Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Security. Show all posts
Threat Intelligence
Business Security Cyber Security Email Bombing Microsoft Office 365 Threat Intelligence

Office 365's Microsoft Defender Now Thwarts Email Bombing Assaults

 

Microsoft claims that the cloud-based email security suite Defender for Office 365 can now automatically detect and prevent email bombing attacks. 

Defender for Office 365 (previously known as Office 365 Advanced Threat Protection or Office 365 ATP) guards organisations working in high-risk industries and dealing with sophisticated attackers from malicious threats delivered via email messages, links, or collaboration tools.

"We're introducing a new detection capability in Microsoft Defender for Office 365 to help protect your organization from a growing threat known as email bombing," Redmond notes in a Microsoft 365 message center update. "This form of abuse floods mailboxes with high volumes of email to obscure important messages or overwhelm systems. The new 'Mail Bombing' detection will automatically identify and block these attacks, helping security teams maintain visibility into real threats.”

In late June 2025, the new 'Mail Bombing' feature began to roll out, and by late July, it should be available to all organisations. All messages detected as being a part of a mail bombing operation will be automatically routed to the Junk folder, require no manual configuration, and be toggled on by default. 

Security operations analysts and administrators can now employ Mail Bombing as a new detection type in Threat Explorer, the Email entity page, the Email summary panel, and Advanced Hunting, the company announced over the weekend.

By leveraging specialised cybercrime services that can send a high number of emails or by subscribing to several newsletters, attackers can use mail bombing operations to bombard their targets' email inboxes with thousands or tens of thousands of messages in a matter of minutes.

In the majority of cases, the perpetrators' ultimate goal is to overwhelm email security systems as part of social engineering schemes, creating the way for malware or ransomware operations that can aid in the exfiltration of sensitive data from victims' compromised devices. 

Email bombing has been used in attacks by cybercrime and ransomware outfits for more than a year. It all started with the BlackBasta gang, who employed this approach to flood their victims' mailboxes with emails just minutes before beginning their attacks.

In order to deceive overwhelmed staff members into allowing remote access to their devices via AnyDesk or the integrated Windows Quick Assist application, they would follow up with voice phishing cold calls, pretending to be their IT support teams. Before unleashing ransomware payloads, the attackers would proceed laterally through corporate networks after penetrating their systems and deploying a variety of malicious tools and malware implants.
Read more »
quantum cryptography
Blockchain Blockchain Security Chinese Tech Cyber Security Post-Quantum post-quantum cryptography Quantum Quantum Computers Quantum computing quantum cryptography

Chinese Scientists Develop Quantum-Resistant Blockchain Storage Technology

 

A team of Chinese researchers has unveiled a new blockchain storage solution designed to withstand the growing threat posed by quantum computers. Blockchain, widely regarded as a breakthrough for secure, decentralized record-keeping in areas like finance and logistics, could face major vulnerabilities as quantum computing advances. 

Typically, blockchains use complex encryption based on mathematical problems such as large-number factorization. However, quantum computers can solve these problems at unprecedented speeds, potentially allowing attackers to forge signatures, insert fraudulent data, or disrupt the integrity of entire ledgers. 

“Even the most advanced methods struggle against quantum attacks,” said Wu Tong, associate professor at the University of Science and Technology Beijing. Wu collaborated with researchers from the Beijing Institute of Technology and Guilin University of Electronic Technology to address this challenge. 

Their solution is called EQAS, or Efficient Quantum-Resistant Authentication Storage. It was detailed in early June in the Journal of Software. Unlike traditional encryption that relies on vulnerable math-based signatures, EQAS uses SPHINCS – a post-quantum cryptographic signature tool introduced in 2015. SPHINCS uses hash functions instead of complex equations, enhancing both security and ease of key management across blockchain networks. 

EQAS also separates the processes of data storage and verification. The system uses a “dynamic tree” to generate proofs and a “supertree” structure to validate them. This design improves network scalability and performance while reducing the computational burden on servers. 

The research team tested EQAS’s performance and found that it significantly reduced the time needed for authentication and storage. In simulations, EQAS completed these tasks in approximately 40 seconds—far faster than Ethereum’s average confirmation time of 180 seconds. 

Although quantum attacks on blockchains are still uncommon, experts say it’s only a matter of time. “It’s like a wooden gate being vulnerable to fire. But if you replace the gate with stone, the fire becomes useless,” said Wang Chao, a quantum cryptography professor at Shanghai University, who was not involved in the research. “We need to prepare, but there is no need to panic.” 

As quantum computing continues to evolve, developments like EQAS represent an important step toward future-proofing blockchain systems against next-generation cyber threats.
Read more »
Ransomware
AI Cyber Security Dark Web Extortion Internet Ransomware

Investigation Reveals Employee Secretly Helped in Extortion Payments

Investigation Reveals Employee Secretly Helped in Extortion Payments

Employee helped in ransomware operations

Federal agents are investigating allegations that a former employee of a Chicago-based firm, DigitalMint, which specializes in cryptocurrency payments and ransomware negotiations, may have profited by collaborating with hackers in extortion cases. Founded in 2014, DigitalMint operates under the name Red Leaf Chicago and is recognized for securing cryptocurrency payments for companies that face ransomware threats. 

About DigitalMint

DigitalMint has taken over 2,000 ransomware cases since 2017, offering services like direct negotiations with hackers and incident response. The clients range from small firms to Fortune 500 companies. 

DigitalMint President Marc Jason told partner firms that the US Department of Justice (DoJ) is investigating the allegations. The employee (identity unknown) was sacked soon after the scam was found. According to Bloomberg, Grens said, “As soon as we were able, we began communicating the facts to affected stakeholders.” 

About the investigation

DigitalMint is currently working with the DoJ, and it clarified that the company is not the target of investigation. Grens did not provide more details as the investigation is ongoing. The DoJ declined to offer any comments. 

The incident has led a few firms to warn clients against dealing with DigitalMint, concerned about the dangers involved in ransomware deals. Ransomware attacks can compromise systems, leak sensitive information, and encrypt data. The ransom demands sometimes go upto millions of dollars, worldwide, the extortion attacks cost billions of dollars every year.

Is ransomware negotiation worth it?

The controversy has also raised questions about conflicts of interest in the ransomware negotiation industry. According to James Talientoo, chief executive of the cyber intelligence services company AFTRDRK, “A negotiator is not incentivized to drive the price down or to inform the victim of all the facts if the company they work for is profiting off the size of the demand paid. Plain and simple.”

Security experts cautioned that paying ransom is a dangerous effort, even when done by expert ransom negotiation firms. A payment helps in furthering the operations of ransomware gangs, and sometimes it can also lead to further attacks.

