
All the recent news you need to know

Panera Bread Reportedly Hit by ShinyHunters Data Breach, 14 Million Records Exposed


Panera Bread has allegedly fallen victim to a cyberattack carried out by the notorious hacking collective ShinyHunters, with millions of customer records said to have been stolen.

The threat group recently listed Panera Bread, along with CarMax and Edmunds, on its data leak portal. In Panera’s case, attackers claim to have accessed approximately 14 million records. The compromised data reportedly includes customer names, email addresses, mailing addresses, phone numbers, and account-related details. Altogether, around 760MB of compressed data was allegedly extracted from company systems.

In a conversation with The Register, ShinyHunters stated that access to Panera’s network was gained through Microsoft Entra single sign-on (SSO). If accurate, the breach may be connected to a recent alert issued by Okta, which warned that cybercriminals were targeting SSO credentials from Okta, Microsoft, and Google through an advanced voice phishing scheme.

Should that link be confirmed, Panera Bread — which operates thousands of outlets across the United States and Canada — would join a growing roster of companies reportedly compromised through similar tactics, including Crunchbase and Betterment. According to ShinyHunters, both organizations were breached via voice phishing attacks aimed at stealing Okta authentication codes.

To date, most of the affected companies have not publicly addressed the incidents. Betterment is the only firm that has acknowledged a breach, confirming that employees were deceived in a social engineering attack on January 9.

"The unauthorized access involved third-party software platforms that Betterment uses to support our marketing and operations," the company said.

"Once they gained access, the unauthorized individual was able to send a fraudulent, crypto-related message that appeared to come from Betterment to a subset of our customers."

ShinyHunters remains one of the most active ransomware groups currently operating and is notable for abandoning traditional encryption tactics. Rather than locking victims out of their systems, the group focuses solely on stealing sensitive information and pressuring organizations to pay in exchange for keeping the data private — a method that is less complex to deploy but potentially just as profitable.

Snap Faces Lawsuit From Creators Over Alleged AI Data Misuse


A legal conflict between online creators and companies dedicated to artificial intelligence has entered an increasingly personal and sharper stage. In recent weeks, well-known YouTubers have filed suits in federal court against Snap alleging that the company built its artificial intelligence capabilities on the basis of their copyrighted material. 

In the complaint, there is a familiar but unresolved question for the digital economy: Can the vast archives of video created by creators that power the internet be repurposed to train commercial artificial intelligence systems without the knowledge or consent of the creators? 

Among the participants in the proposed class action, which was filed in the Central District Court of California on Friday, are internet personalities whose combined YouTube audience exceeds 6.2 million subscribers.

According to the complaint, the videos they uploaded to YouTube were scraped into datasets used to train Snapchat's AI models, in violation of platform rules as well as federal copyright law.

The plaintiffs have previously brought similar claims against Nvidia, Meta, and ByteDance, arguing that a growing segment of the artificial intelligence industry relies on creator content without authorization. Specifically, the YouTubers contend that Snap used large-scale video-language datasets, including HD-VILA-100M, that were developed for academic and research purposes rather than commercial applications.

The newly filed complaint specifically challenges Snap's reported use of these datasets. It asserts that any commercial use would have been subject to YouTube's technological safeguards, terms of service, and licensing restrictions, and the plaintiffs argue that these limitations were bypassed so that Snap's AI systems could incorporate the material.

In addition to statutory damages, the lawsuit seeks a permanent injunction prohibiting further alleged infringements. Among the participants are the creators of the YouTube channel h3h3, which has a subscriber base of 5.52 million, as well as the golf-focused channels MrShortGame Golf and Golfholics. 

The case is one of the latest in a series of copyright disputes between users and artificial intelligence developers. Recently, publishers, authors, newspapers, artists, and user-generated content platforms have brought similar claims. As reported by the nonprofit Copyright Alliance, over 70 copyright infringement lawsuits have been filed against artificial intelligence companies to date with varying outcomes. 

Several cases involving Meta and a group of authors were resolved in favor of the technology company by a federal judge. In another case involving Anthropic and authors, the company reached a settlement. Several other cases are still pending, which leaves courts with the task of defining how technological innovation intersects with intellectual property rights in our rapidly evolving age.

The proposed class is not limited to the named plaintiffs: it covers all U.S.-based individuals who have uploaded original video content to YouTube and whose works have allegedly been incorporated into the large-scale video datasets referenced in the complaint.

According to the filing, these datasets formed the foundation of Snap's artificial intelligence training pipeline, enabling the company to ingest and process creator content in significant quantities. The same plaintiffs have filed comparable class complaints against ByteDance, Meta, and Nvidia as part of a coordinated legal strategy intended to challenge industry-wide data acquisition practices.

The plaintiffs seek monetary relief along with a declaratory judgment that Snap willfully circumvented YouTube's copyright protection mechanisms. The complaint requests statutory damages, costs and interest, as well as an injunction to stop the continued use of the disputed video materials.

There is a central claim in the complaint that Snap developed and refined its generative AI video systems by accessing and copying YouTube content en masse, despite the platform's architecture which permits controlled streaming, but does not provide access to source files for download. 

Snap's model development is attributed to specific datasets, including HD-VILA-100M and Panda-70M, cited in the complaint. According to the filing, HD-VILA-100M contains metadata that references YouTube videos rather than hosting the audiovisual files themselves. As a result, the plaintiffs maintain that Snap had to retrieve and duplicate the referenced videos directly from YouTube's servers in order to make such datasets usable for model training.

As a result of this process, they contend that technology protection measures and access controls designed to prevent large-scale extraction and downloading were necessarily bypassed. This lawsuit alleges the use of automated tools and structured workflows to facilitate this retrieval. Moreover, the complaint claims that the datasets segmented individual YouTube uploads into multiple discrete clips, which required repeated access to the same source video as well. 

According to the plaintiffs, this method resulted in millions of separate acts of copying which were essentially identical in nature. In Snapchat’s AI-powered features, those copies were allegedly used to train and enhance text-to-video and image-to-video models.

In spite of license restrictions associated with certain datasets, the filing asserts that these activities were conducted for commercial deployment rather than academic or research purposes. As a final point, the plaintiffs assert Snap's conduct violated YouTube's terms of service and constituted unlawful circumvention of technological safeguards, regardless of whether particular videos had been formally registered with the U.S. Copyright Office. 

Thus, the complaint frames the dispute not merely as a disagreement over platform rules but as a broader question about the legal and technical limits governing large-scale data ingestion for commercial AI development.

Depending on the outcome of the litigation, it may have implications that extend far beyond the parties involved. At stake are not only the questions of liability in a single dispute but also the broader compliance landscape that undergirds commercial AI development.

In this case, the court will examine how training data is sourced, whether technical safeguards constitute enforceable measures of protection, and how thoroughly dataset provenance and licensing constraints need to be audited before model deployment is undertaken. 

The case reminds technology companies that data governance frameworks must be defensible, training pipelines transparent, and third-party datasets rigorously reviewed. Creators and platforms alike should take note, as it signals that regulation of artificial intelligence will be shaped less by abstract policy debates and more by detailed judicial scrutiny of the technological processes used to turn publicly accessible content into machine-learning systems.

Shadowserver Finds 6,000 Exposed SmarterMail Servers Hit by Critical Flaw


Over six thousand SmarterMail systems are reachable online and possibly at risk from a serious login vulnerability, according to the nonprofit cybersecurity group Shadowserver. The concern grows as attackers increasingly aim at outdated corporate mail setups left unprotected.

On January 8, watchTowr informed SmarterTools about the security weakness. The patch was released one week later, before an official CVE number had been assigned. The flaw, later designated CVE-2026-23760, earned a top-tier severity rating because of how deeply intruders could penetrate affected systems and the level of access it grants.

A security notice in the NIST National Vulnerability Database points to an issue in earlier releases of SmarterMail, versions before build 9511. The flaw sits within the password reset API, where access control does not function properly: instead of rejecting unknown callers, the force-reset-password feature accepts input without requiring proof of identity. Missing checks on both token validity and the caller's current login details create an open door. Threat actors with no prior access may trigger resets for admin accounts using only known usernames, and such exploitation grants complete takeover of affected systems.

Attackers can take over admin accounts by abusing this weakness, gaining full access to vulnerable SmarterMail systems through remote code execution. Knowing just one administrator username is enough, according to watchTowr, making it much easier to carry out such attacks. 
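To make the defect pattern concrete, the following added example (constructed for this page, not SmarterMail's code) contrasts a force-reset handler that acts on a username alone with a hardened version that demands a valid, unexpired, single-use reset token or the account's current password; the store, token format and lifetimes are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class ResetToken:
    username: str
    value: str
    expires_at: float


@dataclass
class AccountStore:
    # Plaintext passwords are for illustration only; a real store holds hashes.
    passwords: dict = field(default_factory=dict)   # username -> password
    tokens: dict = field(default_factory=dict)      # username -> ResetToken


def force_reset_vulnerable(store: AccountStore, username: str, new_password: str) -> bool:
    """The defect pattern described for CVE-2026-23760: neither the caller's
    identity nor a reset token is checked, so a known username is enough."""
    if username not in store.passwords:
        return False
    store.passwords[username] = new_password
    return True


def issue_reset_token(store: AccountStore, username: str, ttl_seconds: int = 900) -> str:
    """Server-side step a legitimate reset flow performs first (hypothetical)."""
    token = ResetToken(username, secrets.token_urlsafe(32), time.time() + ttl_seconds)
    store.tokens[username] = token
    return token.value


def force_reset_hardened(store: AccountStore, username: str, new_password: str, *,
                         token: str = None, current_password: str = None,
                         now: float = None) -> bool:
    """Hardened form: succeeds only with a valid, unexpired, single-use token
    or the current password. Unknown users and missing proof both fail."""
    now = time.time() if now is None else now
    if username not in store.passwords:
        return False
    if token is not None:
        issued = store.tokens.pop(username, None)   # single use, even on a bad guess
        if issued is None or now > issued.expires_at:
            return False
        if not hmac.compare_digest(issued.value, token):
            return False
    elif current_password is not None:
        if not hmac.compare_digest(store.passwords[username], current_password):
            return False
    else:
        return False
    store.passwords[username] = new_password
    return True
```

Consuming the token on a failed comparison is deliberate: it denies an unauthenticated caller repeated guesses against an outstanding reset.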

More than six thousand SmarterMail servers are now under watch by Shadowserver, each marked as probably exposed. More than four thousand two hundred of them are in North America, and almost a thousand others appear in Asia. The risk is widespread wherever patches remain unapplied, and organizations slow to update face higher chances of compromise.

Scans showing over 8,550 vulnerable SmarterMail systems came to light through data provided to BleepingComputer by Macnica analyst Yutaka Sejiyama. Though attackers continue targeting the flaw, the pace of response varies widely across networks, which only adds weight to ongoing worries about delayed fixes.

On January 21, watchTowr noted it had detected active exploitation attempts. The next day, confirmation came through Huntress, a cybersecurity company spotting similar incidents. Rather than isolated cases, what they saw pointed to broad, automated attacks aimed at exposed servers. 

Early warnings prompted CISA to list CVE-2026-23760 in its active threat database, requiring federal bodies across the U.S. to fix it before February 16. Because flaws like this often become entry points, security teams face rising pressure - especially when hostile groups exploit them quickly. Government systems, along with corporate networks, stand at higher risk once these weaknesses go public. 

On its own, Shadowserver noted close to 800,000 IP addresses showing open Telnet signatures during incidents tied to a serious authentication loophole in GNU Inetutils' telnetd - highlighting how outdated systems still connected to the web can widen security exposure.

HoneyMyte Upgrades CoolClient: New Browser Stealers Target Asia, Europe


The HoneyMyte threat group, also known as Mustang Panda or Bronze President, has escalated its cyber espionage efforts by significantly upgrading its CoolClient backdoor malware. This China-linked advanced persistent threat (APT) actor, active since at least 2012, primarily targets government organizations in Asia and Europe to harvest sensitive geopolitical and economic intelligence.

In 2025, security researchers from Kaspersky identified enhanced versions of CoolClient deployed in campaigns hitting countries like Myanmar, Mongolia, Malaysia, Thailand, Russia, and Pakistan. These updates reflect HoneyMyte's ongoing adaptation to evade detection and maximize data theft from high-value targets. CoolClient now employs a multi-stage infection chain, often using DLL side-loading to hijack legitimate applications from vendors like BitDefender, VLC Media Player, and Sangfor.

This technique allows the malware to masquerade as trusted software while executing malicious payloads for persistence and command-and-control communication. The backdoor supports extensible plugins, including new capabilities to extract HTTP proxy credentials from network traffic—a feature not previously observed in HoneyMyte's arsenal. Combined with tools like ToneShell rootkit, PlugX, and USB worms such as Tonedisk, these enhancements enable deeper system compromise and long-term surveillance.

A standout addition is HoneyMyte's browser credential stealer, available in at least three variants tailored to popular browsers. Variant A targets Google Chrome, Variant B focuses on Microsoft Edge, and Variant C handles multiple Chromium-based browsers like Brave and Opera. The stealer copies login databases to temporary folders, leverages Windows Data Protection API (DPAPI) to decrypt master keys and passwords, then reconstructs full credential sets for exfiltration. This shift toward active credential harvesting, alongside keylogging and clipboard monitoring, marks HoneyMyte's evolution from passive espionage to comprehensive victim surveillance.

Supporting these implants, HoneyMyte deploys scripts for reconnaissance, document exfiltration, and system profiling, often in tandem with CoolClient infections. These campaigns use spear-phishing lures mimicking government services in victims' native languages, exploiting regional events for credibility. Earlier variants of CoolClient were analyzed by Sophos in 2022 and Trend Micro in 2023, but 2025 iterations show marked improvements in stealth and modularity. The group's focus on Southeast Asian governments underscores its alignment with Chinese strategic interests.

Organizations face heightened risks from HoneyMyte's refined toolkit, demanding robust defenses like behavioral monitoring for DLL side-loading, browser credential anomalies, and anomalous network traffic. Government entities in targeted regions should prioritize endpoint detection, credential hygiene, and threat intelligence sharing to counter these persistent threats. As HoneyMyte continues innovating—potentially expanding to Europe—proactive measures remain essential against this adaptable adversary.
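As an added example of the behavioral monitoring recommended above (written for this page, not Kaspersky's or any vendor's detection content), the following Python flags two of the behaviors described: a trusted-looking executable loading an unsigned DLL from the user-writable directory it was copied into, and a browser login database appearing outside a browser profile such as in Temp. The Sysmon-style event lines, paths and file names are constructed placeholders.

```python
from pathlib import PureWindowsPath

# Constructed, Sysmon-style image-load (EventID 7) and file-create (EventID 11)
# events as pipe-separated key=value fields. Not real telemetry or indicators.
SAMPLE_EVENTS = """\
EventID=7|Image=C:\\Users\\alice\\AppData\\Roaming\\Updater\\trusted_app.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Roaming\\Updater\\helper.dll|Signed=false
EventID=7|Image=C:\\Program Files\\Vendor\\trusted_app.exe|ImageLoaded=C:\\Program Files\\Vendor\\helper.dll|Signed=true
EventID=11|Image=C:\\Users\\alice\\AppData\\Roaming\\Updater\\trusted_app.exe|TargetFilename=C:\\Users\\alice\\AppData\\Local\\Temp\\Login Data
EventID=11|Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|TargetFilename=C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
"""

USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")
LOGIN_DB_NAMES = {"login data", "login data for account"}


def parse_event(line: str) -> dict:
    """Split one constructed event line into a field dictionary."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def in_user_writable_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def is_side_load(ev: dict) -> bool:
    """Side-loading heuristic: an executable in a user-writable directory
    loads an unsigned DLL that sits next to it (the vendor binary was copied
    out of its install location together with a planted DLL)."""
    if ev.get("EventID") != "7" or ev.get("Signed", "").lower() != "false":
        return False
    image = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    return in_user_writable_dir(str(dll)) and image.parent == dll.parent


def is_login_db_copy(ev: dict) -> bool:
    """A browser login database created outside any 'User Data' profile
    directory (e.g. under Temp) is a copy, not the browser's own write."""
    if ev.get("EventID") != "11":
        return False
    target = PureWindowsPath(ev["TargetFilename"])
    return (target.name.lower() in LOGIN_DB_NAMES
            and "\\user data\\" not in str(target).lower())


def detect(event_text: str) -> list:
    """Return (rule, artifact) findings for every matching event line."""
    findings = []
    for line in event_text.splitlines():
        ev = parse_event(line)
        if is_side_load(ev):
            findings.append(("dll_side_load", ev["Image"]))
        if is_login_db_copy(ev):
            findings.append(("browser_login_db_copied", ev["TargetFilename"]))
    return findings
```

The two benign lines (a signed DLL loaded from Program Files, and the browser writing its own profile database) produce no findings, which is the false-positive check a rule like this needs before deployment.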

Palo Alto Pulls Back from Linking China to Spying Campaign

Palo Alto Networks pulls back

According to two people familiar with the situation, Palo Alto Networks (PANW.O) decided against linking China to a global cyberespionage effort that the company revealed last week, out of fear that Beijing would retaliate against the cybersecurity business or its clients.

The reason 

According to the sources, after Reuters first reported last month that Palo Alto was one of roughly 15 U.S. and Israeli cybersecurity companies whose software had been banned by Chinese authorities on national security grounds, Palo Alto's findings that China was linked to the widespread hacking spree were scaled back.

According to the two individuals, a draft report from Palo Alto's Unit 42, the company's threat intelligence division, said that the prolific hackers, known as "TGR-STA-1030," were associated with Beijing. 

About the report 

The report was released on Thursday of last week, and the final version instead described the hacking group more vaguely as a "state-aligned group that operates out of Asia." Advanced attacks are notoriously hard to attribute, and cybersecurity specialists frequently argue about who should be held accountable for digital incursions. Palo Alto executives ordered the adjustment because they were worried about the software prohibition and suspected that it would lead to retaliation from Chinese authorities against the company's employees in China or its customers abroad.

China's reply 

The Chinese Embassy in Washington stated that it is against "any kind of cyberattack." It described attributing hacks as "a complex technical issue" and said it anticipated that "relevant parties will adopt a professional and responsible attitude, basing their characterization of cyber incidents on sufficient evidence, rather than unfounded speculation and accusations."

In early 2025, Palo Alto discovered the hacker collective TGR-STA-1030, the report says. Palo Alto called the extensive operation "The Shadow Campaigns." It claimed that the spies successfully infiltrated government and vital infrastructure institutions in 37 countries and carried out surveillance against almost every nation on the planet.

After reviewing Palo Alto's study, outside experts claimed to have observed comparable activity that they linked to Chinese state-sponsored espionage activities.

Cross-Platform Spyware Campaigns Target Indian Defense and Government Sectors

Cybersecurity researchers have identified multiple coordinated cyber espionage campaigns targeting organizations connected to India’s defense sector and government ecosystem. These operations are designed to infiltrate both Windows and Linux systems using remote access trojans that allow attackers to steal sensitive information and retain long-term control over compromised devices.

The activity involves several spyware families, including Geta RAT, Ares RAT, and DeskRAT. These tools have been associated in open-source security reporting with threat clusters commonly tracked as SideCopy and APT36, also known as Transparent Tribe. Analysts assess that SideCopy has operated for several years and functions as an operational subset of the broader cluster. Rather than introducing radically new tactics, the actors appear to be refining established espionage techniques by expanding their reach across operating systems, using stealthier memory-resident methods, and experimenting with new delivery mechanisms to avoid detection while sustaining strategic targeting.

Across the campaigns, initial access is commonly achieved through phishing emails that deliver malicious attachments or links to attacker-controlled servers. Victims are directed to open Windows shortcut files, Linux executables, or weaponized presentation add-ins. These files initiate multi-stage infection chains that install spyware while displaying decoy documents to reduce suspicion.

One observed Windows attack chain abuses a legitimate system utility to retrieve and execute web-hosted malicious code from compromised, regionally trusted websites. The downloaded component decrypts an embedded library, writes a decoy PDF file to disk, contacts a command-and-control server, and opens the decoy for the user. Before deploying Geta RAT, the malware checks which security products are installed and modifies its persistence technique accordingly to improve survivability. This method has been documented in public research by multiple security vendors.

Geta RAT enables extensive surveillance and control, including system profiling, listing and terminating processes, enumerating installed applications, credential theft, clipboard manipulation, screenshot capture, file management, command execution, and data extraction from connected USB devices.

Parallel Linux-focused attacks begin with a loader written in Go that downloads a shell script to install a Python-based Ares RAT. This malware supports remote command execution, data collection, and the running of attacker-supplied scripts. In a separate infection chain, DeskRAT, a Golang-based backdoor, is delivered through a malicious presentation add-in that establishes outbound communication to retrieve the payload, a technique previously described in independent research.

Researchers note that targets extend beyond defense to policy bodies, research institutions, critical infrastructure, and defense-adjacent organizations within the same trusted networks. The combined deployment of Geta RAT, Ares RAT, and DeskRAT reflects a developing toolkit optimized for stealth, persistence, and long-term intelligence collection.
