Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Government Remains Primary Target as Cyberattacks Grow in 2025

  Government institutions were the most heavily targeted sector in 2025, according to newly published research from HPE Threat Labs, which d...

All the recent news you need to know
Technology
AI Autonomy MiniMax M2.7 Model Optimization Self-Evolving AI Technology

MiniMax Unveils Self-Evolving M2.7 AI: Handles 50% of RL Research

 

Chinese AI startup MiniMax has unveiled its latest proprietary model, M2.7, touted as the industry's first "self-evolving" AI capable of independently handling 30% to 50% of reinforcement learning research workflows. According to a VentureBeat report, this breakthrough positions M2.7 as a reasoning powerhouse that automates key stages of model development, from debugging to evaluation and iterative optimization. Unlike traditional large language models reliant on constant human oversight, M2.7 actively participates in its own improvement cycle, building agent harnesses, updating memory systems, and refining skills based on real-time experiment outcomes. 

The model's self-evolution mechanism represents a paradigm shift in AI training. MiniMax claims M2.7 can execute complex tasks such as hyperparameter tuning and performance benchmarking with minimal engineer intervention, drastically reducing development timelines and costs. Early benchmarks underscore its prowess: a 56.22% score on SWE-Pro for software engineering tasks, alongside competitive results in coding and logical reasoning evaluations. This autonomy stems from advanced reinforcement learning integration, allowing the model to learn from failures and adapt dynamically without external prompts. 

MiniMax, known for previous hits like the Hailuo video generation platform, developed M2.7 amid intensifying global competition in AI. The Shanghai-based firm emphasizes that the model's proprietary nature safeguards its edge, though it plans limited API access for enterprise users. Industry observers note this launch echoes trends from OpenAI and Anthropic, where AI agents increasingly shoulder research burdens, but M2.7's scale—handling up to half of RL workflows—sets it apart. 

Practical implications extend to software engineering and enterprise automation. Developers report M2.7 excels in generating production-ready code, debugging intricate systems, and optimizing algorithms, making it a boon for tech firms grappling with talent shortages. As AI models grow more autonomous, concerns arise over transparency and control; MiniMax assures safeguards like human veto mechanisms prevent runaway evolution. Still, the model's ability to self-improve raises questions about the future obsolescence of human-led training pipelines. 

Looking ahead, M2.7 signals an era where AI doesn't just consume data but engineers its own advancement. If validated at scale, this could accelerate innovation across sectors, from autonomous vehicles to drug discovery, while challenging Western dominance in AI. MiniMax's bold claim invites scrutiny, but early demos suggest self-evolving models are no longer science fiction—they're here, reshaping the boundaries of machine intelligence.
Read more »
Cyber Security
authentication bypass flaw blocking unauthorized access ConnectWise ConnectWise ScreenConnect ConnectWise ScreenConnect malware Cyber flaws Cyber Security

ConnectWise Warns of Critical ScreenConnect Flaw Enabling Unauthorized Access

 

A security alert now circulates among ScreenConnect users - critical exposure lurks within older builds. Versions released before 26.1 carry a defect labeled CVE-2026-3564. Unauthorized entry becomes possible through this gap, alongside elevated permissions. ConnectWise urges immediate awareness around these risks. Though no widespread attacks appear confirmed yet, the potential remains serious. 

Running on servers or in the cloud, ScreenConnect serves MSPs, IT departments, and help desks needing distant computer control. A flaw detailed in the alert stems from weak checks on digital signatures - potentially leaking confidential ASP.NET keys meant to stay protected.  

Should machine keys fall into the wrong hands, forged authentication data might emerge - opening doors normally protected by access checks. Access of this kind often lets attackers move through ScreenConnect environments unnoticed. Their actions then mirror those permitted to verified accounts. 

With version 26.1, ConnectWise rolled out stronger safeguards - data encryption and better machine key management now built in. Updates reached cloud-hosted users without any action needed; systems shifted quietly behind the scenes. Yet those managing local installations must act fast: moving to the latest release cuts exposure sharply. Delay raises concerns, especially where control rests internally. 

Even though the firm reported no verified cases of CVE-2026-3564 currently under attack, it admitted experts have spotted efforts to misuse accessible machine keys outside lab settings. Such activity implies the flaw carries a realistic risk right now. 

