Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label AWS. Show all posts
Education Sector Cybersecurity
AWS Cyber Attacks Cyber Breach cybersecurity challenges data security Digital Infrastructure Education Sector Cybersecurity

CBSE Revaluation Portal Hit by Cyberattack, Payment Gateway Glitch Affects Students

 

A breach has surfaced within CBSE's digital infrastructure, casting doubt on transaction reliability during revaluation requests. Officials confirm unusual activity emerged just hours after launch of the updated platform. Instead of standard fees, some users saw inflated amounts appear without explanation. The disruption stemmed from external interference, not internal error, per preliminary assessments. While access resumed quickly, trust in online payments wavered temporarily among applicants. Investigators are now tracing entry points used in the intrusion. Security teams emphasize that only a small fraction faced actual financial impact. Monitoring continues as safeguards undergo review. 

Some fifty learners faced disruptions due to the event, officials noted. Payment amounts shifted without warning in these instances - now low at just one rupee, now near sixty-seven or sixty-eight thousand. Unauthorized entry might have paved the way for intentional system interference, according to insiders. Such altered fees possibly stemmed from targeted digital tampering following a breach. Trouble began when the portal’s payment gateway - handled by HDFC Bank - faced glitches after launch. Right away, access problems appeared, blocking user entry without warning. 

A few people took advantage while systems faltered, altering charges shown on student records. Officials confirmed irregular fees stemmed from these brief security lapses. Following the event, CBSE along with state bodies began closely examining the system's framework. To support this effort, specialists from IIT Madras, joined by counterparts at IIT Kanpur and the Digital Infrastructure Corporation of India, were invited into the process. With access granted, these teams started analyzing the underlying software structure and identifying weak points. 

One main goal drives their work: keeping the service stable under pressure. By reinforcing key defenses now, they aim to block repeat disruptions later. Now live within the platform, four state-run lenders join the network to spread risk beyond one vendor. Among them: State Bank of India, followed by Canara Bank, then Indian Bank, and later Bank of Maharashtra. With more institutions linked, handling payments should run smoother under strain. Built-in backup paths emerge naturally when multiple entry points exist. Stability gains come not from promises but structure - extra layers help maintain flow during outages. 

Later came reports of trouble faced by students after results and rechecking, sparking talks between Dharmendra Pradhan and Nirmala Sitharaman. Because of these concerns, officials decided improvements were needed in how payments work across CBSE platforms. So far, reports indicate the updated setup is running smoothly after shifting the platform to Amazon Web Services (AWS). This move comes in response to past issues with traffic handling and long-term flexibility. Teams remain alert, observing both function and protection measures closely during ongoing evaluations. 

What happened shows why protecting school systems matters more now, given how much personal information and money flows through them. Even so, officials keep digging into the case even as new security steps go live to reduce risks ahead.
Read more »
enterprise cybersecurity
Accenture AI technology AWS Cyber Advancements Cyber Protection Cyber Security enterprise cybersecurity

UK Post Office Awards £410 Million Contracts to Replace Horizon System After Long-Running Scandal

 

Now beginning its largest tech overhaul yet, the UK Post Office handed out £410 million in contracts to Accenture and OneView Commerce. This shift follows years of public scrutiny tied to the flawed Horizon system. Known for fueling a historic wave of wrongful convictions, that earlier platform is being phased out slowly. Instead of repeating past mistakes, officials are betting on updated tools built for accuracy. Behind the scenes, work has already started on untangling old code. What comes next will depend heavily on how well new systems adapt under real conditions.

Taking charge under fresh contracts, Accenture steps into managing and shifting the Post Office’s current tech setup. Worth £269 million across half a decade, the deal includes room to stretch further by another pair of years if needed. Out goes Fujitsu - the firm behind the original 1990s build of Horizon, the system handling sales and money tracking at counters. Instead comes a push led by Accenture: keeping daily operations steady while refreshing essential programs, guiding change toward modern cloud-based systems within an overall plan to renew outdated digital tools. 

Now beginning, OneView Commerce wins a distinct deal worth £141 million to build a fresh tech foundation for retail operations. This setup runs through the cloud, aiming to refresh daily functions inside Post Office locations. Electronic cash handling, portable access points, interactive client systems, data insights, along with stand-alone service stations form part of the rollout. Running within AWS or an equivalent online infrastructure ensures flexibility. Custom adjustments fit specific workflow demands across different sites. Years of dispute preceded the removal of Horizon.

Launched in 1999, it managed money tasks in Post Office locations nationwide. Faults within the program created incorrect account balances. These flawed reports triggered accusations against numerous branch managers - many charged with stealing, dishonest recordkeeping, or deceit. From 1999 until 2015, roughly 736 people faced unjust legal actions due to data flaws in the technology. Lives unraveled as a result: savings vanished, reputations damaged, mental health weakened. 

Still ongoing, a public investigation begun in 2021 examines how the scandal unfolded. By 2025, results showed top figures at the Post Office, together with staff from Fujitsu and earlier ICL, were aware - or ought to have been - of flaws in Horizon causing faulty financial records. Lives shattered under pressure; suicides occurred, tied directly to legal actions and what followed after. What emerged was not just system failure but personal tragedy etched into official findings. 

Come May 2025, the Post Office dropped its plan to build a new system on its own. Instead, it opened up bidding to outside firms. Winning proposals came from Accenture and OneView Commerce. Firms like IBM and Escher Software also submitted bids during the selection round. Now comes a shift - fresh agreements signal serious commitment, not just to upgrade tools but to restore confidence across the Post Office network.

Instead of clinging to outdated setups, leaders choose next-generation cloud solutions to replace the long-troubled Horizon infrastructure. This time around, progress means fewer breakdowns, smoother daily operations. Past mistakes weigh heavily; avoiding them shapes every decision going forward.
Read more »
technology companies
AWS Cloud Computing Cloud Server Customer Data Cyber Security data sovereignty Europe technology companies

Why Europe Is Rethinking Its Dependence on US Cloud Providers




Concerns around digital sovereignty are rapidly becoming one of the most important debates shaping the future of cloud computing, artificial intelligence, and government technology infrastructure across Europe and the UK.

The discussion recently gained attention after Chi Onwurah, chair of the UK Science, Innovation and Technology Select Committee, criticized Britain’s broader technology strategy and warned about growing dependence on a small group of major US technology companies. Her remarks pointed to reliance on providers such as Microsoft and Amazon Web Services, while also referencing Palantir Technologies because of its involvement in NHS and defence-related contracts. She also raised concerns about foreign-controlled technology supply chains supporting critical public infrastructure.

At the centre of the debate is the meaning of “digital sovereignty,” a term that is increasingly used by governments but often interpreted differently. In practical terms, sovereignty refers to a country maintaining legal authority and control over its citizens’ sensitive data, including where that information is processed, accessed, and governed. Experts argue that sovereign data should only fall under the jurisdiction of the nation to which it belongs, rather than being exposed to foreign legal systems or overseas regulatory reach.

The issue has become especially significant in the era of public cloud computing. Before large-scale cloud adoption, most government and enterprise data was stored and processed inside domestic datacentres, limiting both physical and remote access to national borders. While foreign software vendors occasionally required access for maintenance or support purposes, control over infrastructure largely remained local.

That model changed as governments and businesses increasingly adopted cloud services operated by US-headquartered providers. As organizations shifted toward subscription-based cloud platforms, concerns began emerging over whether sensitive national data could still be considered sovereign if it was processed through globally distributed infrastructure.

