Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

US Cybersecurity Strategy Shifts Toward Prevention and AI Security

  Early next month, changes to how cyber breaches are reported will begin to surface, alongside a broader shift in national cybersecurity pl...

All the recent news you need to know
Russia
Cyber Attacks Cyberattack Cybersecurity Threats Germany Russia

A New Twist on Old Cyber Tricks

 


Germany’s domestic intelligence and cybersecurity agencies have warned of a covert espionage campaign that turns secure messaging apps into tools of surveillance without exploiting any technical flaws. The Federal Office for the Protection of the Constitution and the Federal Office for Information Security said the operation relies instead on social engineering carried out through the Signal messaging service. In a joint advisory, the agencies said the campaign targets senior figures in politics, the military and diplomacy, as well as investigative journalists in Germany and elsewhere in Europe. 

By hijacking messenger accounts, attackers can gain access not only to private conversations but also to contact networks and group chats, potentially widening the scope of compromise. The operation does not involve malware or the exploitation of vulnerabilities in Signal. Instead, attackers impersonate official support channels, posing as “Signal Support” or a so-called security chatbot. 

Targets are urged to share a PIN or verification code sent by text message, often under the pretext that their account will otherwise be lost. Once the victim complies, the attackers can register the account on a device they control and monitor incoming messages while impersonating the user. In an alternative approach, victims are tricked into scanning a QR code linked to Signal’s device-linking feature. 

This grants attackers access to recent messages and contact lists while allowing the victim to continue using the app, unaware that their communications are being mirrored elsewhere. German authorities warned that similar tactics could be applied to WhatsApp, which uses comparable features for account linking and two-step verification. 

They urged users not to engage with unsolicited support messages and to enable registration locks and regularly review linked devices. Although the perpetrators have not been formally identified, the agencies noted that comparable campaigns have previously been attributed to Russia-aligned threat groups. Reports last year from Microsoft and the Google Threat Intelligence Group documented similar methods used against diplomatic and political targets. 

The warning comes amid a flurry of state-linked cyber activity across Europe. Norway’s security services recently accused Chinese-backed groups of penetrating multiple organisations by exploiting vulnerable network equipment, while also citing Russian monitoring of military targets and Iranian cyber operations against dissidents. 

Separately, CERT Polska said a Russian-linked group was likely behind attacks on energy facilities that relied on exposed network devices lacking multi-factor authentication. 

Taken together, the incidents highlight a shift in cyber espionage away from technical exploits towards psychological manipulation. As secure messaging becomes ubiquitous among officials and journalists, the weakest link increasingly lies not in encryption, but in the trust users place in what appears to be help.
Read more »
Ransomware
cyber attack Data Breach Hacking Information Security IT Security Italy Law Enforcement Ransomware

La Sapienza University’s Digital Systems Remain Shut After Cyber Intrusion Disrupts Services

 




Rome’s La Sapienza University is continuing to experience major operational disruption after a cyber intrusion forced administrators to take its digital infrastructure offline as a safety measure. The shutdown began on February 2 and has affected core online services used by students, faculty, and administrative staff.

Since the incident, students have been unable to complete basic academic and administrative tasks such as registering for examinations, viewing tuition-related records, or accessing official contact information for teaching staff. With internal platforms unavailable, the university has relied mainly on its social media channels to share updates. These notices have acknowledged the disruption but have not provided detailed technical explanations or a confirmed date for when full access will be restored.

University officials confirmed that their systems were deliberately powered down to contain the threat and to prevent malicious software from spreading to other parts of the network. Emergency shutdowns of this kind are typically used when there is a risk that an attack could compromise additional servers, user accounts, or stored data. This response suggests that the incident involved harmful software capable of moving across connected systems.

According to publicly available reporting, the disruption was caused by ransomware, a category of cyber attack in which criminals attempt to lock organizations out of their own systems or data. Some media sources have claimed that a newly observed cybercrime group may be linked to the breach and that a ransomware variant referred to in security research as Bablock, also known as Rorschach, may have been involved. These attributions are part of ongoing assessments and have not been formally confirmed by authorities.

Technical analyses cited in public reporting describe this malware family as drawing components from previously leaked cybercrime tools, allowing attackers to combine multiple techniques into a single, highly disruptive program. Such ransomware is designed to operate rapidly and can spread across large digital environments, which helps explain the scale of the disruption experienced by one of Europe’s largest universities by student enrollment.

The university has formally reported the incident to Italian law enforcement and to the National Cybersecurity Agency, both of which are now involved in the investigation and response. Administrators have stated that emergency management is being coordinated across academic offices, administrative departments, and student representatives, with discussions underway to introduce deadline extensions and flexible arrangements to limit academic harm.

