Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Latest News

Nissan Confirms Employee Data Breach Following Oracle PeopleSoft Zero-Day Cyberattack

  Nissan has confirmed that it fell victim to a third-party cyberattack after being targeted as an Oracle PeopleSoft user, making it the lat...

All the recent news you need to know

BioSchocking Attacks Tricked AI-powered Browsers into Data Theft


A new prompt injection termed “BioShocking” can manipulate AI-based browsers into treating malicious actions as a video game, and give away your login credentials. The technique was discovered by experts at security firm LayerX. The experts tricked six AI-powered browsers and assistants into recording users’ credentials and sending them to the threat actor. 

The browsers include:

ChatGPT Atlas from OpenAI

Comet from Perplexity

Anthropic’s Claude browser

Fellou

Genspark browser

Sigma browser

LayerX experts made a proof-of-concept (PoC), which was tested against these agentic AI browser products. The findings revealed that only one browser addressed the issue after receiving the report.

What is an AI browser?

An AI browser can streamline the entire workflow for the users. If you switch it to agent mode, it can click type, and visit sites that the user has already logged into. Access is the key point hare, which also becomes the problem.

BioShocking attack tactic

Experts made a (PoC) in which an infected webpage showed a BioShock-themed puzzle that rewards wrong answers. This tricks the browser that normal rules are not applicable. 

The trap works because of how these AI-powered browsers read. The webpage and instruction surface as a single stream of text, which allows a malicious page access in commands mimicking ordinary content or game rules. The agent can not tell which is which. Experts have termed this indirect prompt injection.

Tricking the browser

For instance, the compromise starts with a web page made as a puzzle. 3+4+=9 is a wrong answer but the browser rewards it. When the agent accepts that wrong answer is the reward, it follows game puzzle logic not security logic. Following this, the puzzle asks the browser to record login credentials. All six browsers could not flag it as something malicious. To win the game, the agent is commanded to go to a GitHub repository and share the data in the code, such as sensitive data like passwords.

When the link is sent to the target's GitHub repository, it retrieves SSH login credentials and sends them to the hackers. The main issue here is that browsers can’t differentiate between real scenarios and malicious fictional ones. 

According to LayerX, “Once the agents figured out the rules and learned that 'incorrect' actions are acceptable, they were no longer tied to reality.” “When tasked with the final step of the puzzle – compromising user credentials – all 6 agents failed to identify it as going against their safety guardrails,” the experts continued.

The PoC did not execute any malicious commands but warned that it could do so.

AI vendors’ response

According to experts, only OpenAI implemented a working patch for BioShocking in its browser.

Anthropic tried to fix the issue on its chrome login, but the patch was not working against the PoC. Perplexity did not fix the issue, and closed the report. 

LayerX advises that AI vendors should add specific user acknowledgement for sensitive work, and stronger security checks.

Google Cripples NetNut Proxy Network Spanning 2 Million Devices

 

Google has delivered a major blow to NetNut, one of the world’s largest residential proxy networks, by crippling its ability to route malicious traffic through millions of compromised home devices. The operation, conducted in coordination with the FBI, Lumen, and other partners, marks a significant escalation in the fight against infrastructure that cybercriminals rely on to hide their activities. 

Google’s Threat Intelligence Group (GTIG) estimates that NetNut—also tracked under the name Popa—spanned at least 2 million devices globally, including smart TVs, streaming boxes, and other internet-connected appliances. In a single week in June, Google observed 316 distinct threat clusters using suspected NetNut exit nodes to mask their location and carry out activities such as password guessing and malware distribution. By disabling accounts and services tied to NetNut’s command-and-control infrastructure, Google says it has reduced the network’s usable device pool by millions, severely degrading its business operations. 

NetNut grew by embedding its software development kit (SDK) into seemingly legitimate apps and firmware, often on low-cost or no-name hardware. Many victims unknowingly installed applications that promised payment for “unused bandwidth” or “sharing your internet,” a common lure for these networks. Once integrated, the SDK turned devices into relays for other people’s traffic, making malicious activity appear to originate from ordinary home IP addresses and helping attackers bypass security tools and geo-restrictions. 

