Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

AI Expert Warns World Is Running Out of Time to Tackle High-Risk AI Revolution

  AI safety specialist David Dalrymple has warned in no unclear terms that humanity may be running out of time to get ready for the dangers ...

All the recent news you need to know
WhatsApp Security
Account Hijacking Risks Data Protection Controls digital identity protection End-to-End Encryption Meta AI Privacy Phishing Awareness Privacy Social Engineering Threats WhatsApp Security

Privacy Takes Center Stage in WhatsApp’s Latest Feature Update

 


There are billions of WhatsApp users worldwide, making it a crucial communication platform for both personal and professional exchanges alike. But its wide spread has also made it an increasingly attractive target for cybercriminals because of its widespread reach and popularity. 

Recent security research has highlighted the possibility of emerging threats exploiting the platform's ecosystem. For example, a technique known as GhostPairing is being used to connect a victim's account to a malicious browser session through the use of a covert link. 

Additionally, separate studies have shown that the app's contact discovery functionality can also be exploited by third parties in order to expose large numbers of phone numbers, as well as photo profiles and other identifying information, causing fresh concerns about the exploitation of large-scale data. 

Despite the fact that WhatsApp relyes heavily on end-to-end encryption to safeguard message content and has made additional efforts to ensure the safety of message content, including passkey-secured backups and privacy-conscious artificial intelligence, security experts emphasize that user awareness remains an important factor in protecting the service from threats. 

When properly enabled, the platform comes with a variety of built-in tools that, when properly deployed, can significantly enhance account security and reduce risk of exposure to evolving digital threats when implemented properly. 

WhatsApp has continued to strengthen its end-to-end encryption framework in response to these evolving risks as well as to increase its portfolio of privacy-centric security controls. In response, it has been said that security analysts believe that limited user awareness often undermines the effectiveness of these safeguards, causing many account holders to not properly configure the protections that are already available to them. 

WhatsApp's native privacy settings can be an effective tool to prevent unauthorised access, curb data misuse, and reduce the risk of account takeover if they are properly enabled. There is an increased importance for this matter, especially because the platform is routinely used to exchange sensitive information, such as Aadhaar information and bank credentials, as well as one-time passwords, personal images, and official documents, on a daily basis.

In accordance with expert opinion, lax privacy configurations can put sensitive personal data at risk of fraud, identity theft, and social engineering attacks, while even a modest effort to review and tighten privacy controls can significantly improve one's digital security posture. It has come as a result of these broader privacy debates that the introduction of the Meta AI within WhatsApp has become a focus of concern for both users and privacy advocates. 

The AI chatbot, which can be accessed via a persistent blue icon on the Chats screen, will enable users to generate images and receive responses to prompts, but its continuous presence has sparked concerns over data handling, consent management, and user control over the chatbot. 

Despite WhatsApp's claims that only messages shared on the platform intentionally will be processed by the chatbot, many users are uneasy about the inability of the company to disable or remove Meta AI, especially since the company is unsure of the policies regarding data retention, training AI, and possible third-party access. 

Despite the company's caution against sharing sensitive personal information with the chatbot, users may still be able to use this data in order to refine the model as a whole, implicitly acknowledging the possibility of doing so. 

In light of this backdrop, WhatsApp has rolled out a feature aimed at protecting users from one another in lieu of addressing concerns associated with AI integration directly. It is designed to create an additional layer of confidentiality within selected conversations, and eliminates the use of Meta AI within those threads so that end-to-end encryption is maintained during user-to-user conversations. This framework reinforces the concept of end-to-end encryption at each level of the user-to-user conversation. 

As a result, many critics of this technology contend that while it is successful in safeguarding sensitive information comprehensively, it has limitations, such as allowing screenshots and manual saving of content. This limits its ability to provide comprehensive information protection.

The feature may temporarily reduce the anxiety surrounding Meta AI's involvement in private conversations, but experts claim it does little to resolve deeper concerns about transparency, consent, and control over the collection and use of data by AI systems.

In the future, WhatsApp will eventually need to address those concerns in a more direct manner in the course of rolling out additional updates. WhatsApp continues to serve as a primary channel for workplace communication, but security experts warn that convenience has quietly outpaced caution as it continues to consolidate its position.

Despite the fact that many professionals still use the default settings of their accounts, there are still risks associated with hijacking, impersonation, and data theft, which go far beyond the risks to your personal privacy, client privacy, and brand reputation.

