Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cybersecurity. Show all posts
WhatsApp
CyberCrime Cybersecurity CyberThreat Google Meet Microsoft Privacy skype WhatsApp

Skype's Role in Popularizing End-to-End Encryption Leaves a Lasting Mark


 

In recent years, Skype has established itself as the most popular online communication platform, and it is nearing its close, marking the end of an era for one of the most popular VoIP services in the world. The first version of Skype was created by Niklas Zennström and Janus Friis in 2003 to create a platform that would facilitate seamless internet-based communication among users. When Skype was founded in 2003, it revolutionized digital communication by pioneering video conferencing, instant messaging, and setting the foundation for the modern virtual world. 

As its name implies, Skype pioneered several innovations that revolutionized digital communication. Originally designed for voice calls using peer-to-peer technology, it enabled users to make low cost or free calls from the comfort of their own homes. By removing long-distance costs and allowing users to communicate globally even through cheap long-distance calls, Skype revolutionized digital communication, making global connectivity more accessible by eliminating the high costs associated with long-distance calls. It was launched in August 2003, and grew rapidly in popularity over the next few years. 

It should be noted that there is no need to compromise the privacy or security of your online conversations by implementing Skype's encryption protocols. This provides significantly greater safety and privacy when communicating online, unlike conventional telephone networks. During its peak, the platform had more than 300 million active users worldwide, establishing itself as an indispensable communication tool for activists, journalists, and individuals who valued confidentiality above all else. 

The security measures in place on the platform were so robust that it was difficult even for intelligence agencies to intercept communications through the platform. Among the most noteworthy aspects of these documents are the difficulties Egyptian intelligence authorities encountered in their attempt to compromise Skype calls, further underlining the platform's reputation for being a safe and reliable medium of communication. However, despite its historical significance, Skype has been facing increasing challenges in maintaining its relevance in the face of a host of more competitive alternatives, such as Zoom, Microsoft Teams, WhatsApp, and Google Meet. 

After Microsoft acquired Skype in 2011, its strategic focus has steadily shifted toward Teams and other tools that integrate to become more efficient and effective. Since the platform's user base is shrinking and the needs of the digital communication landscape are changing, it seems that discontinuing Skype seems like a natural progression. As the platform phaseout approaches, not only will it signal the end of an influential platform, but also that communication technologies will continue to evolve to meet the needs of modern connectivity. Almost one decade from now, Skype will cease operations, marking the end of a platform that has significantly shaped global communication. 

In its inception as a basic voice phone service, Skype has evolved into the most widely accepted video conferencing tool on the market. Through the development of Skype, individuals and businesses from around the world have been connected. Despite this, as technology advanced and new communication platforms emerged, Skype faced more competition from more innovative and integrated solutions as the market grew. 

Over the years, Skype's market dominance declined, resulting in losing relevance in the market. Discontinuing the platform signifies the end of one of the most revolutionary platforms to change digital communication in the past few decades, along with the continuing importance of adaptability and innovation to achieve future success. 

The Closure of Skype and the Evolution of Digital Communication


Sadly, the discontinuation of Skype marks the end of an important chapter in the history of digital communication. As a result, businesses and individuals alike will be required to make a large-scale shift as they move to more contemporary platforms that offer advanced features and seamless integration, resulting in a large-scale transition. Corporations need to rapidly adapt by shifting their communication frameworks to alternative services. Microsoft Teams has emerged as one of the most popular options due to its impressive set of collaboration tools, which are designed to meet the dynamic requirements of today's organizations. 

Seeking Alternatives to Skype 


Skype is undoubtedly nearing the end of its lifecycle, so users and organizations are actively looking for alternatives that will meet their communication needs. Microsoft Teams, with its comprehensive and integrated features, is one of the best options. 

As well as this, there are other platforms out there that are also gaining traction, such as Zoom Phone and RingCentral. These platforms offer a wide range of functionalities designed to cater to a variety of business requirements. Each service offers its benefits, allowing users to pick the solution that best matches their operational objectives. 

Skype’s Influence and Enduring Impact

Despite its early beginnings, Skype has played a significant role in shaping the way online communication is shaped ever since it launched in 2003 and was acquired by Microsoft the following year for $8.5 billion, as a widely recognized platform that helps facilitate virtual interactions all over the world. 

While Skype has continuously improved its capabilities over the years, it has struggled to remain at the top of an ever-more competitive market. Over the past few years, communication platforms that are more agile and feature-rich have emerged, resulting in Skype's relevance rapidly eroding, eventually leading to its demise. 

The Future of Digital Connectivity


Digital communication is constantly evolving. Platforms that seamlessly integrate messaging, voice, video, and collaboration tools are becoming increasingly important as a result of a continuing shift toward mobile-centric solutions and artificial intelligence-driven innovations that offer better user experiences and are more intuitive. 

A sophisticated, adaptive and user-friendly ecosystem will be the hallmark of the future of communication as technology advances. This ecosystem will help enhance connectivity, productivity, and security on both a personal and professional level. Government agencies have employed a variety of methods to monitor Skype users throughout the world. 

There was a bug in Skype that, according to Citizen Lab at the University of Toronto, allowed Chinese authorities to intercept messages in China. At the time, Tom-Skype, a joint venture between a local telecommunication provider and eBay, which owned Skype at the time, operated under Chinese authorities. 

As a result of Edward Snowden's leak of documents, it has become clear that Microsoft had modified Skype so that it would give the NSA access to calls and messages, undermining their encryption. It is expected that Skype will close on May 5, 2025 due to Microsoft's decision to shut down the platform, making it irrelevant with just 36 million users in 2023, far under its peak user base of 300 million. While its legacy still exists through the use of encryption technologies that continue to secure modern communication platforms, it has endured through the years.
Read more »
Threat Detection
Compliance Cyber Security Cybersecurity Data Breach Network Security OT security Ransomware Threat Detection

Cybersecurity Threats Are Evolving: Seven Key OT Security Challenges

 

Cyberattacks are advancing rapidly, threatening businesses with QR code scams, deepfake fraud, malware, and evolving ransomware. However, strengthening cybersecurity measures can mitigate risks. Addressing these seven key OT security challenges is essential.

Insurance broker Howden reports that U.K. businesses lost $55 billion to cyberattacks in five years. Basic security measures could save $4.4 million over a decade, delivering a 25% ROI.

Experts at IDS-INDATA warn that outdated OT systems are prime hacker entry points, with 60% of breaches stemming from unpatched systems. Research across industries identifies seven major OT security challenges.

Seven Critical OT Security Challenges

1. Ransomware & AI-Driven Attacks
Ransomware-as-a-Service and AI-powered malware are escalating threats. “The speed at which attack methods evolve makes waiting to update your defences risky,” says Ryan Cooke, CISO at IDS-INDATA. Regular updates and advanced threat detection systems are vital.

2. Outdated Systems & Patch Gaps
Many industrial networks rely on legacy systems. “We know OT is a different environment from IT,” Cooke explains. Where patches aren’t feasible, alternative mitigation is necessary. Regular audits help address vulnerabilities.

3. Lack of OT Device Visibility
Limited visibility makes networks vulnerable. “Without visibility over your connected OT devices, it’s impossible to secure them,” says Cooke. Asset discovery tools help monitor unauthorized access.

4. Growing IoT Complexity
IoT expansion increases security risks. “As more IoT and smart devices are integrated into industrial networks, the complexity of securing them grows exponentially,” Cooke warns. Prioritizing high-risk devices is essential.

5. Financial & Operational Risks
Breaches can cause financial losses, production shutdowns, and life-threatening risks. “A breach in OT environments can cause financial loss, shut down entire production lines, or, in extreme cases, endanger lives,” Cooke states. A strong incident response plan is crucial.

6. Compliance with Evolving Regulations
Non-compliance with OT security regulations leads to financial penalties. Regular audits ensure adherence and minimize risks.

7. Human Error & Awareness Gaps
Misconfigured security settings remain a major vulnerability. “Investing in cybersecurity awareness training for your OT teams is critical,” Cooke advises. Security training and monitoring help prevent insider threats.

“Proactively addressing these points will help significantly reduce the risk of compromise, protect critical infrastructure, ensure compliance, and safeguard against potentially severe disruptions,” Cooke concluded. 