Google’s response combined legal, technical, and user-protection measures. The company disabled infrastructure used for NetNut-related malware operations, shared detailed technical intelligence on the group’s SDK and backend systems with law enforcement, and worked with partners to seize domains controlling compromised devices. On the user side, Google Play Protect was updated to automatically warn users and disable apps found to integrate the NetNut SDK, while Google identified hundreds of Android apps and thousands of Windows files linked to the network’s infrastructure.

While Google describes the action as a “degradation” rather than a full takedown—NetNut also operates through reseller programs and white-label brands—the disruption raises the cost and complexity for attackers using residential proxies. For everyday users, the incident underscores the risk of installing obscure apps, especially those offering payouts for bandwidth, and of using cheap, unbranded streaming devices. Sticking to official app stores, reviewing app permissions, keeping Play Protect enabled, and buying hardware from reputable manufacturers remain the best defenses against ending up as an unwitting node in the next NetNut-style network.

U.S. Secures Extradition of 19-Year-Old Linked to Scattered Spider


US authorities have intensified their pursuit of individuals linked to the financially motivated hacking collective Scattered Spider, and the extradition of a 19-year-old suspect marks another significant development. 

Peter Stokes, who is a dual citizen of the United States and Estonia, is accused of taking part in coordinated cyber intrusions, ransomware extortion, and fraud operations linked to the group, which disrupted more than 100 organizations across critical industries and generated more than $100 million in extortion payments for the group. 

After Stokes was arrested in Finland on a Red Notice from Interpol, he was transferred to the United States to be tried on several federal charges, which included conspiracy, computer intrusion, and extortion, demonstrating the increasing international cooperation being deployed for the dismantling of one of the most persistent cybercrime groups. 

In describing the prosecution, Federal officials said it is part of an ongoing effort to combat increasingly sophisticated cybercrime activities that target U.S. organizations across a range of industries. In his remarks, Andrew S. Boutros, U.S. Attorney for the Northern District of Illinois, co-chair of the Acting Attorney General's White Collar, Cyber, and Crypto Subcommittee Advisory Committee, stated that the allegations of the Scattered Spider attack caused widespread disruption to businesses nationwide and highlighted the increased capabilities of cybercriminals operating across international borders driven by financial gain. 

The Justice Department has demonstrated its commitment to pursuing technologically advanced threat actors regardless of where they are located with the charges, he stressed. In support of this position, Brett Leatherman, Assistant Director of the FBI's Cyber Division, stated that the group has consistently used employee-focused extortion and network compromise campaigns, which have resulted in millions of dollars of financial losses and disruptions to critical business operations. 

According to him, the investigation illustrates the importance of coordinating the efforts of domestic and international law enforcement to identify, disrupt, and prosecute cybercriminals, wherever they operate. The superseding criminal complaint alleges that Stokes is associated with several cyber intrusions allegedly conducted by his online alias "Bouquet," including activities that date back to his 16th year of age. 

A prosecutor contends that these activities were part of Scattered Spider's overall intrusion campaign, which also includes Octo Tempest, UNC3944, and 0ktapus, which are also tracked by security researchers. According to the investigation, the group compromised more than 100 networks by using highly targeted social engineering techniques, enabling the deployment of ransomware, data theft, and extortion schemes that collectively resulted in over $100 million in ransom payments as well as millions more in recovery costs for the organizations affected.

The complaint details a number of incidents in which Stokes and his co-conspirators allegedly breached a luxury jewelry retailer's network in May 2025, exfiltrating sensitive corporate data and demanding approximately $8 million in cryptocurrency. According to reports, the company declined to negotiate with the attackers, removed them from its environment, and incurred remediation expenses ranging from $2 million to $3 million. 

