Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Hacker attack. Show all posts
Phishing Scams
Credit Union Customer Data Customer Data Exposed Cyber Attacks cybercriminals Data Leak data security Hacker attack Personal Data Phishing Scams

Blackpool Credit Union Cyberattack Exposes Customer Data in Cork

 

A Cork-based credit union has issued a warning to its customers after a recent cyberattack exposed sensitive personal information. Blackpool Credit Union confirmed that the breach occurred late last month and subsequently notified members through a formal letter. Investigators determined that hackers may have gained access to personal records, including names, contact information, residential addresses, dates of birth, and account details. While there is no evidence that any funds were stolen or PIN numbers compromised, concerns remain that the stolen data could be misused. 

The investigation raised the possibility that cybercriminals may publish the stolen records on underground marketplaces such as the dark web. This type of exposure increases the risk of identity theft or secondary scams, particularly phishing attacks in which fraudsters impersonate trusted organizations to steal additional details from unsuspecting victims. Customers were urged to remain vigilant and to treat any unsolicited communication requesting personal or financial information with caution. 

The Central Bank of Ireland has been briefed on the situation and is monitoring developments. It has advised any members with concerns to reach out directly to Blackpool Credit Union through its official phone line. Meanwhile, a spokesperson for the credit union assured the public that services remain operational and that members can continue to access assistance in person, by phone, or through email. The organization emphasized that safeguarding customer data remains a priority and expressed regret over the incident. Impacted individuals will be contacted directly for follow-up support. 

The Irish League of Credit Unions reinforced the importance of caution, noting that legitimate credit unions will never ask members to verify accounts through text messages or unsolicited communications. Fraudsters often exploit publicly available details to appear convincing, setting up sophisticated websites and emails to lure individuals into disclosing confidential information. Customers were reminded to independently verify the authenticity of any suspicious outreach and to rely on official registers when dealing with financial services.  

Experts warn that people who have already fallen victim to scams are more likely to be targeted again. Attackers often pressure individuals into making hasty decisions, using the sense of urgency to trick them into disclosing sensitive information or transferring money. Customers were encouraged to take their time before responding to unexpected requests and to trust their instincts if something feels unusual or out of place.

The Central Bank reiterated its awareness of the breach and confirmed that it is in direct communication with Blackpool Credit Union regarding the response measures. Members seeking clarification were again directed to the credit union’s official helpline for assistance.
Read more »
protecting sensitive data
Chinese Hackers Cyber Attacks cyber espionage cybercriminal group Cyberthreatm Salt Typhoon Hacks data security Data Theft DHS Hacker attack Hacker group protecting sensitive data

Chinese Hacker Group Salt Typhoon Breaches U.S. National Guard Network for Nine Months

 

An elite Chinese cyber-espionage group known as Salt Typhoon infiltrated a U.S. state’s Army National Guard network for nearly nine months, according to a classified Pentagon report revealed in a June Department of Homeland Security (DHS) memo. The memo, obtained by the nonprofit Property of the People through a freedom of information request, indicates the hackers had deep access between March and December 2024, raising alarms about compromised military or law enforcement data. 

Salt Typhoon has previously been linked to some of the most expansive cyber-intrusions into American infrastructure. This latest revelation suggests their reach was even broader than earlier believed. Authorities are still investigating the full extent of data accessed, including sensitive internal documents, personal information of service members, and network architecture diagrams. The affected state’s identity remains undisclosed. 

The Department of Defense declined to comment on the matter, while a spokesperson from the National Guard Bureau confirmed the breach but assured that the incident did not hinder any ongoing state or federal missions. Investigations are ongoing to determine the scope and potential long-term impact of the breach. 

China’s embassy in Washington did not directly deny the allegations but claimed the U.S. had not provided concrete evidence linking Salt Typhoon to the Chinese government. They reiterated that cyberattacks are a global threat and that China also faces similar risks. 

Salt Typhoon is particularly notorious for its ability to infiltrate and pivot across different networks. In a prior campaign, the group was linked to breaches at major telecom companies, including AT&T and Verizon, where hackers allegedly monitored text messages and calls tied to U.S. political figures, including both Trump and Harris campaigns and Senate Majority Leader Chuck Schumer’s office.

The hybrid structure of the National Guard — functioning under both federal and state authority — may have provided a wider attack surface. According to the DHS memo, the group may have obtained intelligence that could be used to compromise other states’ National Guard units and their local cybersecurity partners. Fourteen state National Guard units reportedly share intelligence with local fusion centers, potentially magnifying the risk. 

In January 2025, the U.S. Treasury Department sanctioned a company in Sichuan believed to be facilitating Salt Typhoon operations for China’s Ministry of State Security. Past incidents have shown that Salt Typhoon can maintain access for years, making complete removal and defense particularly challenging.
Read more »
Ransomwares
Cyber Attacks Data Leak data security Data Theft DragonForce DragonForce Ransomware Group Hacker attack Hacking Group Ransomware attack Ransomware group Ransomwares

Belk Hit by Ransomware Attack as DragonForce Claims Responsibility for Data Breach

 

The department store chain Belk recently became the target of a ransomware attack, with the hacking group DragonForce taking responsibility for the breach. The cybercriminals claim to have stolen 156 GB of sensitive data from the company’s systems in early May. 

JP Castellanos, Director of Threat Intelligence at cybersecurity firm Binary Defense, stated with high confidence that DragonForce is indeed behind the incident. The company, based in Ohio, specializes in threat detection and digital forensics. During an investigation of dark web forums on behalf of The Charlotte Observer, Castellanos found that DragonForce had shared samples of the stolen data online. 

In a message directed at Belk, the group stated that its original aim wasn’t to damage the company but to push it into acknowledging its cybersecurity failures. DragonForce claims Belk declined to meet ransom demands, which ultimately led to the data being leaked, affecting numerous individuals. 

Following the breach, Belk has been named in multiple lawsuits. The complaints allege that the company not only failed to protect sensitive personal information but also delayed disclosing the breach to the public. Information accessed by the attackers included names, Social Security numbers, and internal documentation related to employees and their families. 

The cyberattack reportedly caused a complete systems shutdown across Belk locations between May 7 and May 11. According to a formal notice submitted to North Carolina’s Attorney General, the breach was discovered on May 8 and disclosed on June 4. The total number of affected individuals was 586, including 133 residents of North Carolina. 

