaknesses, including exposure to so-called “tagging attacks.” These attacks allow an adversary to alter traffic at one relay and then look for predictable patterns further along the circuit that could help trace a user. The algorithm also reuses the same AES keys throughout a circuit and provides only a small authentication field, which Tor developers say has led to a non-negligible probability of forged data passing undetected. 

CGO has been designed to eliminate these issues. According to Tor, the new protocol adds forward secrecy to messages, prevents tampering, and brings encryption standards in line with modern cryptography. Tor explained in a technical post that the system ensures that if a message is modified, that message and all subsequent messages in the circuit become unreadable. The Tor Project described the upgrade as an effort to “defend users against a broader class of online attackers and form the basis for more encryption work in the future.” 

CGO is already implemented in Arti, Tor’s Rust-based client. A C version is in development to support the current relay infrastructure, since Rust relays are not yet deployed across the network. Developers have not provided a timeline for when CGO will arrive in the Tor Browser, noting that they are still tuning performance for modern processors. They acknowledged that CGO will likely be slower than tor1 initially, though optimizations are ongoing. 

The upgrade represents one of the most significant changes to Tor’s core cryptography in years. While the network is widely associated with the dark web and illicit markets, it is also used by journalists, activists and residents of authoritarian states seeking safe access to information. Tor’s history includes involvement from both government research institutions and privacy advocates, and the project continues to position encryption as a key protection against online surveillance.
Read more »
NCA
cryptocurrency cyber attack Cyber Attacks NCA

UK Crime Agency Uncovers Money Laundering Network That Bought Kyrgyzstan Bank to Move Ransom Payments to Russia

 

The UK’s National Crime Agency (NCA) has revealed that a billion-dollar money laundering network operating in Britain purchased a majority stake in a bank in Kyrgyzstan to process the proceeds of cybercrime and convert them into cryptocurrency that could evade Western sanctions and support Russia’s war in Ukraine. 

The development emerged as part of Operation Destabilise, an international investigation targeting two major Russian-run money laundering groups known as TGR and Smart. The networks allegedly handled ransom proceeds for some of the world’s most aggressive cybercrime groups, including Evil Corp, Conti, Ryuk and LockBit. According to the NCA, cash-to-crypto swaps have become a crucial layer of the global criminal ecosystem, allowing ransom funds to be converted into digital currency and transferred across borders with minimal oversight. 

The NCA said that a company tied to alleged TGR ringleader George Rossi, called Altair Holding SA, acquired a 75 percent stake in Keremet Bank in Kyrgyzstan on 25 December 2024. Investigators later concluded that Keremet had conducted extensive cross-border transactions on behalf of Russia’s state-owned Promsvyazbank, an institution sanctioned by the US and UK after the invasion of Ukraine and previously linked to political interference in Moldova. 

The Kyrgyzstan connection came after UK authorities sanctioned Altair Holding in August 2024 in an effort to block Russian attempts to exploit the Kyrgyz financial system as a workaround to Western restrictions. The laundering route involved converting ransom proceeds into cryptocurrency, including a ruble-backed stablecoin known as A7A5, before sending funds to Russia. The NCA believes the system helped channel money into Russia’s military-industrial network. 

“Today, we can reveal the sheer scale at which these networks operate and draw a line between crimes in our communities, sophisticated organised criminals and state-sponsored activity…” 

“...The networks disrupted through Destabilise operate at all levels of international money laundering, from collecting the street cash from drug deals, through to purchasing banks and enabling global sanctions breaches, said Sal Melki, NCA deputy director for economic crime. ” 

Operation Destabilise has resulted in 128 arrests since launch, including 45 suspects detained in the past 12 months. More than £25 (US $33.25) million in cash and cryptocurrency has been seized in the UK, with additional funds seized abroad. The investigation has also uncovered links between cybercrime proceeds and other UK-based criminal markets, including drugs trafficking, firearms sales and immigration fraud. The NCA said the laundering networks not only funneled money to the Russian state but also acted as a high-end financial concierge for wealthy Russians living in Europe. 

Investigators also tracked part of the profits back into the UK economy, including small construction businesses and vehicle exports. Two Russian nationals were arrested for purchasing cars and vans in the UK and exporting them to Ukraine, where the vehicles were sold to the Ukrainian government, which was unaware that the payments indirectly helped finance the Russian war effort. 

Operation Destabilise also exposed the role of low-level cash couriers working for TGR and Smart. Several UK nationals were arrested, including former professional footballer James Keatings, who admitted possessing and transferring criminal property after investigators saw him moving boxes of cash during a £400,000 ( roughly US $526,500) handover in June 2024. 

