Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Breach. Show all posts
Financial Data
Athenian Tech Classified Information Data Breach Defence Ministry Financial Data

Cyberattack Exposes Confidential Defence Data, Raising Security Concerns

 



A massive collection of classified defence documents has reportedly been stolen by hackers and put up for sale. The stolen information includes blueprints for a weapon, details about an upcoming Air Force facility, procurement strategies, and India's defence partnerships with other countries.  

Cybersecurity firm Athenian Tech, which analyzed the data, believes it was taken from the personal device of a former Defence Ministry official. Among the leaked files are emergency evacuation procedures for high-ranking government officials, including the President and Prime Minister, in the event of an aerial attack. This has raised serious concerns about national security.  


Defence Agency denies data breach

The Defence Research and Development Organisation (DRDO), which is responsible for developing military technology, is known for its strict security rules. Employees are not even allowed to carry personal mobile phones in certain areas. However, the stolen data has been linked to DRDO, raising concerns about how such critical information was accessed.  

Despite these claims, DRDO officials have denied that their systems were breached. They stated that the stolen files do not belong to their organization but have not provided further details to clarify the situation.  


Hackers Claim Responsibility 

A ransomware group called Babuk Locker 2.0 announced on March 10, 2025, that it was behind the attack. The hackers claim to have stolen 20 terabytes of sensitive defence data from DRDO’s servers, including classified military documents and login credentials. They released a small portion of this data, approximately 753 MB, as proof of their claims.  

The sample files include technical details about upgrades to the T9 Bhishma Tank, along with records of India’s defence collaborations with countries such as Finland, Brazil, and the United States.  

Athenian Tech examined conversations between the hackers and found that they were communicating in Indonesian, suggesting they may be based in Indonesia. However, after further analysis, the firm believes the hackers might have exaggerated the scale of the breach.  

The report indicates that much of the leaked data is linked to Puneet Agarwal, who served as a Joint Secretary in the Defence Ministry between 2019 and 2021. His personal information, including Aadhaar details, financial records, and travel documents, were found in the files. This suggests that the breach might have come from his personal device rather than DRDO’s secured internal network.  


Major Security Risks 

The exposure of such sensitive information highlights major cybersecurity vulnerabilities. It raises concerns about insider threats and whether India’s defence infrastructure is adequately protected from sophisticated cyberattacks.  

Athenian Tech has stressed the need for stronger security measures, tighter access controls, and constant monitoring to prevent such incidents from happening again.  

One of the biggest concerns is that classified documents were stored on a personal device, which indicates serious gaps in data security policies. If the hackers also obtained login credentials, they could use them to infiltrate more secure systems and gain access to additional classified information.  

Read more »
United States
Data Breach Military Operations National Security Security Breach Signal app United States

Experts Warn Trump Officials Using Signal for War Plans Risk Massive Leaks

 

Reports that senior Trump administration officials discussed classified military operations using the encrypted texting app Signal have raised serious security concerns. Although Signal provides encryption, lawmakers and cybersecurity specialists have warned that it is still susceptible to hacking and should never be used for private government communications. 

When journalist Jeffrey Goldberg of The Atlantic was accidentally included in a Signal group discussion where senior Trump officials were discussing military operations in Yemen, the issue became apparent. Goldberg called the conversation an act of "shocking recklessness" and said it included "precise information about weapons packages, targets, and timing.” 

Mark Montgomery, senior director of the Foundation for Defence of Democracies, criticised the decision, saying, "I guess Signal is a few steps above leaving a copy of your war plan at the Chinese Embassy—but it's far below the standards required for discussing any elements of a war plan.” 

Signal has become increasingly popular in Washington despite cybersecurity concerns after Chinese-affiliated hackers significantly compromised U.S. telecommunications networks. To safeguard against spying, officials recommend using encrypted services such as Signal. Experts warn that even while the app has robust encryption and deletes messages automatically, it is not approved for use in government-level sensitive communications. 

Lawmakers call for investigation

Top Democrats have slammed the use of Signal for military discussions, describing it as a significant security breach. Bennie Thompson (D-Miss.), the ranking member of the House Homeland Security Committee, criticised the Trump administration for failing to vet group chat users. “It should go without saying that administration officials should not be using Signal for discussing intelligence matters,” Thompson noted. 

House Foreign Affairs Committee Ranking Member Gregory Meeks (D-N.Y.) has requested a hearing, calling the episode "the most astonishing breach of our national security in recent history." Ranking member of the House Intelligence Committee, Jim Himes (D-Conn.), said he was "horrified" by the usage of an insecure app. He cautioned that lower-level officials might risk criminal charges for such a failure. 

Michael Waltz, Trump's National Security Adviser, admits to organising the Signal group chat, which inadvertently included writer Jeffrey Goldberg. Waltz first blamed a staff member, but later admitted that he founded the group himself. "It is embarrassing, definitely. We're going to get to the bottom of it," he added, adding that he was engaging Elon Musk on technical matters. 

In support of Waltz, Trump described him as a "good man" who had only "learnt a lesson." "The leak was the only glitch in two months, and it turned out not to be a serious one," he said, downplaying the breach as a small mistake. But there has been a quick pushback, with lawmakers and security experts voicing serious concerns.
Read more »
Data Theft
AT&T cloud storage services CyberCrime cybercriminal arrests Data Breach Data Hackers data security Data Theft

Connor Moucka Extradited to U.S. for Snowflake Data Breaches Targeting 165 Companies

 

Connor Moucka, a Canadian citizen accused of orchestrating large-scale data breaches affecting 165 companies using Snowflake’s cloud storage services, has agreed to be extradited to the United States to face multiple federal charges. The breaches, which targeted high-profile companies like AT&T and Ticketmaster, resulted in the exposure of hundreds of millions of sensitive records. 

Moucka, also known by online aliases such as “Waifu,” “Judische,” and “Ellyel8,” was arrested in Kitchener, Ontario, on October 30, 2024, at the request of U.S. authorities. Last Friday, he signed a written agreement before the Superior Court of Justice in Kitchener, consenting to his extradition without the standard 30-day waiting period. The 26-year-old faces 20 charges in the U.S., including conspiracy to commit computer fraud, unauthorized access to protected systems, wire fraud, and aggravated identity theft. Prosecutors allege that Moucka, along with co-conspirator John Binns, extorted over $2.5 million from victims by stealing and threatening to expose their sensitive information. 

The data breaches tied to this cybercrime operation have had widespread consequences. In May 2024, Ticketmaster’s parent company, Live Nation, confirmed that data from 560 million users had been compromised and put up for sale on hacking forums. Other companies affected include Santander Bank, Advance Auto Parts, and AT&T, among others. Moucka and Binns are believed to be linked to “The Com,” a cybercriminal network involved in various illicit activities, including cyber fraud, extortion, and violent crimes. 