The stolen files contained private details such as account numbers, driver’s license data, passport information, and medical records. Belk responded by initiating a full-scale investigation, collaborating with law enforcement, and enhancing their digital security defenses. On June 5, Belk began notifying those impacted by the attack, offering one year of free identity protection services. These services include credit and dark web monitoring, as well as identity restoration and insurance coverage worth up to $1 million. 

Despite these actions, Belk has yet to issue a public statement or respond to ongoing media inquiries. DragonForce, identified by experts as a hacktivist collective, typically exploits system vulnerabilities to lock down company networks, then demands cryptocurrency payments. If the demands go unmet, the stolen data is often leaked or sold. 

In Belk’s case, the group did not list a price for the compromised data. Castellanos advised anyone who has shopped at Belk to enroll in credit monitoring as a precaution. Belk, which was acquired by Sycamore Partners in 2015, has been working through financial challenges in recent years, including a short-lived bankruptcy filing in 2021. 

The retailer, now operating nearly 300 stores across 16 southeastern U.S. states, continues to rebuild its financial footing amid cybersecurity and operational pressures.
Read more »
Malwares
CVE CVE exploits CVE vulnerability CVEs Cyber Attacks Cyber Threat Intelligence Google GSMA GTIG Hacker attack Malware Attack Malwares

Hackers Exploit End-of-Life SonicWall Devices Using Overstep Malware and Possible Zero-Day

 

Cybersecurity experts from Google’s Threat Intelligence Group (GTIG) have uncovered a series of attacks targeting outdated SonicWall Secure Mobile Access (SMA) devices, which are widely used to manage secure remote access in enterprise environments. 

These appliances, although no longer supported with updates, remain in operation at many organizations, making them attractive to cybercriminals. The hacking group behind these intrusions has been named UNC6148 by Google. Despite being end-of-life, the devices still sit on the edge of sensitive networks, and their continued use has led to increased risk exposure. 

GTIG is urging all organizations that rely on these SMA appliances to examine them for signs of compromise. They recommend that firms collect complete disk images for forensic analysis, as the attackers are believed to be using rootkit-level tools to hide their tracks, potentially tampering with system logs. Assistance from SonicWall may be necessary for acquiring these disk images from physical devices. There is currently limited clarity around the technical specifics of these breaches. 

The attackers are leveraging leaked administrator credentials to gain access, though it remains unknown how those credentials were originally obtained. It’s also unclear what software vulnerabilities are being exploited to establish deeper control. One major obstacle to understanding the attacks is a custom backdoor malware called Overstep, which is capable of selectively deleting system logs to obscure its presence and activity. 

Security researchers believe the attackers might be using a zero-day vulnerability, or possibly exploiting known flaws like CVE-2021-20038 (a memory corruption bug enabling remote code execution), CVE-2024-38475 (a path traversal issue in Apache that exposes sensitive database files), or CVE-2021-20035 and CVE-2021-20039 (authenticated RCE vulnerabilities previously seen in the wild). There’s also mention of CVE-2025-32819, which could allow credential reset attacks through file deletion. 

GTIG, along with Mandiant and SonicWall’s internal response team, has not confirmed exactly how the attackers managed to deploy a reverse shell—something that should not be technically possible under normal device configurations. This shell provides a web-based interface that facilitates the installation of Overstep and potentially gives attackers full control over the compromised appliance. 

The motivations behind these breaches are still unclear. Since Overstep deletes key logs, detecting an infection is particularly difficult. However, Google has shared indicators of compromise to help organizations determine if they have been affected. Security teams are strongly advised to investigate the presence of these indicators and consider retiring unsupported hardware from critical infrastructure as part of a proactive defense strategy.
Read more »
Malware Attack
AI Models AI Prompt AI prompt injection attack Cyber Security cybercriminals DNS DNS attacks DNS Hacking DOH DoT Hacker attack Malware Attack

Hackers Use DNS Records to Hide Malware and AI Prompt Injections

 

Cybercriminals are increasingly leveraging an unexpected and largely unmonitored part of the internet’s infrastructure—the Domain Name System (DNS)—to hide malicious code and exploit security weaknesses. Security researchers at DomainTools have uncovered a campaign in which attackers embedded malware directly into DNS records, a method that helps them avoid traditional detection systems. 

DNS records are typically used to translate website names into IP addresses, allowing users to access websites without memorizing numerical codes. However, they can also include TXT records, which are designed to hold arbitrary text. These records are often used for legitimate purposes, such as domain verification for services like Google Workspace. Unfortunately, they can also be misused to store and distribute malicious scripts. 

In a recent case, attackers converted a binary file of the Joke Screenmate malware into hexadecimal code and split it into hundreds of fragments. These fragments were stored across multiple subdomains of a single domain, with each piece placed inside a TXT record. Once an attacker gains access to a system, they can quietly retrieve these fragments through DNS queries, reconstruct the binary code, and deploy the malware. Since DNS traffic often escapes close scrutiny—especially when encrypted via DNS over HTTPS (DOH) or DNS over TLS (DOT)—this method is particularly stealthy. 

Ian Campbell, a senior security engineer at DomainTools, noted that even companies with their own internal DNS resolvers often struggle to distinguish between normal and suspicious DNS requests. The rise of encrypted DNS traffic only makes it harder to detect such activity, as the actual content of DNS queries remains hidden from most monitoring tools. This isn’t a new tactic. Security researchers have observed similar methods in the past, including the use of DNS records to host PowerShell scripts. 

However, the specific use of hexadecimal-encoded binaries in TXT records, as described in DomainTools’ latest findings, adds a new layer of sophistication. Beyond malware, the research also revealed that TXT records are being used to launch prompt injection attacks against AI chatbots. These injections involve embedding deceptive or malicious prompts into files or documents processed by AI models. 

In one instance, TXT records were found to contain commands instructing a chatbot to delete its training data, return nonsensical information, or ignore future instructions entirely. This discovery highlights how the DNS system—an essential but often overlooked component of the internet—can be weaponized in creative and potentially damaging ways. 