There are several layers of security that are widely available, including two-step authentication, device management, biometric app locks, encrypted backups, and regular privacy checks, all of which remain underutilized despite their proven effectiveness at preventing common takeovers and phishing attempts. 

It must be noted that experts emphasize that technical controls alone are not sufficient to prevent cybercriminals from exploiting vulnerabilities. Human error remains one of the most exploited vulnerabilities, especially since attackers are increasingly using WhatsApp for social engineering scams, voice phishing, and impersonation of executives.

There has been an upward trend in the adoption of structured phishing simulation and awareness programs in recent years, which, according to industry data, can significantly reduce breach costs and employee susceptibility to attacks, as well as employees' privacy concerns. 

It is becoming increasingly important for organizations to take action to safeguard sensitive conversations in a climate where messaging apps have become both indispensable tools and high-value targets, through the disciplined application of WhatsApp's built-in protections and sustained investment in user training. 

The development of these developments, taken together, underscores the widening gap between WhatsApp's security capabilities and how it is used in reality. As the app continues to evolve into a hybrid space for personal communication, business coordination, and AI-assisted interactions, privacy and data protection concerns are growing as it develops into an increasingly hybrid platform. 

Various attack techniques have advanced over the years, but the combination of these techniques, the opaque integration of artificial intelligence, and the widespread reliance on default settings has resulted in an environment where users have become increasingly responsible for their own security. 

There has been some progress on WhatsApp's security, in terms of introducing meaningful safeguards, and it has also announced further updates, but their ultimate impact relies on informed adoption, transparent governance, and sustained scrutiny from regulators, as well as the security community. 

While clearer boundaries are being established around data use and user control, protecting conversations on one of the world's most popular messaging platforms will continue to be a technical challenge, but also a test of trust between users and the service they rely upon on a daily basis.
Read more »
VS Code malware
BeaverTail malware Contagious Interview campaign malicious GitHub repository malware North Korea Hackers VS Code malware

North Korean Hackers Abuse VS Code Projects in Contagious Interview Campaign to Deploy Backdoors

 

North Korea–linked threat actors behind the long-running Contagious Interview campaign have been seen leveraging weaponized Microsoft Visual Studio Code (VS Code) projects to trick victims into installing a backdoor on their systems.

According to Jamf Threat Labs, this activity reflects a steady refinement of a technique that first came to light in December 2025. The attackers continue to adapt their methods to blend seamlessly into legitimate developer workflows.

"This activity involved the deployment of a backdoor implant that provides remote code execution capabilities on the victim system," security researcher Thijs Xhaflaire said in a report shared with The Hacker News.

Initially revealed by OpenSourceMalware last month, the attack relies on social engineering job seekers. Targets are instructed to clone a repository hosted on platforms such as GitHub, GitLab, or Bitbucket and open it in VS Code as part of an alleged hiring assessment.

Once opened, the malicious repository abuses VS Code task configuration files to run harmful payloads hosted on Vercel infrastructure, with execution tailored to the victim’s operating system. By configuring tasks with the "runOn: folderOpen" option, the malware automatically runs whenever the project or any file within it is opened in VS Code. This process ultimately results in the deployment of BeaverTail and InvisibleFerret.

Later versions of the campaign have introduced more complex, multi-stage droppers concealed within task configuration files. These droppers masquerade as benign spell-check dictionaries, serving as a fallback if the malware cannot retrieve its payload from the Vercel-hosted domain.

As with earlier iterations, the obfuscated JavaScript embedded in these files executes immediately when the project is opened in the integrated development environment (IDE). It connects to a remote server ("ip-regions-check.vercel[.]app") and runs any JavaScript code sent back. The final payload stage consists of yet another heavily obfuscated JavaScript component.

Jamf also identified a newly observed infection method that had not been documented previously. While the initial lure remains the same—cloning and opening a malicious Git repository in VS Code—the execution path changes once the repository is trusted.

"When the project is opened, Visual Studio Code prompts the user to trust the repository author," Xhaflaire explained. "If that trust is granted, the application automatically processes the repository's tasks.json configuration file, which can result in embedded arbitrary commands being executed on the system."
"On macOS systems, this results in the execution of a background shell command that uses nohup bash -c in combination with curl -s to retrieve a JavaScript payload remotely and pipe it directly into the Node.js runtime. This allows execution to continue independently if the Visual Studio Code process is terminated, while suppressing all command output."