Moreover, cyberattacks will persist regardless, but proactively addressing these challenges significantly improves the chances of defending against them.
Read more »
Technology
Authentication Cyber Defence Cyberhackers Cybersecurity Rubrik Security Alert Technology

Security Update from Rubrik as Authentication Keys Are Reissued

 


In a recent report, Rubrik revealed that, last month, an unauthorized security incident compromised one of its log file servers. Rubrik has taken immediate and proactive steps to mitigate potential risks in response to this breach. As part of its remediation efforts, Rubrik has begun rotating all exposed authentication keys, which are designed to prevent potential malicious actors from exploiting these keys. 

A precautionary measure is taken by the company as a precaution to safeguard its systems and make sure that unauthorized entities cannot use the compromised credentials to gain access to the systems. As a part of its efforts to enhance its resilience against future threats, the company is actively assessing its security posture in an attempt to maintain the highest cybersecurity standards. 

This corrective action will reinforce Rubrik's commitment to protecting its infrastructure and safeguarding the integrity of its data security framework by enabling it to implement these corrective actions swiftly. 

Rubrik’s Growth, Financial Success, and Security Measures 


The company was founded in 2014 as a backup and recovery provider but has since grown into a leading security and data protection company. In the fourth quarter of Rubrik's fiscal year, ending October 31, 2024, the company raised $725 million from its initial public offering. In this quarter, Rubrik reported revenues of $236.2 million, which indicated strong market growth, which was a key indicator of Rubrik's growth. 

A security breach in Rubrik occurred in 2023 when a zero-day vulnerability (CVE-2023-0669) in Fortra's GoAnywhere MFT software gave threat actors access to Rubrik's non-production testing environment, allowing them to access Rubrik's non-production IT testing environment. While the Cl0p ransomware group has taken responsibility for this, Rubrik continues to strengthen its cybersecurity framework, which ensures that customer data is protected and that threats are mitigated at an early stage, resulting in an ongoing cybersecurity framework. 

With the launch of advanced innovations, Rubrik has made a major contribution to strengthening the cyber resilience of cloud-based, SaaS, and on-premises environments. Continuing its commitment to strengthening cyber resilience, Rubrik (NYSE: RBRK) has unveiled a series of groundbreaking innovations designed to enhance data security across several cloud, software-as-a-service (SaaS), and on-premises infrastructures. 

In addition to these enhancements, there are enhancements specifically designed to empower organizations with higher levels of capability in anticipating security breaches, identifying emerging threats, and enacting rapid, efficient recovery, regardless of where the data is located. 

As part of Rubrik's annual Cyber Resilience Summit on March 5, this company will unveil its advanced data protection solutions that are set for release during the event. This will be the first time industry leaders and cybersecurity professionals will be able to gain insight into the company's latest advances in data protection technology. 

Rubrik’s Global Presence and Industry Impact 


In the field of cybersecurity, Rubrik is a world-class company that offers backup, recovery, and data protection services. The company has established itself as a trusted partner for businesses throughout the world thanks to its strong team of more than 3,000 people. With more than 22 global offices, the organization provides cutting-edge solutions to a variety of businesses. 

With over 6,000 clients, Rubrik serves a diverse array of companies and institutions across the globe, including leading global corporations such as AMD, Adobe, PepsiCo, Home Depot, Allstate, Sephora, GSK, Honda, Harvard University, and TrelliX, among others. In an increasingly digital landscape, Rubrik is constantly innovating and expanding its security capabilities, which strengthens the company's mission of providing robust, scalable, and intelligent cybersecurity solutions. 

Rubrik Investigates Security Incident Involving Log Server Compromise 


Earlier this week, Rubrik published a security alert detailing the discovery of unusual activity on a server that stored log files. According to Rubrik's Information Security Team, the incident was first identified by cybersecurity expert Kevin Beaumont, who first reported the findings to Rubrik. As soon as the team at Rubrik detected abnormal behavior on the affected server, it immediately took it offline to eliminate any potential risks that could have occurred. 

The investigation conducted by an independent forensic cybersecurity firm, in collaboration with a forensic investigator, has revealed that the event was limited to this single server. A company spokesperson confirmed that no evidence of unauthorized access to customer data or internal code by anyone was found.

Precautionary Measures and Security Enhancements 


While Rubrik admits that the breach was confined to its log server, some log files contained access information even though Rubrik's log server was the only point of vulnerability. The company appears to be taking proactive steps to protect its system against unauthorized access, such as rotating authentication keys. However, it remains unclear how the server was compromised and what information about access has been revealed. 

Cybersecurity Dive received a further reply from Rubrik, and the company responded that, at this time, there is no indication that the information exposed has been exploited. Furthermore, it has been discovered that no signs of threat actors gaining access to Rubrik's internal development environment or customer data have been identified during the ongoing investigation.

Past Security Incidents


Several years ago, Rubrik was one of the organizations affected by the Fortra GoAnywhere vulnerability in 2023, a large-scale data breach orchestrated by the Clop ransomware group. This is not the first time Rubrik has been the target of a security event. Fortra's managed file transfer software was exposed to a zero-day vulnerability during that attack, which resulted in data theft by multiple enterprises, including Rubrik, due to a zero-day vulnerability. 

While these incidents have occurred, the company continues to implement robust security measures to ensure its cyber resilience as well as ensure that its infrastructure is protected against evolving threats in the future. 

Rubrik Unveils Advanced Data Protection and Security Enhancements 


With a range of cutting-edge innovations, Rubrik offers unmatched security, resilience, and cyber threat mitigation capabilities for the protection of critical data: 

Cloud Posture Risk Management (CPR) is an automated service for discovering, inventorying, and protecting cloud data assets based on their cloud standards. 

Cloud Protection for Oracle: Enhances Rubrik Security Cloud (RSC) capability to help safeguard the Oracle Cloud Infrastructure (OCI) databases and the Oracle Cloud VMware Solution (OCVS) databases. 

The PostgreSQL Data Protection solution helps to protect data in one of the most widely used open-source databases through robust backup security. 

The Red Hat OpenShift Back Up service provides immutable, automated backups for environments running on the Kubernetes container engine. 

A great way to back up CI/CD environments with Azure DevOps and GitHub Backup is to use Resilient Backup & GitHub Backup. 

RCV (Rubrik Cloud Vault) for Amazon Web Services: Provides air-gapped, encrypted, as well as policy-driven preservation of files. 

Data protection is strengthened by Microsoft Dynamics 365 Security - protecting data both within the organization and from customers. 

Using Salesforce Sandbox Seeding ensures that data migration from live application environments to sandboxes is efficient and error-free. 

Recovering the identity of an individual is quick, easy and malware-free thanks to Active Directory Recovery (AD) and Entra ID recovery. 

An advanced security solution for Azure & AWS that combines anomaly detection, data classification, and threat monitoring for the most specific threats.

'Turbo Threat Hunting': Delivers a rapid malware free recovery, scanning 75,000 backup files in just 60 seconds to ensure data remains safe. 
Introducing Microsoft 365 Enterprise Edition, which offers Sensitive Data Discovery, Prioritized Recovery, and Threat Intelligence tools. 

These enhancements further reinforce Rubrik's commitment to supporting proactive cyber resilience by providing secure data protection. Rubrik's proactive responses to security incidents and ongoing research in data protection also reinforce this commitment. 

A company's ability to quickly address vulnerabilities and introduce advanced security solutions sets new standards for threat detection, rapid recovery, and intelligent data protection. As cyber threats continue to evolve, organizations must prioritize strong security strategies using cutting-edge technology such as Turbo Threat Hunting and Identity Recovery to ensure their customers are protected from threats. 

It is Rubrik's steadfast commitment to safeguarding enterprise data that enables businesses to navigate digital challenges with a degree of confidence, agility, and resilience that sets it apart.
Read more »
Telegram
Crypto CyberCrime Cyberhackers Cybersecurity CyberThreat Desert Dexter IT malware Telegram

Malware Alert as Desert Dexter Strikes Over 900 Victims Worldwide

 


Several countries in the Middle East and North Africa have been targeted by an advanced Trojan named Desert Dexter, identified by security experts at Positive Technologies. This malware campaign has compromised nearly 900 victims as a result of its sophisticated campaign. The AsyncRAT malware campaign began in September 2024 to spread a modified variant of the malware using social media platforms and geopolitical tensions in an attempt to exploit these platforms. 

Using deceptive tactics to lure unsuspecting users, hackers exploit the vulnerabilities in the Internet, highlighting the growing threat posed by cyber espionage and political cyberattacks. The Positive Technologies Expert Security Center (PT ESC) has discovered and analyzed a new malware campaign that has been orchestrated to target individuals in the Middle East and North Africa (MENA) region with the primary aim of infecting their systems and exfiltrating sensitive data as a result. 