Stokes was reportedly apprehended at Helsinki Airport as he attempted to board a flight to Japan, where Finnish law enforcement officials confiscated two 2-terabyte hard drives as part of the investigation. According to investigators, Scattered Spider is not a traditional hierarchical cybercrime syndicate, but rather a decentralized, English-speaking network of young threat actors operating throughout the United States, the United Kingdom, and Europe. 

In order to gain initial access, the attackers utilize sophisticated social engineering techniques rather than exploiting software vulnerabilities. In their investigations, investigators assert that Scattered Spider has consistently focused on human manipulation rather than technical exploitation. It has been reported that members impersonate legitimate employees when contacting corporate IT support desks, convincing them to reset their credentials or authorize their account access before moving laterally through compromised environments, exfiltrating sensitive data, and demanding payment under the threat of publication.

After the high-profile compromises of MGM Resorts and Caesars Entertainment in 2023, the group's techniques have come under scrutiny. The intrusion at MGM severely disrupted casino and hotel operations. Several security researchers have observed a sector-focused targeting strategy since then, connecting the collective with multiple campaigns against major UK retailers, including Marks & Spencer, Harrods, and Co-op before it moved on to target American insurance companies, followed by the aviation industry. 

A. Tysen Duva, assistant attorney general, pointed out that the collective was responsible for over 100 network intrusions resulting in over $100 million in ransom payments. It is important to note that Stokes' case also represents the culmination of a broader international law enforcement campaign that has relentlessly dismantled the individuals operating under the pseudonym Scattered Spider. 

During recent prosecutions, Scottish national Tyler Buchanan, 24, admitted to fraud and identity theft by admitting to his role in phishing campaigns targeting Twilio and LastPass. As a result, prosecutors stated that $8 million in cryptocurrency was stolen and carries a maximum sentence of 22 years in prison.

In addition, Florida-based member Noah Urban was sentenced in August 2025 to 10 years in prison as well as a $12 million fine, while U.K. citizens Thalha Jubair and Owen Flowers pleaded guilty in June 2026 in connection with the Transport for London hack in 2024. As indicated in court documents, Flowers admitted to conspiring to compromise the networks of U.S. healthcare providers SSM Health and Sutter Health, demonstrating how far prosecutions have spread in an effort to dismantle the group's international cybercrime network. 

Despite successive arrests disrupting Scattered Spider's operations, cybersecurity researchers caution that the group's tactics continue to affect the wider threat landscape. As a result of the law enforcement actions of 2025, Mandiant observed a temporary drop in activity; however, it also stated that other financially motivated threat groups have begun replicating the collective's social engineering approach. 

An important defensive lesson of the assessment is that identity verification processes are often the primary attack surface rather than perimeter security measures. It is recommended that assistance desk authentication procedures be strengthened and that phishing-resistant authentication methods, such as hardware-backed passkeys or security keys, be adopted as effective measures for limiting unauthorized access through credential reset abuse. 

According to a joint advisory issued by U.S. and international cybersecurity authorities, once the attackers gained initial access, they have reportedly been observed monitoring internal collaboration platforms and taking part in incident response calls as a way of tracking defensive actions in real-time and evading containment measures.

Researchers believe the digital evidence recovered during Stokes' arrest in Helsinki may provide valuable information about the group's broader infrastructure as well as potential associates. Even though Stokes remains presumed innocent until proven guilty in court, this latest extradition highlights a growing international enforcement effort that is demonstrating the inability of geographical distance, decentralized operations, and youth to provide reliable barriers to coordinated cybercrime prosecution. 

International authorities are increasingly combining cross-border investigations with coordinated prosecutions to pursue individuals behind sophisticated intrusion campaigns that can disrupt businesses and disrupt lives. Increasing sophistication in identity-based attacks requires organizations to strengthen authentication controls, harden help desk verification processes, and continuously monitor privileged access in order to reduce the impact of increasingly sophisticated social engineering tactics.