The JavaScript payload, delivered from Vercel, contains the core backdoor logic. It establishes persistence, gathers basic system information, and maintains communication with a command-and-control server to enable remote code execution and system profiling.

In at least one observed incident, Jamf noted additional JavaScript being executed approximately eight minutes after the initial compromise. This secondary payload beacons to the server every five seconds, executes further JavaScript instructions, and can delete traces of its activity upon command. Researchers suspect the code may have been generated with the help of artificial intelligence (AI), based on the language and inline comments found in the source.

Actors linked to the Democratic People's Republic of Korea (DPRK) are known to aggressively target software developers, especially those working in cryptocurrency, blockchain, and fintech environments. These individuals often possess elevated access to financial systems, wallets, and proprietary infrastructure.

By compromising developer accounts and machines, attackers could gain access to sensitive source code, internal platforms, intellectual property, and digital assets. The frequent tactical changes observed in this campaign suggest an effort to improve success rates and further the regime’s cyber espionage and revenue-generation objectives.

The disclosure coincides with findings from Red Asgard, which investigated a malicious repository abusing VS Code tasks to install a full-featured backdoor known as Tsunami (also called TsunamiKit), along with the XMRig cryptocurrency miner. Separately, Security Alliance reported on a similar attack where a victim was contacted on LinkedIn by actors posing as the CTO of a project named Meta2140. The attackers shared a Notion[.]so page containing a technical test and a Bitbucket link hosting the malicious code.

Notably, the attack framework includes multiple fallback mechanisms. These include installing a rogue npm package called "grayavatar" or executing JavaScript that downloads an advanced Node.js controller. This controller runs five modules designed to log keystrokes, capture screenshots, scan the home directory for sensitive data, replace clipboard wallet addresses, steal browser credentials, and maintain persistent communication with a remote server.

The malware further establishes a parallel Python environment using a stager script that supports data exfiltration, cryptocurrency mining via XMRig, keylogging, and the installation of AnyDesk for remote access. The Node.js and Python components are tracked as BeaverTail and InvisibleFerret, respectively.

Collectively, these observations show that the state-sponsored group is testing several delivery mechanisms simultaneously to maximize the chances of successful compromise.

"While monitoring, we've seen the malware that is being delivered change very quickly over a short amount of time," Jaron Bradley, director of Jamf Threat Labs, told The Hacker News. It's worth noting that the payload we observed for macOS was written purely in JavaScript and had many signs of being AI assisted. It's difficult to know exactly how quickly attackers are changing their workflows, but this particular threat actor has a reputation for adapting quickly."

To reduce exposure, developers are urged to remain cautious when handling third-party repositories—particularly those shared during hiring exercises—carefully review source code before opening it in VS Code, and limit npm installations to trusted, well-vetted packages.

"This activity highlights the continued evolution of DPRK-linked threat actors, who consistently adapt their tooling and delivery mechanisms to integrate with legitimate developer workflows," Jamf said. "The abuse of Visual Studio Code task configuration files and Node.js execution demonstrates how these techniques continue to evolve alongside commonly used development tools."
Read more »
Technology
Asia Cloud Services Cybersecurity Data protection data sovereignty Europe Geopolitical Cyber Risk Government organisations Technology

Geopolitical Conflict Is Increasing the Risk of Cyber Disruption




Cybersecurity is increasingly shaped by global politics. Armed conflicts, economic sanctions, trade restrictions, and competition over advanced technologies are pushing countries to use digital operations as tools of state power. Cyber activity allows governments to disrupt rivals quietly, without deploying traditional military force, making it an attractive option during periods of heightened tension.

This development has raised serious concerns about infrastructure safety. A large share of technology leaders fear that advanced cyber capabilities developed by governments could escalate into wider cyber conflict. If that happens, systems that support everyday life, such as electricity, water supply, and transport networks, are expected to face the greatest exposure.

Recent events have shown how damaging infrastructure failures can be. A widespread power outage across parts of the Iberian Peninsula was not caused by a cyber incident, but it demonstrated how quickly modern societies are affected when essential services fail. Similar disruptions caused deliberately through cyber means could have even more severe consequences.

There have also been rare public references to cyber tools being used during political or military operations. In one instance, U.S. leadership suggested that cyber capabilities were involved in disrupting electricity in Caracas during an operation targeting Venezuela’s leadership. Such actions raise concerns because disabling utilities affects civilians as much as strategic targets.

