Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Security. Show all posts
WhatsApp Ban
Cyber Security Online Privacy Russia Max App State Surveillance WhatsApp Ban

Russia Blocks WhatsApp, Pushes State Surveillance App

 

Russia has effectively erased WhatsApp from its internet, impacting up to 100 million users in a bold move by regulator Roskomnadzor. On Wednesday, the app was removed from the national directory, severing access without prior slowdown warnings, as reported by the Financial Times and Gizmodo. WhatsApp condemned this as an attempt to force users onto a "state-owned surveillance app," highlighting the isolation of millions from secure communication. 

This crackdown escalates Russia's long-running battle against foreign messaging services amid its push for digital sovereignty. Restrictions began in August 2025 with blocks on voice and video calls, citing WhatsApp's failure to aid fraud and terrorism probes. Courts fined the Meta-owned app repeatedly for not removing banned content or opening a local office; by December, speeds dropped 70%, but full removal came after ongoing non-compliance. Telegram faced similar cuts this week, leaving Russians scrambling.

Enter Max, VK's 2025-launched "superapp" modeled on China's WeChat, now aggressively promoted as the national alternative. Preinstalled on devices and endorsed by celebrities and educators, it offers chats, video calls, file sharing up to 4GB, payments via Russia's Faster Payment System, and government services like digital IDs and e-signatures. Unlike WhatsApp's encryption, Max mandates activity sharing with authorities and lacks apparent privacy safeguards, per The Insider. 

The Kremlin justifies the ban as protecting citizens from scams and terrorism while achieving tech independence under sanctions. Spokesman Dmitry Peskov cited Meta's refusal to follow Russian law, though WhatsApp could return via compliance talks. Critics see it as unprecedented speech suppression, building on post-2022 Ukraine invasion censorship labeled "unprecedented" by Amnesty International. Yet past efforts, like the failed 2018 Telegram block, exposed regime overreach.

Users are turning to VPNs or rivals, but Max's rise could cement state surveillance in daily life. This mirrors global trends—France pushes local apps, and Meta faces U.S. spying claims—but Russia's unencrypted alternative raises alarms for privacy. As Putin eyes indefinite rule, such controls signal deepening authoritarianism, forcing 100 million into monitored chats.
Read more »
surveillance
Android Spyware Applications Cyber Security phishing Software surveillance

Is Spyware Secretly Hiding on Your Phone? How to Detect It, Remove It, and Prevent It

 



If your phone has started behaving in ways you cannot explain, such as draining power unusually fast, heating up during minimal use, crashing, or displaying unfamiliar apps, it may be more than a routine technical fault. In some cases, these irregularities signal the presence of spyware, a type of malicious software designed to quietly monitor users and extract personal information.

Spyware typically enters smartphones through deceptive mobile applications, phishing emails, malicious attachments, fraudulent text messages, manipulated social media links, or unauthorized physical access. These programs are often disguised as legitimate utilities or helpful tools. Once installed, they operate discreetly in the background, avoiding obvious detection.

Depending on the variant, spyware can log incoming and outgoing calls, capture SMS and MMS messages, monitor conversations on platforms such as Facebook and WhatsApp, and intercept Voice over IP communications. Some strains are capable of taking screenshots, activating cameras or microphones, tracking location through GPS, copying clipboard data, recording keystrokes, and harvesting login credentials or cryptocurrency wallet details. The stolen information is transmitted to external servers controlled by unknown operators.

Not all spyware functions the same way. Some applications focus on aggressive advertising tactics, overwhelming users with pop-ups, altering browser settings, and collecting browsing data for revenue generation. Broader mobile surveillance tools extract system-level data and financial credentials, often distributed through mass phishing campaigns. More intrusive software, frequently described as stalkerware, is designed to monitor specific individuals and has been widely associated with domestic abuse cases. At the highest level, intricately designed commercial surveillance platforms such as Pegasus have been deployed in targeted operations, although these tools are costly and rarely directed at the general public.

