Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyberhackers. Show all posts
Technology
AI AI vulnerabilities API Artificial Intelligence CERT-In CyberCrime Cyberhackers CyberThreat Technology

AI as a Key Solution for Mitigating API Cybersecurity Threats

 


Artificial Intelligence (AI) is continuously evolving, and it is fundamentally changing the cybersecurity landscape, enabling organizations to mitigate vulnerabilities more effectively as a result. As artificial intelligence has improved the speed and scale with which threats can be detected and responded, it has also introduced a range of complexities that necessitate a hybrid approach to security management. 

An approach that combines traditional security frameworks with human-digital interventions is necessary. There is one of the biggest challenges AI presents to us, and that is the expansion of the attack surface for Application Programming Interfaces (APIs). The proliferation of AI-powered systems raises questions regarding API resilience as sophisticated threats become increasingly sophisticated. As AI-driven functionality is integrated into APIs, security concerns have increased, which has led to the need for robust defensive strategies. 

In the context of AI security, the implications of the technology extend beyond APIs to the very foundation of Machine Learning (ML) applications as well as large language models. Many of these models are trained on highly sensitive datasets, raising concerns about their privacy, integrity, and potential exploitation. When training data is handled improperly, unauthorized access can occur, data poisoning can occur, and model manipulation may occur, which can further increase the security vulnerability. 

It is important to note, however, that artificial intelligence is also leading security teams to refine their threat modeling strategies while simultaneously posing security challenges. Using AI's analytical capabilities, organizations can enhance their predictive capabilities, automate risk assessments, and implement smarter security frameworks that can be adapted to the changing environment. By adapting to this evolution, security professionals are forced to adopt a proactive and adaptive approach to reducing potential threats. 

Using artificial intelligence effectively while safeguarding digital assets requires an integrated approach that combines traditional security mechanisms with AI-driven security solutions. This is necessary to ensure an effective synergy between automation and human oversight. Enterprises must foster a comprehensive security posture that integrates both legacy and emerging technologies to be more resilient in the face of a changing threat landscape. However, the deployment of AI in cybersecurity requires a well-organized, strategic approach. While AI is an excellent tool for cybersecurity, it does need to be embraced in a strategic and well-organized manner. 

Building a robust and adaptive cybersecurity ecosystem requires addressing API vulnerabilities, strengthening training data security, and refining threat modeling practices. A major part of modern digital applications is APIs, allowing seamless data exchange between various systems, enabling seamless data exchange. However, the widespread adoption of APIs has also led to them becoming prime targets for cyber threats, which have put organizations at risk of significant risks, such as data breaches, financial losses, and disruptions in services.

AI platforms and tools, such as OpenAI, Google's DeepMind, and IBM's Watson, have significantly contributed to advancements in several technological fields over the years. These innovations have revolutionized natural language processing, machine learning, and autonomous systems, leading to a wide range of applications in critical areas such as healthcare, finance, and business. Consequently, organizations worldwide are turning to artificial intelligence to maximize operational efficiency, simplify processes, and unlock new growth opportunities. 

While artificial intelligence is catalyzing progress, it also introduces potential security risks. In addition to manipulating the very technologies that enable industries to orchestrate sophisticated cyber threats, cybercriminals can also use those very technologies. As a result, AI is viewed as having two characteristics: while it is possible for AI-driven security systems to proactively identify, predict, and mitigate threats with extraordinary accuracy, adversaries can weaponize such technologies to create highly advanced cyberattacks, such as phishing schemes and ransomware. 

It is important to keep in mind that, as AI continues to grow, its role in cybersecurity is becoming more complex and dynamic. Organizations need to take proactive measures to protect their organizations from AI attacks by implementing robust frameworks that harness its defensive capabilities and mitigate its vulnerabilities. For a secure digital ecosystem that fosters innovation without compromising cybersecurity, it will be crucial for AI technologies to be developed ethically and responsibly. 

The Application Programming Interface (API) is the fundamental component of digital ecosystems in the 21st century, enabling seamless interactions across industries such as mobile banking, e-commerce, and enterprise solutions. They are also a prime target for cyber-attackers due to their widespread adoption. The consequences of successful breaches can include data compromises, financial losses, and operational disruptions that can pose significant challenges to businesses as well as consumers alike. 

Pratik Shah, F5 Networks' Managing Director for India and SAARC, highlighted that APIs are an integral part of today's digital landscape. AIM reports that APIs account for nearly 90% of worldwide web traffic and that the number of public APIs has grown 460% over the past decade. Despite this rapid proliferation, the company has been exposed to a wide array of cyber risks, including broken authentication, injection attacks, and server-side request forgery. According to him, the robustness of Indian API infrastructure significantly influences India's ambitions to become a global leader in the digital industry. 

“APIs are the backbone of our digital economy, interconnecting key sectors such as finance, healthcare, e-commerce, and government services,” Shah remarked. Shah claims that during the first half of 2024, the Indian Computer Emergency Response Team (CERT-In) reported a 62% increase in API-targeted attacks. The extent of these incidents goes beyond technical breaches, and they represent substantial economic risks that threaten data integrity, business continuity, and consumer trust in addition to technological breaches.

Aside from compromising sensitive information, these incidents have also undermined business continuity and undermined consumer confidence, in addition to compromising business continuity. APIs will continue to be at the heart of digital transformation, and for that reason, ensuring robust security measures will be critical to mitigating potential threats and protecting organisational integrity. 


