Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Microsoft. Show all posts
Ransom Demands
Azure Cloud Cloud Attacks Cloud Security Cyber Security Data Theft Microsoft Microsoft Azure Ransom Demands

Microsoft Warns Storm-0501 Shifts to Cloud-Based Encryption, Data Theft, and Extortion

 

Microsoft has issued a warning about Storm-0501, a threat actor that has significantly evolved its tactics, moving away from traditional ransomware encryption on devices to targeting cloud environments for data theft, extortion, and cloud-based encryption. Instead of relying on conventional ransomware payloads, the group now abuses native cloud features to exfiltrate information, delete backups, and cripple storage systems, applying pressure on victims to pay without deploying malware in the traditional sense. 

Storm-0501 has been active since at least 2021, when it first used the Sabbath ransomware in attacks on organizations across multiple industries. Over time, it adopted ransomware-as-a-service (RaaS) tools, deploying encryptors from groups such as Hive, BlackCat (ALPHV), Hunters International, LockBit, and most recently, Embargo ransomware. In September 2024, Microsoft revealed that the group was expanding into hybrid cloud environments, compromising Active Directory and pivoting into Entra ID tenants. During those intrusions, attackers established persistence with malicious federated domains or encrypted on-premises devices with ransomware like Embargo. 

In its latest report, Microsoft highlights that Storm-0501 is now conducting attacks entirely in the cloud. Unlike conventional ransomware campaigns that spread malware across endpoints and then negotiate for decryption, the new approach leverages cloud-native tools to quickly exfiltrate large volumes of data, wipe storage backups, and encrypt files within the cloud itself. This strategy both accelerates the attack and reduces reliance on detectable malware deployment, making it more difficult for defenders to identify the threat in time. 

Recent cases show the group compromising multiple Active Directory domains and Entra tenants by exploiting weaknesses in Microsoft Defender configurations. Using stolen Directory Synchronization Accounts, Storm-0501 enumerated roles, users, and Azure resources with reconnaissance tools such as AzureHound. The attackers then identified a Global Administrator account without multifactor authentication, reset its password, and seized administrative control. With these elevated privileges, they maintained persistence by adding their own federated domains, which allowed them to impersonate users and bypass MFA entirely. 

From there, the attackers escalated further inside Azure by abusing the Microsoft.Authorization/elevateAccess/action capability, granting themselves Owner-level roles and taking complete control of the target’s cloud infrastructure. Once entrenched, they began disabling defenses and siphoning sensitive data from Azure Storage accounts. In many cases, they attempted to delete snapshots, restore points, Recovery Services vaults, and even entire storage accounts to prevent recovery. When these deletions failed, they created new Key Vaults and customer-managed keys to encrypt the data, effectively locking companies out unless a ransom was paid. 

The final stage of the attack involved contacting victims directly through Microsoft Teams accounts that had already been compromised, delivering ransom notes and threats. Microsoft warns that this shift illustrates how ransomware operations may increasingly migrate away from on-premises encryption as defenses improve, moving instead toward cloud-native extortion techniques. The report also includes guidance for detection, including Microsoft Defender XDR hunting queries, to help organizations identify the tactics used by Storm-0501.
Read more »
Technology
Cryptographic Transformation cyber resilience Digital Trust Encryption Standards Microsoft Post Quantum Cryptography Quantum Safe Program Quantum Security Technology

Microsoft Boosts Digital Trust through Post Quantum Cryptography

 


A comprehensive roadmap has been unveiled by Microsoft to enable it to future-proof its security infrastructure, marking a decisive step toward securing the company's products and services with quantum-safe protection by 2033 — two years ahead of the target set by the United States and other governments. 

Moreover, this announcement underscores Microsoft's commitment to preparing for the imminent arrival of quantum computing, which threatens to outpace and undermine the current standards of cryptography in the near future. It is planned that Microsoft's core products and services will begin to be enhanced with quantum-safe capabilities as early as 2029, followed by a gradual transition into default implementation by the following years. 