Another alleged associate, Cameron Wagenius, a 21-year-old U.S. Army soldier, was arrested in December for attempting to sell stolen classified information to foreign intelligence agencies. Wagenius has since indicated his intent to plead guilty. U.S. prosecutors claim Moucka and his associates launched a series of cyberattacks on Snowflake customers, gaining unauthorized access to corporate environments and exfiltrating confidential data. 
These breaches, described as among the most extensive cyberattacks in recent history, compromised sensitive 
records from numerous enterprises. While the exact date of Moucka’s extradition remains undisclosed, his case underscores the growing threat of cyber extortion and the increasing international cooperation in tackling cybercrime. His legal representatives have not yet issued a statement regarding the extradition or upcoming trial proceedings.
Read more »
Online Scams
Collectibles.com Customer Information Data Breach Online Scams

Massive Data Leak Exposes Nearly a Million Collectors – Are You at Risk?

 



A major online platform for collectible items, Collectibles.com, has accidentally exposed the private information of nearly a million users. This security flaw could put many people at risk of identity theft, fraud, and online scams, according to cybersecurity experts.  


How the Data Was Leaked  

Cybersecurity researchers from Cybernews discovered that the website had an unprotected database, meaning anyone could access it without a password. This database contained 300GB of data and over 870,000 records, each linked to a different user. The leaked information included full names, email addresses, profile pictures, account details, records of collectible card sales, and other transaction history.  

Experts warn that such leaks can be dangerous because cybercriminals might use this data for fraudulent activities, such as identity theft or phishing scams. Phishing is when scammers send fake emails or messages pretending to be from a trusted company to trick users into revealing passwords or financial information.  


What Is Collectibles.com?  

Previously known as Cardbase, Collectibles.com is an online marketplace where users can buy, sell, and track trading cards, comics, and memorabilia. In 2024, the company announced it had around 300,000 users. However, this data leak suggests the number of affected users might be much higher.  


Company’s Response and Security Concerns  

Cybernews contacted Collectibles.com to inform them about the security issue. However, aside from an automated response, the company did not take immediate action. It took ten days for the exposed database to be secured, but it remains unclear how long the data was accessible before it was discovered.  

There is also uncertainty about whether hackers accessed the information before Cybernews reported it. If cybercriminals obtained this data, they could already be using it for scams or fraud.  


Why Do These Leaks Happen?  

One of the main reasons for data leaks is unsecured cloud databases. Many companies store customer information online but do not always follow proper security practices. Some businesses assume that cloud providers are fully responsible for security, but in reality, companies must also take steps to protect their data.  

Cybercriminals and researchers alike use tools to search the internet for unprotected databases. Once found, these databases can be exploited in different ways, from selling private information to launching scams.  


How Users Can Protect Themselves  

If you have an account on Collectibles.com, consider taking the following steps:  

1. Change your password immediately to ensure your account remains secure.  

2. Enable two-factor authentication (2FA) to add an extra layer of protection.  

3. Be cautious of phishing emails that may try to trick you into revealing personal details.  

4. Monitor your accounts for suspicious activity and report anything unusual.  

Cybersecurity experts emphasize that companies must take data security seriously to prevent such leaks. At the same time, users should remain cautious and take steps to protect their personal information online.  


Read more »
zero-click
Data Breach Hackers paragon Spyware WhatsApp zero-click

WhatsApp Fixes Security Flaw Exploited by Spyware

 



WhatsApp recently fixed a major security loophole that was being used to install spyware on users' devices. The issue, known as a zero-click, zero-day vulnerability, allowed hackers to access phones without the user needing to click on anything. Security experts from the University of Toronto’s Citizen Lab uncovered this attack and linked it to Paragon’s spyware, called Graphite.  

The flaw was patched by WhatsApp in late 2023 without requiring users to update their app. The company also chose not to assign a CVE-ID to the vulnerability, as it did not meet specific reporting criteria.  

A WhatsApp spokesperson confirmed that hackers used the flaw to target certain individuals, including journalists and activists. WhatsApp directly reached out to around 90 affected users across multiple countries.  


How the Attack Worked  

Hackers used WhatsApp groups to launch their attacks. They added their targets to a group and sent a malicious PDF file. As soon as the file reached the victim’s phone, the device automatically processed it. This triggered the exploit, allowing the spyware to install itself without any user action.  

Once installed, the spyware could access sensitive data and private messages. It could also move beyond WhatsApp and infect other apps by bypassing Android’s security barriers. This gave attackers complete control over the victim’s device.  


Who Was Targeted?  

According to Citizen Lab, the attack mostly focused on individuals who challenge governments or advocate for human rights. Journalists, activists, and government critics were among the key targets. However, since only 90 people were officially notified by WhatsApp, experts believe the actual number of victims could be much higher.  

Researchers found a way to detect the spyware by analyzing Android device logs. They identified a forensic marker, nicknamed "BIGPRETZEL," that appears on infected devices. However, spotting the spyware is still difficult because Android logs do not always capture all traces of an attack.  


Spyware Linked to Government Agencies  

Citizen Lab also investigated the infrastructure used to operate the spyware. Their research uncovered multiple servers connected to Paragon’s spyware, some of which were linked to government agencies in countries like Australia, Canada, Cyprus, Denmark, Israel, and Singapore. Many of these servers were rented through cloud platforms or hosted directly by government agencies.  

Further investigation revealed that the spyware's digital certificates contained the name “Graphite” and references to installation servers. This raised concerns about whether Paragon's spyware operates similarly to Pegasus, another surveillance tool known for being used by governments to monitor individuals.  


Who Is Behind Paragon Spyware?  

Paragon Solutions Ltd., the company behind Graphite spyware, is based in Israel. It was founded in 2019 by Ehud Barak, Israel’s former Prime Minister, and Ehud Schneorson, a former commander of Unit 8200, an elite Israeli intelligence unit.  

Paragon claims that it only sells its technology to democratic governments for use by law enforcement agencies. However, reports have shown that U.S. agencies, including the Drug Enforcement Administration (DEA) and Immigration and Customs Enforcement (ICE), have purchased and used its spyware.  

In December 2024, a U.S.-based investment firm, AE Industrial Partners, bought Paragon, further raising questions about its future operations and how its surveillance tools may be used.  


Protecting Yourself from Spyware  

While WhatsApp has fixed this specific security flaw, spyware threats continue to evolve. Users can take the following steps to protect themselves:  

1. Update Your Apps: Always keep your apps updated, as companies frequently release security patches.  

2. Be Cautious of Unknown Files: Never open suspicious PDFs, links, or attachments from unknown sources.  

3. Enable Two-Factor Authentication: Adding an extra layer of security to your accounts makes it harder for hackers to break in.  