Indusface recently published an article on API security that underscores the seriousness of API-related threats for the next 20 years. There has been an increase of 68% in attacks on APIs compared to traditional websites in the report. Furthermore, there has been a 94% increase in Distributed Denial-of-Service (DDoS) attacks on APIs compared with the previous quarter. This represents an astounding 1,600% increase when compared with website-based DDoS attacks. 

Additionally, bot-driven attacks on APIs increased by 39%, emphasizing the need to adopt robust security measures that protect these vital digital assets from threats. As a result of Artificial Intelligence, cloud security is being transformed by enhancing threat detection, automating responses, and providing predictive insights to mitigate cyber risks. 

Several cloud providers, including Google Cloud, Microsoft, and Amazon Web Services, employ artificial intelligence-driven solutions for monitoring security events, detecting anomalies, and preventing cyberattacks.

The solutions include Chronicle, Microsoft Defender for Cloud, and Amazon GuardDuty. Although there are challenges like false positives, adversarial AI attacks, high implementation costs, and concerns about data privacy, they are still important to consider. 

Although there are still some limitations, advances in self-learning AI models, security automation, and quantum computing are expected to raise AI's profile in the cybersecurity space to a higher level. The cloud environment should be safeguarded against evolving threats by using AI-powered security solutions that can be deployed by businesses.
Read more »
Technology
Authentication Cyber Defence Cyberhackers Cybersecurity Rubrik Security Alert Technology

Security Update from Rubrik as Authentication Keys Are Reissued

 


In a recent report, Rubrik revealed that, last month, an unauthorized security incident compromised one of its log file servers. Rubrik has taken immediate and proactive steps to mitigate potential risks in response to this breach. As part of its remediation efforts, Rubrik has begun rotating all exposed authentication keys, which are designed to prevent potential malicious actors from exploiting these keys. 

A precautionary measure is taken by the company as a precaution to safeguard its systems and make sure that unauthorized entities cannot use the compromised credentials to gain access to the systems. As a part of its efforts to enhance its resilience against future threats, the company is actively assessing its security posture in an attempt to maintain the highest cybersecurity standards. 

This corrective action will reinforce Rubrik's commitment to protecting its infrastructure and safeguarding the integrity of its data security framework by enabling it to implement these corrective actions swiftly. 

Rubrik’s Growth, Financial Success, and Security Measures 


The company was founded in 2014 as a backup and recovery provider but has since grown into a leading security and data protection company. In the fourth quarter of Rubrik's fiscal year, ending October 31, 2024, the company raised $725 million from its initial public offering. In this quarter, Rubrik reported revenues of $236.2 million, which indicated strong market growth, which was a key indicator of Rubrik's growth. 

A security breach in Rubrik occurred in 2023 when a zero-day vulnerability (CVE-2023-0669) in Fortra's GoAnywhere MFT software gave threat actors access to Rubrik's non-production testing environment, allowing them to access Rubrik's non-production IT testing environment. While the Cl0p ransomware group has taken responsibility for this, Rubrik continues to strengthen its cybersecurity framework, which ensures that customer data is protected and that threats are mitigated at an early stage, resulting in an ongoing cybersecurity framework. 

With the launch of advanced innovations, Rubrik has made a major contribution to strengthening the cyber resilience of cloud-based, SaaS, and on-premises environments. Continuing its commitment to strengthening cyber resilience, Rubrik (NYSE: RBRK) has unveiled a series of groundbreaking innovations designed to enhance data security across several cloud, software-as-a-service (SaaS), and on-premises infrastructures. 

In addition to these enhancements, there are enhancements specifically designed to empower organizations with higher levels of capability in anticipating security breaches, identifying emerging threats, and enacting rapid, efficient recovery, regardless of where the data is located. 

As part of Rubrik's annual Cyber Resilience Summit on March 5, this company will unveil its advanced data protection solutions that are set for release during the event. This will be the first time industry leaders and cybersecurity professionals will be able to gain insight into the company's latest advances in data protection technology. 

Rubrik’s Global Presence and Industry Impact 


In the field of cybersecurity, Rubrik is a world-class company that offers backup, recovery, and data protection services. The company has established itself as a trusted partner for businesses throughout the world thanks to its strong team of more than 3,000 people. With more than 22 global offices, the organization provides cutting-edge solutions to a variety of businesses. 

With over 6,000 clients, Rubrik serves a diverse array of companies and institutions across the globe, including leading global corporations such as AMD, Adobe, PepsiCo, Home Depot, Allstate, Sephora, GSK, Honda, Harvard University, and TrelliX, among others. In an increasingly digital landscape, Rubrik is constantly innovating and expanding its security capabilities, which strengthens the company's mission of providing robust, scalable, and intelligent cybersecurity solutions. 

Rubrik Investigates Security Incident Involving Log Server Compromise 


Earlier this week, Rubrik published a security alert detailing the discovery of unusual activity on a server that stored log files. According to Rubrik's Information Security Team, the incident was first identified by cybersecurity expert Kevin Beaumont, who first reported the findings to Rubrik. As soon as the team at Rubrik detected abnormal behavior on the affected server, it immediately took it offline to eliminate any potential risks that could have occurred. 

The investigation conducted by an independent forensic cybersecurity firm, in collaboration with a forensic investigator, has revealed that the event was limited to this single server. A company spokesperson confirmed that no evidence of unauthorized access to customer data or internal code by anyone was found.

Precautionary Measures and Security Enhancements 


While Rubrik admits that the breach was confined to its log server, some log files contained access information even though Rubrik's log server was the only point of vulnerability. The company appears to be taking proactive steps to protect its system against unauthorized access, such as rotating authentication keys. However, it remains unclear how the server was compromised and what information about access has been revealed. 

