Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Security. Show all posts
trending news
Africa under cyber threats bfsi BFSI cyber security Cyber Security News trending news

Cyber Threats Surge Across Africa’s Financial Sector, Urging Stronger Cybersecurity Defenses

 

In 2024, the financial landscape in Africa has been rocked by a series of high-impact cyberattacks, underscoring the urgent need for enhanced digital defenses across the Banking, Financial Services, and Insurance (BFSI) sector. From Uganda to Zimbabwe and South Africa, institutions are increasingly in the crosshairs of sophisticated cybercriminal groups. One of the most alarming incidents involved the Bank of Uganda, which reportedly lost approximately $16.8 million to an offshore hacking group known as “Waste.” 

In a similar breach of security, ZB Financial Holdings in Zimbabwe suffered a ransomware attack in July that led to substantial data exposure, compromising both customer details and operational systems. South Africa’s Standard Bank also confirmed a recent data breach that affected limited personal and financial data, highlighting how widespread and varied these threats have become. Interpol’s 2024 African Cyberthreat Assessment paints a grim picture—cyberattacks on African businesses surged by 23% in 2023, with ransomware and data breaches being the most prevalent. 

These figures reflect not only a rising frequency but also the growing sophistication of cybercrime on the continent. The IBM 2024 Cost of a Data Breach report further reveals that the average cost of a data breach in South Africa has risen sharply to R53.1 million, a significant jump from R49.45 million the previous year. Historical incidents continue to serve as cautionary tales. The 2020 Experian breach compromised 24 million personal records, while the 2023 Medusa ransomware attack on the Bank of Africa’s Malian unit resulted in the leak of 2TB of sensitive data. 

These events demonstrate the severe financial and reputational risks African financial institutions face. As the sector increasingly adopts technologies such as artificial intelligence, blockchain, and cloud computing, new avenues for cyber exploitation have emerged. Threats like phishing schemes, insider sabotage, and regulatory compliance issues now loom larger than ever before. “Cybercrime is evolving at an alarming rate, and financial institutions in Africa are prime targets,” said Abe Wakama, CEO of IT News Africa. 

“The BFSI Security Summit will offer a vital platform for industry leaders to collaborate, exchange knowledge, and deploy effective strategies to protect their institutions,” he further added. 

Cybersecurity experts and Chief Information Security Officers (CISOs) across the continent are responding by urging a multi-layered approach to digital defense—deploying AI-powered threat detection systems, implementing zero trust security models, and ensuring compliance with key data privacy regulations like South Africa’s Protection of Personal Information Act (POPIA) and the EU’s GDPR. Additional measures such as continuous monitoring, advanced endpoint protection, and robust incident response planning are becoming standard practice. Equally critical are human factors—regular employee training and rigorous penetration testing play a pivotal role in building organizational cyber resilience.
Read more »
Sanctions
Crypto Exchange cryptocurrency cryptocurrency security Cyber Security financial risks Garantex Russian Crypto Sanctions

Sanctioned Russian Crypto Exchange Garantex Allegedly Rebrands as Grinex

 

International efforts to dismantle illicit financial networks are facing new challenges, as the recently sanctioned Russian cryptocurrency exchange Garantex appears to have rebranded and resumed operations under a new name—Grinex. Reports from blockchain analytics firm Global Ledger suggest that Grinex may be a direct successor to Garantex, which was shut down earlier this month in a joint operation by law enforcement agencies from the U.S., Germany, and Finland. 

Despite the crackdown, Global Ledger researchers have identified on-chain movements linking the two exchanges, including the transfer of Garantex’s holdings in a ruble-backed stablecoin, A7A5, to wallets controlled by Grinex. Off-chain clues further support the connection, such as the sudden surge in trading volume—Grinex reportedly handled over $40 million in transactions within two weeks of its launch. According to Lex Fisun, CEO of Global Ledger, social media activity also suggests a direct relationship between the platforms.

In a Telegram post, Sergey Mendeleev, a known figure associated with Garantex, downplayed the similarities between the two exchanges while making light of the situation. Meanwhile, reports indicate that former Garantex users have been transferring funds at the exchange’s physical offices in Europe and the Middle East, strengthening claims that Grinex is simply a rebranded version of the defunct platform. While leading blockchain analytics firms such as Chainalysis and TRM Labs have yet to verify these findings, Andrew Fierman, Head of National Security Intelligence at Chainalysis, acknowledged that early indicators point to a connection between Garantex and Grinex. 

However, a full assessment of Grinex’s infrastructure is still underway. If Grinex is indeed a rebranded Garantex, it would not be the first time a sanctioned exchange has attempted to evade regulatory scrutiny through rebranding. Similar cases have been observed in the past—BTC-E, a Russian exchange taken down by U.S. authorities in 2017, later reemerged as WEX, only to collapse due to internal conflicts. Likewise, Suex, another Russian exchange sanctioned for facilitating illicit transactions, resurfaced as Chatex before facing renewed enforcement actions. 

The reappearance of Garantex in another form underscores the persistent difficulties regulators face in enforcing financial sanctions. Despite the seizure of its servers and domain, the exchange’s infrastructure appears to have been quickly reestablished under a new identity. Experts warn that non-compliant exchanges operating in high-risk regions will continue to find ways to circumvent restrictions. Before its takedown, Garantex had been identified as a hub for money laundering and illicit financial transactions. 

The U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the exchange in 2022, citing its involvement in facilitating payments for ransomware groups such as Black Basta and Conti, as well as its ties to darknet marketplaces like Hydra. Court documents also revealed that Garantex provided financial services to North Korea’s Lazarus Group, a state-backed hacking organization responsible for some of the largest cryptocurrency heists in history, including the $1.4 billion Bybit hack.

Additionally, Russian oligarchs reportedly used the platform to bypass economic sanctions imposed after Russia’s invasion of Ukraine. Two individuals linked to Garantex’s operations, Lithuanian national and Russian resident Aleksej Besciokov and Russian citizen Aleksandr Mira Serda, have been charged with conspiracy to commit money laundering. Besciokov was arrested in India earlier this month while on vacation with his family and is expected to be extradited to the U.S. to face trial. 

While authorities work to contain illicit financial activity in the crypto space, the rapid emergence of Grinex serves as a reminder of how easily such operations can adapt and reappear under new identities. Analysts warn that other high-risk exchanges in Russia, such as ABCEX and Keine-Exchange, are poised to take advantage of regulatory loopholes and fill the void left by Garantex’s shutdown.
Read more »
North Korea
Cyber Intelligence Cyber Researchers Cyber Security Cyber Warfare cybersecurity research North Korea

North Korea Establishes Research Center 227 to Strengthen Cyber Warfare Capabilities

 

North Korea has reportedly launched a new cyber research unit, Research Center 227, as part of its efforts to enhance hacking capabilities and intelligence operations. According to Daily NK, this center is expected to function continuously, providing real-time support to North Korean intelligence agencies by developing advanced cyber tools. 

