Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Smart Meters: A Growing Target in Data Security

  Smart electricity meters, once simple devices for recording household consumption, are now central to modern energy systems. They track us...

All the recent news you need to know
State-Sponsored Monitoring
Authoritarian Technology Cybersecurity Leak Data Breach digital surveillance Great Firewall Internet censorship State-Sponsored Monitoring

Great Firewall of China Compromised in Historic 600GB Data Exposure


 

It has been reported that on September 11, 2025, nearly 600 gigabytes of classified materials linked to the Great Firewall of China have emerged online in a breach of China's closely guarded internet censorship machinery, which is a breach of scale that has never been experienced. This leaked cache of internal GFW documents, which experts have described as the largest exposure of internal GFW documents ever in history, provides a rare opportunity to get a closer look at Beijing's highly automated digital surveillance system. 

It is a collection of data that has been gathered from Geedge Networks, a company founded and led by Fang Binxing, one of the most renowned scientists in the world, along with the MESA Lab at the Institute of Information Engineering of the Chinese Academy of Sciences, which has collected and archived source code, internal communications, development logs, and archives of project management tools for a period of many years. 

According to researchers who examined the document, the revelation not only confirms Chinese national security sweeping domestic control, but reveals how censorship and surveillance technology, packaged as deployable hardware and software systems, has been exported overseas. Geedge's services are indicated in the documents, not only to sensitive domestic regions such as Xinjiang, Jiangsu, and Fujian, but also to governments in Myanmar, Pakistan, Ethiopia, and Kazakhstan, with further signs that the company's services may be deployed under the Belt and Road Initiative.

A 500GB archive of server repositories, detailed manuals, and operational files is one of the details of the breach that indicates not just a compromise of a state secret but also a glimpse into how China's digital authoritarian model of digital authority has been refined and marketed for international use as well. 

There are two pivotal institutions at the heart of China's online censorship regime, which are referred to in the cache of leaked files: Geedge Networks and MESA Lab of the Institute of Information Engineering under the Chinese Academy of Sciences. As a result of the work of Geedge, led by its chief scientist, Fang Binxing— widely known as “Father of the Great Firewall”—Geedge has been seen for decades as the technical brain behind the operation of the firewall system. 

There has been a forensic investigation into the incident, and it appears the attackers have exploited an incorrectly configured private code repository to gain access to backup snapshots, archived communications, and development environments. A single mirror archive of RPM packaging servers was estimated to have accounted for 500 GB of the material that was exposed, along with years' worth of documentation, JIRA project management data, and technical manuals. 

It turned out that the breach exposed nearly 600 gigabytes of data. In the files, scientists found evidence that Geedge was not only located in provinces such as Xinjiang, Jiangsu, and Fujian, which represent some of the worst cases of domestic censorship, but was also supplying censorship as a service to other countries under the Belt and Road Initiative. 

The contract and proposal details the provision of keyword blacklists, real-time traffic monitoring, cloud-based filtering appliances, and other services to the governments of Myanmar, Pakistan, Ethiopia, and Kazakhstan, with diplomatic communications suggesting additional undisclosed customers. 

In the leak, a parallel role also comes to light for MESA Lab, which was established in 2012 as the Processing Architecture Team for "Massive Effective Stream Analysis" and eventually became an international research centre worth millions of yuan. 

The lab maintains internal source code and development records, which expose sophisticated algorithms for packet inspection, dynamic rule enforcement, and evasion detection, including simulated testing against encrypted tunnels circumvention tools as well as testing against encryption tunnels and circumventions. 

The documents, which have been carefully reviewed by organisations such as GFW Report and Net4People on isolated systems, are seen as a groundbreaking intelligence breakthrough by analysts. They provide an unparalleled understanding of the mechanism of state-sponsored internet controls while raising important questions regarding the export of authoritarian surveillance techniques to the global marketplace. 