A new roadmap outlined by Mark Russinovich, Chief Technology Officer for Microsoft Azure, and Michal Braverman-Blumenstyk, Chief Technology Officer for Microsoft's security division, builds upon Microsoft's quantum-safe program introduced in 2023 and builds upon the company's current roadmap. An integral part of this phased approach is a modular framework developed to ensure resilience in the face of cyberattacks from adversaries who possess quantum computers capable of breaking existing encryption models. 

The announcement marks a significant milestone in the race toward post-quantum security worldwide. Microsoft has formally announced its Quantum-Safe Program Strategy. The strategy is designed to make the company's ecosystem ready to deal with the disruptive potential of quantum computing by taking a security-first approach from the very beginning. There are profound stakes involved in this initiative, and it is because of this that this initiative is taking place.

Over the course of the last few decades, modern encryption algorithms have ensured the protection of everything from personal credentials and private communications to financial and critical infrastructure across the globe, but as quantum machines become increasingly powerful, these protections may be compromised, compromising society's trust in the confidentiality and integrity of digital systems that society relies on. 

As Microsoft's roadmap emphasizes its commitment to leading the shift towards a quantum-resilient future, it seeks to address this looming risk well in advance, underlining its commitment to this effort. Even though quantum computing has been hailed as an exciting technological advancement, it is also one of the most significant cryptographic challenges people have encountered during the modern era. This reality Microsoft acknowledges through its ongoing efforts in making the move towards "progress toward next-generation cryptography."

As part of the comprehensive update published by Microsoft Azure's Chief Technology Officer Mark Russinovich and Microsoft's security division's Chief Technology Officer Michal Braverman-Blumenstyk, the company emphasized that quantum systems have the potential to render obsolete the widely used public-key cryptography people are currently using. 

Although Microsoft has already laid the groundwork for a quantum-safe ecosystem, it stressed that it has already begun building resilient security foundations to anticipate and minimize the risks associated with this next wave of computing power. The company has been working on quantum security for quite some time; its pursuit of quantum-safe security dates back to 2014 when early research was conducted into quantum algorithms and quantum cryptography. 

By the end of 2018, the company had begun experimenting with PQC implementations that were confirmed, and in its latest project, it has successfully established a VPN tunnel that is protected by PQC between its Redmond, Washington headquarters and Scotland's underwater data center, Project Natick. 

As Microsoft has grown over the years, it has also taken a strong role in shaping the industry standards, contributing to the development of the Open Quantum Safe project, led the integration workstream of the NIST NCCoE Post-Quantum project, and contributed its FrodoKEM system to ISO standardization as well. It was for these reasons that the company has launched the Quantum Safe Program (QSP), unveiled by Executive Vice President Charlie Bell as part of its long-term vision of helping customers, partners, and the company's own ecosystem make a secure transition into the quantum age. 

As part of the program, a full transition will be completed by 2033, with an early adoption beginning in 2029, aligned with global directives from CISA, NIST, OMB, and CNSSP-15. The strategy, which is based on a phased approach, is structured around three core priorities - the secure deployment of Microsoft's own infrastructure and supply chain, the development of tools that enable crypto-agility for customers and partners, and the advancement of global standards and research. 

The first step in implementing PQC will be to embed PQC into foundational cryptographic libraries such as SymCrypt, with the ML-KEM and ML-DSA already available for testing on Windows Insider builds and Linux APIs, along with hybrid TLS key exchange enabled via SymCrypt-OpenSSL to counter the threat of "harvest now, decrypt later". As the next phase progresses, PQC integration will expand to include authentication, signing, Windows, Azure, Microsoft 365, Artificial Intelligence systems, and networking services as well. 