The initiative highlights North Korea’s increasing reliance on cyber warfare as a key component of its broader security strategy. In February 2025, North Korean leadership directed the Reconnaissance General Bureau (RGB) under the General Staff Department to strengthen the nation’s offensive cyber capabilities. As part of this directive, Research Center 227 was formed to focus on the development of sophisticated hacking techniques and cyber warfare tools. 

These efforts are primarily aimed at infiltrating foreign cybersecurity systems, disrupting critical infrastructure, and stealing sensitive data from targeted nations. The research facility will recruit approximately 90 highly skilled professionals, including graduates from top universities and individuals with advanced degrees in computer science. Unlike frontline cyber operatives who execute attacks, these researchers will focus on creating and refining malware, intrusion methods, and other offensive cyber tools. 

By centralizing its cyber research efforts, North Korea aims to develop more sophisticated digital weapons that can be deployed by operational hacking units in intelligence and espionage missions. North Korea has significantly expanded its cyber operations in recent years, with its state-sponsored hacking groups, such as Lazarus, launching large-scale attacks across the globe. These groups have been responsible for financial cybercrimes, espionage, and the theft of cryptocurrency, targeting both private companies and government agencies. 

Their activities have included spreading malware, infiltrating secure networks, and deploying information-stealing tools to compromise Western organizations. One particularly deceptive tactic used by North Korean hackers is the “Contagious Interview” campaign, in which cybercriminals pose as recruiters or hiring managers to manipulate professionals into downloading malicious software disguised as video conferencing applications. 

This technique has allowed hackers to gain access to corporate systems and steal valuable credentials. Additionally, there have been numerous cases of North Korean operatives using false identities to secure employment in global technology firms, potentially accessing critical software infrastructure or engaging in fraudulent activities. With the establishment of Research Center 227, North Korea is likely to intensify its cyber warfare operations, making its hacking activities more strategic and efficient. 

The development of custom malware, sophisticated intrusion techniques, and advanced cyber espionage methods could further increase the scale and complexity of North Korean cyberattacks. As these threats evolve, governments and cybersecurity professionals worldwide will need to bolster their defenses against the growing risks posed by North Korea’s cyber capabilities.
Read more »
Security Flaws
Cyber Security Extension Malware Detection Malwares Marketplace Microsoft Microsoft security Ransomwares Security Flaws

Ransomware Found in VSCode Extensions Raises Concerns Over Microsoft’s Security Review

 

Cybersecurity experts have discovered ransomware hidden within two Visual Studio Code (VSCode) Marketplace extensions, raising concerns about Microsoft’s ability to detect malicious software in its platform. The compromised extensions, named “ahban.shiba” and “ahban.cychelloworld,” were downloaded by users before security researchers flagged them and they were subsequently removed. 

Despite Microsoft’s security measures, the extensions remained publicly accessible for a significant period, highlighting potential gaps in the company’s review process. The “ahban.cychelloworld” extension was first uploaded on October 27, 2024, followed by “ahban.shiba” on February 17, 2025. The VSCode Marketplace, designed to provide developers with additional tools for Microsoft’s popular coding platform, has come under scrutiny for failing to identify these threats. 

Researchers at ReversingLabs determined that both extensions included a PowerShell script that connected to a remote Amazon Web Services (AWS) server to download further malicious code. This secondary payload functioned as ransomware, though evidence suggests it was still in a testing phase. 

Unlike traditional ransomware that encrypts entire systems, this malware specifically targeted files stored in C:\users%username%\Desktop\testShiba.  Once the encryption was complete, victims received a Windows notification stating: “Your files have been encrypted. Pay 1 ShibaCoin to ShibaWallet to recover them.” However, no further instructions or payment details were provided, suggesting the malware was not yet fully developed.  

Although Microsoft eventually removed the extensions, security researcher Italy Kruk from ExtensionTotal disclosed that their automated detection system had identified the malicious code much earlier. Kruk stated that they had alerted Microsoft about the issue but received no response. Further analysis revealed that the initial version of “ahban.cychelloworld” was clean, but the ransomware was introduced in version 0.0.2, which was released on November 24, 2024. ExtensionTotal flagged this version to Microsoft on November 25, yet the extension remained available for months. 

During this time, five more versions were uploaded, all containing the same ransomware. This case has intensified concerns about Microsoft’s ability to monitor third-party extensions effectively. The security lapse within the VSCode Marketplace highlights the risk developers face when downloading extensions, even from official sources. Microsoft has previously faced criticism for both slow responses to security threats and for mistakenly removing non-malicious extensions. 

A notable example involved two popular VSCode themes, ‘Material Theme – Free’ and ‘Material Theme Icons – Free,’ which were taken down due to suspected obfuscated JavaScript. However, after further review, Microsoft determined the extensions were safe, reinstated them, and apologized, promising improvements to its security screening process. The presence of ransomware in widely used developer tools underscores the need for stronger security measures. Developers must stay cautious, regularly update security protocols, and carefully evaluate third-party extensions before installing them, even when they come from official platforms like the VSCode Marketplace.
Read more »
Ransomware attack
Cyber Security Cybersecurity Digital Security free file converter risks Identity Theft malware protection Online Safety Ransomware attack

FBI Warns Against Free Online File Converters as Potential Cybersecurity Threats

 

Free online file converters have become a popular choice for users looking to convert files into different formats. Whether transforming a PDF into a Word document or switching between media formats, these tools offer convenience with just a few clicks. However, the FBI has issued a warning about the hidden dangers associated with such services.

Despite their ease of use, free file conversion tools may serve as a gateway for malware, potentially compromising users’ sensitive data. According to TechRadar, the FBI has identified certain converters that embed malicious software into the converted files. This malware can infect the user's system, allowing hackers to steal personal and financial information undetected.

Once installed, malware can extract crucial data, including:
  • Full names and home addresses
  • Social Security numbers
  • Banking and financial details
  • Cryptocurrency wallets and access keys
The stolen information is often exploited for identity theft, financial fraud, and other cybercrimes. In some cases, hackers deploy ransomware, which locks victims out of their own systems and demands a hefty ransom for data recovery.

Ransomware attacks have surged, affecting both businesses and individuals. When malware encrypts files, victims face a difficult choice—either pay the ransom or lose access to critical data. The FBI emphasizes that these threats are not limited to corporations; everyday internet users relying on free online tools are also at risk. A report from Cisco Talos highlights ransomware as one of the most significant security threats in recent years.

Mark Michalek, FBI Denver Special Agent in Charge, advises that awareness and education are the best defenses against malware attacks. To minimize risks, users should follow these cybersecurity best practices:
  • Use trusted sources – Only download or use file conversion tools from reputable websites and developers.
  • Keep security software updated – Install and regularly update antivirus and anti-malware programs to detect potential threats.
  • Avoid suspicious links and attachments – Do not open files or click on links from unknown sources.
  • Maintain data backups – Regularly back up important files to prevent data loss in case of an attack.

