
Cyberattacks on Single Points of Failure Are Driving Major Industry Disruptions


Cybercriminals are increasingly targeting single points of failure within companies, causing widespread disruptions across industries. According to cybersecurity firm Resilience, attackers have shifted their focus toward exploiting key vulnerabilities in highly interconnected organizations, triggering a “cascading effect of disruption and chaos downstream.” This strategy allows cybercriminals to maximize the impact of their attacks, affecting not just the initial target but also its partners, clients, and entire industries. 


The financial consequences of these attacks have been severe. According to IBM research, the global average cost of a data breach in 2024 was nearly $4.9 million. However, some breaches were far more expensive. One of the most significant incidents involved a ransomware attack on Change Healthcare, a subsidiary of UnitedHealth that processes billions of medical claims annually. UnitedHealth reported that the attack cost the company $3.1 billion in response efforts, making it one of the most financially damaging cyber incidents in recent history. 

The attack caused major disruptions across the healthcare sector, impacting hospitals, insurance providers, and pharmacies. John Riggi, national cybersecurity advisor for the American Hospital Association, described the incident as “the most significant and consequential cyberattack in the history of U.S. health care.” Another major ransomware attack targeted CDK Global, a software provider for car dealerships across the U.S. The breach resulted in over $1 billion in collective losses for affected dealerships, according to estimates from Anderson Economic Group. 

This attack further demonstrated how cybercriminals can cripple entire industries by targeting the critical service providers that businesses rely on for daily operations. Resilience’s analysis indicates that third-party risk has become a dominant driver of cyber insurance claims: in 2024, third-party breaches accounted for 31% of all claims filed by its clients. The share was slightly higher in 2023, at 37%, but none of those incidents resulted in material financial losses. The report also found that ransomware targeting vendors has become a significant concern, contributing to 18% of all incurred claims.

Ransomware remained the top cause of financial loss in cyber incidents last year, responsible for 62% of claims involving monetary damages. However, Resilience’s research suggests that while ransomware remains a major threat, its frequency may be declining in broader markets. This trend is attributed to cybercriminals shifting their focus from random, large-scale attacks to more strategic operations against high-value targets that offer larger payouts. 

The evolving threat landscape underscores the need for organizations to strengthen cybersecurity measures, particularly in highly interconnected industries. With cyberattacks becoming more sophisticated and financially motivated, businesses must prioritize risk management, enhance third-party security assessments, and invest in cyber resilience to prevent large-scale disruptions.

Hackers Exploit Flaw in Microsoft-Signed Driver to Launch Ransomware Attacks

Cybercriminals are exploiting a vulnerability in BioNTdrv.sys, a Microsoft-signed kernel driver developed by Paragon Software and shipped with Paragon Partition Manager. The driver’s legitimate job is disk partition management, but because it carries a valid Microsoft signature and contains exploitable flaws, attackers can load it on a victim machine and abuse it for their own purposes.


How the Attack Works  

The vulnerability, identified as CVE-2025-0289, is exploited through a technique called "bring your own vulnerable driver" (BYOVD). An attacker who already has local access to a machine brings the legitimate, signed driver with them, loads it, and exploits the flaw to run code at kernel level. Loading a driver normally requires administrative rights, so BYOVD is a post-compromise step used to reach the kernel and defeat endpoint protection rather than a way in. Once the attacker has SYSTEM-level privileges, they can deploy ransomware, steal data, or tamper with or shut down security software.

The alarming part is that Paragon Partition Manager does not need to be installed on the target: the attacker supplies the driver file themselves, and the valid Microsoft signature is enough for Windows to load it.


Other Vulnerabilities  

Researchers also reported four additional flaws in the driver, tracked alongside CVE-2025-0289:

1. CVE-2025-0288: Arbitrary kernel memory access caused by a memmove call that does not validate user-supplied data, giving an attacker a memory read/write primitive.

2. CVE-2025-0287: Null pointer dereference that can crash the system (denial of service).

3. CVE-2025-0286: Arbitrary kernel memory write, which can be leveraged for code execution in the kernel.

4. CVE-2025-0285: Arbitrary kernel memory mapping from insufficient validation of user-supplied lengths, letting an attacker manipulate kernel memory and escalate privileges.


Response from Microsoft and Paragon  

Microsoft confirmed that attackers are already using the flaw in ransomware operations and has added the vulnerable driver to its Vulnerable Driver Blocklist. One caveat for defenders: the blocklist only stops the driver on systems where it is actually enforced (Windows devices with HVCI or Smart App Control enabled, or with the blocklist option turned on), so enforcement should be verified rather than assumed. Paragon Software has released an updated driver and advised users to install it immediately.


How to Stay Safe  

To protect your systems from these attacks:

1. Update Paragon Partition Manager (and the bundled driver) to the latest version.

2. Install Windows security updates regularly, and confirm that the Microsoft Vulnerable Driver Blocklist is enforced on your endpoints.

3. Use reliable endpoint protection that detects suspicious activity, including attempts to load known-vulnerable drivers.

4. Monitor driver-load telemetry: BioNTdrv.sys appearing on a host that never had Paragon software installed, or loading from a user-writable directory, is a strong BYOVD indicator.
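The monitoring step above can be turned into a concrete hunt. The following is an added example, not code from the article, Microsoft or Paragon: it runs over Sysmon Event ID 6 (DriverLoad) records and flags loads of BioNTdrv.sys, rating a load from a user-writable directory as the BYOVD pattern. The Sysmon field names are Sysmon’s own; the sample events, the Paragon install path and the hash values in them are constructed for the example.

```python
"""Hunt for BYOVD-style loads of the vulnerable Paragon driver in Sysmon
Event ID 6 (DriverLoad) telemetry. Added example; sample data is constructed."""
import re
from dataclasses import dataclass

# Driver file names treated as known-vulnerable. BioNTdrv.sys is the one from the
# article; in practice populate this set from Microsoft's Vulnerable Driver Blocklist.
KNOWN_VULNERABLE_DRIVERS = {"biontdrv.sys"}

# Locations a dropped driver is typically loaded from. Illustrative patterns
# chosen for the example; tune them to the environment.
USER_WRITABLE_PATHS = [
    re.compile(r"\\users\\[^\\]+\\", re.I),   # profile dirs: Downloads, AppData ...
    re.compile(r"\\programdata\\", re.I),
    re.compile(r"\\windows\\temp\\", re.I),
    re.compile(r"\\temp\\", re.I),
]


@dataclass
class Finding:
    utc_time: str
    image: str
    sha256: str
    severity: str
    reason: str


def parse_hashes(field):
    """Turn Sysmon's 'SHA256=...,IMPHASH=...' Hashes field into a dict."""
    pairs = (item.split("=", 1) for item in field.split(",") if "=" in item)
    return {algo.strip().upper(): value.strip() for algo, value in pairs}


def analyze_driver_load(event):
    """Return a Finding for a known-vulnerable driver load, or None otherwise."""
    image = event.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    if name not in KNOWN_VULNERABLE_DRIVERS:
        return None
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "")
    # A valid Microsoft signature is exactly what makes BYOVD work, so the
    # Signed/SignatureStatus fields cannot clear the event; the load is the signal.
    if any(p.search(image) for p in USER_WRITABLE_PATHS):
        return Finding(event["UtcTime"], image, sha256, "high",
                       "known-vulnerable driver loaded from a user-writable path (BYOVD pattern)")
    return Finding(event["UtcTime"], image, sha256, "medium",
                   "known-vulnerable driver loaded from a product directory; update or block it")


def hunt(events):
    """Run analyze_driver_load over a batch of Event ID 6 records."""
    return [f for f in map(analyze_driver_load, events) if f is not None]


# Constructed sample telemetry: one load from an assumed product install path,
# one drop into a temp directory, one unrelated Windows driver. Hashes are placeholders.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-03-03 09:14:02.117",
     "ImageLoaded": r"C:\Program Files\Paragon Software\Partition Manager\BioNTdrv.sys",
     "Hashes": "SHA256=" + "11" * 32 + ",IMPHASH=" + "22" * 16,
     "Signed": "true", "Signature": "Microsoft Windows Hardware Compatibility Publisher",
     "SignatureStatus": "Valid"},
    {"UtcTime": "2025-03-03 09:31:47.903",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\BioNTdrv.sys",
     "Hashes": "SHA256=" + "11" * 32 + ",IMPHASH=" + "22" * 16,
     "Signed": "true", "Signature": "Microsoft Windows Hardware Compatibility Publisher",
     "SignatureStatus": "Valid"},
    {"UtcTime": "2025-03-03 09:31:49.010",
     "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Hashes": "SHA256=" + "33" * 32 + ",IMPHASH=" + "44" * 16,
     "Signed": "true", "Signature": "Microsoft Windows",
     "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.utc_time} {f.image} sha256={f.sha256[:12]}... {f.reason}")
```

The SHA-256 pulled from the Hashes field is what you would compare against the hashes Microsoft lists in the driver blocklist; the path heuristic is there because the same signed file is benign under its product directory and suspicious when it appears in a temp folder on a host that never installed the product.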

While Microsoft and Paragon Software have taken steps to contain the damage, users must stay proactive in securing their systems through regular updates and vigilant monitoring.

Netflix Users Warned About AI-Powered Phishing Scam

 

Netflix subscribers are being warned about a sophisticated phishing scam circulating via email, designed to steal personal and financial information. 

The deceptive email mimics an official Netflix communication, falsely claiming that the recipient’s account has been put on hold. It urges users to click a link to resolve the issue, which redirects them to a fraudulent login page that closely resembles Netflix’s official site. 

Unsuspecting users are then prompted to enter sensitive details, including their Netflix credentials, home address, and payment information. Cybersecurity experts caution that phishing scams have become more advanced with the rise of AI-driven tactics. 

According to Jake Moore, Global Cybersecurity Advisor at ESET, artificial intelligence has enabled cybercriminals to launch phishing campaigns at an unprecedented scale, making them appear more legitimate while targeting a larger number of users. 

“Despite these advancements, many scams still rely on urgency to pressure recipients into acting quickly without verifying the sender’s authenticity,” Moore explained. 

Users are advised to remain vigilant, double-check email sources, and avoid clicking on suspicious links. Instead, they should visit Netflix directly through its official website or app to verify any account-related issues.
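The advice above (check the sender, do not follow the link, notice the urgency) can be applied mechanically to a suspect message. The following is an added example, not code from the article or from Netflix or ESET: it parses a raw email with the Python standard library, extracts every link from the HTML body, and reports a sender domain that is not the brand’s, links whose real destination is off-brand, link text that claims a brand URL but points elsewhere, and urgency wording. The sample email is constructed, the lookalike domains in it are invented, and netflix.com is assumed to be the only legitimate domain.

```python
"""Triage a suspected brand-impersonation email. Added example; sample is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

LEGITIMATE_DOMAINS = {"netflix.com"}   # assumption for the example
URGENCY_PHRASES = ("on hold", "within 24 hours", "suspended", "verify your account", "immediately")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_brand_domain(host):
    # Exact match or a real subdomain. "netflix.com.evil.example" fails both tests,
    # which is the lookalike trick this check is meant to catch.
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def analyze_email(raw):
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""

    extractor = _LinkExtractor()
    extractor.feed(body)
    off_brand_links, mismatched_links = [], []
    for href, text in extractor.links:
        host = host_of(href)
        if not is_brand_domain(host):
            off_brand_links.append(host)
        # Visible text that itself looks like a brand URL but points elsewhere.
        text_host = host_of(text) if text.startswith(("http://", "https://")) else ""
        if text_host and is_brand_domain(text_host) and text_host != host:
            mismatched_links.append((text, host))

    plain = re.sub(r"<[^>]+>", " ", body).lower()
    urgency_hits = [p for p in URGENCY_PHRASES if p in plain]

    report = {
        "sender_domain": sender_domain,
        "sender_is_brand": is_brand_domain(sender_domain),
        "off_brand_links": off_brand_links,
        "mismatched_links": mismatched_links,
        "urgency_hits": urgency_hits,
    }
    report["verdict"] = ("likely phishing"
                         if not report["sender_is_brand"] or off_brand_links or mismatched_links
                         else "no link/sender anomalies")
    return report


# Constructed sample in the style the article describes (not a real message).
SAMPLE_EMAIL = """From: "Netflix" <support@netflix-billing-alerts.example>
To: customer@example.com
Subject: Your account is on hold
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We were unable to validate your billing information, so your account has been put on hold.</p>
<p>Please <a href="https://netflix.com.account-verify.example/restart">update your payment details</a> within 24 hours.</p>
<p>Or visit <a href="https://account-verify.example/login">https://www.netflix.com/account</a></p>
</body></html>
"""

if __name__ == "__main__":
    for key, value in analyze_email(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The domain test deliberately uses "equals or ends with a dot plus the brand domain" rather than a substring match: a substring match would wave through netflix.com.account-verify.example, which is precisely the kind of address these pages use.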

CrowdStrike Report Reveals a Surge in AI-Driven Threats and Malware-Free Attacks

 

CrowdStrike Holdings Inc. released a new report earlier this month that illustrates how cyber threats evolved significantly in 2024, with attackers pivoting towards malware-free incursions, AI-assisted social engineering, and cloud-focused vulnerabilities. 

The 11th annual CrowdStrike Global Threat Report, covering 2024, details an increase in activity attributed to China-linked actors, an explosion in "vishing" (voice phishing) and other identity-based attacks, and the expanding use of generative AI in cybercrime.

In 2024, CrowdStrike discovered that 79% of cyber incursions were malware-free, up from 40% in 2019. Attackers were found to be increasingly using genuine remote management and monitoring tools to circumvent standard security measures. 

Breakout time, the time it takes an intruder to move laterally within a compromised network after gaining initial access, fell to an average of 48 minutes in 2024, with the fastest observed cases under a minute. Identity-based attacks and social engineering increased significantly throughout 2024.

Vishing attacks increased more than fivefold over the year, increasingly displacing traditional email phishing as an initial-access method. Help desk impersonation attempts grew throughout the year, with adversaries convincing IT staff to reset passwords or bypass multifactor authentication. Access broker advertisements, in which attackers sell stolen credentials and access, increased by 50% through 2024, as more credentials were stolen and offered on both the clear and dark web.

Alleged China-linked actors were also active throughout the year. CrowdStrike's researchers report a 150% rise in activity, with some industries experiencing a 200% to 300% spike. The report notes that the same groups have adopted stronger OPSEC, making their operations more difficult to track. CrowdStrike's annual report, like last year's, emphasises the growing use of AI in cybercrime.

Generative AI is now commonly used for social engineering, phishing, deepfake frauds, and automated disinformation campaigns. Notable AI initiatives include the North Korean-linked group FAMOUS CHOLLIMA, which used AI-powered fake job interviews to penetrate tech companies. 

Mitigation tips 

To combat rising security risks, CrowdStrike experts advocate improving identity security through phishing-resistant MFA, continuous monitoring of privileged accounts, and proactive threat hunting to discover malware-free intrusions before attackers gain a foothold. Organisations should also adopt real-time threat detection so that response times stay short enough for fast-moving attacks, including those with breakout times under a minute.

In addition to identity protection, companies can strengthen cloud security by requiring least privilege access, monitoring API keys for unauthorised use, and safeguarding software-as-a-service apps from credential misuse. As attackers increasingly use automation and AI capabilities, defenders should implement advanced behavioural analytics and cross-domain visibility solutions to detect stealthy breaches and halt adversary operations before they escalate.
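The help desk impersonation pattern described in the report (a reset of a password or MFA factor, followed by a login from somewhere the real user has never been) is straightforward to correlate. The following is an added example, not code from the article or from CrowdStrike: it walks a stream of identity events in time order, remembers the IPs each user has previously logged in from, and raises an alert when a successful login from a never-seen IP follows a help-desk reset within a window. The events are constructed, the field names are an assumed normalised schema rather than any vendor’s format, the 60-minute window is an assumption, and the IP addresses come from documentation ranges.

```python
"""Correlate help-desk credential/MFA resets with the next sign-in.
Added example; sample events are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

RESET_EVENT_TYPES = {"password_reset", "mfa_reset", "mfa_device_added"}
RESET_TO_LOGIN_WINDOW = timedelta(minutes=60)   # assumed; tune to the help-desk process


@dataclass
class Alert:
    user: str
    reset_type: str
    reset_by: str
    login_time: str
    login_ip: str
    login_country: str


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate_resets_with_logins(events, window=RESET_TO_LOGIN_WINDOW):
    """A successful login from a never-seen IP within `window` of a reset on the
    same account raises an Alert. Every successful login extends the baseline."""
    known_ips = defaultdict(set)       # user -> IPs seen on earlier successful logins
    recent_resets = defaultdict(list)  # user -> reset events not yet matched to a login
    alerts = []
    for e in sorted(events, key=_ts):
        user = e["user"]
        if e["type"] in RESET_EVENT_TYPES:
            recent_resets[user].append(e)
            continue
        if e["type"] != "login" or e.get("result") != "success":
            continue
        in_window = [r for r in recent_resets[user]
                     if timedelta(0) <= _ts(e) - _ts(r) <= window]
        if in_window and e["ip"] not in known_ips[user]:
            r = in_window[-1]
            alerts.append(Alert(user, r["type"], r["actor"], e["ts"], e["ip"], e["country"]))
            recent_resets[user] = []   # one alert per reset chain
        known_ips[user].add(e["ip"])
    return alerts


# Constructed sample: alice's MFA is reset by the help desk and the next login
# comes from a new IP (alert); carol's reset is followed by a login from her
# usual IP (no alert); dave logs in from a new IP with no reset (no alert here).
SAMPLE_EVENTS = [
    {"ts": "2025-02-10T08:00:00+00:00", "type": "login", "result": "success",
     "user": "carol", "ip": "203.0.113.44", "country": "US"},
    {"ts": "2025-02-10T08:55:00+00:00", "type": "login", "result": "success",
     "user": "alice", "ip": "203.0.113.10", "country": "US"},
    {"ts": "2025-02-10T10:12:00+00:00", "type": "mfa_reset",
     "user": "alice", "actor": "helpdesk.bob", "ticket": "HD-4471"},
    {"ts": "2025-02-10T10:20:00+00:00", "type": "login", "result": "success",
     "user": "alice", "ip": "198.51.100.77", "country": "NL"},
    {"ts": "2025-02-10T11:00:00+00:00", "type": "password_reset",
     "user": "carol", "actor": "helpdesk.bob", "ticket": "HD-4480"},
    {"ts": "2025-02-10T11:05:00+00:00", "type": "login", "result": "success",
     "user": "carol", "ip": "203.0.113.44", "country": "US"},
    {"ts": "2025-02-10T11:30:00+00:00", "type": "login", "result": "success",
     "user": "dave", "ip": "198.51.100.9", "country": "BR"},
    {"ts": "2025-02-10T13:00:00+00:00", "type": "login", "result": "success",
     "user": "alice", "ip": "198.51.100.77", "country": "NL"},
]

if __name__ == "__main__":
    for a in correlate_resets_with_logins(SAMPLE_EVENTS):
        print(f"ALERT {a.user}: {a.reset_type} by {a.reset_by}, then login "
              f"from {a.login_ip} ({a.login_country}) at {a.login_time}")
```

In production the "never seen" test would be on ASN or device fingerprint rather than raw IP, and the baseline would come from weeks of history rather than the same batch; the structure of the rule stays the same.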

Qilin Ransomware Outfit Claims Credit for Lee Enterprises Breach

 

The Lee Enterprises attack that caused disruptions on February 3 has been linked to the Qilin ransomware group, which has released samples of data they claim were stolen from the enterprise. The ransomware actors have now threatened to release all of the allegedly stolen material unless a ransom demand is fulfilled.

The US-based media firm Lee Enterprises owns and runs 350 magazines, 77 daily newspapers, digital media platforms, and marketing services. The company's internet viewership reaches tens of millions each month, and its main concentration is local news and advertising.

In a filing with the Securities and Exchange Commission (SEC) earlier this month, the company disclosed that it had been hit by a cyberattack on February 3, 2025, resulting in major operational disruption. Reporting on the outage described serious issues, including lost access to internal systems and cloud storage and non-functioning corporate VPNs.

A week later, Lee Enterprises filed a new statement with the SEC, stating that the attackers "encrypted critical applications and exfiltrated certain files," implying that they had been targeted by ransomware. 

Earlier this week, Qilin ransomware added Lee Enterprises to its dark web extortion site, publishing samples of allegedly stolen data such as government ID scans, non-disclosure agreements, financial spreadsheets, contracts/agreements, and other private papers reportedly stolen from the company. 

Evolution of Qilin ransomware

Despite not being one of the most active ransomware groups, Qilin has advanced significantly since being introduced in August 2022 under the alias "Agenda.”

In the years that followed, the cybercriminals claimed hundreds of victims, with prominent examples including automotive supplier Yanfeng, Australia's Court Services Victoria, and several major NHS hospitals in London.

In terms of technical evolution, Qilin released a Linux (VMware ESXi) variant in December 2023, began deploying a custom Chrome credential stealer in August 2024, and launched a Rust-based data locker with stronger encryption and better evasion in October 2024.

Microsoft released a report last year claiming that the infamous members of the hacking group known as "Scattered Spider" had started using the Qilin ransomware in their attacks.

Poland’s Space Agency Investigates Cyberattack, Works On Security Measures

 
Poland’s space agency, POLSA, has reported a cyberattack on its systems, prompting an ongoing investigation. In response to the breach, the agency quickly disconnected its network from the internet to prevent further damage. As of Monday, its official website was still offline.  


Government and Cybersecurity Teams Take Action

Poland’s Minister of Digital Affairs, Krzysztof Gawkowski, confirmed that cybersecurity experts detected unauthorized access to POLSA’s systems. Security specialists have since secured the affected infrastructure and are now working to determine who was behind the attack. However, officials have not yet shared whether the hackers were financially motivated cybercriminals or politically driven groups. The method used to infiltrate the agency’s network also remains undisclosed.  


Why Hackers Target Space Agencies

Organizations involved in space research and technology are attractive targets. Many of these agencies collaborate with defense and intelligence sectors, so a successful attack could expose confidential projects, satellite communications, and security-related data, disrupt critical operations, leak classified research, or even interfere with national security.


Poland Faces a Surge in Cyberattacks

Poland has become one of the most frequently targeted countries in the European Union when it comes to cyber threats. Earlier this year, Gawkowski stated that the country experiences more cyber incidents than any other EU nation, with most attacks believed to be linked to Russian actors. Poland’s strong support for Ukraine, both in military assistance and humanitarian aid, has likely contributed to this rise in cyber threats.  

The number of cyberattacks against Poland has increased drastically in recent years. Reports indicate that attacks doubled in 2023 compared to previous years, with over 400,000 cybersecurity incidents recorded in just the first half of the year. In response, the Polish government introduced a cybersecurity initiative in June, allocating $760 million to strengthen the country’s digital defenses.  


Other Space Agencies Have Also Been Targeted

This is not the first time a space agency has fallen victim to cyberattacks. Japan’s space agency, JAXA, has faced multiple breaches in the past. In 2016, reports suggested that JAXA was among 200 Japanese organizations targeted by suspected Chinese military hackers. In 2023, unknown attackers infiltrated the agency’s network, raising concerns that sensitive communications with private companies, such as Toyota, may have been exposed.  

As space technology continues to advance, protecting space agencies from cyber threats has become more crucial than ever. These organizations handle valuable and often classified information, making them prime targets for espionage, sabotage, and financial cybercrime. If hackers manage to breach their systems, the consequences could be severe, ranging from stolen research data to disruptions in satellite operations and defense communications.  

POLSA’s ongoing investigation will likely uncover more details about the cyberattack in the coming weeks. For now, the incident highlights the increasing need for governments and space organizations to invest in stronger cybersecurity measures to protect critical infrastructure.

Genea Cyberattack: Termite Ransomware Leaks Sensitive Patient Data

 

One of Australia’s leading fertility providers, Genea Pty Ltd, has been targeted in a cyberattack allegedly carried out by the Termite ransomware group. On February 26, 2025, the group claimed responsibility for breaching Genea’s systems and stated that they had stolen 700GB of data from 27 company servers. The stolen information reportedly includes financial documents, invoices, medical records, personal identification data, and detailed patient questionnaires. 

Among these files are Protected Health Information (PHI), which contains personal medical histories and sensitive patient details. The cyberattack was first confirmed by Genea on February 19, 2025, when the company disclosed that its network had been compromised. The breach caused system outages and disrupted operations, leading to an internal investigation supported by cybersecurity experts. Genea moved quickly to assess the extent of the damage and reassure patients that the incident was being addressed with urgency. 

In an update released on February 24, 2025, the company acknowledged that unauthorized access had been detected within its patient management systems. By February 26, 2025, Genea confirmed that some of the stolen data had been leaked online by the attackers. In a public statement, the company expressed deep regret over the breach, acknowledging the distress it may have caused its patients. In response, Genea took immediate legal action by securing a court-ordered injunction to prevent further distribution or use of the stolen information. 

This measure was part of the company’s broader effort to protect affected individuals and limit the potential damage caused by the breach. To assist those impacted, Genea partnered with IDCARE, Australia’s national identity and cyber support service. Affected individuals were encouraged to seek help and take necessary steps to safeguard their personal information. The company urged patients to remain alert for potential fraud or identity theft attempts, particularly unsolicited emails, phone calls, or messages requesting personal details.  

The attack was initially detected on February 14, 2025, when suspicious activity was observed within Genea’s network. Upon further investigation, it was revealed that unauthorized access had occurred, and patient data had been compromised. The attackers reportedly targeted Genea’s patient management system, gaining entry to folders containing sensitive information. The exposed data includes full names, contact details, medical histories, treatment records, Medicare card numbers, and private health insurance information. 

However, as of the latest update, there was no evidence that financial data, such as bank account details or credit card numbers, had been accessed. Despite the severity of the breach, Genea assured patients that its medical and administrative teams were working tirelessly to restore affected systems and minimize disruptions to fertility services. Ensuring continuity of patient care remained a top priority while the company simultaneously focused on strengthening security measures to prevent further incidents. 

In response to the breach, Genea has been collaborating with the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC) to investigate the full extent of the attack. The company is committed to keeping affected individuals informed and taking all necessary precautions to enhance its cybersecurity framework. Patients were advised to monitor their accounts and report any suspicious activity to authorities. 

As a precaution, Genea recommended that affected individuals follow security guidelines issued by official government agencies such as the Australian Cyber Security Centre and the ACCC’s Scamwatch. For those concerned about identity theft, IDCARE’s experts were made available to provide support and guidance on mitigating risks associated with cybercrime. The incident has highlighted the growing risks faced by healthcare providers and the importance of implementing stronger security measures to protect patient data.

Russian Telecom Company "Beeline" Hit, Users Face Internet Outage


Internet outage in Russia as telecom provider is attacked

Users in Russia faced an internet outage after a targeted DDoS attack on the Russian telecom company Beeline. This is the second major attack in recent weeks on the Moscow-based provider, which has over 44 million subscribers.

After several user complaints and reports from outage-tracking services, Beeline confirmed the attack to local media.

According to The Record, data from the internet monitoring service Downdetector suggests “most Beeline users in Russia faced difficulties accessing the company’s mobile app, while some also reported website outages, notification failures and internet disruptions.”

Impact on Beeline

Beeline announced the attack on its Telegram channel, stressing that the attackers did not gain unauthorized access to customer data. The provider said it is restoring all affected systems and strengthening its cybersecurity measures to prevent future attacks. Mobile services remained active, but users reported problems with some online services and account-management features.

Rise of threat in Russia

The attack on Beeline is part of a wider trend of cyberattacks in Russia; in September 2024, VTB, Russia’s second-largest bank, faced similar outages after an attack on its infrastructure.

These incidents highlight the rising threat from cyberattacks that single out critical infrastructure, in Russia and worldwide.

Experts have warned about the growing intensity and sophistication of such attacks, which damage not only critical businesses but also essential services that millions of Russian citizens depend on.

Telecom companies in Russia targeted

How Beeline responds to the attack and recovers will be closely watched by both the telecom industry and regulators. The Beeline incident resembles the large-scale DDoS attack on Russian telecom giant MegaFon earlier this year.

According to a cybersecurity source reported by Forbes Russia, the Beeline attack in February and the Megafon incident in January are the top hacktivist cyberattacks aiming at telecom sectors in 2025. 

According to the conversation with Forbes, the source said, “Both attacks were multi-vector and large-scale. The volume of malicious traffic was identical, but MegaFon faced an attack from 3,300 IP addresses, while Beeline was targeted via 1,600, resulting in a higher load per IP address.”

Bybit Suffers Historic $1.5 Billion Crypto Hack, Lazarus Group Implicated

 

Dubai-based cryptocurrency exchange Bybit Technology Ltd. has fallen victim to a massive cyberattack, with approximately $1.5 billion in cryptocurrency stolen. The breach is believed to be the largest single theft in cryptocurrency history.

Bybit, a well-established exchange with over 60 million users, consistently ranks among the top five platforms by trading volume. The company disclosed the hack on February 21, revealing that attackers gained control of an Ethereum wallet and transferred its holdings to an unknown address. The theft occurred during a routine transfer from Bybit’s offline cold wallet to a warm wallet used for daily trading: the transaction the signers approved was not the transaction they were shown, and approving it handed control of the cold wallet to the attacker. Approximately 401,000 ETH was stolen.

“Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic,” Bybit explained on X. “As a result, the attacker was able to gain control of the affected ETH cold wallet and transfer its holdings to an unidentified address.”
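The failure Bybit describes (the screen shows the right address while the payload does something else) is only caught by decoding what is actually being signed. The following is an added example, not code from Bybit or from any wallet project: it takes a multisig transaction in the Safe-style shape (to, value, data, operation) and compares it with what the UI claims, refusing a delegatecall, an unlisted target, a destination in the calldata that differs from the one shown, or an unknown function selector. Treating operation=1 (DELEGATECALL) as the way contract logic gets replaced is an assumption of the example, not a detail the article gives; the addresses and the 0xdeadbeef selector are constructed, and only the ERC-20 transfer selector a9059cbb is a real constant.

```python
"""Verify a multisig transaction from its raw fields before signing.
Added example; addresses and the manipulated payload are constructed."""

CALL, DELEGATECALL = 0, 1
TRANSFER_SELECTOR = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")


def encode_transfer(recipient, amount):
    """ABI-encode transfer(address,uint256) calldata (used to build the sample)."""
    return ("0x" + TRANSFER_SELECTOR
            + recipient[2:].lower().rjust(64, "0")
            + amount.to_bytes(32, "big").hex())


def decode_calldata(data_hex):
    """Return (selector, recipient, amount) for an ERC-20 transfer,
    (selector, None, None) for any other call, (None, None, None) for empty data."""
    data = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if not data:
        return None, None, None
    selector = data[:4].hex()
    if selector == TRANSFER_SELECTOR and len(data) >= 68:
        recipient = "0x" + data[16:36].hex()         # last 20 bytes of the first word
        amount = int.from_bytes(data[36:68], "big")  # second word
        return selector, recipient, amount
    return selector, None, None


def verify_before_signing(tx, ui_view, allowed_targets):
    """Compare the raw payload with what the UI claims; return reasons to refuse."""
    problems = []
    to = tx["to"].lower()
    if tx["operation"] != CALL:
        problems.append("operation is DELEGATECALL: the target's code would run with the "
                        "wallet's storage and can rewrite its logic")
    if to not in {a.lower() for a in allowed_targets}:
        problems.append(f"target {to} is not an allow-listed token or destination")
    selector, recipient, amount = decode_calldata(tx["data"])
    shown_to, shown_amount = ui_view["recipient"].lower(), ui_view["amount"]
    if selector is None:                 # native transfer: `to` is the destination
        if to != shown_to or tx["value"] != shown_amount:
            problems.append("native transfer does not match the recipient/amount shown on screen")
    elif recipient is not None:          # ERC-20 transfer: destination lives in calldata
        if recipient != shown_to or amount != shown_amount:
            problems.append(f"calldata sends {amount} to {recipient}, UI shows {shown_amount} to {shown_to}")
    else:
        problems.append(f"unrecognised function selector 0x{selector}; refuse to blind-sign")
    return problems


TOKEN = "0x" + "11" * 20              # assumed ERC-20 contract address
WARM_WALLET = "0x" + "22" * 20        # assumed legitimate destination
ATTACKER_CONTRACT = "0x" + "33" * 20  # constructed
AMOUNT = 1_000 * 10**18

UI_VIEW = {"recipient": WARM_WALLET, "amount": AMOUNT}   # what the signer sees in both cases

HONEST_TX = {"to": TOKEN, "value": 0,
             "data": encode_transfer(WARM_WALLET, AMOUNT), "operation": CALL}
MANIPULATED_TX = {"to": ATTACKER_CONTRACT, "value": 0,
                  "data": "0xdeadbeef", "operation": DELEGATECALL}

if __name__ == "__main__":
    for name, tx in (("honest", HONEST_TX), ("manipulated", MANIPULATED_TX)):
        print(name, verify_before_signing(tx, UI_VIEW, [TOKEN, WARM_WALLET]) or ["ok"])
```

The point of the check is that it reads only the fields that end up hashed and signed, never the rendering; a compromised front end can change what it draws on the page, but it cannot make a decoded calldata say something different from what the hardware signer will commit to.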

In response, Bybit’s co-founder and Chief Executive Officer Ben Zhou reassured users that the platform remains solvent, emphasizing that all client assets are backed one-to-one. The company also stated that it holds reserves exceeding $20 billion to cover the losses.

To incentivize recovery efforts, Bybit is offering a 10% reward on any recovered funds for ethical cyber and network security experts contributing to the retrieval process.

Despite Bybit’s assurances, the disclosure triggered significant withdrawals from the exchange. According to CoinDesk, users withdrew approximately $4 billion, bringing the total outflows, including stolen funds, to around $5.5 billion.

Investigators swiftly traced the stolen Ethereum to North Korea’s notorious Lazarus Group. Known for high-profile cyberattacks, the group was behind the 2014 Sony Pictures breach and the 2017 WannaCry ransomware outbreak. It has previously targeted cryptocurrency exchanges, including the 2024 theft of 4,500 bitcoins from Japanese exchange DMM Bitcoin.

Arkham Intelligence was the first to identify the connection, with researcher ZachXBT providing definitive proof on X. Further investigation linked the Bybit hack to a January attack on Phemex, another cryptocurrency exchange that suffered a $69 million loss.

Recovering stolen funds from a state-backed hacking group poses significant challenges. However, nearly $43 million of the stolen cryptocurrency has already been frozen in wallets through coordinated efforts, and an affiliated token has been blocked and removed. 

Discussions have emerged about a possible rollback of the Ethereum blockchain to recover stolen assets. Bybit CEO Ben Zhou and BitMEX co-founder Arthur Hayes have floated the idea, though it remains uncertain whether such a measure is feasible. As reported by CoinDesk, executing a rollback would require community consensus, which may not be forthcoming and could potentially lead to a contentious hard fork of the cryptocurrency.

BlackLock Ransomware: The Fastest-Growing Cyber Threat and How to Stay Safe

 
Ransomware remains a major problem for businesses, and a new cybercriminal group is expanding at an alarming rate. Security researchers at ReliaQuest have identified BlackLock as the fastest-growing ransomware operation today, with its activity increasing by 1,425% since late 2024. Although it is currently the seventh most active ransomware group, experts predict it could become the biggest threat in 2025.  

Despite law enforcement cracking down on major ransomware gangs like LockBit in 2024, the number of cyberattacks continues to grow. A report from January 31 suggested ransomware incidents had risen by 15% compared to the previous year. However, a February 20 study by Symantec showed a slower increase of just 3%. No matter the rate, the takeaway is the same, ransomware remains a serious risk.  


How BlackLock Ransomware Operates  

BlackLock ransomware is designed to infect Windows, Linux, and VMware ESXi systems, making it a versatile and dangerous threat. Cybercriminals behind this operation have developed unique methods to pressure victims into paying ransom quickly.  


1. Blocking access to stolen data  

  • Ransomware groups often leak stolen information on dark web sites to force victims to pay.  
  • BlackLock makes it harder for victims and cybersecurity teams to access leaked data by blocking repeated download attempts.  
  • If someone tries to retrieve files too often, they either receive no response or only see empty files with contact details instead of real data.  
  • This tactic prevents companies from fully understanding what was stolen, increasing the likelihood of paying the ransom.  


2. Recruiting criminals to assist with attacks  

  • BlackLock actively hires "traffers," cybercriminals who help spread ransomware by tricking people into downloading malware.  
  • These traffers guide victims toward fake websites or malicious links that install ransomware.  
  • The group openly recruits low-level hackers on underground forums, while more skilled cybercriminals are privately contacted for higher-level roles.  


Steps to Protect Your Systems  

Security experts recommend taking immediate action to strengthen defenses, especially for companies using VMware ESXi servers. Here are some key steps:  

1. Turn off unnecessary services  

  • Disable unused features such as vMotion and SNMP to reduce the attack surface the host exposes.  

2. Strengthen security restrictions  

  • Put ESXi hosts into lockdown mode so they can only be managed through vCenter, closing off direct access to the host.  

3. Limit network access  

  • Use firewalls and strict access controls so that only management networks can reach the ESXi hosts and vCenter.  

Additional recommendations include:  

1. Activating multi-factor authentication (MFA) to prevent unauthorized logins.  

2. Disabling Remote Desktop Protocol (RDP) on systems that do not need remote access.  

The rapid rise of BlackLock ransomware shows that cybercriminals are constantly developing new strategies to pressure victims and avoid detection. Organizations must take proactive steps to secure their networks and stay informed about emerging threats. Implementing strong security controls today can prevent costly cyberattacks in the future.

Bybit Crypto Exchange Hacked for $1.5 Billion in Largest Crypto Heist

 

Bybit, one of the world’s largest cryptocurrency exchanges, has suffered a massive security breach, resulting in the loss of $1.5 billion in digital assets. The hack, now considered the largest in crypto history, compromised the exchange’s cold wallet—an offline storage system designed to provide enhanced security against cyber threats. 

Despite the breach, Bybit CEO Ben Zhou assured users that other cold wallets remain secure and that withdrawals continue as normal. Blockchain analysis firms, including Elliptic and Arkham Intelligence, traced the stolen funds as they were quickly moved across multiple wallets and laundered through various platforms. Most of the stolen assets were in ether, which the attackers swapped and moved quickly to frustrate tracing.

The scale of the attack far exceeds previous high-profile crypto thefts, including the $611 million Poly Network hack in 2021 and the $570 million stolen from Binance’s BNB token in 2022. Investigators later linked the attack to North Korea’s Lazarus Group, a state-sponsored hacking organization known for targeting cryptocurrency platforms. The group has a history of siphoning billions from the digital asset industry to fund the North Korean regime. 

Experts say Lazarus employs advanced laundering techniques to hide the stolen funds, making recovery difficult. Elliptic’s chief scientist, Tom Robinson, confirmed that the hacker’s addresses have been flagged in an attempt to prevent further transactions or cash-outs on other exchanges. However, the sheer speed and sophistication of the operation suggest that a significant portion of the funds may already be out of reach. The news of the breach sent shockwaves through the crypto community, triggering a surge in withdrawals as users feared the worst. 

While Bybit has managed to stabilize outflows, concerns remain over the platform’s ability to recover from such a massive loss. To reassure customers, Bybit announced that it had secured a bridge loan from undisclosed partners to cover any unrecoverable losses and maintain operations. The Lazarus Group’s involvement highlights the persistent security risks in the cryptocurrency industry. Since 2017, the group has orchestrated multiple cyberattacks, including the theft of $200 million in bitcoin from South Korean exchanges. 

Their methods have become increasingly sophisticated, exploiting vulnerabilities in crypto platforms to fund North Korea’s financial needs. Industry experts warn that large-scale thefts like this will continue unless exchanges implement stronger security measures. Robinson emphasized that making it harder for criminals to profit from these attacks is the best deterrent against future incidents. 

Meanwhile, law enforcement agencies and crypto-tracking firms are working to trace the stolen assets in hopes of recovering a portion of the funds. While exchanges have made strides in improving security, cybercriminals continue to find ways to exploit weaknesses, making robust protections more crucial than ever.

University of Notre Dame Hit by Cyberattack: Hackers Say They Stole Everything

A cybercriminal group known as Fog Ransomware has claimed responsibility for a cyberattack on the University of Notre Dame in Perth, Australia. According to reports, the group has allegedly stolen 62.2GB of sensitive data, including student medical records, staff and student contact information, and confidential documents.  


Hackers Announce Data Theft on the Dark Web  

The university was first alerted to a cybersecurity breach in January 2025. Recently, technology news sources revealed that Fog Ransomware had posted details of the attack on its dark web leak site. The group claimed to have accessed and stolen a large amount of private and institutional information.  

As of now, the hackers have not made any ransom demands or issued a deadline for payment. Cybersecurity experts believe that this group has a history of targeting educational and recreational institutions worldwide.  


How the Attack Has Affected the University  

The cyberattack has disrupted essential university operations, making it difficult for students and staff to access key services. Some of the areas impacted include:  

1. Payroll and leave management – Employees have been unable to process payments and leave applications as usual. Temporary manual processes have been put in place.  

2. Student enrolments and timetables – Many students have struggled to access their class schedules and register for courses.  

3. Communication services – Internet and email systems have also been affected, causing delays in official university communication.  

University official Patrick Hampton, who is both the Deputy Head of Education and President of the National Tertiary Education Union WA Notre Dame branch, stated that the attack had disrupted critical functions necessary for the university’s daily operations. He also emphasized that staff and students need additional support to cope with these challenges.  


Uncertainty Over the Full Extent of the Data Breach  

At this stage, the university has not been able to confirm exactly what data has been stolen. A spokesperson explained that while primary systems handling student records, finance, and human resources appear secure, some separately stored data might have been compromised.  

To assess the situation, the university has engaged international cybersecurity experts and is working to determine the extent of the breach. Officials have assured that if any personal data is found to be affected, the university will notify those impacted as soon as possible.  


Response and Future Actions

The incident has been reported to the Australian Cyber Security Centre (ACSC), and the university is taking necessary precautions to strengthen its security measures. Despite the ongoing challenges, the university has confirmed that classes for the 2025 academic year will begin as scheduled.  

Meanwhile, the staff union is pushing for greater transparency from the university administration. They are demanding that university leadership keep staff and students fully informed about what data has been compromised and provide assurances about data protection measures moving forward.  

This attack is a reminder of the increasing cybersecurity threats faced by educational institutions. Universities hold vast amounts of sensitive student and staff data, making them prime targets for cybercriminals. 

Serious Security Flaw in Exim Email Servers Could Let Hackers Steal Data

A dangerous security flaw has been discovered in Exim, a widely used email server software. The vulnerability, officially tracked as CVE-2025-26794, allows hackers to inject harmful commands into the system, potentially leading to data theft or even complete control over the email server. This issue affects Exim version 4.98 when used with a specific database system called SQLite. Experts warn that this is one of the biggest email security threats of 2025.  


How This Vulnerability Works

The problem occurs because of the way Exim handles database queries under certain settings. It mainly affects systems that:  

1. Use SQLite for storing email-related data – This happens when Exim is set up with a special feature called `USE_SQLITE`.  

2. Enable the ETRN command – ETRN lets a client ask the server to deliver mail queued for a domain, but it can be misused if it is not properly restricted.  

3. Have weak protections against command execution – Some default settings make it easier for attackers to sneak in harmful database commands.  

If all these conditions are met, a hacker can send specially designed emails to the server, tricking it into running unauthorized commands. This could allow them to access sensitive information, modify system settings, or even take control of the entire email system.  


How Attackers Can Use This Flaw

For this security risk to be exploited, three things need to be true:  

1. The system must be running Exim 4.98 with SQLite enabled.  

2. The ETRN command must be set to "accept" instead of the safer "deny" mode.  

3. A specific security setting, smtp_etrn_serialize, must be left at its default value, which can create a loophole for hackers.  

Even though Exim’s default settings provide some level of security, many organizations adjust them to work with older systems, unknowingly making their servers more vulnerable.  


Steps to Stay Safe

To protect email systems from this issue, cybersecurity experts recommend taking the following steps immediately:  

1. Check which version of Exim is installed using the command `exim -bV`.  

2. Disable SQLite integration if it’s not necessary.  

3. Modify ETRN settings to prevent unauthorized use.  

4. Update to the latest Exim version (4.98.1), which includes a fix for this problem.  

For organizations that must continue using SQLite, additional security measures should be in place, such as filtering out risky commands and monitoring unusual activity in the database.  
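As an added example (my own, not Exim project code and not part of the original post), the following Python script applies the three conditions from the steps above to the text that `exim -bV` prints. The sample output is constructed; the ETRN policy is passed in as "accept" or "deny", mirroring the post's wording, because the ACL that governs ETRN is site-specific, and `assess_local_host` is a helper I added for running the check on a real host.

```python
"""Classify an Exim host against the three conditions the post lists.

Added example, not Exim project code. It parses the text `exim -bV` prints
(the "Exim version ..." line and the "Lookups (built-in):" line) and takes the
effective ETRN policy as a separate argument.
"""
import re
import subprocess
from typing import Optional

AFFECTED_VERSION = "4.98"   # release the post names as affected
FIXED_VERSION = "4.98.1"    # release the post names as carrying the fix

# Constructed sample of `exim -bV` output; not captured from a real host.
SAMPLE_BV_AFFECTED = """\
Exim version 4.98 #2 built 10-Dec-2024 12:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 OpenSSL
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dnsdb dsearch sqlite
"""
SAMPLE_BV_FIXED = SAMPLE_BV_AFFECTED.replace("Exim version 4.98 ", "Exim version 4.98.1 ")
SAMPLE_BV_NO_SQLITE = SAMPLE_BV_AFFECTED.replace(" sqlite", "")


def exim_version(bv_output: str) -> Optional[str]:
    """Extract the version from the 'Exim version X.Y[.Z] ...' line."""
    m = re.search(r"^Exim version (\d+(?:\.\d+)+)", bv_output, re.MULTILINE)
    return m.group(1) if m else None


def exim_has_sqlite(bv_output: str) -> bool:
    """True when 'sqlite' is among the compiled-in lookup types (a USE_SQLITE build)."""
    m = re.search(r"^Lookups \(built-in\):(.*)$", bv_output, re.MULTILINE)
    return bool(m) and "sqlite" in m.group(1).split()


def assess(bv_output: str, etrn_policy: str) -> str:
    """Combine the three conditions: version 4.98, SQLite built in, ETRN accepted.

    etrn_policy is "accept" or "deny" (the post's wording); deriving it from the
    ETRN ACL of a real host is left to the operator (assumption).
    """
    version = exim_version(bv_output)
    if version != AFFECTED_VERSION:
        return f"not-affected: version {version or 'unknown'}"
    if not exim_has_sqlite(bv_output):
        return "not-affected: sqlite lookup not built in"
    if etrn_policy != "accept":
        return "not-affected: ETRN not accepted"
    return f"AFFECTED: upgrade to {FIXED_VERSION}, or deny ETRN and drop the SQLite lookup"


def assess_local_host(etrn_policy: str) -> str:
    """Helper (added here): run `exim -bV` on this machine and assess its output."""
    out = subprocess.run(["exim", "-bV"], capture_output=True, text=True, check=True).stdout
    return assess(out, etrn_policy)


if __name__ == "__main__":
    for label, sample in (("affected build", SAMPLE_BV_AFFECTED),
                          ("patched build", SAMPLE_BV_FIXED),
                          ("no sqlite", SAMPLE_BV_NO_SQLITE)):
        print(f"{label}: {assess(sample, 'accept')}")
```

The version check is deliberately an exact match on 4.98, since the post names that single release as affected and 4.98.1 as fixed. The value of the serialisation option the post mentions can be read on a live host with `exim -bP smtp_etrn_serialize`, which prints the effective setting of a named main option.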


How Exim Developers Responded

The Exim development team acted quickly by releasing a patched version within 72 hours after confirming the issue. The flaw was originally reported by cybersecurity researcher Oscar Bataille, who followed responsible disclosure guidelines. This allowed Exim’s developers to fix the problem before it became public, reducing the chances of widespread attacks.  


Why This Matters

Exim is used by over 60% of email servers on the internet, meaning this flaw could have affected millions of systems worldwide. This incident is a reminder that even well-established software can have hidden weaknesses, especially when newer features interact with older components.  

To stay safe, organizations must regularly update their email software, follow security best practices, and stay informed about new threats. The faster vulnerabilities like this are addressed, the lower the risk of cyberattacks.

Lack of Phishing Awareness Among Executives Poses a Security Threat

Phishing scams are expected to remain a serious cybersecurity threat in the years to come, and recent research has highlighted a worrying gap in awareness among business leaders. The study found that the vast majority of executives in the United States are unable to recognize all the warning signs of a phishing email, which shows that corporate security practices are vulnerable. 

As cyber threats have become increasingly sophisticated, the risk to personal and corporate data has risen. Security breaches and ransomware attacks have become increasingly common, driven by advances in artificial intelligence that have enabled cybercriminals to develop more deceptive and efficient scams. Organizations constantly face new threats as the digital landscape continues to evolve, and as new phishing tactics emerge every day, it becomes increasingly challenging to stay ahead of them. 

Cybersecurity awareness must be raised at the leadership level to mitigate these risks and protect sensitive information. According to a recent study, there is currently a significant gap in cybersecurity knowledge among senior executives, raising concerns about how resilient businesses are to phishing attacks. The findings suggest that only 1.6% of senior leaders were able to correctly identify all key indicators of phishing emails, which points to a critical weakness in organizations' cybersecurity defences. 

This lack of awareness puts businesses at considerable risk, as phishing remains the most common method cybercriminals use to gain access to corporate networks. Phishing scams are expected to remain a major concern for businesses in 2025, as the data indicates that these attacks lead directly to security breaches. In the survey, 40% of organizations that experienced a breach attributed the incident to phishing, the second most common cause of cybersecurity failures; malware was the most common cause, affecting 53% of firms. 

In light of these findings, executives must strengthen cybersecurity training and awareness initiatives to mitigate the growing threats posed by phishing and other attacks. The findings come from an annual report that examines the trends shaping the business landscape by looking at the impact of technology on the workplace; it assesses technology advances, including cybersecurity, and the effect they have on businesses day to day. 

The latest study surveyed 1,036 senior executives and workplace managers from a variety of industries to gain insight into how organizations are dealing with these changes. It reveals a concerning lack of leadership preparedness for data protection. Even though cyber threats are becoming increasingly sophisticated, many senior leaders remain unprepared to deal with vulnerabilities within their organizations. The study underlines the urgency of improving cybersecurity training and establishing strategic initiatives to strengthen data security as digital threats continue to grow in sophistication. 

The study, conducted a few months ago, surveyed 1,036 U.S. business leaders to determine whether they could distinguish phishing emails from genuine ones. Participants were evaluated on their sensitivity to common red flags, among them:

1. Spelling and grammatical errors

2. Emails received from unfamiliar senders

3. Requests for sensitive information

4. Messages conveying urgency or threats

According to the findings of this study, senior executives are showing a troubling lack of cybersecurity awareness. 

Alarmingly, 33% of respondents failed to recognize when they received an email from an unknown sender that it might be a potential phishing scam. Even more concerning is that 47% of respondents failed to identify a tone of urgency or threat as a sign of phishing scams. In 2024, phishing attacks are estimated to have accounted for 40% of all data breaches affecting businesses, a sharp increase over 2023, when phishing attacks made up 23% of data breaches. Another finding of the study is that nearly a third (19%) of business leaders do not understand the concept of two-factor authentication, which is a fundamental security measure aimed at protecting against unauthorized access to their business systems. 

A significant gap is evident in cybersecurity education at the leadership level, raising serious concerns about organizations' data protection strategies. The financial consequences for businesses can be substantial if these vulnerabilities are exploited: data breaches cost on average $4.88 million in 2024, an increase of 10% over the previous year. Tech.co's Editor, Jack Turner, emphasizes the importance of addressing this matter and describes the research as a wake-up call for business leaders who may underestimate the risks associated with cybercrime. 

A significant percentage of respondents were unable to identify even the most basic signs of phishing attempts, which helps explain why phishing attacks remain so effective. A company's cybersecurity training programs should not be limited to the IT department; they should be available to all employees, from entry-level staff to senior managers. Only by continuously raising the level of education and vigilance can organizations strengthen their defences against cyberattacks, which are becoming increasingly commonplace. 

Businesses continue to suffer significant financial and reputational damage as a result of poor cybersecurity practices, with data breaches resulting in substantial revenue losses and long-term brand erosion. Because these risks must be taken into account, cybersecurity has become a top priority for companies, and leadership must take active steps to enhance security measures within their organizations. 

The problem, however, is that many senior executives do not possess the fundamental knowledge they need to implement effective security strategies. The latest survey reveals that almost 19% of senior leaders are unable to define multi-factor authentication (MFA) correctly, despite its being widely recognized as an effective tool for safeguarding sensitive data. 

This creates a significant vulnerability at the leadership level, because executives play a pivotal role in shaping and enforcing the cybersecurity policies their organizations follow. As part of establishing a robust cybersecurity framework, senior leadership needs to take an active role in learning about key security measures and becoming familiar with them. However, securing an organization cannot rest solely in the hands of executive management. 

To develop a comprehensive security strategy, the entire company must be involved, with all employees being able to recognize and respond to potential threats. With technology progressing at such a rapid pace, investing in cybersecurity education at all levels of an organization is no longer an optional investment; rather, it is a must. By implementing structured training programs, companies can ensure their employees and executives remain alert to the ever-changing cyber threats. 

By cultivating a culture of cybersecurity awareness, businesses can ensure that their data, financial stability, and long-term reputation are protected in an increasingly digital environment, thus enhancing the efficiency of their business. Several key findings of the report reveal the urgent need for senior executives to have a better understanding of cybersecurity. 

Organizations must address this knowledge gap by providing comprehensive training and utilizing robust security frameworks that can strengthen their defences against cyberattacks from the outside. Cyber threats are becoming more advanced every day, and proactive leadership as well as company-wide awareness will be of crucial importance for mitigating risks and safeguarding business operations in a world where everything is going digital.

Hackers Use Invisible Unicode Trick to Hide Phishing Attacks

Cybercriminals have discovered a new way to conceal malicious code inside phishing attacks by using invisible Unicode characters. This technique, identified by Juniper Threat Labs, has been actively used in attacks targeting affiliates of a U.S. political action committee (PAC). By making their scripts appear as blank space, hackers can evade detection from traditional security tools and increase the likelihood of successfully compromising victims. 

The attack, first observed in early January 2025, is more advanced than typical phishing campaigns. Hackers customized their messages using personal, non-public details about their targets, making the emails seem more legitimate. They also implemented various tricks to avoid detection, such as inserting debugger breakpoints and using timing checks to prevent cybersecurity professionals from analyzing the script. 

Additionally, they wrapped phishing links inside multiple layers of Postmark tracking links, making it harder to trace the final destination of the attack. The method itself isn’t entirely new. In October 2024, JavaScript developer Martin Kleppe introduced the idea as an experimental programming technique. However, cybercriminals quickly adapted it for phishing attacks. 

The trick works by converting each character in a JavaScript script into an 8-bit binary format. Instead of using visible numbers like ones and zeros, attackers replace them with invisible Hangul Unicode characters, such as U+FFA0 and U+3164. Since these characters don’t appear on-screen, the malicious code looks completely empty, making it difficult to detect with the naked eye or automated security scans. 

The hidden script is stored as a property inside a JavaScript object, appearing as blank space. A separate bootstrap script then retrieves the hidden payload using a JavaScript Proxy get() trap. When accessed, this proxy deciphers the invisible Unicode characters back into binary, reconstructing the original JavaScript code and allowing the attack to execute. To make detection even more difficult, hackers have layered additional evasion techniques. They use base64 encoding to further disguise the script and implement anti-debugging measures. If the script detects that it’s being analyzed—such as when someone tries to inspect it with a debugger—it will shut down immediately and redirect the user to a harmless website. 

This prevents cybersecurity researchers from easily studying the malware. This technique is particularly dangerous because it allows attackers to blend their malicious code into legitimate scripts without raising suspicion. The invisible payload can be injected into otherwise safe websites, and since it appears as empty space, many security tools may fail to detect it. 
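To make the encoding described above concrete from the analyst's side, here is an added Python example (my own, not Juniper's tooling and not code from the campaign) that scans a script for runs of the two filler code points the post names and decodes them back to text so the hidden content can be reviewed. The sample script and hidden text are constructed; the encoder exists only to build that fixture. The post does not say which filler represents 0 and which 1, so the decoder tries both assignments and keeps the one that yields ASCII text (assumption: the hidden payload is plain ASCII/latin-1).

```python
"""Find and decode invisible-Unicode payloads of the kind the post describes.

Added analyst example, not Juniper's tooling and not code from the campaign.
Per the post, each character of the hidden script becomes 8 bits and the two
bit values are written with the invisible Hangul filler code points U+FFA0 and
U+3164. Which filler stands for which bit is not stated, so the decoder tries
both assignments and keeps the one that yields ASCII text (assumption: the
hidden payload is plain ASCII/latin-1).
"""
import re
from typing import List

HALFWIDTH_HANGUL_FILLER = "\uffa0"
HANGUL_FILLER = "\u3164"
FILLERS = HALFWIDTH_HANGUL_FILLER + HANGUL_FILLER
# Eight fillers is the smallest run that can encode one byte.
FILLER_RUN = re.compile(f"[{FILLERS}]{{8,}}")


def encode_invisible(text: str, zero: str = HALFWIDTH_HANGUL_FILLER,
                     one: str = HANGUL_FILLER) -> str:
    """Reference encoder, used here only to build a constructed test fixture."""
    return "".join(one if bit == "1" else zero
                   for byte in text.encode("latin-1")
                   for bit in f"{byte:08b}")


def _decode_with(run: str, zero: str) -> str:
    """Decode a filler run under one bit assignment; drop a trailing partial byte."""
    bits = "".join("0" if c == zero else "1" for c in run)
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8)).decode("latin-1")


def _ascii_score(s: str) -> int:
    """Count printable ASCII plus whitespace. The wrong bit assignment scores 0 on
    such text because complementing 0x20-0x7E lands in 0x81-0xDF."""
    return sum(1 for c in s if 0x20 <= ord(c) < 0x7F or c in "\n\r\t")


def decode_run(run: str) -> str:
    """Decode one filler run, choosing the bit assignment that yields ASCII."""
    candidates = [_decode_with(run, zero) for zero in FILLERS]
    return max(candidates, key=_ascii_score)


def find_hidden_payloads(script: str) -> List[dict]:
    """Scan a script for filler runs and return each decoded, with its offset."""
    return [{"offset": m.start(), "length": len(m.group()), "decoded": decode_run(m.group())}
            for m in FILLER_RUN.finditer(script)]


def is_suspicious(script: str, min_run: int = 64) -> bool:
    """Coarse detection rule: any filler run long enough to hold several bytes."""
    return any(f["length"] >= min_run for f in find_hidden_payloads(script))


# Constructed fixture: a harmless script carrying an invisible property value.
HIDDEN_TEXT = "console.log('decoded payload');"
SAMPLE_SCRIPT = ("const cfg = {theme: 'light', note: '" + encode_invisible(HIDDEN_TEXT)
                 + "'};\nrender(cfg);\n")
CLEAN_SCRIPT = "const cfg = {theme: 'light'};\nrender(cfg);\n"

if __name__ == "__main__":
    for hit in find_hidden_payloads(SAMPLE_SCRIPT):
        print(f"offset {hit['offset']}, {hit['length']} invisible chars -> {hit['decoded']!r}")
    print("suspicious:", is_suspicious(SAMPLE_SCRIPT), is_suspicious(CLEAN_SCRIPT))
```

The detection rule is intentionally simple: a legitimate script has no reason to contain a long run of Hangul filler characters, so run length alone is a usable signal, and decoding the run tells the analyst what was hidden without executing anything. A page that base64-wraps the script first, as the post mentions, should be decoded once before this scan is applied.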

Juniper Threat Labs linked two of the domains used in this campaign to the Tycoon 2FA phishing kit, a tool previously associated with large-scale phishing operations. This connection suggests that the technique could soon be adopted by other cybercriminals. As attackers continue to develop new evasion strategies, cybersecurity teams will need to create better detection methods to counter these hidden threats before they cause widespread damage.

Lee Enterprises Faces Prolonged Ransomware Attack Disrupting Newspaper Operations

Lee Enterprises, one of the largest newspaper publishers in the United States, is facing an ongoing ransomware attack that has severely disrupted its operations for over three weeks. The company confirmed the attack in a filing with the U.S. Securities and Exchange Commission (SEC), revealing that hackers illegally accessed its network, encrypted critical applications, and exfiltrated certain files. 

The publishing giant is now conducting a forensic investigation to determine whether sensitive or personal data was stolen. The attack has had widespread consequences across Lee’s business, affecting essential operations such as billing, collections, vendor payments, and the distribution of print newspapers. Many of its 72 publications have experienced significant delays, with some print editions not being published at all. 

The Winston-Salem Journal in North Carolina reported that it was unable to print several editions, while the Albany Democrat-Herald and Corvallis Gazette-Times in Oregon faced similar disruptions, preventing the release of at least two editions. Digital services have also been affected. On February 3, Lee Enterprises notified affected media outlets that one of its data centers, which supports applications and services for both the company and its customers, had gone offline. 

This outage has prevented subscribers from logging into their accounts and accessing key business applications. Several Lee-owned newspaper websites now display maintenance messages, warning readers that subscription services and digital editions may be temporarily unavailable. The full impact of the attack is still being assessed, but Lee has acknowledged that the incident is “reasonably likely” to have a material financial impact. With print and digital disruptions continuing, the company faces potential revenue losses from advertising, subscription cancellations, and operational delays. 

Law enforcement has been notified, though the company has not disclosed details about the perpetrators or whether it is considering paying a ransom. Ransomware attacks typically involve cybercriminals encrypting a company’s data and demanding payment in exchange for its release. If Lee refuses to negotiate, it may take weeks or months to fully restore its systems. 

Cyberattacks targeting media organizations have become increasingly common, as newspapers and digital publications rely on complex networks that can be vulnerable to security breaches. The Freedom of the Press Foundation is currently tracking the scope of the attack and compiling a list of affected newspapers. For now, Lee Enterprises continues its recovery efforts while its newspapers work to restore regular operations. 

Until the attack is fully resolved, readers, advertisers, and employees may continue to face disruptions across print and digital platforms. The incident highlights the growing threat of ransomware attacks on critical infrastructure and the challenges companies face in securing their networks against cyber threats.

Pro-Russia Hackers Target Italian Banks and Airports Amid Rising Tensions

Around 20 Italian websites, including those of major banks and airports, were targeted by alleged pro-Russian hackers, according to Italy’s cybersecurity agency on Monday. The attack is believed to be linked to escalating diplomatic tensions between Rome and Moscow.

Earlier this month, Italian President Sergio Mattarella likened Russia’s invasion of Ukraine to Nazi Germany’s pre-World War II expansionism. The statement sparked strong reactions from Moscow but was defended by Italian Prime Minister Giorgia Meloni.

The cyberattacks, reportedly carried out by the pro-Russian hacker group Noname057(16), impacted the websites of Intesa Sanpaolo, Banca Monte dei Paschi, Iccrea Banca, and Milan’s Linate and Malpensa airports, among others. However, the cybersecurity agency confirmed that the attacks did not cause significant disruptions.

Intesa Sanpaolo and SEA, the operator of Milan’s airports, declined to comment on the incident. A spokesperson for Iccrea Banca stated that its services remained unaffected, while Banca Monte dei Paschi has yet to respond to requests for comment.

According to Italy’s cybersecurity agency, the hacker group cited Mattarella’s remarks as the motivation behind the attack. In December, Noname057(16) had claimed responsibility for another cyber assault on Italy, targeting approximately 10 institutional websites.

Russian State Actors Target Microsoft 365 Accounts Via Device Code Phishing Campaign

A hacking outfit potentially linked to Russia is running an active operation that uses device code phishing to target Microsoft 365 accounts of individuals at organisations of interest. The targets are in the government, non-governmental organisations (NGOs), IT services and technology, defence, telecommunications, health, and energy/oil and gas sectors in Europe, North America, Africa, and the Middle East. 

Microsoft Threat Intelligence Centre is tracking the threat actors behind the device code phishing effort as 'Storm-2372'. Based on targets, victimology, and tradecraft, the researchers are confident that the activity is linked to a nation-state operation that serves Russia's interests.

Device code phishing assaults 

Input-constrained devices, such as smart TVs and some IoT devices, use the device code authentication flow to let users sign in to an app by entering a code on a different device, such as a smartphone or computer.

Since last August, Microsoft researchers have observed Storm-2372 exploiting this authentication flow by deceiving users into entering attacker-generated device codes on legitimate sign-in sites. The operatives launch the attack after "falsely posing as a prominent person relevant to the target" via messaging systems such as WhatsApp, Signal, and Microsoft Teams.

The malicious actor progressively builds rapport before sending a bogus online meeting invitation via email or messaging. According to the researchers, the victim receives a Teams meeting invitation including a device code generated by the attacker.

"The invitations lure the user into completing a device code authentication request emulating the experience of the messaging service, which provides Storm-2372 initial access to victim accounts and enables Graph API data collection activities, such as email harvesting," Microsoft noted. 

This allows the attackers to access the victim's Microsoft services (email, cloud storage) without requiring a password for as long as the stolen tokens are valid. However, Microsoft claims that the perpetrator is currently employing a specific client ID for Microsoft Authentication Broker during the device code sign-in flow, allowing them to issue fresh tokens. 

This opens up new attack and persistence opportunities, as the threat actor can utilise the client ID to register devices with Entra ID, Microsoft's cloud-based identity and access management product. "With the same refresh token and the new device identity, Storm-2372 is able to obtain a Primary Refresh Token (PRT) and access an organization’s resources. We have observed Storm-2372 using the connected device to collect emails," Microsoft added.
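From the defender's side, the sign-in that results from this flow is the thing to hunt for. The following added Python example (mine, not Microsoft's detection logic) runs over constructed sign-in records and ranks every device-code sign-in by how unusual it is for that user. The field names (userPrincipalName, authenticationProtocol with the value "deviceCode", ipAddress, appDisplayName, createdDateTime) are modelled on Entra ID sign-in logs and should be treated as assumptions to map onto your own export; the allowlist of apps for which device-code sign-ins are expected is hypothetical.

```python
"""Flag device-code sign-ins that do not fit a user's normal pattern.

Added example, not Microsoft's detection logic. The records are constructed
and use field names modelled on Entra ID sign-in logs (assumption: map them
to your own export): userPrincipalName, authenticationProtocol, ipAddress,
appDisplayName, createdDateTime.
"""
from collections import defaultdict
from typing import Dict, List, Set

DEVICE_CODE = "deviceCode"

# Apps for which device-code sign-ins are expected in this hypothetical tenant,
# e.g. a meeting-room display that has no keyboard.
EXPECTED_DEVICE_CODE_APPS = {"Conference Room Display"}

# Constructed sign-in records, not data from any real tenant.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.org", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "appDisplayName": "Office 365 Exchange Online",
     "createdDateTime": "2025-02-10T08:01:00Z"},
    {"userPrincipalName": "alice@example.org", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "appDisplayName": "Office 365 SharePoint Online",
     "createdDateTime": "2025-02-11T09:15:00Z"},
    {"userPrincipalName": "bob@example.org", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.22", "appDisplayName": "Office 365 Exchange Online",
     "createdDateTime": "2025-02-11T09:20:00Z"},
    # Alice entered a code she was sent; the token is then used from the sender's address.
    {"userPrincipalName": "alice@example.org", "authenticationProtocol": DEVICE_CODE,
     "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Authentication Broker",
     "createdDateTime": "2025-02-12T14:02:00Z"},
    # Bob signing a meeting-room display in from the office: expected.
    {"userPrincipalName": "bob@example.org", "authenticationProtocol": DEVICE_CODE,
     "ipAddress": "203.0.113.22", "appDisplayName": "Conference Room Display",
     "createdDateTime": "2025-02-12T15:00:00Z"},
    # Bob using device code for an app where the flow is not expected: worth a look.
    {"userPrincipalName": "bob@example.org", "authenticationProtocol": DEVICE_CODE,
     "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Teams",
     "createdDateTime": "2025-02-13T10:30:00Z"},
]


def baseline_ips(events: List[dict]) -> Dict[str, Set[str]]:
    """Source addresses each user has signed in from via non-device-code flows."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["authenticationProtocol"] != DEVICE_CODE:
            seen[e["userPrincipalName"]].add(e["ipAddress"])
    return seen


def detect_device_code_anomalies(events: List[dict], expected_apps: Set[str]) -> List[dict]:
    """Return one alert per device-code sign-in, ranked by how unusual it is.

    In the campaign the post describes, the victim only types a code; the sign-in
    itself completes on the machine that requested the code, so the recorded
    ipAddress belongs to that machine, not to the victim. A device-code sign-in
    from an address the user has never used, to an app that has no business
    using this flow, is the combination to chase first.
    """
    seen = baseline_ips(events)
    alerts = []
    for e in sorted(events, key=lambda r: r["createdDateTime"]):
        if e["authenticationProtocol"] != DEVICE_CODE:
            continue
        user, ip, app = e["userPrincipalName"], e["ipAddress"], e["appDisplayName"]
        reasons = []
        if ip not in seen.get(user, set()):
            reasons.append("source IP never seen in this user's interactive sign-ins")
        if app not in expected_apps:
            reasons.append("device-code flow not expected for this app")
        severity = {0: "info", 1: "medium", 2: "high"}[len(reasons)]
        alerts.append({"time": e["createdDateTime"], "user": user, "ip": ip,
                       "app": app, "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_device_code_anomalies(SAMPLE_SIGNINS, EXPECTED_DEVICE_CODE_APPS):
        detail = "; ".join(a["reasons"]) or "nothing unusual"
        print(f"{a['severity']:<6} {a['time']} {a['user']} {a['ip']} {a['app']}: {detail}")
```

Two design points: the baseline is built only from non-device-code sign-ins, so an attacker's own address cannot teach the detector that it is "known"; and the app allowlist is what separates the meeting-room display from a user's mailbox client, which is where the post says the harvested tokens end up being used. Tenants that have no input-constrained devices at all can treat every device-code sign-in as at least medium.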

China-backed APT40 Hacking Outfit Implicated for Samoa Cyberattacks

Samoa's national cybersecurity office issued an urgent advisory after the Chinese state-sponsored cyber outfit APT40 escalated its attacks on government and critical infrastructure networks across the Pacific. 

Samoa's Computer Emergency Response Team, or SamCERT, has warned that APT40 is using fileless malware and modified commodity malware to attack and persist within networks without being detected. 

The majority of Chinese nation-state activity has focused on Southeast Asia and Western nations, but the advisory, based on SamCERT investigations and intelligence from partner nations, warned of digital spying threats posed by the outfit's prolonged presence within targeted networks in the Blue Pacific region, which includes thousands of islands in the vast central Pacific Ocean. 

"It is essential to note that throughout our investigations we have observed the threat actor pre-positioning themselves in the networks for long periods of time and remaining undetected before conducting exfiltration activity," SamCERT noted. "This activity is sophisticated.” 

In August 2023, China-aligned APT40, also known as IslandDreams on Google, launched a phishing attack aimed at victims in Papua New Guinea. The emails had multiple attachments, including an exploit, a password-protected fake PDF that could not be read, and an .lnk file. The .lnk file was created to execute a malicious .dll payload from either a hard-coded IP address or a file-sharing website. 

The final stage of the assault attempts to install BoxRat, an in-memory backdoor for .NET that connects to the attackers' botnet command-and-control network via the Dropbox API. 

APT40, which was previously linked to operations in the United States and Australia, has moved its attention to Pacific island nations, where it employs advanced tactics such as DLL side-loading, registry alterations, and memory-based malware execution. The group's methods also include using modified reverse proxies to gather sensitive data while concealing command-and-control communications. 

SamCERT's findings indicate that APT40 gains long-term access to networks, executing reconnaissance and data theft operations over extended periods. The outfit relies on lateral movement across networks, often using legitimate administrative tools to bypass security measures and maintain control. 

The agency recommends that organisations use methodical threat hunting, enable complete logging, and assess their incident response procedures. It further recommends that endpoints and firewalls be patched immediately to close the vulnerabilities exploited by APT40.

Data Reveals Identity-Based Attacks Now Dominate Cybercrime

Cyberattacks are undergoing a significant transformation, shifting away from malware-driven methods toward identity exploitation. According to the CrowdStrike 2024 Global Threat Report, three out of four cyberattacks now leverage valid credentials instead of malicious software.

This change is fueled by the expanding cybercrime economy, where stolen identities are becoming as valuable as exploitable system vulnerabilities. A booming underground market for credentials, combined with AI-powered deception and automated phishing, is rendering traditional security measures ineffective.

“You may have really locked down environments for untrusted external threats, but as soon as you look like a legitimate user, you’ve got the keys to the kingdom,” said Elia Zaitsev, CTO at CrowdStrike. This shift presents a pressing challenge for enterprises: if attackers no longer need malware to infiltrate networks, how can they be stopped?

The CrowdStrike report also highlights the speed at which attackers escalate privileges once inside a network. The fastest recorded eCrime breakout time—the duration between initial access and lateral movement—was just 2 minutes and 7 seconds.

Traditional security models that focus on malware detection or manual threat investigation are struggling to keep up. In identity-driven attacks, there are no suspicious payloads to analyze—just adversaries impersonating authorized users. This has led to a rise in living-off-the-land techniques, where attackers use built-in system tools to evade detection. Instead of deploying custom malware, they exploit legitimate credentials and remote monitoring tools to blend seamlessly into network activity.

A key challenge outlined in the 2024 Global Threat Report is the expansion of identity attacks beyond a single environment. Cybercriminals now utilize stolen credentials to move laterally across on-premises, cloud, and SaaS environments, making detection even more difficult.

Jim Guinn, a cybersecurity leader at EY, explained this evolving strategy: “You have to get in, and you have to be able to laterally move throughout the network, which means you have some level of access. And access requires identity.”

Guinn also emphasized the growing role of nation-state actors, who infiltrate networks months or even years in advance, waiting for the right moment to launch an attack.

For companies that still treat endpoint security, cloud security, and identity protection as separate entities, this shift presents a major challenge. Attackers increasingly pivot between these environments, making detection and prevention even more complex.

“The moment that man created AI, he also created a way for bad actors to use AI against you,” Guinn noted. “They're creating a quicker way to get to a set of targets that cybercriminals can use, and they're creating code bases and ways to manipulate users' credentials faster than the human can think about it.”

With identity-based attacks outpacing traditional security defenses, organizations are rethinking their cybersecurity strategies.

One crucial change is the adoption of continuous identity verification. Historically, authentication has been a one-time process, where users log in and remain trusted indefinitely. However, as attackers increasingly impersonate legitimate users, companies are implementing real-time behavioral monitoring to detect anomalies.

Another key adaptation is just-in-time privileges, where employees are granted administrative access only when required—and revoked immediately afterward—to minimize risk.

“We're bringing all that to bear,” Zaitsev explained. “We are taking that cross-domain, multi-domain visibility approach, unifying it all, and then, of course, also focusing heavily on continuous detection, prevention, and response.”

Guinn shared a compelling example of an organization recognizing the importance of identity security. “One of their senior executives said, ‘I think the only reason we haven’t really had a breach—like a significant breach—is because we have multi-factor authentication for our user credentials.’”

The CrowdStrike 2024 Global Threat Report underscores a fundamental shift in cybersecurity: identity, not malware, is the new battleground. Attackers no longer rely on complex exploits or hidden backdoors when they can buy access credentials, phish an employee, or manipulate AI-driven authentication systems.

Simply put, without access to valid credentials, cybercriminals are powerless. This makes identity security the core of modern cybersecurity strategies.

As organizations adapt to this evolving threat landscape, one thing is clear: failing to prioritize identity security leaves businesses vulnerable to adversaries who no longer need to break in—they already have the keys.