Applications marketed as parental supervision or employee productivity tools also require caution. While such software may have legitimate oversight purposes, its monitoring capabilities mirror those of spyware if misused or installed without informed consent.

Identifying spyware can be difficult because it is engineered to remain hidden. However, several warning indicators may appear. These include sudden battery drain, overheating, sluggish performance, unexplained crashes, random restarts, increased mobile data consumption, distorted calls, persistent pop-up advertisements, modified search engine settings, unfamiliar applications, difficulty shutting down the device, or unexpected subscription charges. Receiving suspicious messages that prompt downloads or permission changes may also signal targeting attempts. If a device has been out of your possession and returns with altered settings, tampering should be considered.

On Android devices, reviewing whether installation from unofficial sources has been enabled is critical, as this setting allows apps outside the Google Play Store to be installed. Users should also inspect special app access and administrative permissions for unfamiliar entries. Malicious programs often disguise themselves with neutral names such as system utilities. Although iPhones are generally more resistant without jailbreaking or exploited vulnerabilities, they are not immune. Failing to install firmware updates increases exposure to known security flaws.

If spyware is suspected, measured action is necessary. Begin by installing reputable mobile security software from verified vendors and running a comprehensive scan. Manually review installed applications and remove anything unfamiliar. Examine permission settings and revoke excessive access. On Android, restarting the device in Safe Mode temporarily disables third-party apps, which may assist in removal. Updating the operating system can also disrupt malicious processes. If the issue persists, a factory reset may be required. Important data should be securely backed up before proceeding, as this step erases all stored content. In rare instances, professional technical assistance or device replacement may be needed.

Long-term protection depends on consistent preventive practices. Maintain strict physical control over your phone and secure it with a strong password or biometric authentication. Configure automatic screen locking to reduce the risk of unauthorized access. Install operating system updates promptly, as they contain critical security patches. Download applications only from official app stores and review developer credibility, ratings, and permission requests carefully before installation. Enable built-in security scanners and avoid disabling system warnings. Regularly audit app permissions, especially for access to location, camera, microphone, contacts, and messages.

Remain cautious when interacting with links or attachments received through email, SMS, or social media, as phishing remains a primary delivery method for spyware. Avoid jailbreaking or rooting devices, since doing so weakens built-in protections and increases vulnerability. Activate multi-factor authentication on essential accounts such as email, banking, and cloud storage services, and monitor login activity for irregular access. Periodically review mobile data usage and billing statements for unexplained charges. Maintain encrypted backups so decisive action, including a factory reset, can be taken without permanent data loss.

No mobile device can be guaranteed completely immune from surveillance threats. However, informed digital habits, timely updates, disciplined permission management, and layered account security significantly reduce the likelihood of covert monitoring. In an era where smartphones store personal, financial, and professional data, vigilance remains the strongest defense.

Read more »
online privacy concerns
Cyber Privacy Cyber Security global privacy tools Google Privacy Sandbox Google Updates online privacy concerns

Google Expands Privacy Tools With Automated ID Detection and Deepfake Image Removal

 

Years of relying on users to report privacy issues have shaped Google’s approach so far. Lately, automated tools began taking a bigger role in spotting private details online. One shift involves how quickly artificial visuals get flagged across search results. Instead of waiting for complaints, systems now proactively detect such content. Efficiency improves when machines assist with removals. This update adjusts how personal data flows through the platform. Recently, detection methods became sharper at finding fake imagery. People gain better control without needing to act first. Progress shows in faster response times behind the scenes. 

What stands out in this update is a more capable "Results About You" feature. Using Google's vast web index, it searches for personal details visible on public pages. Still, there is a condition - people need to share some identifying information for matches to be found. After signing up, automated scans run regularly. Alerts go out when fresh links showing that person’s data turn up in search results. 

One major upgrade helps the software spot ID codes hidden in online pages. These can be driving permit numbers, passport data, or national identity figures. Access depends on user permission set in profiles, along with self-submitted records. With permits, the entire sequence is needed; however, travel documents and tax IDs need just a partial match. After setup, the mechanism reviews stored material to flag possible leaks. 