Unconfirmed reports suggest certain weaknesses might have already caught the attention of skilled attackers. Earlier incidents could tie into these, one example being CVE-2025-3935. That case revolved around stolen machine keys pulled from ScreenConnect systems. Some connections between past events and current concerns remain unclear. 

Software updates aside, ConnectWise advises tighter access rules for configuration files. Unusual patterns in login records should draw attention. Backups need protection through layered safeguards. Each extension must remain current to reduce exposure. Monitoring happens alongside preventive steps by design. 

Despite common assumptions, remote access tools continue posing significant threats. Patching delays often open doors to attackers. Staying ahead means adopting active defenses before weaknesses are exploited. Vigilance matters most when systems appear secure. Preventive steps reduce chances of unauthorized entry significantly.
Read more »
Third Party Risk
Banking Security Cybersecurity Threats Data Breach Data protection financial data exposure Network Security Ransomware attack SonicWall Vulnerability Third Party Risk

Large Scale Ransomware Attack at Marquis Compromises Data of 672000 People


 

Marquis, a Texas-based provider of analytics and visualization solutions to hundreds of U.S. banks, recently disclosed a ransomware intrusion that took place in August 2025 resulted in a large-scale compromise of highly sensitive customer information, demonstrating the systemic vulnerability inherent in today's interconnected financial data ecosystem. 

A breach that has only recently become publicized due to regulatory disclosures affected at least 672,075 individuals, and involved exfiltration of both personal identifiers and critical financial information. A company filing submitted to the Maine Attorney General's office indicates that it is beginning the process of notifying the affected, with a significant concentration of those affected residing in Texas. 

In light of the extent of the stolen dataset, which consists of names, dates of birth, addresses, bank account details, payment card information, and even Social Security numbers, this is not merely an unauthorized access incident, but a deeply consequential event threatening consumer financial security as well as institutional trust for the long term. 

Marquis has received subsequent disclosures suggesting that the incident may have been linked to a broader compromise within the vendor ecosystem on which Marquis relies. SonicWall released an advisory in mid-September 2025 urging its customers to reset their credentials following the discovery of a brute-force attack on the MySonicWall cloud platform. This service stores and manages configuration backups on behalf of firewall administrators. 

A backup may contain highly sensitive operational data, including network rules, access control policies, VPN configurations, authentication parameters associated with enterprise identity systems such as LDAP, RADIUS, and SNMP, as well as administrative account credentials. Later, Marquis confirmed the inclusion of Marquis among those affected entities, and the company acknowledged that the compromise encompassed the entire company's customer base. 

Although early reports do not offer a complete picture of downstream impact, subsequent regulatory filings by Marquis across multiple jurisdictions show that the nature and extent of compromised data varies from state to state. This company provided a particularly comprehensive dataset in its submission to Maine authorities that included names, physical addresses, contact information, Social Security numbers, taxpayer identification numbers, and financial account information without associated security codes. 

The date of birth, as well as the dates of birth, indicate a breach with both infrastructure and personal consequences. As a result of the incident, more attention has been drawn to the structural risks associated with the financial sector's reliance on third-party service providers, where a single point of compromise can have cascading effects on a number of institutions and, by extension, their clients. 

The runsomware event in August affected data associated with clients from dozens of banks and credit unions, according to Marquis, but it has only recently been confirmed how broad the scope of the individual impact and the amount of information exposed have been clarified. According to our investigation, the initial intrusion vector was caused by unauthorized access to the SonicWall firewall, which permitted a third party to gain access to Marquis’ internal network. 

In response to this incident, the company has taken legal action against the vendor, emphasizing the complexity of accountability issues which often follow breaches involving interconnected technology. Providing digital and physical marketing solutions to more than 700 financial institutions along with compliance software and services, Marquis occupies a position of considerable data centrality, which inherently magnifies the downstream consequences of any security breaches. 

Due to their centralized storage of aggregated financial data and personally identifiable information, such intermediaries remain high-value targets for ransomware groups. Upon learning about the breach, affected individuals are advised to adopt heightened monitoring practices, including carefully reviewing their bank and credit card transactions, obtaining credit reports from established credit bureaus, and activating fraud alerts and credit freezes whenever necessary. 

