Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Why Privacy-Conscious Users Should Think Twice Before Storing Sensitive Files on Google Drive

  Google Drive has become an essential tool for millions of users worldwide. Whether it's storing contacts, backing up WhatsApp chats, ...

All the recent news you need to know
Splinter Groups
Cyber Crime Met Police Ransomware Splinter Groups

Ransomware Gangs Splinter as Cyber Threat Becomes More Volatile

 

Cybercrime is moving through a major reset as the ransomware world shifts away from big, organized cartels and toward smaller, more volatile splinter groups. Speaking at Infosecurity Europe 2026, William Lyne, Head of Economic and Cybercrime at the Metropolitan Police Service, said the underground market has become a highly accessible ecosystem where criminals can buy tools, services, and stolen data with ease. He described it as a place where threat actors can get almost everything they need, except a good drink. 

The biggest driver behind this change is convenience. Cryptocurrencies have removed one of the oldest bottlenecks in cybercrime by making it much easier to cash out illegal profits, while underground marketplaces now provide ransomware kits, phishing services, infrastructure, and support on demand. That lower barrier to entry has blurred the old lines between hacktivists, criminal gangs, and state-linked actors, creating a blended threat environment that is far more crowded and harder to police.

Lyne warned that law enforcement crackdowns are also reshaping the market. When large, centralized groups such as LockBit are disrupted, their affiliates do not disappear; they scatter into smaller factions, each trying to rebuild revenue streams in a less visible way. The result is a more fragmented and “post-trust” criminal scene, where weaker internal controls and looser coordination can make attackers more aggressive, reckless, and unpredictable. 

The threat is also becoming more global. Lyne said the ransomware ecosystem is no longer dominated by traditional Russian-speaking hubs, with actors now emerging from Brazil, Türkiye, and English-speaking groups such as Scattered Spider. At the same time, criminals are increasingly using AI to search through hoarded corporate data, turning old thefts into fresh extortion opportunities and new monetization schemes. 

For police and security teams, the response must go beyond arrests alone. Lyne said the Met Police cannot “arrest its way out” of the problem and instead needs to focus on disrupting infrastructure, weakening trust inside criminal networks, and working more closely with private-sector defenders. In practical terms, that means security teams should expect a ransomware landscape that is smaller in structure but sharper in impact, where fragmented gangs may strike faster and with fewer rules than the cartels they replaced.
Read more »
Terrorist Financing
Crypto Compliance Cryptocurrency Sanctions Cyber Security Digital Asset Security Iranian Crypto Exchanges IRGC Cryptocurrency Nobitex Sanctions OFAC Sanctions Sanctions Evasion Terrorist Financing

Iranian Crypto Giant Nobitex Added to US Sanctions List Amid Terror Financing Probe

 


The intersection of financial innovation, regulatory oversight, and national security has occupied digital asset platforms for years. Earlier this week, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on Nobitex, Iran’s largest cryptocurrency exchange, as well as three other Iranian digital asset exchanges. This convergence brought the convergence into sharp focus. 

A significant concern of the Trump Administration is that cryptocurrency infrastructure is being abused both to circumvent international sanctions and to facilitate illicit financial networks associated with government-backed activities, which is reflected in the action taken as part of its Economic Fury campaign. 

Nobitex is allegedly processing more than half of Iran's cryptocurrency inflows by 2025, according to United States authorities, establishing itself as one of Iran's most important digital asset ecosystem hubs. This platform facilitates transactions related to terror financing, sanctions evasion operations, and entities associated with the Islamic Revolutionary Guard Corps (IRGC), including ransomware-related entities. 

According to Treasury officials, the platform was also instrumental in enabling the Central Bank of Iran to obtain substantial stablecoin reserves, highlighting how digital assets are increasingly being used to influence geopolitical and economic affairs. Even though Iran has been economically isolated for many years and has been undergoing mounting geopolitical tension, the digital asset sector has emerged as a significant financial ecosystem. 

Based on industry estimates, the cryptocurrency market in the country will be worth over $7.78 billion in 2025, reflecting the growing integration of digital assets into both commercial activities and international payment channels. 

Based on blockchain intelligence assessments, it is evident that wallet addresses associated with the Islamic Revolutionary Guard Corps (IRGC) accounted for more than half of the total value flowing into Iran's cryptocurrency ecosystem during the fourth quarter of 2025. In this regard, the country’s expanding virtual asset landscape has become increasingly intertwined with national security concerns. Within this environment, exchanges targeted by Washington occupy a dominant position. 