If you suspect that malware has been installed through a file converter, take immediate action:
  • Disconnect from the internet to prevent further data compromise.
  • Run a full system scan using reputable antivirus software to detect and remove malicious files.
  • Report the incident to law enforcement to document the attack and seek assistance.
While free online file converters provide convenience, they also pose significant cybersecurity risks. Users must remain vigilant and prioritize safety when handling digital files. By adopting precautionary measures and staying informed, individuals can protect their sensitive data from cyber threats.
Read more »
Vulnerabiliies
Cyber Security Cyberattacks GitHub Security Breach Supply Chain. CI/CD Vulnerabiliies

GitHub Action Security Breach Raises Concerns Over Supply Chain Risks

 


An attack of a cascading supply chain was recently triggered by the compromise of the GitHub action "reviewdog/action-setup@v1", which ultimately led to the security breach of the "tj-actions/changed-files" repository. As a result of this breach, unintended secrets about continuous integration and delivery were exposed, raising concerns about the integrity of software supply chains. 

There was a malicious code in the tj-actions/changed-files application last week, which introduced malicious code that was capable of extracting CI/CD secrets from the workflow logs and logging them within the log files. This incident affected approximately 23,000 repositories. Even though these logs were not accessible to the public, this exposure highlights significant security risks. In the case that the logs had become public, the attacker would have been able to gain unauthorized access to vital credentials.

Even though there has been an ongoing investigation into tj-actions/changed files, its developers have been unable to determine exactly how the attackers compromised GitHub's Personal Access Token (PAT) to gain access to critical data. For the unauthorized changes to be made, this token, which was used by an automated bot to modify code, appears to have played a pivotal role in the process. GitHub Actions and CI/CD pipelines need to be enhanced to prevent the spread of software supply chain vulnerabilities. This incident underscores the increasing threat of software supply chain vulnerabilities. 

A critical security breach has been identified in the widely used third-party GitHub Action, tj-actions/changed-files, that has been assigned the CVE-2025-30066 vulnerability. When a supply chain attack compromises the action that tracks file changes in pull requests and commits, it results in unauthorized disclosure of sensitive credentials since this action tracks file modifications. Among the secrets that were exposed were valid access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys. 

A security patch was implemented in version 46.0.1 as a response to the incident to mitigate the risk associated with it. As a result of an updated analysis from March 19, 2025, security researchers have suggested that this breach may have been the result of a similar compromise of another GitHub action, reviewdog/action-setup@v1, identified as CVE-2025-30154 by security researchers. Considering the timing of both incidents and the growing threat landscape surrounding software supply chains, there is a strong likelihood that there is a connection between them. 

The developments highlighted in this article underscore the importance of conducting rigorous security audits and maintaining enhanced monitoring practices within the GitHub ecosystem to prevent future threats. In the recent past, there was a security breach affecting GitHub Action tj-actions/changed-files that exposed critical security vulnerabilities in software supply chains, emphasizing the risks associated with third-party dependencies in continuous integration/continuous delivery. 

Through GitHub Actions, a widely used automation platform, developers can optimize their workflows through reusable components, allowing them to save time and money. However, due to the compromise of tj-actions/changed-files—a tool that detects changes in files in pull requests and commits—over 23,000 repositories were accessed unauthorized, resulting in the theft of sensitive workflow secrets. A security researcher first noticed unusual activity related to the repository on March 14, 2025, which led to the discovery of the breach. 

A malicious payload has been injected into CI/CD runners in an attempt to extract CI/CD runner memory, which exposed critical environment variables and workflow secrets within logs, which were discovered to have been injected by the attackers. An exploit like this could result in unauthorized access to confidential credentials, thereby posing a significant security risk to the organization. Having been provided with a critical lead by security researcher Adnan Khan, it has been confirmed that the root cause of this compromise stems from another GitHub Action called reviewdog/action-setup, which an independent organization maintains. 

The investigation revealed that the tj-actions/changed-files action was compromised because it was dependent on the tj-actions/eslint-changed-files action, which was itself dependent on the reviewdog/action-setup action. In addition to the attack on the review dog organization, multiple activities were also affected within that organization, indicating that the attack was more widespread than that. Maintainers of TJ-actions and Review Dog quickly mitigated this incident by implementing security patches and reducing further risks. 

To counteract growing threats within software supply chains, continuous security monitoring, dependency validation, and rapid mitigation strategies must be implemented to protect continuous integration/continuous delivery pipelines from future attacks. Wiz, one of the leading security firms, recommended that developers evaluate their potential exposure by performing a GitHub query to determine if any references to reviewdog/action-setup@v1 were found in their repositories. 

As part of this process, it is important to determine if any of the projects might have been compromised by the recent supply chain compromise. It would be prudent to treat the detection of double-encoded base64 payloads within workflow logs as a confirmation of the leakage of sensitive information. If this happens, immediate remediation measures are required to prevent further security incidents. 

To reduce the risks associated with compromised actions, developers are advised to remove all references to these actions across branches, remove workflow logs that might contain exposed credentials, and rotate any potentially compromised secrets so that unauthorized access cannot occur. There is a need to take proactive security measures, such as pin GitHub Actions to specific commit hashes rather than version tags to reduce the probability that similar breaches will occur in the future. Furthermore, by utilizing GitHub's allow-listing feature, we can restrict unauthorized actions and enhance the security of our repositories. 

One must respond quickly to supply chain attacks, which may have far-reaching consequences as well as leak CI/CD secrets. Immediately following the breach, organizations must take steps to contain the breach, and they must develop long-term security strategies to protect themselves against future threats as well. The companies that are potentially impacted by this GitHub Actions supply chain attack should take immediate measures to protect their systems from further harm. To effectively counteract unauthorized access and further exploitation, all exposed secrets must be rotated. This is especially true for those secrets that were used between March 14 and March 15, 2025. 

Failure to replace compromised credentials could result in further exploitation. Further, security teams need to thoroughly review CI/CD workflows, paying close attention to unexpected outputs, particularly within the section on "changed files". There is a good chance that any anomalies may indicate an unauthorized modification or possible data leak. All workflow references should be updated to point to specific commit hashes rather than mutable tags so that they can be used to enhance security and mitigate the risk of a similar incident in the future. This will reduce the risk that attackers may inject malicious code into widely used GitHub Actions in the future. 

A robust security policy is also crucial for organizations. For this reason, organizations must utilize GitHub's allow-listing feature to restrict access to unauthorized actions, and they should conduct regular security audits of their third-party dependencies before integrating them into workflows. This kind of prevention measure can greatly reduce the chances of an attack on the supply chain or an unauthorized change in the source code. As a result of the recent breach, it has been highlighted how widely used automation tools are prone to vulnerabilities, which emphasizes the need to maintain continuous security monitoring and develop proactive defence strategies. 

Although some organizations, like Coinbase, successfully mitigated the impact of this incident, it serves as a reaffirmation that all organizations should continue strengthening their security postures and remain vigilant when it comes to evolving threats in the software industry. Recent information about a security breach with GitHub Actions confirms that the threats associated with supply chain attacks are continuing to grow in the modern software development industry. It has become increasingly important for organizations to enforce strong security frameworks for the sake of preventing cyber threats by implementing continuous monitoring mechanisms, thorough dependency audits, and enhanced access controls as cyber threats become more sophisticated. 