Accenture Buys Cybersecurity Firms Dragos, runZero, NetRise for $4.18 Billion

 

In a landmark move to fortify its cybersecurity capabilities, Accenture has announced a $4.18 billion deal to acquire a majority stake in industrial cybersecurity leader Dragos, alongside full ownership of asset intelligence firm runZero and device security specialist NetRise. This strategic acquisition spree underscores Accenture’s ambition to expand beyond traditional consulting services and establish itself as a comprehensive provider of software-driven cybersecurity solutions, particularly for critical infrastructure sectors vulnerable to AI-powered cyber threats and geopolitical risks. 

The timing of the deal reflects both opportunity and necessity. While global consulting demand has softened—partly due to the ongoing Iran war impacting Middle East operations—cybersecurity remains a high-growth domain with surging client investment. Accenture, already operating a $10 billion cybersecurity business, sees industrial and operational technology (OT) security as a key frontier. By integrating Dragos’s OT threat monitoring, runZero’s real-time asset discovery, and NetRise’s embedded device security, the firm aims to deliver end-to-end protection for energy grids, manufacturing facilities, transportation systems, and other mission-critical environments increasingly targeted by state-sponsored and criminal hackers.

Dragos brings deep expertise in securing industrial control systems, with a platform widely used by utilities and heavy industries to detect and respond to OT-specific threats. runZero complements this with advanced asset intelligence, enabling organizations to maintain accurate, dynamic inventories of all connected devices—a foundational requirement for effective cybersecurity in complex, hybrid IT-OT environments. NetRise adds another critical layer by securing firmware and embedded systems, which are often overlooked but increasingly exploited attack vectors. Combined, these three companies contribute approximately $208 million in annual recurring revenue and significantly enhance Accenture’s software-led service portfolio. 

The transactions are structured to close by August or September 2026, subject to regulatory approvals and standard closing conditions. Accenture’s majority stake in Dragos—rather than full acquisition—suggests a collaborative approach that preserves the firm’s entrepreneurial agility while leveraging Accenture’s global scale and client network. Full ownership of runZero and NetRise, meanwhile, allows deeper integration into Accenture’s existing cybersecurity and cloud practices. This hybrid model reflects a broader industry shift where consultancies blend strategic partnerships with outright acquisitions to rapidly scale niche capabilities without disrupting innovation cultures. 

For the cybersecurity market, Accenture’s move signals intensifying competition among large professional services firms to capture share in the booming industrial security segment. Enterprises, especially in critical infrastructure, stand to benefit from more integrated offerings that combine strategy, implementation, threat intelligence, and managed services under a single provider. However, investor reaction has been cautious, with Accenture’s shares dropping over 13% following the announcement, partly due to weaker-than-expected quarterly guidance tied to geopolitical headwinds. Still, the $4.18 billion bet highlights Accenture’s long-term conviction that cybersecurity—particularly in the industrial realm—will remain a cornerstone of digital transformation and risk management in the AI era.

Researchers Warn of Unpatched Argo CD Flaw That Enables Cluster Takeover

 


Organizations using Argo CD to automate application deployments on Kubernetes are being urged to review their network configurations after security researchers disclosed an unpatched vulnerability that could allow attackers to execute arbitrary code on the platform's repo-server component and ultimately seize control of an entire Kubernetes cluster.

The vulnerability was identified by French cybersecurity firm Synacktiv, which says the issue affects the repo-server, a core Argo CD service responsible for retrieving application source code from Git repositories and converting it into Kubernetes manifests before workloads are deployed. Because the repo-server sits at the center of the GitOps deployment process, compromising it gives an attacker an opportunity to interfere with how applications are delivered throughout the cluster.

According to the researchers, exploitation does not require authentication. An attacker only needs network access to the repo-server's internal gRPC service, which accepts requests from other Argo CD components but does not verify the identity of the caller. Once that communication channel becomes reachable, a specially crafted request can be used to trigger remote code execution on the vulnerable service.

Synacktiv reported the vulnerability to the Argo CD maintainers in January 2025 through a responsible disclosure process. However, roughly eighteen months later, the issue remains unresolved, with no official security patch or CVE identifier assigned. The researchers chose to disclose their findings publicly to give administrators time to strengthen their deployments while awaiting a permanent fix.