The campaign has been active since September 2024 and has been using a modified version of AsyncRAT to compromise victims' systems and steal sensitive information. On social media, attackers disguised themselves as legitimate news outlets to spread malware, crafting misleading promotional posts containing links to file-sharing services and Telegram channels, which allowed them to spread malware. 

Once executed, the malware extracts cryptocurrency wallet credentials and establishes communications with a Telegram bot, enabling remote data theft and control over cryptocurrency wallets. About 900 individuals have been reported to be affected by this malware, primarily everyday users. The investigation indicates a significant number of victims are employees from key industries, including oil and gas, construction, information technology, and agriculture. This raises concerns about espionage and financial fraud, which could occur in these industries. 

Based on a geographical analysis of the infections, Libya (49%) has been the worst hit, followed by Saudi Arabia (17%), Egypt (10%), Turkey (9%), the UAE (7%), and Qatar (5%) with additional cases reported across other regions. This attack is widespread, which shows that cybercriminals are evolving their tactics, and enhanced cybersecurity measures are necessary to keep them from harm. This malicious campaign was orchestrated by the Desert Dexter threat group, a group that is named after a single employee suspected of running it. 

It was discovered by cybersecurity researchers that hackers were using temporary accounts and fake news channels to evade advertising filters and disseminate malicious content on Facebook, which enabled them to evade ad filtering mechanisms. There was a similar campaign reported in 2019, however this latest operation seems to incorporate enhancements aimed at improving the efficiency and impact of the malware. 

According to Denis Kuvshinov, Head of Threat Intelligence at Positive Technologies, the attack follows a multi-stage approach that involves several steps and attacks. The initial victim is lured to a file-sharing service or Telegram channel, where a RAR archive containing malicious files is downloaded unintentionally, causing them to unknowingly download them. 

After the files are executed, they install a modified version of AsyncRAT, which gathers data about the system, transmits it to the threat actors' Telegram bot, and then distributes it to them. This variant of AsyncRAT contains the upgraded IdSender module specifically designed for cryptocurrency wallet extensions, two-factor authentication plugins, and wallet management software that are specifically targeted by the latest version. 

Although Desert Dexter's campaign's success has been largely attributed to the use of social media advertising and legitimate online services, which are not highly technical, the tools used by the organization have not been highly sophisticated. There is an attack underway by malicious actors targeting both individuals and high profile officials within the Middle East and North Africa (MENA) region as a result of geopolitical tensions within the region. 

Due to ongoing political instability throughout the MENA region, cyber threats remain a top priority, with phishing campaigns increasingly focusing on politically charged themes to deceive and compromise victims in the region. While the majority of individuals involved in the cyberattack seem to be everyday consumers, cybersecurity researchers have identified individuals across a wide variety of industries, including those involved in oil production, construction, technology, and agriculture, who have also been affected by the cyberattack. 

With the widespread scale of these infections, it is clear that social engineering techniques are effective at deceiving victims and geopolitical narratives. Through the application of these tactics, the attackers managed to successfully infiltrate multiple devices in multiple countries, even though they utilized relatively simple tools. There is a malware campaign that is continuing to succeed, and cybersecurity experts are urging everyone to exercise caution when confronted with unverified links or attachments, particularly those that claim to contain sensitive political material. 

Several organizations operating within the affected regions are advised to adopt proactive cybersecurity strategies, enhance employee awareness regarding cybersecurity threats, and implement robust security protocols for mitigating the risks posed by this and similar emerging threats that are being faced by these organizations.
Read more »
Russia cyber threats
Cyber Security Cybersecurity Russia Russia cyber threats

Trump Administration Halts Offensive Cyber Operations Against Russia Amid Ukraine War Talks

 

The Trump administration has issued orders to suspend U.S. offensive cyber operations targeting Russia, a move reportedly aimed at encouraging Russian President Vladimir Putin to engage in diplomatic discussions over the war in Ukraine. According to The Record, U.S. Defense Secretary Pete Hegseth directed the halt, which is expected to remain in place indefinitely. 

This decision comes in the wake of a heated Oval Office dispute on Friday between President Donald Trump, Vice President JD Vance, and Ukrainian President Volodymyr Zelensky over continued U.S. financial and military support for Ukraine. The previous Biden administration had strongly backed Ukraine, committing billions of dollars in aid and weaponry to counter Russian aggression. 

However, the Trump administration’s shift in stance has raised uncertainty regarding America’s future role in the conflict. Meanwhile, British Prime Minister Keir Starmer announced on Sunday that European nations would establish a “coalition of the willing” to continue providing support to Ukraine. 

The extent of the U.S. cyber operations suspension remains unclear, but officials stress that understanding Russia’s objectives in Ukraine is crucial for assessing Moscow’s broader geopolitical strategy, particularly in the realm of cyber espionage. 

Hegseth’s directive is reportedly part of a larger reassessment of Washington’s involvement in the war and its broader operations against Russia. While intelligence-gathering activities remain unaffected, the decision to halt offensive cyber operations is seen as a calculated risk. Trump has previously blamed Ukraine for the war and has labeled Zelensky a “dictator” who, in his view, is “not ready for peace.”
Read more »
Windows
BYOVD Attack CyberCrime Cybersecurity CyberThreat Vulnerabilities and Exploits Vulnerability Windows

Cybercriminals Target Paragon Partition Manager Vulnerability in BYOVD Attacks

 


It has been reported that threat actors have been actively exploiting a security vulnerability within the BioNTdrv.sys driver of Paragon Partition Manager in ransomware attacks by elevating privileges and executing arbitrary code under the guise of attacks. The CERT Coordination Center (CERT/CC) has identified this zero-day vulnerability as CVE-2025-0289, one of five security flaws discovered by Microsoft during the past year. 

Other flaws have been identified, including arbitrary memory mapping, arbitrary memory write, null pointer dereferences, insecure kernel resource access, and arbitrary memory move vulnerabilities. It is especially concerning that an adversary may be able to exploit this vulnerability. It involves a Microsoft-signed driver, which allows adversaries to take advantage of the Bring Your Own Vulnerable Driver (BYOVD) technique. 

Using this method, attackers can compromise systems regardless of whether Paragon Partition Manager is installed, broadening the attack surface significantly. As BioNTdrv.sys operates at the kernel level, threat actors can exploit these vulnerabilities to execute commands with elevated privileges. This allows them to bypass security measures and defensive software, as attackers can access the system and deploy additional malicious payloads. 

Even though Microsoft researchers have identified all five security flaws, the company can not divulge what ransomware groups have been leveraging CVE-2025-0289 to execute their attacks. They are only aware that it has been weaponized in ransomware operations. A bulletin issued by Microsoft's CERT Coordination Center (CERT/CC) indicated that threat actors have been exploiting this vulnerability to conduct BYOVD-based ransomware attacks. 

According to the CVE-2025-0289 vulnerability, further malicious code within compromised environments can be executed by exploiting this vulnerability to escalate privileges to the SYSTEM level. This vulnerability can be exploited to facilitate the exploitation of BYOVD attacks, even on systems where the affected driver is not installed, and this can result in threat actors gaining elevated privileges and executing malicious code without the protection of security systems in place. 

As part of the identified security flaws affecting BioNTdrv.sys versions 1.3.0 and 1.5.1, CVE-2025-0285 is a flaw in version 7.9.1 which permits the mapping of kernel memory to arbitrary user inputs by not properly validating the length of the input. By exploiting this vulnerability, the user can escalate their privileges even further. 

There is a CVE-2025-0286 vulnerability that exists in version 7.9.1, resulting from improper validation of input controlled by users, which allows attackers to exploit this flaw to execute malicious code on the target machine. An unprivileged code execution vulnerability has been found in version 7.9.1, caused by an insufficient MasterLrp structure in the input buffer, which can result in a null pointer dereference vulnerability. 

Successful exploit allows arbitrary kernel-level code to be executed, facilitating privilege escalation and further misuse. Version 7.9.1 contains a vulnerability in the memmove function. This function fails to properly sanitize user-supplied data, allowing attackers to manipulate kernel memory and escalate privileges. 

Inversion of the CVE-2025-0289 vulnerability, an insecure kernel resource access vulnerability, has been found in version 17 of the Linux kernel due to a failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware during the detection process. By exploiting this vulnerability, attackers can compromise the system. 

This security vulnerability has been addressed by Paragon Software by releasing the updated driver BioNTdrv.sys version 2.0.0 across all products within Paragon Software's Hard Disk Manager suite, including Partition Manager versions 17.45.0 and later versions. This update has been developed to reduce the risks associated with the previously identified security vulnerabilities. 