CI/CD pipelines need to be protected against unauthorized intrusions at all costs, and this incident highlights the urgency for proactive defense strategies to prevent this type of activity. Teams can mitigate vulnerabilities and ensure their workflows are protected by adopting secure coding best practices, enforcing strict authentication policies, and utilizing GitHub's security features, if they implement secure coding practices and enforce strict authentication policies. As software supply chain security has become a world-wide concern, maintaining vigilance and immediate response to incidents is crucial to ensuring operational integrity and resilience against evolving threats in an era when it has become paramount.
Read more »
Online Safety
Cyber Security Cyber websites CyberCrime CyberThreat ICE Online Safety

ICE Expands Online Surveillance With Tool Tracking 200+ Websites

 


To ensure the safety of citizens throughout the world, and to enforce immigration laws, the Department of Homeland Security and Immigration and Customs Enforcement (ICE) have always relied heavily on social media monitoring as an essential component of their respective operations. As an integral part of the agency's “enhanced screening” protocols, which are applied to foreign nationals upon their arrival in the United States, such monitoring has been an integral part of the agency's programs for several years. 

In addition to enforcing the protocols at borders and international airports, even visitors who are visiting the country for a limited period are subject to them. As part of its extensive surveillance efforts, ICE has utilized a range of technological tools. These techniques include purchasing location information from third-party data brokers, accessing utility bill databases, and utilizing other information sources to track undocumented immigrants. 

In addition to gathering vast amounts of personal information, these methods enable the agency to conduct enforcement activities that are aimed at improving the quality of life of Americans. Recent developments have shown that ICE has adopted a new, advanced surveillance tool that is capable of continuously gathering, organizing, and analyzing information from various online platforms. As reported by Joseph Cox for 404 Media, this tool combines data from several social media services and websites to expand the capability of ICE in terms of digital surveillance.

In the course of implementing this technology, Immigration and Customs Enforcement (ICE) is taking steps to improve its monitoring and data-gathering strategies in response to the threat that the agency is facing. The agency is preparing to expand its efforts to monitor and analyze online discourse as part of its digital surveillance efforts. These initiatives will be focused on individuals who are expressing negative opinions about the agency or making threats against its personnel. 

A recent request for information issued by ICE in November called for private sector companies that can improve the organization's monitoring capabilities to aid it in countering an increasing number of external threats, which are being spread through social media and other online platforms. As part of its 15-page statement outlining its objectives, the agency detailed the requirements for a specialized contractor to conduct extensive online monitoring as part of their monitoring efforts. 

In order to identify potential risks, it would be the responsibility of the selected entity to scan social media networks, publicly accessible online databases, the deep web, and the dark web. As part of ICE's efforts to pinpoint and assess potential threats, it has specified the need for advanced analytical tools such as geolocation tracking, psychological profiling, and facial recognition to assist in this process. These increased monitoring efforts have resulted in increased scrutiny of individuals who have consistently made negative statements about ICE or who have mentioned specific immigration enforcement personnel on social media. 

Through this initiative, the agency is showing its commitment to strengthening its security measures through enhanced digital surveillance and intelligence collection techniques. It was in November, just after Trump's electoral victory, when Immigration and Customs Enforcement (ICE) announced multiple solicitations on federal procurement websites, seeking contractors for enhancing, upgrading, and expanding its technological capabilities so that it can better track, monitor, and monitor noncitizens. 

Trump's administration has been supporting the ICE agency despite its history of violating human rights, mistreating its detainees, and committing misconduct within its detention facilities and deportation operations. In his campaign, Trump promised that he would implement large-scale deportations, which he promptly carried out during his presidency. His administration took action within a couple of days after taking office by authorizing nationwide immigration enforcement operations, robbing ICE of restrictions on its activities in sensitive locations, including schools, hospitals, and places of worship. This policy shift enabled the department to take effective action against immigration violations everywhere. 

There was also the passage of the Laken Riley Act during the same time these measures were taking place, which gave ICE the authority to deport individuals convicted of minor offences, such as shoplifting, regardless of whether conviction had been obtained or not. As a result of bipartisan support, ten senators and 48 members of the House of Representatives voted in favour of this legislation, which has been criticized for undermining due process rights. As ICE is poised to expand its surveillance apparatus, policy changes are not the only factor driving it. 

Additionally, private contractors have financial interests that are influenced by these entities as they strive to maximize profits. These entities are motivated by profit and wish to broaden enforcement mechanisms, which in turn increases the number of people being monitored and detained. A growing anti-immigrant sentiment has sparked concern among advocacy organizations and civil society organizations about the protection of immigrant communities in the United States. 

A growing number of activists and civil society groups are now focusing on exposing and challenging the growing surveillance infrastructure, a system that has been built over the past decade, and which is being reinforced by an administration that has used incendiary rhetoric against immigrants and activists, calling them threats to the country. ICE’s Expanding Surveillance Network and Private Sector Involvement The growth of electronic monitoring within immigration enforcement has made BI Inc., an organization that has a $2.2 billion contract with Immigration and Customs Enforcement (ICE) that is set to expire in July, one of the major beneficiaries of the expansion of electronic monitoring. 

The BI Inc., as the only provider of electronic monitoring devices for ICE, has a crucial role to play in implementing the agency’s surveillance programs as its exclusive provider of electronic monitoring devices. This company is owned and operated by a subsidiary of the GEO Group, the world's largest private prison corporation. They operate multiple immigration detention facilities that are contracted by the Department of Immigration and the Department of Homeland Security. Geo Group's involvement in political financing has also been heavily emphasized, with $3.4 million contributed to political campaigns in 2024 by Geo Group, of which $3.4 million went to the Make America Great Again super PAC. 

Last year, the company also spent $1.03 million on lobbying activities, directing a substantial amount ($340,000) in favour of policies that relate to immigration enforcement and alternatives to detention, a sector in which BI Inc. has long held a dominant position. Legal Challenges and Privacy Concerns Surrounding ISAP There have been several advocacy groups that are urging more transparency regarding ICE's Intensive Supervision Appearance Program (ISAP), which uses electronic surveillance rather than detention facilities to place immigrants under electronic surveillance. These groups include Just Futures Law, Mijente, and Community Justice Exchange. 

There have been some organizations that have sued ICE to obtain information regarding the type of data collected and the way it is used, but after examining the agency's response to these questions, they concluded in 2023 that the agency had not provided adequate assurances regarding the protection of data and privacy in ISAP. ICE’s Use of Facial Recognition Technology ICE has been using facial recognition software since 2020. 

They contracted Clearview AI, which is famous for scraping images from social networks and the internet without the consent of the individuals involved. By matching this data to names and cross-referencing it with law enforcement databases, the police can identify individuals suspected of crime. As a result of Clearview AI's practices being questioned in multiple jurisdictions, the EU has imposed a ban on its operations in the EU due to violations of the General Data Protection Regulations (GDPR), which govern data collection and use. 

Numerous lawsuits have been filed against the company claiming that the company has engaged in unlawful surveillance practices in the United States. A $2.3 million contract with Clearview AI ended in September 2023, and it has not yet been decided whether or not the agency has renewed the contract or will continue to utilize the software in another manner. Moreover, Clearview AI has not only been in legal battles, but has also been actively lobbying against legislation that would regulate both its operation and the operation of data brokers as well. 