Across Europe, multiple incidents have reinforced these fears. Security agencies have reported attempts to interfere with energy infrastructure, including dams and national power grids. In one case, unauthorized control of a water facility allowed water to flow unchecked for several hours before detection. In another, a country narrowly avoided a major blackout after suspicious activity targeted its electricity network. Analysts often view these incidents against the backdrop of Europe’s political and military support for Ukraine, which has been followed by increased tension with Moscow and a rise in hybrid tactics, including cyber activity and disinformation.

Experts remain uncertain about the readiness of smart infrastructure to withstand complex cyber operations. Past attacks on power grids, particularly in Eastern Europe, are frequently cited as warnings. Those incidents showed how coordinated intrusions could interrupt electricity for millions of people within a short period.

Beyond physical systems, the information space has also become a battleground. Disinformation campaigns are evolving rapidly, with artificial intelligence enabling the fast creation of convincing false images and videos. During politically sensitive moments, misleading content can spread online within hours, shaping public perception before facts are confirmed.

Such tactics are used by states, political groups, and other actors to influence opinion, create confusion, and deepen social divisions. From Eastern Europe to East Asia, information manipulation has become a routine feature of modern conflict.

In Iran, ongoing protests have been accompanied by tighter control over internet access. Authorities have restricted connectivity and filtered traffic, limiting access to independent information. While official channels remain active, these measures create conditions where manipulated narratives can circulate more easily. Reports of satellite internet shutdowns were later contradicted by evidence that some services remained available.

Different countries engage in cyber activity in distinct ways. Russia is frequently associated with ransomware ecosystems, though direct state involvement is difficult to prove. Iran has used cyber operations alongside political pressure, targeting institutions and infrastructure. North Korea combines cyber espionage with financially motivated attacks, including cryptocurrency theft. China is most often linked to long-term intelligence gathering and access to sensitive data rather than immediate disruption.

As these threats manifest into serious matters of concern, cybersecurity is increasingly viewed as an issue of national control. Governments and organizations are reassessing reliance on foreign technology and cloud services due to legal, data protection, and supply chain concerns. This shift is already influencing infrastructure decisions and is expected to play a central role in security planning as global instability continues into 2026.

Read more »
Google security
AI tools Data Breach Data Leak Digital Personal Data Protection Gemini AI Gemini Flaw Gemini vulnerability Google Gemini Google security

Google Gemini Calendar Flaw Allows Meeting Invites to Leak Private Data

 

Though built to make life easier, artificial intelligence helpers sometimes carry hidden risks. A recent study reveals that everyday features - such as scheduling meetings - can become pathways for privacy breaches. Instead of protecting data, certain functions may unknowingly expose it. Experts from Miggo Security identified a flaw in Google Gemini’s connection to Google Calendar. Their findings show how an ordinary invite might secretly gather private details. What looks innocent on the surface could serve another purpose beneath. 

A fresh look at Gemini shows it helps people by understanding everyday speech and pulling details from tools like calendars. Because the system responds to words instead of rigid programming rules, security experts from Miggo discovered a gap in its design. Using just text that seems normal, hackers might steer the AI off course. These insights, delivered openly to Hackread.com, reveal subtle risks hidden in seemingly harmless interactions. 

A single calendar entry is enough to trigger the exploit - no clicking, no downloads, no obvious red flags. Hidden inside what looks like normal event details sits coded directions meant for machines, not people. Rather than arriving through email attachments or shady websites, the payload comes disguised as routine scheduling data. The wording blends in visually, yet when processed by Gemini, it shifts into operational mode. Instructions buried in plain sight tell the system to act without signaling intent to the recipient. 

A single harmful invitation sits quietly once added to the calendar. Only after the user poses a routine inquiry - like asking about free time on Saturday - is anything set in motion. When Gemini checks the agenda, it reads the tainted event along with everything else. Within that entry lies a concealed instruction: gather sensitive calendar data and compile a report. Using built-in features of Google Calendar, the system generates a fresh event containing those extracted details. 

Without any sign, personal timing information ends up embedded within a new appointment. What makes the threat hard to spot is its invisible nature. Though responses appear normal, hidden processes run without alerting the person using the system. Instead of bugs in software, experts point to how artificial intelligence understands words as the real weak point. The concern grows as behavior - rather than broken code - becomes the source of danger. Not seeing anything wrong does not mean everything is fine. 