4. Check Your Device Logs: If you suspect spyware, seek professional help to analyze your phone’s activity.  

Spyware attacks are becoming more advanced, and staying informed is key to protecting your privacy. WhatsApp’s quick response to this attack highlights the ongoing battle against cyber threats and the need for stronger security measures.  


Read more »
Oracle Cloud
Data Breach Data Leak Data Theft Login Servers Oracle Cloud

Oracle Denies Claim of Server Breach

 

Following a threat actor's claim to be selling 6 million data records allegedly stolen from Oracle Cloud's federated SSO login servers, Oracle denies that it was compromised. 

“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data," the company noted. 

This accusation follows the release of many text files yesterday by a threat actor going by the moniker rose87168, which included a sample database, LDAP details, and a list of the businesses they said were pilfered from Oracle Clouds' SSO platform.

The threat actor provided BleepingComputer with this URL as additional evidence that they were able to access Oracle Cloud servers. It displays an Internet Archive URL indicating that they submitted a.txt file to the login.us2.oraclecloud.com server that contained their ProtonMail email address.

The attackers uploaded a text file with their email address without having access to Oracle Cloud servers, as BleepingComputer explained when they got in touch with Oracle once more. 

Alleged Oracle data leak 

Rose87168 is currently offering the allegedly stolen data from Oracle Cloud's SSO service for an undisclosed fee or in exchange for zero-day exploits on the BreachForums hacking community. The information, which included enterprise manager JPS keys, Java Keystore (JKS) files, and encrypted SSO passwords, was allegedly stolen during an intrusion into Oracle servers based in 'login.(region-name).oraclecloud.com'.

"The SSO passwords are encrypted, they can be decrypted with the available files. also LDAP hashed password can be cracked," rose87168 says. "I'll list the domains of all the companies in this leak. Companies can pay a specific amount to remove their employees' information from the list before it's sold.” 

They've also promised to share part of the data with anyone who can help decrypt the SSO or LDAP credentials. The threat actor told BleepingComputer that they acquired access to Oracle Cloud servers about 40 days ago and claimed to have emailed the firm after exfiltrating data from the US2 and EM2 regions.

In the email conversation, rose87168 said that they asked Oracle to pay 100,000 XMR for information on how they infiltrated the systems, but the company allegedly refused to pay after requesting for "all information needed for fix and patch.” 

When questioned how they breached the servers, the attackers stated that all Oracle Cloud servers are running a vulnerable version with a public CVE (flaw) that does not yet have a public PoC or exploit. However, BleepingComputer was unable to independently verify whether this was the case.
Read more »
Rhysida Ransomware
Cybersecurity Attack Data Breach Pennsylvania State Education Association (PSEA) Ransomware attack Rhysida Ransomware

Pennsylvania Education Union Alerts Over 500,000 Individuals of Data Breach

 

The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, is notifying more than half a million individuals that their personal data was compromised in a cybersecurity breach that occurred in July 2024.

Representing over 178,000 education professionals—including teachers, support staff, higher education employees, nurses, retirees, and future educators—PSEA disclosed the breach in letters sent to 517,487 affected individuals.

"PSEA experienced a security incident on or about July 6, 2024, that impacted our network environment," the organization stated in its notification. "Through a thorough investigation and extensive review of impacted data, which was completed on February 18, 2025, we determined that the data acquired by the unauthorized actor contained some personal information belonging to individuals whose information was contained within certain files within our network."

Types of Stolen Data

The stolen information varies by individual and includes sensitive personal, financial, and health-related details. This may include:
  • Driver’s license or state ID numbers
  • Social Security numbers
  • Account PINs and security codes
  • Payment card details
  • Passport information
  • Taxpayer identification numbers
  • Online credentials
  • Health insurance and medical records
In response to the breach, PSEA is offering free credit monitoring and identity restoration services through IDX for those whose Social Security numbers were affected. Eligible individuals must enroll by June 17, 2025. The union also advised affected individuals to monitor their financial statements, review credit reports for suspicious activity, and consider placing a fraud alert or security freeze on their credit files.

Although PSEA has not directly attributed the attack to a specific threat group, the Rhysida ransomware gang took responsibility for the breach on September 9, 2024. The cybercriminals reportedly demanded a 20 BTC ransom and threatened to leak stolen data if their demands were not met. While it remains unclear if PSEA complied with the ransom request, Rhysida has since removed the stolen data from its dark web leak site.

Rhysida, a ransomware-as-a-service (RaaS) group, first emerged in May 2023 and has been linked to several high-profile cyberattacks. Notable incidents include breaches at the British Library, the Chilean Army, and Sony subsidiary Insomniac Games. In November 2023, the group leaked 1.67 TB of documents after Insomniac refused to pay a $2 million ransom.

More recently, Rhysida affiliates targeted Lurie Children’s Hospital in Chicago in February 2024, attempting to sell stolen data for 60 BTC (approximately $3.7 million at the time). Other victims include the Singing River Health System, which suffered a data breach affecting 900,000 individuals in August 2023, and the City of Columbus, Ohio, where 500,000 residents’ data was compromised in July 2024.

Cybersecurity agencies, including the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, have warned that Rhysida ransomware affiliates continue to launch opportunistic attacks across various industry sectors. Additionally, the U.S. Department of Health and Human Services (HHS) has linked the group to multiple cyberattacks targeting healthcare institutions.
Read more »
Personal Data
Bank CyberSecurity Bank Data Leak Cleo Server CLOP Customer Data Data Breach Data Leak Data Theft Identity Theft Personal Data

Western Alliance Bank Data Breach Exposes Nearly 22,000 Customers’ Personal Information

 

Western Alliance Bank has alerted nearly 22,000 customers that their personal information was compromised following a cyberattack in October. The breach stemmed from a vulnerability in a third-party vendor’s secure file transfer software, which allowed attackers to gain unauthorized access to the bank’s systems and extract sensitive customer data. 

Western Alliance, a subsidiary of Western Alliance Bancorporation with over $80 billion in assets, first disclosed the incident in a February SEC filing. The bank revealed that hackers exploited a zero-day vulnerability in the software, which was officially disclosed on October 27, 2024. However, unauthorized access to the bank’s systems had already occurred between October 12 and October 24. The breach was only confirmed after the attackers leaked stolen files online. 

According to breach notification letters sent to 21,899 affected customers and filed with the Office of Maine’s Attorney General, the stolen data includes names, Social Security numbers, birth dates, financial account details, driver’s license numbers, tax identification numbers, and passport information if previously provided to the bank. Despite the exposure, Western Alliance stated there is no evidence of fraud or identity theft resulting from the breach. 