The shift from quantum to post-quantum cryptography is not simply a switch, but a multiyear transformation that requires early, coordinated action to avoid a disruptive, last-minute scramble that Microsoft demonstrates by combining years of research, standards collaboration, and staged implementation. It has been set up for the company to set an ambitious internal deadline in order to ensure its core services are quantum-ready by 2029. 

In fact, this is a much more aggressive timeline than most governments have set for the transition. It should be noted that according to the UK Government's National Cyber Security Centre (NCSC), critical sectors should aim to move to post-quantum cryptography (PQC) by the year 2035 in order to ensure their cybersecurity. 

There has been some discussion about this proactive stance recently, and Mark Russinovich, Chief Technology Officer of Microsoft Azure, and Michal Braverman-Blumenstyk, Corporate Vice President and Chief Technology Officer of Microsoft Security, have emphasized the fact that, although the possibility of large-scale quantum computing is quite distant, people must begin preparing now. 

They reported that the transition to PQC was not merely a matter of flipping a switch, but a multi-year transformation that requires early planning and coordination in order to prevent a scramble to become effective later on. Rather than just addressing the quantum threat, Microsoft views the transition as an opportunity for companies to safeguard their systems by modernizing their outdated systems, implementing stronger cryptographic standards, and implementing the crypto-agility practice as a fundamental security practice. 

Essentially, the Quantum Safe Program is anchored by its three core pillars - updating Microsoft's own ecosystems, supporting partners, customers, and advancing global research and standards - and illustrates the importance of preparing industries for the quantum age by combining resilience with modernization.

The company is announcing a phased roadmap that will see accelerating adoption of quantum-safe standards across its core infrastructure, starting as early as 2026. Signing and networking services are slated to be the first areas of its infrastructure that will be upgraded. By 2027, Microsoft intends to extend these safeguards to Windows, Azure, Microsoft 365, data platforms, artificial intelligence services, and networking. 

In order to protect its digital ecosystem, quantum-ready safeguards will be embedded into the backbone of the company's digital ecosystem. In order to lay the groundwork for this to happen, post quantum algorithms were already incorporated into foundational components like SymCrypt, which serves as the foundation for security for many Microsoft products and services. Over the next five years, additional capabilities are expected to be gradually introduced. 

During the preparation process for the company, a comprehensive inventory was conducted across the organisation to identify potential risks associated with its assets. This was a similar process taken by federal agencies as well, followed by a collaborative effort with industry leaders in order to resolve vulnerabilities, strengthen quantum resilience, and advance hardware and firmware innovation. 

Announcing its roadmap as aligned with international standards, Microsoft has confirmed it is on track to meet the most stringent government requirements, including those outlined in the Committee on National Security Systems Policy (CNSSP-15) for government security systems. According to that mandate, every new cryptographically protected product and service that is designed to support U.S. national security systems, as well as operations and partners of the Defense Department, should begin using the Commercial National Security Algorithm Suite 2.0 as soon as possible in January 2027. 

There is a need for Microsoft to act fast when it comes to preparing for a quantum future. It is imperative that the entire digital ecosystem act as well. As individuals and businesses across industries transition to post-quantum cryptography, they must be aware that it is not simply about complying with looming deadlines, but more importantly, about maintaining trust, continuity, and resilience in a rapidly evolving threat environment. 

The benefits of implementing proactive measures in crypto-agility, system modernization, and collaborative research can go far beyond quantum resistance, helping to strengthen defenses against current and emerging cyberattacks, providing businesses with a competitive edge as well as reducing disruption risk. By aligning with the highest standards of digital trust and security, businesses will be able to gain a competitive advantage as well. 