Cybersecurity Dive received a further reply from Rubrik, and the company responded that, at this time, there is no indication that the information exposed has been exploited. Furthermore, it has been discovered that no signs of threat actors gaining access to Rubrik's internal development environment or customer data have been identified during the ongoing investigation.

Past Security Incidents


Several years ago, Rubrik was one of the organizations affected by the Fortra GoAnywhere vulnerability in 2023, a large-scale data breach orchestrated by the Clop ransomware group. This is not the first time Rubrik has been the target of a security event. Fortra's managed file transfer software was exposed to a zero-day vulnerability during that attack, which resulted in data theft by multiple enterprises, including Rubrik, due to a zero-day vulnerability. 

While these incidents have occurred, the company continues to implement robust security measures to ensure its cyber resilience as well as ensure that its infrastructure is protected against evolving threats in the future. 

Rubrik Unveils Advanced Data Protection and Security Enhancements 


With a range of cutting-edge innovations, Rubrik offers unmatched security, resilience, and cyber threat mitigation capabilities for the protection of critical data: 

Cloud Posture Risk Management (CPR) is an automated service for discovering, inventorying, and protecting cloud data assets based on their cloud standards. 

Cloud Protection for Oracle: Enhances Rubrik Security Cloud (RSC) capability to help safeguard the Oracle Cloud Infrastructure (OCI) databases and the Oracle Cloud VMware Solution (OCVS) databases. 

The PostgreSQL Data Protection solution helps to protect data in one of the most widely used open-source databases through robust backup security. 

The Red Hat OpenShift Back Up service provides immutable, automated backups for environments running on the Kubernetes container engine. 

A great way to back up CI/CD environments with Azure DevOps and GitHub Backup is to use Resilient Backup & GitHub Backup. 

RCV (Rubrik Cloud Vault) for Amazon Web Services: Provides air-gapped, encrypted, as well as policy-driven preservation of files. 

Data protection is strengthened by Microsoft Dynamics 365 Security - protecting data both within the organization and from customers. 

Using Salesforce Sandbox Seeding ensures that data migration from live application environments to sandboxes is efficient and error-free. 

Recovering the identity of an individual is quick, easy and malware-free thanks to Active Directory Recovery (AD) and Entra ID recovery. 

An advanced security solution for Azure & AWS that combines anomaly detection, data classification, and threat monitoring for the most specific threats.

'Turbo Threat Hunting': Delivers a rapid malware free recovery, scanning 75,000 backup files in just 60 seconds to ensure data remains safe. 
Introducing Microsoft 365 Enterprise Edition, which offers Sensitive Data Discovery, Prioritized Recovery, and Threat Intelligence tools. 

These enhancements further reinforce Rubrik's commitment to supporting proactive cyber resilience by providing secure data protection. Rubrik's proactive responses to security incidents and ongoing research in data protection also reinforce this commitment. 

A company's ability to quickly address vulnerabilities and introduce advanced security solutions sets new standards for threat detection, rapid recovery, and intelligent data protection. As cyber threats continue to evolve, organizations must prioritize strong security strategies using cutting-edge technology such as Turbo Threat Hunting and Identity Recovery to ensure their customers are protected from threats. 

It is Rubrik's steadfast commitment to safeguarding enterprise data that enables businesses to navigate digital challenges with a degree of confidence, agility, and resilience that sets it apart.
Read more »
Telegram
Crypto CyberCrime Cyberhackers Cybersecurity CyberThreat Desert Dexter IT malware Telegram

Malware Alert as Desert Dexter Strikes Over 900 Victims Worldwide

 


Several countries in the Middle East and North Africa have been targeted by an advanced Trojan named Desert Dexter, identified by security experts at Positive Technologies. This malware campaign has compromised nearly 900 victims as a result of its sophisticated campaign. The AsyncRAT malware campaign began in September 2024 to spread a modified variant of the malware using social media platforms and geopolitical tensions in an attempt to exploit these platforms. 

Using deceptive tactics to lure unsuspecting users, hackers exploit the vulnerabilities in the Internet, highlighting the growing threat posed by cyber espionage and political cyberattacks. The Positive Technologies Expert Security Center (PT ESC) has discovered and analyzed a new malware campaign that has been orchestrated to target individuals in the Middle East and North Africa (MENA) region with the primary aim of infecting their systems and exfiltrating sensitive data as a result. 

The campaign has been active since September 2024 and has been using a modified version of AsyncRAT to compromise victims' systems and steal sensitive information. On social media, attackers disguised themselves as legitimate news outlets to spread malware, crafting misleading promotional posts containing links to file-sharing services and Telegram channels, which allowed them to spread malware. 

Once executed, the malware extracts cryptocurrency wallet credentials and establishes communications with a Telegram bot, enabling remote data theft and control over cryptocurrency wallets. About 900 individuals have been reported to be affected by this malware, primarily everyday users. The investigation indicates a significant number of victims are employees from key industries, including oil and gas, construction, information technology, and agriculture. This raises concerns about espionage and financial fraud, which could occur in these industries. 

Based on a geographical analysis of the infections, Libya (49%) has been the worst hit, followed by Saudi Arabia (17%), Egypt (10%), Turkey (9%), the UAE (7%), and Qatar (5%) with additional cases reported across other regions. This attack is widespread, which shows that cybercriminals are evolving their tactics, and enhanced cybersecurity measures are necessary to keep them from harm. This malicious campaign was orchestrated by the Desert Dexter threat group, a group that is named after a single employee suspected of running it. 