Furthermore, caution is being urged against unsolicited communications that may attempt to exploit the incident through phishing or social engineering methods. Ultimately, the episode underscores the importance of continuous risk assessments, stronger access controls, and coordinated security strategies between institutions and service providers as an increasingly persistent and sophisticated threat landscape continues to affect the financial ecosystem.

A security breach has also drawn attention to the systemic vulnerabilities introduced by financial institutions' deeper integration with third-party technology providers, where operational efficiency is often sacrificed at the expense of expanded attack surfaces. 

Even though Marquis had previously acknowledged that the August ransomware incident affected banking and credit union clients, subsequent disclosures have clarified the extent of individual exposures as well as the sensitive nature of compromised records.

A forensic analysis revealed that the point of entry was a SonicWall firewall that permitted unauthorized access to Marquis' internal infrastructure, allowing an external actor to gain access to the system. It has therefore decided to pursue legal action against the vendor in response, emphasizing the complex issues of liability and shared responsibility that arise from breaches within interconnected digital ecosystems. 

A significant amount of information within Marquis's systems magnifies the impact of such an intrusion because of the company's role in providing marketing, compliance, and data-driven services to more than 700 financial institutions. Observations from security experts suggest organizations that operate at this crossroads of aggregated financial and personally identifiable data remain particularly attractive targets for ransomware operators seeking maximum impact. 

In light of the incident, individuals are being urged to adopt a more vigilant stance, which includes monitoring their financial statements on a continuous basis, obtaining credit reports to detect anomalies, and implementing precautionary measures, such as fraud alerts or credit freezes, as appropriate.

A special focus is being placed on preventing opportunistic follow-on attacks, such as phishing attacks or deceptive outreach that may use compromised information to establish trust. These incidents serve as a reminder, together with tighter access governance and more cohesive defensive collaboration between service providers and their institutional clients, of the importance of continuous security reassessment, tighter access governance, and more cohesive defensive collaboration. 

In an increasingly complex digital environment, threat actors continue to refine their tactics. Despite the incident's unfortunate outcome, it serves as a defining example of how digitally interconnected financial services are evolving in terms of risk dynamics, in which trust is distributed among vendors, platforms, and shared infrastructure. 

As a result, cybersecurity is no longer considered a perimeter function, but rather an integrated, continuous discipline throughout the entire supply chain that must be addressed continuously. It entails a deeper level of vendor due diligence, stricter configuration governance, and real-time visibility into third-party dependencies for institutions. As a result, service providers must harden cloud-integrated environments and limit the persistence of sensitive credentials within systems that can be accessed. 

A stronger regulatory scrutiny and continued exploits of systemic interdependencies will lead to an increasing focus on resilience, which will not necessarily mean avoiding breaches but rather anticipating, containing, and responding transparently to breaches without eroded stakeholder trust.
Read more »
malware
Crypto Wallet Theft DarkSword exploit kit GHOSTBLADE iOS security iOS Vulnerability iPhone Malware malware

DarkSword Exploit Kit Targets iPhones, Steals Crypto Wallet and Personal Data


 

A newly identified exploit kit named “DarkSword” is being used to target iOS devices and extract a wide range of sensitive user information, including data from cryptocurrency wallet applications.

The threat specifically impacts iPhones running iOS versions 18.4 to 18.7 and has been linked to multiple threat actors. Among them is UNC6353, believed to have Russian origins, which leveraged the previously disclosed Coruna exploit chain earlier this month.

The exploit kit was uncovered by researchers at mobile security firm Lookout during an investigation into infrastructure tied to Coruna-based attacks. The analysis was further supported by Google’s Threat Intelligence Group (GTIG) and iVerify, providing deeper insights into this emerging threat and the groups behind it. According to iVerify, the exploit chain relies on already known vulnerabilities—covering sandbox escape, privilege escalation, and remote code execution—that have since been patched by Apple in recent iOS updates.

DarkSword operates using six vulnerabilities tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.