According to Treasury data, Nobitex processed more than 50% of all Iranian digital assets inflows during 2025, whereas Wallex and Bitpin handled approximately 12% and 10%, respectively. Since its establishment in 2018, Ramzinex has facilitated more than $2.45 billion in cumulative transactions, making it one of the nation's longest-running platforms. The figures illustrate why US policymakers have focused on the enforcement of sanctions on virtual asset service providers in recent years. Increasingly, digital asset networks have emerged as alternatives to conventional financial controls for moving capital, settling transactions, and maintaining access to global liquidity.

Iranian financial institutions are largely excluded from international banking mechanisms, including SWIFT. It has been argued that these platforms have served as critical entry and exit points connecting domestic actors to international cryptocurrency markets, creating pathways through which sanctions may be evaded and funds may be transferred across borders. 

OFAC has announced the latest measures as part of a larger campaign that has already frozen approximately half a billion dollars of cryptocurrency connected to the Iranian regime. A strategic move by Washington to target the country's largest exchanges and associated infrastructure is intended to disrupt the digital financial channels through which sanctioned entities can convert, transfer, store, and repatriate value through the cryptocurrency ecosystem, extending the reach of traditional sanctions into a decentralized financial world. 

The Treasury's latest action, which builds on these allegations, targeted not just a single exchange, but what it describes as a broader cryptocurrency infrastructure network underpinning Iran's access to global digital asset markets. In addition to Nobitex, sanctions were also imposed on Iranian exchanges Wallex, Bitpin, and Ramzinex, as well as several senior executives and Nobitex founders.

Washington identified Amir Hossein Rad as a key figure within the platform's leadership structure, in addition to being the company's chairman and co-founder. The Treasury contends that Nobitex is more significant than just its market share, alleging that the exchange was a critical financial gateway for state-linked entities, facilitating transactions associated with sanctions evasion, IRGC-related activities, ransomware activity, and the movement of assets controlled by the government. Aside from that, the department also claimed that the platform enabled the Central Bank of Iran to access stablecoins worth hundreds of millions of dollars at a time when authorities were seeking a means of supporting the weakening rial and maintaining access to international liquidity channels outside traditional banking channels. 

As outlined by the Treasury Department, the exchange also facilitated access to overseas cryptocurrency platforms for Iranian officials, individuals with political connections, and affiliated entities despite decades of financial restrictions. Furthermore, US authorities claimed that, following the onset of American military operations involving Iran, Nobitex provided transfers of government assets and safeguarded them during periods of domestic internet disruption, demonstrating the growing strategic significance of digital asset networks during geopolitical crises. 

Among the sanctions included in the package were co-founders Mohammad Ali Aghamir and Mohammad Aghamir, who heads the blockchain division of the company, in which the Treasury asserted that both maintain close ties to influential Islamic circles. The company's chief executive officer, Seyed Ali Khoei, was also designated as a sanctioned individual due to his significant leadership role. 

Aside from Nobitex, Washington identified Wallex as the second largest cryptocurrency exchange by trading volume in Iran, alleging that it accounted for approximately 12 percent of the country's digital asset inflows in 2025 as well as facilitating transactions related to the IRGC. The Treasury officials indicated that Bitpin processed approximately 10 percent of Iranian digital asset inflows during that same period, and some investors involved in efforts to circumvent US sanctions were allegedly involved. 

In contrast, Ramzinex has been accused of processing transactions worth more than $2.45 billion since its inception in 2018 as well as participating in transactions involving entities associated with the Iranian government and the Islamic Revolutionary Guard Corps. Washington intends to target not only individual actors, but also the digital financial infrastructure that Tehran believes allows it to access, transfer, and repatriate funds beyond conventional sanctions enforcement mechanisms in an effort to combat this threat. 

Cryptocurrencies are becoming a critical frontier in modern financial security as geopolitical conflict, sanctions enforcement, cybercrime, and digital finance increasingly intersect. In an era when regulators are increasingly paying attention to virtual asset ecosystems beyond traditional banking networks, exchanges and financial service providers are facing increased scrutiny over compliance controls, transaction monitoring, and exposure to jurisdictions with high risk.