At the center of the attack is Argo CD's repo-server, which continuously retrieves application definitions stored in Git repositories and prepares them for deployment by generating Kubernetes manifests. These manifests describe the desired state of applications, including containers, services, networking, storage, and other deployment configurations that Kubernetes uses to build and manage workloads. Since every deployment passes through this component, gaining control of the repo-server can provide attackers with extensive influence over the software being deployed inside a cluster.

The vulnerability stems from an unauthenticated internal gRPC interface exposed by the repo-server. gRPC is a high-performance communication framework commonly used for communication between services inside distributed applications. In Argo CD's design, the interface is intended for trusted internal communication. However, Synacktiv found that the service performs no authentication checks, allowing any system capable of reaching the port to submit requests that the repo-server will process.

The researchers demonstrated the attack against Argo CD version 2.13.3. They noted that no patched release currently exists and did not publish a complete list of affected versions, leaving administrators without a definitive inventory of vulnerable deployments.

To achieve code execution, the attack abuses Kustomize, a Kubernetes configuration management tool that Argo CD relies on to generate deployment manifests. Kustomize can also invoke Helm, another widely used package manager for Kubernetes, through the "--helm-command" option that specifies which executable should be launched.

Instead of directing Kustomize to the legitimate Helm binary, Synacktiv discovered that an attacker can send a malicious GenerateManifest request instructing it to execute a script stored inside an attacker-controlled Git repository. When Kustomize begins processing the deployment, it unknowingly launches the attacker's script in place of Helm, providing arbitrary code execution within the repo-server environment.

Although the vulnerable interface is intended to remain internal, the researchers warn that internal services should not automatically be considered secure. Kubernetes clusters frequently host dozens or even hundreds of interconnected workloads, and a compromise affecting a single pod can become the starting point for lateral movement if internal communication is not properly restricted.

Argo CD includes Kubernetes NetworkPolicy resources designed to limit access to sensitive services such as the repo-server and Redis. However, Synacktiv found that these protections are disabled by default when Argo CD is deployed using its Helm chart because the "networkPolicy.create" option is set to "false". As a result, installations that rely on the default configuration may unintentionally leave the repo-server reachable from other workloads running inside the cluster.

In such environments, compromising a single pod may be enough for an attacker to contact the repo-server and exploit the vulnerability.

The researchers also demonstrated that remote code execution represents only the beginning of the attack chain. After obtaining execution on the repo-server, they extracted the Redis password stored in an environment variable, authenticated to Argo CD's Redis instance, and modified cached deployment information. When Argo CD later performed its routine synchronization with the Git repository, the poisoned cache caused the platform to deploy an attacker-controlled workload instead of the intended application.

According to Synacktiv, this technique effectively revives a previously addressed weakness tracked as CVE-2024-31989. That earlier vulnerability, discovered by Cycode, exposed Argo CD deployments where Redis lacked password protection, allowing any pod inside the cluster to manipulate deployment cache data. Although Argo CD later introduced Redis password protection to address that issue, the cache contents themselves remain unsigned. By stealing the Redis credentials through the newly disclosed repo-server vulnerability, attackers can once again tamper with deployment data and recreate a similar compromise path.

With no software update currently available, researchers recommend treating network segmentation as the primary line of defense. Administrators should enable Kubernetes NetworkPolicy rules to ensure that only legitimate Argo CD components can communicate with the repo-server and Redis services. Organizations deploying Argo CD through Helm should verify that these policies have been explicitly enabled rather than relying on the chart's default configuration.

Administrators can inspect active network policies by running:

"kubectl get networkpolicy -A"

A properly secured deployment should display dedicated network policies protecting each Argo CD component, including both the repo-server and Redis. Missing policies may indicate that sensitive internal services remain accessible to other workloads inside the cluster.

To help organizations evaluate their exposure, Synacktiv developed a proof-of-concept tool named argo-cdown, capable of automating the complete attack chain. The researchers have postponed its public release to provide defenders with additional time to secure vulnerable environments. The tool is expected to be published on GitHub later, allowing administrators to validate the effectiveness of their own security controls.