Much of the modern sovereignty debate intensified following the Schrems II ruling, a landmark European court decision that challenged how personal data could be transferred outside the EU to countries viewed as having weaker privacy protections. Since then, governments across Europe have pushed for tighter oversight of where data travels and who ultimately controls cloud infrastructure.

Although sovereignty concerns are often framed as a problem tied only to hyperscalers, industry analysts say the challenge is broader. Companies including IBM, Oracle Corporation, and Hewlett Packard Enterprise also face pressure to adapt their cloud and data processing models to meet stricter sovereignty expectations.

The debate has also been intensified by geopolitical tensions. European governments have become increasingly cautious about long-term dependence on foreign-owned digital infrastructure, particularly as cloud computing and artificial intelligence become more deeply connected to defence, healthcare, and public services. Analysts note that data infrastructure is now being viewed similarly to energy or telecommunications infrastructure: strategically important and politically sensitive.

Among the prominent providers, Microsoft was one of the earliest companies to experiment with sovereign cloud initiatives, including a dedicated German version of Microsoft 365. However, that model was eventually discontinued in 2022. Critics argue the company now faces greater difficulties adapting because many of its cloud services operate through highly interconnected global systems spread across more than 100 countries.

Questions around transparency have also created challenges. Reports previously indicated that Microsoft struggled to provide detailed information about certain data flows when requested by the Scottish Police Authority under data protection obligations. Investigative reporting from ProPublica also stated that US authorities encountered similar difficulties while attempting to evaluate Microsoft cloud services under FedRAMP certification requirements for government environments.

Additional scrutiny has emerged around Microsoft’s artificial intelligence infrastructure plans. The company had previously indicated that in-country AI processing capabilities for Copilot services in the UK would arrive by the end of 2025, though timelines have reportedly shifted into 2026. Some European customers are also expected to receive regional AI processing instead of fully sovereign national deployments.

Industry experts increasingly categorize sovereign cloud approaches into multiple levels. One common method involves creating “data boundaries,” where providers attempt to restrict where customer data is stored or processed while still operating under global cloud architectures. Critics argue this model may not fully satisfy stricter interpretations of sovereignty because some operational control can still remain overseas.

A second approach focuses on partnerships with local operators that manage sovereign services regionally. Amazon Web Services has promoted its European Sovereign Cloud initiative using this framework, arguing that the platform aligns with EU regulatory requirements. However, some analysts contend that EU-level governance is not the same as national sovereignty, particularly for non-EU countries such as the UK. Concerns have also been raised over whether US legislation, including the CLOUD Act, could still apply in certain circumstances.

Meanwhile, Google Cloud has attracted attention through its partnership with French defence and technology company Thales Group. Their joint venture, S3NS, is designed around France-specific sovereign infrastructure with air-gapped operations, meaning the systems can function independently without continuously communicating with external global networks for updates or validation checks.

Security specialists consider air-gapped architecture an important benchmark for sovereign cloud environments because it reduces reliance on foreign operational control. Google’s Distributed Cloud Air-Gapped platform is currently viewed by some analysts as one of the more mature sovereign cloud offerings available, despite still lacking some features present in its broader public cloud ecosystem.

The approach has already attracted major defence-related interest. France, NATO members, and the German military have all shown interest in sovereign infrastructure models, while the UK Ministry of Defence recently announced a £400 million contract spanning five years tied to these types of capabilities.

Competing alternatives are still evolving. AWS offers LocalStack-focused options largely aimed at development environments, while Microsoft’s disconnected Azure Local products have faced criticism from some analysts who argue the offerings remain less mature than competing sovereign platforms.

Despite rapid investment, experts say the sovereign cloud market is still in its early stages. Google’s France-based partnership model currently appears to offer one of the clearest examples of locally controlled hyperscale infrastructure, while AWS continues refining its European-focused model and Microsoft works through broader architectural and transparency challenges.

At the same time, the sovereignty movement may create new opportunities for regional cloud providers and domestic technology companies. However, analysts warn that building competitive sovereign infrastructure will require long-term investment, government support, and procurement strategies that allow interoperability between multiple vendors rather than locking public institutions into a single provider.

Many experts believe the future of sovereign technology infrastructure will likely depend on hybrid and partnership-driven models combining hyperscale cloud capabilities with locally managed operations. Supporters of the S3NS approach argue it offers an early blueprint for how global cloud providers and national operators could collaborate while still preserving local control over sensitive data and critical digital systems.

Read more »
TruffleHog
Amazon Web Services AWS Cyber Attacks TeamPCP TruffleHog

TruffleHog Targets European Commission, Breach Leaked Data of 30 EU Entities


The European Union Cybersecurity Service (CERT-EU) has linked the European Commission cloud breach to the TeamPCP gang. The breach leaked the information of 29 Union organizations.

The breach

The commission disclosed the attack on March 27, when Bleeping Computer confirmed the breach of the European Union’s primary executive body.

Recently, the European Commission informed CERT-EU about the breach, informing them that their Cybersecurity Operations was not warned about an API exploit, a possible account hack, or any malicious network traffic until March 24.

TeamPCP's attack tactic

In March, TeamPCP exploited a compromised AWS API key to manage rights over different Commission AWS accounts (hacked in the Trivy supply-chain breach).

After that, the gang deployed TruffleHog to look for more secrets, then added a new access key to an existing user to escape detection before doing more spying and data theft. 

In the past, TeamPCP has been known for supply-chain attacks targeting developer code forums like NPM, Docker, PyPi, and GitHub. The gang also attacked the LiteLLM PyPI package in a campaign that affected tens of thousands of devices via its “TeamPCP Cloud Stealer” data-stealing malware. 

ShinyHunters' role

Later, data extortion gang ShinyHunters posted the stolen data on their dark web leak site as a 90 GB archive of documents (around 340GB uncompressed), which includes email addresses, contacts, and email information. 

According to the CERT-EU analysis, hackers have stolen tens of thousands of documents; the leak affects around 42 internal European Commission clients and around 20 other Union firms. 

"The threat actor used the compromised AWS secret to exfiltrate data from the affected cloud environment. The exfiltrated data relates to websites hosted for up to 71 clients of the Europa web hosting service: 42 internal clients of the European Commission, and at least 29 other Union entities,” CERT-EU said. Regarding the dataset, CERT-EU said it also contained “at least 51,992 files related to outbound email communications, totalling 2.22 GB. The majority of these are automated notifications with little to no content. However, 'bounce-back' notifications, which are responses to incoming messages from users, may contain the original user-submitted content, posing a risk of personal data exposure."

The impact

No websites were taken offline or altered as a result of this attack, and no lateral movement to other Commission AWS accounts has been found, according to CERT-EU.

Although it would probably take "a considerable amount of time" to analyze the exfiltrated databases and information, the Commission has informed the appropriate data protection authorities and is in direct contact with the impacted organizations.

After learning that a mobile device management platform used to oversee employees' devices had been compromised, the European Commission revealed another data breach in February.

Read more »
enterprise cybersecurity
Attack Vectors AWS AWS security report Cyber Attacks data security Enterprise Cyber Risk enterprise cybersecurity

AWS Bedrock Security Risks Exposed as Researchers Identify Eight Key Attack Vectors

 

Unexpectedly, Amazon Web Services’ Bedrock - built for crafting AI-driven apps - is drawing sharper attention from cybersecurity experts. Several exploit routes have emerged, threatening to reveal corporate infrastructure. Although the system smooths links between artificial intelligence models and company software, such fluid access now raises alarms. Because convenience widens exposure, what helps operations may also invite intrusion.  