Read more »
Web Servers
BPH Cyber Security CyberCrime Cyberhackers CyberThreat OFAC Web Hosting Web Servers

United States Imposes Ban on Russian Bulletproof Hosting Provider

 


There has been a considerable escalation in efforts by the United States towards combating cyber-enabled threats. As a result of the increase in efforts, the United States has officially blacklisted Aeza Group, a Russian supplier of bulletproof hosting services (BPH), two affiliated entities, and four individuals. 

There is mounting evidence that Aeza has played a crucial role in enabling cybercriminal operations by providing infrastructure specifically designed to conceal malicious activity from law enforcement scrutiny, as evidenced by the U.S. Department of the Treasury's announcement. As a result of U.S. officials' reports, Aeza Group has knowingly provided hosting services to a number of some of the biggest cybercrime syndicates, including those responsible for Medusa ransomware, Lumma information theft, and other disruptive malware. 

Aeza's platforms have reportedly been used by these threat actors to carry out large-scale attacks on key sectors like the U.S. defence industry, major technology companies, and other critical infrastructure sectors. In light of the sanctions, it has become increasingly apparent that bulletproof hosting providers play a crucial role in shielding cybercriminals and facilitating their ability to use malware, exfiltrate sensitive data, and compromise national security. 

As the U.S. government continues to seek to disrupt the digital infrastructure underpinning transnational cybercrime, this latest designation is a stronger indication that it is willing to hold service providers accountable for their involvement in criminal activity through the enforcement of laws. Among the sanctions announced by the United States Department of the Treasury's Office of Foreign Assets Control (OFAC) in response to an intensified crackdown on transnational cybercrime networks, the Aeza Group, a company based in Russia that offers bulletproof hosting (BPH) services. 

According to the company's allegations, it provides digital infrastructure that allows cybercriminals to conduct ransomware attacks anonymously, spread malware, and steal data from U.S. companies and critical sectors. Aeza Group has been implicated in supporting illicit online activity, according to OFAC. Aeza Group rents IP addresses, servers, and domains to cybercriminals at a nominal price, thereby allowing them to conduct illicit online activity with minimal compliance or monitoring. These are services that are highly sought after in the cybercrime underground. 

The bulletproof platforms on which these websites run are deliberately designed to resist efforts by law enforcement to take them down. Thus, they serve as a shield for cyber actors that engage in widespread fraud, ransomware deployment, and the operation of darknet markets. As a result of this move, the United States has emphasised a strategy to dismantle the infrastructure that supports global cyber threats by not only focusing on perpetrators but also on the enablers behind the scenes as well. 

According to U.S. authorities, in addition to earlier enforcement actions targeting cyber infrastructure, the Aeza Group—an online bulletproof hosting provider in Russia—along with two affiliated companies and four of its top executives, has been sanctioned by the agency. A major effort is being made to dismantle the backend services that enable cybercriminals to operate across borders, evading detection, as well as dismantle the backend services that allow them to do so. 

According to the U.S. Department of the Treasury U.S. has determined that the Aeza Group has deliberately contributed to the facilitation of a range of malicious activities by providing resilient hosting infrastructure — such as IP addresses, server space, and domain registration — that has made it possible for bad actors to conduct themselves with impunity. 

It has been reported that users of the platform include hackers involved in the malware and ransomware Medusa, which has been targeting critical sectors such as the defence industry and major technology companies. Having shielded its customers from accountability, Aeza has established itself as an important player within the cybercrime ecosystem. 

Aeza's designation is part of a broader strategic approach by the United States and international partners to disrupt the digital safe havens that support everything from ransomware attacks to darknet market operations, signalling that the providers of services will face severe consequences if they are complicit in the perpetration of such crimes. 

As part of its ongoing efforts to fight cybercrime, the Office of Foreign Assets Control at the U.S Department of the Treasury confirmed that Aeza Group has provided hosting infrastructure and technical support to several high-profile cybercriminals. This announcement further expands the scope of our efforts to combat cybercrime. 

Several individuals are involved in the operations, including those behind the Meduza, RedLine, and Lumma infostealers, as well as the BianLian ransomware group and BlackSprut, a highly influential Russian darknet marketplace specialising in illicit drug distribution. It has been reported that Lumma had infected approximately 10 million systems worldwide before it was taken down in May by a coordinated international response team. 

In addition to the sanctions against Aeza Group, there has been a broad global crackdown on cybercrime that has led to the arrest of prolific cybercriminals and the dismantling of key services throughout the world. Law enforcement agencies have conducted synchronised operations in recent months that have resulted in a series of arrests and the dismantling of key services across the world. There are several types of cybercriminal activity involving the use of information stealers, malware loaders, counter-virus and encryption services, ransomware networks, cybercrime marketplaces, and distributed denial-of-service (DDoS) platforms. 

As a result, the entire digital infrastructure that underpins transnational cybercriminal activities has been significantly disrupted. There is a growing concern about Aeza Group, a British technology company that has directly supported cyberattacks against U.S. defence contractors and major technology companies, as the company has been accused of facilitating hostile cyber operations. 

In a statement issued by the acting undersecretary of the United States Treasury for Terrorism and Financial Intelligence, Bradley T Smith pointed out that bulletproof hosting providers, such as Aeza, continue to play a crucial role in helping to facilitate ransomware deployment, intellectual property theft, and the sale of illicit drugs online by offering services that are designed in a way so as not to be interfered with by law enforcement. 

The OFAC has sanctioned Aeza Group, as well as designated four individuals to serve in leadership roles at the company. They include part-owners such as Arsenii Aleksandrovich Penzev, Yurii Meruzhanovich Bozoyan, who were both previously detained for alleged involvement with the BlackSprut darknet platform, and others who were also sanctioned for their senior roles within the company. Igor Anatolyevich Knyazev and Vladimir Vyacheslavovich Gast were also sanctioned for their senior positions within the company. 

Aeza International, a UK-based company headquartered in London and its Russian subsidiaries, Aeza Logistic and Cloud Solution, have also been seized as part of the crackdown, as the United States is trying to dismantle the company's financial and operational infrastructure completely. Chainalysis, a blockchain analysis company that specialises in cryptocurrency transactions, has uncovered financial activity which is linked to Aeza Group, including cryptocurrency transactions in excess of $350,000, adding yet another layer of evidence against the bulletproof hosting provider. 

Aeza Group's TRON wallet address was found to have received a substantial amount of crypto payments through a corresponding wallet address, which then channelled the funds through a variety of deposit addresses on multiple cryptocurrency exchanges. 

There were also several illicit entities associated with these same addresses, including a darknet vendor that distributed stealer malware, the Russian cryptocurrency exchange Garantex, and a service used for escrowing items on an online gaming platform that is well-known. It was determined from Chainalysis that the designated wallet functioned as the administrative hub for Aeza's financial operations. 

Aeza's services were received directly, funds were processed from third-party payment systems, and profits were routed to crypto exchanges for withdrawal to be made. These functions were performed by the designated wallet, which served multiple functions. In addition, this financial pattern further strengthens the allegations that Aeza Group provided cybercriminals with technological infrastructure as well as actively managed and laundered proceeds from illicit transactions and that it maintained an active role in both these activities. 