As encryption becomes more widespread, organizations need to enhance their DNS monitoring capabilities and adopt more robust defensive strategies to close this blind spot before it’s further exploited.
Read more »
Scattered Spider ransomware
airline industry Cyber Attacks cyberattacks on airline FBI Hacker attack Hawaii MFA Palo Alto Networks Scattered Spider Scattered Spider ransomware

Scattered Spider Hackers Target Airline Industry Amid FBI and Cybersecurity Warnings

 

The FBI has issued a new warning about the cybercriminal group known as Scattered Spider, which is now actively targeting the airline industry. Recent cyber incidents at Hawaiian Airlines and Canadian carrier WestJet underscore the growing threat. 

According to the FBI’s advisory released late last week, Scattered Spider is known for using advanced social engineering tactics, often posing as employees or contractors. Their goal is to manipulate IT help desk teams into granting unauthorized access—frequently by requesting the addition of rogue multi-factor authentication (MFA) devices to compromised accounts.  

The group’s typical targets include large enterprises and their third-party service providers. “That puts the entire aviation supply chain at risk,” the FBI noted. Once they gain entry, the hackers typically exfiltrate sensitive information for extortion purposes and sometimes deploy ransomware as part of their attacks. The agency confirmed that it is working closely with industry partners to contain the threat and support affected organizations.  

Hawaiian Airlines reported late last week that it had detected suspicious activity in some of its IT systems. While full flight operations were not disrupted, the airline stated it was taking protective steps. “We’ve engaged with authorities and cybersecurity experts to investigate and remediate the incident,” the company said in a statement, adding that it’s focused on restoring systems and will share further updates as the situation evolves. 

Earlier in June, WestJet disclosed that it had experienced a cybersecurity event, which led to restricted access for certain users. The airline has brought in third-party experts and digital forensic analysts to investigate the breach. 

Although the culprits haven’t been officially named, recent analysis from security firm Halcyon indicates that Scattered Spider has broadened its scope, now targeting not only aviation but also sectors like food production and manufacturing. 

“These attacks are fast-moving and devastating,” Halcyon warned. “They can cripple an entire organization in just a few hours, with impacts on everything from operations to consumer trust.”

Other experts echoed these concerns. Palo Alto Networks’ Unit 42 recently advised aviation companies to be extra cautious, particularly regarding suspicious MFA reset requests and socially engineered phishing attempts.  

Darren Williams, founder and CEO of cybersecurity company BlackFog, emphasized the high value of the airline sector for cybercriminals. “Airlines manage immense volumes of sensitive customer data, making them an extremely attractive target,” he said. “With international travel surging, attackers are exploiting this pressure point.” 

Williams added that the disruptions caused by such attacks can ripple across the globe, affecting travelers, business continuity, and public confidence. “These incidents show that airlines need to invest more heavily in cybersecurity infrastructure that can protect passenger data and maintain operational integrity.”
Read more »
North Korea cyberattacks
Crypto cryptocurrency cryptocurrency hacks cryptocurrency scam cryptocurrency theft cryptocurrency wallet Cyber Attacks Hacker attack North Korea North Korea cyberattacks

North Korea-Linked Hackers Behind $2.1 Billion in Crypto Theft in Early 2025

 

A new report from blockchain analytics firm TRM Labs reveals that hackers stole an unprecedented $2.1 billion in cryptocurrency during the first half of 2025—marking the highest amount ever recorded for a six-month period. A staggering 70% of the total, or around $1.6 billion, has been attributed to cybercriminal groups sponsored by North Korea. 

According to TRM Labs’ “H1 2025 Crypto Hacks and Exploits” report, this figure surpasses the previous record set in 2022 by 10%, pointing to an escalating trend in high-stakes cybercrime. The report also emphasizes how North Korea has solidified its role as the leading state-backed threat actor in the cryptocurrency ecosystem.  

“These thefts are not just criminal—they’re tools of statecraft,” the report states, highlighting how stolen crypto plays a strategic role in funding the sanctioned regime’s national objectives, including its controversial weapons program. 

Much of this year’s unprecedented losses stem from a single massive incident: the $1.5 billion hack targeting Ethereum and related assets held by the crypto exchange Bybit in February. This attack is being considered the largest theft in the history of the cryptocurrency sector.  

Safe, a provider of multi-signature wallet solutions, traced the breach back to a compromised laptop belonging to one of its senior developers. The device was reportedly infected on February 4 after interacting with a malicious Docker project. The infiltration ultimately allowed attackers to gain unauthorized access to private keys.  

Both U.S. law enforcement and TRM Labs have linked the Bybit attack to North Korean hackers, aligning with prior assessments that the regime increasingly relies on crypto theft as a state-funded operation. 

This event drastically skewed the average size of crypto heists for 2025 and emphasized the changing nature of these attacks—from purely profit-driven motives to broader geopolitical strategies. 

TRM Labs noted that 80% of all crypto losses in 2025 were due to infrastructure breaches, with attackers exploiting vulnerabilities in systems that store private keys and seed phrases—essential components in controlling digital wallets. 

Analysts warn that such incidents signal a shift in the threat landscape. “Crypto hacking is becoming less about financial gain and more about political symbolism or strategic advantage,” TRM concluded. 

As the year continues, security experts urge crypto platforms and users to enhance infrastructure protection, especially against sophisticated, nation-backed threats that blur the line between cybercrime and cyberwarfare.
Read more »
NSA
Bank Security Banking Security CISA Cyber Security cybersecurity concerns Financial Institutions Hacker attack Iran hackers Iran-based hacker group Iranian cyber attack NSA

Iranian Hackers Threaten More Trump Email Leaks Amid Rising U.S. Cyber Tensions

 

Iran-linked hackers have renewed threats against the U.S., claiming they plan to release more emails allegedly stolen from former President Donald Trump’s associates. The announcement follows earlier leaks during the 2024 presidential race, when a batch of messages was distributed to the media. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded by calling the incident “digital propaganda,” warning it was a calculated attempt to discredit public officials and mislead the public. CISA added that those responsible would be held accountable, describing the operation as part of a broader campaign by hostile foreign actors to sow division. 

Speaking virtually with Reuters, a hacker using the alias “Robert” claimed the group accessed roughly 100 GB of emails from individuals including Trump adviser Roger Stone, legal counsel Lindsey Halligan, White House chief of staff Susie Wiles, and Trump critic Stormy Daniels. Though the hackers hinted at selling the material, they provided no specifics or content. 