Eight ways into Bedrock setups emerge from XM Cyber’s analysis. Not the models but their access settings, setup choices, and linked tools draw attacker focus. Threats now bend toward structure gaps instead of core algorithms. How risks grow changes shape - seen here in surrounding layers, not beneath. 

What makes the risk stand out isn’t just technology - it’s how Bedrock links directly to systems like Salesforce, AWS Lambda, and Microsoft SharePoint. Because of these pathways, AI agents pull in confidential information while performing actions across business environments. Operation begins once integration takes hold, placing automated units at the heart of company workflows. 

A significant type of threat centers on altering logs. When attackers gain entry to storage platforms such as Amazon S3, they may collect confidential prompts - alternatively, reroute records to outside destinations, allowing unseen data transfers. Sometimes, erasing those logs follows, wiping evidence of wrongdoing entirely. 

Starting differently each time helps clarity. Access points through knowledge bases create serious risks. Using retrieval-augmented generation, Bedrock pulls information from places like cloud storage, internal databases, or SaaS tools. When hackers obtain entry to those systems - or the login details tied to them - they skip past the AI completely. Getting in this way lets them grab unfiltered company data. Movement across linked environments also becomes possible. 

Though designed to assist, AI agents may become entry points for compromise. When given broad access, bad actors might alter an agent's directives, link destructive modules, or slip corrupted scripts into backend systems. Such changes let them perform illicit operations - editing records or generating fake profiles - all while appearing like normal activity. What seems like automation could mask sabotage beneath routine tasks. One risk involves changing how workflows operate. 

When Bedrock Flows get modified, information may flow through harmful components instead of secure paths. In much the same way, tampering with safeguards - those filters meant to block unsafe content - opens doors to deceptive inputs. Without strong barriers, systems face higher chances of being tricked or misused. Prompt management systems tend to become vulnerable spots. Because templates move between apps, harmful directions might slip through - reshaping how AIs act broadly, without needing new deployments, which hides activity longer. 

Security teams worry most about small openings turning into big breaches. Though minimal, access might be enough for intruders to boost their permissions. One identity granted too much control could become a pathway inward. Instead of broad attacks, hackers exploit these narrow points deeply. They pull out sensitive information once inside. Control over AI systems may shift without warning. Cloud setups face risks just like local networks do. 

Although researchers highlight visibility across AI tasks, tight access rules shape secure Bedrock setups. Because machine learning tools now live inside core business software, defenses increasingly target system architecture instead of algorithm accuracy.
Read more »
LexisNexis
AWS Cloud Data Theft Cloud Infrastructure Threats Customer Data Exposed Data Breach Data protection data security Hacker attack LexisNexis

LexisNexis Confirms Data Breach After Hackers Exploit Unpatched React App

 

A breach at LexisNexis Legal & Professional exposed some customer and business data, the firm confirmed. News surfaced after FulcrumSec claimed responsibility and leaked about two gigabytes of files on underground platforms. Hackers accessed parts of the company’s systems, though the breach scope was limited. The American analytics provider confirmed the incident days later, stating only a small portion of its infrastructure was affected. 

The company said an outside actor gained access to a limited number of servers. LexisNexis Legal & Professional provides legal research, regulatory information, and analytics tools to lawyers, corporations, government agencies, and universities in more than 150 countries. According to the firm, most of the accessed information came from older systems and was not considered sensitive, which reduced the potential impact.  

Internal findings showed that much of the exposed data originated from legacy systems storing information created before 2020. Records included customer names, user IDs, and business contact details. Some files contained product usage information and logs from past support tickets, including IP addresses from survey responses. However, sensitive personal identifiers such as Social Security numbers or driver’s license data were not included. Financial information, active passwords, search queries, and confidential client case data were also not part of the compromised dataset. 

The breach reportedly occurred around February 24 after attackers exploited the React2Shell vulnerability in an outdated front-end application built with React. The flaw allowed entry into cloud resources hosted on Amazon Web Services before it was addressed. 

While LexisNexis described the affected systems as containing mostly obsolete data, FulcrumSec claimed the intrusion was broader. The group said it extracted about 2.04GB of structured data from the company’s cloud infrastructure, including numerous database tables, millions of records, and internal system configurations. According to the attacker, the breach exposed more than 21,000 customer accounts and information linked to over 400,000 cloud user profiles, including names, email addresses, phone numbers, and job roles. 

Some of the records reportedly belonged to individuals with .gov email addresses, including U.S. government employees, federal judges and law clerks, Department of Justice attorneys, and staff connected to the Securities and Exchange Commission. FulcrumSec also criticized the company’s cloud security setup, alleging that a single ECS task role had access to numerous stored secrets, including credentials linked to production databases. The group said it attempted to contact the company but claimed no cooperation occurred. 

LexisNexis stated that the breach has been contained and confirmed that its products and customer-facing services were not affected. The company notified law enforcement and engaged external cybersecurity experts to assist with investigation and response. Customers, both current and former, have also been informed about the incident. The company had disclosed another breach last year after a compromised corporate account exposed data belonging to roughly 364,000 customers. 

The latest case highlights how vulnerabilities in cloud applications and outdated software can expose enterprise systems even when they contain primarily legacy information.
Read more »
Malicious Codes
AWS AWS Hijacking Cyber Attacks Cyber flaws cybersecurity risks GitHub Hacker attack Malicious Codes

AWS CodeBuild Misconfiguration Could Have Enabled Full GitHub Repository Takeover

 

One mistake in how Amazon Web Services set up its CodeBuild tool might have let hackers grab control of official AWS GitHub accounts. That access could spill into more parts of AWS, opening doors for wide-reaching attacks on software supplies. Cloud security team Wiz found the weak spot and called it CodeBreach. They told AWS about it on August 25, 2025. Fixes arrived by September that year. Experts say key pieces inside AWS were at stake - like the popular JavaScript SDK developers rely on every day. 

Into trusted repositories, attackers might have slipped harmful code thanks to CodeBreach, said Wiz team members Yuval Avrahami and Nir Ohfeld. If exploited, many apps using AWS SDKs could face consequences - possibly even disruptions in how the AWS Console functions or risks within user setups. Not a bug inside CodeBuild caused this, but gaps found deeper in automated build processes. These weak spots lived where tools merge and deploy code automatically. 

Something went wrong because the webhook filters had been set up incorrectly. They’re supposed to decide which GitHub actions get permission to start CodeBuild tasks. Only certain people or selected branches should be allowed through, keeping unsafe code changes out of high-access areas. But in a few open-source projects run by AWS, the rules meant to check user IDs didn’t work right. The patterns written to match those users failed at their job. 

Notably, some repositories used regex patterns missing boundary markers at beginning or end, leading to incomplete matches rather than full validation. This gap meant a GitHub user identifier only needed to include an authorized maintainer's number within a larger sequence to slip through. Because GitHub hands out IDs in order, those at Wiz showed how likely it became for upcoming identifiers to accidentally align with known legitimate ones. 

Ahead of any manual effort, bots made it possible to spam GitHub App setups nonstop. One after another, these fake apps rolled out - just waiting for a specific ID pattern to slip through broken checks. When the right match appeared, everything changed quietly. A hidden workflow fired up inside CodeBuild, pulled from what should have stayed locked down. Secrets spilled into logs nobody monitored closely. For aws-sdk-js-v3, that leak handed total control away - tied straight to a powerful token meant to stay private. If hackers gained that much control, they might slip harmful code into secure branches without warning. 