Melki said the NCA has intentionally targeted the network from top to bottom. “To the launderers who will have seen our messages, your choice is simple, either stop this line of work, or prepare to come face to face with one of our officers and the reality of your choices. Easy money leads to hard time,” he concludes.
Read more »
WhatsApp
Android Trojan Encrypted Chats malware Signal Sturnus WhatsApp

New Android Malware ‘Sturnus’ Bypasses Encrypted Messaging Protections

 

Researchers at MTI Security have unearthed a particularly advanced strain of Android malware called Sturnus, which threatens to compromise the data and security of mobile phone owners. The malware reportedly employs advanced interception techniques to capture data and circumvent even the best application-level encryption, making the security features of popular messaging apps like WhatsApp, Telegram and Signal pointless. 

The Sturnus malware does not need to crack encryption, according to MTI. Instead, it uses a sophisticated trick: the malware takes a screenshot once the messages have been decrypted for viewing.By exploiting a device’s ability to read the on-screen contents in real time, Sturnus can steal private message texts without leaving a trace. This means that scammers can access sensitive chats, and potentially collect personally identifiable information (PII) or financial data if shared in secure chats. 

In addition to message interception, Sturnus employs complex social engineering to steal credentials. The malware is capable to display fake login screens that looks like real banking apps, and can be very convincing. Users can inadvertently provide their information to the hackers if they use their login details on these fake sites. 

Sturnus can also simulate an Android system update screen, making the victim believe a normal update is being installed while malicious operations take place in the background. Perhaps most disturbingly, the researchers warn that Sturnus can also increase its privileges by tracking unlock attempts and recording device passwords or PINs. This allows the malware to gain root access which lets the attackers prevent the victims from removing the malicious code or regaining control of their devices. 

The majority of Sturnus infections detected so far are positively grouped in Southern and Central Europe, according to surveillance and analysis by the cybersecurity firm Threat Fabric. Such a restricted geography suggests that threat actors are still experimenting with the capabilities of the malware and the way it operates before potentially launching a worldwide campaign. 

Experts recommend users of Android to be cautious, refrain from downloading apps from unknown sources and be wary when asked accessibility or overlay permissions to apps they don’t know. But with its progress, Sturnus also exhibits the increasing complexity of Android malware and the difficulty in keeping users safe in a landscape of continuously evolving mobile threats.
Read more »
Hacker Groups
Cyber Attacks cybercrime gangs CyberSecurity Ransomware Attacks Data protection data security Data Theft Hacker Groups

Rhysida Ransomware Gang Claims Attack on Cleveland County Sheriff’s Office

 

The ransomware gang Rhysida has claimed responsibility for a cyberattack targeting the Cleveland County Sheriff’s Office in Oklahoma. The sheriff’s office publicly confirmed the incident on November 20, stating that parts of its internal systems were affected. However, key details of the breach remain limited as the investigation continues. 

Rhysida claims that sensitive information was extracted during the intrusion and that a ransom of nine bitcoin—about $787,000 at the time of the claim—has been demanded. To support its claim, the group released what it described as sample records taken from the sheriff’s office. The leaked material reportedly includes Social Security cards, criminal background checks, booking documents, court filings, mugshots, and medical information. 

Authorities have not yet confirmed whether the stolen data is authentic or how many individuals may be affected. It also remains unclear how the attackers gained access, whether systems remain compromised, or if the sheriff’s office intends to negotiate with the group. 

In a brief public statement, the agency reported that a “cybersecurity incident” had disrupted its network and that a full investigation was underway. The sheriff’s office emphasized that emergency response and daily law enforcement functions were continuing without interruption. A Facebook post associated with the announcement—later removed—reiterated that 911 services, patrol response, and public safety operations remained operational. County IT teams are still assessing the full extent of the attack. 

Rhysida is a relatively recent but increasingly active ransomware operation, first identified in May 2023. The group operates under a ransomware-as-a-service model, allowing affiliates to deploy its malware in exchange for a share of ransom proceeds. Rhysida’s typical method involves data theft followed by encryption, with the group demanding payment both to delete stolen files and to provide decryption keys. The group has now claimed responsibility for at least 246 ransomware attacks, nearly 100 of which have been confirmed by affected organizations. 

Government agencies continue to be frequent targets. In recent years, Rhysida has claimed attacks on the Maryland Department of Transportation and the Oregon Department of Environmental Quality, although both organizations reported refusing ransom demands. Broader data suggests the trend is escalating, with researchers documenting at least 72 confirmed ransomware attacks on U.S. government entities so far in 2025, affecting nearly 450,000 records. 

The average ransom demand across these incidents is estimated at $1.18 million. The Cleveland County Sheriff’s Office serves approximately 280,000 residents in Oklahoma and has around 200 employees. As the investigation remains active, officials say additional updates will be shared as more information becomes available.
Read more »
Scam Networks
Crypto Scam Cyber Fraud Cybercrime Prevention Cybersecurity DOJ Action Financial crime Investment fraud Online Safety Scam Networks

DOJ Disrupts Major Myanmar-Based Scam Targeting TickMill Users

 


Taking action to demonstrate the United States' commitment to combating transnational cyber-fraud networks, the Department of Justice has announced a decisive seizure of tickmilleas.com, a domain allegedly used by a sophisticated cryptocurrency investment scam originating in Burma, as a decisive step to underscore its intensifying campaign against cyber-fraud networks. 