Due to the ongoing shutdown of internal systems, campus information desks are currently unable to access digital records that would normally support student inquiries. Updates about service availability and office hours are being shared through official faculty social media pages.

Meanwhile, technical teams are examining the full scope of the breach before restoring systems from backups. This step is necessary to ensure that no malicious code remains active. It is still unclear whether all stored data can be fully recovered or whether some information may remain inaccessible following the attack.


Read more »
Romania National Oil Pipeline
Cybersecurity Attack Data Breach data threat Romania National Oil Pipeline

Romania’s National Oil Pipeline Joins a Growing Cyberattack list

Romania’s national oil pipeline operator, Conpet, has disclosed that it suffered a cyberattack that disrupted its corporate IT systems and temporarily knocked its website offline, adding to a growing series of digital incidents affecting the country’s critical infrastructure. 

In a statement issued on Wednesday, the company said the attack affected its business information systems but did not interfere with pipeline operations or its ability to meet contractual obligations. 

Conpet operates almost 4,000 kilometres of pipelines, transporting domestically produced and imported crude oil, gasoline and other petroleum derivatives to refineries across Romania, making it a key component of the country’s energy infrastructure. 

The firm sought to reassure customers and authorities that its core operational technologies were not compromised. Systems responsible for supervising and controlling pipeline flows, as well as telecommunications networks, continued to function normally throughout the incident. 

As a result, the transport of crude oil and fuel through the national pipeline system was not disrupted. Conpet’s public website, however, remained inaccessible as recovery efforts were under way. 

Conpet said it is investigating the breach in cooperation with national cybersecurity authorities and has notified Romania’s Directorate for Investigating Organised Crime and Terrorism, filing a formal criminal complaint. 

The company has not provided details on how the attackers gained access or the specific techniques used, citing the ongoing investigation. Despite this lack of official confirmation, the ransomware group Qilin has claimed responsibility for the attack. 

The group has listed Conpet on its dark web leak site and alleges it exfiltrated close to one terabyte of data from the company’s systems. 

To support its claim, Qilin published a selection of images said to show internal documents, including financial information and scans of passports. Qilin emerged in 2022 as a ransomware-as-a-service operation, initially operating under the name Agenda. 

Since then, it has built a long list of alleged victims across the world, targeting private companies and public institutions alike. Such groups typically combine data theft with extortion, threatening to publish stolen material unless a ransom is paid. 

The attack on Conpet follows a spate of ransomware incidents in Romania over the past year. Water authorities, major energy producers, electricity distributors and dozens of hospitals have all reported disruptive cyberattacks. 

Together, these cases underline a persistent weakness in the corporate IT systems that support essential services, even when industrial control networks are kept separate. 


Read more »
State-Sponsored Cyber Espionage
Advanced Persistent Threats Critical Infrastructure Cyberattack Data Breach Global Cybersecurity Threats Linux Rootkit Malware nation-state hackers Palo Alto Unit 42 State-Sponsored Cyber Espionage

Widespread Cyber Espionage Campaign Breaches Infrastructure in 37 Countries


 

Research over the past year indicates that a newly identified cyberespionage threat actor operating in Asia has been conducting a sustained and methodical cyberespionage campaign that is characterized both by its operational scale and technical proficiency. 

A fully adaptive and mature toolchain has been utilized by this group to successfully compromise 70 government and critical infrastructure institutions spanning 37 countries. The group's operations utilize a range of classic intrusion vectors, including targeted phishing, advanced exploitation frameworks, along with custom malware, Linux-based rootkits, persistent web shells, tunneling and proxying mechanisms to hide command-and-control traffic and maintain long-term access. 

According to the analysis of the campaign, these intrusions represent only a portion of the group's overall activities. There appears to be an increase in reconnaissance efforts, indicating a strategic expansion beyond confirmed victims, according to security researchers. 

During November and December of 2025, the actor was observed conducting active scanning and reconnaissance against government-linked infrastructures located in 155 countries, indicating that an intelligence collection operation had a global perspective rather than an opportunistic approach. 

A previously unknown cyberespionage actor identified as TGR-STA-1030, also known as UNC6619, has been attributed to the activity by researchers at Palo Alto Networks' Unit 42. Based on a combination of technical artifacts, operational behavior, and targeting patterns, Unit 42 assesses with high confidence that the group is state-aligned and operating from Asia. 

A 12-month period during which the actor compromised government and critical infrastructure organizations across 37 countries puts nearly one fifth of the world's countries within the campaign's verified impact zone. 

A sharp increase in reconnaissance activity was observed by Unit 42 in parallel with these intrusions between November and December 2025, as the group actively scanned government-linked infrastructure associated with 155 countries, signaling a shift toward a broader collection of intelligence. 