As the United States sanctioned another bulletproof hosting provider based in Russia, Zservers, earlier this year, it was accused of supporting ransomware groups such as LockBit that were infected with malicious software. A comprehensive set of sanctions by U.S. authorities aimed at exposing and dismantling the financial and operational networks at the heart of cybercrime infrastructure is evident in their consistent approach. 

International enforcement bodies are sending a clear message by tracing digital payment flows and targeting the entities behind them by implementing direct and sustained pressure on the infrastructure and financial channels enabling cybercrime. International regulators and cybersecurity agencies have come to a deep consensus on how to combat cybercrime. 

At the moment, there is a growing consensus that combatting cybercrime requires us not only to pursue the threats but also to dismantle the enabling infrastructure that enables them. There is no doubt that cybercrime is becoming more decentralised, sophisticated, and financially self-sustaining, and that cyber defence must take action to target unrestricted service providers who operate with impunity to be effective. 

There are many companies, including web hosting companies and domain registrars, that may unknowingly or negligently contribute to the monetisation and concealment of illegal activity, as highlighted by the Aeza case. This case encourages vigilance throughout the digital supply chain, including third-party vendors and crypto platforms that may improperly monetise or conceal illegal activity. 

Considering the future, public and private stakeholders must prioritise collaboration, proactive threat detection, and strong compliance frameworks in order to reduce the systemic risks that can be posed by bulletproof hosting services, as well as other illicit enablers. Governments must continue aligning cross-border enforcement actions and sanctions to close jurisdictional gaps, while technology providers must invest in the tools and expertise required to detect abuse within their platforms so that the platform becomes more secure. 

As far as the Aeza takedown is concerned, it is not an isolated incident but rather one that clearly illustrates the world's cybercrime economy thrives in environments that lack oversight and accountability. In order to disrupt this ecosystem effectively, we must take a unified and sustained approach—one that considers infrastructure providers not only neutral intermediaries, but also potential co-conspirators when they profit from criminal acts.
Read more »
Qantas Airways
Cyber Security Cybersecurity cybersecurity news FBI cyber alert Qantas Airways

Qantas Hit by Cyberattack Days After FBI Warning on Airline 2FA Bypass Threat

 

Just days after the FBI warned airlines about a surge in 2FA bypass attacks by the hacker group Scattered Spider, Australian airline Qantas has confirmed a major cybersecurity incident. The breach, which targeted a third-party platform used for customer service, has potentially exposed personal data—including names, emails, birth dates, and frequent flyer details—of up to six million customers. 

The attack exploited social engineering tactics, a signature method of Scattered Spider, where attackers impersonate staff to deceive IT help desks into granting unauthorized access. Brett Winterford of Okta described the group as a loosely organized, profit-driven collective that thrives on peer recognition and repeated attacks across successful sectors. In a July 4 statement, Qantas Group CEO Vanessa Hudson assured that no credit card, passport, or financial data was compromised, and Qantas’ core systems remain secure. 

The airline said it contained the breach on July 1 and is working with cybersecurity experts to complete a forensic investigation. Affected customers began receiving email notifications from July 3, with further updates promised on the exact data exposed. Hudson emphasized the company’s commitment to transparency and robust response efforts, saying, “We are treating this incredibly seriously and have implemented additional security measures.” 

Cybersecurity professionals, including ex-FBI agent Adam Marrè and OPSWAT's James Neilson, stressed the need for heightened vigilance in the aviation sector, especially during peak travel periods. Marrè urged organizations to strengthen supply chain defenses and advised consumers to verify all communications from airlines. 

Graylog’s Ross Brewer, a Qantas customer himself, noted that clear and precise communication from the airline is critical to avoiding unnecessary panic and maintaining public trust. With airlines holding vast stores of sensitive data, experts warn the industry is an increasingly attractive target for cybercriminals. The Qantas breach reinforces the FBI’s call for all sectors to evaluate their cybersecurity hygiene and response strategies without delay.
Read more »
User Privacy
Cyber Security Mass Surveillance Palantir Trump Administration User Privacy

US Government Secretly Builds Enormous Database Tracking Citizens

 

An explosive story regarding the Trump administration's collaboration with Palantir, which could result in the creation of a master database containing data on every American, was released by the New York Times last month. If such a "master list" was created, the Times claims, it would grant the president "untold surveillance power." 

President Donald Trump signed an executive order earlier this year allowing the federal government to exchange data on Americans among multiple organisations. However, we now have a better idea of how the administration plans to accomplish this. Trump has hired Palantir, a software startup co-founded by Trump and Republican megadonor Peter Thiel, to carry out these initiatives. 

According to the New York Times, Palantir's technology would allow for the compilation of sensitive information from agencies such as the Department of Homeland Security, Immigration and Customs Enforcement, and the Internal Revenue Service. Various government databases already have information on Americans' bank account numbers, medical claims, disabilities, student loan levels, and other details, though not in one location. 

In order to boost government efficiency and save hard-earned public cash, the Trump administration has stated that it wants to "eliminate information silos and streamline data collection across all agencies." The threat of a central database, however, is a nightmare for privacy advocates and has even prompted security and privacy worries from former Palantir staff members. 

Palantir controversial role

Despite its reputation for being extremely covert about its data mining and spying activities, Palantir positions itself as a data and analytics firm. Additionally, Palantir has been under fire for offering information services to support the Israeli military during the Israel-Hamas conflict in 2023. The IDF receives intelligence services from Palantir, as CEO Karp has previously revealed.

Palantir has responded by defending its collaboration with Israel and refuting claims that it is supporting war crimes, as its most vocal detractors claim. As part of the Trump Administration's contentious policing and deportation initiatives, Palantir has also been called upon to assist U.S. Immigration and Customs Enforcement (ICE) in tracking immigrants in the United States. 

Why would the Trump Administration use Palantir to acquire data?

Palantir has already been contracted by the federal government for several years. For example, Palantir previously collaborated with Health and Human Services to track the COVID-19 pandemic. However, Palantir's stock and revenue have soared since Trump's inauguration earlier this year. To date, the federal government has given Palantir around $113 million in 2025.

Furthermore, last week, Palantir was given a $795 million contract by the Department of Defence. In 2024, Palantir earned $1.2 billion from the U.S. government, according to the company's last quarterly report. Furthermore, Thiel, a co-founder of Palantir, is a key Republican fundraiser. In addition to giving $1.25 million to Trump's 2016 campaign, he has contributed tens of millions of dollars to Republican congressional campaigns over the years.
Read more »
Ransomware
Artificial Intelligence Cyber Security Digital Landscape insurance Internet Ransomware

How Ransomware Has Impacted Cyber Insurance Assessment Approach

How Ransomware Has Impacted Cyber Insurance Assessment Approach

Cyber insurance and ransomware

The surge in ransomware campaigns has compelled cyber insurers to rethink their security measures. Ransomware attacks have been a threat for many years, but it was only recently that threat actors realized the significant financial benefits they could reap from such attacks. The rise of ransomware-as-a-service (RaaS) and double extortion tactics has changed the threat landscape, as organizations continue to fall victim and suffer data leaks that are accessible to everyone. 