According to a report from GTIG, the exploit kit has been active since at least November 2025 and has been deployed by several actors using three distinct malware families:
  • GHOSTBLADE: A JavaScript-based data stealer that collects extensive information such as cryptocurrency wallet details, system data, browsing history, photos, location, and communications from platforms like iMessage, Telegram, WhatsApp, email, and call logs.
  • GHOSTKNIFE: A backdoor capable of extracting account credentials, messages, browsing data, location history, and recordings.
  • GHOSTSABER: Another JavaScript-based backdoor that can enumerate devices and accounts, execute scripts, access files, and steal data.
The earliest observed use of this exploit chain is attributed to UNC6748, which targeted users in Saudi Arabia through a website mimicking Snapchat.

GTIG also reported that in late November 2025, DarkSword activity was detected in Turkey and linked to PARS Defense, a commercial surveillance vendor. These attacks targeted devices running iOS 18.4 through 18.7.

"Unlike the UNC6748 activity, this campaign was carried out with more attention to OPSEC, with obfuscation applied to the exploit loader and some of the exploit stages, and the use of ECDH and AES to encrypt exploits between the server and the victim," GTIG notes.

Subsequently, Google researchers observed similar activity in Malaysia, where another PARS Defense client deployed the GHOSTSABER backdoor.

UNC6353, suspected to be involved in Russian espionage operations, has been using the Coruna exploit kit since mid-2025 and began deploying DarkSword in December 2025 against targets in Ukraine. These attacks continued into March 2026, primarily through watering hole campaigns involving compromised websites that delivered the GHOSTBLADE malware.

Researchers also noted that although "earlier DarkSword use attributed to UNC6748 and PARS Defense also supported iOS 18.7, we did not observe that from UNC6353, despite their later operational timeline."

Lookout researchers highlighted that both Coruna and DarkSword show signs of development aided by large language models (LLMs), with DarkSword containing multiple explanatory code comments.

“This malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules through access to a high level programming language,” Lookout says.

“This extra step shows a significant effort put into the development of this malware with thoughts about maintainability, long-term development and extensibility.”

In addition to the one-click exploit kit, iVerify identified a Safari-based exploit chain involving sandbox escape, privilege escalation, and in-memory implants capable of extracting sensitive data.

DarkSword attacks typically begin in the Safari browser, where multiple exploits are chained together to gain kernel-level read/write access. A central orchestrator component (pe_main.js) is then used to execute malicious code.

While the initial compromise vector remains unclear, attackers were able to inject malicious iframes into targeted websites. The orchestrator then embeds a JavaScript engine into high-privilege iOS services such as App Access, Wi-Fi, Springboard, Keychain, and iCloud, enabling data exfiltration via modules like GHOSTBLADE.

The stolen data may include:
  • Saved passwords
  • Photos (including hidden and screenshots)
  • Messaging app databases (WhatsApp, Telegram)
  • Cryptocurrency wallets (Coinbase, Binance, Ledger, etc.)
  • SMS messages
  • Contacts and call history
  • Location and browsing history
  • Cookies and Wi-Fi credentials
  • Apple Health data
  • Calendar entries and notes
  • Installed apps and linked accounts
Notably, the malware deletes temporary files and exits after exfiltration, suggesting it is not designed for persistent surveillance.

Lookout assesses that DarkSword is likely used by a Russian-linked threat actor pursuing both financial gain and espionage objectives aligned with national intelligence interests.

Users are strongly advised to update their devices to the latest iOS version. Devices with Lockdown Mode enabled are also protected against both Coruna and DarkSword.

In a statement to BleepingComputer, Apple confirmed that patches addressing these vulnerabilities were released last year and extended to older devices as well. The company noted that users running iOS 15 through iOS 26 are already protected, and that devices on iOS 17 and later benefit from the Memory Integrity Enforcement feature, which mitigates such attacks.

To enhance security, users should enable passcodes, use strong passwords with two-factor authentication, avoid sideloading apps, and refrain from clicking on suspicious links or attachments.



Read more »
Iran
APT Group Artificial Intelligence CISA Cyber Attacks Cyber Breach Hacktivism Iran

Cyber Operations Expand as Iran Conflict Extends into Digital Warfare

 




Cyberattacks are increasingly being used alongside conventional military actions in the ongoing conflict involving Iran, with both state-linked actors and loosely organised hacker groups targeting systems in the United States and Israel.