Even though Google doesn’t control outside sites, it may take down certain links from its search listings. Since being found online often depends on search engines, removing those entries can greatly limit exposure to identity theft, unwanted personal disclosures, or abuse. Despite lacking authority over external pages, limiting access through search still offers meaningful protection.  
Now handling non-consensual intimate visuals differently, the firm includes AI-made fakes in its revised policy. Since manufactured images are spreading faster, reports may cover real photos alongside altered ones. Submitting several pictures at once is possible, which helps people facing organized abuse move through the steps quicker. 

A new option appears via three dots beside image entries - clicking lets people mark media showing them in sensitive situations. Removing such results begins there, with a choice labeled "Remove result" leading onward. That path includes confirming if pictures are authentic or made by artificial tools. Faster replies come now, Google says, especially when many visuals require attention. Streamlined steps help manage high quantities without delay piling up. 

Ahead of issues arising, the system checks for recurring content once someone submits a deletion. Following approval, ongoing scans detect related information during later indexing rounds. Whether it involves personal details or visual files, matches trigger warnings automatically. When duplicates show up, visibility stops before they appear in outcomes - no repeated forms needed. Each cycle works silently unless something flagged emerges. 

Even with improvements, the tools fall short in key ways. While they limit what shows up in searches, they leave the material live on source sites. Yet since many people rely on Google to find content, taking links out of results tends to help - sometimes significantly. 

Right now, systems can spot ID numbers automatically. Soon after, quicker image reports should appear in many regions - proactive scans following shortly afterward. Expansion to nearly every country will happen by the end of the year, though timing may differ slightly depending on location.
Read more »
remote monitoring and management
Command And Control Infrastructure Cyber Security Cyber Threats. Healthcare Cybersecurity Endpoint security Multi Factor Authentication ransomware attacks remote monitoring and management

Enterprise Monitoring Tool Misused by Ransomware Gang to Target Businesses


Increasingly, enterprise networks are characterized by tools designed to enhance visibility and oversight applications purchased in the name of enhancing productivity, compliance, and efficiency. However, the same software entrusted with safeguarding workflow transparency is currently being quietly redirected toward far more harmful purposes. 

As ransomware operators weaponize commercially available monitoring and remote management platforms, they avoid traditional red flags and embed themselves within routine administrative traffic. Nevertheless, the result is not immediate chaos, but calculated persistence. This involves silent access, continuous control, and the staging of systems for extortion, extortion, and financial coercion. Huntress has published a technical analysis that illustrates the evolution of this tactic. 

In a study, researchers found that attackers are no longer relying solely on custom malware to maintain access to systems. Instead, they are repurposing legitimate employee surveillance software as well as remote monitoring and management tools to turn passive oversight tools into active intrusion tools. In the field of ransomware tradecraft, a subtle but significant evolution has occurred, as it becomes increasingly difficult to distinguish between administrative utility and adversarial control.

As outlined in a report February 2026 report, a threat actor associated with the Crazy ransomware gang utilized Net Monitor for Employees Professional, a commercially marketed workplace monitoring product in tandem with SimpleHelp, a remote management platform. Together, these tools enabled more than discrete observation of employees. 

As a result, attackers were able to control the system interactively, transfer files, and execute commands remotely—functions reminiscent of legitimate IT administration, but quietly paved the way for the deployment of disruptive ransomware. In accordance with these findings, Huntress investigators discovered that operators consistently used Net Monitor for Employees Professional and SimpleHelp to secure low-noise, durable access to victim environments using Net Monitor for Employees Professional. 

The monitoring agent was initially sideloaded with the legitimate Windows Installer utility, msiexec.exe, during its initial deployment, resulting in a combination of malicious installation activity and routine administrative processes. The agent, once embedded, provided complete access to victim desktops, allowing for real-time screen surveillance, file transfers, and remote command execution without causing the behavioral anomalies commonly associated with customized backdoors. 