The leaked cache contains nearly 600 gigabytes and tens of thousands of files and repositories, and together, they provide a rare and intricate insight into the machinery of China's censorship system, with its complex and comprehensive policies governing the internet. In its core lies a massive 500GB mirror archive of RPM packaging servers. This demonstrates to us that, in addition to being a political construct, the Great Firewall is a highly engineered software ecosystem that is maintained to the same standard as a large, corporate-scale IT operation. Additional archives such as geedge_docs.tar.zst and mesalab_docs.tar.zst contain countless internal reports and research proposals. 

A number of the files referencing projects such as “CTF-AWD,” “BRI,” and “CPEC” suggest connections and international collaborations that are based on the Belt and Road Initiative, while project management data and communication drafts show the coordination of researchers and engineers on a daily basis. 

Even though many documents appear mundane, such as reimbursement receipts and documents labelled simply “Print”, censorship is still an institutionalised part of bureaucratic processes and procedures. There are a number of things that distinguish this leak from other types of breaches, the most remarkable being its breadth and granularity. Instead of only a few emails or whistleblower memos, this collection comprises raw operational information that reveals years of investment, research, and development. 

Several independent researchers, including Net4People, Hackread.com, and others, have noted that the file tree itself tells a great deal about the Firewall's evolution into a distributed, export-ready system. Additionally, the background materials also examine how the MESA Lab grew in 2012 from a small research lab at the Chinese Academy of Sciences into a multi-million dollar operation that contributed to national cybersecurity awards in 2016, which had been opened in 2016. 

Originally created under the guidance of Fang Binxing, who is given credit for designing the Great Firewall, Geedge Networks quickly absorbed the talents of the MESA and has quickly emerged as one of the few private firms capable of supporting state censorship both domestically and internationally. 

The immediate revelations of Chinese internet control infrastructure confirm what many observers have long suspected: that while the full analysis of source code may take months, they already confirm what many observers have long suspected. There is no static or insular Chinese internet control infrastructure. Instead, it is a living system shaped by government contracts, academic research, and private enterprise, and increasingly packaged for export to other countries. 

A hacktivist group behind the disclosure has warned that examining the files should only be done in an isolated environment because there might be embedded malware and tracking elements in them. Despite these dangers, researchers and rights advocates argue that the trove offers the chance to gain a comprehensive understanding of the Great Firewall, both in terms of how it worsens and how its influence is being systematically extended outside of the country. 

This unprecedented exposé of the Great Firewall's inner workings is far more than a breach - it marks an important turning point in the global debate around digital rights, sovereignty, and the export of surveillance technology worldwide. In the context of governments, these files provide an unfiltered look at how authoritarian states operationalised censorship, transforming it into a scaled, almost commodified system that is capable of deploying well outside their own borders. 

As researchers and civil society groups, we find that this material is an invaluable resource unravelling censorship mechanisms, developing countermeasures, and creating stronger tools to circumvent censorship. 

As a result of these revelations, policymakers around the world need to look at how Chinese surveillance infrastructure is spread through initiatives like the Belt and Road initiative, and to weigh the geopolitical implications of supporting regimes that restrict freedom of expression to take appropriate measures. Since the data is subject to potential security risks, it is imperative to handle it carefully. 

However, its availability presents an excellent opportunity to improve transparency, accountability, and resilience against digital authoritarianism, as well as strengthening transparency, accountability, and resilience. If used responsibly, this leak could not only reshape the way people perceive China's censorship model but also help to spark international efforts to safeguard the open internet in general.
Read more »
telemetry.js malware
GitHub Actions vulnerability NPM malware Nx supply chain attack telemetry.js malware

Nx "s1ngularity" Supply Chain Attack Exposes Thousands of Secrets

 

The recent Nx "s1ngularity" NPM supply chain attack has led to a massive security fallout, exposing thousands of account tokens and repository secrets, according to Wiz researchers.

A post-incident analysis revealed that the breach compromised 2,180 accounts and 7,200 repositories in three distinct attack phases. Wiz emphasized that the impact is still unfolding, as many of the leaked secrets remain valid.

Nx, a widely used open-source build system and monorepo management tool in enterprise-scale JavaScript/TypeScript projects, has over 5.5 million weekly downloads on the NPM registry.