There is also a dedicated security patch available for 64-bit versions of Windows 10, Windows 11, and Windows Server 2016, 2019, 2022, and 2025 that will provide users with an additional layer of protection against any exploits that might occur in the future, thereby enhancing the level of security. As part of Microsoft's efforts to protect its ecosystem, it has updated its Vulnerable Driver Blocklist, which effectively disables the execution of BioNTdrv.sys versions that are compromised within Windows environments, thereby preventing exploitation. 

Users and enterprises are strongly encouraged to ensure that this protection mechanism is kept in place to prevent exploitation. In light of the ongoing threat posed by these vulnerabilities, especially as a result of ransomware attacks, all users of Paragon Partition Manager and its associated products must update their software as soon as possible to the newest version available. 

As a further precaution, all Windows users should make sure that they enable the Microsoft Vulnerable Driver Blocklist feature as soon as possible. This is because it serves as a critical defense against BYOVD (Bring Your Vulnerable Driver) attacks, where outdated or insecure drivers are leveraged to elicit privileges and compromise a computer system.
Read more »
UAE banking security Ransomware attacks
Cyber Security Cyber wargaming Cybersecurity Financial sector threats UAE banking security Ransomware attacks

Middle East Banks Strengthen Cybersecurity Amid Growing Threats

 

Financial institutions across the Middle East participated in the fourth annual Cyber Wargaming exercise in the United Arab Emirates, preparing for simulated cyberattacks amid rising digital threats. Despite these proactive measures, security experts remain concerned about the region’s rapid digital transformation and the shortage of skilled cybersecurity professionals, which continue to pose significant risks to the financial sector.

Jamal Saleh, director general of the UAE Banks Federation, emphasized the importance of cyber wargaming in identifying vulnerabilities and strengthening defenses against evolving cyber threats.

"[T]he rapid adoption and deployment of advanced technologies in the banking and financial sector have increased risks related to transaction security and digital infrastructure," he stated. Saleh also highlighted the sector’s growing awareness of cybersecurity initiatives that enhance security frameworks and protect consumers as cyber threats become more sophisticated.

The financial industry in the UAE is a prime target for cybercriminals, with 21% of all cybersecurity incidents in the region directed at banks and financial services. This makes the sector the second-most targeted after government entities, which account for 35% of attacks, according to a report released on February 25 by the UAE Cyber Security Council and CPX. While ransomware remains a persistent challenge, attackers are shifting strategies, focusing more on phishing, data breaches, and identity theft rather than traditional distributed denial-of-service (DDoS) attacks.

Shilpi Handa, associate research director for the Middle East, Turkey, and Africa at IDC, noted the industry's increased investment in identity and data security.

"[We see] trends such as increased investment in identity and data security, the adoption of integrated security platforms, and a focus on operational technology security in the finance sector," she said. However, she cautioned that despite regulatory improvements, the shortage of cybersecurity talent remains a pressing concern.

The UAE has committed over $2 billion to bolster its cybersecurity and digital transformation initiatives. This investment focuses on strengthening national cyber defenses, enhancing digital infrastructure, and securing critical systems. Cyber Wargaming 2025 played a key role in equipping financial sector professionals with the skills needed to counter emerging cyber risks.

Osama Al-Zoubi, vice president of Phosphorus Cybersecurity, stressed the importance of modernizing security frameworks to combat advanced threats.

"A central part of this plan involves updating outdated security frameworks," he said. "Many banks still rely on systems that were built without considering today’s advanced cyber threats. By directing funds toward those systems, institutions can stay current in an environment where attackers constantly adapt."

Cyber Wargaming 2025, the largest exercise of its kind in the Middle East, attracted central banks and financial institutions from across the Gulf Cooperative Council (GCC). Now in its fourth year, the event continues to play a critical role in shaping the region’s cybersecurity resilience.

Despite increased security measures, ransomware remains a top concern for financial institutions in the region. The "State of the UAE Cybersecurity" report revealed that the number of ransomware groups targeting UAE organizations increased from 12 in 2023 to 19 in 2024. Notably, RansomHub and LockBit were among the most active ransomware groups, with LockBit continuing to be the most prominent threat.

Ray Kafity, vice president for the Middle East, Turkey, and Africa at Halcyon, explained why financial institutions remain a prime target for ransomware attacks.

"When it comes to ransomware, it's a worldwide problem, not a geopolitical one," he said. "These criminal ransomware groups are motivated by profit and until that motive is removed, ransomware attacks will continue."

Cyber threats are intensifying as the attack surface for financial institutions expands. The latest CDX reports indicate that over 223,000 vulnerable assets were exposed to potential cyberattacks in the UAE in 2024, up from 155,000 in 2023. Among the vulnerabilities, a third of exposed systems had an unpatched OpenSSH flaw (CVE-2023-38408), further exacerbating security risks.

Osama Al-Zoubi from Phosphorus Cybersecurity pointed out the critical need for greater visibility into connected devices in financial settings.

"[A] major priority is addressing connected devices in financial settings," he said. "When everything from payment terminals to building controls is connected, institutions need broader defenses that keep track of each device’s status."

In addition to cybercriminal threats, financial institutions in the region face an increase in attacks by hacktivists and nation-state actors driven by geopolitical and ideological motives. Research from the previous year revealed that 66% of all cyberattacks in the region targeted the UAE and Saudi Arabia, underscoring the need for continuous vigilance and investment in cybersecurity resilience.
Read more »
Digital Fraud
Cyber Fraud CyberCrime Cyberhacker Cybersecurity CyberThreat Deepfake Scam Digital Fraud

India’s Escalating Crisis of Fake Institutions and Digital Fraud


 

As fraudulent activities in India continue to evolve and exploit systemic vulnerabilities to deceive unsuspecting individuals, there are counterfeit banks, legal entities that are fraudulent, and sophisticated cyber scams exploiting systemic vulnerabilities. There has been a significant increase in cases of financial fraud in the country during the first half of the current fiscal year, according to recent data from RBI, which indicates that the country's legal and financial frameworks are under the influence of an alarming trend.

It is common practice for scammers to create fake banks that operate under the guise of legitimate financial institutions and to offer attractive products and investment opportunities in exchange for their money. In the same way, sham courts and legal entities are also being set up to manipulate legal proceedings, mislead victims, and extort money from the public. Additionally, cybercriminals are employing advanced digital technologies to orchestrate scams that compromise sensitive financial and personal information as well as compromising the privacy of victims. This is highlighting critical weaknesses in regulatory oversight and enforcement mechanisms that are failing to effectively counter these frauds. 

Even though authorities are continuing to implement measures to curb these threats, it is imperative to develop more robust intervention strategies to combat the rapid growth of deceptive practices. It remains imperative that digital security frameworks are enhanced, public awareness is increased, and strict legal sanctions are implemented against offenders to reduce the impact of this growing financial and legal fraud. Although the Reserve Bank of India (RBI) has implemented significant changes in its policies regarding bank branch licensing, the process of establishing a new bank still requires multiple regulatory approvals, even after these changes have been implemented.

By conducting these rigorous checks, it can be ensured that unauthorized operations do not occur and ensure that the banking system remains intact. As a result of the discovery of a fraudulent State Bank of India (SBI) branch in Chhapora village, Chhattisgarh, in recent months, serious question marks have been raised about the efficiency of the existing oversight mechanisms in place to prevent such occurrences. 

In this elaborate scheme, the perpetrators not only deceived residents into depositing their hard-earned money into a nonexistent banking institution but also exploited the circumstances to create fake jobs. They further exacerbated the financial losses suffered by the victims by claiming the jobs were legitimate. In this case, the fact that such an operation remained undetected for such a long period highlights critical deficiencies in the monitoring and enforcement of financial regulation in this country. 

It is important to note that this is not an isolated case but rather a significant part of an increasingly widespread trend of fraudulent activities in the banking sector. It is evident from such cases that people need to be more vigilant, to have stronger regulatory enforcement, and to become more aware of financial scams to avoid becoming victims. As a means of preventing these deceptive practices and maintaining the credibility of the banking sector, financial institutions, law enforcement agencies, and regulatory bodies must work together to strengthen coordination between them. 

The Growing Threat of Cyber Fraud in India 


Cyber fraud has been on the rise for several years; scammers are employing more and more sophisticated tactics. Fraudulent call centers, primarily located in Gujarat, have been exposed for operating international scams, and operations have been dismantled in Gurugram, Noida, Mumbai and Indore. 