The initial leaks reportedly involved internal discussions, legal matters, and possible financial dealings involving RFK Jr.’s legal team. Some information was verified, but had little influence on the election, which Trump ultimately won. U.S. authorities later linked the operation to Iran’s Revolutionary Guard, though the hackers declined to confirm this. 

Soon after Trump ordered airstrikes on Iranian nuclear sites, Iranian-aligned hackers began launching cyberattacks. Truth Social, Trump’s platform, was briefly knocked offline by a distributed denial-of-service (DDoS) attack claimed by a group known as “313 Team.” Security experts confirmed the group’s ties to Iranian and pro-Palestinian cyber networks. 

The outage occurred shortly after Trump posted about the strikes. Users encountered error messages, and monitoring organizations warned that “313 Team” operates within a wider ecosystem of groups supporting anti-U.S. cyber activity. 

The Department of Homeland Security (DHS) issued a national alert on June 22, citing rising cyber threats linked to Iran-Israel tensions. The bulletin highlighted increased risks to U.S. infrastructure, especially from loosely affiliated hacktivists and state-backed cyber actors. DHS also warned that extremist rhetoric could trigger lone-wolf attacks inspired by Iran’s ideology. 

Federal agencies remain on high alert, with targeted sectors including defense, finance, and energy. Though large-scale service disruptions have not yet occurred, cybersecurity teams have documented attempted breaches. Two groups backing the Palestinian cause claimed responsibility for further attacks across more than a dozen U.S. sectors. 

At the same time, the U.S. faces internal challenges in cyber preparedness. The recent dismissal of Gen. Timothy Haugh, who led both the NSA and Cyber Command, has created leadership uncertainty. Budget cuts to election security programs have added to concerns. 

While a military ceasefire between Iran and Israel may be holding, experts warn the cyber conflict is far from over. Independent threat actors and ideological sympathizers could continue launching attacks. Analysts stress the need for sustained investment in cybersecurity infrastructure—both public and private—as digital warfare becomes a long-term concern.
Read more »
Routers
CISA CISA advisory CISA warning Cyber Security Hacker attack Internet Routers internet Security Public Wifi router security Routers

CISA Warns of Renewed Exploits Targeting TP-Link Routers with Critical Flaws

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised fresh concerns about several outdated TP-Link router models that are being actively exploited by cybercriminals. Despite the flaw being identified years ago, it has re-emerged in recent attack campaigns, prompting its addition to CISA’s Known Exploited Vulnerabilities (KEV) catalog. 

The security issue is a command injection vulnerability with a high severity rating of 8.8. It impacts three specific models: TP-Link TL-WR940N, TL-WR841N, and TL-WR740N. The flaw exists within the routers’ web-based management interface, where improperly validated input allows hackers to execute unauthorized commands directly on the devices. This makes it possible for attackers to gain control of the routers remotely if remote access is enabled, or locally if they’re on the same network. 

Although this vulnerability has been publicly known for years, recent activity suggests that malicious actors are targeting these devices once again. According to cybersecurity researchers, the attack surface remains significant because these routers are still in use across many households and small offices. 

CISA has mandated that all federal agencies remove the affected router models from their networks by July 7, 2025. It also strongly recommends that other organizations and individuals replace the devices to avoid potential exploitation. 

The affected routers are particularly vulnerable because they are no longer supported by the manufacturer. The TL-WR940N last received a firmware update in 2016, the TL-WR841N in 2015, and the TL-WR740N has gone without updates for over 15 years. As these devices have reached end-of-life status, no further security patches will be provided. Users are urged to upgrade to newer routers that are regularly updated by manufacturers. 

Modern Wi-Fi routers often include enhanced performance, support for more devices, and built-in security protections. Some brands even offer network-wide security features to safeguard connected devices against malware and intrusion attempts. Additionally, using antivirus software with extra security tools, such as VPNs and threat detection, can further protect against online threats. 

Outdated routers not only put your personal information at risk but also slow down internet speed and struggle to manage today’s connected home environments. Replacing obsolete hardware is an important step in defending your digital life. 

Ensuring you’re using a router that receives timely security updates, combined with good cybersecurity habits, can significantly reduce your exposure to cyberattacks. 

CISA’s warning is a clear signal that relying on aging technology leaves both individuals and organizations vulnerable to renewed threats.
Read more »
Personal Data Breach
Customer Information Cybernews Cybersecurity Data Breach Data Hackers Data Leak Data Safety User Data data security Data Trading Hacker attack Personal Data Breach

T-Mobile Denies Involvement After Hackers Claim Massive Customer Data Breach

 

T-Mobile is once again in the cybersecurity spotlight after a hacking group claimed to have obtained sensitive personal information belonging to 64 million customers. The hackers alleged the data was freshly taken as of June 1, 2025, and listed their find on a well-known dark web forum popular among cybercriminals and data traders.  

The leaked trove reportedly contains highly personal information, including full names, birthdates, tax identification numbers, addresses, contact details, device and cookie IDs, and IP addresses. Such data can be extremely valuable to cybercriminals for fraud, identity theft, or phishing attacks. Cybernews, which analyzed a sample of the data, confirmed its sensitive nature, raising alarm over the scale and potential damage of the breach.  

Yet, T-Mobile has come forward to strongly deny any connection to the alleged hack. In a statement to The Mobile Report, the telecom company asserted that the leaked data does not belong to T-Mobile or any of its customers. “Any reports of a T-Mobile data breach are inaccurate. We have reviewed the sample data provided and can confirm the data does not relate to T-Mobile or our customers,” the company stated. 

Despite T-Mobile’s denial, cybersecurity analysts remain cautious. Cybernews pointed out that portions of the leaked data mirror details from previous breaches that targeted T-Mobile, suggesting there may be some overlap with older incidents. This has sparked speculation that the latest claim may not be based on a new breach, but rather a repackaging of previously stolen information to create hype or confusion. 

Adding to the uncertainty, Have I Been Pwned—a trusted platform used to monitor data breaches—has yet to list the supposed breach, which could support the theory that the leaked data is not new. Still, the situation has left many T-Mobile customers in limbo, unsure whether their data has truly been compromised again. 

If the claims prove to be true, it would be another in a series of cybersecurity setbacks for T-Mobile. The company only recently began issuing compensation checks related to its 2021 data breach, suggesting that resolution in such matters can take years. 