Growing Concerns Over ICE’s Surveillance Expansion With the increasing use of electronic monitoring and facial recognition technology by ICE, concerns remain regarding privacy violations, data security, and ethical implications that are associated with these technologies as they continue to expand their surveillance infrastructure. It is important to note that the agency relies on private companies with vested financial interests, which further emphasizes the complexity of immigration enforcement and civil liberties in a digital age.
Read more »
Ransomwares
corporate network breach Cyber Security firewall vulnerability Forescout Research Labs Fortnite Hacker attack Ransomware attack Ransomwares

Hackers Exploit Fortinet Firewall Bugs to Deploy Ransomware

 

Cybersecurity researchers have uncovered a new attack campaign in which hackers are exploiting vulnerabilities in Fortinet firewalls to breach corporate networks and deploy ransomware. The hacking group, tracked as “Mora_001,” is leveraging two specific flaws in Fortinet’s firewall software to infiltrate systems and launch a custom ransomware strain called “SuperBlack.” 

These vulnerabilities, tracked as CVE-2024-55591 and CVE-2025-24472, have been actively exploited since December 2024, despite Fortinet releasing patches in January 2025. Many organizations have yet to apply these critical updates, leaving their networks vulnerable. Once inside a network, the attackers conduct reconnaissance to identify valuable data before deploying ransomware. Instead of immediately encrypting files, they first exfiltrate sensitive information, a tactic that has become increasingly common among ransomware groups seeking to pressure victims into paying a ransom to prevent data leaks. 

Security researchers at Forescout observed that the Mora_001 group selectively encrypted file servers only after stealing critical data, making their attacks more damaging and difficult to recover from. There is strong evidence linking Mora_001 to the notorious LockBit ransomware gang. The SuperBlack ransomware strain appears to be based on a leaked builder from LockBit 3.0 attacks, and the ransom notes left by Mora_001 include the same contact details previously used by LockBit affiliates. This suggests that Mora_001 may be a current LockBit affiliate with distinct operational methods or a separate group that shares infrastructure and communication channels. 

Cybersecurity experts believe that Mora_001 is primarily targeting organizations that have not yet applied Fortinet’s security patches. Companies that failed to update their firewalls or properly harden their network configurations when the vulnerabilities were first disclosed are at the highest risk. The ransom notes used in these attacks also bear similarities to those used by other cybercriminal groups, such as the now-defunct ALPHV/BlackCat ransomware gang, further indicating connections within the ransomware ecosystem. 

Despite Fortinet releasing fixes for the affected vulnerabilities, unpatched systems remain an easy target for attackers. Security professionals are urging organizations to update their firewalls immediately and implement additional security measures to prevent unauthorized access. Best practices include applying all available patches, segmenting networks to restrict access to critical systems, monitoring for suspicious activity using endpoint detection and response tools, and maintaining secure offline backups. Organizations that fail to take these precautions risk falling victim to sophisticated ransomware attacks that can result in severe financial and operational damage.
Read more »
Ransomware
Black Basta Cyber Security Password Ransomware

Black Basta Hackers Use New Tool to Break Weak Passwords on Remote Systems

 



A cybercriminal group called Black Basta has built a new tool that helps them break into remote systems like VPNs and firewalls by guessing weak passwords. This tool allows them to easily target companies and demand ransom.

According to cybersecurity experts, the tool— named BRUTED, automatically scans the internet to find systems that might be easy to hack. It focuses on popular VPN and firewall services from companies like Cisco, Fortinet, Palo Alto, and others. It also attacks systems used for remote desktop access.

The tool gathers information like IP addresses, website subdomains, and security certificates to help guess passwords specific to each organization. It then sends fake login requests that look like they’re from a real user or device, making it harder to detect.

Since BRUTED runs automatically, it helps hackers attack many targets quickly. This increases their chances of breaking in and earning money from ransomware attacks.

Experts warn that many companies still rely on simple or repeated passwords, which makes their systems easy to hack. Sometimes, attackers use leaked or default passwords that organizations forget to change.

This poor password management exposes businesses to big risks. In fact, weak passwords might have also caused a leak in Black Basta’s own data when a hacker broke into a Russian bank and exposed the gang’s private chats.

Black Basta is known for targeting important industries like healthcare and manufacturing, where even a small disruption can cause major losses. These industries are more likely to pay ransom to avoid shutdowns.

Security experts are urging businesses to act fast—use strong and unique passwords, change default settings, run regular security checks, and train employees about password safety.

Good password habits can help prevent such attacks and protect important systems from hackers like Black Basta.


Read more »
Government surveillance
Cyber Security Data Privacy Digital Security Encryption End-to-End Encryption Government surveillance

Encryption Under Siege: A New Wave of Attacks Intensifies

 

Over the past decade, encrypted communication has become a standard for billions worldwide. Platforms like Signal, iMessage, and WhatsApp use default end-to-end encryption, ensuring user privacy. Despite widespread adoption, governments continue pushing for greater access, threatening encryption’s integrity.

Recently, authorities in the UK, France, and Sweden have introduced policies that could weaken encryption, adding to EU and Indian regulatory measures that challenge privacy. Meanwhile, US intelligence agencies, previously critical of encryption, now advocate for its use after major cybersecurity breaches. The shift follows an incident where the China-backed hacking group Salt Typhoon infiltrated US telecom networks. Simultaneously, the second Trump administration is expanding surveillance of undocumented migrants and reassessing intelligence-sharing agreements.

“The trend is bleak,” says Carmela Troncoso, privacy and cryptography researcher at the Max-Planck Institute for Security and Privacy. “New policies are emerging that undermine encryption.”

Law enforcement argues encryption obstructs criminal investigations, leading governments to demand backdoor access to encrypted platforms. Experts warn such access could be exploited by malicious actors, jeopardizing security. Apple, for example, recently withdrew its encrypted iCloud backup system from the UK after receiving a secret government order. The company’s compliance would require creating a backdoor, a move expected to be challenged in court on March 14. Similarly, Sweden is considering laws requiring messaging services like Signal and WhatsApp to retain message copies for law enforcement access, prompting Signal to threaten market exit.

“Some democracies are reverting to crude approaches to circumvent encryption,” says Callum Voge, director of governmental affairs at the Internet Society.

A growing concern is client-side scanning, a technology that scans messages on users’ devices before encryption. While presented as a compromise, experts argue it introduces vulnerabilities. The EU has debated its implementation for years, with some member states advocating stronger encryption while others push for increased surveillance. Apple abandoned a similar initiative after warning that scanning for one type of content could pave the way for mass surveillance.

“Europe is divided, with some countries strongly in favor of scanning and others strongly against it,” says Voge.

Another pressing threat is the potential banning of encrypted services. Russia blocked Signal in 2024, while India’s legal battle with WhatsApp could force the platform to abandon encryption or exit the market. The country has already prohibited multiple VPN services, further limiting digital privacy options.

Despite mounting threats, pro-encryption responses have emerged. The US Cybersecurity and Infrastructure Security Agency and the FBI have urged encrypted communication use following recent cybersecurity breaches. Sweden’s armed forces also endorse Signal for unclassified communications, recognizing its security benefits.