In the context of cybersecurity and financial security professionals, this development underscores that digital asset infrastructure is not solely viewed as a technological innovation, but also as a strategic component of national security, a phenomenon which makes transparency, risk management, and threat intelligence more critical than ever in an increasingly interconnected financial environment.
Read more »
Meta Security
Cyber Security Cyber Security Ransomware Attacks Cyber Threats Cyberattacks Data Breach Threat data security Hacktivism Meta Meta Security

META Threat Landscape Report Q1 2026: Ransomware, Data Breaches and Hacktivism Rise Across Middle East, Turkey and Africa

 

Early 2026 saw sharper cyber aggression throughout the Middle East, Turkey, and Africa, fueled less by isolated incidents than by coordinated ransomware attacks, politically charged hacking efforts, and repeated exposure of sensitive information. Notably, Cyble's regional analysis highlights how public institutions, financial entities, infrastructure firms, and power providers faced relentless pressure from diverse digital adversaries during those months. Amid shifting tactics, one pattern held steady - attack volume climbed without pause. Early in the year, ransomware kept gaining ground across the region. 

Across META nations, 116 cases came to light between January and March. Leading the list was Turkey, with the UAE trailing just behind. Intrusions hit South Africa and Egypt hard, too - frequent probes and breakdowns marked their networks. Known crews like Gentlemen, INC Ransom, Qilin, Tengu, and LockBit stayed busy through the period. Each group showed steady signs of operation during those months. What stands out is construction being hit hardest, then government offices, police departments, banks, and power companies. Because these sectors manage vital systems and confidential information, they draw hackers aiming to profit or cause chaos. 

Notably, ransomware crews are acting more like businesses - some run subscription-style services so partners can launch attacks faster and wider. Terabytes of sensitive files surfaced online, allegedly pulled from Qatar’s energy infrastructure - login details, cloud backups, all circulating without permission. While ransomware grabbed headlines, leaked datasets kept spreading just beneath the surface. Cyber bazaars active throughout the year moved quietly, swapping access tokens and corporate records like currency. Healthcare providers found themselves exposed. So did hotels, sports leagues, even digital influencers promoting brands. 

A single hacker boasted control over massive archives - one claim among many. State agencies showed up repeatedly in breach reports, their systems probed by actors with unclear allegiances. Motives varied: some sought profit, others appeared driven by surveillance goals or national interests. What stands out is how often attackers used known weaknesses to break into systems. Soon after flaws became public, they appeared in hacking attempts - some quickly listed by CISA as actively abused. Targeting focused heavily on corporate networks, defensive software, besides services open to the web. 

One standout issue involved Ivanti’s mobile management tool, where a severe bug allowed remote control without login verification. Access like that remains appealing; it skips the need to harvest passwords entirely. Throughout Q1 2026, hacktivism stayed prominently in view. A steady flow of leaked data, altered websites, and network floods hit thousands of online addresses in the META area. Tied closely to simmering global conflicts, especially around Israel and Iran, these actions grew more frequent. Rather than just causing outages, they began serving as tools to push narratives into online conversations. Digital platforms turned into stages where cyber acts echoed real-world disputes. 

Though quiet at first glance, new data from Cyble’s META Threat Landscape Report reveals how quickly digital dangers shift when crime blends with global tensions. Where politics and networks meet, risks climb - especially for firms tied to essential services or disputed industries. Instead of waiting, many now see value in tracking hidden signals, patching weaknesses faster, not just reacting after breaches occur. 

As hostile actors refine methods across the Middle East, Africa, Turkey, and Asia, one thing becomes clear: staying ahead means seeing more, acting sooner, adjusting constantly.
Read more »
Vertex AI
AI ethics cloud storage Data Harvesting SDK Google Google OAuth Python technology Vertex AI

Security Bug in Google Vertex AI Could Allow Model Upload Hijacking

 




Google has addressed a security flaw in the Python SDK for Vertex AI after researchers demonstrated that attackers could potentially intercept machine learning model uploads and substitute them with malicious files.

The issue was identified by researchers from Palo Alto Networks' Unit 42 team, who disclosed the findings through Google's bug bounty program. According to the researchers, the vulnerability could be exploited without compromising a target organization's cloud environment, stealing credentials, or tricking users through phishing campaigns. Instead, the attack relied on weaknesses in how the SDK handled temporary storage locations during model uploads.

Researchers referred to the technique as "Pickle in the Middle." They reported no evidence that the flaw had been exploited outside of controlled testing environments. Google has since released security updates, and organizations using Vertex AI are advised to upgrade to version 1.148.0 or newer.


Predictable Storage Names Created an Opening

The vulnerability originated from the SDK's automatic staging process.

When developers uploaded a machine learning model without manually specifying a Cloud Storage bucket, the SDK generated a temporary bucket name based on information such as the Google Cloud project identifier and deployment region.