For now, the legitimacy of this latest breach remains unclear. Until further evidence surfaces or an independent investigation confirms or refutes the claims, customers are advised to remain vigilant and monitor their accounts for any unusual activity.
Read more »
Power Outage
Cyber Defenses Cyber Security Cyber Threats Cyberattack Hacker attack Hacking Portugal Cyber Army Portugese Power Grids Power Outage

Spain Investigates Cybersecurity of Power Suppliers After Widespread Grid Outage

 

Spain is investigating the cybersecurity practices of its power suppliers following a major power outage that affected much of the Iberian Peninsula at the end of April. While initial assessments by Spanish and Portuguese grid operators ruled out a cyberattack, authorities are now questioning whether smaller, independent energy producers may have inadvertently opened vulnerabilities within the national power infrastructure. 

The outage disrupted electricity supply across both Spain and Portugal, with most regions regaining power after ten hours. However, it took nearly a full day—23 hours—for Spain’s grid to be fully restored. Although no immediate signs of hacking were found, the duration and scale of the disruption raised alarms, prompting deeper scrutiny into the resilience of Spain’s decentralized energy network. According to a report from the Financial Times, Spain’s National Cybersecurity Institute (INCIBE) has reached out to various smaller renewable energy producers, asking whether they experienced any unusual activity before the blackout on April 28. 

The inquiries also covered their use of recent security patches and whether their systems could be remotely accessed, signaling a broader concern over cybersecurity readiness among these suppliers. This line of investigation is significant given Spain’s heavy reliance on renewable energy, much of which is generated by smaller, less centralized plants. The concern is that these entities, though critical to Spain’s green transition, may lack the robust cyber defenses maintained by larger grid operators. 

While this doesn’t point to renewable energy as unreliable, it highlights how a fragmented supplier ecosystem could pose a collective security risk. Cybersecurity experts have also weighed in. A blog post by security firm Specops Software compared the Spanish outage to known cyberattacks on power grids, such as those in Ukraine in 2015 and 2016. While Specops acknowledged the Spanish grid operators’ conclusion that no breach was detected through their internal monitoring systems, the firm noted similarities in how the shutdown unfolded. 

However, Barracuda Networks’ regional director Miguel López suggested that if a cyberattack had indeed compromised critical systems, it would have taken significantly longer to recover, casting doubt on hacking as the root cause. Still, the possibility that attackers exploited a less secure third-party provider has not been ruled out. This renewed scrutiny comes amid global concerns over cyber threats to critical infrastructure. 

The U.S. and U.K. have both issued alerts about increased activity by pro-Russian hacktivists targeting industrial control systems. With recent research showing that 95% of critical infrastructure organizations experienced a data breach in the past year, Spain’s situation underscores the urgent need for improved cyber vigilance across all levels of the energy supply chain.
Read more »
Russian Hackers
COLDRIVER Coldriver hacker group Cyber Attacks cyber espionage data security espionage Hacker attack Malware Attack Malwares Russian Hackers

Lostkeys Malware: Russian Group Coldriver Targets Western Officials in Espionage Campaign

 

A new wave of cyber espionage has emerged, with Russian hackers deploying a sophisticated malware strain known as “Lostkeys” to infiltrate the systems of Western officials, journalists, and NGOs. According to researchers from Google’s Threat Intelligence Group, the malware is linked to Coldriver, also known as UNC4057, Star Blizzard, or Callisto—a threat actor believed to be part of Russia’s Federal Security Service (FSB), the successor to the KGB. 

Coldriver has traditionally been involved in phishing operations to steal credentials, but the emergence of Lostkeys demonstrates a significant leap in their cyber capabilities. Lostkeys appears to mark a shift in strategy for the group, moving beyond phishing and into deeper system infiltration. The malware is deployed in a targeted manner, reserved for high-value individuals such as political advisors, think tank members, journalists, and people with known connections to Ukraine.

Activity related to Lostkeys was observed by Google in the early months of 2024—specifically January, March, and April—with evidence suggesting its use might have started as far back as December 2023. The attack begins with a deceptive Captcha page, tricking victims into copying a malicious PowerShell script into the Windows Run dialog. This method, known as “ClickFix,” bypasses typical security filters and exploits user behavior rather than software vulnerabilities. 

Once executed, the script connects to a command-and-control server, downloading a series of payloads uniquely tailored to each victim. In an effort to avoid detection, the malware includes anti-sandbox measures. During the second stage of infection, the script checks the screen resolution of the host machine and halts if it matches known virtual machine environments used by analysts and cybersecurity researchers. If the device passes this check, the malware proceeds to the final stage—a Visual Basic Script that steals data, including specific file types, system details, and active processes. These are exfiltrated back to the attackers using an encoded system that applies a unique two-key substitution cipher for each infected machine. 

Lostkeys appears to be a more refined successor to a previous malware strain known as Spica, which Coldriver also deployed in 2024. While both strains focus on data exfiltration, Lostkeys features a more intricate delivery system and improved obfuscation techniques. Some earlier samples of Lostkeys mimicked legitimate software like Maltego and used executable files instead of PowerShell, though Google has not confirmed if these instances were part of the same campaign or the work of a different threat actor reusing Coldriver’s tactics. 

This development highlights an alarming evolution in state-backed cyber operations, where advanced social engineering and stealth techniques are being increasingly used to infiltrate high-profile targets. As geopolitical tensions persist, the risks posed by such targeted cyber espionage campaigns are expected to grow.
Read more »
Public Sector
Critical Infrastructure Cyber Attacks Cyber Warfare DDoS Hacker attack Hackers Indian Cyber Security Malware Attack Military Data Public Sector

India Faces Cyber Onslaught After Operation Sindoor Military Strikes

 

In the aftermath of India’s military action under Operation Sindoor, Pakistan responded not only with conventional threats but also with a wave of coordinated cyberattacks. While India’s defense systems effectively intercepted aerial threats like drones and missiles, a simultaneous digital assault unfolded, targeting the nation’s critical infrastructure and strategic systems. 

Reports from The Times of India indicate that the cyberattacks were focused on key defense public sector units (PSUs), their supporting MSMEs, and essential infrastructure including airports, ports, the Indian Railways, power grids, and major telecom providers such as BSNL. Additionally, digital financial platforms—ranging from UPI services to stock exchanges and mobile wallets—were also in the crosshairs. 