Back in December 2025, problems weren’t new for Google’s AI tools when it came to handling sneaky language tricks. A team at Noma Security found a gap called GeminiJack around that time. Hidden directions inside files and messages could trigger leaks of company secrets through the system. Experts pointed out flaws deep within how these smart tools interpret context across linked platforms. The design itself seemed to play a role in the vulnerability. Following the discovery by Miggo Security, Google fixed the reported flaw. 

Still, specialists note similar dangers remain possible. Most current protection systems look for suspicious code or URLs - rarely do they catch damaging word patterns hidden within regular messages. When AI helpers get built into daily software and given freedom to respond independently, some fear misuse may grow. Unexpected uses of helpful features could lead to serious consequences, researchers say.
Read more »
Third Party Risk
Cybercrime Groups Data Breach Employee Data Exposure enterprise cybersecurity Incident response Ransomware As A Service Ransomware attack supply chain security Third Party Risk

Ingram Micro Reveals Impact of Ransomware Attack on Employee Records


 

Ingram Micro quietly divulged all the personal details of their employees and job applicants last summer after a ransomware attack at the height of the summer turned into a far-reaching data exposure, exposing sensitive information about their employees and job applicants and illustrating the growing threat of cybercrime. 

A significant breach at one of the world's most influential technology supply-chain providers has been revealed in the July 2025 attack, in which the company confirms that records linked to more than 42,000 people were compromised, marking the most significant breach of the company's history. It is evident that in the wake of the disruptions caused by older, high-profile cybercriminals, emerging ransomware groups are swiftly targeting even the most established businesses. 

These groups are capitalizing on disrupting these older, high-profile cyber criminal operations by swiftly attacking even the most established businesses. It is a stark reminder to manufacturers, distributors, and mid-market companies that depend on Ingram Micro for global logistics, cloud platforms, and managed services to stay protected from cybersecurity risks, and the breach serves as a warning that cybersecurity risk does not end within an organization's boundaries, as third-party cyber-incidents are becoming increasingly serious and problematic. 

The largest distributor of business-to-business technology, Ingram Micro, operates on a global scale. The company employs more than 23,500 associates, serves more than 161,000 customers, and reported net sales of $48 billion in 2024, which was much greater than the previous year's gross sales of $6 billion. 

As stated in the notification letters to the Maine Attorney General and distributed to affected individuals, the attackers obtained documents containing extensive information, including Social Security numbers, that they had stolen. 

There was a security incident involving the company on July 3rd, 2025, and, in its disclosure, the company indicated that an internal investigation was immediately launched, which determined that an unauthorized third party had access to and removed files from internal repositories between July 2 and July 3rd, 2025. 

In addition to the information contained in the compromised records, there were also information regarding current and former employees and potential job applicants, including names, contact details, birthdates, and government-issued identification numbers such as Social Security numbers, driver's license numbers, and passport numbers, as well as employment records in certain cases. 

A major attack on Ingram Micro's infrastructure may also have caused widespread disruptions to internal operations, as well as taking the company's website offline for a period of time, forcing the company to instruct its employees to work remotely as remediation efforts were underway. 

In spite of the fact that the company does not claim the breach was the result of a particular threat actor, it confirms that ransomware was deployed during the incident, in line with earlier reports linking the incident with the SafePay ransomware group, which later claimed responsibility and claimed to have stolen about 3.5 terabytes of data, and then published the name of the company on its dark web leaks.

In addition to drawing renewed attention to the systemic threat posed by attacks on central technology distributors, the incident also shed light on the risk that a single compromise can have a ripple effect across the entire digital supply chain as well. 

Analysts who examined the Ingram Micro intrusion claim that the ransomware was designed to be sophisticated, modular, and was modeled after modern malware campaigns that are operated by operators. The malicious code unfolded in carefully sequenced stages, with the lightweight loader establishing persistence and neutralizing baseline security controls before the primary payload was delivered.

The attackers subsequently developed components that enabled them to move laterally through internal networks by exploiting cached authentication data and directory services in order to gain access to additional privileges and harvest credentials. The attackers also employed components designed to escalate privileges and harvest credentials. 