Based on the analysis conducted by Unit 42, the group was first discovered during an investigation into coordinated phishing operations targeting European government entities in early 2025. 

Eventually, as the actor refined its access methods, these campaigns, which were part of the initial phase of the Shadow Campaigns, evolved into more direct exploitation-driven intrusions based on exploitation. In light of the assessment that the activity aligns with state interests but has not yet been conclusively linked to a particular sponsoring organization, the designation TGR-STA-1030 is serving as a temporary tracking label while attribution efforts are continued.

Over time, the group demonstrated increasing technical maturity by deploying persistence mechanisms capable of providing extended access to exposed services beyond email-based lures, and exploiting exposed services. To date, a wide range of sensitive government and infrastructure sectors have been identified as victims, including interior affairs, foreign relations, finance, trade, economic policy, immigration, mining, justice, and energy ministries and departments. 

Despite confirmed compromises, researchers from Unit 42 believe that the breadth of reconnaissance activity offers insight into the actor's global priorities, while confirmed scanning efforts indicate that scanning efforts can be translated into operational access. 

There were at least 70 successful breaches during the period under review, and attackers maintained footholds in several environments for several months at a time. Although the campaign appears to be primarily geared toward espionage, Unit 42 has cautioned that the scale, persistence, and alignment of the activity with real-world geopolitical events raise concerns about potential long-term consequences for national security and critical service resilience. 

According to an in-depth analysis of the campaign, a pattern of targeting closely tracked sensitive geopolitical and commercial developments. Unit 42 documented the compromise of one of the largest suppliers in Taiwan's power equipment industry among the confirmed intrusions, which underscores the group's interest in energy-related industrial ecosystems. 

The actors also breached an Indonesian airline's network during the active procurement process with a U.S.-based aircraft manufacturer in a separate incident. Researchers noted that the intrusion coincided with a significant increase in the promotion of competing aircraft products from a manufacturer based in Southeast Asia, suggesting that the operation was not limited to passive intelligence gathering, but extended to strategic economic interests. 

It is important to note that several intrusion waves corresponded directly with diplomatic and political flashpoints involving China. After a high-profile meeting between the country’s president and the Dalai Lama, scanning activity was observed against the Czech military, national police, parliamentary systems, and multiple government bureaus in the Czech Republic. 

A month prior to Honduras' presidential election, during which both of the leading candidates indicated their willingness to reestablish diplomatic relations with Taiwan, the group launched a targeted attack against Honduran government infrastructure on October 31, approximately one month before the election. 

At least 200 government-associated IP addresses were targeted during this period by Unit 42, marking one of the largest concentrations of activity recorded by the group to date, which resulted in reconnaissance attempts and intrusion attempts. From a technical standpoint, the actor's tooling exhibits a high level of sophistication and operational discipline. 

As a part of initial access, phishing campaigns were frequently used to deliver custom malware loaders known as DiaoYu. DiaoYu is the Chinese word for fishing. Upon execution, the malware loader performed antivirus checks before deploying follow-on payloads, including command-and-control beacons known as Cobalt Strike beacons.

Additionally, the group exploited various enterprise-facing vulnerabilities, including Microsoft Exchange Server, SAP Solution Manager, as well as more than a dozen other widely deployed platforms and services, attempting to exploit these vulnerabilities in parallel. By utilizing a previously undocumented Linux rootkit known as ShadowGuard, Palo Alto Networks enhanced persistence and stealth. 

Rootkits operate within Linux kernel virtual machines referred to as Extended Berkeley Packet Filters (eBPF), allowing malicious logic to be executed entirely within highly trusted kernel space. According to researchers from Unit 42, eBPF-based backdoors pose a particular challenge for detection, because they are capable of intercepting and manipulating core system functions and auditing data before host-based security tools or monitoring platforms are aware of them. 

A similar approach has been documented in recent research on advanced Chinese-linked threat actors. However, certain operational artifacts also emerged in spite of the group's multi-tiered infrastructure strategy designed to obscure command-and-control pathways and impede attribution. 

Several cases involved investigators observing connections to victims' environments originating from IP address ranges associated with China Mobile Communications Group, a major backbone telecommunications provider. 

According to Palo Alto Networks, based on infrastructure analysis and historical telemetry, this group has been active since at least January 2024 and continues to pose a threat to the company. According to Unit 42, TGR-STA-1030 remains an active and evolving threat to critical infrastructure and government environments worldwide. This threat's combination of geopolitical alignment, technical capability, and sustained access creates a potential long-term threat. 

Unit 42 encourages governments and critical infrastructure operators to revisit long-held assumptions related to perimeter security and incident visibility in light of these findings. Through the campaign, it can be seen how advanced threat actors are increasingly combining prolonged reconnaissance with selective exploitation in order to achieve durable access and remain undetected for extended periods of time. 