How the Attack Happened

On August 26, 2025, threat actors exploited a flawed GitHub Actions workflow in the Nx repository. This enabled them to publish a malicious version of Nx on NPM containing a post-install malware script called telemetry.js.

The telemetry.js malware targeted Linux and macOS systems, attempting to steal sensitive data such as GitHub tokens, npm tokens, SSH keys, .env files, and even crypto wallets. The stolen data was then uploaded to public repositories under the name "s1ngularity-repository."

What made this breach particularly unique was the attacker’s use of AI command-line tools like Claude, Q, and Gemini. These tools were leveraged with changing LLM prompts to hunt for and extract secrets.

"The evolution of the prompt shows the attacker exploring prompt tuning rapidly throughout the attack. We can see the introduction of role-prompting, as well as varying levels of specificity on techniques," explained Wiz.

"These changes had a concrete impact on the success of the malware. The introduction of the phrase ‘penetration testing’, for example, was concretely reflected in LLM refusals to engage in such activity."

Three Phases of the Attack

Phase 1 (Aug 26–27): Backdoored Nx packages impacted around 1,700 users, leaking more than 2,000 unique secrets and exposing 20,000 files from infected systems. GitHub removed attacker-created repositories within eight hours, but the stolen data had already been duplicated.

Phase 2 (Aug 28–29): Using stolen GitHub tokens, attackers flipped private repositories to public, renaming them with the “s1ngularity” tag. This compromised 480 more accounts (mostly organizations) and exposed 6,700 private repositories.

Phase 3 (from Aug 31): The attackers focused on a single organization, using two compromised accounts to publish another 500 private repositories.

Root Cause & Response

The Nx team later confirmed that the breach stemmed from a pull request title injection combined with insecure use of pull_request_target. This flaw allowed attackers to execute arbitrary code with elevated permissions, triggering Nx’s publish pipeline and stealing the npm publishing token.

In response, Nx revoked compromised tokens, adopted two-factor authentication, and migrated to NPM’s Trusted Publisher model, which eliminates token-based publishing. Additionally, manual approvals are now required for pull request-triggered workflows.
Read more »
protecting sensitive data
China Critical Infrastructure cyber espionage Cyber Security Czech data security Data Transfer protecting sensitive data

Czechia Warns of Chinese Data Transfers and Espionage Risks to Critical Infrastructure

 

Czechia’s National Cyber and Information Security Agency (NÚKIB) has issued a stark warning about rising cyber espionage campaigns linked to China and Russia, urging both government institutions and private companies to strengthen their security measures. The agency classified the threat as highly likely, citing particular concerns over data transfers to China and remote administration of assets from Chinese territories, including Hong Kong and Macau. According to the watchdog, these operations are part of long-term efforts by foreign states to compromise critical infrastructure, steal sensitive data, and undermine public trust. 

The agency’s concerns are rooted in China’s legal and regulatory framework, which it argues makes private data inherently insecure. Laws such as the National Intelligence Law of 2017 require all citizens and organizations to assist intelligence services, while the 2015 National Security Law and the 2013 Company Law provide broad avenues for state interference in corporate operations. Additionally, regulations introduced in 2021 obligate technology firms to report software vulnerabilities to government authorities within two days while prohibiting disclosure to foreign organizations. NÚKIB noted that these measures give Chinese state actors sweeping access to sensitive information, making foreign businesses and governments vulnerable if their data passes through Chinese systems. 

Hong Kong and Macau also fall under scrutiny in the agency’s assessment. In Hong Kong, the 2024 Safeguarding National Security Ordinance integrates Chinese security laws into its own legal system, broadening the definition of state secrets. Macau’s 2019 Cybersecurity Law grants authorities powers to monitor data transmissions from critical infrastructure in real time, with little oversight to prevent misuse. NÚKIB argues that these developments extend the Chinese government’s reach well beyond its mainland jurisdiction. 

The Czech warning gains credibility from recent attribution efforts. Earlier this year, Prague linked cyberattacks on its Ministry of Foreign Affairs to APT31, a group tied to China’s Ministry of State Security, in a campaign active since 2022. The government condemned the attacks as deliberate attempts to disrupt its institutions and confirmed a high degree of certainty about Chinese involvement, based on cooperation among domestic and international intelligence agencies. 

