Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Karnataka’s Cybercrime Losses Soar as Scam Recoveries Plunge

  Recoveries in Karnataka's cybercrime prosecutions are falling even as authorities ramp up specialized policing capability, reflecting ...

All the recent news you need to know
telecom fraud warning
caller name presentation CNAP India Cyber Security DoT advisory silent calls India telecom fraud warning

India Warns on ‘Silent Calls’ as Telecom Firms Roll Out Verified Caller Names to Curb Fraud

 

India’s telecom authorities have issued a fresh advisory highlighting how ordinary phone calls are increasingly being used as entry points for scams, even as a long-discussed caller identity system begins to take shape as a countermeasure.

For many users, the pattern is familiar: the phone rings, the call is picked up, and no one responds. According to the Department of Telecommunications (DoT), these “silent calls” are intentional rather than technical faults.

Officials explain that such calls are designed to check whether a number is active. Once answered, the number is marked as live and becomes more valuable to fraud networks. It can then be circulated within scam databases and later targeted for phishing, impersonation or financial fraud. The DoT has advised users to block these numbers immediately and report them via the government’s Sanchar Saathi portal, which aims to gather public inputs to identify and disrupt telecom abuse.

The warning signals a broader concern within the government: many frauds today begin not with advanced hacking tools, but with simple behavioural triggers that rely on users answering calls out of habit.

At the same time, India’s telecom ecosystem is seeing a gradual but significant change. Reliance Jio has started deploying Caller Name Presentation (CNAP), a feature that shows the registered name of the caller on the recipient’s screen.

Unlike third-party caller-ID applications that depend on user-generated labels, CNAP pulls data directly from subscriber details submitted during SIM registration. Since this information is document-verified, authorities argue it is harder to falsify on a large scale.

Supporters believe this could help restore confidence in voice calls, which have become a weak link in the digital security chain. Seeing a verified name, they say, may discourage users from engaging with unknown or spoofed callers. However, the initiative also revives concerns around privacy, data accuracy and the risk of misuse—issues regulators and telecom companies say they are addressing through a phased rollout.

Regulators Push for a Unified Approach

The Telecom Regulatory Authority of India (TRAI) has instructed other major operators—Airtel, Vodafone-Idea (Vi) and BSNL—to implement CNAP, aiming to make it a nationwide standard rather than a single-network feature.

Progress varies by operator. Jio’s CNAP is already active across several regions in eastern, northern and southern India, including West Bengal, Kerala, Bihar, Rajasthan and Odisha. Airtel has introduced the feature in select circles such as West Bengal, Gujarat and Madhya Pradesh. Vodafone-Idea has rolled it out primarily in Maharashtra, with limited testing in Tamil Nadu, while BSNL is still conducting pilot trials.

Industry executives note that the rollout is technically demanding, involving upgrades to older network infrastructure and coordination between operators. Regulators view CNAP as one layer in a broader anti-spam strategy that also includes call filtering, identification of bulk callers and tighter controls on telemarketers.

The rise of silent calls alongside verified caller names reflects a larger shift: phone calls are no longer inherently trustworthy. Scammers thrive on anonymity and volume, while authorities are responding with greater emphasis on identity and traceability.

Whether CNAP will significantly reduce fraud remains uncertain. Experts point out that fake or improperly verified SIM registrations still exist, and user trust in displayed names will depend on data quality and enforcement.

For now, the official guidance is cautious. Silent calls should be treated as red flags, not harmless glitches. Caller names, even when verified, should be assessed carefully. In a country handling billions of calls daily, small changes in how people respond to their phones could meaningfully influence the fight between fraud and vigilance.
Read more »
Mobile Security Tools
Android Android Smartphone cybersecurity breaches Cybersecurity measures iOS Mobile Security Mobile Security Tools

Swiss Startup Soverli Introduces a Sovereign OS Layer to Secure Smartphones Beyond Android and iOS

 

A Swiss cybersecurity startup, Soverli, has introduced a new approach to mobile security that challenges how smartphones are traditionally protected. Instead of relying solely on Android or iOS, the company has developed a fully auditable sovereign operating system layer that can run independently alongside existing mobile platforms. The goal is to ensure that critical workflows remain functional even if the underlying operating system is compromised, without forcing users to abandon the convenience of modern smartphones. 

Soverli’s architecture allows multiple operating systems to operate simultaneously on a single device, creating a hardened environment that is logically isolated from Android or iOS. This design enables organizations to maintain operational continuity during cyber incidents, misconfigurations, or targeted attacks affecting the primary mobile OS. By separating critical applications into an independent software stack, the platform reduces reliance on the security posture of consumer operating systems alone. 