It has been reported that these syndicates mainly target victims living in the United States, the UK, and Canada by luring them with fake cryptocurrency investments, medical supplies, and antivirus software, and their operations have been ongoing for some time now. 

Rising Scams Targeting Indian Citizens 


Indian citizens are also falling prey to several fraudulent schemes, including Parcel Scams – A fictitious delivery notification tricks victims into paying for a package, SIM Deactivation Fraud – An impersonator of a telecom operator steals personal data while impersonating a telecom operator Job Scam – False work-from-home offers require upfront costs Electricity Disconnection Hoaxes – Fraudsters threaten power cuts to gain money from victims. 

There are many international fraud networks linked to these operations, including in Syria, Turkey, Saudi Arabia, Malaysia, and Singapore. Since India has been rapidly shifting to digital transactions, fraudsters are exploiting vulnerabilities in credit cards, UPI wallets, and online banking systems. Several seniors are at high risk of being tricked into transferring money through deceptive calls and messages as a result of fraudsters exploiting vulnerabilities in these systems. 

Fraud Expanding Beyond Finance 


As a result, scams are now extending into various sectors such as real estate, healthcare, education, and employment. In Kanpur, fraudsters made people pay up to 35 crores for bogus oxygen therapy intended to delay aging. At the same time, fake CBI documents and arrest warrants are being used to extort money. 

The Need for Stronger Regulations and Awareness 


As cyber fraud becomes more sophisticated, it warrants tighter enforcement, increased cybersecurity, and greater public awareness to curb its spread. Therefore, strengthening the coordination between law enforcement agencies, financial institutions, and regulatory bodies is crucial to combat this growing problem. 

Expanding Threat of Financial and Health-Related Fraud in India 


Fraud is not just confined to financial deception in India; it is posing increasingly serious risks to public health. Although some counterfeit drug manufacturers have been apprehended over the years, many operate undetected and without attracting much notice. An investigation of certain pharmaceutical companies found that they were willing to print any Maximum Retail Price (MRP) on bulk orders as part of a recent sting operation, which underscores the extent to which the pharmaceutical industry has been mistreated.

By setting up a therapy center called Revival World, a couple named Rajeev Kumar Dubey and Rashmi Dubey orchestrated a large-scale fraud. It was falsely claimed that by using oxygen therapy, a 60-year-old man could become a 25-year-old man, thus reversing the effects of aging. As a result of the 35 crore scam, it has become evident that people are vulnerable to a variety of health-related scams. Wolves are exploiting digital platforms just as they did before, to orchestrate financial deception both domestically and internationally, as they attempted to defraud customers. The problem with India's literacy is that even highly educated people from the United States, Britain, and Canada have been victims of these scams, despite its literacy challenges.

In the past, Gujarat-based call centers have been implicated in schemes involving fake medical supplies, counterfeit antivirus software and cryptocurrency investments, as well as international fraud operations. Gujarat-based call centers have been notorious for running international fraud operations. In recent years, similar operations have been uncovered in Gurugram, Noida, Mumbai, and Indore, but it is unclear the extent to which such activities are being carried out throughout the country. Financial crime in India has increased significantly in recent years.

A recent report from the Reserve Bank of India (RBI) on the Trends and Progress of Indian Banking indicates that 18,461 cases of bank fraud have been reported in the first half of the current fiscal year, resulting in a total loss of money that is eightfold greater than what is reported previously. To combat the rapidly growing landscape of financial crime, there is an urgent need for increased regulatory oversight, stricter enforcement measures, and a greater degree of public awareness. 

Strengthening Regulatory Measures to Curb Financial Fraud


There is an increasing ease with which fraud is being perpetrated in India today, a national concern that requires immediate attention. Addressing the growing issues that have resulted in the fraud epidemic in India requires understanding its magnitude and the wide-reaching implications of the issue. 

India is at risk of becoming a global hotspot for financial fraud unless comprehensive regulatory reforms and stricter enforcement mechanisms occur. Several steps can help mitigate this threat, including strengthening legal frameworks, improving oversight of financial institutions, and utilizing advanced technology to detect fraudulent activities. 

For the economy to remain safe and the public to have trust in the financial system to be restored, regulatory agencies, financial institutions, and law enforcement agencies must work together as a team.
Read more »
Technology
CyberCrime Cyberhackers Cybersecurity CyberThreat Koi Stealer macOS RustDoor Software Target Crypto Technology

North Korea-Linked Hackers Target Crypto with RustDoor and Koi Stealer

 


A significant amount of malware has become a common threat to Mac OS systems in today’s rapidly developing threat landscape. The majority of these threats are associated with cybercriminal activities, including the theft of data and the mining of cryptocurrencies without consent. As of recently, cybercrime operations have been attributed to groups of advanced persistent threat (APT) groups that are sponsored by the North Korean government. 

In addition to this trend, the Federal Bureau of Investigation (FBI) recently issued a public service announcement regarding North Korean social engineering campaigns. In many of these attacks, deceptive tactics are used to manipulate victims into divulging sensitive information or allowing access to the system. This type of attack is usually carried out using deceptive tactics. As such, there have been increasing numbers of such incidents targeting software developers within the cryptocurrency industry, specifically those seeking employment opportunities, in a growing number of such incidents. 

In my view, these sophisticated cyber threats, originating from North Korean threat actors, demonstrate the persistence and evolution of these threats. Known as CL-STA-240, or Contagious Interview, the cyber campaign aims to infiltrate macOS systems with advanced malware strains, including RustDoor and Koi Stealer. It is known that these malicious programs have been specifically designed to exfiltrate sensitive data and can use sophisticated techniques to avoid detection within the macOS environment while doing so. As a result of this campaign's technical proficiency, it reinforces the fact that threats targeting the Apple ecosystem are becoming increasingly complex as time passes. 

he threat actors responsible for this operation are utilizing social engineering as a primary attack vector. By impersonating recruiters or potential employers, they can trick job seekers, especially those working in the cryptocurrency industry, into installing the compromised software unintentionally. It is through this deceptive strategy that attackers can gain access to critical data while maintaining operational stealth. 

These manipulative strategies are becoming increasingly popular, highlighting the persistent threat that state-sponsored cybercriminal groups, especially those linked to North Korea, continue to pose as they continue to refine their methods to exploit human vulnerability to continue their operation. In the course of this cyber campaign, researchers have revealed that Rust-based malware, referred to as RustDoor, is hiding inside legitimate software updates to evade detection. In addition, researchers have discovered that there was an undocumented macOS variant of the Koi Stealer malware that has been discovered for the first time in recent years. 


A recent investigation uncovered rare techniques for evasion, including manipulating macOS system components to conceal their presence and remain undetected. These sophisticated tactics underscore the increasing sophistication of threats aimed at Mac OS. In the past year, several reports have linked North Korean threat actors to cyberattacks targeting job seekers, which are based on the characteristics and methodologies observed in this campaign. 

According to the available evidence, analysts can rely on a moderate degree of confidence that this attack was carried out to further North Korean state-sponsored cyber objectives. By using social engineering to target job seekers, these adversaries are further proving that they are involved in an extensive pattern of attacks. An in-depth technical analysis of the recently identified Koi Stealer macOS variant was performed in this research, which provides an in-depth picture of the attackers’ activities in compromised environments. 

In addition, Cortex XDR is used to examine the various stages of the attack to provide an understanding of the investigation. A suite of advanced security solutions offered by Palo Alto Networks, an established leader in network security solutions, helps Palo Alto Networks' customers protect themselves from these evolving threats, including applications such as: Two products offer enhanced detection and responding capabilities - Cortex XDR and XSIAM. Computer-based security services for firewalls, such as Advanced WildFire, Advanced DNS Security, and Advanced URL Filtering that provide proactive defense against malicious activities. 

The use of these security solutions can help organizations greatly strengthen their defenses against RustDoor, Koi Stealer, and similar malware threats targeting MacOS environments. Often, victims are tricked into downloading malware disguised as legitimate software development tools in the form of fake job interviews associated with this campaign, which results in the infection process starting with a fake job interview. The attackers were particularly noteworthy for using malicious Visual Studio projects, which is a strategy previously documented in similar cyber campaigns analyzed by Jamf Threat Labs. 

When the RustDoor malware is executed, it establishes persistence within the system and attempts to exfiltrate sensitive user information, which is one of the first steps toward completing its operations. Researchers have discovered that the threat actors have attempted to execute several variants of the malware throughout the investigation. As a result of this adaptive behavior, it appears to me that attackers are continuously adapting their approach in response to security controls and detection mechanisms in place.