A scripted PowerShell command was used by the attackers to install SimpleHelp, which was renamed frequently to mimic benign system artifacts such as VShost.exe or files related to OneDrive synchronization in order to strengthen persistence. As a result of this deliberate masquerading, cursory process reviews and endpoint inspections were less likely to be scrutinized. Attempts were also made to weaken native defenses, including the disablement of Microsoft Defender protections, by researchers. 

It was found several times that the remote management client generated alerts related to cryptocurrency wallet activity or the presence of additional remote access utilities, an indication that the intrusions were not opportunistic reconnaissance alone, but rather preparatory steps aligned with ransomware deployment and the theft of assets. 

In the absence of disparate affiliates, correlated command-and-control endpoints and recurring filename conventions suggest that a single, coordinated operator is responsible for the incidents. The broader trend indicates a growing preference for legitimate remote management and monitoring software as an access vector due to their widespread use in enterprise IT administration. As such, their presence rarely raises immediate suspicions. 

Initial compromise in the cases examined was caused by the exposure or theft of SSL VPN credentials, which enabled adversaries to authenticate into networks and then silently layer commercial management tools over that access. 

Observations such as these reinforce the need for multi-factor authentication to be enforced across all remote access services as well as continuous monitoring controls designed to detect unauthorized deployments of remote management tools. Those who lack such safeguards can exploit trusted administrative frameworks to move laterally, persist, and eventually execute ransomware. The operational model observed in these intrusions has been seen previously. 

During the year 2025, DragonForce ransomware operated on a managed service provider and leveraged SimpleHelp deployments to pivot into downstream customer environments. By utilizing the MSP's own remote monitoring and management system, the attackers were able to conduct reconnaissance at scale without installing conspicuous malware. 

In order to exfiltrate sensitive data and deploy encryption payloads across client networks, the platform was used to enumerate user accounts, system configurations, and active network connections. Upon subverting trusted administrative infrastructure, it can function as a force multiplier—extending a single breach into multiple organizations, thus demonstrating the power of trusted administrative infrastructure. 

Researchers have observed attackers configuring granular monitoring rules within SimpleHelp to track specific operational activities. The agent was configured to continuously search for cryptocurrency-related keywords in connection with wallet applications, exchanges, blockchain explorers, and payment service providers, an indication that digital assets were being discovered and potential financial targets were being targeted. 

Meanwhile, it monitored for references to remote access technologies such as RDP, AnyDesk, UltraViewer, TeamViewer, and VNC so that legitimate administrators or incident responders would be able to determine whether they were communicating with infected systems. Upon reviewing log data, investigators found that the agent repeatedly cycled through triggers and resets associated with these keyword sets, indicating automated surveillance that alerted operators to threats in near real time.

In addition to redundancy, threat actors maintained multiple remote access pathways to maintain control even when one tool was identified and removed from the deployment strategy. The layered persistence approach aligns with a wider “living off the land” strategy, which is a form of adversary exploitation that relies upon legitimate, digitally signed software that has already been trusted within an enterprise environment. 

Remote support utilities and employee monitoring platforms are commonly used as productivity monitors, troubleshooters, and distributed workforce management tools. These platforms offer built-in capabilities such as screen capture, keystroke logging, and file transfer.

In addition to complicating detection efforts and reducing the forensic footprint typically associated with custom backdoors, their behavior closely mirrors sanctioned administrative behavior when repurposed for malicious purposes. Health care and managed services sectors are particularly affected by remote management frameworks, which are often integrated into workflows supporting medical devices, telehealth systems, and electronic health record platforms.

It is possible for attackers to gain privileged access to protected health information and critical infrastructure if these tools are commandeered. A deliberate strategy was demonstrated by ransomware operators in exploiting widely used RMM software: compromising authentication, blending into legitimate management channels, and expanding laterally through the very mechanisms organizations rely on for operational resilience.

Following the successful deployment of the monitoring utility, it became a fully interactive remote access channel for organizations. This allowed operators to monitor victim computers in real time, transfer files bidirectionally, and execute arbitrary commands, effectively assuming the role of local privileged users. 