To support affected customers, the bank is offering one year of free identity protection services through Experian IdentityWorks Credit 3B. Although Western Alliance did not disclose the name of the compromised software in its SEC filing or customer notifications, the Clop ransomware gang has claimed responsibility for the attack. In January, Clop listed the bank among 58 companies targeted in a campaign that exploited a critical zero-day vulnerability (CVE-2024-50623) in Cleo LexiCom, VLTransfer, and Harmony software. 

The ransomware group had previously leveraged similar security flaws in MOVEit Transfer, GoAnywhere MFT, and Accellion FTA to conduct large-scale data theft operations. Further investigations revealed that Clop exploited an additional zero-day vulnerability (CVE-2024-55956) in Cleo software in December. This allowed them to deploy a Java-based backdoor, dubbed “Malichus,” enabling deeper infiltration into victims’ networks. Cleo, which serves over 4,000 organizations worldwide, confirmed the vulnerability had been used to install malicious backdoor code in affected instances of its Harmony, VLTrader, and LexiCom software. 

The full extent of the breach remains unclear, but it highlights the growing risks posed by vulnerabilities in third-party software. Organizations relying on such solutions must remain vigilant, promptly apply security patches, and implement robust defenses to prevent similar incidents.
Read more »
iOS
API Keys App security cloud storage Cybersecurity Data Breach Data Leak Encryption Hardcoded Secrets iOS

Thousands of iOS Apps Expose Sensitive Data Through Hardcoded Secrets, Researchers Warn

 

Cybersecurity researchers have uncovered alarming vulnerabilities in thousands of iOS applications, revealing that hardcoded secrets in their code have put users' sensitive information at risk.

A recent analysis by Cybernews examined over 156,000 iOS apps and detected more than 815,000 hardcoded secrets—some of which are highly sensitive and could potentially lead to security breaches or data leaks.

The term "secret" broadly refers to sensitive credentials like API keys, passwords, and encryption keys. These are often embedded directly into an app’s source code for convenience during development, but developers sometimes fail to remove them before release. According to Cybernews, the average iOS app exposes 5.2 secrets, and 71% of apps contain at least one leaked credential.

While some of these hardcoded secrets pose minimal risk, the report highlights serious threats. Researchers identified over 83,000 cloud storage endpoints, with 836 exposed without authentication, potentially leaking more than 400TB of data. Additionally, 51,000 Firebase endpoints were discovered, thousands of which were accessible to outsiders. Other exposed credentials include API keys for platforms like Fabric API, Live Branch, and MobApp Creator.

Among the most critical findings were 19 hardcoded Stripe secret keys, which directly control financial transactions. Cybernews researchers emphasized the severity of this issue, stating: “Stripe is widely used by e-commerce and even fintech companies to handle online payments.”

This vulnerability could allow cybercriminals to manipulate transactions or gain unauthorized access to payment infrastructure.

The findings challenge the common belief that iOS apps offer stronger security compared to other platforms.

“Many people believe that iOS apps are more secure and less likely to contain malware. However, our research shows that many apps in the ecosystem contain easily accessible hardcoded credentials. We followed the trail and found open databases with personal data and accessible infrastructure,” said Aras Nazarovas, a security researcher at Cybernews.

This study underscores the importance of secure coding practices and urges developers to adopt better security protocols to prevent data breaches and unauthorized access.


Read more »
Safari
Browser ChatGPT Data Breach Google Chrome Safari

How Web Browsers Have Become a Major Data Security Risk

 




For years, companies protected sensitive data by securing emails, devices, and internal networks. But work habits have changed. Now, most of the data moves through web browsers.  

Employees often copy, paste, upload, or transfer information online without realizing the risks. Web apps, personal accounts, AI tools, and browser extensions have made it harder to track where the data goes. Old security methods can no longer catch these new risks.  


How Data Slips Out Through Browsers  

Data leaks no longer happen only through obvious channels like USB drives or emails. Today, normal work tasks done inside browsers cause unintentional leaks.  

For example, a developer might paste secret codes into an AI chatbot. A salesperson could move customer details into their personal cloud account. A manager might give an online tool access to company data without knowing it.  

Because these activities happen inside approved apps, companies often miss the risks. Different platforms also store data differently, making it harder to apply the same safety rules everywhere.  

Simple actions like copying text, using extensions, or uploading files now create new ways for data to leak. Cloud services like AWS or Microsoft add another layer of confusion, as it becomes unclear where the data is stored.  

The use of multiple browsers, Chrome, Safari, Firefox — makes it even harder for security teams to keep an eye on everything.  


Personal Accounts Add to the Risk  

Switching between work and personal accounts during the same browser session is very common. People use services like Gmail, Google Drive, ChatGPT, and others without separating personal and office work.  

As a result, important company data often ends up in personal cloud drives, emails, or messaging apps without any bad intention from employees.  

Studies show that nearly 40% of web use in Google apps involves personal accounts. Blocking personal uploads is not a solution. Instead, companies need smart browser rules to separate work from personal use without affecting productivity.  


Moving Data Is the Most Dangerous Moment  

Data is most vulnerable when it is being shared or transferred — what experts call "data in motion." Even though companies try to label sensitive information, most protections work only when data is stored, not when it moves.  

Popular apps like Google Drive, Slack, and ChatGPT make sharing easy but also increase the risk of leaks. Old security systems fail because the biggest threats now come from tools employees use every day.  


Extensions and Unknown Apps — The Hidden Threat  

Browser extensions and third-party apps are another weak spot. Employees often install them without knowing how much access they give away.  

Some of these tools can record keystrokes, collect login details, or keep pulling data even after use. Since these risks often stay hidden, security teams struggle to control them.  

Today, browsers are the biggest weak spot in protecting company data. Businesses need better tools that control data flow inside the browser, keeping information safe without slowing down work.  


Read more »
Technology
AI Security Cyber Threats Cybersecurity Strategy Data Breach human risk insider risk Phishing Attacks Technology

Over Half of Organizations Lack AI Cybersecurity Strategies, Mimecast Report Reveals

 

More than 55% of organizations have yet to implement dedicated strategies to counter AI-driven cyber threats, according to new research by Mimecast. The cybersecurity firm's latest State of Human Risk report, based on insights from 1,100 IT security professionals worldwide, highlights growing concerns over AI vulnerabilities, insider threats, and cybersecurity funding shortfalls.

The study reveals that 96% of organizations report improved risk management after adopting a formal cybersecurity strategy. However, security leaders face an increasingly complex threat landscape, with AI-powered attacks and insider risks posing significant challenges.

