
UK Loses £11 Billion to Scams and NordVPN Responds with Call Protection

 


NordVPN has begun rolling out Scam Call Protection, a feature of its Android app that warns users when an incoming call looks suspicious. The launch follows a year in which phone-based fraud has surged across the major economies the company serves.

The feature analyses call metadata and number-reputation indicators in real time. When an incoming number matches patterns associated with known scam numbers, or shows behaviour the system considers suspicious, the app displays a clear warning together with information about the caller before the user answers. The aim is to interrupt the deception at the moment the victim is most exposed: before the conversation starts. The protection is built into the existing NordVPN app, so nothing separate has to be installed, and it runs in the background without an active VPN connection. It is currently available in the United States, the United Kingdom and Canada.

The losses behind the launch are large. FBI figures for 2024 put reported fraud losses in the United States at $16.6 billion, a steep rise on previous years, with scam calls a major contributor. The Global Anti-Scam Alliance estimates that UK residents lost nearly £11 billion to scams over the past year, most of it through phone-based schemes, and by September Canadians had already lost C$544 million to fraud, close to the full-year total recorded the previous year.

NordVPN describes the design as "privacy-first": the system evaluates only the metadata and behavioural indicators associated with the incoming number, never the content of a call, so conversations stay inaccessible to the company. Setup in the Android app is a short guided flow: open the Threat Protection section, enable call protection and grant the permissions the device asks for. Once enabled, the tool works continuously, raising an alert each time a suspected scammer calls.

The company has also announced forthcoming upgrades, including more accurate call classification, caller identification for legitimate businesses and better call-category labels. Its product director, Dominickas Virbickas, said scam calls have become a global problem that needs an equally global response. The expansion to the United Kingdom and Canada is meant to give users in those markets the context they need to decide whether to answer, and the timing is deliberate: major shopping periods such as Black Friday give fraudsters lucrative openings.

Security experts offer familiar advice for the season: be cautious during promotions, never give payment details to an unsolicited caller, and treat unusually generous offers with suspicion. For now the feature is limited to Android users in the three launch countries, with iOS support and further markets expected to follow.

Call blocking is available on most mobile platforms, so the differentiator here is data handling rather than novelty. Unlike some standalone blocker apps that have been criticised for harvesting data, NordVPN says it does not analyse call content, contacts or other personal information, and the reputation data behind the warnings is updated continuously. That makes it a reasonable option for users who have been wary of third-party call blockers.

No single control eliminates scam risk. Intelligent call screening works best alongside user vigilance: keep device software current, do not engage unknown callers, and rely on providers with a credible track record. As phone-based fraud continues to outpace traditional defences, timely context on who is calling is becoming a basic requirement rather than a luxury.

Aisuru Botnet Launches 15.72 Tbps DDoS Attack on Microsoft Azure Network

 

Microsoft has reported that its Azure platform recently experienced one of the largest distributed denial-of-service attacks recorded to date, attributed to the fast-growing Aisuru botnet. According to the company, the attack reached a staggering peak of 15.72 terabits per second and originated from more than 500,000 distinct IP addresses across multiple regions. The traffic surge consisted primarily of high-volume UDP floods and was directed toward a single public-facing Azure IP address located in Australia. At its height, the attack generated nearly 3.64 billion packets per second. 

Microsoft attributed the activity to Aisuru, a Turbo Mirai-class IoT botnet. Like Mirai, Aisuru spreads by compromising vulnerable Internet of Things (IoT) hardware such as home routers and cameras, largely on residential internet service providers in the United States and other countries. Sean Whalen, senior product marketing manager for Azure Security, noted that the attack used limited source spoofing and randomized ports, which made traceback and provider-level mitigation more manageable: the sources were, for the most part, real infected devices rather than forged addresses.
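The indicators Microsoft cited can be checked from ordinary flow records. The following is an added example, not code from Microsoft, Cloudflare or the article: it reads NetFlow/IPFIX-style records for one observation window and reports, per destination, the packet rate, the breadth of the source population, whether destination ports look randomized (Shannon entropy of the port distribution), and how much of the source population falls in address space that should never appear as a source on the public internet, a rough measure of spoofing. The flow records, thresholds and addresses are constructed; the documentation ranges stand in for infected consumer devices.

```python
"""Triage of a UDP flood from flow records (added example, constructed data)."""
from __future__ import annotations

import ipaddress
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass

UDP = 17

# Address space that should never be a source on the public Internet. A flood
# dominated by these has forged sources; one that is not ("limited spoofing")
# can be traced back to the originating ISPs.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Thresholds for this toy dataset (assumed; tune to the link being protected).
MIN_SOURCES = 100        # distinct sources before the flood counts as distributed
MIN_PPS = 10_000         # packets per second before it counts as volumetric
RANDOM_PORT_BITS = 6.0   # dst-port entropy above which ports look randomized


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dst_port: int
    packets: int
    octets: int


def is_bogon(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)


def port_entropy_bits(ports: Counter) -> float:
    """Shannon entropy (bits) of the destination-port distribution."""
    total = sum(ports.values())
    if not total:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in ports.values())


def analyze(flows: list[Flow], window_s: float) -> dict[str, dict]:
    """Per-destination UDP summary with a verdict for the window."""
    per_dst = defaultdict(list)
    for f in flows:
        if f.proto == UDP:
            per_dst[f.dst].append(f)

    report = {}
    for dst, fl in per_dst.items():
        sources = {f.src for f in fl}
        pps = sum(f.packets for f in fl) / window_s
        gbps = sum(f.octets for f in fl) * 8 / window_s / 1e9
        entropy = port_entropy_bits(Counter(f.dst_port for f in fl))
        bogon_ratio = sum(is_bogon(s) for s in sources) / len(sources)
        if len(sources) >= MIN_SOURCES and pps >= MIN_PPS:
            verdict = "volumetric UDP flood, " + (
                "randomized destination ports" if entropy > RANDOM_PORT_BITS
                else "single-service target")
        else:
            verdict = "no flood indicators"
        report[dst] = {
            "distinct_sources": len(sources),
            "pps": pps,
            "gbps": gbps,
            "dst_port_entropy_bits": entropy,
            "bogon_source_ratio": bogon_ratio,
            "spoofing": "limited (traceable)" if bogon_ratio < 0.05 else "heavy",
            "verdict": verdict,
        }
    return report


def make_sample_flows(n_sources: int = 400, seed: int = 7) -> list[Flow]:
    """Constructed sample, not captured traffic: one second in which `n_sources`
    unique addresses from the documentation ranges (stand-ins for infected
    consumer devices) flood 203.0.113.10 on random UDP ports, eight forged
    RFC 1918 sources are mixed in, and 203.0.113.20 only sees normal DNS."""
    rng = random.Random(seed)
    pool = [f"192.0.2.{i}" for i in range(1, 255)] + [f"198.51.100.{i}" for i in range(1, 255)]
    flows = []
    for i, src in enumerate(pool[:n_sources]):
        pkts = 40 + (i % 11) * 3
        flows.append(Flow(src, "203.0.113.10", UDP, rng.randrange(1024, 65536), pkts, pkts * 1400))
    for i in range(8):  # the small spoofed fraction
        flows.append(Flow(f"10.{i}.0.1", "203.0.113.10", UDP, rng.randrange(1024, 65536), 60, 60 * 1400))
    for i in range(5):  # benign DNS to a different host
        flows.append(Flow(f"192.0.2.{i + 1}", "203.0.113.20", UDP, 53, 3, 3 * 200))
    return flows


if __name__ == "__main__":
    for dst, r in analyze(make_sample_flows(), window_s=1.0).items():
        print(dst, r["verdict"], f"{r['pps']:.0f} pps", f"{r['gbps']:.3f} Gbps",
              f"{r['distinct_sources']} sources, spoofing {r['spoofing']}")
```

High port entropy with a large, mostly unforged source population is the Aisuru-style signature: it cannot be filtered by port, but upstream providers can act on the source networks, which is what made the Azure incident tractable.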

The same botnet has been connected to other record-setting cyber incidents in recent months. Cloudflare previously associated Aisuru with an attack that measured 22.2 Tbps and generated over 10.6 billion packets per second in September 2025, one of the highest traffic bursts observed in a short-duration DDoS event. Despite lasting only 40 seconds, that incident was comparable in bandwidth consumption to more than one million simultaneous 4K video streams. 

Within the same timeframe, researchers from Qi’anxin’s XLab division attributed another 11.5 Tbps attack to Aisuru and estimated the botnet was using around 300,000 infected devices. XLab’s reporting indicates rapid expansion earlier in 2025 after attackers compromised a TotoLink router firmware distribution server, resulting in the infection of approximately 100,000 additional devices. 

Industry reporting also suggests the botnet has targeted vulnerabilities in consumer equipment produced by major vendors, including D-Link, Linksys, Realtek-based systems, Zyxel hardware, and network equipment distributed through T-Mobile. 

The botnet’s growing presence has begun influencing unrelated systems such as DNS ranking services. Cybersecurity journalist Brian Krebs reported that Cloudflare removed several Aisuru-controlled domains from public ranking dashboards after they began appearing higher than widely used legitimate platforms. Cloudflare leadership confirmed that intentional traffic manipulation distorted ranking visibility, prompting new internal policies to suppress suspected malicious domain patterns. 

Cloudflare disclosed earlier this year that DDoS attacks across its network had surged, up 198% quarter on quarter and 358% year on year. The company recorded more than 21.3 million attempted attacks against customers during 2024, and a further 6.6 million were directed at its own infrastructure during an extended multi-vector campaign.

Russian-Linked Surveillance Tech Firm Protei Hacked, Website Defaced and Data Published

 

A telecommunications technology provider with ties to Russian surveillance infrastructure has reportedly suffered a major cybersecurity breach. The company, Protei, which builds systems used by telecom providers to monitor online activity and restrict access to websites and platforms, had its website defaced and internal data stolen, according to information reviewed by TechCrunch. The firm originally operated from Russia but is now based in Jordan and supplies technology to clients across multiple regions, including the Middle East, Europe, Africa, Mexico, Kazakhstan and Pakistan. 

Protei develops a range of systems used by telecom operators, including conferencing platforms and connectivity services. However, the company is most widely associated with deep packet inspection (DPI) tools and network filtering technologies — software commonly used in countries where governments impose strict controls on online information flow and communication. These systems allow network providers to inspect traffic patterns, identify specific services or websites and enforce blocks or restrictions. 

It remains uncertain exactly when the intrusion occurred, but archived pages from the Wayback Machine indicate the public defacement took place on November 8. The altered site contained a short message referencing the firm’s involvement in DPI technology and surveillance infrastructure. Although the webpage was restored quickly, the attackers reportedly extracted approximately 182 gigabytes of data from Protei’s systems, including email archives dating back several years. 

A copy of the exposed files was later supplied to Distributed Denial of Secrets (DDoSecrets), an organization known for cataloging leaked data from governments, law enforcement agencies and companies operating in surveillance or censorship markets. DDoSecrets confirmed receiving the dataset and made it available to researchers and journalists. 

Prior to publication, TechCrunch reached out to Protei leadership for clarification. Mohammad Jalal, who oversees the company’s Jordan branch, did not initially respond. After publication, he issued an email claiming the company is not connected to Russia and stating that Protei had no confirmed knowledge of unauthorized data extraction from its servers. 

The message left by the hacker suggested an ideological motive rather than a financial one. The wording referenced SORM — Russia’s lawful interception framework that enables intelligence agencies to access telecommunications data. Protei’s network filtering and DPI tools are believed to complement SORM deployments in regions where governments restrict digital freedoms. 

Reports from research organizations have previously linked Protei technology to censorship infrastructure. In 2023, Citizen Lab documented exchanges suggesting that Iranian telecommunications companies sought Protei’s systems to log network activity and block access to selected websites. Documents reviewed by the group indicated the company’s ability to deploy population-level filtering and targeted restrictions. 

The breach adds to growing scrutiny surrounding technology vendors supplying surveillance capabilities internationally, especially in environments where privacy protections and freedom of expression remain vulnerable.

Surge in £20k Keyless Car Theft Gadgets Sparks Security Concerns

 


Criminals are increasingly using advanced signal-manipulation devices that let them steal keyless-entry vehicles without entering the owner's property or touching the key fob, a development that has alarmed the automotive and security industries alike.

The tools copy or amplify the wireless signal of a key so that the vehicle believes an authorised user is standing next to it, and they have spread rapidly through organised criminal networks.

A recent BBC report found some of these devices openly for sale online at prices of £20,000 or more, a figure that reflects both the sophistication of the technology and the scale of the illegal market behind it. As the equipment becomes easier to obtain, owners of high-value keyless vehicles and fleet operators are increasingly likely to be targeted.

Legislation to tighten control over who may possess or operate such devices is on its way, but security analysts warn that many criminal groups already have the tools and circulate them within their networks. Until the rules change, the threat is largely undiminished.

The spread of £20,000 theft devices marks a deeper shift in how vehicles are stolen. The attack exploits the wireless systems that let a car unlock and start without a physical key: criminals capture and amplify the signal from a fob, then unlock the vehicle and drive away with minimal effort.

Very little human intervention is needed, which makes the method attractive to organised groups that want efficiency and lower risk. Because owning such equipment is not currently illegal, it remains widely available online, and police can only react once a theft has occurred rather than curbing supply at source.
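The relay attack described above, as an added example that is not part of the original article and not code from any vehicle maker: a simulated passive-keyless-entry exchange in which the fob answers a cryptographic challenge correctly whether or not it is actually near the car, so stronger cryptography on its own does not stop a relay. What does is a bound on the round-trip time, the principle behind distance bounding (modern digital-key systems implement it with UWB time of flight). The fob processing time, the 2 m unlock range, the timing margin and the relay delay are assumed constants, not measurements, and the radio timing is simulated so the run is deterministic.

```python
"""Passive keyless entry: challenge-response alone versus a round-trip bound.

Added example with simulated, deterministic timing. The only property the
model relies on is that a relay adds delay that honest proximity cannot.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

SPEED_OF_LIGHT_M_PER_NS = 0.2998  # radio propagation, metres per nanosecond
FOB_PROCESSING_NS = 2_000         # time the fob needs to compute its answer (assumed)
UNLOCK_RANGE_M = 2.0              # how close the owner must be (assumed)
TIMING_MARGIN_NS = 50             # tolerance for clock jitter (assumed)


def propagation_ns(distance_m: float) -> float:
    """Round-trip radio time over `distance_m`."""
    return 2 * distance_m / SPEED_OF_LIGHT_M_PER_NS


class KeyFob:
    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # Keyed MAC over the challenge: unforgeable without the key, but it
        # carries no information about where the fob is.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()[:8]


class DirectLink:
    """Owner standing `distance_m` from the car with the fob in a pocket."""

    def __init__(self, fob: KeyFob, distance_m: float) -> None:
        self.fob, self.distance_m = fob, distance_m

    def exchange(self, challenge: bytes) -> tuple[bytes, float]:
        rtt = propagation_ns(self.distance_m) + FOB_PROCESSING_NS
        return self.fob.respond(challenge), rtt


class RelayLink:
    """Two attacker devices, one at the car and one near the fob (e.g. by the
    owner's front door), forwarding challenge and response between them. The
    fob answers honestly; only the extra latency betrays the detour."""

    def __init__(self, fob: KeyFob, distance_m: float, relay_delay_ns: float) -> None:
        self.fob, self.distance_m, self.relay_delay_ns = fob, distance_m, relay_delay_ns

    def exchange(self, challenge: bytes) -> tuple[bytes, float]:
        rtt = propagation_ns(self.distance_m) + self.relay_delay_ns + FOB_PROCESSING_NS
        return self.fob.respond(challenge), rtt


class Car:
    def __init__(self, key: bytes, enforce_timing: bool = False) -> None:
        self._key = key
        self.enforce_timing = enforce_timing
        # Longest round trip an honest fob inside UNLOCK_RANGE_M can produce.
        self.max_rtt_ns = propagation_ns(UNLOCK_RANGE_M) + FOB_PROCESSING_NS + TIMING_MARGIN_NS

    def try_unlock(self, link) -> bool:
        challenge = secrets.token_bytes(8)
        response, rtt_ns = link.exchange(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(response, expected):
            return False  # wrong key: the cryptography does its job
        if self.enforce_timing and rtt_ns > self.max_rtt_ns:
            return False  # right key, but too slow to have come from 2 m away
        return True


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    fob = KeyFob(key)
    print("direct, no timing  :", Car(key).try_unlock(DirectLink(fob, 1.0)))
    print("relayed, no timing :", Car(key).try_unlock(RelayLink(fob, 30.0, 1_000)))
    print("direct, bounded    :", Car(key, True).try_unlock(DirectLink(fob, 1.0)))
    print("relayed, bounded   :", Car(key, True).try_unlock(RelayLink(fob, 30.0, 1_000)))
```

The relay delay used here (1 microsecond) is far below what real relay hardware adds, so the margin a timing check has in practice is larger than the simulation suggests; the difficulty is making the fob's own processing time predictable enough that the bound can be tight.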

Experts point out that this imbalance moves the constraint on crime prevention: defences built to resist forced entry or hot-wiring offer nothing against remote signal manipulation. The central challenge becomes regulating, restricting and intercepting the tools before criminals can use them.

The pattern fits a broader trend in technology-enabled crime, where automation and remote capability weaken frontline security measures and push authorities toward upstream supply chains and legislative intervention.

The government intends to ban the devices, but without decisive policy action enforcement will keep trailing a fast-growing, demand-driven black market. Law enforcement and the auto industry are increasingly aware of the scale and sophistication of the problem.

Figures from the Office for National Statistics show roughly 100,000 vehicles stolen over the past year, and insurers report that keyless cars now account for 60% to 70% of thefts. How many of those involved signal-manipulation devices is unclear, but a growing number of victims have been targeted this way.

According to evidence gathered by the BBC, the equipment ranges from gadgets that look like everyday Bluetooth speakers to military-grade kit that can block tracking systems once a vehicle has been taken. Security specialists say such tools have no legitimate use outside criminal activity and are central to the shift from opportunistic theft to highly organised operations.

Richard Billyeald of Thatcham Research notes that gangs now steal to order and recoup their investment by hitting several vehicles a week. Investigators say the equipment passes constantly between groups, which makes the crime hard to contain and lets the networks operate across regional and national borders.

Thefts typically happen in residential areas, with offenders quietly intercepting signals as they move along a street; many victims describe the whole theft taking only minutes. Keyless entry is convenient, but industry groups acknowledge it has also become a lucrative avenue for relay theft as offenders keep pace with vehicle technology.

The government's Crime and Policing Bill is meant to close the gap by making possession or distribution of these devices a criminal offence carrying up to five years in prison. Until now, police have had to prove that a particular device was used in a specific crime.

Analysts argue that keyless technology has introduced a structural weakness: traditional alarms and physical locks do little against attacks carried over radio signals. Legislation therefore matters as much as technical upgrades; experts note that in other sectors tighter bans on signal-interception tools have reduced their circulation and materially limited criminal groups' reach.

The same approach, they say, is critical for the automotive sector, where the challenge is not only to harden vehicle hardware but to close the loopholes that let such devices be bought and shared so easily. The situation mirrors a wider pattern in cybersecurity: adversaries exploit an overlooked weakness to gain disproportionate leverage.

Authorities are consequently shifting from responding to incidents toward limiting access to the enabling tools themselves. By criminalising possession and distribution of keyless-theft devices, the government aims to rebalance that leverage by targeting the upstream supply chains that sustain high-volume theft.

Tackling technology-driven crime at its source is increasingly seen to require a layered strategy that pairs stronger digital protections with firm legal boundaries.

Even with the new law on the way, experts warn that lasting progress depends on coordinated action by manufacturers, legislators, insurers and consumers. Stronger cryptographic standards, more resilient trackers and faster over-the-air security updates are all seen as essential to narrowing the window of opportunity.

Meanwhile, insurers and police stress the basics: report suspicious activity, park securely, and keep key fobs in signal-blocking storage. Legislation can restrict access to illicit devices to a degree, but the UK's ability to counter this evolving threat will ultimately depend on sustained investment in smarter vehicle design and on public awareness.

UK’s Proposed Ransomware Payment Ban Sparks New Debate as Attacks Surge in 2025

 

Ransomware incidents are climbing at an alarming rate, reigniting discussions around whether organizations should be allowed to pay attackers at all.

Cybercriminals are increasingly turning to ransomware to extort large sums of money from organizations desperate to protect sensitive employee and customer data. Recent findings revealed a 126% increase in ransomware incidents in Q1 2025 compared to the previous quarter, a surge that has captured global attention.

In response, the UK government has unveiled a proposal to prohibit ransomware payments, aiming to stop public bodies and Critical National Infrastructure (CNI) providers from transferring large amounts of money to cybercriminals in hopes of regaining stolen data or avoiding public embarrassment. Many experts believe this ban could eventually expand to cover every organization operating in the UK.

If the restriction becomes universal, businesses will be forced to operate in an environment where paying attackers is no longer an option. This shift would require a stronger emphasis on resilience, incident response, and rapid recovery strategies.

The debate now centers on a key question: Is banning ransomware payments a wise move? And if the ban comes into effect, how can organizations safeguard their data without relying on a ransom fund?

Many companies have long viewed ransom payments as a quick, albeit risky, solution — almost a “get out of jail free” card. They see it as a seemingly reliable way to recover stolen data without formal disclosure or regulatory reporting.

However, negotiations with criminals come with no certainty. Paying a ransom only strengthens the broader cybercrime ecosystem and incentivizes further attacks.

Yet the practice persists. Research from 2025 reveals that 41% of organizations have paid a ransom, but only 67% of those regained full access to their data. These figures highlight that companies are still funneling large budgets into ransom payments — money that could instead be invested in preventing attacks through stronger cyber infrastructure.

The UK’s proposed ban brings both advantages and disadvantages. On the positive side, organizations would no longer be pushed into negotiating with unreliable cybercriminals. Since attackers may not return the data even after receiving payment, the ban eliminates that particular risk entirely.

Additionally, many organizations prefer to quietly pay ransoms to avoid reputational damage associated with admitting an attack. This secrecy not only benefits attackers but also leaves authorities unaware of crimes being committed. A payment ban, however, would force almost all affected organizations to formally report incidents — encouraging more accurate investigations and accountability.

Supporters of the ban argue that if attackers know payments are impossible, the financial incentive behind ransomware will eventually disappear. Optimistic as that is, the UK government presents the ban as a strong step toward reducing, and eventually eliminating, the ransomware threat.

But opponents highlight an undeniable concern: ransomware attacks will continue, at least in the near term. If payment is no longer an option, organizations may struggle to recover highly sensitive information — often involving customer data — and may be left without any practical alternatives, even if negotiating feels morally uncomfortable.

If the UK enforces a nationwide prohibition on ransom payments, businesses must prioritize strengthening their cyber resilience. Increasing investment in preventive strategies will be crucial.

For SMEs — many of which lack dedicated cybersecurity teams — partnering with a Managed Service Provider (MSP) is one of the simplest ways to boost security. MSPs oversee IT operations and cybersecurity defenses, allowing business leaders to focus on innovation and growth. Recent studies show that over 80% of SMEs now rely on MSPs for cybersecurity support.

Regular employee security awareness training is also essential, helping staff identify early warning signs of cyberattacks and avoid mistakes that commonly lead to ransomware infections.

Organizations should also create and routinely test a detailed incident response plan. Although often overlooked, a well-rehearsed plan is critical for minimizing the damage when an attack occurs.

With the UK considering a nationwide ban on ransom payments, companies cannot afford to wait. The most effective approach is to build strong cyber resilience now.

This includes leveraging MSP services, upgrading security tools, and establishing a clear incident response strategy. Proactive planning will lower the chances of falling victim to ransomware and ensure smoother recovery if an attack does occur.

Mass Router Hijack Targets End-of-Life ASUS Devices


 

Researchers at SecurityScorecard's STRIKE team have uncovered an extensive cyber-espionage campaign, dubbed Operation WrtHug, that has quietly compromised tens of thousands of ASUS routers around the world. It is a further sign that everyday network infrastructure has become a target in its own right.

Ordinary home and small-office routers have been covertly repurposed into a reconnaissance and relay network that lets the operators act anonymously and with considerable reach. According to the analysts, consumer-grade routers are being used strategically for intelligence gathering, a trend that has been building for months.

Such compromises are no longer isolated incidents: outdated or poorly secured home routers have become valuable assets for hostile operators seeking persistence, cover and distributed access to target environments. As the investigation progressed, the operation's footprint turned out to be far larger than first thought.

Over roughly six months, nearly 50,000 unique IP addresses responded to probes with the indicators of a compromised ASUS WRT router. The attackers chained known, unpatched vulnerabilities in end-of-life or outdated devices to hijack them and assemble a coordinated, globally distributed infrastructure.

Taiwan accounts for the largest share of infections, with significant clusters in Southeast Asia, Russia, Central Europe and the United States. The researchers observed no infections in China. That absence is consistent with a China-based operator, but the available evidence is not conclusive.

STRIKE also noted overlaps in tactics and targeting between WrtHug and the AyySSHush campaign that GreyNoise reported in May. A number of infected IP addresses carry indicators of both, which suggests the two may be related parts of a broader, well-organised effort to weaponise ageing consumer networking products. The researchers caution, however, that the link rests on exploitation of common vulnerabilities rather than any confirmed coordination.

The intrusions exploit a set of well-known vulnerabilities in end-of-life ASUS WRT routers, giving the attackers full control over devices that will never receive a fix from the vendor.

Every compromised router presents the same distinctive self-signed TLS certificate, valid for a century from April 2022, which points to a shared toolset or deployment procedure. Nearly all of the services presenting this certificate are ASUS's AiCloud, the proprietary feature that exposes a router's local storage to the internet. That exposure has become the entry point through which the attackers use n-day flaws to gain privileged access to unsupported hardware. The network fits the classic profile of an Operational Relay Box (ORB) network, and the researchers see parallels with several China-linked ORB and botnet ecosystems.

The vulnerability cluster comprises CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2023-39780, CVE-2024-12912 and CVE-2025-2492. CVE-2023-39780 was also exploited by the AyySSHush botnet. None of these are zero-days: they are well-documented n-day flaws covering OS command injection (tricking the device into executing system-level commands), authentication bypass and remote code execution, which remain unpatched on older ASUS WRT routers and together offered a route to large-scale compromise.
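The indicators above (the listed models, end-of-life firmware, AiCloud reachable from the WAN, and a self-signed certificate with a 100-year lifetime starting in April 2022) can be turned into a triage rule over a router inventory or an internal scan. The following is an added example, not SecurityScorecard's or ASUS's code; the inventory records are constructed, the "RT-AX88U" entries are a stand-in for any model not on the list, and the 90-year cutoff and the priority labels are assumptions. Certificate dates are taken in the format `openssl x509 -noout -dates` prints.

```python
"""Triage of ASUS routers against the Operation WrtHug exposure pattern
(added example; records and thresholds are constructed)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Models named in the SecurityScorecard report.
AFFECTED_MODELS = {
    "4G-AC55U", "4G-AC860U", "DSL-AC68U", "GT-AC5300", "GT-AX11000",
    "RT-AC1200HP", "RT-AC1300GPLUS", "RT-AC1300UHP",
}
CENTURY_DAYS = 365 * 90       # treat >= 90 years as "century-long" (assumed cutoff)
INDICATOR_START = (2022, 4)   # reported notBefore of the implant certificate: April 2022


@dataclass
class RouterRecord:
    host: str
    model: str
    firmware_supported: bool      # False: vendor no longer ships updates
    aicloud_wan_reachable: bool   # AiCloud / remote admin answers on the WAN side
    cert_subject: str
    cert_issuer: str
    not_before: str               # as printed by `openssl x509 -noout -dates`
    not_after: str


def parse_openssl_date(text: str) -> datetime:
    """Parse 'Apr 20 00:00:00 2022 GMT' (openssl -dates format) as UTC."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def certificate_lifetime_days(not_before: str, not_after: str) -> int:
    return (parse_openssl_date(not_after) - parse_openssl_date(not_before)).days


def assess(r: RouterRecord) -> dict:
    """Return findings and a priority for one router."""
    findings: list[str] = []
    self_signed = r.cert_subject == r.cert_issuer
    lifetime = certificate_lifetime_days(r.not_before, r.not_after)
    nb = parse_openssl_date(r.not_before)

    if r.model in AFFECTED_MODELS:
        findings.append("model is on the WrtHug target list")
    if not r.firmware_supported:
        findings.append("end-of-life firmware: no vendor patch for the exploited flaws")
    if r.aicloud_wan_reachable:
        findings.append("AiCloud/remote management reachable from the WAN (the reported entry point)")
    if self_signed:
        findings.append("self-signed TLS certificate")
    implant_cert = (self_signed and lifetime >= CENTURY_DAYS
                    and (nb.year, nb.month) == INDICATOR_START)
    if implant_cert:
        findings.append(f"certificate valid {lifetime // 365} years from April 2022: "
                        "matches the WrtHug indicator")

    if implant_cert:
        priority = "investigate: likely compromised"
    elif r.aicloud_wan_reachable and (r.model in AFFECTED_MODELS or not r.firmware_supported):
        priority = "high: exposed and unpatchable or targeted"
    elif r.aicloud_wan_reachable or not r.firmware_supported:
        priority = "medium"
    else:
        priority = "low"
    return {"host": r.host, "priority": priority, "findings": findings}


# Constructed inventory, not scan output from any real network.
SAMPLE_INVENTORY = [
    RouterRecord("10.10.0.1", "GT-AC5300", False, True,
                 "CN=router.asus.com", "CN=router.asus.com",
                 "Apr 20 00:00:00 2022 GMT", "Apr 20 00:00:00 2122 GMT"),
    RouterRecord("10.10.0.2", "RT-AX88U", True, True,
                 "CN=router.asus.com", "CN=router.asus.com",
                 "Jan  5 09:12:00 2025 GMT", "Jan  5 09:12:00 2026 GMT"),
    RouterRecord("10.10.0.3", "RT-AX88U", True, False,
                 "CN=gw.lan.example", "CN=Example Internal CA",
                 "Mar  1 00:00:00 2025 GMT", "Mar  1 00:00:00 2026 GMT"),
]


def triage(records: list[RouterRecord]) -> dict[str, dict]:
    return {a["host"]: a for a in (assess(r) for r in records)}


if __name__ == "__main__":
    for host, a in triage(SAMPLE_INVENTORY).items():
        print(host, a["priority"])
        for f in a["findings"]:
            print("   -", f)
```

A self-signed certificate on a consumer router is normal; the combination that matters is the century-long validity anchored in April 2022 on a service that answers on the WAN. A device that matches should be treated as compromised and rebuilt or replaced, not merely patched, since the implant survives a firmware update on models the vendor still supports only if the stored configuration is wiped as well.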

A number of the infected IP addresses have been tagged with signs consistent with compromises made by both WrtHug and AyySSHush, which suggests that the two operations may be overlapping. However, researchers caution that any link between the two operations remains speculative and is solely based upon the exploitation of common vulnerabilities, rather than a confirmed coordination effort. According to security experts, the majority of infections that have been identified originate from Taiwan, with minor concentrations spreading throughout Southeast Asia, Russia, Central Europe, and the United States of America. 

A lot of the targeted ASUS models appear to be among the most vulnerable to the campaign-including the 4G-AC55U, 4G-AC860U, DSL-AC68U, GT-AC5300, GT-AX11000, RT-AC1200HP, RT-AC1300GPLUS, and RT-AC1300UHP-many of them no longer receiving updates and can no longer be supported. 

In the opinion of the STRIKE researchers, attackers are initiating their takeover by exploiting a high-impact command injection flaw along with several other known vulnerabilities to take control of the routers by converting them into operational relay boxes designed to conceal commands-and-control activities, so they can be integrated into these networks as a whole. 

The researchers do not, however, confirm the network's full operational role; they emphasize instead that the underlying vulnerabilities make these devices exceptionally valuable to attackers. Users are advised to update their routers immediately to address all of the exploited flaws. 

Users of unsupported routers, they warn, should either disable remote access functions or retire the devices. The attackers were not using undisclosed zero-day exploits but a series of well-documented n-day vulnerabilities that remain unpatched on older ASUS WRT routers, a path to large-scale compromise that timely patching would have closed. 

These flaws permit several forms of intrusion: OS command injection, which tricks the device into executing attacker-supplied system commands; remote code execution; and authentication bypass. Using ASUS's AiCloud remote access service as the point of entry, SecurityScorecard's STRIKE team found the threat actors repeatedly exploiting internet-exposed devices to gain a foothold. 

Once access was secured, the routers were folded into a vast, global mesh of hijacked systems. Researchers identified over 50,000 unique IP addresses associated with compromised devices in the past six months alone. Analysts believe the campaign's behavior resembles that of an Operational Relay Box network, a covert infrastructure model in which everyday consumer devices are repurposed as relays for espionage traffic, concealing its true source and providing long-term persistence. 

ORB-style operations are frequently associated with China-aligned threat groups, an observation reinforced by the geographic footprint of the infected devices: SecurityScorecard found that roughly 30% to 50% of the compromised routers were in Taiwan, with further concentrations in the United States, Russia, Southeast Asia, and parts of Europe. 

All of the infected routers also shared a distinctive technical signature: a self-signed TLS certificate with an unusually long validity period of 100 years, which researchers used to trace the campaign's infrastructure across multiple geographic regions. 
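A certificate with a century-long validity period is easy to hunt for once you know to look. The following is an added example, not SecurityScorecard's tooling: it takes the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()` so the same check can run on a live certificate or, as here, on constructed sample data. The 20-year threshold, the host names and the dates are all assumptions made for the example.

```python
"""Flag TLS certificates with an implausibly long validity period, the
signature the WrtHug researchers used to track infected routers.

Added example, not SecurityScorecard's tooling. Input is the dict shape
returned by ssl.SSLSocket.getpeercert(); the samples below are constructed."""
import ssl

MAX_SANE_YEARS = 20  # assumption: nothing legitimate on a SOHO router lasts longer


def _rdn_to_dict(rdn_seq):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) into a dict."""
    flat = {}
    for rdn in rdn_seq:
        for key, value in rdn:
            flat[key] = value
    return flat


def assess_cert(cert):
    """Return validity in years, whether the cert is self-signed, and the
    reasons (if any) it looks like campaign infrastructure."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    years = (not_after - not_before) / (365.25 * 86400)
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    self_signed = bool(subject) and subject == issuer
    reasons = []
    if years > MAX_SANE_YEARS:
        reasons.append(f"validity of {years:.1f} years exceeds {MAX_SANE_YEARS}")
    if self_signed:
        reasons.append("self-signed (issuer matches subject)")
    return {
        "years": round(years, 1),
        "self_signed": self_signed,
        # Both conditions together are the WrtHug-style signature.
        "suspicious": self_signed and years > MAX_SANE_YEARS,
        "reasons": reasons,
    }


# Constructed samples in getpeercert() format; no real hosts or certificates.
ROUTER_CERT = {
    "subject": ((("commonName", "router.example"),),),
    "issuer": ((("commonName", "router.example"),),),
    "notBefore": "Nov 20 00:00:00 2025 GMT",
    "notAfter": "Nov 20 00:00:00 2125 GMT",   # 100 years
}
VENDOR_CERT = {
    "subject": ((("commonName", "nas.example"),),),
    "issuer": ((("commonName", "nas.example"),),),
    "notBefore": "Jan 1 00:00:00 2024 GMT",
    "notAfter": "Jan 1 00:00:00 2034 GMT",    # self-signed but 10 years
}
PUBLIC_CERT = {
    "subject": ((("commonName", "www.example"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA R1"),)),
    "notBefore": "Jan 10 00:00:00 2025 GMT",
    "notAfter": "Apr 10 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    for name, cert in (("router", ROUTER_CERT), ("vendor", VENDOR_CERT), ("public", PUBLIC_CERT)):
        print(name, assess_cert(cert))
```

One caveat when pointing this at a real device: `getpeercert()` returns an empty dict unless the handshake validated the chain, which it never will for a router's self-signed certificate, so fetch the PEM with `ssl.get_server_certificate((host, port))` and decode it with a library such as `cryptography` before feeding the fields in. A 100-year validity is a single weak indicator, not proof of compromise; treat a hit as a prompt to check firmware version and AiCloud exposure.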

Together, these characteristics align closely with the pattern of China-linked cyber-espionage activity in choice of targets, exploitation methods, operational design, and geographic distribution. A key finding of the investigation is the geographic imbalance in where infected devices were detected, which the researchers say is difficult to dismiss as coincidental. 

One-third to one-half of all compromised routers identified in Operation WrtHug were traced to IP addresses in Taiwan, an overrepresentation that analysts argue is consistent with the long-standing intelligence priorities of China-linked cyber operators. 

Also striking is the absence of infections within mainland China, apart from a handful detected in Hong Kong, which points to deliberate targeting. The attackers also showed strong interest in Southeast Asia, where the number of infected devices is substantially higher than the global average. 

Researchers have also noted tradecraft overlap between WrtHug and AyySSHush, a campaign documented earlier by GreyNoise that conscripted ASUS routers into a persistent botnet. Both operations exploit the CVE-2023-39780 command injection vulnerability, raising the possibility that they represent different phases of the same evolving campaign, separate efforts by the same threat actor, or loosely coordinated parallel operations.

Analysts still assess WrtHug as an independent campaign, one that bears the hallmarks of a well-resourced adversary even though there is no conclusive evidence of attribution. The environment remains fertile ground for such intrusions: small office and home office routers are often installed and then forgotten, especially once manufacturers discontinue support. 

End-of-life devices no longer receive automatic updates, yet they keep working as usual, so users see little reason to replace them despite the mounting security risk. Authorities have grown increasingly concerned about this persistent gap. In May the FBI released a public advisory urging SOHO router users to disable remote management features as a minimum and to retire unsupported models to reduce the chance of compromise. 

As Operation WrtHug continues to unfold, user vigilance matters more than ever, because the security of global networks now depends on everyday users as much as on enterprise defenses. The findings indicate that households and small businesses need to abandon outdated hardware, patch promptly, and limit their exposure to remote access services that silently enlarge their networks' attack surface. 

Experts stress that proactive maintenance, once considered optional, has become a vital part of keeping consumer devices from being turned into tools of geopolitical cyber operations. With neglected routers now fueling international espionage, basic security hygiene has become a matter of national importance.

DanaBot Malware Resurfaces With New Variant After Operation Endgame Disruption

 

Despite a coordinated international takedown earlier this year, the DanaBot malware has returned with a newly upgraded version, signaling yet another resurgence of a threat that has repeatedly evaded permanent shutdown. The fresh discovery comes roughly six months after law enforcement agencies crippled the malware’s network during Operation Endgame, a global effort that announced infrastructure seizures and criminal indictments in May. Researchers at Zscaler ThreatLabz now report that DanaBot is once again circulating in attacks, with a rebuilt architecture designed for persistence and continued financial gain. 

The latest version, identified as DanaBot 669, introduces a command-and-control system based on Tor hidden services and “backconnect” nodes. By routing malicious communication through .onion domains, the operators create a layer of anonymity that makes tracking and disruption significantly more difficult. Zscaler’s analysis also uncovered several active cryptocurrency wallet addresses linked to the campaign, spanning Bitcoin, Ethereum, Litecoin, and TRON, which the attackers are using to collect stolen funds from victims. 
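The two artifact types named above, Tor hidden-service hostnames and wallet addresses across several chains, are exactly what an analyst pulls out of a decoded configuration or a strings dump during triage. The following is an added example, not Zscaler ThreatLabz's tooling: a scanner that reports v3 `.onion` hostnames, Ethereum-shaped addresses, and Base58Check addresses whose checksum actually verifies (Bitcoin, Litecoin, TRON), so random base58-looking tokens are not reported. The sample input is constructed, and every wallet address in it is generated from dummy payloads inside the block, so none corresponds to a real account.

```python
"""Triage scanner for the artifacts named in the DanaBot 669 reporting:
Tor v3 hidden-service hostnames and cryptocurrency wallet addresses in a
strings dump, decoded config, or proxy log.

Added example, not Zscaler's tooling. Sample text below is constructed and
the wallet addresses are generated here from dummy payloads."""
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# P2PKH-style version bytes: Bitcoin 0x00 ('1...'), Litecoin 0x30 ('L...'), TRON 0x41 ('T...').
VERSION_LABELS = {0x00: "bitcoin", 0x30: "litecoin", 0x41: "tron"}


def _checksum(body: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]


def b58check_encode(version: int, payload: bytes) -> str:
    """Used only to build the constructed sample addresses."""
    body = bytes([version]) + payload
    raw = body + _checksum(body)
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58[rem] + digits
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def b58check_decode(token: str):
    """Return (version, payload) when the 4-byte checksum verifies, else None."""
    n = 0
    for ch in token:
        idx = B58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * (len(token) - len(token.lstrip("1"))) + raw
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        return None
    return raw[0], raw[1:-4]


ONION_V3 = re.compile(r"\b[a-z2-7]{56}\.onion\b")
ETH_ADDR = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
B58_CANDIDATE = re.compile(r"\b[13LMT][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def scan(text: str):
    """Return (kind, value) pairs for every C2 or wallet artifact found."""
    hits = [("tor_onion_v3", m.group()) for m in ONION_V3.finditer(text)]
    hits += [("ethereum", m.group()) for m in ETH_ADDR.finditer(text)]
    for m in B58_CANDIDATE.finditer(text):
        decoded = b58check_decode(m.group())
        # Only report a candidate if its checksum verifies and it carries a
        # 20-byte hash under a version byte we recognise.
        if decoded and decoded[0] in VERSION_LABELS and len(decoded[1]) == 20:
            hits.append((VERSION_LABELS[decoded[0]], m.group()))
    return hits


# Constructed sample resembling a decoded config; nothing here is real.
SAMPLE_BTC = b58check_encode(0x00, bytes(range(1, 21)))
SAMPLE_LTC = b58check_encode(0x30, bytes(range(21, 41)))
SAMPLE_TRX = b58check_encode(0x41, bytes(range(41, 61)))
SAMPLE_ETH = "0x" + "ab" * 20
SAMPLE_ONION = "a" * 56 + ".onion"
BOGUS = "1FakeAddressWithBadChecksumQQ"  # base58 shape, checksum will not verify
SAMPLE_TEXT = "\n".join([
    "build=669",
    f"c2_primary={SAMPLE_ONION}",
    "backconnect=tcp://127.0.0.1:443",
    f"wallet_btc={SAMPLE_BTC}",
    f"wallet_ltc={SAMPLE_LTC}",
    f"wallet_trx={SAMPLE_TRX}",
    f"wallet_eth={SAMPLE_ETH}",
    f"note={BOGUS}",
])

if __name__ == "__main__":
    for kind, value in scan(SAMPLE_TEXT):
        print(f"{kind:12} {value}")
```

The checksum step is what keeps this usable on a large strings dump: base58 candidates are common in binaries, but only one in about four billion random tokens will pass the double-SHA256 check. Bech32 (`bc1...`, `ltc1...`) addresses are deliberately out of scope here and would need their own decoder.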

DanaBot first emerged several years ago when researchers at Proofpoint revealed it as a Delphi-written banking trojan delivered largely through phishing emails and malvertising lures. Its creators adopted a malware-as-a-service model, renting out access to cybercriminal groups who used it to harvest credentials from online banking sessions. Over time, the malware evolved into a modular system capable of functioning as both an information stealer and a loader, extracting stored browser data — including crypto wallet details — and enabling follow-on payloads such as ransomware. 

Although Operation Endgame temporarily slowed activity, it did not eliminate the malware’s core operators. Threat actors simply paused long enough to rebuild infrastructure and adapt their tactics. During this downtime, many initial access brokers shifted toward other malware families, but the financial motivation behind DanaBot ensured its eventual revival. Its steady reappearance in campaigns since 2021 has shown that as long as cybercrime remains profitable, disruptions are rarely permanent.

Zscaler warns that current DanaBot campaigns employ familiar distribution methods. Malicious email attachments and links continue to be the main infection route, while SEO poisoning and deceptive online advertisements also lure victims into executing the malware. Some infections have been linked to wider incidents involving ransomware deployments, demonstrating the tool’s ongoing role in larger criminal ecosystems. 

Organizations can reduce exposure by updating security tools and blocking newly published indicators of compromise from Zscaler’s latest intelligence. The return of DanaBot highlights a recurring cybersecurity reality: even major law enforcement actions cannot fully dismantle financially driven malware operations when key actors remain at large.

Screen Sharing on WhatsApp Turns Costly with Major Financial Loss

 


Several disturbing patterns of digital deception have developed quietly in recent months, showing how readily everyday communication tools can be turned into instruments of financial ruin. Security researchers report a rise in sophisticated cybercriminal schemes that exploit the trust users place in familiar platforms, particularly WhatsApp, to gain access to victims' devices and accounts. 

What starts as a friendly message, an unexpected image, or a polite call about an "urgent issue" with a bank account often unravels into a meticulously crafted scam. Downloading an innocuous-looking picture can install malicious software that infiltrates banking applications, harvests passwords, and exposes personal identification information without the victim's knowledge. 

In other cases, fraudsters impersonating bank representatives have coaxed users into sharing their screens under the pretense of resolving an account discrepancy. From that point the fraudster can watch every detail in real time, including OTP codes, login credentials, and account balances, and in some cases persuades the victim to install remote access or screen mirroring software so the attacker can control the device directly. 

These intertwined tactics point to a troubling trend in digital crime and underscore the need for greater vigilance in India and beyond. A fast-growing network of social-engineering groups operating across multiple regions is abusing WhatsApp's screen-sharing capability to bypass safeguards and take control of victims' finances. 

Investigators have begun piecing together the contours of this network. Introduced in 2023 as a convenience feature, screen sharing has become a critical point of exploitation: fraudsters place unsolicited video calls, pose as bank officials or service providers, and convince victims either to share their screens or to install remote-access applications disguised as diagnostic tools. 

In one case, among abuses spanning India, the U.K., Brazil, and Hong Kong, a single victim lost almost $700,000, showing how swiftly and precisely these schemes unfold. The technique does not depend on sophisticated malware but on urgency, trust, and psychological manipulation, which lets scammers sidestep many traditional technical protections. 

Criminal networks are also expanding their arsenals by spreading malicious files through WhatsApp Web, including one Brazilian operation that uses self-replicating payloads to hijack contact lists, automate fraudulent outreach, and compromise online banking credentials. 

Fraud investigators note that the mechanism relies less on technical sophistication than on psychological pressure designed to disarm victims. The scam usually begins with an unsolicited WhatsApp video call from a number that appears local, with the caller posing as a bank officer, customer service agent, or even an acquaintance in need of help. 

Callers claim to have an urgent problem to solve, such as an unauthorized transaction, an impending account suspension, or a verification error, creating a sense of panic that pushes victims to comply without hesitation.

The impostor then convinces the victim that the issue can be resolved by sharing their screen or installing a legitimate remote-access application such as AnyDesk or TeamViewer, which lets the fraudster watch every action on the screen in real time while pretending to fix the problem. 

Through this live feed, an attacker can read one-time passwords, authentication prompts, banking app interfaces, and other sensitive credentials, then take over WhatsApp accounts, initiate unauthorized transfers, or coax the victim into carrying out the transactions themselves.

A more elaborate variant guides the victim into downloading applications that secretly contain keyloggers or spyware, which keep collecting passwords and financial information long after the call has ended. With banking details or social media profiles in hand, scammers can drain accounts, hijack social network accounts, and impersonate victims to target people on their contact lists.

Authorities caution that the success of these schemes depends on exploiting trust, so user vigilance is key. Advisories recommend treating calls from unknown numbers with caution, never sharing screens with unknown parties, disabling app installation from untrusted sources, and keeping financial apps closed while any remote access or screen-sharing session is active. 

These measures matter because the social engineering keeps evolving. The most sophisticated variants of the scam have criminals planting malicious software on a victim's device through deceptive links or media files, granting them complete control of the device. 

Once installed, such malware can record keystrokes, capture screens, gather banking credentials, intercept two-factor authentication codes, and access sensitive identity documents. Attackers can also take remote control of cameras and microphones, turning the device into a tool for surveillance, coercion, or long-term digital impersonation. 

The exploitation of a compromised identity therefore extends well beyond immediate financial theft, often enabling blackmail and continuing abuse of the victim's identity. 

Against this backdrop, cybersecurity agencies emphasize preventive habits that substantially reduce exposure: not downloading unfamiliar media, disabling WhatsApp's automatic media download, and keeping reputable mobile security tools up to date. 

WhatsApp's built-in controls still allow users to block and report suspicious contacts, and officials urge individuals to spread basic cyber-hygiene knowledge in their communities, noting that many people fall victim simply because they are unaware of the danger. 

Amid the surge in fraud attempts across messaging platforms, Indian authorities including the Indian Cybercrime Coordination Centre and various state cyber cells have issued public advisories, and citizens are encouraged to report such attacks to the National Cybercrime Reporting Portal as soon as possible. 

Taken together with these warnings, the findings make a broader point: even the most ordinary digital interactions can mask sophisticated threats, and sustained vigilance remains the strongest defense against the growing wave of social engineering and malware-driven crime. 

While most of the fraud relies on social engineering, researchers have also observed a parallel wave of malware campaigns abusing WhatsApp's broader ecosystem, demonstrating that the platform can serve as a channel for large-scale infection. One of the most striking cases, reported by analysts in Brazil, involved self-replicating infection chains delivered through WhatsApp Web. 

Victims received a ZIP archive that, when opened, launched SORVEPOTEL, an obfuscated VBS installer. Its PowerShell routine used ChromeDriver and Selenium to attach to the victim's active WhatsApp Web session, giving the malware full control of that session. 

To spread, the script retrieved message templates from a command-and-control server, exfiltrated the user's contact list, and automatically sent the same malicious ZIP file to every contact, often while displaying a fake "WhatsApp Automation v6.0" banner to appear legitimate. 

The ZIP also contained a Windows LNK file that fetched a first-stage loader from a remote server to execute additional code. The follow-on payload, Maverick, was evasive and highly targeted: it checked for debugging tools and inspected locale indicators such as time zone and language settings, and launched its banking module only after confirming the device belonged to a Brazilian user. 

Once active, Maverick monitored browser activity for URLs of Latin American financial institutions, behavior consistent with credential harvesting and account manipulation against regional banks. Trend Micro previously noted that a similar WhatsApp Web abuse vector, which relied on active sessions to mass-distribute infected ZIP files, could get the sending account banned through the sheer volume of outbound messages. 

These infections acted primarily as infostealers targeting Brazilian banking and cryptocurrency platforms, showing how readily financial fraud objectives map onto WhatsApp-based lures. 
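The chain described above (VBS installer, then PowerShell, then ChromeDriver driving a browser through Selenium) is unusual on an ordinary user's workstation and is a reasonable thing to hunt for in process-creation telemetry. The following is an added example, not ESET's, Trend Micro's or any vendor's detection content: it builds a process tree from Sysmon Event ID 1-style records and alerts on WebDriver binaries, or browsers they launched, whose ancestry includes a script host. The field names, paths and file names are assumptions constructed for the example.

```python
"""Hunting rule for the SORVEPOTEL/Maverick-style process chain: a script host
(VBS, then PowerShell) spawning a WebDriver binary such as ChromeDriver, which
is how Selenium attaches a browser session the operator can drive.

Added example, not a vendor rule. Records are constructed in a Sysmon Event
ID 1-like shape; field names and paths are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
WEBDRIVERS = {"chromedriver.exe", "msedgedriver.exe", "geckodriver.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(by_pid, pid, max_depth=8):
    """Image names from the process up through its recorded ancestors."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return alerts for WebDriver binaries (or browsers they launched) whose
    ancestry includes a script host."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        driver_launched_browser = (name in BROWSERS and parent is not None
                                   and basename(parent.image) in WEBDRIVERS)
        if name not in WEBDRIVERS and not driver_launched_browser:
            continue
        chain = ancestry(by_pid, e.pid)
        if any(img in SCRIPT_HOSTS for img in chain[1:]):
            alerts.append({"pid": e.pid, "image": name, "chain": " <- ".join(chain)})
    return alerts


# Constructed events: one malicious chain and one benign QA automation run.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\Downloads\sample.vbs"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\u\AppData\Local\Temp\stage.ps1"),
    ProcEvent(400, 300, r"C:\Users\u\AppData\Local\Temp\chromedriver.exe", "chromedriver.exe --port=9515"),
    ProcEvent(500, 400, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              "chrome.exe --remote-debugging-port=0"),
    ProcEvent(600, 100, r"C:\Python312\python.exe", "python.exe -m pytest tests/"),
    ProcEvent(700, 600, r"C:\Tools\chromedriver.exe", "chromedriver.exe --port=9515"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["pid"], a["image"], "::", a["chain"])
```

The benign chain (pytest launching ChromeDriver) is not reported because no script host appears above it; on a developer or QA host where people start Selenium from an interactive PowerShell, you would add an exclusion for that user or path rather than weaken the rule.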

Security analysts emphasize, however, that the global screen-sharing scams are not primarily the work of a single sophisticated actor but of a diffuse criminal ecosystem that combines trust, urgency, and social manipulation. ESET researchers describe these tactics as fundamentally human-driven rather than dependent on technical exploits, whereas the Brazilian malware operations show clearer signs of structured criminal activity. 

The Maverick trojan is thought to be linked to a group tracked as Water Saci, whose operations overlap with those of the Coyote banking malware family, indicating that these groups share techniques and tooling within Brazil's underground cybercrime market. 

Although these attributions are held with only moderate confidence, they reveal an evolving threat landscape in which both opportunistic scammers and organized cybercriminals exploit WhatsApp to their advantage. 

Analysts say the scheme's success comes from a carefully orchestrated combination of trust, urgency, and control. Video calls that appear to originate from banks, service providers, or other reliable entities give the scammers a veneer of legitimacy.

They then fabricate a crisis, such as a fake transaction, a compromised account, or a suspended service, to pressure the victim into a hasty decision. The final step is the most consequential: convincing the victim to share their screen or install a remote access tool, which in effect grants the attacker complete access to the device. 

Once a phone is accessed this way, every action, notification, and security prompt becomes visible, and the device is an open book to the attacker. Security professionals say prevention depends more on vigilance and personal precautions than on technical measures alone. 

Unsolicited calls should be treated with suspicion, particularly those requesting sensitive information or screen access, and any alarming claim should be independently verified through official channels before responding. Passwords, OTPs, and banking information should never be disclosed over the telephone or by email, since legitimate institutions do not request such data this way. 

Installing remote access apps at the direction of unfamiliar callers should be avoided at all costs, given that such applications hand over complete control of the device. Enabling WhatsApp's built-in two-step verification is also recommended, since it adds protection even if credentials are compromised.

Finally, investigators emphasize that a healthy degree of skepticism remains the most effective defense: pausing to verify independently can prevent the cascading damage these highly persuasive scams are designed to cause.

Russian Sandworm Hackers Deploy New Data-Wipers Against Ukraine’s Government and Grain Sector

 

Russian state-backed hacking group Sandworm has intensified its destructive cyber operations in Ukraine, deploying several families of data-wiping malware against organizations in the government, education, logistics, energy, and grain industries. According to a new report by cybersecurity firm ESET, the attacks occurred in June and September and form part of a broader pattern of digital sabotage carried out by Sandworm—also known as APT44—throughout the conflict. 

Data wipers differ fundamentally from ransomware, which typically encrypts and steals data for extortion. Wipers are designed solely to destroy information by corrupting files, damaging disk partitions, or deleting master boot records in ways that prevent recovery. The resulting disruption can be severe, especially for critical Ukrainian institutions already strained by wartime pressures. Since Russia’s invasion, Ukraine has faced repeated wiper campaigns attributed to state-aligned actors, including PathWiper, HermeticWiper, CaddyWiper, WhisperGate, and IsaacWiper.

ESET’s report documents advanced persistent threat (APT) activity between April and September 2025 and highlights a notable escalation: targeted attacks against Ukraine’s grain sector. Grain exports remain one of the country’s essential revenue streams, and ESET notes that wiper attacks on this industry reflect an attempt to erode Ukraine’s economic resilience. The company reports that Sandworm deployed multiple variants of wiper malware during both June and September, striking organizations responsible for government operations, energy distribution, logistics networks, and grain production. While each of these sectors has faced previous sabotage attempts, direct attacks on the grain industry remain comparatively rare and underscore a growing focus on undermining Ukraine’s wartime economy. 

Earlier, in April 2025, APT44 used two additional wipers—ZeroLot and Sting—against a Ukrainian university. Investigators discovered that Sting was executed through a Windows scheduled task named after the Hungarian dish goulash, a detail that illustrates the group’s use of deceptive operational techniques. ESET also found that initial access in several incidents was achieved by UAC-0099, a separate threat actor active since 2023, which then passed control to Sandworm for wiper deployment. UAC-0099 has consistently focused its intrusions on Ukrainian institutions, suggesting coordinated efforts between threat groups aligned with Russian interests. 

Although Sandworm has recently engaged in more espionage-driven operations, ESET concludes that destructive attacks remain a persistent and ongoing part of the group’s strategy. The report further identifies cyber activity linked to Iranian interests, though not attributed to a specific Iranian threat group. These clusters involved the use of Go-based wipers derived from open-source code and targeted Israel’s energy and engineering sectors in June 2025. The tactics, techniques, and procedures align with those typically associated with Iranian state-aligned hackers, indicating a parallel rise in destructive cyber operations across regions affected by geopolitical tensions. 

Defending against data-wiping attacks requires a combination of familiar but essential cybersecurity practices. Many of the same measures advised for ransomware—such as maintaining offline, immutable backups—are crucial because wipers aim to permanently destroy data rather than exploit it. Strong endpoint detection systems, modern intrusion prevention technologies, and consistent software patching can help prevent attackers from gaining a foothold in networks. As Ukraine continues to face sophisticated threats from state-backed actors, resilient cybersecurity defenses are increasingly vital for preserving both operational continuity and national stability.

M&S Cyberattack: Retailer Issues Fresh Warning to Shoppers

 

Marks & Spencer (M&S) suffered a severe cyberattack in April 2025, attributed to the group known as Scattered Spider using the DragonForce ransomware. The breach forced M&S to halt all online transactions for nearly six weeks, disrupting operations during the traditionally strong Easter trading period. 

The attackers first gained access through social engineering aimed at staff of M&S's third-party IT helpdesk contractor, Tata Consultancy Services, tricking them into granting access. This human error allowed the hackers to steal sensitive customer data, including names, addresses, emails, phone numbers, birthdates, and order histories, though no payment details or passwords were compromised.

As a result, M&S had to suspend online shopping completely and revert to manual processes for inventory and logistics, which led to empty shelves and disrupted service in many stores. Contactless payments and order collection systems failed at the outset of the incident, adding to customer frustration. M&S publicly apologized and reset passwords on affected accounts as a precaution, warning that the stolen data could be used in follow-on phishing attacks.

Financially, the incident is estimated to have cost M&S approximately £300 million in lost profits, which significantly impacted its half-year results. Despite the disruption, M&S’s revenue during the affected period remained relatively stable, reflecting growth in grocery and clothing/home segments, though online market share was partly lost to competitors like Next. The full impact on profits and sales was to be revealed in M&S’s upcoming financial report.

The cyber attack highlighted vulnerabilities in traditional cybersecurity defenses focused on inbound threats, as the ransomware attack involved a "double extortion" technique where data was exfiltrated before encryption, and legacy tools failed to detect the outbound data theft. Experts suggest that more advanced anti-data exfiltration capabilities could have mitigated damage. M&S is reviewing its cybersecurity posture and continuing to recover operationally while managing costs and store investments moving forward.

M&S shoppers were urged to remain vigilant against phishing scams, as criminals exploit stolen personal data for targeted attacks. The incident underscores the evolving threats retailers face from ransomware and social engineering attacks on supply chains and third-party vendors. Overall, the attack marked a significant challenge for M&S’s digital and retail operations with a wide-reaching customer impact and financial implications.

Firms in Japan at Risk of Ransomware Threats, Government Measures Insufficient


There is no indication that ransomware assaults against Japanese businesses will stop. Major online retailer Askul Corp. experienced a cyberattack in October that resulted in system interruptions, following an attack on Asahi Group Holdings Ltd. Government authorities are finding it difficult to keep up with the situation.

The ransomware profit 

According to some estimates, full recovery of Asahi's systems could take several months. The company is thought to have run a large-scale operations system linking ordering, shipping, human resources, and accounting administration. 

A hacker collective known as Qilin claimed responsibility for this most recent attack in a statement posted on a dark web site on October 27. The group claimed to have stolen approximately 9,300 files totaling at least 27 gigabytes, and it shared 29 images that it said showed Asahi's internal documents and employees' personal information.

About Qilin

Qilin is thought to be a hacker collective with ties to Russia that was established around 2022. The gang reportedly released over 700 statements claiming responsibility for ransomware attacks in 2025 alone, when it started to become more active. 

Additionally, Qilin uses a business model called "Ransomware as a Service" (RaaS), offering ransomware programs and attack techniques to third parties as a service. Even those without a high level of technical competence can conduct attacks using RaaS. 

Whereas malware authors once carried out operations themselves, the development of ransomware and the execution of attacks are now split among many players who share the ransom payments. This business model appears to have gained popularity in recent years.

Attack tactics

Hackers typically breach a company's network, block access to its data, and threaten to release the data they have taken. This is known as a double extortion strategy. 

To make businesses pay, some hackers even go so far as to use triple or quadruple extortion. These include direct threats to the targeted company's clients and business partners or frequent distributed denial-of-service (DDoS) attacks that flood servers with data.  

These techniques are reportedly becoming more malicious. Most specialists agree that ransoms should not be paid in principle; even if a business pays, there is no guarantee that its data will be restored or that the stolen copies will be deleted.




Delhi Airport Hit by Rare GPS Spoofing Attacks Causing Flight Delays and Diversions

 


Delhi’s Indira Gandhi International Airport witnessed an unusual series of GPS spoofing incidents this week, where fake satellite signals were transmitted to mislead aircraft about their real positions. These rare cyber disruptions, more common in conflict zones or near sensitive borders, created severe flight congestion and diversions. 

According to reports, more than 400 flights were delayed on Friday alone, as controllers struggled to manage operations amid both spoofing interference and a separate technical glitch in the Air Traffic Control (ATC) system. The cascading impact spread across North India, disrupting schedules at several major airports. Earlier in the week, Delhi Airport ranked second globally for flight delays, as reported by the Times of India. 

At least seven flights had to be diverted to nearby airports such as Jaipur and Lucknow, even though all four of Delhi’s runways were fully operational. On Tuesday, the Navigation Integrity Category value—a critical measure of aircraft positioning accuracy—fell dramatically from 8 to 0, raising alarms within the aviation community. Pilots reported these irregularities within a 60-nautical-mile radius of Delhi, prompting the Directorate General of Civil Aviation (DGCA) to initiate an investigation, as confirmed by The Hindu. 

The situation was worsened by the temporary shutdown of the main runway’s Instrument Landing System (ILS), which provides ground-based precision guidance to pilots during landings. The ILS is currently being upgraded to Category III, which will allow landings even in dense fog—a major requirement ahead of Delhi’s winter season. However, its unavailability has forced aircraft to rely heavily on satellite-based navigation systems, making them more vulnerable to spoofing attacks. GPS spoofing, a complex form of cyber interference, involves the deliberate transmission of counterfeit satellite signals to trick navigation systems. 

Unlike GPS jamming, which blocks genuine signals, spoofing feeds in false ones, making aircraft believe they are in a different location. For example, a jet actually flying over Delhi could appear to be over Chandigarh on cockpit instruments, potentially leading to dangerous course deviations. Such cyber manipulations have grown more frequent worldwide, raising serious safety concerns for both commercial and military aviation. 
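The two symptoms described above, a collapsing integrity value and a reported position that jumps somewhere an aircraft could not physically have reached, can both be checked from the outside by anyone consuming position reports (an airport, an ATC unit, or an ADS-B feed operator). The following is an added example, not code from the article or from any aviation authority: it runs a NIC-collapse check and a speed-plausibility check over a constructed ADS-B-style track. The coordinates are approximate, and the `nic_floor` and `max_speed_kt` thresholds are assumptions chosen for illustration.

```python
"""Plausibility checks over an ADS-B-style position track.

Added example (not from the article): two spoofing indicators an airport,
ATC unit or ADS-B feed operator can evaluate from received reports alone:
  1. a sudden collapse of the Navigation Integrity Category (NIC), like the
     8 -> 0 drop reported at Delhi, and
  2. a position jump between consecutive reports that implies a ground speed
     no airliner can reach.
Coordinates, timings and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


@dataclass(frozen=True)
class Report:
    t: float    # seconds since the start of the track
    lat: float  # decimal degrees
    lon: float  # decimal degrees
    nic: int    # ADS-B Navigation Integrity Category: 0 (no integrity) .. 11 (best)


def haversine_nm(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in nautical miles."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(a))


def check_track(reports, nic_floor: int = 7, max_speed_kt: float = 700.0):
    """Return (report index, reason) findings for suspicious transitions.

    nic_floor and max_speed_kt are assumed thresholds: a NIC falling from at
    or above the floor to below it is flagged, as is any implied ground speed
    above max_speed_kt (well above any airliner's true airspeed).
    """
    findings = []
    for i in range(1, len(reports)):
        prev, cur = reports[i - 1], reports[i]
        if prev.nic >= nic_floor and cur.nic < nic_floor:
            findings.append((i, f"NIC collapsed {prev.nic} -> {cur.nic}"))
        dt_s = cur.t - prev.t
        if dt_s <= 0:
            continue  # out-of-order or duplicate timestamp; nothing to infer
        dist_nm = haversine_nm(prev.lat, prev.lon, cur.lat, cur.lon)
        speed_kt = dist_nm / (dt_s / 3600.0)
        if speed_kt > max_speed_kt:
            findings.append(
                (i, f"implausible jump of {dist_nm:.1f} NM in {dt_s:.0f} s "
                    f"(~{speed_kt:.0f} kt)")
            )
    return findings


# Constructed track: three normal reports near Delhi (approx. 28.56N 77.10E),
# then the reported position snaps to near Chandigarh (approx. 30.67N 76.79E)
# with the NIC dropping to 0, mirroring the article's hypothetical.
SAMPLE_TRACK = [
    Report(t=0,  lat=28.5562, lon=77.1000, nic=8),
    Report(t=10, lat=28.5662, lon=77.1000, nic=8),
    Report(t=20, lat=28.5762, lon=77.1000, nic=8),
    Report(t=30, lat=30.6735, lon=76.7885, nic=0),  # spoofed position
    Report(t=40, lat=30.6835, lon=76.7885, nic=0),  # spoofed track continues
]

if __name__ == "__main__":
    for idx, reason in check_track(SAMPLE_TRACK):
        r = SAMPLE_TRACK[idx]
        print(f"t={r.t:>4.0f}s  {reason}")
```

Both checks fire on the fourth report of the sample track (roughly 128 NM covered in 10 seconds, and NIC 8 falling to 0), while the three normal reports and the continuation of the spoofed track produce nothing. A NIC drop on its own can also be a receiver fault, so in practice a finding like this is corroborated against independent sources (radar, multiple ADS-B receivers, or reports from several aircraft in the same area) before it is treated as interference.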

In India, GPS spoofing incidents are not entirely new. The Centre informed Parliament earlier this year that 465 such cases were recorded between November 2023 and February 2025 along the India-Pakistan border, primarily near Amritsar and Jammu. A report by the International Air Transport Association (IATA) also revealed that over 430,000 cases of GPS jamming and spoofing were documented globally in 2024, a 62% increase from the previous year. The consequences of such interference have sometimes been deadly. 

In December 2024, an Azerbaijan Airlines aircraft crashed in Kazakhstan, reportedly due to Russian anti-aircraft systems misidentifying it amid GPS signal disruption. Earlier this year, an Indian Air Force aircraft flying humanitarian aid to earthquake-hit Myanmar encountered GPS spoofing suspected to originate from Chinese-enabled systems. Data from the GPSjam portal shows India’s borders with Pakistan and Myanmar among the world’s top five regions with poor navigation accuracy for aircraft. 

With Delhi Airport handling over 1,550 flights daily, even brief interruptions can cause widespread delays and logistical chaos. The Airports Authority of India (AAI) has assured that technical teams are working to strengthen the ATC system and implement safeguards to prevent future interference. As investigations continue, the recent incidents serve as a crucial reminder of the evolving cybersecurity challenges in modern aviation and the urgent need for resilient navigation infrastructure to ensure passenger safety in increasingly contested airspace.

Cyber Attack Exposes Data of 861 Irish Defective Block Grant Applicants


An engineering firm that assesses applications for Ireland's defective concrete blocks grant scheme has been hit by a cyberattack, potentially exposing the personal data of approximately 861 homeowners across multiple counties. The breach targeted Sligo-based consulting firm Jennings O'Donovan, which works with the Housing Agency to evaluate applications under the enhanced defective concrete blocks scheme. 

The incident, first reported in October 2025, resulted in unauthorized access to a limited portion of the company's IT systems. Affected data includes applicants' names, local authority reference numbers, contact details, and technical reports containing photographs of damaged dwellings. However, the Housing Agency confirmed that no financial or banking information was compromised, as this data was stored securely on unaffected systems.

Donegal County was the most severely impacted, with approximately 685 applicants affected, representing over 30% of all Donegal applications to the scheme. Mayo County had 47 affected applicants, while 176 applications from other counties were also caught in the breach. The defective concrete blocks scheme, commonly known as the mica or pyrite redress scheme, provides grants to homeowners whose properties have been damaged by defective building materials containing excessive levels of mica or pyrite.

According to Jennings O'Donovan, the firm experienced a network disruption involving temporary unauthorized access and immediately activated established IT security protocols. The company worked with external specialists to identify, isolate, and mitigate the disruption. The Housing Agency emphasized that its own systems remained unaffected and the incident appears isolated to the single engineering company.

The Housing Agency has contacted all impacted applicants, advising that homeowners who were not contacted were not affected by the breach. Security experts warn that exposed personal data could potentially be used for targeted phishing or social engineering attacks against vulnerable homeowners. Despite the breach, the Housing Agency stated that no material delays to grant applications are expected.

The incident adds further complications to a scheme already facing criticism for processing delays and administrative challenges. As of June 2025, only 164 of 2,796 applicants had completed remediation work on their homes, with €163 million paid out in grants. The cyberattack highlights cybersecurity vulnerabilities in government contractor systems handling sensitive citizen data.

Western Sydney University Hit by Major Cyberattack


Western Sydney University has suffered a significant cyberattack, marking the latest in a series of incidents targeting the institution since 2023. Sensitive data belonging to students, staff, and alumni—including tax file numbers, bank account details, passport and driver license information, visa and health data, contact information, and even ethnicities—was compromised when threat actors gained access to the university’s Student Management System hosted on a cloud-based platform by a third-party provider. 

The breach was discovered after two instances of unusual activity on August 6 and August 11, 2025. Investigations revealed that unauthorised access occurred through a chain involving external systems linked to the university’s infrastructure between June 19 and September 3, 2025. The attackers subsequently used this stolen data to send out fraudulent emails to students and graduates on October 6, 2025. 

These emails falsely claimed recipients had been excluded from the university or had their degrees revoked, causing widespread concern. Some scam emails appeared especially credible as they included legitimate student numbers and exploited ongoing web vulnerabilities.

The university responded by immediately initiating investigations, directing its third-party supplier to shut down access, and cooperating closely with the NSW Police Cybercrime Squad’s Strike Force Docker. Notably, in June 2025, police arrested a former student, Birdie Kingston, alleged to have played a role in earlier hacks, although officials stopped short of directly connecting this individual to the latest attack.

In recent statements, Vice-Chancellor Professor George Williams apologised for the disruption and emphasised the institution’s ongoing efforts to rectify the issue and bolster cybersecurity. The attack forms part of a troubling pattern of breaches, including incidents involving Microsoft Office 365 and other IT environments exposed since 2023. Data from previous attacks has surfaced on both the dark web and clear web, affecting thousands of current and former students.

WSU has advised affected community members to change passwords, enable multi-factor authentication, and avoid using the same password across multiple online accounts. Victims are encouraged to follow university guidance and make use of support services available. The institution continues to work with law enforcement and remains on high alert for further attacks.