There were several instances where they used the command net user administrator /active:yes to activate the built-in Windows Administrator account, which was consistent with privilege consolidation and fallback access planning. Through scripted execution of PowerShell, the threat actors obtained and installed the SimpleHelp client, reinforcing persistence. Filenames mimicking Microsoft Visual Studio VShost.exe were frequently used to rename the binary to resemble legitimate development or system artifacts.

A number of times it was staged within directories designed to appear associated with the OneDrive services, including C:/ProgramData/OneDriveSvc/OneDriveSvc.exe, thereby reducing suspicion during routine administrative review processes. Once executed, the payload ensured continued remote connectivity, even if the original employee monitoring agent was identified and removed. Huntress researchers observed attempts to weaken host-based defenses as well. 

By stopping and deleting related services, the attackers attempted to disable Microsoft Defender, reducing real-time protection prior to any encryption attempts. As part of SimpleHelp’s monitoring policies, they were configured so that alerts were generated when cryptocurrency wallets were accessed or remote management tools were invoked behavior which suggests a preparation for reconnaissance and a desire to detect potential incident response activities. 

Based on log telemetry, it is evident that the agent repeatedly triggers based on keywords associated with wallets, cryptocurrency exchanges, blockchain explorers, and payment platforms, while simultaneously flagging references to RDP sessions, AnyDesk sessions, UltraViewer sessions, TeamViewer sessions, and VNC sessions. 

By utilizing multiple remote access mechanisms simultaneously, operational redundancy was achieved. Despite the disruption of one channel, alternative channels permitted the intruders to remain in control of the network. 

Although only one of the documented intrusions resulted in the deployment of the Crazy ransomware gang encryptor, an overlap in command and control infrastructure as well as the re-use of distinctive filenames such as vhost.exe across incidents strongly suggests the presence of one operator or coordinated group. 

Due to the widespread use of remote monitoring and support tools within enterprise environments, their network traffic and process behavior tend to align with sanctioned IT operations, reflecting a larger shift in ransomware tradecraft toward strategic abuse of legitimate administrative software. The result is that malicious activity can remain concealed within routine management processes. 

To identify unauthorized deployments, Huntress suggests that organizations implement strict oversight over the installation and execution of remote monitoring utilities. This can be accomplished through the correlation of endpoint telemetry with change management logs. Because both breaches originated from compromised SSL VPN credentials, the implementation of multi-factor authentication across all remote access services remains a foundational control to prevent adversarial persistence following initial entry. 

All of these incidents illustrate that modern enterprise security models have a structural weakness: trust in administrative tools is not generally scrutinized in the same way as unfamiliar executables or overt malware. Due to the continued operationalization of legitimate remote management frameworks by ransomware groups, defensive strategies must expand beyond signature-based detections and perimeter controls. 

A mature security program will consider unauthorized implementation of RMM as a high-severity event, enforce strict administrative utility access governance, and perform behavioral monitoring to distinguish between sanctioned IT activity and anomalous control patterns in the network.

It is also critical to harden authentication pathways, limit credential exposure, and segment high-value systems in order to reduce blast radius during compromises. It is not possible to ensure resilience in an environment where adversaries are increasingly blending into routine operations by blocking every tool, but by ensuring that every instance of trust is validated.

Read more »
UNC2814 China hacking group
Cyber Espionage Campaign Cyber Security Google Google cyber security report Google Sheets API abuse GRIDTIDE malware UNC2814 China hacking group

Google Disrupts China-Linked UNC2814 Cyber Espionage Network Targeting 70+ Countries

 

Google on Wednesday revealed that it collaborated with industry partners to dismantle the digital infrastructure of a suspected China-aligned cyber espionage group known as UNC2814, which compromised at least 53 organizations spanning 42 countries.

"This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas," Google Threat Intelligence Group (GTIG) and Mandiant said in a report published today.

UNC2814 is believed to be associated with additional breaches across more than 20 other nations. Google, which has monitored the group since 2017, observed the attackers leveraging API requests to interact with software-as-a-service (SaaS) platforms as part of their command-and-control (C2) framework. This method allowed the threat actor to blend malicious communications with normal traffic patterns.