Moreover, governments are also able to utilize this momentum as a means of developing unified policies, advocating for the adoption of interoperable standards, and fostering global cooperation on quantum-safe innovation. To take this next step, people must be willing to share responsibility; as quantum technology advances, they must come together to secure the digital world's foundations as well. Preparation now is crucial for enterprises to turn what is often framed as an looming challenge into an opportunity to transform, innovate, and build resilience not just today, but for generations to come.
Read more »
ToolShell
Canada CSE Cyber Attacks Employee Data Microsoft ToolShell

Canada’s Parliament Probes Data Breach Linked to Microsoft Flaws

 




Canada’s House of Commons has launched an investigation after a cyberattack potentially exposed sensitive staff data, raising questions about whether recently discovered Microsoft vulnerabilities played a role.

According to national media reports, an internal email to parliamentary employees revealed that attackers managed to enter a database containing staff information. The data included names, work emails, job titles, office locations, and details about computers and mobile devices connected to the House of Commons network.

The House of Commons and Canada’s Communications Security Establishment (CSE) are now examining the incident. In a public statement, CSE emphasized that attributing a cyberattack is complex and requires time, resources, and caution before drawing conclusions. In the meantime, staff have been urged to remain alert to suspicious messages or unusual activity.


Possible Link to Microsoft Vulnerabilities

Although officials have not confirmed the exact flaw that was exploited, the mention of a “recent Microsoft vulnerability” has led to speculation. In recent weeks, Canada’s Cyber Centre issued warnings about two critical Microsoft security issues:

  • CVE-2025-53770 (“ToolShell”): A flaw in Microsoft SharePoint servers that has been actively exploited since July. It allows attackers to gain unauthorized access and has been linked to incidents involving government networks and organizations worldwide.
  • CVE-2025-53786: A high-risk bug in Microsoft Exchange that can help attackers move through both cloud and on-premises systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued an emergency order for federal agencies to fix this vulnerability after warning of its potential to cause complete system compromises.


Security researchers, including the monitoring platform Shadowserver, have noted that thousands of systems remain unpatched against these flaws, with hundreds of vulnerable servers still running in Canada.


Global Exploitation of ToolShell

The ToolShell vulnerability in particular has been tied to attacks on multiple high-profile organizations, including U.S. government agencies and European institutions. Reports indicate that both state-sponsored groups and cybercriminal gangs have taken advantage of the flaw in recent months, underlining its severity.


Why Updates Matter

Cybersecurity experts consistently stress the importance of keeping systems updated with the latest patches. Unpatched vulnerabilities provide attackers with open doors into critical infrastructure, government bodies, and private organizations. This latest incident underscores how quickly attackers can move to exploit weaknesses once they are made public.


What Happens Next

For now, the House of Commons and CSE are continuing their investigation, and no final determination has been made about the vulnerability used in the breach. However, the case highlights the ongoing risks posed by unpatched software and the need for constant vigilance by organizations and individuals alike.



Read more »
Technology
AI Chatbot ChatGPT Cloud Google Google Drive Internet Microsoft Technology

How ChatGPT prompt can allow cybercriminals to steal your Google Drive data


Chatbots and other AI tools have made life easier for threat actors. A recent incident highlighted how ChatGPT can be exploited to obtain API keys and other sensitive data from cloud platforms.

Prompt injection attacks leads to cloud access

Experts have discovered a new prompt injection attack that can turn ChatGPT into a hacker’s best friend in data thefts. Known as AgentFlayer, the exploit uses a single document to hide “secret” prompt instructions that target OpenAI’s chatbot. An attacker can share what appears to be a harmless document with victims through Google Drive, without any clicks.

Zero-click threat: AgentFlayer

AgentFlayer is a “zero-click” threat as it abuses a vulnerability in Connectors, for instance, a ChatGPT feature that connects the assistant to other applications, websites, and services. OpenAI suggests that Connectors supports a few of the world’s most widely used platforms. This includes cloud storage platforms such as Microsoft OneDrive and Google Drive.

Experts used Google Drive to expose the threats possible from chatbots and hidden prompts. 

GoogleDoc used for injecting prompt

The malicious document has a 300-word hidden malicious prompt. The text is size one, formatted in white to hide it from human readers but visible to the chatbot.