With the UK’s March 14 legal proceedings over Apple’s backdoor request approaching, US senators and privacy organizations are demanding greater transparency. UK civil rights groups are challenging the confidential nature of such surveillance orders.

“The UK government may have come for Apple today, but tomorrow it could be Google, Microsoft, or even your VPN provider,” warns Privacy International.

Encryption remains fundamental to human rights, safeguarding free speech, secure communication, and data privacy. “Encryption is crucial because it enables a full spectrum of human rights,” says Namrata Maheshwari of Access Now. “It supports privacy, freedom of expression, organization, and association.”

As governments push for greater surveillance, the fight for encryption and privacy continues, shaping the future of digital security worldwide.


Read more »
Outdated Systems
Business Security Cyber Security Data Hostage Outdated Systems

Here's How to Prevent Outdated Software from Hurting Your Business

 

Do you think continuing with the same old version of the same old software is a good idea? While it may function adequately for the time being, the clock is ticking towards disaster. Waiting to upgrade results in a monster that consumes money, time, data, and morale.

Demands on your organisation are increasing, putting additional strain on your outdated software to perform under conditions it was not built to withstand. As your system strains to keep up, malfunctions occur more frequently, increasing the likelihood of failure. Software vendors may still be prepared to assist, but when your old system fades into obscurity, fixing it becomes a custom task with increased custom work costs. 

Maintenance is critical and costs more as software ages. If you think you can forgo maintenance and only pay for repairs on a case-by-case basis, you're going down a bad road. You'll deplete your money and risk having emergencies that hinder or even halt your output completely. When a software system goes down for repair, personnel and procedures may be affected. 

Do you worry about the cost of licensing new software? Consider the value you obtain for your investment. Better software opens up new options to operate smarter and more efficiently. It increases your ability to accomplish more for your clients faster, which can easily offset license expenses. Fewer errors, reduced downtime, and less expensive maintenance all contribute to a higher return on investment in upgrades and licenses.

Holding your data hostage 

Isolated software systems are becoming increasingly rare. It's a connected world, and your system's ability to integrate with other systems, both internal and external, can make or break your company's ability to grow. Old software that is incompatible with other systems in your company, your vendors' systems, or your clients' systems effectively traps data that could otherwise propel you forward. 

Incompatibility disrupts the flow of data, preventing it from being used to inform and enhance your partnerships. Incompatibility might also be a risk when it comes to hardware connectivity. Old software can corrupt inputs streaming from hardware, resulting in inaccuracy and data loss. Access control gear, networking hardware, and surveillance equipment, as well as more specialised systems ranging from advanced two-way radios to inventory management tools such as barcode scanners and RFID readers, can all be compromised. 

Older software also increases the threat of data security breaches. As security standards increase through software upgrades, old software becomes easier to exploit. Clinging to an obsolete system may end up costing significantly more in security breaches than modernising. And if a crisis comes, you can end up paying for both at once. 

Data portability realities can often come as a great, unexpected surprise. You may be unable to transfer data that is locked within an older software system. There may be no way to recover the data for use in a new or different system. Then you have to decide whether to dump your old system and start afresh, or to continue with it until it ages and eventually fails.

It’s a dead end 

Your old software system may have served you well for years, performing exactly as needed to support your company's goals. You may consider it a workhorse that you cannot live without, and you are concerned that upgrading to something new will take too long to master and may not work as well. 

But the reality is that new software is intended to be a rewarding experience. Many people wonder how they lived for so long without upgrading their enterprises. The truth is, there isn't much of an option. Even well-maintained software loses steam with time. The people who built and maintained it eventually abandon it in favour of other opportunities to create something smarter, stronger, and more effective for your company.
Read more »
Software
Cyber Security LockBit Ransomware Software

New Ransomware 'SuperBlack' Abuses Fortinet Firewall Flaws to Launch Attacks

 


A newly discovered ransomware group known as Mora_001 is carrying out cyberattacks by exploiting security weaknesses found in Fortinet's firewall systems. The group is using a custom ransomware strain named SuperBlack to target organizations and lock their data for ransom.

The attackers are taking advantage of two security loopholes that allow them to bypass login protections on Fortinet devices. These issues, listed as CVE-2024-55591 and CVE-2025-24472, were made public by Fortinet earlier this year. Reports indicate that one of these vulnerabilities had been secretly exploited by attackers even before the company officially disclosed it.

Initially, Fortinet clarified that only one of the two bugs had been misused. However, a recent investigation suggests that the second vulnerability was also being exploited during the same period. Researchers from cybersecurity firm Forescout uncovered this while examining attacks that occurred in January and February 2025.


Step-by-Step Breakdown of the Attack

The cybercriminals begin their attack by finding exposed Fortinet firewall devices that haven’t been updated. They then use these security flaws to gain full control over the system.

Once inside, the attackers grant themselves the highest level of access, commonly known as 'super admin' rights. They either use web-based tools or direct network requests to make these changes.

After securing control, they create new administrator profiles with names like forticloud-tech, fortigate-firewall, or adnimistrator. These fake accounts are set up in a way that even if someone deletes them, automated tasks will recreate them instantly.

The hackers then scan the network to understand its layout and start moving from one system to another. They use stolen login details, create new VPN accounts, and rely on common tools like WMIC and SSH to spread across connected machines. They also try to break into systems that use security checks like TACACS+ or RADIUS.

Before locking files, the group copies important data using their own tools. Their main targets include file storage systems, database servers, and computers that control user access across networks. Once the data is stolen, the ransomware is triggered, encrypting files and leaving ransom messages behind.

To make it harder for experts to investigate the attack later, the hackers run a program called ‘WipeBlack’. This tool removes all traces of the ransomware from the system, leaving very little evidence.


Possible Links to a Bigger Ransomware Group

During their investigation, Forescout found that SuperBlack ransomware shares several similarities with the well-known LockBit ransomware group. The coding style and methods used appear to have been copied from LockBit’s earlier leaked tools.

However, it looks like SuperBlack is being operated separately and is not officially part of the LockBit group.

This incident is a reminder of the risks that come with outdated software. Organizations using Fortinet firewalls should install security updates immediately to avoid falling victim to such attacks. Staying updated is crucial in protecting sensitive information from advanced ransomware threats.



Read more »
secure access
application virtualization Cyber Security Cybersecurity Hybrid Work IT Infrastructure remote desktop Remote Work secure access

The Future of Work: Why Remote Desktop Solutions Are Essential

 

The workplace is transforming at an unprecedented rate. Remote and hybrid work models, once considered temporary adjustments, have now become permanent components of modern business operations. Organizations worldwide are seeking secure, efficient, and cost-effective solutions to support a distributed workforce while maintaining productivity. As a result, remote desktop solutions have become essential, enabling seamless access to business applications and data from any location.

One of the most scalable and effective solutions available today is TSplus. Designed for businesses of all sizes, TSplus provides secure remote access, application virtualization, and IT infrastructure optimization, making it a key technology for the evolving workplace.