It was discovered by cybersecurity researchers that hackers were using temporary accounts and fake news channels to evade advertising filters and disseminate malicious content on Facebook, which enabled them to evade ad filtering mechanisms. There was a similar campaign reported in 2019, however this latest operation seems to incorporate enhancements aimed at improving the efficiency and impact of the malware. 

According to Denis Kuvshinov, Head of Threat Intelligence at Positive Technologies, the attack follows a multi-stage approach that involves several steps and attacks. The initial victim is lured to a file-sharing service or Telegram channel, where a RAR archive containing malicious files is downloaded unintentionally, causing them to unknowingly download them. 

After the files are executed, they install a modified version of AsyncRAT, which gathers data about the system, transmits it to the threat actors' Telegram bot, and then distributes it to them. This variant of AsyncRAT contains the upgraded IdSender module specifically designed for cryptocurrency wallet extensions, two-factor authentication plugins, and wallet management software that are specifically targeted by the latest version. 

Although Desert Dexter's campaign's success has been largely attributed to the use of social media advertising and legitimate online services, which are not highly technical, the tools used by the organization have not been highly sophisticated. There is an attack underway by malicious actors targeting both individuals and high profile officials within the Middle East and North Africa (MENA) region as a result of geopolitical tensions within the region. 

Due to ongoing political instability throughout the MENA region, cyber threats remain a top priority, with phishing campaigns increasingly focusing on politically charged themes to deceive and compromise victims in the region. While the majority of individuals involved in the cyberattack seem to be everyday consumers, cybersecurity researchers have identified individuals across a wide variety of industries, including those involved in oil production, construction, technology, and agriculture, who have also been affected by the cyberattack. 

With the widespread scale of these infections, it is clear that social engineering techniques are effective at deceiving victims and geopolitical narratives. Through the application of these tactics, the attackers managed to successfully infiltrate multiple devices in multiple countries, even though they utilized relatively simple tools. There is a malware campaign that is continuing to succeed, and cybersecurity experts are urging everyone to exercise caution when confronted with unverified links or attachments, particularly those that claim to contain sensitive political material. 

Several organizations operating within the affected regions are advised to adopt proactive cybersecurity strategies, enhance employee awareness regarding cybersecurity threats, and implement robust security protocols for mitigating the risks posed by this and similar emerging threats that are being faced by these organizations.
Read more »
Vulnerabilities and Exploits
Cyberattacks CyberCrime Cyberhackers CyberThreat Cyersecurity Qualcomm Vulnerabilities and Exploits

Qualcomm Identifies and Patches Critical Security Issues in Latest Update

 


Several vulnerabilities were identified in Qualcomm's latest security update for March 2025 that impacted many products, including automotive systems, mobile chipsets, and networking devices. There are several critical security issues in this security bulletin, including memory corruption risks and input validation flaws that could pose a significant security risk if exploited to compromise the system. 

The Qualcomm Security Updates are intended to improve the security of Qualcomm's technology ecosystem as well as strengthen its protection against possible cyber threats. There had been multiple security vulnerabilities identified and resolved by Qualcomm and MediaTek over the last few weeks, some of which had already been addressed by their respective Android updates, which were deployed in the previous weeks. 

Qualcomm released the March 2025 Security Bulletin, which outlined 14 vulnerabilities, all of which were addressed via upstream updates to its proprietary software, highlighting the serious potential risks associated with these security vulnerabilities. These security flaws are most of the time classified as critical or high severity, highlighting the seriousness of the threat they pose to users. Several of the vulnerabilities identified by Qualcomm include memory corruption, affecting Qualcomm's automotive software platform based on the QNX operating system.

Qualcomm has also released patches to resolve five high-severity vulnerabilities, which could result in information disclosures, denial-of-service (DoS) attacks, and memory corruption as a result. Furthermore, two moderate-severity flaws have been addressed as part of the latest security updates launched by the semiconductor manufacturer. 

The semiconductor manufacturer has also resolved seven high-severity defects and six medium-severe defects within open-source components launched by the manufacturer. As a result of these security patches, Qualcomm emphasized that OEMs (original equipment manufacturers) are being actively notified of the updates and urged them to implement the fixes on deployed devices as soon as possible. 

It is noteworthy that Google's March 2025 Android security update addressed three of the identified vulnerabilities: CVE-2024-43051, CVE-2025-53011, and CVE-2024-53025. It has been revealed that MediaTek has discovered ten security vulnerabilities that impact multiple chipsets. As part of the release of the company's fixes, three high-severity issues have been found, including a memory corruption flaw in modems, which can lead to DoS attacks, as well as an out-of-bounds write vulnerability in KeyInstall and WLAN, which can lead to escalation of privileges. 

This security bulletin from Qualcomm not only addresses vulnerabilities identified in proprietary software, but also vulnerabilities in open-source components that Qualcomm's products are integrated with. There are several security flaws affecting Android operating systems, camera drivers, and multimedia frameworks, among others. Qualcomm intends to mitigate the potential risks of these vulnerabilities by informing its customers and partners and strongly urging that patches be deployed as soon as possible to mitigate these risks. 

Users of Qualcomm-powered devices should check with their device manufacturers to learn about the availability of security updates and patches for those devices. During the last few months, Qualcomm has released a series of security updates demonstrating its commitment to increasing cybersecurity across all its product lines. By addressing critical vulnerabilities and working closely with original equipment manufacturers (OEMs) to facilitate timely patch deployments, the company aims to decrease security risks and enhance the integrity of its systems. 