The prompt used to showcase AgentFlayer’s attacks prompts ChatGPT to find the victim’s Google Drive for API keys, link them to a tailored URL, and an external server. When the malicious document is shared, the attack is launched. The threat actor gets the hidden API keys when the target uses ChatGPT (the Connectors feature has to be enabled).

Othe cloud platforms at risk too

AgentFlayer is not a bug that only affects the Google Cloud. “As with any indirect prompt injection attack, we need a way into the LLM's context. And luckily for us, people upload untrusted documents into their ChatGPT all the time. This is usually done to summarize files or data, or leverage the LLM to ask specific questions about the document’s content instead of parsing through the entire thing by themselves,” said expert Tamir Ishay Sharbat from Zenity Labs.

“OpenAI is already aware of the vulnerability and has mitigations in place. But unfortunately, these mitigations aren’t enough. Even safe-looking URLs can be used for malicious purposes. If a URL is considered safe, you can be sure an attacker will find a creative way to take advantage of it,” Zenith Labs said in the report.

Read more »
Technology
AI App Store ChatGPT DeepSeek-R1 Microsoft Technology

DeepSeek Under Investigation Leading to App Store Withdrawals

 


As one of the world's leading AI players, DeepSeek, a chatbot application developed by the Chinese government, has been a formidable force in the artificial intelligence arena since it emerged in January 2025, launching at the top of the app store charts and reshaping conversations in the technology and investment industries. After initially being hailed as a potential "ChatGPT killer" by industry observers, the platform has been the subject of intense scrutiny since its meteoric rise. 

The DeepSeek platform is positioned in the centre of app store removals, cross-border security investigations, and measured enterprise adoption by August 2025. In other words, we are at the intersection of technological advances, infrastructure challenges, and geopolitical issues that may shape the next phase of the evolution of artificial intelligence in the years ahead. 

A significant regulatory development has occurred in South Korea, with the Personal Information Protection Commission confirming that DeepSeek temporarily suspended the download of its chatbot applications while working with local authorities to address privacy concerns and issues regarding DeepSeek's data assets. On Saturday, the South Korean version of Apple's App Store, as well as Google Play in South Korea, were taken down from their respective platforms, following an agreement with the company to enhance its privacy protection measures before they were relaunched.

It has been emphasised that, although existing mobile users and personal computer users are not affected, officials are urging caution on behalf of the commission; Nam Seok, director of the investigation division, has advised users to remove the app or to refrain from sharing personal information until the issues have been addressed. 

An investigation by Microsoft's security team has revealed that individuals reportedly linked to DeepSeek have been transferring substantial amounts of data using OpenAI's application programming interface (API), which is a core channel for developers and enterprises to integrate OpenAI technology into their products and services. Having become OpenAI's biggest shareholder, Microsoft flagged this unusual activity, triggering a review internally. 

There has been a meteoric rise by DeepSeek in recent days, and the Chinese artificial intelligence startup has emerged as an increasingly prominent competitor to established U.S. companies, including ChatGPT and Claude, whose AI assistant is currently more popular than ChatGPT. On Monday, as a result of a plunge in technology sector stock prices on Monday, the AI assistant surged to overtake ChatGPT in the U.S. App Store downloads. 

There has been growing international scrutiny surrounding the DeepSeek R1 chatbot, which has recently been removed from Apple’s App Store and Google Play in South Korea amid mounting international scrutiny. This follows an admission by the Hangzhou-based company that it did not comply with the laws regulating personal data privacy.

As DeepSeek’s R1 chatbot is lauded as having advanced capabilities at a fraction of its Western competitors’ cost, its data handling practices are being questioned sharply as well. Particularly, how user information is stored on secure servers in the People’s Republic of China has been criticised by the US and others. The Personal Information Protection Commission of South Korea confirmed that the app had been removed from the local app stores at 6 p.m. on Monday. 