“Despite the complexity of challenges facing organisations—including increased insider risk, larger attack surfaces from collaboration tools, and sophisticated AI attacks—organisations are still too eager to simply throw point solutions at the problem,” said Mimecast’s human risk strategist VP, Masha Sedova. “With short-staffed IT and security teams and an unrelenting threat landscape, organisations must shift to a human-centric platform approach that connects the dots between employees and technology to keep the business secure.”

The report finds that 95% of organizations are leveraging AI for threat detection, endpoint security, and insider risk analysis. However, 81% express concerns over data leaks from generative AI (GenAI) tools. More than half lack structured strategies to combat AI-driven attacks, while 46% remain uncertain about their ability to defend against AI-powered phishing and deepfake threats.

Insider threats have surged by 43%, with 66% of IT leaders anticipating an increase in data loss from internal sources in the coming year. The report estimates that insider-driven data breaches, leaks, or theft cost an average of $13.9 million per incident. Additionally, 79% of organizations believe collaboration tools have heightened security risks, amplifying both intentional and accidental data breaches.

Despite 85% of organizations raising their cybersecurity budgets, 61% cite financial constraints as a barrier to addressing emerging threats and implementing AI-driven security solutions. The report underscores the need for increased investment in cybersecurity staffing, third-party security services, email security, and collaboration tool protection.

Although 87% of organizations conduct quarterly cybersecurity training, 33% of IT leaders remain concerned about employee mismanagement of email threats, while 27% cite security fatigue as a growing risk. 95% of organizations expect email-based cyber threats to persist in 2025, as phishing attacks continue to exploit human vulnerabilities.

Collaboration tools are expanding attack surfaces, with 44% of organizations reporting a rise in cyber threats originating from these platforms. 61% believe a cyberattack involving collaboration tools could disrupt business operations in 2025, raising concerns over data integrity and compliance.

The report highlights a shift from traditional security awareness training to proactive Human Risk Management. Notably, just 8% of employees are responsible for 80% of security incidents. Organizations are increasingly turning to AI-driven monitoring and behavioral analytics to detect and mitigate threats early. 72% of security leaders see human-centric cybersecurity solutions as essential in the next five years, signaling a shift toward advanced threat detection and risk mitigation.
Read more »
Security Concerns
CyberCrime Cybersecurity Darkweb Data Breach Jaguar Land Rover Security Concerns

Major Data Breach at Jaguar Land Rover Raises Security Concerns



It has been revealed that a cybercriminal, described as "Rey" on the dark web, has publicly claimed responsibility for a substantial cyberattack that occurred against Jaguar Land Rover over a period of two months. The disclosure was made on a well-known dark web forum, in which the threat actor alleged that he had breached the company's internal systems. 

There has been a report that Jaguar Land Rover, a British automobile manufacturer that specializes in luxury and off-road vehicles, has been experiencing a data breach. This has resulted in the exposure of significant amounts of internal company data which has been kept secure. There are still unclear details regarding what kind and how much data was compromised, but cybersecurity experts are closely monitoring the situation to see what happened next. 

Despite the ongoing challenges facing large corporations concerning cybersecurity, the incident underscores the growing threat posed by threat actors operating on the dark web, which is of increasing concern. A thorough investigation into the breach is expected to provide further insight into the impact of the breach and any potential security vulnerabilities that may have been exploited. A cyber-attack, believed to have occurred in March 2025, has resulted in approximately 700 confidential Jaguar Land Rover documents becoming exposed as a result of the cyber-attack, according to reports. 

These documents include critical development logs, tracking records, and proprietary source codes that have been exposed as part of the hack. It is extremely risky for Jaguar Land Rover to have such sensitive information exposed to unauthorized parties, as it could provide competitors and malicious actors with strategic insights which could adversely affect the company's competitiveness in the automotive industry, potentially compromising the company's position in the marketplace. 

In addition to the breach affecting a large employee dataset, the breach exposed a considerable amount of personally identifiable information about the employees, including their usernames, email addresses, display names and time zones. As a result of this data leakage, serious security concerns are raised, as it increases the probability that impacted employees will be subjected to identity theft, phishing scams, and other targeted cyber threats. 

Considering how sensitive corporate and employee information is, this incident emphasizes the need for enhanced cybersecurity measures to reduce potential risks and safeguard crucial information. There is a possibility that Jaguar Land Rover will suffer significant repercussions from this cybersecurity incident, potentially compromising the company's competitiveness in the automotive industry as a result. By divulging confidential internal documents, competitors might gain valuable insight into the company's proprietary technologies, strategic initiatives and plans by reviewing these documents. 

The unauthorized access could result in JLR losing its competitive edge in a highly competitive industry where innovation and intellectual property are critical to success. This breach of security also raises serious concerns about the security of employees. The leaked dataset, which contains personal identifiers such as usernames, emails, and time zones, exposes individuals to the risk of cyberattack by revealing such information. 

Employees should exercise enhanced vigilance to protect themselves from phishing attempts, identity fraud, and other types of targeted attacks that exploit compromised credentials at this time Jaguar Land Rover has not made an official statement regarding the breach at this time. Even though there is still no clear information about the company's response strategy and remediation efforts, an internal investigation is planned to determine the extent of the attack and to identify security vulnerabilities. 

To prevent future breaches of cyber security, cybersecurity infrastructure must be strengthened as well as additional protective measures implemented. In response to the data exposure, employees affected by the breach are encouraged to take immediate precautionary measures, including updating their passwords and turning on two-factor authentication, as well as exercising caution when responding to unsolicited emails or messages. 

The automotive sector is facing increasing cybersecurity challenges due to the increasing connectivity of modern vehicles and the increasing dependency on advanced software systems. This breach highlights these challenges. Organizations need to implement proactive security strategies to secure sensitive corporate data and mitigate the risk posed by evolving cyber threats to prevent data losses.

A critical part of determining the long-term consequences of this incident is going to be the way stakeholders monitor Jaguar Land Rover's response, as well as any potential law enforcement action that may occur. Moreover, the exposure of Jaguar Land Rover's development logs and source code will present a long-term security risk that could negatively affect the integrity of the company's products and intellectual property. 

By obtaining access to such critical information, threat actors might be able to exploit system vulnerabilities in the future, which could lead to security concerns and competitive disadvantage in the future. Also, there are significant legal and reputational risks involved in the compromise of employee data, particularly regarding data privacy regulations. It has been suggested that the company might be exposed to legal scrutiny if it discloses sensitive personal information without permission and erodes stakeholder trust as a result. 

When organizations experience such an incident, they usually begin a comprehensive investigation to determine the extent to which the breach occurred and implement remediation measures based on the findings. It is often necessary for affected employees to be notified, cybersecurity protocols are strengthened, and law enforcement agencies are consulted to identify the perpetrators and prevent future attacks from occurring. The incident highlights the increasing cybercrime threats to large multinational corporations. 