According to security researchers, when the Cortex XDR was blocked for the initial attempt at infiltration, adversaries quickly tried to re-deploy and execute additional malware payloads to circumvent detection by redeploying and executing additional malware payloads. RustDoor Infection Stages An infection process that involves two RustDoor binaries being executed in hidden system directories to avoid detection of the malware is the process by which the RustDoor malware operates. 

Another stage involves the deployment of additional payloads, such as a reverse shell, that allows attackers to gain remote access. Several sensitive data sets were stolen, and the attackers specifically targeted credentials stored in web browsers, such as LastPass data from Google Chrome, as well as exfiltrating the information into command and control servers under their control. As part of this campaign, it was discovered that an IP address known as 31.41.244[.]92 has previously been used to conduct cybercriminal activities. This was one of our most significant findings. 

The threat has also been associated with the RedLine Stealer infostealer campaign, which further reinforces the sophisticated nature of the ongoing threats that have been identified. The second malware strain identified, Koi Stealer, possesses advanced data exfiltration capabilities, as compared to the previously undocumented macOS variant. According to this discovery, it is clear that macOS-targeted malware continues to evolve and that robust cybersecurity measures are necessary to mitigate the risks posed by these sophisticated threats and help to minimize incidents. 


As a result of the Koi Stealer malware, a run-time string decryption mechanism is utilized by it. Throughout the binary code, there is a single function that is repeatedly invoked. In the decryption function, each character of a hard-coded key (xRdEh3f6g1qxTxsCfg1d30W66JuUgQvVti) is iterated sequentially from index 0 to index 33 and the XOR operation is applied between the key’s characters and the encrypted string's characters, in a way that is applied sequentially. 

To get a better understanding of how Koi Stealer behaves, researchers developed a custom decryption program that replicates the malware's logic to gain insight into the malware's behavior, along with the techniques it uses to disguise its true functionality. Using the same decryption routine, analysts were able to extract and analyze the decrypted strings with success, allowing a more comprehensive understanding of the malware’s capabilities and objectives. There are significant similarities between the code structure and execution flow of different versions of Koi Stealer, as shown by a comparison between the various variants. 

Each variant of malware was designed consistently to steal data. Each category of stolen information was contained within separate functions within each variant. This modular design indicates that the malware has been developed in a structured and organized manner, further proving its sophistication. Besides targeting common types of information stealers, Koi Stealer also has a specific interest in specific directories and configurations that are not commonly found in the information stealer world. 

Interestingly, both of the analyzed samples actively target user data from Steam and Discord, which indicates a deep interest in credentials related to gaming platforms and communication platforms. A wide range of targeted data demonstrates how versatile the malware is and how it is capable of being exploited for a wider range of purposes than traditional financial or credential thefts. The detailed breakdown of the notable decrypted strings and the additional technical findings found in Appendix C provides further insight into Koi Stealer's internal operations and goals, as well as providing additional insight into the company's internal operations.
Read more »
Vulnerability
CyberCrime Cyberhackers Cybersecurity CyberThreat Internet of Things Password Privacy Security Security Risk Vulnerability

Default Password Creates Major Security Risk for Apartment Complexes

 


Under research conducted by security researchers, it was discovered that a widely used door access control system includes an inherently insecure default password. Thousands of buildings across the country have insecure default passwords that can be accessed easily and remotely by anyone. It was discovered by Eric Daigle that there is still a lot of residential and commercial properties in North America that have not yet modified the default passwords for their access control systems, many of them are not even aware that this is a good idea.   

When security researcher Eric Daigle examined an apartment building’s access control panel, he inadvertently discovered one of the most concerning security issues in recent years while inspecting the access control panel. Initially, a routine observation while waiting for a ferry led to the discovery of a critical security flaw affecting hundreds of residential buildings across the country, which caused a widespread financial loss for thousands of people.

In late last year, Eric Daigle became interested in the system when he noticed an unusual access control panel on his normal daily activities. He conducted a short online search for “MESH by Viscount” and found a sales page for its remote access capability, followed by the discovery of a PDF installation guide available for download. It is typical for access control systems to be configured with a default password, which administrators are supposed to change to match their credentials. 

However, Daigle observed that the installation manual did not provide clear instructions regarding how these credentials were to be modified. It was later revealed, after further investigation into the user interface's login page title, that multiple publicly accessible login portals are available for this product. Alarmingly, as a result of this research, he was able to access the first one with default credentials, which highlights a critical security vulnerability. 

The Enterphone MESH door access system is currently owned by Hirsch, and Hirsch has announced that to address this security vulnerability, a software patch will be released shortly that will require users to change their default password, as soon as possible. An internet-connected device will often have a default password, which is often included in the product manual to facilitate the initial setup process. 

There is, however, a significant security risk in requiring end users to manually update these credentials, since if they fail to do so, their systems can be vulnerable to unauthorized access. Hirsch’s door access solutions are not prompted to customers when they are installed, nor are they required to modify the default passwords, leaving many systems at risk of unauthorized access. This vulnerability had been discovered by security researcher Eric Daigle, based on the findings he made, according to his findings. 

The vulnerability has been designated as CVE-2025-26793 as a result of his findings. Modern building security systems have become increasingly integrated with the Internet of Things (IoT) technology, especially in apartment complexes seeking a more advanced alternative to traditional phone-line-based access control systems. Among these key fob systems, Hirsch Mesh features a web-based portal that enables the use of key fobs throughout a large building to be tracked and logged, as well as allowing remote access to various entry points also within the building to be controlled remotely. 

The accessibility of the system's default login credentials, however, raises a crucial security concern because they are openly published in the installation manual, which is easily accessible via an online search, as the installer provides a list of the default login credentials. While waiting at a bus stop for his bus, Eric Daigle made a quick internet search based on the name of the product displayed on the security terminal of the apartment complex across the street. He located the manual in just a few minutes, which identified a way to circumvent the building's security measures. This highlighted a significant flaw in the system's design, leading to a serious risk of abuse. 

The default password that is set on internet-connected devices has historically posed a significant security threat because unauthorized individuals can gain access under the guise of legitimate users, leading to data breaches or the possibility of malicious actors hijacking these devices to carry out large-scale cyberattacks. In recent years, there have been several governments, including the UK, Germany, the US, and other countries, which have been encouraging technology manufacturers to adopt more robust security measures to avoid the security risks associated with using default credentials that were considered insecure in the first place. 

Having been rated as highly vulnerable by the FBI as a result of its ease of exploit, Hirsch's door entry system has been rated as a high threat as well with a severity rating of 10. Exploiting the flaw involves a minimal amount of effort. There is a public documentation available on Hirsch's website, which contains the installation manual for the system, which can be used to obtain the default password. An affected building is vulnerable to unauthorized access if individuals with these credentials log in to the login window of the building's system through the login portal; this highlights a critical security flaw in the system.
Read more »
Russian IT security
banking software hack Cybersecurity Data Breach LANIT breach LANIT cyberattack NKTsKI warning Russian IT security

LANIT Cyberattack: Russian IT Giant Faces Major Security Breach

 

Russia's National Coordination Center for Computer Incidents (NKTsKI) has issued a warning to organizations in the country's credit and financial sector regarding a security breach at LANIT, a leading Russian IT service and software provider.

The alert, also published on GosSOPKA’s (State System for Detection, Prevention, and Elimination of Consequences of Computer Attacks) website, states that the attack occurred on February 21, 2025. The incident may have affected LLC LANTER and LLC LAN ATMservice, both subsidiaries of the LANIT Group of Companies.

LANIT Group is a key player in Russia’s IT sector and the nation’s largest system integrator, with a client portfolio that includes the Russian Ministry of Defense and entities within the military-industrial complex, such as Rostec. Due to these associations, the U.S. Department of the Treasury imposed sanctions on LANIT in May 2024.

LLC LANTER and LLC LAN ATMservice specialize in banking technology, developing software solutions for banking equipment, payment systems, and Automated Teller Machines (ATMs).

Following the breach, NKTsKI has advised all potentially impacted organizations to reset passwords, update access keys, and modify remote access credentials.

"NKTsKI recommends that all organizations immediately change passwords and access keys for their systems hosted in LANIT's data centers," the bulletin states. "If your infrastructure uses LANIT group developments and software products, and LANIT engineers have been granted remote access, it is also recommended to change connection credentials."

"Additionally, it is advised to enhance monitoring of threats and information security events in systems that were developed, deployed, or maintained by engineers from the LANIT Group of Companies."