Investigators have determined that the site, linked to the notorious Tai Chang scam compound, a hub favored by Burmese groups previously designated by the U.S Treasury for connections to Chinese organized crime and large-scale Southeast Asian scam operations, was intentionally crafted to lure foreign investors with fabricated promises of high returns, based on fabricated information provided to the investigators. A further manipulation took place to induce the victim to download fraudulent mobile applications that were part of the scheme's broader ecosystem. 

Law enforcement authorities have already taken coordinated actions that led to the removal of malicious apps from major app stores and the eradication of more than 2,000 scam-related accounts across Meta platforms as a result of coordinated actions. A renewed global alert has also been issued by Interpol, warning that such criminal activities are rapidly on the rise due to the rapidly developing use of technology and, in some cases, trafficking of forced labor in order to sustain these criminal enterprises. 

Using a counterfeit platform, the scammers deceived their victims into transferring their savings, and they usually presented fabricated dashboards that showed handsome, albeit fictional, gains from their investments, using the counterfeit platform. 

A number of victims reported seeing supposed deposits that were entered by the criminals themselves, according to the FBI. This was done in order to create the appearance that the money would be in a good position and to encourage further contributions. Even though the domains were registered only in early November 2025, investigators have already identified multiple individuals who have been induced to contribute cryptocurrency to the scam in recent weeks. 

Additionally, users were directed to download mobile applications which were alleged to be related to the platform through the website, prompting the FBI to alert both Google and Apple; some of the fraudulent apps have since been removed from the market. As the domain has been seized, visitors are met with an official law enforcement notice, eschewing what once looked like an impressive facade for an international fraud operation.

As the FBI San Diego Field Office continues its investigations, as well as the newly formed Scam Center Strike Force, it has been revealed that the seized domain was not an isolated fraud, but rather an extension of a scam infrastructure in Southeast Asia which is well-entrenched in the digital world. Tickmilleas.com, a website that sells pig meat and related products, was identified by authorities as having been built inside the Tai Chang compound in Burma, a fortified enclave located on the Thai-Myanmar border known for violent enforcement tactics, coerced labor, and large-scale "pig butchering" schemes. 

Associated with the Democratic Karen Benevolent Army, this compound has become a central engine within a multibillion dollar fraud economy, which targets Americans through sophisticated cryptocurrency investment traps that are disguised as professional trading platforms operated by affiliates of the Democratic Karen Benevolent Army, as well as broader Chinese transnational crime syndicates.

In order to be convincing to the victims, the website which was taken down by U.S. officials was designed as a convincing imitation of the legitimate TickMill trading service. It was decorated with fake trading dashboards, staged deposits, and fraudulent mobile applications aimed at luring victims deeper into the con. The investigators noted that there was a high degree of trafficking among the individuals working for the scam, as they were forced to engage in scripted interactions that were meant to reassure victims and extract increasing amounts of money from them. 

Despite the domain having been active for just a short time, federal agents were able to quickly map its infrastructure, identify the investors who had been deceived, and cut off the digital channels used for siphoning funds within minutes of its activeness. There had been three successful domain seizures linked to Tai Chang within the past few weeks, with the rapid intervention marking the third in the region—a sign that the U.S. efforts are becoming more aggressive, and the criminal networks operating around the region are experiencing a greater degree of disruption.

These operations are part of a broader criminal ecosystem known as pig butchering, which is a long-con scam in which perpetrators build trust with victims before stealing from them their savings. Officials from the U.S. estimate that these types of fraud schemes are draining approximately $9 to $10 billion from Americans every year, underscoring both their scale and sophistication in the way they are developed and executed. 

However, the human cost of such fraud schemes goes far beyond financial loss. Human rights groups, investigators, and experts have all repeatedly gathered evidence that a substantial number of these scam centers' staff members are trafficking victims who have been coerced, threatened, and violently forced into participating. As a result of the expansion of scam compounds across parts of Southeast Asia, it is reportedly estimated that they account for a substantial share of the country's economic output as well. 

According to the FBI's Internet Crime Complaint Center, there were more than 41,000 reports of cryptocurrency investment fraud in 2024, involving losses of over $5.8 billion, but investigators believe that the actual numbers don't even come close to the true damages, as many victims are too embarrassed or scared to come forward. 

A growing number of cross-border fraud networks are being uncovered by U.S. authorities. Officials are warning the public to be vigilant against platforms that promise effortless returns or encourage the download of unfamiliar apps - tactics that have been repeatedly used in these types of schemes. Experts note that if early skepticism, independent verification, and prompt reporting are utilized, they can significantly reduce the reach of such criminal organizations. 

Despite the fact that tickmilleas.com has been dismantled, investigators stress the importance of sustained international cooperation and ensuring that consumers remain informed in order to disrupt the larger ecosystem that provides the basis for these schemes to flourish.
Read more »
Subscribe to: Comments (Atom)

Featured