These warnings align with broader global moves to limit reliance on Chinese technologies. Countries such as Germany, Italy, and the Netherlands have already imposed restrictions, while the Five Eyes alliance has issued similar advisories. For Czechia, the implications are serious: NÚKIB highlighted risks across devices and systems such as smartphones, cloud services, photovoltaic inverters, and health technology, stressing that disruptions could have wide-reaching consequences. The agency’s message reflects an ongoing effort to secure its digital ecosystem against foreign influence, particularly as geopolitical tensions deepen in Europe.
Read more »
VirusTotal
Colombia JavaScript malware phishing SVG VirusTotal

SVG Phishing Campaign Bypasses Antivirus, Targets Colombian Judiciary

 

VirusTotal has uncovered a sophisticated phishing campaign that leverages SVG (Scalable Vector Graphics) files to bypass traditional antivirus detection while impersonating Colombia's judicial system. The campaign was discovered after VirusTotal added SVG support to its AI Code Insight platform, which uses machine learning to analyze suspicious behavior in uploaded files. 

Campaign discovery and scale 

The malicious SVG files initially showed zero detections by conventional antivirus scans but were flagged by VirusTotal's AI-powered Code Insight feature for suspicious JavaScript execution and HTML rendering capabilities. Following the initial discovery, VirusTotal identified 523 previously uploaded SVG files that were part of the same campaign, all of which had evaded detection by traditional security software. 

Modus operandi 

The SVG files exploit the element to display HTML content and execute JavaScript when loaded. These files create convincing fake portals impersonating Colombia's Fiscalía General de la Nación (Office of the Attorney General), complete with case numbers, security tokens, and official government branding to build victim trust. 

When users interact with these fake portals, they see a phony download progress bar that simulates an official government document download process. While victims believe they are downloading legitimate legal documents, the malware simultaneously triggers the download of a password-protected ZIP archive in the background . 

Malware payload

Analysis of the extracted ZIP files reveals a multi-component attack containing four files: a legitimate Comodo Dragon web browser executable renamed to appear as an official judicial document, a malicious DLL, and two encrypted files. When the user opens the executable, the malicious DLL is sideloaded to install additional malware on the system. 

Evasion techniques

The campaign demonstrates sophisticated evasion tactics including obfuscation, polymorphism, and substantial amounts of dummy code designed to increase file entropy and avoid static detection methods. The attackers evolved their payloads over time, with earlier samples being larger (around 25 MB) and later versions becoming more streamlined. 

Detection challenges

SVG files present unique security challenges because they can contain executable JavaScript while appearing as harmless image files to users and many security tools. Traditional antivirus solutions struggle to analyze the XML-based SVG format effectively, making AI-powered behavioral analysis crucial for detection. 

The campaign highlights the growing trend of threat actors exploiting SVG files for phishing attacks, as these files can embed malicious scripts that execute automatically while maintaining the appearance of legitimate graphics. VirusTotal's AI Code Insight platform proved essential in exposing this campaign, demonstrating how machine learning can identify threats that traditional signature-based detection methods miss .
Read more »
Vietnam
AI Artificial Intelligence Cloud Cyber Attacks Internet Panama Ransomware Vietnam

Panama and Vietnam Governments Suffer Cyber Attacks, Data Leaked


Hackers stole government data from organizations in Panama and Vietnam in multiple cyber attacks that surfaced recently.

About the incident

According to Vietnam’s state news outlet, the Cyber Emergency Response Team (VNCERT) confirmed reports of a breach targeting the National Credit Information Center (CIC) that manages credit information for businesses and people, an organization run by the State Bank of Vietnam. 

Personal data leaked

Earlier reports suggested that personal information was exposed due to the attack. VNCERT is now investigating and working with various agencies and Viettel, a state-owned telecom. It said, “Initial verification results show signs of cybercrime attacks and intrusions to steal personal data. The amount of illegally acquired data is still being counted and clarified.”