Sources suggest these cyber intrusions aimed to steal classified military data, disrupt daily life, and damage India’s global standing. Allegedly, the attackers sought intelligence on missile defense systems and military readiness. In retaliation, India reportedly struck back at Pakistani military infrastructure, although the cyber battlefield remains active. 

Cybersecurity expert and Interpol trainer Pendyala Krishna Shastry confirmed the attacks involved a range of methods: malware deployment, denial-of-service (DoS) strikes, phishing schemes, and website defacements. These tactics targeted multiple sectors, including finance, telecom, and public services, aiming to breach systems and sow confusion. 

Website tracking portal Zone-H recorded several government domain breaches. Notable targets included the websites of the National Institute of Water Sports (niws.nic.in) and nationaltrust.nic.in, both of which were defaced before being restored. The Central Coalfields Ltd (CCL) website also experienced a breach, displaying a message from a group calling itself “Mr Habib 404 – Pakistani Cyber Force,” declaring, “You thought you were safe, but we are here.” 

Although CCL’s Public Relations Officer Alok Gupta dismissed the breach as a technical issue with no data loss, cybersecurity experts warn that downplaying such incidents could weaken national digital defense. 

This escalation underscores how cyber warfare is now being integrated into broader military strategies. Experts argue that India must urgently strengthen its cyber defenses to address the growing threat. Priorities include deploying AI-based threat detection, reinforcing CERT-In and sector-specific Security Operation Centres (SOCs), enforcing strong cybersecurity practices across public systems, and expanding collaboration on global cyber intelligence. 

As state-sponsored attacks become more sophisticated and frequent, India’s ability to defend its digital frontier will be just as crucial as its military strength.
Read more »
Russia-Ukraine War
Cyber Attacks DDoS DDOS Attacks DDoS Threats Hacker attack Hacktivist group NCSC Pro-Russian Hackers Russia-Ukraine War

Russian Hacktivists Disrupt Dutch Institutions with DDoS Attacks

 

Several Dutch public and private organizations have experienced significant service outages this week following a wave of distributed denial-of-service (DDoS) attacks linked to pro-Russian hacktivists. The Netherlands’ National Cyber Security Center (NCSC), part of the Ministry of Justice, confirmed that the attacks affected multiple sectors and regions across the country.  

The NCSC disclosed that both government and private entities were targeted in what it described as large-scale cyber disruptions. While the full scope is still being assessed, municipalities and provinces including Groningen, Noord-Holland, Drenthe, Overijssel, Zeeland, Noord-Brabant, and cities like Nijmegen, Apeldoorn, Breda, and Tilburg reported that public portals were intermittently inaccessible. 

A pro-Russian threat group calling itself NoName057(16) has claimed responsibility for the cyberattacks through its Telegram channel. Though the NCSC did not confirm the motive, the group posted that the attacks were a response to the Netherlands’ recent €6 billion military aid commitment to Ukraine, as well as future support amounting to €3.5 billion expected in 2026. Despite the widespread disruptions, authorities have stated that no internal systems or sensitive data were compromised. 

The issue appears confined to access-related outages caused by overwhelming traffic directed at the affected servers — a hallmark of DDoS tactics. NoName057(16) has been a known actor in the European cybersecurity landscape since early 2022. It has targeted various Western governments and institutions, often in retaliation for political or military actions perceived as anti-Russian. The group also operates DDoSIA, a decentralized platform where users can participate in attacks in exchange for cryptocurrency payments. 

This model has enabled them to recruit thousands of volunteers and sustain persistent campaigns against European targets. While law enforcement in Spain arrested three alleged DDoSIA participants last year and confiscated their devices, key figures behind the platform remain unidentified and at large. The lack of major indictments has allowed the group to continue its operations relatively unimpeded. 

The NCSC has urged organizations to remain vigilant and maintain strong cybersecurity protocols to withstand potential follow-up attacks. With geopolitical tensions remaining high, experts warn that such politically motivated cyber operations are likely to increase in frequency and sophistication. 

As of now, restoration efforts are ongoing, and the government continues to monitor the digital landscape for further signs of coordinated threats.
Read more »
Sensitive data
Cyber Attacks Data Leak data security Data Theft Hacker attack Indian Cyber Security Pakistan Hacker Personal Data Sensitive data

Pakistan-Based Hackers Launch Cyber Attack on Indian Defence Websites, Claim Access to Sensitive Data

 

In a concerning escalation of cyber hostilities, a Pakistan-based threat group known as the Pakistan Cyber Force launched a coordinated cyber offensive on multiple Indian defence-related websites on Monday. The group claimed responsibility for defacing the official site of a Ministry of Defence public sector undertaking (PSU) and asserted that it had gained unauthorized access to sensitive information belonging to Indian defence personnel. According to reports, the targeted websites included those of the Military Engineering Service (MES) and the Manohar Parrikar Institute of Defence Studies and Analyses (MP-IDSA), both critical components in India’s defence research and infrastructure network. 

The group’s social media posts alleged that it had exfiltrated login credentials and personal data associated with defence personnel. One particularly alarming development was the defacement of the official website of Armoured Vehicle Nigam Limited (AVNL), a key PSU under the Ministry of Defence. The hackers replaced the homepage with the Pakistani flag and an image of the Al Khalid tank, a symbol of Pakistan’s military capabilities. A message reportedly posted on social platform X read, “Hacked. Your security is illusion. MES data owned,” followed by a list of names allegedly linked to Indian defence staff. 

Sources quoted by ANI indicated that there is a credible concern that personal data of military personnel may have been compromised during the breach. In response, authorities promptly took the AVNL website offline to prevent further exploitation and launched a full-scale forensic audit to assess the scope of the intrusion and restore digital integrity. Cybersecurity experts are currently monitoring for further signs of intrusion, especially in light of repeated cyber threats and defacement attempts linked to Pakistani-sponsored groups. 

The ongoing tensions between the two countries have only heightened the frequency and severity of such state-aligned cyber operations. This latest attack follows a pattern of provocative cyber incidents, with Pakistani hacker groups increasingly targeting sensitive Indian assets in attempts to undermine national security and sow discord. Intelligence sources are treating the incident as part of a broader information warfare campaign and have emphasized the need for heightened vigilance and improved cyber defense strategies. 

