Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Latest News

Accenture Confirms Cyber Breach as Hacker Lists Alleged Company Data

  Accenture, a global IT services firm, has confirmed experiencing a cybersecurity breach as a threat actor claimed to have stolen company d...

All the recent news you need to know

ED Charge Sheet Maps Sriki's Darknet Crypto Laundering Network

 

The Enforcement Directorate (ED) has filed a sprawling 3,500-page prosecution complaint before a special PMLA court in Bengaluru, laying out what it calls a “sophisticated network” blending high-level hacking, darknet operations, cyber extortion and multi-crore cryptocurrency laundering. The charge sheet names serial hacker Srikrishna Ramesh, alias “Sriki”, crypto trader Robin Khandelwal, businessman Sunish Hegde, a private IT firm and two of its officials as accused in a case that spans breached government portals, crypto exchanges and online gaming platforms. 

From government portals to poker sites: the alleged breach chain 

According to the ED, Sriki, described as a highly skilled software programmer, exploited vulnerabilities in national and international cryptocurrency exchanges, online gaming and poker platforms, and corporate servers. He is accused of breaching the Karnataka government’s e-procurement portal and siphoning off about ₹11.5 crore in two transactions, besides hacking the Unocoin exchange and several major online poker platforms. The agency alleges that stolen virtual digital assets such as Bitcoin were then “layered” and offloaded through multiple international crypto platforms to obscure their origin.

The prosecution complaint details how Robin Khandelwal allegedly acted as a key conduit, converting illicit digital assets into fiat currency through over-the-counter deals and crypto-trading channels. Investigators claim Sunish Hegde conspired with Sriki to extort money from hacked companies by negotiating with them after the breaches, while Infinzy Solutions and two officials are accused of facilitating the transfer of funds stolen from a poker site. The three main accused were arrested in May and are in judicial custody at Parappana Agrahara Central Prison, with the ED citing digital evidence, blockchain analysis and bank records to support its case. 

 Darknet links and ongoing money trail probes 

The 3,500-page document reportedly sketches connections between Sriki’s hacking operations and darknet marketplaces, building on earlier investigations that noted his use of the darknet to purchase drugs using Bitcoin. About ₹7 crore of the ₹11.5 crore siphoned from the e-procurement portal has been traced, with around ₹2 crore formally attached and another ₹5 crore frozen in various bank accounts; the remaining ₹4.5 crore is still being tracked. The ED says its probe into the movement and use of the alleged proceeds of crime is continuing, even as the prosecution complaint functions as the equivalent of a police charge sheet under PMLA. 


For regulators, the Sriki case underscores how advanced technical skills, weak spots in government and corporate platforms, and an evolving crypto ecosystem can intersect to create large-scale financial crime. The dossier highlights the need for stronger blockchain forensics capacity, tighter oversight of informal crypto-OCT channels, and better coordination between cybercrime units, the ED and financial intelligence agencies. As India’s digital economy expands, securing e-governance portals, exchanges and gaming platforms is becoming not just an IT issue, but a core element of financial integrity and national cybersecurity strategy.

Romania’s Hospital Cyberattack Highlights Growing Ransomware Threats to Healthcare Systems

 

A large-scale ransomware attack that took place in the healthcare system of Romania in February 2024 makes for textbook material on how to respond to such incidents, as well as the challenges they present. The ransomware attack scenario started when criminals got hold of a hospital management system called Hippocrates and, using it as a vector, distributed BackMyData ransomware to encrypt data. 

One of the software’s main functions is processing and storing information on laboratory results, pharmacy claims, payroll, admission and discharge of patients, doctors, and other medical staff. After being locked, the hospitals had to pay nearly 160 thousand euros to decrypt the data, which is in Bitcoin. When some hospitals reported the ransomware attack, the National Computer Security Center (DNSC) took an extraordinary measure to order over a hundred facilities to disconnect from the internet to prevent the virus from spreading to other institutions. 

Consequently, the hospitals’ systems became unable to provide access to email, the Internet, and interconnected medical devices. To manage patients and keep the critical functions running, doctors and nurses used paper-based solutions to write down and manually input lab results, physician orders, and treatment plans. In parallel, hospital staff worked on taking down the ransomware and securing the system. 