A recent incident involving Stryker illustrates the scale of this activity. On March 11, the company confirmed that a cyberattack had disrupted parts of its global network. Employees across several offices reportedly encountered login screens displaying the symbol of Handala, a group believed to have links to Iran. The attack affected systems within Microsoft’s environment, although the full extent of the disruption and the timeline for recovery remain unclear.

Handala has claimed responsibility for the operation, stating that it exploited Microsoft’s cloud-based device management platform, Intune. According to data from SOCRadar, the group alleged it remotely wiped more than 200,000 devices across 79 countries. These claims have not been independently verified, and attempts have been made to seek confirmation from Microsoft. The group described the attack as retaliation for a missile strike in Minab, Iran, which reportedly killed more than 160 people at a girls’ school.

This breach is part of a broader surge in cyber activity following Operation Epic Fury, with multiple pro-Iranian actors directing attacks against American and Israeli systems.


State-linked groups target essential systems

A cybersecurity assessment indicates that several groups associated with Iran’s Islamic Revolutionary Guard Corps, including CyberAv3ngers, APT33, and APT55, are actively targeting critical infrastructure in the United States.

These operations focus on industrial control systems, which are specialised computers used to manage essential services such as electricity grids, water treatment plants, and manufacturing processes. In some instances, attackers have gained access by using unchanged default passwords, allowing them to install malicious software capable of interfering with or taking control of these systems.

CyberAv3ngers has reportedly accessed industrial machinery in this way, while APT33 has used commonly reused passwords to infiltrate accounts at US energy companies. After gaining entry, the group attempts to weaken safety mechanisms by inserting malware into operational systems. APT55, meanwhile, has focused on cyber-espionage, targeting individuals connected to the energy and defence sectors to gather intelligence for Iranian operations.

Other groups linked to Iran’s Ministry of Intelligence and Security, including MuddyWater and APT34, are also involved in these campaigns. MuddyWater has targeted telecommunications providers, oil and gas companies, and government organisations. It functions as an initial access broker, meaning it breaks into networks, collects login credentials, and then passes that access to other attackers.

Handala has also claimed additional operations beyond the Stryker incident. These include deleting more than 40 terabytes of data from servers at the Hebrew University of Jerusalem and breaching systems linked to Verifone in Israel. However, Verifone has stated that it found no evidence of any compromise or service disruption.

Cyber operations are also being carried out by the United States and Israel.

General Dan Caine stated on March 2 that US Cyber Command was one of the first operational units involved in Operation Epic Fury. He said these efforts disrupted Iran’s communication and sensor networks, leaving it with reduced ability to monitor, coordinate, or respond effectively. He did not provide further operational details.

On March 13, Pete Hegseth confirmed that the United States is using artificial intelligence alongside cyber tools as part of its military approach in the conflict.

Separate reporting suggests that Israeli intelligence agencies may have used data obtained from compromised traffic cameras across Tehran to support planning related to Iran’s leadership, including Ayatollah Ali Khamenei.


Hacktivist networks operate with fewer constraints

Alongside state-backed actors, hacktivist groups have played a significant role. More than 60 such groups reportedly mobilised in the early hours of Operation Epic Fury, forming a coalition known as the Cyber Islamic Resistance.

This network coordinates its activity through Telegram channels described as an “Electronic Operations Room.” Unlike state-directed groups, these actors operate based on ideological motivations rather than central command structures. Analysts note that such groups tend to be less disciplined, more unpredictable, and more likely to act without regard for civilian impact.

Within the first two weeks of the conflict, the coalition claimed responsibility for more than 600 distinct cyber incidents across over 100 Telegram channels. These include attacks targeting Israeli defence-related systems, drone detection platforms such as VigilAir, and infrastructure affecting electricity and water services at a hotel in Tel Aviv.

The same group also claimed to have compromised BadeSaba Calendar, a widely used religious mobile application with more than five million downloads. During the incident, users reportedly received messages such as “Help is on the way” and “It’s time for reckoning,” based on screenshots shared online.

Some analysts assess that these groups may be using artificial intelligence tools to compensate for limited technical expertise, allowing them to scale operations more effectively.