VNCERT has requested citizens to avoid downloading and sharing stolen data and also threatened legal charges against people who do so.

Who was behind the attack?

The statement has come after threat actors linked to the Shiny Hunters Group and Scattered Spider cybercriminal organization took responsibility for hacking the CIC and stealing around 160 million records. 

Threat actors put up stolen data for sale on the cybercriminal platforms, giving a sneak peek of a sample that included personal information. DataBreaches.net interviewed the hackers, who said they abused a bug in end-of-life software, and didn’t offer a ransom for the stolen information.

CIC told banks that the Shiny Hunters gang was behind the incident, Bloomberg News reported.

The attackers have gained the attention of law enforcement agencies globally for various high-profile attacks in 2025, including various campaigns attacking big enterprises in the insurance, retail, and airline sectors. 

The Finance Ministry of Panama also hit

The Ministry of Economy and Finance in Panam was also hit by a cyber attack, government officials confirmed. “The Ministry of Economy and Finance (MEF) informs the public that today it detected an incident involving malicious software at one of the offices of the Ministry,” they said in a statement. 

The INC ransomware group claimed responsibility for the incident and stole 1.5 terabytes of data, such as emails, budgets, etc., from the ministry.

Read more »
Vulnerabilities and Exploits
Akira Ransomware CVE-2024-40766 SonicOS 7.3.0 SonicWall firewall vulnerability SonicWall Gen 7 SSLVPN exploit Vulnerabilities and Exploits

Ransomware Groups Still Exploiting SonicWall Firewall Vulnerability Despite Patch

 

More than a year after SonicWall released a patch for CVE-2024-40766, a critical vulnerability affecting its next-generation firewalls, attackers linked to the Akira ransomware-as-a-service operation continue to exploit the flaw to breach organizations.

Similar to incidents in September 2024 and earlier this year, affiliates of the Akira group are behind the latest wave of attacks. The spike observed in July 2025 was partly due to organizations upgrading from Gen 6 to Gen 7 SonicWall firewalls without resetting local user passwords as recommended by SonicWall.

Attackers have also expanded their techniques. According to Rapid7’s Incident Response team, there has been “an uptick in intrusions involving SonicWall appliances” since early August 2025. Their findings indicate that the Akira group may be chaining together three different security weaknesses to gain access and deploy ransomware.

CVE-2024-40766, which remains unpatched in some environments.

A misconfiguration in the SSLVPN Default Users Group setting. SonicWall explains:

“This setting automatically adds every successfully authenticated LDAP user to a predefined local group, regardless of their actual membership in Active Directory. If that default group has access to sensitive services – such as SSL VPN, administrative interfaces, or unrestricted network zones – then any compromised AD account, even one with no legitimate need for those services, will instantly inherit those permissions.”
“This effectively bypasses intended AD group-based access controls, giving attackers a direct path into the network perimeter as soon as they obtain valid credentials.”

Abuse of the Virtual Office Portal feature in SonicWall appliances, which attackers are using to configure MFA/TOTP on already compromised accounts.

The Australian Cyber Security Centre (ACSC) has also issued warnings about increased Akira activity targeting Australian entities via CVE-2024-40766.

According to Rapid7, the attackers’ method remains consistent: they gain entry through the SSLVPN component, escalate privileges to elevated or service accounts, exfiltrate sensitive data from file servers and network shares, disable or delete backups, and finally execute ransomware at the hypervisor layer.

Recommended Mitigations

Organizations relying on SonicWall firewalls are advised to:

  • Rotate passwords on all SonicWall local accounts and delete unused ones.
  • Enforce MFA/TOTP for SSLVPN services.
  • Set the Default LDAP User Group to “None.”
  • Restrict Virtual Office Portal access to trusted local networks and closely monitor usage.
  • Ensure all appliances run the latest firmware updates.

SonicWall recently highlighted that SonicOS 7.3.0 introduces additional protections against brute-force attacks and enhanced MFA controls, providing stronger defense against ransomware intrusions.
Read more »
Subscribe to: Posts (Atom)

Featured