Early adoption of the technology is focused on mission-critical use cases, particularly within the public sector. Emergency services, law enforcement agencies, and firefighting units are among the first groups testing the platform, where uninterrupted communication and system availability are essential. By isolating essential workflows from the main operating system, these users can continue operating even if Android experiences failures or security breaches. The same isolation model is also relevant for journalists and human rights workers, who face elevated surveillance risks and require secure communication channels that remain protected under hostile conditions.  

According to Soverli’s leadership, the platform represents a shift in how mobile security is approached. Rather than assuming that the primary operating system will always remain secure, the company’s model is built around resilience and continuity. The sovereign layer is designed to stay operational even when Android is compromised, while still allowing users to retain the familiar smartphone experience they expect. Beyond government and critical infrastructure use cases, the platform is gaining attention from enterprises exploring secure bring-your-own-device programs. 

The technology allows employees to maintain a personal smartphone environment alongside a tightly controlled business workspace. This separation helps protect sensitive corporate data without intruding on personal privacy or limiting device functionality. The system integrates with mobile device management tools and incorporates auditable verification mechanisms to strengthen identity protection and compliance. The underlying technology was developed over four years at ETH Zurich and does not require specialized hardware modifications. 

Engineers designed the system to minimize the attack surface for sensitive applications while encrypting data within the isolated operating system. Users can switch between Android and the sovereign environment in milliseconds, balancing usability with enhanced security. Demonstrations have shown secure messaging applications operating inside the sovereign layer, remaining confidential even if the main OS is compromised. Soverli’s approach aligns with Europe’s broader push toward digital sovereignty, particularly in areas where governments and enterprises demand auditable and trustworthy infrastructure. 

Smartphones, often considered a weak link in enterprise security, are increasingly being re-evaluated as platforms capable of supporting sovereign-grade protection without sacrificing usability. Backed by $2.6 million in pre-seed funding, the company plans to expand its engineering team, deepen partnerships with device manufacturers, and scale integrations with enterprise productivity tools. Investors believe the technology could redefine mobile security expectations, positioning smartphones as resilient platforms capable of operating securely even in the face of OS-level compromise.
Read more »
yber Espionage
Data Breach firewall vulnerability GCHQ NCSC Ransomware Impact State-Linked Cyber Threat UK Cyber Defense Visa Data Leak yber Espionage

Digital Intrusion at the Heart of UK Diplomacy Verified by Officials


In the wake of the revelation of a serious cybersecurity breach at the Foreign, Commonwealth, and Development Office of the United Kingdom, the integrity of national institutions once again came into the focus of public attention. In October, its systems were breached by an external intrusion, which exposed widespread cybersecurity vulnerabilities.

There is growing concern in the global community about the existence of state-linked cyberattacks targeting government infrastructure, as revealed by minister Chris Bryant in his statement following the revelations. 

Although officials have determined that the breach does not pose a high risk for individuals, preliminary findings suggest that the incident may have involved large volumes of sensitive administrative records, including potentially tens of thousands of visa-related details. Although the precise scale and impact of the attack have not been determined, it is believed that the incident was of a low risk.

Bryant emphasized and cautioned that no attribution has been formally established, nor has a definite link to the operation been established, yet unverified intelligence assessments have pointed to possible involvement by a Chinese cyber group dubbed Storm 1849; however, it is important not to make definitive conclusions before the investigation has been conducted. 

A number of cybersecurity analysts have compared the breach with the 2024 ArcaneDoor campaign, a sophisticated attack that brought together state-sponsored actors, and prompted them to consider overlapping methods and the broader implications of coordinated data targeting campaigns in the future. 

An investigation has already been conducted by government response teams to identify and neutralize the vulnerability that enabled the intrusion, and forensic specialists are now studying log files and access patterns in an effort to determine the intent, origin, and extent of the breach.

Bryant highlighted the complexity of the investigation and stressed that speculation is of no benefit to the investigation, and admitted that determining who is responsible could take a considerable amount of time, reinforcing the government's belief that the official narrative will be based only on substantiated findings. Consequently, authorities have not yet publicly verified the full extent of what information was accessed by this breach, which was detected by government monitoring systems in October. 

It is possible that tens of thousands of visa-related data entries are included in the breach, although there has been no official confirmation yet from the government. When the intrusion was discovered, international security advisories also noted that active exploitation of vulnerabilities affecting a series of Cisco firewalls, including Cisco firewalls manufactured by Cisco, was being detected by government agencies across the country, including the United States and Asia.