In a statement released on Saturday morning (900 GMT), the commission said it had suspended the service due to violations of domestic data protection laws. Existing users can continue using the service, but the commission has urged the public not to provide personal information until the investigation is completed.

According to the PIPC, DeepSeek must make substantial changes so that it can meet Korean privacy standards. A shortcoming that DeepSeek has acknowledged is this. In addition, data security professor Youm Heung-youl, from Soonchunhyang University, further noted that despite the company's privacy policies relating to European markets and other markets, the same policy does not exist for South Korean users, who are subject to a different localised framework. 

In response to an inquiry by Italy's data protection authority, the company has taken steps to ensure the app takes the appropriate precautions with regard to the data that it collects, the sources from which it obtains it, its intended use, legal justifications, and its storage in China. 

While it is unclear to what extent DeepSeek initiated the removal or whether the app store operators took an active role in the process, the development follows the company's announcement last month of its R1 reasoning model, an open-source alternative to ChatGPT, positioned as an alternative to ChatGPT for more cost-effectiveness. 

Government concerns over data privacy have been heightened by the model's rapid success, which led to similar inquiries in Ireland and Italy as well as a cautionary directive from the United States Navy indicating that DeepSeek AI cannot be used because of its origin and operation, posing security and ethical risks. The controversy revolves around the handling and storage of user data at the centre of this controversy.

It has been reported that all user information, including chat histories and other personal information of users, has been transferred to China and stored on servers there. A more privacy-conscious version of DeepSeek's model may be run locally on a desktop computer, though the performance of this offline version is significantly slower than the cloud-connected version that can be accessed on Apple and Android phones. 

DeepSeek's data practices have drawn escalating regulatory attention across a wide range of jurisdictions, including the United States. According to the privacy policies of the company, personal data, including user requests and uploaded files, is stored on servers located in China, which the company also claims it does not store in the U.S. 

As Ulrich Kamp stated in his statement, DeepSeek has not provided credible assurances that data belonging to Germans will be protected to the same extent as data belonging to European Union citizens. He also pointed out that Chinese authorities have access to personal data held by domestic companies with extensive access rights. 

It was Kamp's office's request in May for DeepSeek to either meet EU data transfer requirements or voluntarily withdraw its app, but the company did not do so. The controversy follows DeepSeek's January debut when it said that it had created an AI model that rivalled the ones of other American companies like OpenAI, but at a fraction of the cost. 

Over the past few years, the app has been banned in Italy due to concerns about transparency, as well as restricted access to government devices in the Netherlands, Belgium, and Spain, and the consumer rights organisation OCU has called for an official investigation into the matter. After reports from Reuters alleging DeepSeek's involvement in China's military and intelligence activities, lawmakers are preparing legislation that will prohibit federal agencies from using artificial intelligence models developed by Chinese companies. 

According to the Italian data protection authority, the Guarantor for the Protection of Personal Data, Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence have been requested to provide detailed information concerning the collection and processing of their data. A regulator has requested clarification about which personal data is collected, where the data originates, what the legal basis is for processing, and whether it is stored on Chinese servers. 

There are also other inquiries peopl would like to make regarding the training methodologies used for DeepSeek's artificial intelligence models, such as whether web scraping is involved, and how both registered as well as unregistered users are informed of this data collection. DeepSeek has 20 days to reply to these inquiries. 

As Forrester analysts have warned, the app has been widely adopted — it has been downloaded millions of times, which means that large amounts of potentially sensitive information are being uploaded and processed as a result. Based on DeepSeek's own privacy policy, the company has noted that it may collect user input, audio prompts, uploaded files, feedback, chat histories, and other content for training purposes, and may share these details with law enforcement officials or public authorities as needed. 