The spread across accessible systems was then automated using a dedicated propagation engine, while at the same time manual intervention was still allowed to prioritize high-value targets using a dedicated propagation engine. As part of the attack, the encryption engine used a combination of industry-grade symmetric cryptography and asymmetric key protection to secure critical data, effectively locking that data beyond recovery without the cooperation of the attackers. 

As an extension of the encryption process, a parallel exfiltration process used encrypted web traffic to evade detection to quietly transfer sensitive files to external command-and-control infrastructure. Ultimately, ransom notes were released in order to exert pressure through both operational disruptions as well as the threat of public data exposure, which culminated in the deployment of ransom notes. 

The combination of these elements illustrates exactly how contemporary ransomware has evolved into a hybrid threat model-a model that combines automation, stealth, and human oversight-and why breaches at key nodes within the technology ecosystem can have a far-reaching impact well beyond the implications of one organization. 

When Ingram Micro discovered that its data had been compromised, the company took a variety of standard incident response measures to address it, including launching a forensic investigation with the help of an external cybersecurity firm, notifying law enforcement and relevant regulators, and notifying those individuals whose personal information may have been compromised. 

Additionally, the company offered two years of free credit monitoring and identity theft protection to all customers for two years. It has been unclear who the attackers are, but the SafePay ransomware group later claimed responsibility, alleging in its dark web leak site that the group had stolen 3.5 terabytes of sensitive data. Those claims, however, are not independently verified, nor is there any information as to what ransom demands have been made.

The attack has the hallmarks of a modern ransomware-as-a-service attack, with a custom malware being deployed through a well-established framework that streamlines intrusion, privilege escalation, lateral movement, data exfiltration, and data encryption while streamlining intrusion, privilege escalation, lateral movement, and data encryption techniques.

As such, these campaigns usually take advantage of compromised credentials, phishing schemes, and unpatched vulnerabilities to gain access to the victim. They then combine double-extortion tactics—locking down systems while siphoning sensitive data—with the goal of putting maximum pressure on them. 

During the event, Ingram Micro's own networks were disrupted, which caused delays across global supply chains that depended on Ingram Micro's platforms, causing disruptions as well as disruptions to transactions. There is an opportunity for customers, partners, and the wider IT industry to gain a better understanding of the risks associated with concentration of risk in critical vendors as well as the potentially catastrophic consequences of a relatively small breach at a central node.

A number of immediate actions were taken by Ingram Micro in the aftermath of the attack, including implementing the necessary measures to contain the threat, taking all affected systems offline to prevent further spread of the attack, and engaging external cybersecurity specialists as well as law enforcement to support the investigation and remediation process. 

As quickly as possible, the company restored access to critical platforms, gradually restoring core services, and maintained ongoing forensic analysis throughout the day to assess the full extent of the intrusion, as well as to assure its customers and partners that the company was stable. It is not only the operational response that has been triggered by the incident, but the industry has largely reflected on the lessons learned from a similar attack. 

It is apparent that security experts are advocating resilience-driven strategies such as zero trust access models, network microsegmentation, immutable backup architectures, and continuous threat monitoring in order to limit breaches' blast radius. 

It is also evident from the episode that the technology industry is becoming increasingly dependent on third-party providers, which is why it has reinforced the importance of regular incident response simulations and robust vendor risk management strategies. This ransomware attack from Ingram Micro illustrates the importance of modern cyber operations beyond encrypting data. 

It also illustrates how modern cyber operations are also designed to disrupt interconnected ecosystems, in addition to exerting pressure through theft of data and a systemic impact. As a result of this incident, it was once again reinforced that enterprise security requires preparation, layers of defenses, and supply chain awareness. 

A response of Ingram Micro was to isolate the affected servers and segments of the network in order to contain the intrusion. During this time, the Security Operations Center activated a team within its organization to coordinate remediation and forensic analysis as part of its response. This action corresponds with established incident handling standards, which include the NIST Cybersecurity Framework and ISO 27035 guidelines. 

Currently, investigators are conducting forensic examinations of the ransomware strain, tracking the initial access vectors, and determining whether data has been exfiltrating in order to determine if it was malicious or not. Federal agencies including the FBI Internet Crime Complaint Center and the Cybersecurity and Infrastructure Security Agency have been informed about the investigation. 

In the recovery process, critical systems are restored from verified backups, compromised infrastructure is rebuilt, and before the environment can be returned to production, it is verified that a restored environment does not contain any malicious artifacts.