Cybercriminals are continually evolving their tactics as technology advances, which requires organizations to constantly adjust their security strategies to mitigate the new threats that are emerging. Cyberattacks continue to target companies entrusted with sensitive and valuable information, often motivated by financial incentives or the desire to gain fame or recognition. There has been an increase in scrutiny regarding Jaguar Land Rover's data protection practices following the breach. 

The situation demonstrates just how difficult it can be for businesses to safeguard the information they have about their employees and their companies against persistent cyber threats. In the meantime, industry experts and cybersecurity experts will continue to watch for further developments closely until an official statement is issued. The event also raises concerns relating to the effectiveness of existing cybersecurity frameworks and the necessity for continuous investments in advanced cybersecurity measures.

To enhance corporate resilience against cyberattacks, companies need to raise employee awareness, implement cutting-edge security technologies, and adopt a proactive strategy to combat threats. As the situation unfolds, attention will be directed toward Jaguar Land Rover’s response strategy and the steps taken to address any vulnerabilities that may have contributed to this security breach.
Read more »
Stolen Data
Cyberattack Cybersecurity Data Breach health data medical records Personal Information Ransomware Social Security Stolen Data

Sunflower and CCA Suffer Data Breaches, Exposing Hundreds of Thousands of Records

 

Sunflower recently disclosed a cyberattack on its systems, revealing that hackers gained access on December 15 but remained undetected until January 7. 

During this time, sensitive personal and medical data — including names, addresses, dates of birth, Social Security numbers, driver’s license details, medical records, and health insurance information—were compromised. According to its filing with the Maine Attorney General’s Office, the breach impacted 220,968 individuals.

Meanwhile, CCA experienced a similar data breach in July last year. The organization reported that cybercriminals stole extensive patient information, including names, addresses, dates of birth, driver's license numbers, Social Security numbers, diagnoses, lab results, prescriptions, patient ID numbers, and provider details. The breach affected 114,945 individuals, as per its filing with Maine’s Attorney General’s Office.

The Rhysida ransomware group has claimed possession of 7.6TB of Sunflower’s data, including a 3TB SQL database, according to The Register. With the data still listed online, it suggests that either negotiations are ongoing or have collapsed. However, as of now, there is no confirmed evidence of the stolen data being misused on the dark web.

Following these incidents, both organizations have taken steps to strengthen cybersecurity measures to prevent future breaches.
Read more »
Jaguar Land Rover
Automobile Firm Data Breach Document Leak Employee Risk Jaguar Land Rover

Automobile Giant Jaguar Land Rover Allegedly Suffers Major Data Breach

 

Jaguar Land Rover (JLR), the well-known luxury car company, is reported to be the latest victim of a cybersecurity breach. A threat actor known as "Rey" has publicly disclosed critical company records and personnel data on the infamous hacking forum BreachForums. 

According to the reports, approximately 700 internal Jaguar Land Rover documents were made public as a result of the data breach, which is believed to have taken place around March 2025. Critical development logs, tracking information, and proprietary source codes are among the leaked documents. 

Such materials are highly sensitive and could jeopardise the company's competitive advantage by supplying rivals or malicious actors with information about JLR's operational and strategic plans. 

In addition to internal company records, a large personnel dataset has been compromised. This dataset contains private data such as usernames, email addresses, display names, and time zone data. The disclosure of personal information puts impacted employees at risk of identity theft, phishing schemes, and other targeted cyberattacks.

An anonymous threat actor known as "Rey" exposed the vulnerability on BreachForums. Rey made the hacked data available for download to cybercriminals and possible competitors, compounding the potential harm to JLR and its employees, security researchers stated. 

For Jaguar Land Rover, this security issue may have far-reaching effects. Competitors may learn about the company's future plans, proprietary technologies, and strategic operations if confidential internal documents are made public. In the fiercely competitive automotive sector, this can result in a major competitive disadvantage. 

The personnel dataset that was exposed also presents serious risks to organisational and individual security. Employees whose data was compromised need to be on the lookout for signs of fraud and targeted phishing attacks, among other cyberthreats. 

Mitigation tips 

Jaguar Land Rover has not yet commented on the data breach. It remains to be seen how the company will handle this issue and what steps it will take to minimise the damage. An internal investigation is anticipated to be initiated to investigate the scope of the breach and any flaws in the organization's security systems. 

The organisation should perform a thorough internal investigation to discover vulnerabilities and upgrade its cybersecurity infrastructure. Affected personnel should change their passwords, enable two-factor authentication, and be wary of unsolicited communications, especially suspicious emails or messages.
Read more »
Ransom
Cyber Attacks Data Breach Data Extortion FBI Ransom

FBI Warns Business Executives About Fake Extortion Scam

 



The Federal Bureau of Investigation (FBI) has warned corporate executives about a new scam designed to trick them into paying large sums of money. Criminals are sending threatening letters claiming to have stolen sensitive company data and demanding a ransom. They are falsely using the name of a well-known hacker group to appear more convincing. However, the FBI has found no actual link between the scammers and the group they claim to represent.  


How the Scam Operates  

According to an FBI alert issued on March 6, 2025, the scammers are mailing letters to company executives marked as urgent. These letters state that hackers have broken into their company's systems and taken confidential data. The scammers then demand a payment of anywhere between 250,000 and 500,000 dollars to prevent the data from being exposed online.  

To pressure victims into paying, the letter includes a QR code that directs them to a Bitcoin wallet for the ransom payment. The message also warns that the criminals will not negotiate, adding to the urgency.  

The letter claims to be from a group known for past cyberattacks, but investigators have found no evidence that the real organization is behind these threats. Instead, scammers are using the group's name to make their claims seem more credible and to scare victims into complying.  


Why Executives Are Being Targeted  

Top business leaders often have access to critical company information, making them valuable targets for cybercriminals. Attackers believe that these individuals will feel pressured to act quickly when they receive threats about stolen data. By creating a sense of urgency, the scammers hope their victims will pay the ransom without questioning its legitimacy.  

The FBI has stressed that companies should not assume the threats are real just because they mention a well-known hacking group. Instead, businesses should focus on improving their cybersecurity defenses and educating employees about potential scams.  


How to Protect Against This Scam  

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have shared several important steps businesses can take to safeguard themselves against such scams:  

1. Inform and Educate – Business executives and employees should be aware of this type of scam so they can identify suspicious threats and avoid panic.  

2. Strengthen Security Systems – Companies should ensure that their firewalls, antivirus software, and security protocols are up to date and functioning effectively.  

3. Establish a Response Plan – Organizations should have a clear strategy in place for handling extortion threats. They should not respond or pay the ransom but instead follow proper security procedures.  