According to a 2024 threat report by Cisco, "Ransomware remains a prevalent threat as it directly monetizes attacks by holding data or systems hostage for ransom. Its high profitability, coupled with the increasing availability of ransomware-as-a-service platforms, allows even less skilled attackers to launch campaigns."

Changing insurance landscape due to ransomware

Cyber insurance is helping businesses to address such threats by offering services such as ransom negotiation, ransom reimbursement, and incident response. Such support, however, comes with a price. The years 2020 and 2021 witnessed a surge in insurance premiums. The Black Hat USA conference, scheduled in Las Vegas, will discuss how ransomware has changed businesses’ partnerships with insurers. Ransomware impacts an organization’s business model.

At the start of the 21st century, insurance firms required companies to buy a security audit to get a 25% policy discount. Insurance back then used to be a hands-on approach. The 2000s were followed by the data breach era; however, breaches were less common and frequent, targeting the hospitality and retail sectors. 

This caused insurers to stop checking for in-depth security audits, and they began using questionnaires to measure risk. In 2019, the ransomware wave happened, and insurers started paying out more claims than they were accepting. It was a sign that the business model was inadequate.

Questionnaires tend to be tricky for businesses to fill out. For instance, multifactor authentication (MFA) can be a complicated question to answer. Besides questionnaires, insurers have started using scans. 

Incentives to promote security measures

Threats have risen, but so have assessments, coverage incentives like vanishing retention mean that if policy users follow security instructions, retention disappears. Safety awareness training and patching vulnerabilities are other measures that can help in cost reductions. Scanning assessment can help in premium pricing, as it is lower currently. 

Read more »
social engineering scams
aviation cyber attacks Cyber Security cybersecurity threats FBI Scattered Spider ransomware social engineering scams

FBI Warns Airlines and Insurers as Scattered Spider Ransomware Attacks Surge

 

When the Federal Bureau of Investigation (FBI) sounds the alarm on cybersecurity, organizations should take immediate notice. The latest urgent warning involves the notorious Scattered Spider group, which has already made headlines for attacking major retailers such as Marks & Spencer in the U.K.—a breach estimated to have cost the company upwards of $600 million.

According to the FBI, this cybercriminal organization is now turning its focus to the airline sector, targeting companies both directly and by infiltrating their supply chains. A recent June 26 report by Halcyon ransomware analysts indicated Scattered Spider had expanded operations into the Food, Manufacturing, and Transportation sectors, especially Aviation. The FBI confirmed this, stating via email:

“The FBI has recently observed the cybercriminal group Scattered Spider expanding its targeting to include the airline sector.”

The agency also posted this statement on X, formerly Twitter, highlighting that the attackers use consistent tactics—namely social engineering. Scattered Spider often impersonates employees or contractors to manipulate IT help desks into granting unauthorized access. Their ultimate goal is to sidestep multi-factor authentication (MFA) by convincing support staff to register fraudulent MFA devices to compromised accounts.

This threat group has been on law enforcement radar for years. In 2023, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint advisory after Scattered Spider activity against commercial facilities escalated. Authorities are now working closely with aviation companies to counter this surge in attacks and assist any impacted organizations. The FBI urges anyone who suspects their business has been targeted to contact their local office without delay.

Meanwhile, the Reliaquest Threat Research Team has published a detailed profile of Scattered Spider, emphasizing that 81% of the group’s domains impersonate technology vendors. Their preferred victims are executives and system administrators with high-level credentials. Reliaquest reports that the attackers leverage sophisticated phishing frameworks such as Evilginx and even conduct video calls to deceive targets in industries like finance, technology, and retail.


Recent analysis has uncovered Scattered Spider’s connection to The Community, a loosely organized hacking collective. According to cybersecurity firm Reliaquest:

“Through strategic alliances with major ransomware operators ALPHV, RansomHub, and DragonForce…”

Scattered Spider has gained access to sophisticated tools and techniques, many of which originate from Russia-aligned and English-speaking threat actors. This collaboration has enabled the group to launch highly convincing impersonation campaigns targeting Western organizations.

Social Engineering with a Scripted Edge

To execute these campaigns more effectively, Scattered Spider actively recruits skilled social engineers. Their criteria are precise: candidates must speak native or regionally neutral English and be available during Western business hours. These operators are then equipped with:

Detailed call scripts tailored to the organization being targeted.

Real-time coaching, where a “curator” provides live guidance to handle unexpected situations during calls.

Reliaquest also noted that the group deliberately avoids targeting entities in Russia and the Commonwealth of Independent States, suggesting both geopolitical awareness and operational discipline.

Future Threat: AI-Enhanced Social Engineering


Looking ahead, Reliaquest warns that Scattered Spider is likely to adopt AI tools to further automate and scale their trust-based attacks.

While the FBI’s recent alert focused on threats to the transportation and aviation sectors, other industries are already feeling the impact. John Hultquist, Chief Analyst at Google Threat Intelligence Group, confirmed:

“We are aware of multiple intrusions in the U.S. that bear all the hallmarks of Scattered Spider activity.”

The insurance sector has emerged as a prominent new target. Jon Abbott, CEO of ThreatAware, emphasized:

“The rising tide of attacks on U.S. insurers is a serious threat that should not be underestimated.”

However, he also cautioned that this trend is not limited to insurers; organizations across all industries should take it as a warning.

Supply Chain Weakness: The Common Denominator


Many of these incidents share a dangerous pattern: attackers first compromise a smaller vendor or partner, then use that access to pivot into larger, more valuable targets.

Richard Orange, Vice President at Abnormal AI, echoed the FBI’s concerns:

“This group relies on social engineering rather than technical exploits.”

By posing as trusted contacts, attackers manipulate employees into granting access—allowing them to move laterally across networks, harvest credentials, and breach other departments or third-party systems.

Security First: Verify Every Request


Organisations are strongly advised to:

  1. Scrutinise all requests for changes to multi-factor authentication (MFA) settings.
  2. Enforce strict identity verification procedures, regardless of how convincing the caller may seem.
  3. In this evolving threat landscape, vigilance remains the strongest defense.

Read more »
FBI
cyber attack Cyber Security cyberattacks news cyberattacks on airline cyberattacks on transportation FBI

FBI Warns of Scattered Spider Cyberattacks on Airline and Transport Sectors

 

The FBI, along with top cybersecurity firms, has issued a fresh warning that the notorious hacking group Scattered Spider is expanding its targets to include the airline and broader transportation industries. In a statement released Friday and shared with TechCrunch, the FBI said it had “recently observed” cyber activity in the airline sector bearing the hallmarks of Scattered Spider’s tactics. 