Malicious changes could get approved through rigged pull requests, while hidden data stored in the repo gets quietly pulled out. Once inside, corrupted updates might travel unnoticed through trusted AWS libraries to users relying on them. AWS eventually confirmed some repos lacked tight webhook checks. Still, they noted only certain setups were exposed. 

Now fixed, Amazon says it adjusted those flawed settings. Exposed keys were swapped out, safeguards tightened around building software. Evidence shows CodeBreach wasn’t used by attackers, the firm added. Yet specialists warn - small gaps in automated pipelines might lead to big problems down the line. Now worries grow around CI/CD safety, a new report adds fuel. 

Lately, studies have revealed that poorly set up GitHub Actions might spill sensitive tokens. This mistake lets hackers gain higher permissions in large open-source efforts. What we’re seeing shows tighter checks matter. Running on minimal needed access helps too. How unknown data is processed in builds turns out to be critical. Each step shapes whether systems stay secure.
Read more »
Russia
Amazon AWS Cloud Security Credential Theft Cyber Attacks GRU Russia

Amazon Says It Has Disrupted GRU-Linked Cyber Operations Targeting Cloud Customers

 



Amazon has announced that its threat intelligence division has intervened in ongoing cyber operations attributed to hackers associated with Russia’s foreign military intelligence service, the GRU. The activity targeted organizations using Amazon’s cloud infrastructure, with attackers attempting to gain unauthorized access to customer-managed systems.

The company reported that the malicious campaign dates back to 2021 and largely concentrated on Western critical infrastructure. Within this scope, energy-related organizations were among the most frequently targeted sectors, indicating a strategic focus on high-impact industries.

Amazon’s investigation shows that the attackers initially relied on exploiting security weaknesses to break into networks. Over multiple years, they used a combination of newly discovered flaws and already known vulnerabilities in enterprise technologies, including security appliances, collaboration software, and data protection platforms. These weaknesses served as their primary entry points.

As the campaign progressed, the attackers adjusted their approach. By 2025, Amazon observed a reduced reliance on vulnerability exploitation. Instead, the group increasingly targeted customer network edge devices that were incorrectly configured. These included enterprise routers, VPN gateways, network management systems, collaboration tools, and cloud-based project management platforms.

Devices with exposed administrative interfaces or weak security controls became easy targets. By exploiting configuration errors rather than software flaws, the attackers achieved the same long-term goals: maintaining persistent access to critical networks and collecting login credentials for later use.

Amazon noted that this shift reflects a change in operational focus rather than intent. While misconfiguration abuse has been observed since at least 2022, the sustained emphasis on this tactic in 2025 suggests the attackers deliberately scaled back efforts to exploit zero-day and known vulnerabilities. Despite this evolution, their core objectives remained unchanged: credential theft and quiet movement within victim environments using minimal resources and low visibility.

Based on overlapping infrastructure and targeting similarities with previously identified threat groups, Amazon assessed with high confidence that the activity is linked to GRU-associated hackers. The company believes one subgroup, previously identified by external researchers, may be responsible for actions taken after initial compromise as part of a broader, multi-unit campaign.

Although Amazon did not directly observe how data was extracted, forensic evidence suggests passive network monitoring techniques were used. Indicators included delays between initial device compromise and credential usage, as well as unauthorized reuse of legitimate organizational credentials.

The compromised systems were customer-controlled network appliances running on Amazon EC2 instances. Amazon emphasized that no vulnerabilities in AWS services themselves were exploited during these attacks.

Once the activity was detected, Amazon moved to secure affected instances, alerted impacted customers, and shared intelligence with relevant vendors and industry partners. The company stated that coordinated action helped disrupt the attackers’ operations and limit further exposure.

Amazon also released a list of internet addresses linked to the activity but cautioned organizations against blocking them without proper analysis, as they belong to legitimate systems that had been hijacked.

To mitigate similar threats, Amazon recommended immediate steps such as auditing network device configurations, monitoring for credential replay, and closely tracking access to administrative portals. For AWS users, additional measures include isolating management interfaces, tightening security group rules, and enabling monitoring tools like CloudTrail, GuardDuty, and VPC Flow Logs.

Read more »
Vulnerability Exploits
AWS Cloud Outage Risks Cyber Threats DDOS Attacks Firmware Security IOT Security malware Mirai Network Defense ShadowV2 Botnet Vulnerability Exploits

ShadowV2 Botnet Activity Quietly Intensified During AWS Outage

 


The recently discovered wave of malicious activity has raised fresh concerns for cybersecurity analysts, who claim that ShadowV2 - a fast-evolving strain of malware that is quietly assembling a global network of compromised devices - is quietly causing alarm. It appears that the operation is based heavily upon Mirai's source code and is much more deliberate and calculated than previous variants. The operation is spread across more than 20 countries. 

Moreover, ShadowV2 has been determined to have been created by actors exploiting widespread misconfigurations in everyday Internet of Things hardware. This is an increasingly common weakness in modern digital ecosystems and it is aimed at building a resilient, stealthy, and scaleable botnet. The campaign was discovered by FortiGuard Labs during the Amazon Web Services disruption in late October, which the operators appeared to have been using to cover up their activity. 

During the outage, the malware spiked in activity, an activity investigators interpret to be the result of a controlled test run rather than an opportunistic attack, according to the report. During its analysis of devices from DDWRT (CVE-2009-2765), D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), DigiEver (CVE-2023-52163), TBK (CVE-2024-3721), TP-Link (CVE-2024-53375), and DigiEver (CVE-2024-53375), ShadowV2 was observed exploiting a wide range of CVE-2024-53375. 

A campaign’s ability to reach out across industries and geographies, coupled with its precise use of IoT flaws, is indicative of a maturing cybercriminal ecosystem, according to experts. This ecosystem is becoming increasingly adept at leveraging consumer-grade technology to stage sophisticated and coordinated attacks in the future. 

ShadowV2 exploited a variety of vulnerabilities that have been identified for a long time in IoT security, particularly in devices that have already been retired by manufacturers. This report, which is based on a research project conducted by NetSecFish, identified a number of vulnerabilities that could be affecting D-Link products that are at the end of their life cycle. 

The most concerning issue is CVE-2024-10914, which is a command-injection flaw affecting end-of-life D-Link products. In November 2024, a related issue, CVE-2024-10915, was found by researchers in a report published by NetSecFish. However, after finding no advisory, D-Link later confirmed that the affected devices had reached end of support and were unpatched. 

The vendor responded to inquiries by updating an existing bulletin to include the newly assigned CVE and issuing a further announcement that has directly related to the ShadowV2 campaign, reminding customers that outdated hardware will no longer receive security updates or maintenance, and that security updates will not be provided on them anymore. 

During the same period, a vulnerability exploited by the botnet, CVE-2024-53375, was revealed. This vulnerability has been reported to have been resolved through a beta firmware update. Considering that all of these lapses are occurring together, they serve as an excellent illustration of the fact that aging consumer devices continue to serve as a fertile ground for large-scale malicious operations long after support has ended, as many of these devices are left running even after support has ended. 