The newly disclosed vulnerability is the latest in a series of security issues affecting Argo CD's privileged position within Kubernetes environments. In September 2025, the project patched CVE-2025-55190 after researchers found that an API token with only basic read permissions could retrieve Git repository credentials associated with a project. Several months later, in May 2026, another flaw tracked as CVE-2026-42880 enabled read-only users to access plaintext Kubernetes secrets.

Taken together, these incidents point to a recurring challenge rather than isolated implementation flaws. Argo CD occupies one of the most privileged positions within Kubernetes deployments, maintaining access to source repositories, deployment pipelines, cluster resources, and sensitive credentials. As a result, weaknesses affecting its internal services can quickly become pathways to broader infrastructure compromise.

Until an official patch becomes available, organizations should assume that internal cluster traffic cannot always be trusted. Restricting communication between workloads, enabling Kubernetes NetworkPolicy protections, and limiting access to critical Argo CD services remain the most effective measures for reducing exposure to this newly disclosed attack technique.

WhatsApp Tests New Android Chat Backup Management Feature to Improve Google Drive Storage Control

 

Managing WhatsApp backups on Android might become significantly easier in the future as the messaging platform prepares new solutions to give users more control over their data. The upcoming update will allow people to organize and delete old backups, thus saving space on their devices and ensuring a better management of information stored on Google Drive. 

WhatsApp has been working on the tool for quite some time, while it has not been publicly available yet. Reporters found out about the future feature as they explored the latest beta version of the app. The new tool will appear in the Backup section and will enable users to delete old backups directly from WhatsApp, thus providing more space for data stored on Google Drive. 

This update will make managing storage much easier for millions of Android users who experience difficulties deleting excess data from Google Drive. The update comes as WhatsApp continues working on new ways to improve its cloud backup system. Last year, reporters learned about the company’s plan to create its cloud storage system. That way, WhatsApp users will be able to store their backups on Google Drive or the company’s cloud. 

According to the publication, WhatsApp’s storage will offer 2 gigabytes of space for free, and an additional 10 gigabytes can be acquired for a small fee. Moreover, regardless of the storage method, WhatsApp backups will be end-to-end encrypted. The encryption can be supplemented by a passkey, a regular password, or a 64-digit code. At the same time, WhatsApp has not abandoned its reliance on Google Drive. The application updates in 2021 demonstrated Android users’ demand for more control over their WhatsApp backups. 

Developers worked on ways to meet the users’ requirements and made the new in-app management system more accessible by adding shortcuts to Google Drive’s management system and Android’s built-in settings. In the same vein, Google has also been working on ways to provide more convenience and flexibility for Android users. Recently, Android users have received an additional tool to manage WhatsApp backups. 

With version 26.23 of Google Play Services, users gained the ability to view and control their WhatsApp backups directly from their device’s Settings menu. Thus, the Settings page now offers access to WhatsApp backups without having to open the messaging app. Right now, WhatsApp users can back up their chats, media files, voice notes, and other content to Google Drive. The application can automatically perform backups every day, weekly, or monthly. 

To restore a backup, one has to reinstall WhatsApp on their device and log in with their Google and WhatsApp account. The upcoming update will allow Android users to manage backups directly in WhatsApp, complementing Google’s newly introduced settings. The new system for managing WhatsApp backups will enable Android users to delete unwanted backups directly inside the application. 

That way, the update will enable more control over the backups, which will help the users that have multiple devices or simply change their smartphones too often. Having more than one phone results in multiple backups, whereas excessive WhatsApp backups consume more space on Google Drive. Though WhatsApp has not announced when the update will be released, it should come in the near future. 

After Google released its new system that allows Android users better control over WhatsApp backups, the update can be available to users soon. If the update arrives in 2022, Android users will appreciate the additional flexibility and convenience of managing their WhatsApp backups while keeping their data safe and secure.

Featured