Experts from Google’s Mandiant and Palo Alto Networks’ Unit 42 also confirmed they have identified attacks on aviation-related systems linked to the same group. Scattered Spider is widely known in cybersecurity circles as a loosely organized yet highly active group of hackers, believed to be comprised mainly of young, English-speaking individuals. Motivated largely by financial gain, the group is infamous for using sophisticated social engineering techniques, phishing campaigns, and even threats directed at corporate help desks to infiltrate systems. In some cases, their intrusions have led to the deployment of ransomware. 

The FBI’s alert highlighted the group’s pattern of targeting both major corporations and their third-party IT service providers. This broad approach means that anyone within the airline ecosystem from airline staff to external contractors could be a potential target. The warning follows a series of cyber incidents involving airlines. 

Hawaiian Airlines confirmed on Thursday that it was responding to a cyberattack affecting its systems. Meanwhile, Canadian carrier WestJet reported a breach on June 13 that is still ongoing. Media reports suggest that Scattered Spider may be responsible for the WestJet intrusion. 

This latest activity comes after a string of attacks by the group on other industries, including retail chains in the U.K. and several insurance companies. In the past, Scattered Spider has also been linked to breaches involving casinos, hotel groups, and large tech firms. Cybersecurity professionals warn that the group’s evolving methods and willingness to exploit human vulnerabilities make them a significant threat across sectors, especially industries reliant on large-scale digital infrastructure and third-party vendors.
Read more »
News
CloudFlare Cyber Security Cybersecurity DDOS Attack News

Cloudflare Thwarts Record-Breaking DDoS Attack as Global Threat Escalates

 

Cloudflare has successfully blocked the largest distributed denial-of-service (DDoS) attack ever recorded, marking a significant moment in the escalating battle against cyber threats. The attack peaked at an unprecedented 7.3 terabits per second (Tbps), targeting an unnamed hosting provider and unleashing 37.4 terabytes of data in just 45 seconds. Cloudflare’s Magic Transit service absorbed the blow, which was composed almost entirely—99.996%—of User Datagram Protocol (UDP) flood attacks. 

While UDP is commonly used for real-time applications like streaming and gaming due to its speed, that same characteristic makes it vulnerable to exploitation in high-volume cyberattacks. The remaining 0.004% of the traffic—about 1.3 GBps—included various amplification and reflection attack methods such as NTP reflection, Echo reflection, Mirai UDP flood, and RIPv1 amplification. This sliver alone would be enough to cripple most unprotected systems. 

What set this attack apart wasn’t just volume but velocity—it carpet-bombed an average of 21,925 destination ports per second, with peaks reaching 34,517 ports on a single IP address. The attack originated from over 122,000 unique IP addresses spanning 161 countries, with the most significant traffic coming from Brazil, Vietnam, Taiwan, China, Indonesia, and Ukraine. This historic attack is part of a growing wave of DDoS incidents. In the first quarter of 2025 alone, Cloudflare mitigated 20.5 million DDoS attacks—a staggering 358% increase from the same period last year. Nearly 700 of these were hyper-volumetric attacks, averaging eight per day and overwhelmingly leveraging network-layer vulnerabilities via UDP floods. 

Earlier this year, Cloudflare had also defended against a 6.5 Tbps strike linked to the Eleven11bot botnet, composed of tens of thousands of compromised webcams and IoT devices. The rise in DDoS activity is not just a technical issue—it’s being fueled by geopolitical tensions as well. According to Radware’s director of threat intelligence, Pascal Geenens, hacktivist DDoS attacks against U.S. targets surged by 800% in just two days in June, following U.S. involvement in the Israel-Iran conflict. Radware’s 2025 Global Threat Analysis Report highlights a 550% global increase in web-based DDoS attacks and a near 400% year-over-year growth in overall DDoS traffic volume. Experts warn that these attacks are only going to become more frequent and intense. To counter this threat, experts recommend a multi-layered defense strategy. 

Partnering with specialized DDoS mitigation providers such as Cloudflare, Akamai, Imperva, or Radware is essential for organizations that lack the infrastructure to defend against large-scale attacks. Blocking traffic from known malicious Autonomous System Numbers (ASNs) and using geoblocking can filter out harmful sources, although attackers often bypass these measures with spoofed IPs or botnets. Distributing network infrastructure can prevent single points of failure, while configuring routers and firewalls to block unsafe protocols like ICMP and FTP adds an additional line of defense. Businesses are also advised to work closely with their internet service providers to filter unnecessary traffic upstream. 

Deploying Web Application Firewalls (WAFs) is critical for defending against application-layer threats, and using multiple DNS providers with DNSSEC can ensure site availability even during attacks. Specialized tools like Wordfence for WordPress add another layer of protection for widely used platforms. Importantly, no single solution is sufficient. Organizations must adopt layered defenses and routinely test their systems through red team exercises using tools like HULK, hping3, or GoldenEye to identify vulnerabilities before attackers exploit them. Even small websites are no longer safe from DDoS campaigns. As cybersecurity journalist Steven Vaughan-Nichols noted, his personal site faces about a dozen DDoS attacks every week. In today's threat landscape, robust DDoS defense isn't a luxury—it’s a necessity.
Read more »
Generative AI
ai agents AI Assistant AI cybersecurity Ai Data AI DIgital Assistant AI technology Cyber Security Data Privacy Generative AI

Personal AI Agents Could Become Digital Advocates in an AI-Dominated World

 

As generative AI agents proliferate, a new concept is gaining traction: AI entities that act as loyal digital advocates, protecting individuals from overwhelming technological complexity, misinformation, and data exploitation. Experts suggest these personal AI companions could function similarly to service animals—trained not just to assist, but to guard user interests in an AI-saturated world. From scam detection to helping navigate automated marketing and opaque algorithms, these agents would act as user-first shields. 

At a recent Imagination in Action panel, Consumer Reports’ Ginny Fahs explained, “As companies embed AI deeper into commerce, it becomes harder for consumers to identify fair offers or make informed decisions. An AI that prioritizes users’ interests can build trust and help transition toward a more transparent digital economy.” The idea is rooted in giving users agency and control in a system where most AI is built to serve businesses. Panelists—including experts like Dazza Greenwood, Amir Sarhangi, and Tobin South—discussed how loyal, trustworthy AI advocates could reshape personal data rights, online trust, and legal accountability. 

Greenwood drew parallels to early internet-era reforms such as e-signatures and automated contracts, suggesting a similar legal evolution is needed now to govern AI agents. South added that AI agents must be “loyal by design,” ensuring they act within legal frameworks and always prioritize the user. Sarhangi introduced the concept of “Know Your Agent” (KYA), which promotes transparency by tracking the digital footprint of an AI. 