The problem was not that the bucket name could be predicted. The problem was that the SDK only checked whether the bucket existed. It did not verify whether that bucket belonged to the project performing the upload.

Because Cloud Storage bucket names are globally unique across Google Cloud, an attacker could create the expected bucket before the victim did. If that happened, model files uploaded by the victim could be redirected into infrastructure controlled by the attacker.

In practical terms, a developer could believe a model was being uploaded to their own cloud environment while the files were actually being delivered elsewhere.


Attackers Could Replace Models Before Deployment

After receiving the uploaded files, an attacker could modify or replace the model before Vertex AI retrieved it for deployment.

This becomes particularly important because many machine learning workflows rely on serialization formats such as Pickle and Joblib. These formats are commonly used to save trained models, but they also contain functionality capable of executing instructions when the file is loaded.

As a result, a manipulated model may do more than generate predictions. It can potentially run arbitrary code inside the environment responsible for serving the model.

Unit 42 researchers demonstrated that this behavior could be abused to execute attacker-controlled code inside Vertex AI's serving infrastructure.


Researchers Exploited a Narrow Timing Window

The attack required the malicious file replacement to occur very quickly.

During testing, researchers observed that Vertex AI typically retrieved uploaded files roughly 2.5 seconds after the upload process completed.

To exploit this short interval, they created an automated Cloud Function that monitored the attacker-controlled bucket and immediately replaced newly uploaded files. The replacement process took approximately 1.4 seconds, allowing the malicious model to be swapped before Vertex AI accessed it.

This timing-based attack demonstrated that the vulnerability was practical under the right conditions rather than being a purely theoretical risk.


Proof-of-Concept Reached Beyond a Single Model

After achieving code execution, researchers tested what level of access could be obtained from the serving environment.

Their proof-of-concept extracted an OAuth token from the container's metadata service and used it to interact with resources available within Google's managed infrastructure.

According to the report, the token provided visibility into additional machine learning assets, model artifacts, TensorFlow files, BigQuery metadata, access control information, system logs, Kubernetes cluster identifiers, and internal infrastructure references.

The findings suggested that a successful compromise could potentially expose information beyond the originally targeted model deployment.


Exploitation Required Specific Conditions

The vulnerability was not universally exploitable.

Researchers noted that two requirements had to be met before the attack could succeed.

First, the expected default staging bucket could not already exist in the chosen deployment region. Second, the developer needed to rely on the SDK's default bucket-generation behavior rather than specifying a storage bucket manually.

The researchers noted that newly created Vertex AI projects often satisfy the first condition because the default bucket may not yet have been created.


Google Introduced Multiple Fixes

Unit 42 reported the issue to Google on March 5, 2026.

Google's initial response introduced additional randomness into bucket names by appending a UUID value, making bucket prediction substantially more difficult.

The company later strengthened the mitigation by implementing ownership validation checks. These checks ensure that automatically selected buckets belong to the project initiating the upload, preventing bucket-squatting attacks from succeeding.

The ownership verification mechanism was included in Vertex AI SDK version 1.148.0.

At the time the researchers published their findings, neither Google's Vertex AI security advisories nor the research report listed a CVE identifier for the vulnerability.


Recommendations for Organizations

Security teams using Vertex AI should verify that all environments are running updated versions of the google-cloud-aiplatform package. This includes development notebooks, machine learning pipelines, automated build systems, testing environments, and production deployments.

Researchers also recommend explicitly defining a staging bucket owned by the organization instead of relying on SDK defaults. This reduces the risk of storage misconfigurations and provides greater visibility into where machine learning artifacts are stored during deployment.

The disclosure is the latest example of how weaknesses in supporting cloud infrastructure can affect AI systems. As organizations continue moving model development and deployment into managed cloud platforms, security reviews must extend beyond the model itself to include storage, deployment pipelines, permissions, and the services that support the AI lifecycle.

Read more »
Cyber Crime
Blockchain Security CertiK Report Crypto Thieves Cyber Crime

Crypto Exploit Losses Plummet 90% in May to $68.3 Million as Thieves Hit Security Wall

 

Crypto thieves are hitting a major wall, with exploit losses plunging nearly 90% in May 2026. Blockchain security firm CertiK reported that crypto platform losses fell to $68.3 million last month, a dramatic drop from the staggering $650 million stolen in April. This sharp decline signals improved security measures across the industry and represents the third month in 2026 where losses stayed below $100 million. 