As the threat of cyber-attacks continues to evolve, maintaining robust security measures through regular updates is imperative. According to Qualcomm, their users are encouraged to stay informed about security developments and to ensure they get the latest patches installed on their devices to prevent any possible exploitation of the vulnerabilities. In addition, organizations that are utilizing Snapdragon-powered systems are also encouraged to make sure that these updates are implemented promptly as a means of ensuring that their technology infrastructure is secure and reliable.
Read more »
Technology
CyberCrime Cyberhackers Cybersecurity CyberThreat Koi Stealer macOS RustDoor Software Target Crypto Technology

North Korea-Linked Hackers Target Crypto with RustDoor and Koi Stealer

 


A significant amount of malware has become a common threat to Mac OS systems in today’s rapidly developing threat landscape. The majority of these threats are associated with cybercriminal activities, including the theft of data and the mining of cryptocurrencies without consent. As of recently, cybercrime operations have been attributed to groups of advanced persistent threat (APT) groups that are sponsored by the North Korean government. 

In addition to this trend, the Federal Bureau of Investigation (FBI) recently issued a public service announcement regarding North Korean social engineering campaigns. In many of these attacks, deceptive tactics are used to manipulate victims into divulging sensitive information or allowing access to the system. This type of attack is usually carried out using deceptive tactics. As such, there have been increasing numbers of such incidents targeting software developers within the cryptocurrency industry, specifically those seeking employment opportunities, in a growing number of such incidents. 

In my view, these sophisticated cyber threats, originating from North Korean threat actors, demonstrate the persistence and evolution of these threats. Known as CL-STA-240, or Contagious Interview, the cyber campaign aims to infiltrate macOS systems with advanced malware strains, including RustDoor and Koi Stealer. It is known that these malicious programs have been specifically designed to exfiltrate sensitive data and can use sophisticated techniques to avoid detection within the macOS environment while doing so. As a result of this campaign's technical proficiency, it reinforces the fact that threats targeting the Apple ecosystem are becoming increasingly complex as time passes. 

he threat actors responsible for this operation are utilizing social engineering as a primary attack vector. By impersonating recruiters or potential employers, they can trick job seekers, especially those working in the cryptocurrency industry, into installing the compromised software unintentionally. It is through this deceptive strategy that attackers can gain access to critical data while maintaining operational stealth. 

These manipulative strategies are becoming increasingly popular, highlighting the persistent threat that state-sponsored cybercriminal groups, especially those linked to North Korea, continue to pose as they continue to refine their methods to exploit human vulnerability to continue their operation. In the course of this cyber campaign, researchers have revealed that Rust-based malware, referred to as RustDoor, is hiding inside legitimate software updates to evade detection. In addition, researchers have discovered that there was an undocumented macOS variant of the Koi Stealer malware that has been discovered for the first time in recent years. 


A recent investigation uncovered rare techniques for evasion, including manipulating macOS system components to conceal their presence and remain undetected. These sophisticated tactics underscore the increasing sophistication of threats aimed at Mac OS. In the past year, several reports have linked North Korean threat actors to cyberattacks targeting job seekers, which are based on the characteristics and methodologies observed in this campaign. 

According to the available evidence, analysts can rely on a moderate degree of confidence that this attack was carried out to further North Korean state-sponsored cyber objectives. By using social engineering to target job seekers, these adversaries are further proving that they are involved in an extensive pattern of attacks. An in-depth technical analysis of the recently identified Koi Stealer macOS variant was performed in this research, which provides an in-depth picture of the attackers’ activities in compromised environments. 

In addition, Cortex XDR is used to examine the various stages of the attack to provide an understanding of the investigation. A suite of advanced security solutions offered by Palo Alto Networks, an established leader in network security solutions, helps Palo Alto Networks' customers protect themselves from these evolving threats, including applications such as: Two products offer enhanced detection and responding capabilities - Cortex XDR and XSIAM. Computer-based security services for firewalls, such as Advanced WildFire, Advanced DNS Security, and Advanced URL Filtering that provide proactive defense against malicious activities. 

The use of these security solutions can help organizations greatly strengthen their defenses against RustDoor, Koi Stealer, and similar malware threats targeting MacOS environments. Often, victims are tricked into downloading malware disguised as legitimate software development tools in the form of fake job interviews associated with this campaign, which results in the infection process starting with a fake job interview. The attackers were particularly noteworthy for using malicious Visual Studio projects, which is a strategy previously documented in similar cyber campaigns analyzed by Jamf Threat Labs. 

When the RustDoor malware is executed, it establishes persistence within the system and attempts to exfiltrate sensitive user information, which is one of the first steps toward completing its operations. Researchers have discovered that the threat actors have attempted to execute several variants of the malware throughout the investigation. As a result of this adaptive behavior, it appears to me that attackers are continuously adapting their approach in response to security controls and detection mechanisms in place.

According to security researchers, when the Cortex XDR was blocked for the initial attempt at infiltration, adversaries quickly tried to re-deploy and execute additional malware payloads to circumvent detection by redeploying and executing additional malware payloads. RustDoor Infection Stages An infection process that involves two RustDoor binaries being executed in hidden system directories to avoid detection of the malware is the process by which the RustDoor malware operates. 

Another stage involves the deployment of additional payloads, such as a reverse shell, that allows attackers to gain remote access. Several sensitive data sets were stolen, and the attackers specifically targeted credentials stored in web browsers, such as LastPass data from Google Chrome, as well as exfiltrating the information into command and control servers under their control. As part of this campaign, it was discovered that an IP address known as 31.41.244[.]92 has previously been used to conduct cybercriminal activities. This was one of our most significant findings. 