Even though the Cyber Security and Communication Centre (CISC) and the Foreign, Commonwealth and Development Office (FCDO) attacks occurred at almost the same time, the UK government has declined to confirm whether the CISC attack was caused by the same infrastructure vulnerabilities as FCDO or a known threat actor, citing the sensitivity of ongoing forensic investigations. 

The trade minister, Sir Chris Bryant, has made public remarks to Sky News acknowledging the compromise, stating that the government had been aware of the intrusion since October, but has cautioned against premature attribution to the cyber group Storm-1849. According to Bryant, the reports circulated are mostly speculative rather than evidence-based, adding that disclosure is limited due to the complexity and anticipated duration of the investigation, which remains unresolved. 

The department's technical response teams confirmed that the vulnerability that enabled the breach had been neutralised swiftly, describing the incident as a technical fault isolated to one of the department's web platforms. 

As a result of risk assessments, it appears that a low likelihood exists that individuals' data will be directly affected, as is the case with current risk assessments. After the intrusion was detected in October, the National Cyber Security Centre (NCSC) confirmed that it is coordinating closely with government departments to determine what operational and personal implications the breach might have, as it has been discovered that systems managed by the Foreign, Commonwealth and Development Office infrastructure have been accessed without authorization without authority, following its discovery. 

The trade minister, Sir Chris Bryant, spoke to national broadcasters and radio networks about the incident. He stressed that the security vulnerability had been swiftly addressed by government response units, and that early risk analysis suggests a low probability of individuals becoming materially affected as a result. Moreover, Bryant stressed the lack of veracity of claims made by foreign states to be involved in the intrusion, especially those linking the intrusion to Chinese actors or the Chinese state. 

According to Bryant, the investigation is at a stage in which only a limited amount of technical details can be divulged at present. A number of reports, including those published in The Sun, suggested that visa-related records may have been a target of the investigation, but the government hasn't provided any confirmation of scope or attribution. 

There has been a formal referral to the Information Commissioner's Office (ICO) of the incident, and the UK's data protection authority has been notified as well for regulatory review. The disclosure comes amid repeated warnings from UK intelligence agencies regarding the growing presence of state-linked espionage activities originating in China, spanning cyber campaigns and intelligence gathering to gather information about the political, commercial, and strategic affairs of the nation.

It has been reported by GCHQ publicly that its most significant national security focus is countering threats from China, which is greater than all other state adversaries when it comes to resources allocated to defensive purposes. According to Bryant's remarks released on Friday, government institutions remain persistent targets for outside cyber operations. In his remarks, he asserted that officials are still assessing the consequences of their actions, reaffirming that future statements will be based on validated findings, not speculation. 

It is expected that this breach will intensify the existing discussion around the government's digital transformation agenda, and the proposals to establish a national digital identity framework in particular. There is no doubt that government IT infrastructure is routinely tested for cybersecurity. However, the timing of the incident has given renewed momentum to those who have been critical of the consolidation of large amounts of identity data. 

There have been reports that centralised citizen authentication systems could be an attractive target for malicious cyber operators, as previously warned. This revelation coincides with an investigation by ITV News that highlighted security concerns surrounding One Login, which will be used to underpin digital identity services in the future. This investigation is part of an ongoing series of ITV News investigations highlighting security concerns associated with One Login. 

Originally documented by Computer Weekly earlier this year, these vulnerabilities were then examined in national media as well, putting a sustained focus on the system's security assurances. It is not surprising that the incident has taken place against a backdrop of disruptive cyber campaigns that have stretched far beyond Whitehall and into key commercial sectors. 

As of 2025, runsomware attacks caused Jaguar Land Rover (JLR) to halt production, affecting supply chains throughout the automobile industry. The Office for National Statistics then attributed part of the UK's November economic slowdown as a result of the operational paralysis caused by the breach. 

Several other major institutions, such as the Co-op and Marks & Spencer, have also confirmed they have been affected by significant cyber incidents, confirming what many analysts have said had been one of the most aggressive periods of online targeting the UK has faced in recent years. 

A coordinated attack on local government networks has disrupted services across four London councils, including the City of London, Hackney, Westminster, and Hammersmith and Fulham, three of whom share a unified IT service. In a later press conference, the NCSC confirmed that sensitive information could have been copied during the attack, prompting them to participate in further investigation as the broader implications of these shared public infrastructure vulnerabilities are assessed. 