It is no surprise to security specialists that incidents of this scale are increasingly causing large companies to reevaluate their core controls, such as identity and access management, which includes stronger authentication, tighter access governance, and continuous monitoring.

It is believed that these actions will decrease the risk of unauthorized access and limit the impact of future breaches to a great extent. This Ingram Micro incident is an excellent example of how ransomware has evolved into a technical and systemic threat as well, one that increasingly targets the connective tissue of the global technology economy, rather than isolated enterprises, to increasingly target. 

A breach like the one in question has demonstrated the way that attacks on highly integrated distributors can cascade across industries, exposing information, disrupting operations, and amplifying risks that extend far beyond the initial point of compromise. It is likely that the episode will serve as a benchmark for regulators, enterprises, and security leaders to evaluate resilience within complex supply chains as investigations continue and recovery efforts mature. 

During a period of time when the industry relies heavily on scale, speed, and trust, the attack serves as a strong warning that cybersecurity readiness cannot be judged solely by its internal defenses, but also by its ability to anticipate, absorb, and recover from shocks originating anywhere within the interconnected digital ecosystem as well as to measure its readiness for cybersecurity.
Read more »
User Privacy
Data Breach Honeypot Resecurity SLH Group User Privacy

Resecurity Breach Claims Exposed as Honeypot Deception

 

The hackers, who claimed to represent the “Scattered Lapsus$ Hunters” (SLH) group, believed they successfully compromised Resecurity, a cybersecurity firm based in the United States, by exfiltrating their data. Resecurity disputed this by saying they were only able to gain access to their honeypot, which was set up to provide fake data to potential attackers. Such differing accounts of an incident show not only the brazenness of financially driven attackers but also the increasing use of deception techniques by attackers to gain intelligence.

The SLH members propagated their allegations through Telegram, claiming “full access” to the Resecurity systems and the theft of all internal conversations and logs, employee data, threat intelligence reports, and an extensive list of clients and their information. In an attempt to prove the validity of these allegations, the SLH members shared screenshots of Resecurity’s internal “Mattermost” environment, where conversations between the company employees and Pastebin representatives about malicious data on the Pastebin platform were shown. The SLH members described the attack as retaliation against Resecurity, which they believed was trying to socially engineer them by impersonating the buyers of the stolen Vietnamese financial database in order to receive complimentary samples and more information about their activities. 

Adding to this complexity, the renowned threat actor group known as ShinyHunters, known to have been part of the Scattered Lapsus$ Hunters umbrella, later disclaimed their involvement in this incident. This was revealed when a representative of ShinyHunters told a local media outlet that, although they have long claimed to be part of SLH, they did not have any involvement in this incident against Resecurity. This has left many questions regarding how these overlapping groups coordinate their efforts or if SLH uses its association with ShinyHunters to magnify its efforts. 

Resecurity firmly disputes any compromise of its production environment, asserting that the attackers never touched live systems or genuine client data but instead interacted with a purpose-built honeypot. According to a report filed on December 24, it was determined that the initial recon in the vulnerable environment was first spotted on November 21, 2025, with subsequent scanning activities originating from Egyptian IP addresses and utilizing Mullvad VPN. In this regard, in order to monitor the tactics, techniques, and procedures of the attacker, the Digital Forensics and Incident Response (DFIR) team set up an isolated “honeypot” account. 

To make the bait more convincing, Resecurity claims the creation of more than 28,000 fake consumer records and over 190,000 fake payment transactions modeled after the official API structures defined by Stripe. Later in December, the attacker reportedly began automated data exfiltration attacks with more than 188,000 requests made between December 12th and December 24th using a wide range of residential proxy IP addresses. During this period, Resecurity claims that sporadic proxy issues temporarily revealed actual IP addresses, helping analysts identify the attacker’s back-end servers, whose details were later shared with a foreign law enforcement agency that subsequently issued a subpoena against the attacker.

After the initial coverage, the attackers contacted Dissent Doe of DataBreaches.net and provided samples of what they claimed was stolen data, seeking to reinforce their narrative. However, an independent review by DataBreaches concluded there was no evidence that SLH obtained information from any real Resecurity clients, aligning with the company’s assertion that only synthetic records were exposed. Meanwhile, the Telegram channel that originally hosted SLH’s breach claims has since been suspended for violating the platform’s policies, limiting the group’s ability to continue publishing its version of events.
Read more »
Subscribe to: Comments (Atom)

Featured