4. Report Suspicious Activity – If a business receives one of these extortion letters, it should immediately inform the FBI or report the incident through the Internet Crime Complaint Center (IC3). Reporting such cases helps authorities track cybercriminals and take action against them.  


Why Awareness is Crucial  

This scam highlights the growing trend of cybercriminals using fear to manipulate victims into handing over large amounts of money. While there is no confirmation that the real hacker group mentioned in the letter is involved, this situation serves as a reminder for businesses to stay cautious.  

The best way to prevent falling victim to such scams is through strong security measures, employee awareness, and prompt reporting of suspicious activity. The FBI is closely monitoring the situation and urges companies to take cybersecurity seriously to avoid financial and reputational damage.

Read more »
NTT
CyberCrime Cyberhacekrs Cybersecurity CyberThreat Data Breach Docomo NTT

NTT Data Breach Puts Thousands of Businesses at Risk

 


An NTT Communications (NTT Com) employee in Tokyo has confirmed that in February, unauthorized access to sensitive data belonging to approximately 18,000 corporate customers was caused by a cyberattack. There is no definitive estimate of how extensive the breach is, as well as the impact it will have on individual users. In this case, NTT Com's cybersecurity team detected unauthorized access to an internal system that handles service orders on February 5, which led to the detection of the security incident. 

A company investigation revealed that malicious actors infiltrated its infrastructure and compromised confidential business data by successfully infiltrating it, resulting in an internal investigation of the matter. In addition to the fact that NTT Com is one of the largest providers of network and telecommunication solutions in the world, the company has expressed concern regarding possible ramifications of the breach. To prevent further risks from occurring, the company has assured stakeholders that they are actively assessing the scope of the incident and implementing appropriate security measures. 

There has been a data breach reported by NTT Communications Corporation (NTT Com), a leading Japanese provider of information and communication technology (ICT) services, affecting approximately 18,000 corporations. As a consequence of an unknown threat actor gaining unauthorized access to the company's internal systems on February 5, 2025, which contained critical information related to services provided to customers, the incident was first identified on February 5, 2025. 

It was NTT Com's responsibility to restrict access to the compromised system as soon as suspicious communication activity was detected to minimize potential risks associated with the compromised system. However, further investigation on February 15, 2025, revealed that another system had also been compromised, causing the company to implement immediate measures to contain the problem. There was an intruder that succeeded in stealing sensitive data from 17,891 corporate clients, including contract numbers, company names, contact details of individual contact persons, phone numbers, e-mail addresses, physical addresses, and data about the use of service. 

In response to this breach, NTT Com has been in touch with all affected customers directly to inform them of the breach and to provide any necessary guidance they may require. Furthermore, the company has reinvented its cybersecurity framework to prevent future security incidents and actively works to maintain industry standards in the protection of customer data to mitigate the risks arising from this recent hack and cybersecurity incident. 

"NTT Com remains committed to safeguarding client data and is actively working to enhance its security protocols.". There has been an attempted breach of the Order Information Distribution System by threat actors, a platform containing details about 17,891 corporate clients of NTT Communications Corporation (NTT Com). However, the NTT Com breach did not impact consumers' data as individuals. This incident compromised the information about corporate customers (registered contract names), representatives' names, contract numbers, phone numbers, email addresses, physical addresses, and details regarding their service usage. 

However, NTT Docomo has not been affected by this incident as far as their contracts with corporations that have used mobile phones and smartphones provided directly by the company were concerned. As soon as the company discovered the breach on February 5, 2025, it immediately restricted the attackers' access the following day to stop them from gaining access. However, further investigations on February 15, 2025, revealed that the threat actors had switched to another device within NTT's network. 

Immediately after disconnecting the device, the company made sure there would be no further lateral movement, and the company has assured that the breach has been secured. This incident has resulted in NTT Com deciding that it would not be necessary to send personalized notifications to all affected customers. As a result, a public announcement on NTT Com's official website will be the only communication regarding the incident. To ensure the integrity of the data of the company's corporate clients, we remain committed to maintaining our cybersecurity measures. 

The NTT Communications Corporation (NTT Com) has not yet made any disclosures regarding how many individuals in the affected organizations might have had their personal information compromised during the recent data breach, nor has it provided any specifics regarding who the corporate clients whose data was stolen are, nor has the company disclosed the identities of the companies that the data breach has impacted.

Several NTT Com clients are served by the company across 70 countries, making the potential impact of this incident very significant, according to its official website. TechCrunch did not receive immediate responses from NTT Com when it contacted TechCrunch outside of its normal working hours, but according to the official statement issued by the company, NTT Com reaffirmed that it immediately limited access to the initially compromised system once it was discovered that it had been compromised. However, despite these containment measures, an internal investigation revealed that, on February 15, 2025, hackers had infiltrated another device within the company's network, which was quickly disconnected to stop further unauthorized access from occurring.

At this point, there has been no identification of the perpetrators behind the cyberattack and no information has been provided regarding the specific methods used during the attack. The NTT Com investigation continues, and as it works to safeguard clients' data and prevent future security threats, NTT Com is also focused on strengthening its cybersecurity framework to prevent future security threats and safeguard client data. 

Even though NTT Communications Corporation (NTT Com) is one of the largest telecommunications companies in Japan, cybercriminals are often targeting it in the hopes of disrupting its operations or stealing sensitive data from it as a result of these attacks. In January 2025, NTT Com experienced a 12-hour service outage that affected its mobile services and payments platforms, despite its extensive infrastructure and huge customer base, which made it an attractive target for malicious actors. The outage was later attributed to a large-scale DDoS attack which caused the outage. 

There has been an extensive disruption to operations in response to this disruption, which highlights the increasing threat that cyberattacks pose to critical telecommunications infrastructure. NTT Com has also suffered previously from data breaches. In May 2020, threat actors successfully penetrated the internal network of the company, stealing sensitive customer information. Due to these recurring security incidents, it is evident that major telecom operators are facing persistent cyber threats. This reinforces the importance of continuous advancements in cybersecurity measures for safeguarding critical systems and customer data. 

As cyber threats become more sophisticated and persistent, major telecommunications providers are facing increasing risks as a result of these breaches. As a result of this incident, people are reminded that even though the majority of businesses have robust security infrastructures, they remain vulnerable to determined adversaries. Digital transformation is rapidly accelerating and businesses increasingly rely on cloud-based and networked solutions, making strengthening cybersecurity defenses even more important than ever. 

To minimize potential risks, organizations should adopt proactive security strategies that include continuous monitoring, threat intelligence integration, and advanced incident response mechanisms. As part of the mitigation process, organizations should ensure that while NTT Com has assured that the breach has been contained and security enhancements are in progress, this event emphasizes the importance of reassessing the resilience of companies to cyber threats. It remains the question, what is the state of preparedness of similar global enterprises in the event of similar attacks and how they can deal with them? 