Based on the analysis of the campaign, it seems as though ShadowV2's operators use a familiar yet effective distribution chain to spread its popularity and reach as widely as possible. By exploiting a range of vulnerable IoT vulnerabilities, the attackers are able to download a software program known as binary.sh, which is located at 81[.]88[.]18[.]108, which is the command server's location. As soon as the script is executed, it fetches the ShadowV2 payload - every sample is identified by the Shadow prefix - which is similar to the well-known Mirai offshoot LZRD in many ways.

A recent study examining the x86-64 build of the malware, shadow.x86_64, has found that the malware initializes its configuration and attack routines by encoding them using a light-weight XOR-encoding algorithm, encrypting them with one byte (0x22) to protect file system paths, HTTP headers, and User-Agent strings using a single byte key. 

As soon as these parameters are decoded, the bot connects with its command-and-control server, where it waits for instructions on how to launch distributed denial-of-service attacks. While aesthetically modest in nature, this streamlined design is a reflection of a disciplined and purpose-built approach which makes it easy for deployment across diverse hardware systems without attracting attention right away. 

According to Fortinet, a deeper analysis of the malware—which uses XOR capabilities to encrypt configuration data and compact binaries—underscores that ShadowV2 shares many of the same features as the LZRD strain derived from Mirai. This allows ShadowV2 to minimize its visibility on compromised systems in a similar fashion. 

An infection sequence that has been observed across multiple incidents follows a consistent pattern: attackers are the ones who break into a vulnerable device, then they download the ShadowV2 payload via 81[.]88[.]18[.]108, and then they proceed to install it. The malware connects to its command server at silverpath[.]shadowstresser[.]info immediately after it has been installed, allowing it to be part of a distributed network geared towards coordinated attacks. 

Once installed, the malware immediately resides on the compromised device. In addition to supporting a wide range of DDoS techniques, including UDP, TCP, and HTTP, the botnet is well suited for high-volume denial-of-service operations, including those associated with for-hire DDoS services, criminal extortion, and targeted disruption campaigns. 

Researchers claim that ShadowV2's initial activity window may have been purposefully chosen to be the right time to conduct its initial operations. It is perfectly possible to test botnets at an early stage in the early stages of their development during major outages, such as the AWS disruption of late October, as sudden traffic irregularities are easily blended into the broader instability of the service. 

By targeting both consumer-grade and enterprise-grade IoT systems, operators seem to be building an attack fabric that is flexible and geographically diffuse, and capable of scaling rapidly, even in times of overwhelming defensive measures. While the observation was brief, analysts believe that it served as a controlled proof-of-concept that could be used to determine if a more expansive or destructive return could occur as a result of future widespread outages or high-profile international events. 

Fortinet has issued a warning for consumers and organizations to strengthen their defenses before similar operations occur in the future, in light of the implications of the campaign. In addition to installing the latest firmware on all supported IoT and networking devices, the company emphasizes the importance of decommissioning any end-of-life D-Link or other vendor devices, as well as preventing unnecessary internet-exposed features such as remote management and UPnP, to name just a few. 

Additionally, IoT hardware should be isolated within segmented networks, outbound traffic and DNS queries are monitored for anomalies, and strong, unique passwords should be enforced across all interfaces of all connected devices. As a whole, these measures aim to reduce the attack surface that has enabled the rapid emergence of IoT-driven botnets such as ShadowV2 to flourish. 

As for ShadowV2's activity, it has only been limited to the short window of the Amazon Web Services outage, but researchers stress that it should act as a timely reminder of the fragile state of global IoT security at the moment. During the campaign, it is stressed that the continued importance of protecting internet-connected devices, updating firmware regularly, and monitoring network activity for unfamiliar or high-volume traffic patterns that may signal an early compromise of those devices has been underscored. 

Defendants will benefit from an extensive set of indicators of compromise that Fortinet has released in order to assist them with proactive threat hunting, further supporting what researcher Li has described as an ongoing reality in cybersecurity: IoT hardware remains one of the most vulnerable entry points for cybercriminals. When ShadowV2 emerged, there was an even greater sense of concern when Microsoft disclosed just days later, days after its suspected test run, that Azure had been able to defend against what they called the largest cloud-based DDoS attack ever recorded. 

As a result of this attack, attributed to the Aisuru botnet, an unprecedented 15.72 Tbps was reached, resulting in nearly 3.64 billion packets per second being delivered. Despite the attack, Microsoft reported that it had successfully been absorbed by its cloud DDoS protection systems on October 24, thus preventing any disruptions to customer workflows. 

Analysts suggest that the timing of the two incidents indicates a rapidly intensifying threat landscape in which adversaries are increasingly preparing to launch large-scale attacks, often without much advance notice. Analysts are pointing out that the ShadowV2 incident is not merely an isolated event, but should also be considered a preview of what a more volatile era of botnet-driven disruption might look like once the dust settles on these consecutive warning shots. 

Due to the convergence of aging consumer hardware and incomplete patch ecosystems, as well as the increasing sophistication of adversaries, an overlooked device can become a launchpad for global-scale attacks as a result of this emergence. According to experts, real resilience will require more than reactive patching: settings that embed sustained visibility into their networks, enforcing strict asset lifecycle management, and incorporating architectures that limit the blast radius of inevitable compromises are all priorities that need to be addressed. 

Consumers also play a crucial role in preventing botnets from spreading by replacing unsupported devices, enabling automatic updates, and regularly reviewing router and Internet-of-Things configurations, which collectively help to reduce the number of vulnerable nodes available to botnets. 

In the face of attacks that demonstrate a clear willingness to demonstrate their capabilities during times of widespread disruption, cybersecurity experts warn that proactive preparedness must replace event-based preparedness as soon as possible. As they argue, the ShadowV2 incident serves as a timely reminder that strengthening the foundations of IoT security today is crucial to preventing much more disruptive campaigns from unfolding tomorrow.
Read more »
internet outage
Amazon AWS Cyber incidents Cyber Outage Cyber Security E-commerce Websites Compromised internet outage

AWS Apologizes for Massive Outage That Disrupted Major Platforms Worldwide

 

Amazon Web Services (AWS) has issued an apology to customers following a widespread outage on October 20 that brought down more than a thousand websites and services globally. The disruption affected major platforms including Snapchat, Reddit, Lloyds Bank, Venmo, and several gaming and payment applications, underscoring the heavy dependence of the modern internet on a few dominant cloud providers. The outage originated in AWS’s North Virginia region (US-EAST-1), which powers a significant portion of global online infrastructure. 

According to Amazon’s official statement, the outage stemmed from internal errors that prevented systems from properly linking domain names to the IP addresses required to locate them. This technical fault caused a cascade of connectivity failures across multiple services. “We apologize for the impact this event caused our customers,” AWS said. “We know how critical our services are to our customers, their applications, and their businesses. We are committed to learning from this and improving our availability.”

While some platforms like Fortnite and Roblox recovered within a few hours, others faced extended downtime. Lloyds Bank customers, for instance, reported continued access issues well into the afternoon. Similarly, services like Reddit and Venmo were affected for longer durations. The outage even extended to connected devices such as Eight Sleep’s smart mattresses, which rely on internet access to adjust temperature and elevation. 

The company stated it would work to make its systems more resilient after some users reported overheating or malfunctioning devices during the outage. AWS’s detailed incident summary attributed the issue to a “latent race condition” in the systems managing the Domain Name System (DNS) records in the affected region. Essentially, one of the automated processes responsible for maintaining synchronization between critical database systems malfunctioned, triggering a chain reaction that disrupted multiple dependent services. Because many of AWS’s internal processes are automated, the problem propagated without human intervention until it was detected and mitigated. 