Authorities continue to investigate the breach while urging government departments and defense agencies to reinforce their cybersecurity posture amid rising digital threats in the region.
Read more »
Ransomwares
Cyber Attacks data security Data Theft Hacker attack Pharmaceutical Firms Ransom Demand Ransomware attack Ransomwares

Pune-Based Biopharma Company Hit by Ransomware Attack, Hackers Demand $80,000

 

A multinational biopharmaceutical company based in Pune has fallen victim to a sophisticated ransomware attack, with cybercriminals encrypting vital data and demanding $80,000 (over Rs 68 lakh) for its release. The attackers have also threatened to leak the stolen proprietary data on the dark web if the ransom is not paid, according to local police authorities. 

The incident came to light when a senior executive from the company’s Pune office lodged a complaint at the Cyber Crime Police Station of Pimpri Chinchwad on Monday evening. The attack was first identified on Sunday afternoon, prompting immediate concern due to the sensitivity of the data involved. According to initial investigations by cybercrime officials, the breach is believed to have occurred through a compromised endpoint device—most likely via a phishing email containing a malicious link. 

Once the attackers gained access to the internal network, they deployed ransomware to the company’s main server and extended it to more than a dozen connected servers. Sensitive data, including proprietary pharmaceutical formulations, manufacturing protocols, and confidential business documents, was then encrypted and locked. 

“A preliminary probe suggests that vulnerabilities in the company’s cybersecurity setup allowed the attackers to infiltrate its systems,” an officer from the Cyber Police Station said. “Unfortunately, a significant portion of the critical data was not backed up offline, leaving the organization exposed to potential data loss if the ransom is not paid.” The hackers have made it clear that if their ransom demand of $80,000 is not met, the stolen data will be sold on the dark web. 

So far, the company has not paid the ransom, and authorities are currently analyzing IP logs and other digital evidence to trace the origin of the attack. Cybercrime investigators have urged all businesses to strengthen their cybersecurity measures, including regularly backing up data offline, updating firewall configurations, and educating employees about phishing threats. “This incident is a wake-up call for organizations to prioritize robust digital security,” the officer added.  

Deputy Commissioner of Police (Crime) Sandeep Doiphode emphasized the growing need for enterprises to invest in both technology and skilled cybersecurity personnel. “This case underlines the urgent necessity for companies to stay ahead of evolving threats through both infrastructure and human resource development,” he said. Police also noted that ransomware attacks typically use phishing emails and exploit weak security protocols. Payments are often demanded in cryptocurrency, making the attackers harder to trace. 

The investigation remains ongoing.
Read more »
Sensitive Data Leak
cyber attack Cyber Warfare Cybersecurity Data Breach Data Theft Hacker attack Information Security Personal Data Breach Sensitive Data Leak

Jammu Municipal Corporation Targeted in Major Cyberattack, Sensitive Data Allegedly Stolen

 

In a significant breach of digital infrastructure, the Jammu Municipal Corporation (JMC) has fallen victim to a cyberattack believed to have resulted in the loss of vast amounts of sensitive data. According to high-level intelligence sources, the attackers managed to compromise the website, gaining access to critical records and databases that may include personally identifiable information such as Aadhaar numbers, property ownership documents, tax filings, infrastructure blueprints, and internal administrative communications.  

The breach, which occurred on Friday, has prompted an immediate investigation and system lockdown as cybersecurity teams race to contain the damage and begin recovery operations. Officials involved in the incident response have confirmed that website functionality has been suspended as data restoration processes are initiated. Top intelligence sources indicate that the attack bears hallmarks of Pakistan-sponsored cyber operations aimed at undermining India’s administrative framework. “These tactics are consistent with state-backed cyber warfare efforts targeting strategic and sensitive zones like Jammu and Kashmir,” said a senior intelligence official.

“The objective is often to destabilize public services and spread fear among the populace.” The JMC’s website is a key platform used to manage municipal services, property taxes, and local development projects. Its compromise has raised concerns about the broader implications for civic governance and the potential misuse of the stolen data.  

This latest breach follows a series of unsuccessful but alarming hacking attempts by groups linked to Pakistan. Just a day before the JMC attack, hacker collectives such as ‘Cyber Group HOAX1337’ and ‘National Cyber Crew’ reportedly targeted several Indian websites. Cybersecurity teams were able to detect and neutralize these threats before they could cause any major disruption. Among the recent targets were the websites of Army Public School Nagrota and Army Public School Sunjuwan. These were reportedly subjected to defacement attempts featuring inflammatory messages referencing the victims of the Pahalgam terror attack. 

In another incident, a portal catering to the healthcare needs of retired armed forces personnel was compromised and vandalized. Cybersecurity experts warn that such attacks often aim to disrupt not only public trust but also national morale. The recurring pattern of targeting vulnerable groups—such as schoolchildren and elderly veterans—further emphasizes the psychological warfare tactics employed by these groups. 

As recovery efforts continue, the Indian government is likely to review its cybersecurity protocols across public sector systems, especially in high-risk regions. Enhanced defense measures and greater inter-agency coordination are expected to follow. The investigation remains ongoing, and further updates are expected in the coming days.
Read more »
OCC
Banks bloomberg Cyber Attacks Data Sharing digital data email security financial attack Financial Data Hacker attack OCC

Top U.S. Banks Cut Off Digital Data Sharing With OCC After Major Cyberattack

 

Several of the largest banks in the United States have curtailed or reassessed how they share sensitive data with the Office of the Comptroller of the Currency (OCC), after a significant cyberattack compromised the regulator’s email system. 

According to Bloomberg, JPMorgan Chase and Bank of New York Mellon have paused all electronic communications with the OCC. Bank of America is continuing to share data, but through what it considers more secure digital channels. The decision follows the discovery that hackers had accessed over 100 email accounts at the OCC for more than a year—a breach labeled a “major incident” by both the OCC and the U.S. Treasury Department. 

The hackers reportedly obtained highly sensitive information related to financial institutions, although their identities remain unknown. The OCC, a bureau under the Treasury, oversees over 1,000 national banks and savings associations, including the U.S. branches of foreign institutions. Among the materials potentially exposed are reports on cybersecurity protocols, internal vulnerability assessments, and National Security Letters—documents that may contain classified intelligence regarding terrorism or espionage. 