The threat has also been associated with the RedLine Stealer infostealer campaign, which further reinforces the sophisticated nature of the ongoing threats that have been identified. The second malware strain identified, Koi Stealer, possesses advanced data exfiltration capabilities, as compared to the previously undocumented macOS variant. According to this discovery, it is clear that macOS-targeted malware continues to evolve and that robust cybersecurity measures are necessary to mitigate the risks posed by these sophisticated threats and help to minimize incidents. 


As a result of the Koi Stealer malware, a run-time string decryption mechanism is utilized by it. Throughout the binary code, there is a single function that is repeatedly invoked. In the decryption function, each character of a hard-coded key (xRdEh3f6g1qxTxsCfg1d30W66JuUgQvVti) is iterated sequentially from index 0 to index 33 and the XOR operation is applied between the key’s characters and the encrypted string's characters, in a way that is applied sequentially. 

To get a better understanding of how Koi Stealer behaves, researchers developed a custom decryption program that replicates the malware's logic to gain insight into the malware's behavior, along with the techniques it uses to disguise its true functionality. Using the same decryption routine, analysts were able to extract and analyze the decrypted strings with success, allowing a more comprehensive understanding of the malware’s capabilities and objectives. There are significant similarities between the code structure and execution flow of different versions of Koi Stealer, as shown by a comparison between the various variants. 

Each variant of malware was designed consistently to steal data. Each category of stolen information was contained within separate functions within each variant. This modular design indicates that the malware has been developed in a structured and organized manner, further proving its sophistication. Besides targeting common types of information stealers, Koi Stealer also has a specific interest in specific directories and configurations that are not commonly found in the information stealer world. 

Interestingly, both of the analyzed samples actively target user data from Steam and Discord, which indicates a deep interest in credentials related to gaming platforms and communication platforms. A wide range of targeted data demonstrates how versatile the malware is and how it is capable of being exploited for a wider range of purposes than traditional financial or credential thefts. The detailed breakdown of the notable decrypted strings and the additional technical findings found in Appendix C provides further insight into Koi Stealer's internal operations and goals, as well as providing additional insight into the company's internal operations.
Read more »
Technology
AI-driven cyberattacks Artificial Intelligence Bank CyberCrime Cyberhackers DBS Technology

AI-Driven Changes Lead to Workforce Reduction at Major Asian Bank

 


Over the next three years, DBS, Singapore's largest bank, has announced plans to reduce the number of employees by approximately 4,000 by way of a significant shift toward automation. A key reason for this decision was the growing adoption of artificial intelligence (AI), which will gradually replace human employees in performing functions previously performed by humans. 

Essentially, these job reductions will occur through natural attrition as projects conclude, affecting primarily temporary and contract workers. However, the bank has confirmed that this will not have any adverse effects on permanent employees. A spokesperson for DBS stated that artificial intelligence-driven advances could reduce the need for temporary and contract positions to be renewed, thereby resulting in a gradual decrease in the number of employees as project-based roles are completed. 

According to the bank's website, the bank employs approximately 8,000-9,000 temporary and contract workers and has a total workforce of around 41,000 workers. Former CEO Piyush Gupta has highlighted the bank's longstanding investment in artificial intelligence, noting that DBS has been leveraging artificial intelligence technology for over a decade. According to him, DBS has employed over 800 artificial intelligence models in 350 applications in the bank, with the expected economic impact surpassing S$1 billion by 2025 (US$745 million; £592 million). 

DBS is also changing leadership as Gupta, the current CEO of the bank, is about to step down at the end of March, and his successor, Tan Su Shan, will take over from him. Artificial intelligence is becoming increasingly widely used, which has brought about a lot of discussion about its advantages and shortcomings. According to the International Monetary Fund (IMF), artificial intelligence will influence approximately 40% of global employment by 2050, with Managing Director Kristalina Georgieva cautioning that, in most scenarios, AI could worsen economic inequality. 

According to the International Monetary Fund (IMF), AI could lead to a reduction in nearly 40% of global employment in the future. Several CEOs, including Kristalina Georgieva, have warned that, in many scenarios, artificial intelligence has the potential to significantly increase economic inequality. For this reason, concerns are being raised about its long-term social implications. The Governor of the Bank of England, Andrew Bailey, told the BBC in an interview that artificial intelligence shouldn't be viewed as a 'mass destruction' of jobs, but that human workers will adapt to evolving technologies as they become more advanced. 

Bailey acknowledged the risks associated with artificial intelligence but also noted its vast potential for innovation in a wide range of industries by highlighting its potential. It is becoming increasingly apparent that Artificial Intelligence will play a significant role in the future of employment, productivity, and economic stability. Financial institutions are evaluating the long-term effects on these factors as it grows. In addition to transforming workforce dynamics, the increasing reliance on artificial intelligence (AI) is also delivering significant financial advantages to the banking sector as a whole.

Investing in artificial intelligence could potentially increase the profits of banks by 17%, which could increase to $180 billion in combined earnings, according to Bloomberg. According to Digit News, this will increase their collective earnings by $170 billion. Aside from the substantial financial incentives, banks and corporations are actively seeking professionals with AI and data analytics skills to integrate AI into their operations.

According to the World Economic Forum's Future of Work report, technological skills, particularly those related to artificial intelligence (AI) and big data, are expected to become among the most in-demand skills within the next five years, especially as AI adoption accelerates. As an evolving labor market continues to evolve, employees are increasingly being encouraged to learn new skills to ensure job security. 

The WEF has recommended that companies invest in retraining programs that will help employees adjust to the new workplace environment; however, some organizations are reducing existing positions and recruiting AI experts to fill the gaps left by the existing positions. They are taking a more immediate approach than the WEF has recommended. AI has become increasingly prevalent across various industries, changing employment strategies as well as financial priorities as a result. 