A number of cyber threats targeting government and economic infrastructure are emerging rapidly, as evidenced by the incident. However, while the investigation into the Foreign Office breach continues, its broad implications go well beyond a single attack, making it even more important for the public sector to conduct proactive security audits, harden supply chains, and accelerate vulnerability disclosure protocols in order to avoid the same thing happening again. 

The analyst note that while shared infrastructure and centralised authentication platforms are extremely efficient in terms of operational efficiency, they require significantly higher level of safeguards, continuous penetration testing, and multilayered anomaly detection and mitigation procedures in order to mitigate systemic risks.

Despite the fact that the UK government has already signalled that it will increase defense resources through agencies such as the NCSC and GCHQ in order to enhance defence. However, experts argue that long-term resilience will be achieved by simultaneously investing in workforce capabilities, encrypting data compartmentalization, and collaborating with global coalitions that promote cybersecurity. 

It is also imperative for organizations and citizens alike to recognize that digital security is now intertwined with national stability as a matter of necessity. Public trust will be strengthened when emerging digital frameworks are not only responded to quickly, but they must also be transparent, responsible, and accountable to the community.

In order to maintain a sustainable digital governance environment, continued vigilance, structured incident reporting, as well as security-by-design implementation, remain the cornerstones.
Read more »
Russia
Amazon AWS Cloud Security Credential Theft Cyber Attacks GRU Russia

Amazon Says It Has Disrupted GRU-Linked Cyber Operations Targeting Cloud Customers

 



Amazon has announced that its threat intelligence division has intervened in ongoing cyber operations attributed to hackers associated with Russia’s foreign military intelligence service, the GRU. The activity targeted organizations using Amazon’s cloud infrastructure, with attackers attempting to gain unauthorized access to customer-managed systems.

The company reported that the malicious campaign dates back to 2021 and largely concentrated on Western critical infrastructure. Within this scope, energy-related organizations were among the most frequently targeted sectors, indicating a strategic focus on high-impact industries.

Amazon’s investigation shows that the attackers initially relied on exploiting security weaknesses to break into networks. Over multiple years, they used a combination of newly discovered flaws and already known vulnerabilities in enterprise technologies, including security appliances, collaboration software, and data protection platforms. These weaknesses served as their primary entry points.

As the campaign progressed, the attackers adjusted their approach. By 2025, Amazon observed a reduced reliance on vulnerability exploitation. Instead, the group increasingly targeted customer network edge devices that were incorrectly configured. These included enterprise routers, VPN gateways, network management systems, collaboration tools, and cloud-based project management platforms.

Devices with exposed administrative interfaces or weak security controls became easy targets. By exploiting configuration errors rather than software flaws, the attackers achieved the same long-term goals: maintaining persistent access to critical networks and collecting login credentials for later use.

Amazon noted that this shift reflects a change in operational focus rather than intent. While misconfiguration abuse has been observed since at least 2022, the sustained emphasis on this tactic in 2025 suggests the attackers deliberately scaled back efforts to exploit zero-day and known vulnerabilities. Despite this evolution, their core objectives remained unchanged: credential theft and quiet movement within victim environments using minimal resources and low visibility.

Based on overlapping infrastructure and targeting similarities with previously identified threat groups, Amazon assessed with high confidence that the activity is linked to GRU-associated hackers. The company believes one subgroup, previously identified by external researchers, may be responsible for actions taken after initial compromise as part of a broader, multi-unit campaign.

Although Amazon did not directly observe how data was extracted, forensic evidence suggests passive network monitoring techniques were used. Indicators included delays between initial device compromise and credential usage, as well as unauthorized reuse of legitimate organizational credentials.

The compromised systems were customer-controlled network appliances running on Amazon EC2 instances. Amazon emphasized that no vulnerabilities in AWS services themselves were exploited during these attacks.

Once the activity was detected, Amazon moved to secure affected instances, alerted impacted customers, and shared intelligence with relevant vendors and industry partners. The company stated that coordinated action helped disrupt the attackers’ operations and limit further exposure.

Amazon also released a list of internet addresses linked to the activity but cautioned organizations against blocking them without proper analysis, as they belong to legitimate systems that had been hijacked.

To mitigate similar threats, Amazon recommended immediate steps such as auditing network device configurations, monitoring for credential replay, and closely tracking access to administrative portals. For AWS users, additional measures include isolating management interfaces, tightening security group rules, and enabling monitoring tools like CloudTrail, GuardDuty, and VPC Flow Logs.