Banks have raised concerns about the extent of the breach and the OCC’s communication about the incident. Some financial institutions reportedly did not learn of the scope of the compromise until media coverage surfaced. As a result, there is growing distrust among regulated institutions regarding how the OCC has handled disclosure and mitigation. The OCC said it is actively working with independent cybersecurity experts, including Mandiant and Microsoft, to investigate the breach and determine whether stolen data has surfaced on the dark web. 

A contractor is also reviewing two internal communication systems—BankNet and another used for transferring large files—to assess whether they were affected. While JPMorgan and BNY Mellon have suspended digital transmissions, Citigroup has continued data sharing due to its existing consent order with the OCC. It remains unclear whether other major banks like Wells Fargo or Goldman Sachs have taken similar steps. Experts warn that the breach could enable targeted cyberattacks or extortion attempts, as the stolen material may offer insight into institutional vulnerabilities. 

According to former Treasury CIO Eric Olson, the exposed data is “as sensitive as it gets.” The incident has drawn attention from Congress, with both the House Financial Services Committee and the Senate Banking Committee seeking more information. Experts view the banks’ decision to reduce data sharing as a sign of eroding trust in the OCC’s ability to safeguard critical regulatory communications.
Read more »
Silicon Valley
AI generated Deepfake AI Security AI technology AI Tool Breach attack Cyber Security Hacker attack Silicon Valley

Silicon Valley Crosswalk Buttons Hacked With AI Voices Mimicking Tech Billionaires

 

A strange tech prank unfolded across Silicon Valley this past weekend after crosswalk buttons in several cities began playing AI-generated voice messages impersonating Elon Musk and Mark Zuckerberg.  

Pedestrians reported hearing bizarre and oddly personal phrases coming from audio-enabled crosswalk systems in Menlo Park, Palo Alto, and Redwood City. The altered voices were crafted to sound like the two tech moguls, with messages that ranged from humorous to unsettling. One button, using a voice resembling Zuckerberg, declared: “We’re putting AI into every corner of your life, and you can’t stop it.” Another, mimicking Musk, joked about loneliness and buying a Cybertruck to fill the void.  

The origins of the incident remain unknown, but online speculation points to possible hacktivism—potentially aimed at critiquing Silicon Valley’s AI dominance or simply poking fun at tech culture. Videos of the voice spoof spread quickly on TikTok and X, with users commenting on the surreal experience and sarcastically suggesting the crosswalks had been “venture funded.” This situation prompts serious concern. 

Local officials confirmed they’re investigating the breach and working to restore normal functionality. According to early reports, the tampering may have taken place on Friday. These crosswalk buttons aren’t new—they’re part of accessibility technology designed to help visually impaired pedestrians cross streets safely by playing audio cues. But this incident highlights how vulnerable public infrastructure can be to digital interference. Security researchers have warned in the past that these systems, often managed with default settings and unsecured firmware, can be compromised if not properly protected. 

One expert, physical penetration specialist Deviant Ollam, has previously demonstrated how such buttons can be manipulated using unchanged passwords or open ports. Polara, a leading manufacturer of these audio-enabled buttons, did not respond to requests for comment. The silence leaves open questions about how widespread the vulnerability might be and what cybersecurity measures, if any, are in place. This AI voice hack not only exposed weaknesses in public technology but also raised broader questions about the blending of artificial intelligence, infrastructure, and data privacy. 

What began as a strange and comedic moment at the crosswalk is now fueling a much larger conversation about the cybersecurity risks of increasingly connected cities. With AI becoming more embedded in daily life, events like this might be just the beginning of new kinds of public tech disruptions.
Read more »
phishing
CAPTCHA CAPTCHA Security Cyber Attacks cybercriminals Fake Captcha Hacker attack Hackers Malware attacks phishing

Fake CAPTCHAs Are the New Trap: Here’s How Hackers Are Using Them to Install Malware

 

For years, CAPTCHAs have been a familiar online hurdle—click a box, identify a few blurry images, and prove you’re human. They’ve long served as digital gatekeepers to help websites filter out bots and protect against abuse. But now, cybercriminals are turning this trusted security mechanism into a tool for deception. Security researchers are sounding the alarm over a growing threat: fake CAPTCHAs designed to trick users into unknowingly installing malware. 

These phony tests imitate the real thing, often appearing as pop-up windows or embedded verification boxes on compromised websites. At first glance, they seem harmless—just another quick click on your way to a webpage. But a single interaction can trigger a hidden chain reaction that compromises your device. The tactic is subtle but effective. By replicating legitimate CAPTCHA interfaces, attackers play on instinct. Most users are conditioned to complete CAPTCHAs without much thought. That reflexive click becomes the entry point for malicious code. 

One reported incident involved a prompt asking users to paste a code into the Windows Run dialog—an action that launched malware installation scripts. Another campaign tied to the Quakbot malware family used similar deception, embedding CAPTCHAs that initiated background downloads and executed harmful commands with a single click. These attacks, often referred to as ClickFix CAPTCHA scams, are a form of social engineering—a psychological manipulation tactic hackers use to exploit human behavior. 

In this case, attackers are banking on your trust in familiar security prompts to lower your guard. The threat doesn’t stop at just fake clicks. Some CAPTCHAs redirect users to infected web pages, while others silently copy dangerous commands to the clipboard. In the worst cases, users are tricked into pressing keyboard shortcuts that launch Windows PowerShell, allowing attackers to run scripts that steal data, disable security software, or hijack system functions. 

Experts warn that this method is particularly dangerous because it blends in so well with normal browsing activity. Unlike more obvious phishing scams, fake CAPTCHA attacks don’t rely on emails or suspicious links—they happen right where users feel safe: in their browsers. To defend against these attacks, users must remain skeptical of CAPTCHAs that ask for more than a simple click. 

If a CAPTCHA ever requests you to enter text into system tools, press unusual key combinations, or follow unfamiliar instructions, stop immediately. Those are red flags. Moreover, ensure you have reliable antivirus protection installed and keep your browser and operating system updated. Visiting lesser-known websites? Use an ad blocker or security-focused browser extension to reduce exposure to malicious scripts. 

As CAPTCHA-based scams grow more sophisticated, digital vigilance is your best defense. The next time you’re asked to “prove you’re not a robot,” it might not be your humanity being tested—but your cybersecurity awareness.
Read more »
Subscribe to: Posts (Atom)