Keeping abreast of the advances in cybercrime at an unprecedented pace, every company's security agenda must place increasing importance on the advancement of digital defenses to prevent this epidemic from spreading. As the investigation into the incident continues, the telecom giant's response will likely play an important role in shaping the future policies around cybersecurity across the industry. NTT Com's breach should not be viewed simply as a lesson for the company; rather, it should be viewed as a wake-up call for all companies entrusted with sensitive data in the future.
Read more »
User Security
Data Breach Data Leak Ransomware attack Retirement Service Firm United States User Security

Ransomware Attack on Retirement Services Firm Exposes Thousands of US School Data

 

A ransomware assault targeting retirement service firm Carruth Compliance Consulting has resulted in a data breach affecting dozens of school districts and thousands of individuals in the US. Carruth Compliance Consulting (CCC) administers retirement savings accounts for public schools and non-profit organisations.

Carruth announced on its website on January 13, 2025, that it had detected suspicious activity on its computer systems on December 21, 2024. An investigation revealed that hackers gained access to company networks between December 19 and December 26, and stole some files. 

The company claims that private information such as name, Social Security number, financial account information, and, in specific circumstances, driver's license numbers, medical billing information, W-2 information, and tax filings were among the hacked files. Free identity restoration and credit monitoring services are being provided to affected consumers. 

A relatively new ransomware organisation called Skira claimed responsibility for the Carruth attack this week, claiming to have taken about 469 gigabytes of data, including databases, source code, and the data the company had included in their customer notification. Only four additional victims are listed on Skira's Tor-based leak website as of this writing; the first victim was revealed in December 2024. 

While Carruth has not disclosed the number of impacted organisations and individuals, dozens of school districts and institutions across multiple states have confirmed in recent weeks that they have been affected by the cybersecurity issue. School districts notified state attorneys general that Carruth was unable to identify affected individuals, and each educational institution is seeking to identify current and former employees whose personal information was provided with the retirement services provider. 

To date, nine school districts in Maine have reported identifying more than 20,000 individuals affected by a data breach, as mandated by the attorney general. The Carruth data breach comes just weeks after it was revealed that hackers may have stolen the personal information of millions of students and instructors in the United States and Canada after a cyberattack on education software and services company PowerSchool.
Read more »
third-party risk
business disruption Cyber Attacks Cyber Insurance Cybersecurity Data Breach Ransomware third-party risk

Cyberattacks on Key Vendors Trigger Widespread Disruptions Across Industries

Cybercriminals are increasingly targeting a single point of failure within companies to create large-scale disruption, according to a recent report by Resilience. The analysis highlights how such attacks can have a ripple effect across entire industries.

In 2024, the global average cost of a data breach was estimated at nearly $4.9 million, based on IBM research. However, certain incidents proved to be significantly more damaging.

One of the most costly breaches occurred when UnitedHealth reported a staggering $3.1 billion expenditure in response to a cyberattack on its Change Healthcare subsidiary. This division processes billions of medical claims annually, and the ransomware attack led to prolonged disruptions in the healthcare sector.

“It was the most significant and consequential cyberattack in the history of U.S. health care,” said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, in a blog post.

Another major incident targeted CDK Global, a software provider for car dealerships across the U.S. The ransomware attack caused financial damages exceeding $1 billion collectively, as estimated by Anderson Economic Group.

The cyberattacks on Change Healthcare and CDK Global exemplify how disruptions in interconnected organizations can have widespread industry consequences, Resilience noted in its report.

According to Resilience’s analysis, third-party risks have become a leading factor in cyber insurance claims, representing 31% of claims filed by its clients in 2024. While a slightly higher percentage (37%) of third-party claims was recorded in 2023, none resulted in material financial losses.

The study also revealed that ransomware attacks targeting vendors have become a “new and significant” contributor to insurance claims, accounting for 18% of such cases.

Although ransomware remained the primary cause of cyber losses in 2024—responsible for 62% of claims—its overall occurrence may be declining. Resilience attributes this trend to cybercriminals shifting focus toward larger, high-profile organizations that offer bigger financial payouts, moving away from the traditional “spray and prey” strategy.
Read more »
Threat Intelligence
APT37 Cyberattack Cybersecurity Data Breach Hacking North Korea phishing RokRat Threat Intelligence

North Korean Hackers Exploit ZIP Files in Sophisticated Cyber Attacks

 

State-sponsored hacking group APT37 (ScarCruft) is deploying advanced cyber-espionage tactics to infiltrate systems using malicious ZIP files containing LNK shortcuts. These files are typically disguised as documents related to North Korean affairs or trade agreements and are spread through phishing emails.

Once opened, the attack unfolds in multiple stages, leveraging PowerShell scripts and batch files to install the RokRat remote access Trojan (RAT) as the final payload.

The infection starts with carefully crafted phishing emails, often using real information from legitimate websites to enhance credibility. These emails contain malicious ZIP attachments housing LNK files. When executed, the LNK file verifies its directory path, relocating itself to %temp% if necessary.

It then extracts multiple components, including:

-A decoy HWPX document
-A batch script (shark.bat)

Additional payloads like caption.dat and elephant.dat
The shark.bat script executes PowerShell commands discreetly, launching the elephant.dat script, which decrypts caption.dat using an XOR key. The decrypted content is then executed in memory, ultimately deploying RokRat RAT.

Once active, RokRat collects detailed system information, such as:
  • Operating system version
  • Computer name
  • Logged-in user details
  • Running processes
  • Screenshots of the infected system
The stolen data is then exfiltrated to command-and-control (C2) servers via legitimate cloud services like pCloud, Yandex, and Dropbox, utilizing their APIs to send, download, and delete files while embedding OAuth tokens for stealthy communication.

RokRat also allows attackers to execute remote commands, conduct system reconnaissance, and terminate processes. To avoid detection, it implements anti-analysis techniques, including:
  • Detecting virtual environments via VMware Tools
  • Sandbox detection by creating and deleting temporary files
  • Debugger detection using IsDebuggerPresent
The malware ensures secure communication by encrypting data using XOR and RSA encryption, while C2 commands are received in AES-CBC encrypted form, decrypted locally, and executed on the compromised system. These commands facilitate data collection, file deletion, and malware termination.

By leveraging legitimate cloud services, RokRat seamlessly blends into normal network traffic, making detection more challenging.

“This sophisticated approach highlights the evolving tactics of APT37, as they continue to adapt and expand their operations beyond traditional targets, now focusing on both Windows and Android platforms through phishing campaigns.”

As APT37 refines its cyberattack strategies, organizations must remain vigilant against such persistent threats and enhance their cybersecurity defenses.
Read more »
Subscribe to: Posts (Atom)