At the core of the campaign is a previously undocumented backdoor named GRIDTIDE. The malware exploits the Google Sheets API as a covert channel for C2 operations, enabling attackers to conceal communications while transferring raw data and executing shell commands. Written in C, GRIDTIDE supports file uploads and downloads, along with arbitrary command execution.

Dan Perez, GTIG researcher, told The Hacker News via email that they cannot confirm if all the intrusions involved the use of the GRIDTIDE backdoor. "We believe many of these organizations have been compromised for years," Perez added.

Investigators are still examining how UNC2814 gains its initial foothold. However, the group has a documented track record of exploiting web servers and edge devices to infiltrate targeted networks. Once inside, the attackers reportedly used service accounts to move laterally via SSH, while relying on living-off-the-land (LotL) tools to perform reconnaissance, elevate privileges, and maintain long-term persistence.

"To achieve persistence, the threat actor created a service for the malware at /etc/systemd/system/xapt.service, and once enabled, a new instance of the malware was spawned from /usr/sbin/xapt," Google explained.

The campaign also involved the use of SoftEther VPN Bridge to establish encrypted outbound connections to external IP addresses. Security researchers have previously linked misuse of SoftEther VPN technology to several Chinese state-sponsored hacking groups.

Evidence suggests that GRIDTIDE was deployed on systems containing personally identifiable information (PII), aligning with espionage objectives aimed at monitoring individuals of strategic interest. Despite this, Google stated that it did not detect any data exfiltration during the observed operations.

The malware’s communication mechanism relies on a spreadsheet-based polling system, assigning specific functions to designated cells for two-way communication:
  • A1: Used to retrieve attacker-issued commands and update status responses (e.g., S-C-R or Server-Command-Success)
  • A2–An: Facilitates the transfer of data such as command outputs and files
  • V1: Stores system-related data from the compromised endpoint
In response, Google terminated all Google Cloud projects associated with the attackers, dismantled known UNC2814 infrastructure, and revoked access to malicious accounts and Google Sheets API operations used for C2 activity.

The company described UNC2814 as one of the "most far-reaching, impactful campaigns" encountered in recent years. It confirmed that formal notifications were issued to affected entities and that assistance is being provided to organizations with verified breaches linked to the group.

Security experts note that this activity reflects a broader strategy by Chinese state-backed actors to secure prolonged access within global networks. The findings further emphasize the vulnerability of network edge devices, which frequently become entry points due to exposed weaknesses and misconfigurations.

Such appliances are increasingly targeted because they often lack advanced endpoint detection capabilities while offering direct access or pivot opportunities into internal enterprise systems once compromised.

"The global scope of UNC2814's activity, evidenced by confirmed or suspected operations in over 70 countries, underscores the serious threat facing telecommunications and government sectors, and the capacity for these intrusions to evade detection by defenders," Google said.

"Prolific intrusions of this scale are generally the result of years of focused effort and will not be easily re-established. We expect that UNC2814 will work hard to re-establish its global footprint."
Read more »
semiconductor cybersecurity
Advantest ransomware attack Cyber Security Japanese tech company breach ransomware in manufacturing semiconductor cybersecurity

Advantest Confirms Ransomware Breach After Suspicious Network Activity

 

Japanese semiconductor testing equipment manufacturer Advantest has confirmed it was targeted in a ransomware attack following the discovery of suspicious activity within its IT systems on February 15, 2026. The company publicly acknowledged the incident last Thursday.

Headquartered in Tokyo, Advantest is a major producer of automatic test and measurement systems essential to semiconductor development and manufacturing. Its technologies support a wide range of applications, including computers, consumer electronics such as mobile phones, autonomous vehicles, and high-performance computing systems like artificial intelligence platforms. The company operates across the Americas, Asia, and Europe and employs more than 7,600 people worldwide.

In an official statement, the company said, “Preliminary findings appear to indicate that an unauthorized third party may have gained access to portions of the company’s network and deployed ransomware,” the company said.