A detailed PDF document has been provided with further security recommendations, outlining measures to mitigate threats from compromised external channels.

NKTsKI has not disclosed how the attackers infiltrated the LANIT network, the exact timeline of the breach, the extent of the compromised data, or the perpetrators behind the attack.

In recent months, Russian ATM operators and banks have faced repeated cyberattacks from Ukrainian hackers, who frequently use distributed denial-of-service (DDoS) techniques to disrupt operations.

However, the latest warning suggests a deeper infiltration into a major service provider’s systems, raising concerns about potential widespread supply chain vulnerabilities.
Read more »
UPI
Call Merging CyberCrime Cyberhackers Cybersecurity CyberThreat Mobile Security NPCI OTP personal verification Scammers UPI

Call Merging Scams and Financial Security Risks with Prevention Strategies

 


It is not uncommon for fraudsters to develop innovative tactics to deceive their targets, with one of the latest scams being the called merging scam in which the scammers attempt to gain unauthorized access to the victim's accounts to defraud them. In many cases, the victims suffer substantial financial losses due to this scheme. 

There has been a warning issued by the Indian authorities in regards to a new scam that involves individuals being manipulated into merging their calls by scammers, who then subsequently reveal One-Time Passwords (OTPs) unknowingly. Using this deceptive tactic, fraudsters can gain access to victims' financial accounts, which will enable them to carry out fraudulent activities. 

NPCI's Unified Payments Interface (UPI), an initiative that was developed by the National Payments Corporation of India (NPCI), has expressed concern about this emerging threat. As a precautionary measure, UPI cautioned users on its X account of the risks involved in call merging scams and stressed that call merging scams pose a serious threat to users. 

As part of the advisory, individuals were advised to remain vigilant, stating, Fraudsters are using call merging tactics to deceive users into giving out OTPs. As part of its role to oversee the Unified Payments Interface (UPI), NPCI has expressed significant concerns about the growing cyber fraud epidemic. 

The goal of social engineering scammers is to deceive unsuspecting victims into disclosing their sensitive banking credentials to take control of the situation. In most cases, the scam begins with the fraudster contacting the target, falsely claiming to have obtained their phone number through a mutual acquaintance. 

The fraudster will then try to convince the target to combine the call with a similar call from a different number. It is true that in this second call, the victim is being connected to an official OTP verification call from their bank. Therefore, the victim does not know they are being deceived, and unwittingly allows someone to access their banking details. 

It uses social engineering techniques to manipulate individuals to unknowingly divulge their One-Time Password (OTP), an important security feature used for financial transactions, through their manipulation techniques. 

It is quite common for victims to receive a phone call from a trusted source offering lucrative opportunities or a message from one of their trusted contacts recommending what seems a beneficial scheme to them. 

A significant security risk can be posed by engaging with such communications without due diligence as a result of the growing prevalence of such fraud activities. As a result, financial institutions and regulatory agencies are cautioning individuals to remain vigilant when receiving unexpected phone calls and to refrain from sharing OTPs or merging calls without verifying the identity of the callers before doing so. 

It has become increasingly common for these frauds to occur, and so the Unified Payments Interface (UPI) has issued an urgent advisory that warns users about the dangers of call merging scams. To avoid being victimized by such deceptive tactics, individuals need to be vigilant and take strict security measures to protect their financial information. 

There is a deceptive technique known as the Call Merging Scam, which is used by fraudsters to trick people into divulging sensitive information such as One-Time Passwords (OTPs), unknowingly. In this manner, scammers can gain unauthorized access to victims' bank accounts and other secured platforms by exploiting this technique to commit financial fraud on the victims. 

Modus Operandi of the Scam


It is quite common for fraudsters to make deceptive telephone calls, falsely stating that they have obtained the recipient's phone number from an acquaintance or source that is reliable. 

There are many scams out there that involve victims being persuaded to merge calls with another individual. This is often accomplished by presenting another individual as a friend or a bank representative, depending on the scam. 

There is an automatic OTP verification call that they will be connected to without their knowledge. The automated call will direct them to a bank site that activates a mobile OTP verification system for verification. 

As a scammer, the victim is deceitfully manipulated into believing that sharing the OTP for their financial accounts to be accessed is necessary because sharing it is required for authentication. 

Preventive Measures to Safeguard Against Fraud 


To avoid the merging of calls between unknown callers, decline the request right away. Be careful about authenticating the identity of a caller: Whenever users receive an email from someone who claims to represent a financial institution, they should contact the bank directly through their official customer support phone number. Recognize Fraudulent Requests: Banks never ask customers for an OTP over the phone. 

A request of this nature should be viewed as an indication of a potential fraud and reported promptly. Ift an unsolicited OTP or suspected fraudulent activity occurs, individuals should notify their bank immediately and call 1930 (the national cybercrime helpline), so the incident can be investigated further. 

Considering the increasing number of scams like these, it has become imperative that one remains vigilant and adopts strict security practices as a precautionary measure to avoid financial loss. Many viral videos and discussions on social media emphasize a single aspect of fraudulent transactions — receiving an OTP via a merged call as opposed to a text message. 

Despite this, they often overlook the important point: an OTP is not sufficient for authorization of a transaction by itself. A fraudster needs to obtain essential banking details such as a card number, a card verification value, or a UPI Personal Identification Number (PIN) before he or she can use an OTP as a final step in committing an unauthorized transaction. 

To mitigate such risks, the Reserve Bank of India (RBI) has implemented strict security protocols to minimize them. To complete electronic transactions, financial institutions and payment service providers must implement multi-factor authentication (MFA) as of 2021 so that user authentication can be verified by more than one factor. This level of protection is achieved by implementing multiple authentication measures in combination with a combination of vital characteristics, including OTP verification, mobile device authentication, biometric identification, and hardware security tokens, which together provide a high level of security against unauthorized access. 

Digital transactions are typically protected by multiple layers of security, each requiring a combination of authentication factors to ensure their integrity. There are three types of authentication: manual, which includes everything the user possesses, such as their credentials, card numbers, and UPI IDs; known, such as their password, CVV, or PIN; and dynamic, such as their OTP, biometric authentication, or device authentication. 

To achieve the highest level of security, all three levels are necessary for most online banking and card transactions. However, a UPI transaction with a value up to a lakh does not require an OTP and can be authorized with only a UPI ID and PIN, without the need for an OTP. As a result of this multi-layered approach, financial fraud risks are greatly reduced and the security of digital payments is greatly strengthened.
Read more »
VPN
BackLock Black Basta Cyberhacekrs Cybersecurity CyberThreat malware Ransomware ransomware-as-a-service (RaaS) VBS VPN

Black Basta's Slowdown Coincides with BlackLock's Growth

 


The activity level of ransomware groups with "black" in their name has varied greatly over the early months of the new year. Despite the significant increase in attacks caused by the BlackLock ransomware group, the long-established Black Basta ransomware group appears to be about to break up, although it is still posing a persistent cybersecurity threat even so. 

Even though BlackLock was first identified as a ransomware-as-a-service operation in March 2024, the cyber-criminals have been actively targeting multiple platforms in the past few months, including Windows, VMware ESXi, and Linux systems, according to a report by cybersecurity firm ReliaQuest. According to a report by ReliaQuest, BlackLock, also known as El Dorado or Eldorado, utilizes a double-extortion strategy, which involves exfiltration of sensitive data from a victim before the encryption of their computer systems. 

With this approach, threat actors can demand a ransom in addition to the decryption of compromised files to obtain a promise that they will not reveal the stolen data once they have decrypted it. As reported by ReliaQuest, BlackLock has also reported a substantial increase in its activities over the last three months, with its data leak site registering fourteen times as many victims as it did in the previous three months of 2024. In light of this sharp increase, it is evident that BlackLock is becoming a greater threat to organizations, as it continues to expand its operations and refine its extortion tactics, which are becoming increasingly sophisticated. 

To enhance an enterprise's cybersecurity posture, it is crucial to have a thorough understanding of the Black Basta attack methodologies. The Black Basta ransomware group attacks targeted organizations by exploiting known vulnerabilities, system misconfigurations, and inadequate security controls. It has been determined that the group systematically focused on exposed Remote Desktop Protocol servers, weak authentication mechanisms, malware droppers disguised as legitimate files, and exposed RDP servers through analyzing its internal communications. 

In April 2022, blackBasta, a ransomware-as-a-service (RaaS) operation based in Russian, was first discovered. It is safe to say that Black Basta expanded quickly after the dismantling of the Conti ransomware group, taking advantage of the void left behind and including former Conti affiliates in its ranks in an effort to exploit the void left behind. Through this strategic expansion, the group was able to orchestrate attacks against hundreds of organizations throughout the world, establishing itself as an elite cybercriminal organization. 