With unique agent wallets and activity histories, bad actors could be identified and held accountable. Fahs described a tool called “Permission Slip,” which automates user requests like data deletion. This form of AI advocacy predates current generative models but shows how user-authorized agents could manage privacy at scale. Agents could also learn from collective behavior. For instance, an AI noting a negative review of a product could share that experience with other agents, building an automated form of word-of-mouth. 

This concept, said panel moderator Sandy Pentland, mirrors how Consumer Reports aggregates user feedback to identify reliable products. South emphasized that cryptographic tools could ensure safe data-sharing without blindly trusting tech giants. He also referenced NANDA, a decentralized protocol from MIT that aims to enable trustworthy AI infrastructure. Still, implementing AI agents raises usability questions. “We want agents to understand nuanced permissions without constantly asking users to approve every action,” Fahs said. 

Getting this right will be crucial to user adoption. Pentland noted that current AI models struggle to align with individual preferences. “An effective agent must represent you—not a demographic group, but your unique values,” he said. Greenwood believes that’s now possible: “We finally have the tools to build AI agents with fiduciary responsibilities.” In closing, South stressed that the real bottleneck isn’t AI capability but structuring and contextualizing information properly. “If you want AI to truly act on your behalf, we must design systems that help it understand you.” 

As AI becomes deeply embedded in daily life, building personalized, privacy-conscious agents may be the key to ensuring technology serves people—not the other way around.
Read more »
User Privacy
Business Security Cyber Security Document-Borne Malware Malicious Campaign User Privacy

Here's Why Businesses Need to be Wary of Document-Borne Malware

 

The cybersecurity experts are constantly on the lookout for novel tactics for attack as criminal groups adapt to better defences against ransomware and phishing. However, in addition to the latest developments, some traditional strategies seem to be resurfacing—or rather, they never really went extinct. 

Document-borne malware is one such strategy. Once believed to be a relic of early cyber warfare, this tactic remains a significant threat, especially for organisations that handle huge volumes of sensitive data, such as those in critical infrastructure.

The lure for perpetrators is evident. Routine files, including Word documents, PDFs, and Excel spreadsheets, are intrinsically trusted and freely exchanged between enterprises, often via cloud-based systems. With modern security measures focussing on endpoints, networks, and email filtering, seemingly innocuous files can serve as the ideal Trojan horse. 

Reasons behind malicious actors using document-borne malware 

Attacks utilising malicious documents seems to be a relic. It's a decades-old strategy, but that doesn't make it any less detrimental for organisations. Still, while the concept is not novel, threat groups are modernising it to keep it fresh and bypass conventional safety procedures. This indicates that the seemingly outdated method remains a threat even in the most security-conscious sectors.

As with other email-based techniques, attackers often prefer to hide in plain sight. The majority of attacks use standard file types like PDFs, Word documents, and Excel spreadsheets to carry malware. Malware is typically concealed in macros, encoded in scripts like JavaScript within PDFs, or hidden behind obfuscated file formats and layers of encryption and archiving. 

These unassuming files are used with common social engineering approaches, such as a supplier invoice or user submission form. Spoofed addresses or hacked accounts are examples of email attack strategies that help mask malicious content. 

Organisations' challenges in defending against these threats 

Security analysts claim that document security is frequently disregarded in favour of other domains, such as endpoint protection and network perimeter. Although document-borne attacks are sufficiently commonplace to be overlooked, they are sophisticated enough to evade the majority of common security measures.

There is an overreliance on signature-based antivirus solutions, which frequently fail to detect new document-borne threats. While security teams are often aware of harmful macros, formats such as ActiveX controls, OLE objects, and embedded JavaScript may be overlooked. 

Attackers have also discovered that there is a considerable mental blind spot when it comes to documents that appear to have been supplied via conventional cloud-based routes. Even when staff have received phishing awareness training, there is a propensity to instinctively believe a document that arrives from an expected source, such as Google or Office 365.

Mitigation tips 

As with other evolving cyberattack strategies, a multi-layered strategy is essential to defending against document-borne threats. One critical step is to use a multi-engine strategy to malware scanning. While threat actors may be able to deceive one detection engine, using numerous technologies increases the likelihood of detecting concealed malware and minimises false negatives. 

Content Disarm and Reconstruction (CDR) tools are also critical. These sanitise and remove malicious macros, scripts, and active material while keeping the page intact. Suspect files can then be run through enhanced standboxes to detect previously unknown threats' malicious behaviour while in a controlled environment. 

The network should also be configured with strict file rules, such as limiting high-risk file categories and requiring user authentication before document uploads. Setting file size restrictions can also help detect malicious documents that have grown in size due to hidden coding. Efficiency and dependability are also important here. Organisations must be able to detect fraudulent documents in their regular incoming traffic while maintaining a rapid and consistent workflow for customers.
Read more »
LLM security
AI Models AI technology AI tools CISO Cyber Security Cybersecurity Researchers GenAI Generative AI generative AI tools LLM LLM Model LLM security

Security Teams Struggle to Keep Up With Generative AI Threats, Cobalt Warns

 

A growing number of cybersecurity professionals are expressing concern that generative AI is evolving too rapidly for their teams to manage. 

According to new research by penetration testing company Cobalt, over one-third of security leaders and practitioners admit that the pace of genAI development has outstripped their ability to respond. Nearly half of those surveyed (48%) said they wish they could pause and reassess their defense strategies in light of these emerging threats—though they acknowledge that such a break isn’t realistic. 

In fact, 72% of respondents listed generative AI-related attacks as their top IT security risk. Despite this, one in three organizations still isn’t conducting regular security evaluations of their large language model (LLM) deployments, including basic penetration testing. 

Cobalt CTO Gunter Ollmann warned that the security landscape is shifting, and the foundational controls many organizations rely on are quickly becoming outdated. “Our research shows that while generative AI is transforming how businesses operate, it’s also exposing them to risks they’re not prepared for,” said Ollmann. 
“Security frameworks must evolve or risk falling behind.” The study revealed a divide between leadership and practitioners. Executives such as CISOs and VPs are more concerned about long-term threats like adversarial AI attacks, with 76% listing them as a top issue. Meanwhile, 45% of practitioners are more focused on immediate operational challenges such as model inaccuracies, compared to 36% of executives. 

A majority of leaders—52%—are open to rethinking their cybersecurity strategies to address genAI threats. Among practitioners, only 43% shared this view. The top genAI-related concerns identified by the survey included the risk of sensitive information disclosure (46%), model poisoning or theft (42%), data inaccuracies (40%), and leakage of training data (37%). Around half of respondents also expressed a desire for more transparency from software vendors about how vulnerabilities are identified and patched, highlighting a widening trust gap in the AI supply chain. 

Cobalt’s internal pentest data shows a worrying trend: while 69% of high-risk vulnerabilities are typically fixed across all test types, only 21% of critical flaws found in LLM tests are resolved. This is especially alarming considering that nearly one-third of LLM vulnerabilities are classified as serious. Interestingly, the average time to resolve these LLM-specific vulnerabilities is just 19 days—the fastest across all categories. 

