
German Police Have Identified the Leader of the TrickBot Criminal Gang

German police have named the leader of the cybercrime gang

Germany's Federal Criminal Police Office (BKA) has claimed that “Stern,” the leader of the TrickBot and Conti cybercrime gangs, is Vitaly Nikolaevich Kovalev, a 36-year-old Russian.

According to the BKA, he is suspected of founding the TrickBot group, also known as Wizard Spider. The identification was part of Operation Endgame, a collaborative global crackdown against malware infrastructure and the hackers behind it. The gang used TrickBot and other malware, including SystemBC, BazarLoader, Ryuk, Diavol, Conti, and IcedID.

Most wanted in Germany

According to Interpol, Kovalev is wanted in Germany. He is charged with being the mastermind of an unnamed criminal gang.

This is not the first time Kovalev has been charged with participating in a cybercrime organization. In 2023, he was one of seven Russians charged in the US for their connections to the Conti and TrickBot cybercrime gangs. 

At that time, he was only charged as a senior member of the TrickBot gang using the aliases “Bergen,” “Ben,” “Bentley,” and “Alex Konor.”

Leaks led to the identification

The sanctions were announced after massive information leaks from Conti and TrickBot members called ContiLeaks and TrickLeaks.

ContiLeaks gave access to the gang’s internal conversations and source code, while TrickLeaks went further and exposed the identities, personal information, and online accounts (including on X, formerly Twitter) of TrickBot members.

These chats revealed that Kovalev, aka “Stern,” was heading the TrickBot operation as well as the Conti and Ryuk ransomware groups. The chats showed members asking Stern for permission before launching attacks or obtaining lawyers for TrickBot members captured in the U.S.

The leaks led to a speedy crackdown on Conti, with gang members switching to other operations or forming new criminal groups such as BlackCat, LockBit, Royal, Black Basta, AvosLocker, Zeon, and DagonLocker.

BKA’s investigation revealed that the “TrickBot group consisted of more than 100 members. It works in an organized and hierarchically structured manner and is project and profit-oriented.” 

BKA said that the “group is responsible for the infection of several hundred thousand systems in Germany and worldwide; through its illegal activities, it has obtained funds in the three-digit million range. Its victims include hospitals, public facilities, companies, public authorities, and private individuals."

Kovalev is in hiding and German police believe that he may be in Russia. The police have asked for any info that could lead to his arrest. 

Rust-Developed InfoStealer Extracts Sensitive Data from Chromium-Based Browsers


Browsers at risk

A new information-stealing malware written in the Rust programming language has surfaced as a major threat to users of Chromium-based browsers such as Microsoft Edge and Google Chrome.

Known as “RustStealer” by cybersecurity researchers, this malware is designed to retrieve sensitive data, including login cookies, browsing history, and credentials, from infected systems.

Evolution of Rust language

The growing use of Rust, a language known for memory safety and performance, indicates a shift toward more resilient and harder-to-detect threats: Rust binaries often evade traditional antivirus solutions because they are natively compiled and still relatively uncommon in the malware ecosystem.

RustStealer operates with a high degree of stealth, using sophisticated obfuscation techniques to evade endpoint security tools. Initial infection vectors point to phishing campaigns, in which malicious attachments or links in seemingly genuine emails trick users into downloading the payload.

After execution, the malware establishes persistence via registry modifications or scheduled tasks to ensure it remains active after the system reboots.

Distribution Mechanisms

Its primary targets are Chromium-based browsers, where it abuses the accessibility of unencrypted information stored in browser profiles to harvest session tokens, usernames, and passwords.

RustStealer has also been found to exfiltrate data to remote C2 servers over encrypted communication channels, making detection by network monitoring tools such as Wireshark more challenging.

Experts have also observed its ability to target cryptocurrency wallet extensions, exposing users who manage digital assets via browser plugins. This multi-faceted approach highlights the malware’s goal of maximizing data theft while reducing the chances of early detection, a technique similar to that of advanced persistent threats (APTs).

About RustStealer malware

What makes RustStealer different is its modular build, which lets its operators rework its capabilities remotely. This flexibility reveals that future ve

This adaptability suggests that future variants could integrate functionalities such as ransomware components or keylogging, intensifying the threat in the longer run.

The use of Rust also complicates reverse-engineering efforts, since compiled Rust output is harder to decompile than the interpreted languages, such as Python, used in older malware strains.

Businesses are advised to remain vigilant: deploy strong anti-phishing controls, keep browser software updated, and use endpoint detection and response (EDR) solutions to detect suspicious behavior.

Unimed AI Chatbot Exposes Millions of Patient Messages in Major Data Leak

A significant data exposure involving Unimed, one of the world’s largest healthcare cooperatives, has come to light after cybersecurity researchers discovered an unsecured database containing millions of sensitive patient-doctor communications.

The discovery was made by cybersecurity experts at Cybernews, who traced the breach to an unprotected Kafka instance. According to their findings, the exposed logs were generated from patient interactions with “Sara,” Unimed’s AI-driven chatbot, as well as conversations with actual healthcare professionals.

Researchers revealed that they intercepted more than 140,000 messages, although logs suggest that over 14 million communications may have been exchanged through the chat system.

“The leak is very sensitive as it exposed confidential medical information. Attackers could exploit the leaked details for discrimination and targeted hate crimes, as well as more standard cybercrime such as identity theft, medical and financial fraud, phishing, and scams,” said Cybernews researchers.

The compromised data included uploaded images and documents, full names, contact details such as phone numbers and email addresses, message content, and Unimed card numbers.

Experts warn that this trove of personal data, when processed using advanced tools like Large Language Models (LLMs), could be weaponized to build in-depth patient profiles. These could then be used to orchestrate highly convincing phishing attacks and fraud schemes.

Fortunately, the exposed system was secured after Cybernews alerted Unimed. The organization issued a statement confirming it had resolved the issue:

“Unimed do Brasil informs that it has investigated an isolated incident, identified in March 2025, and promptly resolved, with no evidence, so far, of any leakage of sensitive data from clients, cooperative physicians, or healthcare professionals,” the notification email stated. “An in-depth investigation remains ongoing.”

Healthcare cooperatives like Unimed are nonprofit entities owned by their members, aimed at delivering accessible healthcare services. This incident raises fresh concerns over data security in an increasingly AI-integrated medical landscape.

Critical Bug in E-commerce Website, Over 10000 Customers Impacted


WordPress plugin exploit

Cybersecurity experts have found a critical unpatched security vulnerability impacting the TI WooCommerce Wishlist plugin for WordPress that unauthorized threat actors could abuse to upload arbitrary files.

TI WooCommerce Wishlist has more than 100,000 active installations. It allows e-commerce website users to save their favorite products for later and share the lists on social media platforms. According to Patchstack researcher John Castro, “The plugin is vulnerable to an arbitrary file upload vulnerability which allows attackers to upload malicious files to the server without authentication.”

About the vulnerability 

Tracked as CVE-2025-47577, the vulnerability has a CVSS score of 10.0 (critical). It impacts all versions of the plugin below 2.9.2, released on November 29, 2024. Currently, there is no patch available.

According to the security company, the issue lies in a function called "tinvwl_upload_file_wc_fields_factory," which calls the native WordPress function "wp_handle_upload" to validate the upload but sets the override parameters “test_form” and “test_type” to “false.”

The "test_type" override controls whether the Multipurpose Internet Mail Extensions (MIME) file type is checked against the expected types, while “test_form” verifies that the $_POST['action'] parameter is correct.

Setting "test_type" to false effectively bypasses the file type validation, permitting any file type to be uploaded.

Reading the calendar

The TI WooCommerce Wishlist plugin is an extension for WooCommerce stores that lets users create and manage wishlists, saving and sharing their wishlist products.

Besides social sharing options, the plugin offers AJAX-based functionality, email alerts, and, in the premium variant, multiple-wishlist support.

Impact of attack

The potential attack surface is massive. A major concern is that these are e-commerce sites where customers spend money, which compounds the risk.

Currently, the latest variant of the plugin is 2.9.2, last updated 6 months ago. As the patch has not yet been released, concerned users are advised to deactivate and remove the plugin until a fix is issued.

A mitigating factor is that successful exploitation requires the WC Fields Factory plugin to also be installed and active, with its integration enabled in the TI WooCommerce Wishlist plugin. This narrows the set of exploitable sites and makes things harder for threat actors.
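As an added illustration (not the plugin's own code), the override combination described above is shown beside a hardened upload handler; the function names, nonce action and MIME allow-list are assumed values, while wp_handle_upload, wp_check_filetype_and_ext, check_ajax_referer and current_user_can are core WordPress APIs:

```php
<?php
// Added example, not code from the TI WooCommerce Wishlist plugin.
// Assumes it runs inside a WordPress plugin where the core upload APIs exist.

// Weak: both core checks disabled, so any file type from any request is accepted.
function example_upload_weak( array $file ) {
    return wp_handle_upload( $file, array(
        'test_form' => false,  // skips the $_POST['action'] check
        'test_type' => false,  // skips MIME/extension validation
    ) );
}

// Hardened: require a capability and a nonce, keep the core checks on,
// and restrict uploads to an explicit allow-list of MIME types.
function example_upload_hardened( array $file ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return array( 'error' => 'Insufficient permissions.' );
    }
    // Nonce action and query argument names are assumed for this example.
    check_ajax_referer( 'example_wishlist_upload', 'nonce' );

    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Confirm the extension and the actual file content agree before handing off.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return array( 'error' => 'File type not permitted.' );
    }

    return wp_handle_upload( $file, array(
        'test_form' => true,                       // core checks stay enabled
        'test_type' => true,
        'mimes'     => $allowed,                   // allow-list enforced again by core
        'action'    => 'example_wishlist_upload',  // must match $_POST['action']
    ) );
}
```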

TSA Advises Against Using Airport USB Ports to Charge Your Phone


So-called juice jacking is the most controversial topic in cybersecurity circles. In most years, when a new alert is issued by a government agency before the holidays, it creates new headlines. Stories are written and cyber eyebrows are raised — there are more stories than attacks. But still those stories come. However, a recent alert raises the possibility that travellers may actually be at risk.

In reality, juice jacking occurs when you plug your phone into a public charging cable or socket at a hotel or airport, and rather than a dumb charger, a computer operates in the background to retrieve data from your device. This is not the same as carefully designed attack cables that contain a malicious payload inside the cable.

The latest official warning (and headlines 1,2) comes from the TSA. "When you're at an airport, do not plug your phone directly into a USB port," it warns you. "Bring your TSA-compliant power brick or battery pack and plug in there." This is so because "hackers can install malware at USB ports (we've been told that's called 'juice/port jacking').” 

TSA also urges smartphone users not to use free public WiFi, especially if they intend to make any online purchases. Do not enter any sensitive information while using unsecure WiFi. Cyber experts are almost as divided on the public WiFi hijacking problem as they are on juice-jacking. TL;DR: While it compromises your location, all encrypted data transmitted to or from your device via websites or apps should be secure.

The greater risk is downloading an app from the malicious access point's splash page, filling online forms, or being routed to bogus login sites for Microsoft, Google, or other accounts. The typical advice applies: use passkeys, avoid logging in to linked or popup windows and instead utilise the traditional channels, and do not reveal personal information. You should also be cautious about which WiFi hotspots you connect to - are they legitimate services from the hotel, airport, or mall, or are they cleverly labelled fakes? 

This is more of an issue for Android than iOS, but it isn't something most people need to be concerned about. However, if you believe you may be the target of an attack or if you travel to high-risk areas of the world, I strongly advise against utilising public charging outlets or public WiFi without some type of data protection.

AI Agents Raise Cybersecurity Concerns Amid Rapid Enterprise Adoption


A growing number of organizations are adopting autonomous AI agents despite widespread concerns about the cybersecurity risks they pose. According to a new global report released by identity security firm SailPoint, this accelerated deployment is happening in a largely unregulated environment. The findings are based on a survey of more than 350 IT professionals, revealing that 84% of respondents said their organizations already use AI agents internally. 

However, only 44% confirmed the presence of any formal policies to regulate the agents’ actions. AI agents differ from traditional chatbots in that they are designed to independently plan and execute tasks without constant human direction. Since the emergence of generative AI tools like ChatGPT in late 2022, major tech companies have been racing to launch their own agents. Many smaller businesses have followed suit, motivated by the desire for operational efficiency and the pressure to adopt what is widely viewed as a transformative technology.  

Despite this enthusiasm, 96% of survey participants acknowledged that these autonomous systems pose security risks, while 98% stated their organizations plan to expand AI agent usage within the next year. The report warns that these agents often have extensive access to sensitive systems and information, making them a new and significant attack surface for cyber threats. Chandra Gnanasambandam, SailPoint’s Executive Vice President of Product and Chief Technology Officer, emphasized the risks associated with such broad access. He explained that these systems are transforming workflows but typically operate with minimal oversight, which introduces serious vulnerabilities. 

Further compounding the issue is the inconsistent implementation of governance controls. Although 92% of those surveyed agree that AI agents should be governed similarly to human employees, 80% reported incidents where agents performed unauthorized actions or accessed restricted data. These incidents underscore the dangers of deploying autonomous systems without robust monitoring or access controls. 

Gnanasambandam suggests adopting an identity-first approach to agent management. He recommends applying the same security protocols used for human users, including real-time access permissions, least privilege principles, and comprehensive activity tracking. Without such measures, organizations risk exposing themselves to breaches or data misuse due to the very tools designed to streamline operations. 

As AI agents become more deeply embedded in business processes, experts caution that failing to implement adequate oversight could create long-term vulnerabilities. The report serves as a timely reminder that innovation must be accompanied by strong governance to ensure cybersecurity is not compromised in the pursuit of automation.

US Sanctions Philippines-Based Web Host Tied to $200 Million Crypto Scam Network


In a significant move against online fraud, the US Treasury Department has sanctioned a Philippines-based web hosting company accused of enabling massive cryptocurrency scams. The sanctions, announced Thursday, target Funnull Technology and its administrator, Chinese national Liu Lizhi, for allegedly supplying infrastructure to online fraudsters. 
According to the Treasury, Funnull played a central role in supporting websites used in “pig butchering” scams—a deceptive tactic where fraudsters lure victims into fake crypto investment schemes. The platform is accused of enabling hundreds of thousands of fraudulent websites, causing over $200 million in reported losses from US victims. The agency stated that Funnull not only hosted these fraudulent domains but also generated uniquely named websites and offered ready-made design templates to scammers. These fake investment platforms were crafted to imitate legitimate sites, showcasing fabricated returns to deceive users. 

As part of the crackdown, the FBI also issued an alert, highlighting how scammers initiate contact with victims via text messages or social media, posing as a friend or potential romantic interest. After building trust, they direct victims to invest in fake crypto platforms, ultimately stealing their assets. “Funnull facilitates these scams by purchasing IP addresses and providing hosting services and other internet infrastructure to groups performing these frauds,” the FBI noted. The agency added that Funnull sources these services from legitimate US providers and resells them to cybercriminal networks. This move comes amid rising concern in the US over Asia-based scam operations, many operating out of large compounds and targeting international victims, including Americans. The sanctions mark a continuing effort to disrupt the financial and technical support enabling such cybercrime at scale.