The shift to remote work accelerated during the COVID-19 pandemic, proving that many roles can be performed effectively outside traditional office environments. While some organizations initially faced difficulties adapting, many quickly recognized the advantages of flexible work models. Today, hybrid work is the norm, combining in-office collaboration with remote flexibility.

However, managing a dispersed workforce presents challenges, particularly regarding IT accessibility and security. Businesses must ensure employees can securely access their work environments from any device while maintaining operational efficiency.

Why Remote Desktop Solutions Matter

1. Seamless Access to Business Applications
A primary challenge of remote work is providing employees with secure access to essential business tools without compromising security. Remote desktop solutions allow seamless login to work environments from any device, replicating the in-office experience.

With TSplus, businesses can centrally host applications and desktops, enabling secure access from anywhere. This eliminates the need for costly hardware upgrades, allowing companies to support remote teams effortlessly.

2. Enhanced Security for Distributed Teams
As cybersecurity threats continue to rise, remote workers have become prime targets for phishing, ransomware, and data breaches. Traditional VPNs and unsecured remote connections expose businesses to significant risks.

A robust remote desktop solution integrates multi-layered security measures, such as:

  • End-to-end encryption to protect sensitive data
  • Multi-factor authentication (MFA) to prevent unauthorized access
  • IP and geo-restriction policies to regulate login location
TSplus provides advanced security features, safeguarding businesses from cyber threats while ensuring a seamless user experience.

Maintaining an on-premise IT infrastructure is costly and resource-intensive. Businesses must invest in high-performance hardware, software licenses, and ongoing IT maintenance to support remote work.

Remote desktop solutions reduce IT costs by centralizing resources and eliminating the need for physical workstations. Employees can securely access their work environment from any device, including laptops and tablets, allowing businesses to scale operations efficiently as they grow.
Read more »
Threat Landscape
Business Security Cyber Security Generative AI Threat Intelligence Threat Landscape

Nearly Half of Companies Lack AI-driven Cyber Threat Plans, Report Finds

 

Mimecast has discovered that over 55% of organisations do not have specific plans in place to deal with AI-driven cyberthreats. The cybersecurity company's most recent "State of Human Risk" report, which is based on a global survey of 1,100 IT security professionals, emphasises growing concerns about insider threats, cybersecurity budget shortages, and vulnerabilities related to artificial intelligence. 

According to the report, establishing a structured cybersecurity strategy has improved the risk posture of 96% of organisations. The threat landscape is still becoming more complicated, though, and insider threats and AI-driven attacks are posing new challenges for security leaders. 

“Despite the complexity of challenges facing organisations—including increased insider risk, larger attack surfaces from collaboration tools, and sophisticated AI attacks—organisations are still too eager to simply throw point solutions at the problem,” stated Mimecast’s human risk strategist VP, Masha Sedova. “With short-staffed IT and security teams and an unrelenting threat landscape, organisations must shift to a human-centric platform approach that connects the dots between employees and technology to keep the business secure.” 

95% of organisations use AI for insider risk assessments, endpoint security, and threat detection, according to the survey, but 81% are concerned regarding data leakage from generative AI (GenAI) technology. In addition to 46% not being confident in their abilities to defend against AI-powered phishing and deepfake threats, more than half do not have defined tactics to resist AI-driven attacks.

Data loss from internal sources is expected to increase over the next year, according to 66% of IT leaders, while insider security incidents have increased by 43%. The average cost of insider-driven data breaches, leaks, or theft is $13.9 million per incident, according to the research. Furthermore, 79% of organisations think that the increased usage of collaboration technologies has increased security concerns, making them more vulnerable to both deliberate and accidental data breaches. 

With only 8% of employees accountable for 80% of security incidents, the report highlights a move away from traditional security awareness training and towards proactive Human Risk Management. To identify and eliminate threats early, organisations are implementing behavioural analytics and AI-driven surveillance. A shift towards sophisticated threat detection and risk mitigation techniques is seen in the fact that 72% of security leaders believe that human-centric cybersecurity solutions will be essential over the next five years.
Read more »
Penetration Testing
Cyber Security Digital Forensics Ethical Hacking Kali Kali Pentesting Linux Linux Linux Security Penetration Testing

What Is Kali Linux? Everything You Need to Know

 

Kali Linux has become a cornerstone of cybersecurity, widely used by ethical hackers, penetration testers, and security professionals. This open-source Debian-based distribution is designed specifically for security testing and digital forensics. 

Recognized for its extensive toolset, it has been featured in popular culture, including the TV series Mr. Robot. Its accessibility and specialized features make it a preferred choice for those working in cybersecurity. The project originated as a successor to BackTrack Linux, developed by Offensive Security (OffSec) in 2013. 

Created by Mati Aharoni and Devon Kearns, Kali was designed to be a more refined, customizable, and scalable penetration testing platform. Unlike its predecessor, Kali adopted a rolling release model in 2016, ensuring continuous updates and seamless integration of the latest security tools. This model keeps the OS up to date with emerging cybersecurity threats and techniques. 

One of Kali Linux’s standout features is its extensive suite of security testing tools—approximately 600 in total—catering to various tasks, including network penetration testing, password cracking, vulnerability analysis, and digital forensics. The OS is also optimized for a wide range of hardware platforms, from traditional desktops and laptops to ARM-based systems like Raspberry Pi and even Android devices through Kali NetHunter. 

A key advantage of Kali is its built-in customization and ease of use. Unlike installing individual security tools on a standard Linux distribution, Kali provides a ready-to-use environment where everything is pre-configured. Additionally, it offers unique capabilities such as “Boot Nuke,” which enables secure data wiping, and containerized support for running older security tools that may no longer be maintained. 

Maintained and funded by Offensive Security, Kali Linux benefits from ongoing community contributions and industry support. The development team continuously enhances the system, addressing technical challenges like transitioning to updated architectures, improving multi-platform compatibility, and ensuring stability despite its rolling release model. 

The project also prioritizes accessibility for both seasoned professionals and newcomers, offering free educational resources like Kali Linux Revealed to help users get started. Looking ahead, Kali Linux’s roadmap remains dynamic, adapting to the fast-changing cybersecurity landscape. 

While core updates follow a structured quarterly release cycle, the development team quickly integrates new security tools, updates, and features as needed. With its strong foundation and community-driven approach, Kali Linux continues to evolve as an essential tool for cybersecurity professionals worldwide.
Read more »
enterprise cybersecurity
AI Chatbots AI Risks AI technology Chatbots ChatGPT. OpenAI Cyber Security data security DeepSeek enterprise cybersecurity

DeepSeek AI: Benefits, Risks, and Security Concerns for Businesses

 

DeepSeek, an AI chatbot developed by China-based High-Flyer, has gained rapid popularity due to its affordability and advanced natural language processing capabilities. Marketed as a cost-effective alternative to OpenAI’s ChatGPT, DeepSeek has been widely adopted by businesses looking for AI-driven insights. 