Code vulnerabilities were responsible for the bulk of May's damage, accounting for roughly 66% of total losses at approximately $45 million. Cross-chain bridges took the heaviest hit by category, absorbing 42% of total losses or $28.6 million. Despite the marked decrease, the sector wasn't entirely free from high-profile incidents, though the overall attack success rate has significantly diminished compared to previous months. 

The positive trend reflects multiple factors working together to protect crypto assets. Improved security measures and rapid response capabilities are driving this improvement, even as vulnerabilities persist across the ecosystem. CertiK's data shows that attackers are facing stronger defenses, with platforms implementing more robust protection systems and responding faster to emerging threats. This defensive upgrade is forcing crypto thieves to "hit a wall" as their traditional exploit methods become less effective. 

May 2026's performance stands in stark contrast to the previous quarter's chaos. The nearly 90% drop demonstrates that the industry is learning from past mistakes and adapting quickly to attack vectors. While $68.3 million in losses remains concerning, the trajectory is clearly positive, with monthly losses trending downward consistently through early 2026. Investors and platform operators are seeing tangible benefits from increased security investments. 

This security improvement offers hope for the cryptocurrency industry's long-term viability. As platforms strengthen their defenses and response times, the success rate for exploits continues declining. The trend suggests that crypto thieves are struggling to adapt to newer security protocols, marking a turning point in the ongoing battle between attackers and defenders. While attacks will continue, the dramatic reduction in losses indicates the industry is finally building effective walls against digital theft.
Read more »
cybersecurity attacks
CIS Cyber Attacks Cyber Criminals Cyber Gangs Cyber Security Ransomware Attacks cybercrime gangs cybersecurity attacks

Ransomware Gang Apologizes After Mistakenly Attacking CIS Company and Revealing Criminal Errors

 

Surprisingly, even cybercriminal collectives slip up sometimes - a fact highlighted when attackers struck a business inside a CIS country. A misstep by Nova, tied to the RAlord network, led to unintended consequences. Following an accidental hit on Eriell Group - an oilfield services leader based in Tashkent with operations extending into Russia - affiliates backtracked publicly. The group formally expressed regret over targeting such a firm. Apologies emerged only after internal protocols appeared breached. Mistaken identity seems to have triggered the reversal. Trust among criminal actors likely took a quiet blow. 

Reports indicate that after Eriell reached out to Nova, alerting them to the mistake, the link between the operator and the group was cut. Banned soon afterward, the individual involved lost access entirely. Instead of resistance, there came an apology - structured, deliberate. Assistance followed, provided freely, framed as support rather than restitution. Their stance: encryption never happened, data remains unpublished, intent unclear but outwardly cooperative. Still, the unwritten code among major ransomware groups holds: steer clear of Russian and broader CIS networks. 

Even though hacking violates local laws there, officials routinely ignore profit-driven breaches if they spare homegrown entities. Some hacking collectives like DragonForce, VanHelsing, and LockBit ban strikes on Russian-linked targets. Despite that, the Nova member tied to the Eriell breach probably won’t earn trust among peers again quickly. Though rules exist, breaking unwritten loyalties carries consequences few overlook. It's happened before - threat actors stumbling through avoidable errors. 

Back then, a ransom-driven team called Scattered Lapsus$ Hunters announced full control over Resecurity, a firm focused on digital defense, boasting they’d extracted every piece of stored information. In reality, their intrusion led straight into a trap set long in advance: a decoy system designed to mislead. That slip gave authorities what they needed - not just tracking one participant but securing legal grounds to pursue evidence further. 

Besides earlier cases, attention turned to CyberVolk - a pro-Russian hacktivist collective - that rolled out ransomware yet embedded the primary decryption keys directly within the code. Because of this oversight, those affected found a way to unlock data freely, bypassing any payment. Mistakes like these undermined the entire scheme before it gained traction. Wrong moves in coding sometimes backfire. 

The team behind Sicarii built a system that made fresh encryption keys on each launch - yet wiped the matching private key right after. Because of this, users had no way to unlock data, payment or not. In another case, Nitrogen’s tool failed due to a nearly identical error, leaving its decryption method useless. Paying up became meaningless when recovery was impossible by design. Certain missteps reveal a different side - those behind cyberattacks aren’t flawless. 

Though often seen as highly skilled, people running ransomware schemes act mainly for money; yet just like others, they slip up, leaving openings that can unexpectedly help those targeted.
Read more »
Subscribe to: Posts (Atom)

Featured