It is recommended that security professionals prioritize continuous monitoring of exposed services, improve detection capabilities at both the endpoint and network layers, and closely monitor anomalous activity within trusted system components, such as kernel-level processes, where appropriate. 

Additionally, the researchers emphasize the importance of cross-sector coordination and threat intelligence sharing in addition to immediate technical mitigations, noting that the campaign's scale and geopolitical alignment demonstrate the deterioration of national resilience over time through cyberespionage operations. 

Keeping a keen eye on current and future state-aligned operations and adjusting defensive strategies in response will remain critical to limiting their strategic impact, especially as state-aligned actors continue to develop their skills.
Read more »
Youtube
AI ChatGPT Cloud Data GenAI Technology Youtube

YouTube's New GenAI Feature in Tools Coming Soon


Youtube is planning something new for its platform and content creators in 2026. The company plans to integrate AI into its existing and new tools. The CEO said that content creators will be able to use GenAI for shorts. While we don't know much about the feature yet, it looks like OpenAI’s Sora app where users make videos of themselves via prompt. 

What will be new in 2026? 

“This year you'll be able to create a Short using your own likeness, produce games with a simple text prompt, and experiment with music “ said CEO Neal Mohan. All these apps will be AI-powered which many creators may not like. Many users prefer non-AI content. CEO Neil Mohan has addressed these concerns and said that “throughout this evolution, AI will remain a tool for expression, not a replacement.”

But the CEO didn't provide other details about these new AI capabilities. It is not clear how this will help the creators and the music experimentation work. 

That's not all, though.

Additionally, YouTube will introduce new formats for shorts. According to Mohan, Shorts would let users to share images in the same way as Instagram Reels does. Direct sharing of these will occur on the subscribers' feed. 

In 2026, YouTube will likewise concentrate on the biggest displays it can be accessed on, which are televisions. According to Mohan, the business will soon introduce "more than 10 specialized YouTube TV plans spanning sports, entertainment, and news, all designed to give subscribers more control," along with "fully customizable multiview.”

Why new feature?

Mohan noted that the creator economy is another area of concern. According to YouTube's CEO, video producers will discover new revenue streams this year. The suggestions made include fan funding elements like jewelry and gifts, which will be included in addition to the current Super Chat, as well as shopping and brand bargains made possible by YouTube. 

YouTube's new venture

The business also hopes to grow YouTube Shopping, an affiliate program that lets content producers sell goods directly in their videos, shorts, and live streams. The business stated that it will implement in-app checkout in 2026, enabling users to make purchases without ever leaving the site.


Read more »
Vulnerabilities and Exploits
CISA Enterprise Flaws KEV Vulnerabilities and Exploits

CISA Confirms Active Exploitation of Four Critical Enterprise Software Flaws

 

CISA has confirmed active exploitation of four critical vulnerabilities in widely used enterprise software, urging immediate action from federal agencies and organizations worldwide. These flaws, now added to the agency's Known Exploited Vulnerabilities (KEV) catalog, affect products from Versa, Zimbra, Vite, and Prettier, with evidence of real-world attacks underway. As cyber threats escalate in 2026, this development highlights the urgent need for swift patching to safeguard networks.

The first vulnerability, CVE-2025-31125, is a high-severity improper access control issue in the Vite frontend tooling framework. It allows attackers to expose non-allowed files if the server is exposed to the network, primarily impacting development instances . Patched in versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11, this flaw underscores the risks of misconfigured dev environments in production-like setups.

CVE-2025-34026 represents a critical authentication bypass in Versa Concerto SD-WAN orchestration platform, versions 12.1.2 through 12.2.0. Stemming from a Traefik reverse proxy misconfiguration, it grants unauthorized access to admin endpoints, including sensitive heap dumps and trace logs . Discovered by ProjectDiscovery in February 2025 and fixed by March, it exposes enterprises relying on SD-WAN to potential data leaks and deeper intrusions.

A supply-chain attack targeted the eslint-config-prettier package via CVE-2025-54313, compromising npm versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7. Malicious install scripts deployed node-gyp.dll payloads on Windows to steal npm tokens, affecting developers using ESLint and Prettier for code formatting . This incident reveals the growing dangers of dependency hijacking in open-source ecosystems.

Finally, CVE-2025-68645 is a local file inclusion flaw in Zimbra Collaboration Suite 10.0 and 10.1's Webmail Classic UI. Unauthenticated attackers exploit the /h/rest endpoint due to poor parameter handling in the RestFilter servlet, reading arbitrary WebRoot files . CISA mandates federal agencies to patch by February 12, 2026, or discontinue use, emphasizing proactive vulnerability management amid unknown ransomware links.
Read more »
Subscribe to: Comments (Atom)

Featured