However, cybersecurity experts have raised serious concerns over its potential security risks, warning that the platform may expose sensitive corporate data to unauthorized surveillance. Reports suggest that DeepSeek’s code contains embedded links to China Mobile’s CMPassport.com, a registry controlled by the Chinese government. This discovery has sparked fears that businesses using DeepSeek may unknowingly be transferring sensitive intellectual property, financial records, and client communications to external entities. 

Investigative findings have drawn parallels between DeepSeek and TikTok, the latter having faced a U.S. federal ban over concerns regarding Chinese government access to user data. Unlike TikTok, however, security analysts claim to have found direct evidence of DeepSeek’s potential backdoor access, raising further alarms among cybersecurity professionals. Cybersecurity expert Ivan Tsarynny warns that DeepSeek’s digital fingerprinting capabilities could allow it to track users’ web activity even after they close the app. 

This means companies may be exposing not just individual employee data but also internal business strategies and confidential documents. While AI-driven tools like DeepSeek offer substantial productivity gains, business leaders must weigh these benefits against potential security vulnerabilities. A complete ban on DeepSeek may not be the most practical solution, as employees often adopt new AI tools before leadership can fully assess their risks. Instead, organizations should take a strategic approach to AI integration by implementing governance policies that define approved AI tools and security measures. 

Restricting DeepSeek’s usage to non-sensitive tasks such as content brainstorming or customer support automation can help mitigate data security concerns. Enterprises should prioritize the use of vetted AI solutions with stronger security frameworks. Platforms like OpenAI’s ChatGPT Enterprise, Microsoft Copilot, and Claude AI offer greater transparency and data protection. IT teams should conduct regular software audits to monitor unauthorized AI use and implement access restrictions where necessary. 

Employee education on AI risks and cybersecurity threats will also be crucial in ensuring compliance with corporate security policies. As AI technology continues to evolve, so do the challenges surrounding data privacy. Business leaders must remain proactive in evaluating emerging AI tools, balancing innovation with security to protect corporate data from potential exploitation.
Read more »
Software
Cisco Cyber Security Hackers Software

Cisco Warns of Critical Security Flaw in IOS XR Software – Immediate Update Recommended




Cisco has issued a security warning about a newly identified vulnerability in its IOS XR Software. This security flaw, labeled CVE-2025-20138, has been rated 8.8 on the CVSS scale, meaning it poses a major risk to affected devices.


What Is the Problem?

The issue is found in the Command Line Interface (CLI) of Cisco’s IOS XR Software. If an attacker gains access to a system with limited user privileges, they can exploit this weakness to execute commands with the highest level of control. This would allow them to make major modifications to the system, potentially leading to severe security threats.

The root of the problem is improper validation of user inputs in certain CLI commands. Because the system does not correctly filter these inputs, attackers can manipulate it using carefully crafted commands. If successful, they can obtain full administrative access, giving them total control over the device.


Who Is Affected?

This vulnerability affects all configurations of Cisco IOS XR 64-bit Software. Users should check Cisco’s official security advisory to confirm if their specific version is vulnerable.

However, some Cisco software versions are confirmed to be unaffected, including:

IOS Software

IOS XE Software

IOS XR 32-bit Software

NX-OS Software

No Quick Fixes—Users Must Update Their Software

Cisco has stated that there are no temporary solutions or workarounds for this security flaw. The only way to protect affected systems is to install the latest software updates provided by Cisco.

The company has outlined which versions require updates:

1. Users running Cisco IOS XR Software Release 24.1 or earlier need to switch to a patched version.

2. Those using Release 24.2 should upgrade to version 24.2.21 when it becomes available.

3. Users on Release 24.3 must transition to a secure version.

Release 24.4 is not affected by this issue.

As of now, there have been no reports of hackers exploiting this flaw. However, because of the severity of the issue, users should not delay in updating their devices.

Cisco is urging all users running affected versions of IOS XR Software to review the security advisory and apply the necessary updates as soon as possible. Keeping software up to date is the only way to ensure systems remain protected from potential cyber threats.

Read more »
IoT device security
Bluetooth exploits Cyber Security ESP32 vulnerability Espressif security risk IoT device security

Undocumented ESP32 Commands Pose Security Risks, Researchers Warn

 

The widely used ESP32 microchip, manufactured by Chinese company Espressif and embedded in over a billion devices as of 2023, has been found to contain undocumented commands that could be exploited for cyberattacks.

These hidden commands enable threat actors to spoof trusted devices, gain unauthorized access to sensitive data, pivot within a network, and establish persistent control over affected systems.

Spanish cybersecurity experts Miguel Tarascó Acuña and Antonio Vázquez Blanco from Tarlogic Security uncovered these vulnerabilities and presented their findings at RootedCON in Madrid.

"Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices," the company stated in an announcement shared with BleepingComputer.

"Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks, or medical equipment by bypassing code audit controls."

The researchers highlighted that ESP32 is one of the most commonly used chips for Wi-Fi and Bluetooth connectivity in IoT devices, making the potential impact significant. They noted that while interest in Bluetooth security research has declined, this is not due to increased security but rather the lack of effective tools and updated research methodologies.

To address this gap, Tarlogic developed a C-based, cross-platform USB Bluetooth driver that bypasses OS-specific APIs, providing direct hardware access. Using this tool, they discovered 29 undocumented vendor-specific commands (Opcode 0x3F) embedded in the ESP32 Bluetooth firmware. These commands facilitate low-level control over Bluetooth functionality, including RAM and Flash memory manipulation, MAC address spoofing, and LMP/LLCP packet injection.

Espressif has not publicly documented these commands, raising concerns about whether they were intentionally left accessible or unintentionally exposed. The vulnerability has now been assigned CVE-2025-27840.

Potential risks include supply chain attacks and unauthorized firmware modifications at the OEM level. Depending on how Bluetooth stacks handle HCI commands, remote exploitation could be possible through malicious firmware or rogue Bluetooth connections. However, the most realistic attack scenario would involve an attacker gaining physical access to a device via its USB or UART interface.

"In a context where you can compromise an IoT device with an ESP32, you will be able to hide an APT inside the ESP memory and perform Bluetooth (or Wi-Fi) attacks against other devices while controlling the device over Wi-Fi/Bluetooth," the researchers told BleepingComputer.

"Our findings would allow for complete control over ESP32 chips and the ability to establish persistence via commands that modify RAM and Flash."

"Also, with persistence in the chip, it may be possible to spread to other devices because the ESP32 allows for the execution of advanced Bluetooth attacks."

BleepingComputer reached out to Espressif for a statement, and while an immediate response was unavailable, the company later issued a clarification on March 10, 2025.

Espressif acknowledged the existence of the undocumented commands, stating they were intended as debug tools for internal testing.

"The functionality found are debug commands included for testing purposes," reads Espressif’s statement.

"These debug commands are part of Espressif’s implementation of the HCI (Host Controller Interface) protocol used in Bluetooth technology. This protocol is used internally in a product to communicate between Bluetooth layers."

Despite downplaying the security risks, Espressif assured that the debug commands would be removed in an upcoming software update.

"While these debug commands exist, they cannot, by themselves, pose a security risk to ESP32 chips. Espressif will still provide a software fix to remove these undocumented commands," the statement concluded.
Read more »
Subscribe to: Posts (Atom)