The firm added, “Upon detection, Advantest immediately activated its incident response protocols, isolated affected systems, and engaged leading third-party cybersecurity experts to assist in the investigation and containment of the incident.”

The investigation remains ongoing, and it is not yet clear whether any customer or employee information was compromised. Advantest has not reported any major operational interruptions at its manufacturing facilities so far.

Reaffirming its response efforts, the company stated, “Advantest is focused on understanding the full extent of this incident while reinforcing all possible defenses,” the company added, and promised to provide regular updates about the investigation.

Manufacturing Sector Increasingly Targeted by Ransomware Groups

The incident highlights a broader cybersecurity challenge facing industrial organizations worldwide. According to industrial cybersecurity firm Dragos, ransomware actors targeted more than 3,300 industrial entities over the past year, with 119 separate ransomware groups involved. Manufacturers accounted for over two-thirds of those affected organizations.

Similarly, UK-based cybersecurity company Sophos reported a significant rise in attacks against manufacturing firms. The company stated, “[In 2025], Sophos X-Ops has observed ransomware activity across leak sites and found that 99 distinct threat groups targeted manufacturing organizations. The most prominent groups targeting manufacturing organizations based on leak site observations are [Akira, Qilin, and Play],” the UK-based cybersecurity company shared in December 2025.

Sophos further emphasized the growing use of double extortion tactics, noting, “Over half of the ransomware incidents handled by Sophos Emergency Incident Response involved both data theft and data encryption, underscoring the continued rise of double extortion tactics where stolen data is held to ransom and threatened with publication on a leak site.”

Beyond financially motivated cybercriminal groups, the semiconductor supply chain has increasingly drawn attention from state-sponsored threat actors seeking to obtain valuable intellectual property, including proprietary chip designs and specialized manufacturing processes.
Read more »
Korea
Bitcoin Bitcoin Cyber Threat Bithumb cryptocurrency Cryptocurrency news Cyber Security digital currency Financial Regulators Korea

Bithumb Error Sends 620,000 Bitcoins to Users, Triggers Regulatory Scrutiny in South Korea

 

A huge glitch at Bithumb, South Korea’s second-biggest digital currency platform, triggered chaos when users suddenly found themselves holding vast quantities of bitcoin due to a flawed promotion. Instead of issuing minor monetary rewards, a technical oversight allowed 620,000 bitcoins to be wrongly allocated. Regulators quickly stepped in, launching investigations as the scale of the incident became clear. Recovery efforts are now underway for assets exceeding $40 billion, stemming directly from the mishap. Legal pressure mounts on the firm while authorities assess compliance failures. What began as a routine marketing effort has turned into one of the largest operational blunders in crypto trading history.  

On 6 February, a mistake unfolded amid a promotion meant to give rewards to 695 qualifying users - totaling 620,000 Korean won, about $423. Instead of using local currency, one employee typed in bitcoin by accident; this shifted the reward value dramatically. What should have been small bonuses became 620,000 bitcoins, valued around $42 billion then. Among those who qualified, nearly half accessed their digital boxes before anyone noticed. These 249 people ended up with massive deposits, exceeding the entire crypto balance held by the platform. 

Bithumb said it fixed many incorrect deposits through adjustments in its internal records. Still, regulators noted approximately 13 billion won - about $9 million - was unaccounted for, lost when certain users moved or cashed out funds prior to detection. During the half-hour span before freezing actions began, 86 individuals allegedly offloaded close to 1,788 bitcoins, sparking temporary shifts in pricing across the site's trading system. 

Criticism came fast once news broke. "Catastrophic" was the word used by Lee Chan-jin - head of South Korea’s Financial Supervisory Service - to describe what happened to those who offloaded their bitcoin. With prices climbing afterward, people forced to give back holdings might now owe money instead. Not just a one-off error, according to Lee; it revealed deeper flaws in how crypto platforms handle internal ledgers and transaction safeguards. 