With artificial intelligence continuing to change industries in several ways, its growing presence in the banking sector makes it clear just how transformative it has the potential to be and the challenges that come with it. It is clear that AI is advancing efficiency and financial performance of companies; however, this integration is also forcing organizations to reevaluate their workforce strategies, skill development, and ethical considerations related to job displacement and economic inequality. 

There must be a balance struck between leveraging technological advancements and ensuring a sustainable transition for employees who will be affected by automation. To prepare the workforce for the future of artificial intelligence, governments, businesses, and educational institutions must all play a critical role. A significant amount of effort must be put into reskilling initiatives, policies that support equitable workforce transitions, and an ethical AI governance framework to mitigate the risks associated with job displacement. In addition, the advancement of artificial intelligence, industry leaders, and policymakers can help promote a more inclusive and flexible labor market. 

Financial institutions continue to embrace the technology for its efficiency and economic benefits, but they must also remain conscious of its impact on society at large. For technological progress to become a significant factor in long-term economic and social stability, it will be essential to plan for the workforce early, ethically deploy ethical AI, and upskill employees.
Read more »
Vulnerability
CyberCrime Cyberhackers Cybersecurity CyberThreat Internet of Things Password Privacy Security Security Risk Vulnerability

Default Password Creates Major Security Risk for Apartment Complexes

 


Under research conducted by security researchers, it was discovered that a widely used door access control system includes an inherently insecure default password. Thousands of buildings across the country have insecure default passwords that can be accessed easily and remotely by anyone. It was discovered by Eric Daigle that there is still a lot of residential and commercial properties in North America that have not yet modified the default passwords for their access control systems, many of them are not even aware that this is a good idea.   

When security researcher Eric Daigle examined an apartment building’s access control panel, he inadvertently discovered one of the most concerning security issues in recent years while inspecting the access control panel. Initially, a routine observation while waiting for a ferry led to the discovery of a critical security flaw affecting hundreds of residential buildings across the country, which caused a widespread financial loss for thousands of people.

In late last year, Eric Daigle became interested in the system when he noticed an unusual access control panel on his normal daily activities. He conducted a short online search for “MESH by Viscount” and found a sales page for its remote access capability, followed by the discovery of a PDF installation guide available for download. It is typical for access control systems to be configured with a default password, which administrators are supposed to change to match their credentials. 

However, Daigle observed that the installation manual did not provide clear instructions regarding how these credentials were to be modified. It was later revealed, after further investigation into the user interface's login page title, that multiple publicly accessible login portals are available for this product. Alarmingly, as a result of this research, he was able to access the first one with default credentials, which highlights a critical security vulnerability. 

The Enterphone MESH door access system is currently owned by Hirsch, and Hirsch has announced that to address this security vulnerability, a software patch will be released shortly that will require users to change their default password, as soon as possible. An internet-connected device will often have a default password, which is often included in the product manual to facilitate the initial setup process. 

There is, however, a significant security risk in requiring end users to manually update these credentials, since if they fail to do so, their systems can be vulnerable to unauthorized access. Hirsch’s door access solutions are not prompted to customers when they are installed, nor are they required to modify the default passwords, leaving many systems at risk of unauthorized access. This vulnerability had been discovered by security researcher Eric Daigle, based on the findings he made, according to his findings. 

The vulnerability has been designated as CVE-2025-26793 as a result of his findings. Modern building security systems have become increasingly integrated with the Internet of Things (IoT) technology, especially in apartment complexes seeking a more advanced alternative to traditional phone-line-based access control systems. Among these key fob systems, Hirsch Mesh features a web-based portal that enables the use of key fobs throughout a large building to be tracked and logged, as well as allowing remote access to various entry points also within the building to be controlled remotely. 

The accessibility of the system's default login credentials, however, raises a crucial security concern because they are openly published in the installation manual, which is easily accessible via an online search, as the installer provides a list of the default login credentials. While waiting at a bus stop for his bus, Eric Daigle made a quick internet search based on the name of the product displayed on the security terminal of the apartment complex across the street. He located the manual in just a few minutes, which identified a way to circumvent the building's security measures. This highlighted a significant flaw in the system's design, leading to a serious risk of abuse. 

The default password that is set on internet-connected devices has historically posed a significant security threat because unauthorized individuals can gain access under the guise of legitimate users, leading to data breaches or the possibility of malicious actors hijacking these devices to carry out large-scale cyberattacks. In recent years, there have been several governments, including the UK, Germany, the US, and other countries, which have been encouraging technology manufacturers to adopt more robust security measures to avoid the security risks associated with using default credentials that were considered insecure in the first place. 

Having been rated as highly vulnerable by the FBI as a result of its ease of exploit, Hirsch's door entry system has been rated as a high threat as well with a severity rating of 10. Exploiting the flaw involves a minimal amount of effort. There is a public documentation available on Hirsch's website, which contains the installation manual for the system, which can be used to obtain the default password. An affected building is vulnerable to unauthorized access if individuals with these credentials log in to the login window of the building's system through the login portal; this highlights a critical security flaw in the system.
Read more »
UPI
Call Merging CyberCrime Cyberhackers Cybersecurity CyberThreat Mobile Security NPCI OTP personal verification Scammers UPI

Call Merging Scams and Financial Security Risks with Prevention Strategies

 


It is not uncommon for fraudsters to develop innovative tactics to deceive their targets, with one of the latest scams being the called merging scam in which the scammers attempt to gain unauthorized access to the victim's accounts to defraud them. In many cases, the victims suffer substantial financial losses due to this scheme. 