However, researchers noted this may be because organizations prioritize easier, low-effort fixes rather than tackling more complex threats embedded in foundational AI models. Ollmann compared the current scenario to the early days of cloud adoption, where innovation outpaced security readiness. He emphasized that traditional controls aren’t enough in the age of LLMs. “Security teams can’t afford to be reactive anymore,” he concluded. “They must move toward continuous, programmatic AI testing if they want to keep up.”
Read more »
User Security
AI tools Cyber Security Data Privacy Generative AI User Security

New Report Ranks Best And Worst Generative AI Tools For Privacy

 

Most generative AI companies use client data to train their chatbots. For this, they may use private or public data. Some services take a more flexible and non-intrusive approach to gathering customer data. Not so much for others. A recent analysis from data removal firm Incogni weighs the benefits and drawbacks of AI in terms of protecting your personal data and privacy.

As part of its "Gen AI and LLM Data Privacy Ranking 2025," Incogni analysed nine well-known generative AI services and evaluated their data privacy policies using 11 distinct factors. The following queries were addressed by the criteria: 

  • What kind of data do the models get trained on? 
  • Is it possible to train the models using user conversations? 
  • Can non-service providers or other appropriate entities receive prompts? 
  • Can the private data from users be erased from the training dataset?
  • How clear is it when training is done via prompts? 
  • How simple is it to locate details about the training process of models? 
  • Does the data collection process have a clear privacy policy?
  • How easy is it to read the privacy statement? 
  • Which resources are used to gather information about users?
  • Are third parties given access to the data? 
  • What information are gathered by the AI apps? 

The research involved Mistral AI's Le Chat, OpenAI's ChatGPT, xAI's Grok, Anthropic's Claude, Inflection AI's Pi, DeekSeek, Microsoft Copilot, Google Gemini, and Meta AI. Each AI performed well on certain questions but not so well on others. 

For instance, Grok performed poorly on the readability of its privacy policy but received a decent rating for how clearly it communicates that prompts are used for training. As another example, the ratings that ChatGPT and Gemini received for gathering data from their mobile apps varied significantly between the iOS and Android versions.

However, Le Chat emerged as the best privacy-friendly AI service overall. It did well in the transparency category, despite losing a few points. Additionally, it only collects a small amount of data and achieves excellent scores for additional privacy concerns unique to AI. 

Second place went to ChatGPT. Researchers at Incogni were a little worried about how user data interacts with the service and how OpenAI trains its models. However, ChatGPT explains the company's privacy standards in detail, lets you know what happens to your data, and gives you explicit instructions on how to restrict how your data is used. Claude and PI came in third and fourth, respectively, after Grok. Each performed reasonably well in terms of protecting user privacy overall, while there were some issues in certain areas. 

"Le Chat by Mistral AI is the least privacy-invasive platform, with ChatGPT and Grok following closely behind," Incogni noted in its report. "These platforms ranked highest when it comes to how transparent they are on how they use and collect data, and how easy it is to opt out of having personal data used to train underlying models. ChatGPT turned out to be the most transparent about whether prompts will be used for model training and had a clear privacy policy.” 

In its investigation, Incogni discovered that AI firms exchange data with a variety of parties, including service providers, law enforcement, members of the same corporate group, research partners, affiliates, and third parties. 

"Microsoft's privacy policy implies that user prompts may be shared with 'third parties that perform online advertising services for Microsoft or that use Microsoft's advertising technologies,'" Incogni added in the report. "DeepSeek's and Meta's privacy policies indicate that prompts can be shared with companies within its corporate group. Meta's and Anthropic's privacy policies can reasonably be understood to indicate that prompts are shared with research collaborators.” 

You can prevent the models from being trained using your prompts with some providers. This is true for Grok, Mistral AI, Copilot, and ChatGPT. However, based on their privacy rules and other resources, it appears that other services do not allow this kind of data collecting to be stopped. Gemini, DeepSeek, Pi AI, and Meta AI are a few of these. In response to this concern, Anthropic stated that it never gathers user input for model training. 

Ultimately, a clear and understandable privacy policy significantly helps in assisting you in determining what information is being gathered and how to opt out.
Read more »
NSA
Bank Security Banking Security CISA Cyber Security cybersecurity concerns Financial Institutions Hacker attack Iran hackers Iran-based hacker group Iranian cyber attack NSA

Iranian Hackers Threaten More Trump Email Leaks Amid Rising U.S. Cyber Tensions

 

Iran-linked hackers have renewed threats against the U.S., claiming they plan to release more emails allegedly stolen from former President Donald Trump’s associates. The announcement follows earlier leaks during the 2024 presidential race, when a batch of messages was distributed to the media. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded by calling the incident “digital propaganda,” warning it was a calculated attempt to discredit public officials and mislead the public. CISA added that those responsible would be held accountable, describing the operation as part of a broader campaign by hostile foreign actors to sow division. 

Speaking virtually with Reuters, a hacker using the alias “Robert” claimed the group accessed roughly 100 GB of emails from individuals including Trump adviser Roger Stone, legal counsel Lindsey Halligan, White House chief of staff Susie Wiles, and Trump critic Stormy Daniels. Though the hackers hinted at selling the material, they provided no specifics or content. 

The initial leaks reportedly involved internal discussions, legal matters, and possible financial dealings involving RFK Jr.’s legal team. Some information was verified, but had little influence on the election, which Trump ultimately won. U.S. authorities later linked the operation to Iran’s Revolutionary Guard, though the hackers declined to confirm this. 

Soon after Trump ordered airstrikes on Iranian nuclear sites, Iranian-aligned hackers began launching cyberattacks. Truth Social, Trump’s platform, was briefly knocked offline by a distributed denial-of-service (DDoS) attack claimed by a group known as “313 Team.” Security experts confirmed the group’s ties to Iranian and pro-Palestinian cyber networks. 

The outage occurred shortly after Trump posted about the strikes. Users encountered error messages, and monitoring organizations warned that “313 Team” operates within a wider ecosystem of groups supporting anti-U.S. cyber activity. 

The Department of Homeland Security (DHS) issued a national alert on June 22, citing rising cyber threats linked to Iran-Israel tensions. The bulletin highlighted increased risks to U.S. infrastructure, especially from loosely affiliated hacktivists and state-backed cyber actors. DHS also warned that extremist rhetoric could trigger lone-wolf attacks inspired by Iran’s ideology. 

Federal agencies remain on high alert, with targeted sectors including defense, finance, and energy. Though large-scale service disruptions have not yet occurred, cybersecurity teams have documented attempted breaches. Two groups backing the Palestinian cause claimed responsibility for further attacks across more than a dozen U.S. sectors. 