Dr. Junade Ali, a software engineer and fellow at the Institute for Engineering and Technology, explained that “faulty automation” was central to the failure. He noted that the internal “address book” system in the region broke down, preventing key infrastructure components from locating each other. “This incident demonstrates how businesses relying on a single cloud provider remain vulnerable to regional failures,” Dr. Ali added, emphasizing the importance of diversifying cloud service providers to improve resilience. 

The event once again highlights the concentration of digital infrastructure within a few dominant providers, primarily AWS and Microsoft Azure. Experts warn that such dependency increases systemic risk, as disruptions in one region can have global ripple effects. Amazon has stated that it will take measures to strengthen fault detection, introduce greater redundancy, and enhance the reliability of automated processes in its network. 

As the world grows increasingly reliant on cloud computing, the AWS outage serves as a critical reminder of the fragility of internet infrastructure and the urgent need for redundancy and diversification.
Read more »
Signal
AWS communication Data Decentralised Platform Matrix Outage Privacy Signal

AWS Outage Exposes the Fragility of Centralized Messaging Platforms




A recently recorded outage at Amazon Web Services (AWS) disrupted several major online services worldwide, including privacy-focused communication apps such as Signal. The event has sparked renewed discussion about the risks of depending on centralized systems for critical digital communication.

Signal is known globally for its strong encryption and commitment to privacy. However, its centralized structure means that all its operations rely on servers located within a single jurisdiction and primarily managed by one cloud provider. When that infrastructure fails, the app’s global availability is affected at once. This incident has demonstrated that even highly secure applications can experience disruption if they depend on a single service provider.

According to experts working on decentralized communication technology, this kind of breakdown reveals a fundamental flaw in the way most modern communication apps are built. They argue that centralization makes systems easier to control but also easier to compromise. If the central infrastructure goes offline, every user connected to it is impacted simultaneously.

Developers behind the Matrix protocol, an open-source network for decentralized communication, have long emphasized the need for more resilient systems. They explain that Matrix allows users to communicate without relying entirely on the internet or on a single server. Instead, the protocol enables anyone to host their own server or connect through smaller, distributed networks. This decentralization offers users more control over their data and ensures communication can continue even if a major provider like AWS faces an outage.

The first platform built on Matrix, Element, was launched in 2016 by a UK-based team with the aim of offering encrypted communication for both individuals and institutions. For years, Element’s primary focus was to help governments and organizations secure their communication systems. This focus allowed the project to achieve financial stability while developing sustainable, privacy-preserving technologies.

Now, with growing support and new investments, the developers behind Matrix are working toward expanding the technology for broader public use. Recent funding from European institutions has been directed toward developing peer-to-peer and mesh network communication, which could allow users to exchange messages without relying on centralized servers or continuous internet connectivity. These networks create direct device-to-device links, potentially keeping users connected during internet blackouts or technical failures.

Mesh-based communication is not a new idea. Previous applications like FireChat allowed people to send messages through Bluetooth or Wi-Fi Direct during times when the internet was restricted. The concept gained popularity during civil movements where traditional communication channels were limited. More recently, other developers have experimented with similar models, exploring ways to make decentralized communication more user-friendly and accessible.

While decentralized systems bring clear advantages in terms of resilience and independence, they also face challenges. Running individual servers or maintaining peer-to-peer networks can be complex, requiring technical knowledge that many everyday users might not have. Developers acknowledge that reaching mainstream adoption will depend on simplifying these systems so they work as seamlessly as centralized apps.

Other privacy-focused technology leaders have also noted the implications of the AWS outage. They argue that relying on infrastructure concentrated within a few major U.S. providers poses strategic and privacy risks, especially for regions like Europe that aim to maintain digital autonomy. Building independent, regionally controlled cloud and communication systems is increasingly being seen as a necessary step toward safeguarding user privacy and operational security.

The recent AWS disruption serves as a clear warning. Centralized systems, no matter how secure, remain vulnerable to large-scale failures. As the digital world continues to depend heavily on cloud-based infrastructure, developing decentralized and distributed alternatives may be key to ensuring communication remains secure, private, and resilient in the face of future outages.


Read more »
Internet
AWS Business Cyber Security Global IT Outage Government Internet

The Fragile Internet: How Small Failures Trigger Global Outages






The modern internet, though vast and advanced, remains surprisingly delicate. A minor technical fault or human error can disrupt millions of users worldwide, revealing how dependent our lives have become on digital systems.

On October 20, 2025, a technical error in a database service operated by Amazon Web Services (AWS) caused widespread outages across several online platforms. AWS, one of the largest cloud computing providers globally, hosts the infrastructure behind thousands of popular websites and apps. As a result, users found services such as Roblox, Fortnite, Pokémon Go, Snapchat, Slack, and multiple banking platforms temporarily inaccessible. The incident showed how a single malfunction in a key cloud system can paralyze numerous organizations at once.

Such disruptions are not new. In July 2024, a faulty software update from cybersecurity company CrowdStrike crashed around 8.5 million Windows computers globally, producing the infamous “blue screen of death.” Airlines had to cancel tens of thousands of flights, hospitals postponed surgeries, and emergency services across the United States faced interruptions. Businesses reverted to manual operations, with some even switching to cash transactions. The event became a global lesson in how a single rushed software update can cripple essential infrastructure.

History provides many similar warnings. In 1997, a technical glitch at Network Solutions Inc., a major domain registrar, temporarily disabled every website ending in “.com” and “.net.” Though the number of websites was smaller then, the event marked the first large-scale internet failure, showing how dependent the digital world had already become on centralized systems.

Some outages, however, have stemmed from physical damage. In 2011, an elderly woman in Georgia accidentally cut through a fiber-optic cable while scavenging for copper, disconnecting the entire nation of Armenia from the internet. The incident exposed how a single damaged cable could isolate millions of users. Similarly, in 2017, a construction vehicle in South Africa severed a key line, knocking Zimbabwe offline for hours. Even undersea cables face threats, with sharks and other marine life occasionally biting through them, forcing companies like Google to reinforce cables with protective materials.

In 2022, Canada witnessed one of its largest connectivity failures when telecom provider Rogers Communications experienced a system breakdown that halted internet and phone services for roughly a quarter of the country. Emergency calls, hospital appointments, and digital payments were affected nationwide, highlighting the deep societal consequences of a single network failure.

Experts warn that such events will keep occurring. As networks grow more interconnected, even a small mistake or single-point failure can spread rapidly. Cybersecurity analysts emphasize the need for stronger redundancy, slower software rollouts, and diversified cloud dependencies to prevent global disruptions.

The internet connects nearly every part of modern life, yet these incidents remind us that it remains vulnerable. Whether caused by human error, faulty code, or damaged cables, the web’s fragility shows why constant vigilance, better infrastructure planning, and verified information are essential to keeping the world online.



Read more »
Technology
Amazon AWS DNS Downdetector Online Banking Technology

Amazon resolves major AWS outage that disrupted apps, websites, and banks globally



 


A widespread disruption at Amazon Web Services (AWS) on Monday caused several high-profile apps, websites, and banking platforms to go offline for hours before the issue was finally resolved later in the night. The outage, which affected one of Amazon’s main cloud regions in the United States, drew attention to how heavily the global digital infrastructure depends on a few large cloud service providers.