Authorities eventually found out that the ransomware infection was confirmed in 26 hospitals, where the ransomware attack response team with the help of the system supplier isolated the contaminated systems from the network. After decrypting files and securing the system, the technicians returned the hospitals to the network and ensured there were no other problems. 

Throughout the ransomware incident, authorities provided the public with updates on the ransomware situation, telling the people to avoid visiting the facilities if possible and advising the hospitals not to give in to the attackers’ demands. Nevertheless, the response to the challenge was far from perfect, as Romania continues to face challenges with cybercrime. The patients complained about the inconvenience of standing in queues and having their tests processed manually, but the government did not go through with paying off the ransom. 

At the same time, it is worth noting that having up-to-date data backups allowed the hospitals to quickly restore their vital functions without having to wait for decrypting tools from hackers. Five days after the ransomware attack, most of the affected facilities had already returned to normal operations. At the same time, there were no reports of patient deaths or damage to health caused by the ransomware attack. Still, doctors and nurses had to manually enter a lot of the patient’s personal data, which took them several more weeks to finish, while some of the relevant information was lost altogether. 

So far, the ones behind the ransomware attack have not been revealed. Still, it has been reported that some of the suspects’ resources in Russia have been shut down by the police, while others are currently detained abroad. It is not yet known whether they will be brought to justice in Romania. The ransomware attack on the healthcare system of Romania serves as a reminder of how fragile our systems are and the importance of protecting them. 

In many ways, hospitals are a critical infrastructure component, meaning that potential attackers will always attempt to take advantage of them by holding vital functions hostage until they get a hefty ransom. Even though the ransomware response team handled the situation in Romania efficiently, the ransomware incidents in the UK and the US show that problems of that sort are far from being exclusive to Romania.

Business Threat Management: Moving from Isolated to Unified Approach


Shifting away from isolated, technical data, to a continuous risk lifecycle can assist organizations in balancing security controls with actual business impact.

A CVSS score of 9.5 may not be significant to a CFO, but when it demonstrates a flaw in a payment system processing $2 million, it becomes a big deal. Therefore, the data must be linked with information about operational barriers that can result in financial damages, product delays, or loop in regulatory agencies.

A robust risk lifecycle

Periodic risk lifecycle cannot keep up with the changing threat scenario, which if further impacted by an unstable geopolitical environment and rising technology like AI and quantum computing. Thus, information risk assessment must be a continuous process that links threats, supervising controls, and the possible repercussions for the business if the controls fail.

Different risks carry different impacts, stakeholder needs, and available data. This means that analysis also changes. You need two analysis tracks for this: qualitative analysis for quick decisions with limited data, and quantitative analysis for investment decisions when they need financial backing. 

The IRAM3 methodology unifies both tracks into a single framework that uses the same process and is built to be modular, so businesses can gain entry at any desirable phase they think fits their demands.

Moving towards business-aligned risk management

A linked risk lifecycle changes how businesses perceive organization threats. It also helps to keep activities such as interpreting threats, evaluating controls, and measuring exposure connected instead of treating each analysis as an isolated process.

Building business impact

Linked assets must be grouped by the business function they assist. This lets the teams conduct risk analysis that connect how the organization actually works and also helps in defining the risk appetite.

Assessing threat incidents

In this step, you identify the risks to your business, map related threats to critical assets, and predict how likely they will materialize. According to Security Week, “From a quantitative standpoint, a three-point frequency estimate—minimum, most likely, and maximum—is assigned instead of a rating. The number of loss events you would anticipate in a year is represented by this estimate.”

Testing control success

A business might have a MFA coverage, but if privileged accounts are not included as allowing MFA disrupted a legacy integration, the gap is a direct pathway into critical systems. Thus, these controls should be carefully mapped to particular threats, checked for implementation, and analyzed if they actually reduce risk. 