At the same time, the U.S. faces internal challenges in cyber preparedness. The recent dismissal of Gen. Timothy Haugh, who led both the NSA and Cyber Command, has created leadership uncertainty. Budget cuts to election security programs have added to concerns. 

While a military ceasefire between Iran and Israel may be holding, experts warn the cyber conflict is far from over. Independent threat actors and ideological sympathizers could continue launching attacks. Analysts stress the need for sustained investment in cybersecurity infrastructure—both public and private—as digital warfare becomes a long-term concern.
Read more »
Jammu airport
Air India Express airline safety aviation security India Cyber Security flight returns Delhi GPS interference GPS Spoofing Jammu airport

Air India Express Flight Returns Mid-Air After Suspected GPS Spoofing Near Jammu Border

 

In an unusual and concerning incident, an Air India Express flight en route from Delhi to Jammu was forced to return to Indira Gandhi International Airport on Monday due to suspected GPS spoofing near India's border region.

Carrying 160 passengers, the flight reportedly reached Jammu’s airspace but was unable to land and began circling the area before flying back to Delhi. A replacement flight was arranged approximately six hours later, and passengers reached Jammu significantly behind schedule.

Spoofing involves intentional manipulation of GPS signals — vital for aircraft navigation — leading the aircraft to incorrect or misleading locations. Flight No. IX 2564, operated on an Airbus A320, departed from Terminal 3 at 11:05 am and returned at 1:28 pm, according to flight tracking platform Flightaware.

An Air India Express spokesperson stated, “Our Delhi–Jammu flight returned to Delhi as a precautionary measure, following a suspected GPS interference incident. Subsequently, an alternative flight was organised to connect guests to Jammu. We regret the inconvenience caused. Instances of GPS signal interference have been reported by operators while flying over certain sensitive regions.”

Given the aircraft’s proximity to Pakistan, the pilot is believed to have opted for a precautionary return rather than risk a deviation into potentially hostile airspace.

Aviation expert Captain Mohan Ranganthan noted, “For the last two years, there have been reports of GPS spoofing in places like Pakistan, Iran, some parts of the Middle East and even Myanmar. It often happens in war zones. This kind of spoofing is done deliberately but we cannot say for sure who is involved in it.”

The incident adds to growing global concerns around aviation safety in geopolitically sensitive regions.
Read more »
WormGPT
AI Tool Cyber Security Grok Mistral WormGPT

Jailbroken Mistral And Grok Tools Are Used by Attackers to Build Powerful Malware

 

The latest findings by Cato Networks suggests that a number of jailbroken and uncensored AI tool variations marketed on hacker forums were probably created using well-known commercial large language models like Mistral AI and X's Grok.

A parallel underground market has developed offering to sell more uncensored versions of the technology, while some commercial AI companies have attempted to incorporate safety and security safeguards into their models to prevent them from explicitly coding malware, transmitting detailed instructions for building bombs, or engaging in other malicious behaviours. 

These "WormGPTs," which receive their name from one of the first AI tools that was promoted on underground hacker forums in 2023, are typically assembled from open-source models and other toolkits. They are capable of creating code, finding and analysing vulnerabilities, and then being sold and promoted online. However, two variants promoted on BreachForums in the last year had simpler roots, according to researcher Vitaly Simonovich of Cato Networks.

Named after one of the first AI tools that was promoted on underground hacker forums in 2023, these "WormGPTs" are typically assembled from open-source models and other toolkits and are capable of generating code, searching for and analysing vulnerabilities, and then being sold and marketed online. 

However, Vitaly Simonovich, a researcher at Cato Networks, reveals that two variations promoted on BreachForums in the last year had straightforward origins. “Cato CTRL has discovered previously unreported WormGPT variants that are powered by xAI’s Grok and Mistral AI’s Mixtral,” he wrote. 

One version was accessible via Telegram and was promoted on BreachForums in February. It referred to itself as a “Uncensored Assistant” but otherwise described its function in a positive and uncontroversial manner. After gaining access to both models and beginning his investigation, Simonovich discovered that they were, as promised, mainly unfiltered. 

In addition to other offensive capabilities, the models could create phishing emails and build malware that stole PowerShell credentials on demand. However, he discovered prompt-based guardrails meant to hide one thing: the initial system prompts used to build those models. He was able to evade the constraints by using an LLM jailbreaking technique to access the first 200 tokens processed by the system. The answer identified xAI's Grok as the underlying model that drives the tool.

“It appears to be a wrapper on top of Grok and uses the system prompt to define its character and instruct it to bypass Grok’s guardrails to produce malicious content,” Simonovich added.

Another WormGPT variant, promoted in October 2024 with the subject line "WormGPT / 'Hacking' & UNCENSORED AI," was described as an artificial intelligence-based language model focused on "cyber security and hacking issues." The seller stated that the tools give customers "access to information about how cyber attacks are carried out, how to detect vulnerabilities, or how to take defensive measures," but emphasised that neither they nor the product accept legal responsibility for the user's actions.
Read more »
Software
Cyber Security IT Security JFrog Security malware python Software

New Malicious Python Package Found Stealing Cloud Credentials

 


A dangerous piece of malware has been discovered hidden inside a Python software package, raising serious concerns about the security of open-source tools often used by developers.

Security experts at JFrog recently found a harmful package uploaded to the Python Package Index (PyPI) – a popular online repository where developers share and download software components. This specific package, named chimera-sandbox-extensions, was designed to secretly collect sensitive information from developers, especially those working with cloud infrastructure.

The package was uploaded by a user going by the name chimerai and appears to target users of the Chimera sandbox— a platform used by developers for testing. Once installed, the package launches a chain of events that unfolds in multiple stages.

It starts with a function called check_update() which tries to contact a list of web domains generated using a special algorithm. Out of these, only one domain was found to be active at the time of analysis. This connection allows the malware to download a hidden tool that fetches an authentication token, which is then used to download a second, more harmful tool written in Python.

This second stage of the malware focuses on stealing valuable information. It attempts to gather data such as Git settings, CI/CD pipeline details, AWS access tokens, configuration files from tools like Zscaler and JAMF, and other system-level information. All of this stolen data is bundled into a structured file and sent back to a remote server controlled by the attackers.

According to JFrog’s research, the malware was likely designed to go even further, possibly launching a third phase of attack. However, researchers did not find evidence of this additional step in the version they analyzed.

After JFrog alerted the maintainers of PyPI, the malicious package was removed from the platform. However, the incident serves as a reminder of the growing complexity and danger of software supply chain attacks. Unlike basic infostealers, this malware showed signs of being deliberately crafted to infiltrate professional development environments.

Cybersecurity experts are urging development and IT security teams to stay alert. They recommend using multiple layers of protection, regularly reviewing third-party packages, and staying updated on new threats to avoid falling victim to such sophisticated attacks.

As open-source tools continue to be essential in software development, such incidents highlight the need for stronger checks and awareness across the development community.

Read more »
Subscribe to: Posts (Atom)