According to Amazon’s official update, the problem stemmed from a technical fault in its Domain Name System (DNS) — a core internet function that translates website names into numerical addresses that computers can read. When the DNS experiences interruptions, browsers and applications lose their ability to locate and connect with servers, causing widespread loading failures. The company confirmed the issue affected its DynamoDB API endpoint in the US-EAST-1 region, one of its busiest hubs.

The first reports of disruptions appeared around 7:00 a.m. BST on Monday, when users began facing difficulties accessing multiple platforms. As the issue spread, users of services such as Snapchat, Fortnite, and Duolingo were unable to log in or perform basic functions. Several banking websites, including Lloyds and Halifax, also reported temporary connectivity problems.

The outage quickly escalated to a global scale. According to the monitoring website Downdetector, more than 11 million user complaints were recorded throughout the day, an unprecedented figure that reflected the magnitude of the disruption. Early in the incident, Downdetector noted over four million reports from more than 500 affected platforms within just a few hours, which was more than double its usual weekday average.

AWS engineers worked through the day to isolate the source of the issue and restore affected systems. To stabilize its network, Amazon temporarily limited some internal operations to prevent further cascading failures. By 11:00 p.m. BST, the company announced that all services had “returned to normal operations.”

Experts said the incident underlined the vulnerabilities of an increasingly centralized internet. Professor Alan Woodward of the University of Surrey explained that modern online systems are highly interdependent, meaning that an error within one major provider can ripple across numerous unrelated services. “Even small technical mistakes can trigger large-scale failures,” he said, pointing out how human or software missteps in one corner of the infrastructure can have global consequences.

Professor Mike Chapple from the University of Notre Dame compared the recovery process to restoring electricity after a large power outage. He said the system might “flicker” several times as engineers fix underlying causes and bring services gradually back online.

Industry observers say such incidents reflect a growing systemic risk within the cloud computing sector, which is dominated by a handful of major firms such as Amazon, Microsoft, and Google collectively controlling nearly 70% of the market. Cori Crider, director of the Future of Technology Institute, described the current model as “unsustainable,” warning that heavy reliance on a few global companies poses economic and security risks for nations and organizations alike.

Other experts suggested that responsibility also lies with companies using these services. Ken Birman, a computer science professor at Cornell University, noted that many organizations fail to develop backup mechanisms to keep essential applications online during provider outages. “We already know how to build more resilient systems,” he said. “The challenge is that many businesses still rely entirely on their cloud providers instead of investing in redundancy.”

Although AWS has not released a detailed technical report yet, its preliminary statement confirmed that the outage originated from a DNS-related fault within its DynamoDB service. The incident, though resolved, highlights a growing concern within the cybersecurity community: as dependence on cloud computing deepens, so does the scale of disruption when a single provider experiences a failure.


Read more »
Salesloft
AWS Data Breach Developers GitHub organizations Salesloft

Salesloft Hack Shows How Developer Breaches Can Spread

 



Salesloft, a popular sales engagement platform, has revealed that a breach of its GitHub environment earlier this year played a key role in a recent wave of data theft attacks targeting Salesforce customers.

The company explained that attackers gained access to its GitHub repositories between March and June 2025. During this time, intruders downloaded code, added unauthorized accounts, and created rogue workflows. These actions gave them a foothold that was later used to compromise Drift, Salesloft’s conversational marketing product. Drift integrates with major platforms such as Salesforce and Google Workspace, enabling businesses to automate chat interactions and sales pipelines.


How the breach unfolded

Investigators from cybersecurity firm Mandiant, who were brought in to assist Salesloft, found that the GitHub compromise was the first step in a multi-stage campaign. After the attackers established persistence, they moved into Drift’s cloud infrastructure hosted on Amazon Web Services (AWS). From there, they stole OAuth tokens, digital keys that allow applications to access user accounts without requiring passwords.

These stolen tokens were then exploited in August to infiltrate Salesforce environments belonging to multiple organizations. By abusing the access tokens, attackers were able to view and extract customer support cases. Many of these records contained sensitive information such as cloud service credentials, authentication tokens, and even Snowflake-related access keys.


Impact on organizations

The theft of Salesforce data affected a wide range of technology companies. Attackers specifically sought credentials and secrets that could be reused to gain further access into enterprise systems. According to Salesloft’s August 26 update, the campaign’s primary goal was credential theft rather than direct financial fraud.

Threat intelligence groups have tracked this operation under the identifier UNC6395. Meanwhile, reports also suggest links to known cybercrime groups, although conclusive attribution remains unsettled.


Response and recovery

Salesloft said it has since rotated credentials, hardened its defenses, and isolated Drift’s infrastructure to prevent further abuse. Mandiant confirmed that containment steps have been effective, with no evidence that attackers maintain ongoing access. Current efforts are focused on forensic review and long-term assurance.

Following weeks of precautionary suspensions, Salesloft has now restored its Salesforce integrations. The company has also published detailed instructions to help customers safely resume data synchronization.

The incident underlines the risks of supply-chain style attacks, where a compromise at one service provider can cascade into breaches at many of its customers. It underscores the importance of securing developer accounts, closely monitoring access tokens, and limiting sensitive data shared in support cases.

For organizations, best practices now include regularly rotating OAuth tokens, auditing third-party app permissions, and enforcing stronger segmentation between critical systems.


Read more »
Software
API Keys AWS Cyber Attacks Salesloft Software

Salesloft Integration Breach Exposes Salesforce Customer Data


 

A recent cyber incident has brought to light how one weak link in software integrations can expose sensitive business information. Salesloft, a sales automation platform, confirmed that attackers exploited its Drift chat integration with Salesforce to steal tokens that granted access to customer environments.

Between August 8 and August 18, 2025, threat actors obtained OAuth and refresh tokens connected to the Drift–Salesforce integration. These tokens work like digital keys, allowing connected apps to access Salesforce data without repeatedly asking for passwords. Once stolen, the tokens were used to log into Salesforce accounts and extract confidential data.

According to Salesloft, the attackers specifically searched for credentials such as Amazon Web Services (AWS) keys, Snowflake access tokens, and internal passwords. The company said the breach only impacted customers who used the Drift–Salesforce connection, while other integrations were unaffected. As a precaution, all tokens for this integration were revoked, forcing customers to reauthenticate before continuing use.

Google’s Threat Intelligence team, which is monitoring the attackers under the name UNC6395, reported that the group issued queries inside Salesforce to collect sensitive details hidden in support cases. These included login credentials, API keys, and cloud access tokens. Investigators noted that while the attackers tried to cover their tracks by deleting query jobs, the activity still appears in Salesforce logs.

To disguise their operations, the hackers used anonymizing tools like Tor and commercial hosting services. Google also identified user-agent strings and IP addresses linked to the attack, which organizations can use to check their logs for signs of compromise.

Security experts are urging affected administrators to rotate credentials immediately, review Salesforce logs for unusual queries, and search for leaked secrets by scanning for terms such as “AKIA” (used in AWS keys), “Snowflake,” “password,” or “secret.” They also recommend tightening access controls on third-party apps, limiting token permissions, and shortening session times to reduce future risk.

While some extortion groups have publicly claimed responsibility for the attack, Google stated there is no clear evidence tying them to this breach. The investigation is still ongoing, and attribution remains uncertain.

This incident underlines the broader risks of SaaS integrations. Connected apps are often given high levels of access to critical business platforms. If those credentials are compromised, attackers can bypass normal login protections and move deeper into company systems. As businesses continue relying on cloud applications, stronger governance of integrations and closer monitoring of token use are becoming essential.