Phishing Campaign Targets Marketing Professionals Using Fake Job Interviews from Top Global Brands

 

A sophisticated phishing campaign is targeting marketing professionals by posing as recruiters from more than 30 globally recognized brands, including Adobe, Netflix, Coca-Cola, OpenAI, Adidas, and Marriott. The attackers aim to steal Google account credentials by luring victims into fake job interview processes.

According to cybersecurity intelligence and threat hunting company Team Cymru, the operation exploits legitimate cloud-based platforms such as PeopleForce, a human resources service, and domains linked to Salesforce Marketing Cloud before redirecting users to malicious websites. To make the scam appear authentic, the threat actors are also using the names and profile pictures of actual recruiters from the companies they impersonate.

Will Thomas, senior advisor at Team Cymru, investigated the campaign and found that the phishing emails present themselves as recruitment messages. As he noted, the emails appear to be from “a recruiter looking to hire people for marketing roles.”

The investigation revealed that attackers have registered at least 34 domains designed to mimic prominent organizations across multiple industries. These include airlines and travel companies such as American Airlines, Booking.com, Delta Air Lines, and United Airlines; food and beverage giants Coca-Cola, PepsiCo, and Red Bull; fashion and luxury brands Adidas, Louis Vuitton, Sephora, and Levi’s; consulting and technology firms including Adobe, Aquent, ManpowerGroup, McKinsey & Company, and OpenAI; hospitality and marketing companies Marriott and Omnicom Group; as well as entertainment and sports brands like FIFA and Netflix.

Researchers found that the attackers rely on a technique known as nested redirects, where users are routed through several legitimate online services before ultimately reaching a fraudulent webpage. Although the phishing emails appear to originate from PeopleForce, the embedded links resolve to the exct[.]net domain, which is operated by Salesforce following its acquisition of ExactTarget, now known as Salesforce Marketing Cloud.

From there, victims are redirected through Wise Agent, a cloud-based customer relationship management (CRM) platform for real estate professionals, before arriving at the phishing website.

BleepingComputer reported that the campaign has been active for at least five months. Earlier versions reportedly used Outlook email addresses carrying the names of the companies being impersonated.

In one example, a phishing email claiming to be from Adidas recruiter Paulina Manzo invited recipients to schedule a discussion regarding a potential job opportunity. Clicking the scheduling link redirected users to the fraudulent domain adidas-hiring[.]com.

To proceed with booking the interview, victims are instructed to sign in with their Google accounts. Selecting the “Continue with Google” option launches what appears to be a genuine Google authentication window. However, the pop-up is actually created using HTML and CSS within the phishing page itself, a deception technique known as browser-in-the-browser (BitB).

By leveraging modern web development methods, attackers can closely replicate legitimate authentication prompts, making it difficult for users to distinguish fake login windows from real ones.

Researchers emphasized that the misuse of legitimate platforms does not necessarily indicate those services have been compromised. Instead, threat actors may have created valid accounts specifically for the campaign or used compromised credentials to configure redirect chains and phishing pages.

A complete list of the malicious domains associated with the campaign has been published in Will Thomas' GitHub analysis.

Centre Orders Blocking of Battery Management Apps Exploited to Disable E-Rickshaws


After the Central Government discovered that seven battery management system (BMS) mobile applications were being misused to remotely disable batteries in electric vehicles and e-rickshaws, the Central Government has ordered the blocking of those applications. In multiple locations across India, this disruption disrupted services and enabled extortion. 


MeitY Secretary S. has directed Google and Apple to remove seven identified applications from their respective app stores on Android and iOS by the Ministry of Electronics and Information Technology (MeitY). In order to ensure applications that may threaten public safety or facilitate unlawful activities are not made available to users, Krishnan said app marketplaces must exercise due diligence. 

In response to reports that battery management apps primarily developed by Chinese companies for monitoring lithium-ion battery packs were being exploited by e-rickshaw drivers to shut down the vehicles while passengers were aboard. Authorities stated that while the applications are designed for proper battery management, they can be misused if battery systems are not properly protected by passwords or PINs. 

In the government's view, removing these apps from digital platforms will not eliminate the vulnerability completely, since Bluetooth connectivity is required in place of internet access to exploit this vulnerability. Thus, even after apps are blocked, unsecured battery management systems remain vulnerable to unauthorized access. Video clips circulated on social media showing e-rickshaws suddenly stopping on public roads attracted nationwide attention to this issue. 