Global actors join the conflict

Cyber intelligence findings suggest that participation in these operations is expanding geographically. Ongoing internet restrictions within Iran appear to be limiting the involvement of domestic hacktivists by disrupting Telegram-based coordination.

As a result, increased activity has been observed from pro-Iranian groups based in Southeast Asia, Pakistan, and other parts of the Middle East.

The Islamic Cyber Resistance in Iraq, also known as the 313 Team, has claimed responsibility for attacks on websites belonging to Kuwaiti government ministries, including defence-related institutions, according to a separate threat intelligence briefing. The group has also reportedly targeted websites in Romania and Bahrain.

Another group, DieNet, has claimed cyber operations affecting airport systems in Bahrain, Saudi Arabia, and the United Arab Emirates.

Russian-linked actors have also entered the landscape. NoName057(16), previously involved in cyber campaigns related to Ukraine, has launched distributed denial-of-service attacks, a technique used to overwhelm websites with traffic and render them inaccessible. Targets include Israeli municipal services, political platforms, telecommunications providers, and defence-related entities, including Elbit Systems, as noted by a threat intelligence monitoring platform.

The group is also reported to be collaborating with Hider-Nex, a North Africa-based collective that has claimed attacks on Kuwaiti government domains.


Some pro-Israeli hacktivist groups are active, including Anonymous Syria Hackers. One such group recently claimed to have breached an Iranian technology firm and released sensitive data, including account credentials, emails, and passwords.

However, these groups remain less visible. Analysts suggest that Israel primarily conducts cyber operations through state-controlled channels, reducing the role and visibility of independent actors. In addition, these groups often do not appear in alerts issued by agencies such as the US Cybersecurity and Infrastructure Security Agency, making their activities harder to track.


These developments suggest how cyber operations are becoming embedded in modern warfare. Such attacks are used not only to disrupt infrastructure but also to gather intelligence, impose financial strain, and influence perception.

The growing use of artificial intelligence, combined with the involvement of decentralised and ideologically driven groups, is making attribution more complex and the threat environment more difficult to manage. As a result, cyber capabilities are now a central component of how conflicts are conducted, extending the battlefield into digital systems that underpin everyday life.

Read more »
User Security
Cyber Fraud Indian Government Loan Apps RBI User Security

Govt, RBI Tighten Grip on Fraudulent Loan Apps

 

The Government of India and the Reserve Bank of India (RBI) have intensified efforts to combat fraudulent digital loan apps that exploit vulnerable borrowers. In a recent Rajya Sabha response, Minister of State for Finance Pankaj Chaudhary outlined coordinated measures to strengthen the digital lending framework and protect consumers from unauthorized platforms. These steps follow growing concerns over illegal apps that charge exorbitant rates and harass users. 

RBI formed a Working Group on Digital Lending, including loans via online platforms and mobile apps, leading to comprehensive guidelines issued to regulated entities (REs). All REs must comply, with supervisory assessments ensuring adherence; non-compliance triggers rectification or enforcement actions. The guidelines aim to make the ecosystem transparent, safe, and customer-focused by firming up regulations for app-based lending. 

A key initiative is RBI's 'Digital Lending Apps (DLAs)' directory, launched on July 1, 2025, listing all apps deployed by REs. This public tool helps users verify an app's legitimacy and association with regulated lenders. It addresses the confusion caused by fake apps mimicking legitimate ones, empowering borrowers to avoid scams before downloading. 

The Ministry of Electronics and Information Technology (MeitY) blocks fraudulent apps under Section 69A of the IT Act, 2000, following due process. Internet intermediaries face directives for tech-driven vetting to stop malicious ads from offshore entities, while the Indian Cyber Crime Coordination Centre (I4C) analyzes risky apps. Citizens can report issues via the National Cybercrime Reporting Portal (cybercrime.gov.in) or helpline 1930, with banks using 'SACHET' and State Level Coordination Committees for complaints. 

Awareness drives include RBI's SMS, radio campaigns, and e-BAAT programs on cyber fraud prevention. States handle enforcement as 'Police' is their domain, supported by central advisories. These multi-pronged actions signal a robust push toward a secure digital lending space in India.
Read more »
Subscribe to: Comments (Atom)

Featured