Read more »
GitHub Advanced Security
AWS Cloud Security Critical Infrastructure Customer Data Cyberattack Data Breach Data Safety User Data data security GitHub GitHub Advanced Security

Massive Cyberattack Disrupts KiranaPro’s Operations, Erases Servers and User Data


KiranaPro, a voice-powered quick commerce startup connected with India’s Open Network for Digital Commerce (ONDC), has been hit by a devastating cyberattack that completely crippled its backend infrastructure. The breach, which occurred over the span of May 24–25, led to the deletion of key servers and customer data, effectively halting all order processing on the platform. Despite the app still being live, it is currently non-functional, unable to serve users or fulfill orders. 


Company CEO Deepak Ravindran confirmed the attack, revealing that both their Amazon Web Services (AWS) and GitHub systems had been compromised. As a result, all cloud-based virtual machines were erased, along with personally identifiable information such as customer names, payment details, and delivery addresses. The breach was only discovered on May 26, when the team found themselves locked out of AWS’s root account. Chief Technology Officer Saurav Kumar explained that while they retained access through IAM (Identity and Access Management), the primary cloud environment had already been dismantled. 

Investigations suggest that the initial access may have been gained through an account associated with a former team member, although the company has yet to confirm the source of the breach. To complicate matters, the team’s multi-factor authentication (MFA), powered by Google Authenticator, failed during recovery attempts—raising questions about whether the attackers had also tampered with MFA settings. 

Founded in late 2024, KiranaPro operates across 50 Indian cities and allows customers to order groceries from local kirana shops using voice commands in multiple languages including Hindi, Tamil, Malayalam, and English. Before the cyberattack, the platform served approximately 2,000 orders daily from a user base of over 55,000 and was preparing for a major rollout to double its footprint across 100 cities. 

Following the breach, KiranaPro has contacted GitHub for assistance in identifying IP addresses linked to the intrusion and has initiated legal action against ex-employees accused of withholding account credentials. However, no final evidence has been released to the public about the precise origin or nature of the attack. 

The startup, backed by notable investors such as Blume Ventures, Snow Leopard Ventures, and TurboStart, had recently made headlines for acquiring AR startup Likeo in a $1 million stock-based deal. High-profile individual investors include Olympic medalist P.V. Sindhu and Boston Consulting Group’s Vikas Taneja. 

Speaking recently to The Indian Dream Magazine, Ravindran had laid out ambitious plans to turn India’s millions of kirana stores into a tech-enabled delivery network powered by voice AI and ONDC. International expansion, starting with Dubai, was also on the horizon—plans now put on hold due to this security incident. 

This breach underscores how even tech-forward startups are vulnerable when cybersecurity governance doesn’t keep pace with scale. As KiranaPro works to recover, the incident serves as a wake-up call for cloud-native businesses managing sensitive data.
Read more »
Mailchimp
API Key AWS Cyber Security LLM Mailchimp

Private API Keys and Passwords Discovered in a Popular AI Training dataset

 

The Common Crawl dataset, which is used to train several artificial intelligence models, has over 12,000 legitimate secrets, including API keys and passwords. The Common Crawl non-profit organisation maintains a vast open-source archive of petabytes of web data collected since 2008, which is free to use. 

Because of the huge dataset, various artificial intelligence initiatives, including OpenAI, DeepSeek, Google, Meta, Anthropic, and Stability, may rely on the digital archive to train large language models (LLMs).

Truffle Security researchers discovered legitimate secrets after scanning 400 terabytes of data from 2.67 billion web pages in the Common Crawl December 2024 database. They uncovered 11,908 secrets that were successfully authenticated and were hardcoded by developers, highlighting that LLMs could be trained on insecure code.

It should be noted that LLM training data is not used in its raw form; instead, it is cleaned and filtered to remove extraneous content such as useless data, duplicate, malicious, or sensitive data. Despite these efforts, removing confidential data is challenging, and the method does not guarantee that all personally identifiable information (PII), financial data, medical records, and other sensitive content will be erased from the huge dataset. 

Truffle Security discovered legitimate API keys for the WalkScore, MailChimp, and Amazon Web Services (AWS) services after examining the scanned data. In the Common Crawl dataset, TruffleHog found 219 different secret kinds in total, with MailChimp API keys being the most prevalent. 

Cybersecurity researchers explain that the developers made a mistake by hardcoding them into HTML forms and JavaScript snippets rather than using server-side environment variables. An attacker could exploit these keys for nefarious purposes like phishing and brand impersonation. Furthermore, disclosing such knowledge could result in data exfiltration. Another feature of the paper is the high reuse rate of the uncovered secrets, with 63% found on several pages. 

However, a WalkScore API key "appeared 57,029 times across 1,871 subdomains." The researchers also discovered a homepage with 17 unique live Slack webhooks, which should be kept private because they allow apps to submit messages to Slack. After conducting the research, Truffle Security got in touch with the affected suppliers and collaborated with them to remove the keys belonging to their users. 

The researchers claim to have "successfully assisted those organisations collectively in rotating/revoke several thousand keys." Truffle Security's findings are a warning that insecure coding mistakes can affect the LLM's behaviour, even if an AI model uses older archives than the dataset the researchers analysed.
Read more »
PowerSchool
AWS Data Breach LummaC2 malware MFA PowerSchool

PowerSchool Data Breach Exposes Millions

 


An American education technology company, PowerSchool, is the latest giant to fall a victim of hacking and data breaches, which probably compromised millions of records of students and teachers in North America. As one of the leading providers of school records management software, PowerSchool serves 18,000 schools who manage data over 60 million students.


How the breach happened

The compromise was discovered on December 28 and was traced to a subcontractor's account. The new report said, however, that another incident of hacking-a compromise of the access of a PowerSchool software engineer-may have had something to do with the breach. Malware infected the engineer's computer and exfiltrated login credentials for internal systems, such as Slack, AWS, and other tools.

According to the logs retrieved by researchers, the infostealing malware known as LummaC2 was used to steal the engineer's passwords. The malware extracted saved passwords and browsing histories from the web browsers of the engineer and uploaded them to a server run by cybercriminals. The stolen credentials were shared in cybercrime groups, which further exposed PowerSchool's systems. 


What Data Was Stolen?

The hackers accessed a range of sensitive personal information, including:  

  • Social Security numbers  
  •  Student grades and demographics  
  •  Medical information  
  •  Parental access details, such as restraining orders  
  •  Records of students’ medication schedules  

School districts impacted by the breach reported that the attackers stole all historical data stored in PowerSchool’s systems.  

The lack of multi-factor authentication (MFA) on a compromised maintenance account was one key vulnerability. PowerSchool has implemented MFA and reset passwords across its customer support portal. Many of the employee credentials discovered were weak and have been exposed in other breaches.

The breach, which has underlined the threats of infostealing malware in hybrid work setups where employees operate company systems using personal devices, has left much to be expected from PowerSchool.


Response and Investigation

PowerSchool, the company concerned, is reportedly working with a cybersecurity firm named CrowdStrike for the investigation into the incident. According to them, no signs of malware have been found neither has any sign of system-layer access. But they are analyzing the stolen data.


Effects on Schools

Many school districts are operating independently to gauge the scope of the breach, relying on collective knowledge from other administrators. As the investigation continues, there are questions about PowerSchool's security measures and how it managed this extensive breach. 

Schools, parents, and educators are urged to be vigilant and ensure additional layers of security are put in place to prevent future incidents.


Read more »
Subscribe to: Posts (Atom)