The existing certification standards for e-rickshaws in India do not include cybersecurity requirements, which can result in potential misuse of connected battery systems. This vulnerability has already led to criminal activity. Police in Ujjain, Madhya Pradesh, arrested a suspect who has been accused of remotely disabling batteries from e-rickshaws and demanding compensation from their drivers. 

Local authorities claim the accused abused the flaw by deliberately immobilizing vehicles and charging drivers for assistance. A criminal offence involving intentionally disabling vehicles is considered to be an offence and can be prosecuted under applicable provisions of the Bharatiya Nyaya Sanhita (BNS) relating to criminal mischief. 

Concerns have been raised regarding the cybersecurity risk associated with connected electric vehicles and battery management systems following the incident. In order to prevent such misuse and safeguard public transportation operations, observers say stronger security controls are needed to prevent similar misuse, including authentication mechanisms and cybersecurity standards for electric vehicle components. 

A government intervention highlights the challenges facing connected electric mobility in terms of cybersecurity. Since software increasingly controls the functions of critical vehicle systems, stronger security standards, authenticated access controls, and continuous oversight will be critical in protecting drivers, passengers, and public infrastructure.

Researchers Expose Veil#Drop: A Stealthy Malware Chain Delivering PureLog Stealer via Blogspot

 

 
Threat researchers at Securonix have identified an advanced, multi-layered malware delivery operation that leans on hacked websites and social-engineering tactics to plant information-stealing malware on victims' systems.

Tracked under the name Veil#Drop, the campaign chains together JavaScript launchers and PowerShell download routines to fetch and run malicious code hosted on Blogspot — a platform sitting on Google's reputable infrastructure, which helps the activity blend in with legitimate traffic.

The attack kicks off when a target opens a JavaScript file disguised to look like an ordinary document. Once triggered, the script fires off PowerShell commands built to slip past execution-policy restrictions, then reaches out to attacker-run Blogspot pages to pull down further payloads.

Those Blogspot-hosted stages carry out several actions at once: they show a decoy document to keep the victim unaware, shut down certain running processes, and decrypt hidden content. The unpacked code then spins up more Blogspot links and runs the next payloads straight from memory, leaving little behind on disk.

According to Securonix, a follow-on loader stores XOR-scrambled .NET assemblies inside oversized embedded data blocks. These are rebuilt and unscrambled only while the malware is running, a technique that frustrates static inspection and weakens signature-based defenses.

The operation is also engineered with redundancy in mind, relying on backup execution paths and misusing legitimate, Microsoft-signed Windows binaries (living-off-the-land binaries, or LOLBINs) to run code while sidestepping security tools. Securonix notes that the mix of compromised sites, files masquerading with multiple extensions, trusted cloud hosting, obfuscated payloads, reflective in-memory .NET loading, and LOLBIN abuse reflects a calculated push to dodge conventional antivirus products, minimize forensic traces, and stay hidden throughout the intrusion.

The endgame is infection with PureLog Stealer, a .NET-based data thief. Once installed, it profiles the compromised machine and begins scraping data from a wide range of browsers, including Google Chrome, Microsoft Edge, Firefox, Brave, Opera, and other Chromium-based options.

Its targets include saved credentials, cookies, autofill entries, session tokens, and browsing history, and it actively hunts for cryptocurrency wallet data on the device. Beyond browsers, PureLog Stealer can pull information from messaging apps, email clients, remote-access utilities, FTP tools, cloud-storage software, developer applications, and password managers. Everything it collects is bundled up and transmitted to attacker-controlled servers in encrypted form.

Because the stealer casts such a wide net, Securonix warns that compromising a single endpoint could open the door to a much larger breach, depending on the secrets — credentials, tokens, and keys — stored on that machine. In corporate settings, the firm points out, info-stealers often serve as the opening move in bigger campaigns, with harvested logins later fueling ransomware deployment, data-theft operations, business email compromise, or drawn-out espionage.

Featured