Read more »
Infrastructure Security
Critical Infrastructure Security Cyber Attacks Cyber Security Ransomware Attacks Cyber Threats Hypervisor Infrastructure Security

Hypervisor Ransomware Attacks Surge as Threat Actors Shift Focus to Virtual Infrastructure

 

Hypervisors have emerged as a highly important, yet insecure, component in modern infrastructural networks, and attackers have understood this to expand the reach of their ransomware attacks. It has been observed by the security community that the modes of attack have changed, where attackers have abandoned heavily fortified devices in favor of the hypervisor, the platform through which they have the capability to regulate hundreds of devices at one time. In other words, a compromised hypervisor forms a force multiplier in a ransomware attack. 

Data from Huntress on threat hunting indicates the speed at which this trend is gathering pace. Initially in the early part of 2025, hypervisors were involved in just a few percent of ransomware attacks. However, towards the latter part of the year, this number had risen substantially, with hypervisor-level encryption now contributing towards a quarter of these attacks. This is largely because the Akira ransomware group is specifically leveraging vulnerabilities within virtualized infrastructure.  

Hypervisors provide attackers the opportunity by typically residing outside the sight of traditional security software. For this reason, bare-metal hypervisors are of particular interest to attackers since traditional security software cannot be set up on these environments. Attacks begin after gaining root access, and the attackers will be able to encrypt the disks on the virtual machines. Furthermore, attackers will be able to use the built-in functions to execute the encryption process without necessarily setting up the ransomware. 

In this case, security software would be rendered unable to detect the attacks. These attacks often begin with loopholes in credentials and network segmentation. With the availability of Hypervisor Management Interfaces on the larger internets inside organizations, attackers can launch lateral attacks when they gain entry and gain control of the virtualization layer. Misuse of native management tools has also been discovered by Huntress for adjusting Machine Settings, degrading defenses, and preparing the environment for massive Ransomware attacks. 

Additionally, the increased interest in hypervisors has emphasized that this layer must be afforded the equivalent security emphasis on it as for servers and end-points. Refined access controls and proper segmentation of management networks are required to remediate this. So too is having current and properly maintained patches on this infrastructure, as it has been shown to have regularly exploited vulnerabilities for full administrative control and rapid encryption of virtualized environments. While having comprehensive methods in place for prevention, recovery planning is essential in this scenario as well. 

A hypervisor-based ransomware is meant for environments, which could very well go down, hence the need for reliable backups, ideally immutables. This is especially true for organizations that do not have a recovery plan in place. As ransomware threats continue to evolve and become more sophisticated, the role of hypervisors has stepped up to become a focal point on the battlefield of business security. 

This is because by not securing and protecting the hypervisor level against cyber threats, what a business will essentially present to the cyber attackers is what they have always wanted: control of their whole operation with a mere click of their fingers.
Read more »
User Privacy
Android Spyware Cellik Credential Theft malware User Privacy

Cellik Android Spyware Exploits Play Store Trust to Steal Data

 

Recently found in the Android platform, remote access trojan named Cellik has been recognized as a serious mobile threat, using the Google Play integration feature to mask itself within legitimate applications to evade detection by security solutions.

Cellik is advertised as a malware-as-a-service (MaaS) in the cybercrime forums, with membership rates beginning at approximately $150 a month. One of the most frightening facets of the malware is the fact that it allows malicious payloads to be injected into legitimate Google Play applications, which can be easily installed. 

Once it is installed, Cellik provides complete control over the target device for the attacker. Operators can remotely stream the target device’s screen live, as well as access all files, receive notifications, and even use a stealthy browser to surf websites and enter form data without the target’s awareness. The malware also comes equipped with an app inject functionality that enables attackers to superimpose login screens on normal applications such as bank or email apps and harvest login and other sensitive data. 

Cellik Play Store integration also includes an automated APK builder, so the perpetrators of this crimeware can now browse the store for apps, choose popular apps, and pack them with the Cellik payload in one click bundling it together with the cellik payload. The perpetrators of this attack claim that this allows them to bypass Google Play Protect and other device-based security scanners, but Google has not independently verified this. 

Android users should heed the words of security experts and not sideload APKs from unknown sources, keep Play Protect enabled at all times, be very judicious about app permissions, and keep an eye out for anything strange on their phones that might be harmful. Since Cellik is a groundbreaking new development in Android malware, both users and the security community should be vigilant to ensure their sensitive data and device integrity are not compromised.
Read more »
Subscribe to: Comments (Atom)

Featured