Disagreement persists among legal professionals regarding possible criminal consequences for users who withdrew accidentally deposited bitcoin. Though crypto assets were central to a 2021 South Korean high court decision, their exclusion from the definition of "property" in penal statutes muddies enforcement paths. Instead of pursuing drawn-out lawsuits, Bithumb initiated private talks with around eighty individuals who converted the digital value into local currency, asking repayment in won amounts. 

Now probing deeper, the Financial Supervisory Service has opened a comprehensive review; meanwhile, lawmakers in Seoul will hold an urgent session on 11 February to press officials and platform leaders for answers. Speaking publicly, Bithumb admitted changes are underway - its payout systems being rebuilt, oversight tightened - even though they insist no cyberattack occurred nor did outside actors gain access.
Read more »
Global Economy
ai strategy AI Training CISO Cyber Security ec Council Global Economy

EC-Council Introduces AI Training Programs as Demand for Skilled Professionals Grows

 



As artificial intelligence becomes embedded in daily business functions, concerns are growing over whether the workforce is adequately prepared to manage its risks and responsibilities. EC-Council has announced the launch of four new AI-focused certifications along with an updated Certified CISO v4 program, marking the largest single expansion in the organization’s 25-year history.

The rollout comes amid projections that unmanaged AI-related vulnerabilities could expose the global economy to as much as $5.5 trillion in risk, according to industry estimates attributed to IDC. At the same time, analysis from Bain & Company suggests that approximately 700,000 workers in the United States will require reskilling in AI and cybersecurity disciplines to meet rising demand.

Global institutions including the International Monetary Fund and the World Economic Forum have identified workforce capability as a primary constraint on AI-driven productivity, arguing that the barrier is no longer access to technology but access to trained professionals.

Security threats are escalating in parallel with adoption. Reports indicate that 87 percent of organizations have encountered AI-enabled cyberattacks. Additionally, generative AI-related network traffic has increased by 890 percent, significantly expanding potential attack surfaces. Emerging risks include prompt injection attacks, data poisoning, manipulation of machine learning models, and compromise of AI supply chains.

The new Enterprise AI Credential Suite is structured around EC-Council’s operational framework described as Adopt, Defend, and Govern. The “Adopt” pillar emphasizes structured and safeguarded AI deployment. “Defend” focuses on protecting AI systems from evolving threats. “Govern” integrates oversight, accountability, and risk management mechanisms into AI systems from the design stage.

Artificial Intelligence Essentials serves as the foundational certification, aimed at building practical literacy and responsible AI usage across professional roles. The Certified AI Program Manager credential prepares professionals to convert AI strategy into coordinated implementation, ensuring governance alignment and measurable return on investment.

The Certified Offensive AI Security Professional program trains specialists to identify vulnerabilities in large language models, simulate adversarial techniques, and strengthen AI infrastructure. The Certified Responsible AI Governance and Ethics certification centers on enterprise-scale oversight and compliance, referencing established standards such as those developed by NIST and ISO.

Certified CISO v4 has also been updated to prepare executive leaders for AI-integrated risk environments, where intelligent systems influence operational and strategic decisions. According to EC-Council leadership, security executives must now manage adaptive systems that evolve rapidly and require clear governance accountability.

The initiative aligns with U.S. federal priorities outlined in Executive Order 14179, the July 2025 AI Action Plan’s workforce development pillar, and Executive Orders 14277 and 14278, all of which emphasize expanding AI education pathways and strengthening job-ready skills across professional and skilled trade sectors.

AI expertise remains geographically concentrated, with 67 percent of U.S. AI talent located in just 15 cities, while women account for 28 percent of the workforce, underlining ongoing participation disparities.

Founded in 2001, EC-Council is known for its Certified Ethical Hacker credential. The organization holds ISO/IEC 17024 accreditation and reports certifying more than 350,000 professionals globally, including personnel within government agencies, the Department of Defense under DoD 8140 baseline recognition, and Fortune 100 companies.

As AI transitions from experimentation to infrastructure, workforce readiness and governance capability are increasingly central to secure and sustainable deployment.

Read more »
Subscribe to: Comments (Atom)