There has been a warning issued by the Indian authorities in regards to a new scam that involves individuals being manipulated into merging their calls by scammers, who then subsequently reveal One-Time Passwords (OTPs) unknowingly. Using this deceptive tactic, fraudsters can gain access to victims' financial accounts, which will enable them to carry out fraudulent activities. 

NPCI's Unified Payments Interface (UPI), an initiative that was developed by the National Payments Corporation of India (NPCI), has expressed concern about this emerging threat. As a precautionary measure, UPI cautioned users on its X account of the risks involved in call merging scams and stressed that call merging scams pose a serious threat to users. 

As part of the advisory, individuals were advised to remain vigilant, stating, Fraudsters are using call merging tactics to deceive users into giving out OTPs. As part of its role to oversee the Unified Payments Interface (UPI), NPCI has expressed significant concerns about the growing cyber fraud epidemic. 

The goal of social engineering scammers is to deceive unsuspecting victims into disclosing their sensitive banking credentials to take control of the situation. In most cases, the scam begins with the fraudster contacting the target, falsely claiming to have obtained their phone number through a mutual acquaintance. 

The fraudster will then try to convince the target to combine the call with a similar call from a different number. It is true that in this second call, the victim is being connected to an official OTP verification call from their bank. Therefore, the victim does not know they are being deceived, and unwittingly allows someone to access their banking details. 

It uses social engineering techniques to manipulate individuals to unknowingly divulge their One-Time Password (OTP), an important security feature used for financial transactions, through their manipulation techniques. 

It is quite common for victims to receive a phone call from a trusted source offering lucrative opportunities or a message from one of their trusted contacts recommending what seems a beneficial scheme to them. 

A significant security risk can be posed by engaging with such communications without due diligence as a result of the growing prevalence of such fraud activities. As a result, financial institutions and regulatory agencies are cautioning individuals to remain vigilant when receiving unexpected phone calls and to refrain from sharing OTPs or merging calls without verifying the identity of the callers before doing so. 

It has become increasingly common for these frauds to occur, and so the Unified Payments Interface (UPI) has issued an urgent advisory that warns users about the dangers of call merging scams. To avoid being victimized by such deceptive tactics, individuals need to be vigilant and take strict security measures to protect their financial information. 

There is a deceptive technique known as the Call Merging Scam, which is used by fraudsters to trick people into divulging sensitive information such as One-Time Passwords (OTPs), unknowingly. In this manner, scammers can gain unauthorized access to victims' bank accounts and other secured platforms by exploiting this technique to commit financial fraud on the victims. 

Modus Operandi of the Scam


It is quite common for fraudsters to make deceptive telephone calls, falsely stating that they have obtained the recipient's phone number from an acquaintance or source that is reliable. 

There are many scams out there that involve victims being persuaded to merge calls with another individual. This is often accomplished by presenting another individual as a friend or a bank representative, depending on the scam. 

There is an automatic OTP verification call that they will be connected to without their knowledge. The automated call will direct them to a bank site that activates a mobile OTP verification system for verification. 

As a scammer, the victim is deceitfully manipulated into believing that sharing the OTP for their financial accounts to be accessed is necessary because sharing it is required for authentication. 

Preventive Measures to Safeguard Against Fraud 


To avoid the merging of calls between unknown callers, decline the request right away. Be careful about authenticating the identity of a caller: Whenever users receive an email from someone who claims to represent a financial institution, they should contact the bank directly through their official customer support phone number. Recognize Fraudulent Requests: Banks never ask customers for an OTP over the phone. 

A request of this nature should be viewed as an indication of a potential fraud and reported promptly. Ift an unsolicited OTP or suspected fraudulent activity occurs, individuals should notify their bank immediately and call 1930 (the national cybercrime helpline), so the incident can be investigated further. 

Considering the increasing number of scams like these, it has become imperative that one remains vigilant and adopts strict security practices as a precautionary measure to avoid financial loss. Many viral videos and discussions on social media emphasize a single aspect of fraudulent transactions — receiving an OTP via a merged call as opposed to a text message. 

Despite this, they often overlook the important point: an OTP is not sufficient for authorization of a transaction by itself. A fraudster needs to obtain essential banking details such as a card number, a card verification value, or a UPI Personal Identification Number (PIN) before he or she can use an OTP as a final step in committing an unauthorized transaction. 

To mitigate such risks, the Reserve Bank of India (RBI) has implemented strict security protocols to minimize them. To complete electronic transactions, financial institutions and payment service providers must implement multi-factor authentication (MFA) as of 2021 so that user authentication can be verified by more than one factor. This level of protection is achieved by implementing multiple authentication measures in combination with a combination of vital characteristics, including OTP verification, mobile device authentication, biometric identification, and hardware security tokens, which together provide a high level of security against unauthorized access. 

Digital transactions are typically protected by multiple layers of security, each requiring a combination of authentication factors to ensure their integrity. There are three types of authentication: manual, which includes everything the user possesses, such as their credentials, card numbers, and UPI IDs; known, such as their password, CVV, or PIN; and dynamic, such as their OTP, biometric authentication, or device authentication. 

To achieve the highest level of security, all three levels are necessary for most online banking and card transactions. However, a UPI transaction with a value up to a lakh does not require an OTP and can be authorized with only a UPI ID and PIN, without the need for an OTP. As a result of this multi-layered approach, financial fraud risks are greatly reduced and the security of digital payments is greatly strengthened.
Read more »
Subscribe to: Posts (Atom)