According to cyber-intelligence firm Prodaft, the group's campaigns have declined steadily over the past couple of months, with its last known operations occurring in December, according to the firm. Since this group was previously one of the most dominant players in the ransomware landscape, it has been the subject of considerable attention within the cybersecurity community during this abrupt downturn in activity. There are numerous sophisticated attack vectors employed by Black Basta to compromise systems, which include the following. 

Among its primary tactics has been scanning for exposed RDP and VPN services around the world. This group frequently takes advantage of the default credentials available for VPN connections, or they use brute-force attacks to establish initial access by exploiting previously compromised credentials. Black Basta is also actively exploiting known Common Vulnerabilities and Exposures (CVEs) in unpatched systems, taking advantage of organizations that are not updated with security patches, or are behind in updating their security systems. 

To make malware deployment much easier, ransomware operators often use MSI (Microsoft Installer) and VBS (Visual Basic Script) malware droppers that deliver malicious payloads discreetly to make malware deployments easier. The majority of these payloads are executed by misusing system utilities such as Rundll32.exe, which can be used to execute harmful DLL files as a result. Additionally, this group focuses on credential harvesting and privilege escalation, which allows them to gain a deeper understanding of a compromised network and to increase their impact.

Black Bastion’s tactics have been evolving over the years and are becoming more persistent. This is why organizations should adopt a proactive cybersecurity strategy, ensuring regular patching, robust authentication protocols, and continuous network monitoring to minimize the risks posed by this malware. There is no denying that the sophistication of malware used by threat actors greatly influences the effectiveness of ransomware operations. 

As a result of developing and maintaining proprietary crypters, prominent ransomware groups like Play, Qilin, and BlackLock have distinguished themselves from the competition. It has been widely believed that leading cybercriminal organizations have used customized crypters to enhance the stealth and operational efficiency of their malware, making security systems more difficult to detect and mitigate. 


A strategic advantage for these organizations is the ability to market their malware as faster and more evasive than the competitors, which will help them attract high-level affiliates. However, other ransomware groups, such as Bl00dy, Dragonforce, and RA World, rely on leaked ransomware builders that were originally developed by Babuk or LockBit. In his opinion, Jim Wilson, a ReliaQuest security analyst, believes such groups are either lacking the technical expertise required to develop proprietary malware or they are not able to afford to pay skilled developers to develop proprietary malware. From a cybersecurity perspective, the reliance on publicly available tools creates opportunities for defenders, as it enables them to analyze code and develop targeted countermeasures based on that analysis. 

Recently, BlackLock has become increasingly popular within cybercriminal forums. Wilson has noted that the group actively recruits affiliates, initial access brokers, and experienced developers through the Ramp forum. The alias "$$$" is used to identify this group as active within the Ramp cybercrime forums. The BlackLock group also frequently recruits "traffers" which are cybercriminals who send victims to malicious websites before passing them off to more experienced operatives for execution. According to incident response firms, ransomware groups typically gain their first access to enterprise networks through phishing campaigns as well as by utilizing remote access tools. 

Cybercriminals often use known software vulnerabilities to attack systems by infiltrating them. Sophisticated ransomware groups are constantly trying to improve their attack strategies through utilizing innovative methods. There was a post made by "$$$" on Ramp on January 28, 2025, in which he asked hackers who had experience exploiting Microsoft's Entra Connect Sync, a software that allows Active Directory to be synchronized with Entra (formerly Azure Active Directory), to be exploited. 

Research published by SpecterOps in December 2024 was referenced as the basis for this request. As part of the research, attackers were able to inject their own Windows Hello for Business (WHFB) key into a victim's account to exploit Entra's synchronization mechanisms. Additionally, cybersecurity expert Garrity noted that Black Basta has demonstrated a proactive approach to vulnerability exploitation. 

The group reportedly discusses new vulnerabilities within days of security advisories being released and, while hesitant, considers purchasing exploits from emerging threat actors. Furthermore, there is evidence suggesting that Black Basta possesses the necessary resources to develop new exploits. Garrity’s analysis of Black Basta’s chat logs indicates a strategic yet opportunistic approach that prioritizes well-known vulnerabilities and high-value targets. 

While the group primarily leverages established exploit frameworks and widely available tools, discussions within their network suggest a potential for new exploit development and tactical evolution. For cybersecurity defenders, the key takeaway is the importance of prioritizing vulnerability remediation through an evidence-based security strategy. Cybersecurity firm Rapid7 has reported that Black Basta has continuously refined its social engineering techniques, incorporating enhanced malware payloads, improved delivery mechanisms, and advanced evasion tactics. 

The group has been observed leveraging Microsoft Teams to impersonate IT personnel, often masquerading as help desk or customer support representatives. Upon engaging a victim, attackers attempt to install remote management tools such as AnyDesk, TeamViewer, or ScreenConnect, deploy malicious QR codes, or establish a reverse shell using OpenSSH. Once access is secured, malware such as Zbot or DarkGate is used to escalate privileges, harvest credentials, and bypass multifactor authentication, ultimately leading to data exfiltration and ransomware deployment. 

A December 2024 attack investigated by ReliaQuest involved a Microsoft lookalike domain sending a flood of phishing emails to employees, followed by direct calls through Teams. Within minutes of gaining access via Quick Assist, the attacker established communication with a command-and-control server and began lateral movement within 48 minutes, successfully exfiltrating data from a manufacturing firm. Despite these ongoing attacks, intelligence from deep and dark web sources suggests that Black Basta’s leadership has exhibited signs of fatigue since mid-2024. 

According to RedSense analyst Bohuslavskiy, key members, including a critical administrator, have reportedly lost interest in ransomware operations, possibly due to prolonged involvement since 2019 or 2020. While the group appears to be scaling down, its infrastructure remains operational, with continued victim negotiations and ransomware deployments. However, declining operational standards have led to increased failures in decryption, rendering attacks even more destructive due to the group's growing negligence.

As well, Cybersecurity expert Garrity noted that Black Basta has been proactive when it comes to exploiting vulnerabilities. It has been reported that the group discusses new vulnerabilities as soon as security advisories are released, and while it is reluctant to buy exploits from emerging threat actors, the group is still considering doing so. Several pieces of evidence suggest that Black Basta possesses the necessary resources to develop new exploits based on evidence. 

According to Garrity's analysis of Black Basta's chat logs, the group takes a strategic yet opportunistic approach, prioritizing well-known vulnerabilities and high-value targets. Although the group primarily relies on established exploit frameworks and readily available tools, discussions within the group suggest that new exploits could be developed and tactically evolved in the future. 

Among the key takeaways for cybersecurity defenders is the importance of prioritizing vulnerability remediation as part of an evidence-based security strategy. According to Rapid7, Black Basta has continuously reworked its social engineering techniques, including enhancing malware payloads, improving delivery mechanisms, and incorporating evasion tactics to make it more effective than before. Observations have indicated that the group uses Microsoft Teams to impersonate IT employees, often masquerading as help desk or customer support representatives. 

As soon as the attacker engages a victim, he or she attempts to install remote management tools such as AnyDesk, TeamViewer, or ScreenConnect to deploy malicious QR codes, or to establish a reverse shell via OpenSSH in the event of an attack. Malware, such as Zbot, DarkGate, and other malicious programs, is then employed to escalate privileges, harvest credentials, and bypass multifactor authentication, resulting in data exfiltration and ransomware deployment. This attack is believed to have been perpetrated by a Microsoft-like domain that sent phishing emails to employees in December 2024, followed by direct calls through Teams. 

After gaining access via Quick Assist in less than five minutes, the attacker established a connection with a command and control server, started moving laterally within 48 minutes, and successfully extracted information from a manufacturing company within 48 minutes. However, information from deep and dark web sources suggests that the leadership of Black Basta has shown signs of fatigue since mid-2024 despite these ongoing attacks. 

It has been reported that RedSense analyst Bohuslavskiy believes key members, including a critical administrator, have lost interest in ransomware operations, possibly due to their prolonged involvement in the ransomware campaign from 2019 or 2020. Although the group appears to be reducing its operations, it has been continuing to negotiate with victims and deploy ransomware, despite its apparent scaling down. It is important to note that while operational standards are decreasing, more and more failures in decryption have arisen during the last few years, which has rendered attacks even more destructive due to the growing negligence of the group.
Read more »
Subscribe to: Posts (Atom)