Although DeepSeek's models remain freely accessible throughout the world, despite regulatory bans and investigations intensifying in China, developers continue to download, adapt, and deploy them, sometimes independent of the official app or Chinese infrastructure, regardless of the official ban. The technology has become increasingly important in industry analysis, not just as an isolated threat, but as part of a broader shift toward a hardware-efficient, open-weight AI architecture, a trend which has been influenced by players such as Mistral, OpenHermes, and Elon Musk's Grok initiative, among many others.

To join the open-weight reasoning movement, OpenAI has released two open-weight reasoning models, GPTT-OSS-120B and GPTT-OSS-20B, which have been deployed within their infrastructure. During the rapid evolution of the artificial intelligence market, the question is no longer whether open-source AI can compete with existing incumbents—in fact, it already has. 

It is much more pressing to decide who will define the governance frameworks that will earn the trust of the public at a time when artificial intelligence, infrastructure control, and national sovereignty are converging at unprecedented rates. Despite the growing complexity of regulating advanced artificial intelligence in an interconnected, highly competitive global market, the ongoing scrutiny surrounding DeepSeek underscores the importance of governing advanced artificial intelligence. 

As a disruptive technological breakthrough evolved, it became a geopolitical and regulatory hot-button, demonstrating how privacy, security, and data sovereignty have now become a major issue in the race against artificial intelligence. Policymakers will find this case extremely significant because it emphasizes the need for coherent international frameworks that can address cross-border data governance and balance innovation with accountability, as well as addressing cross-border data governance. 

Whether it is enterprises or individuals, it serves to remind them that despite the benefits of cutting-edge AI tools, they come with inherent risks, risks that need to be carefully evaluated before they are adopted. A significant part of the future will be the blurring of the boundaries between local oversight and global accessibility as AI models become increasingly lightweight, hardware-efficient, and widely deployable. 

As a result, trust will not be primarily dependent on technological capability, but also on transparency, verifiable safeguards, and the willingness of developers to adhere to ethical and legal standards in the markets they are trying to serve in this environment. It is clear from the ongoing scrutiny surrounding DeepSeek that in a highly competitive global market, regulating advanced artificial intelligence is becoming increasingly complicated as it becomes increasingly interconnected. 

The initial breakthrough in technology has evolved into a geopolitical and regulatory flashpoint, demonstrating how questions of privacy, security, and data sovereignty have become a crucial element in the race toward artificial intelligence. It is clear from this case that policymakers have a pressing need for international frameworks that can address cross-border data governance and balance innovation with accountability. 

For enterprises and individuals alike, the case serves as a reminder that embracing cutting-edge artificial intelligence tools comes with inherent risks and that the risks must be carefully weighed before adoption can be made. It will become increasingly difficult to distinguish between local oversight and global accessibility as AI models become more open-minded, hardware-efficient, and widely deployable as they become more open-hearted, hardware-efficient, and widely deployable. 

In such a situation, trust will not be solely based on technological capabilities, but also on transparency, verifiable safeguards, as well as the willingness of developers to operate within the ethical and legal guidelines of the market in which they seek to compete.
Read more »
Windows
Artificial Intelligence DevilsTongue Internet malware Microsoft Spyware surveillance Windows

DevilsTongue Spyware Attacking Windows System, Linked to Saudi Arabia, Hungary


Cybersecurity experts have discovered a new infrastructure suspected to be used by spyware company Candiru to target computers via Windows malware.

DevilsTongue spyware targets Windows systems

The research by Recorded Future’s Insikt Group disclosed eight different operational clusters associated with the spyware, which is termed as DevilsTongue. Five are highly active, including clusters linked to Hungary and Saudi Arabia. 

About Candiru’ spyware

According to the report, the “infrastructure includes both victim-facing components likely used in the deployment and [command and control] of Candiru’s DevilsTongue spyware, and higher-tier infrastructure used by the spyware operators.” While a few clusters directly handle their victim-facing infrastructure, others follow an intermediary infrastructure layers approach or through the Tor network, which allows threat actors to use the dark web.

Additionally, experts discovered another cluster linked to Indonesia that seemed to be active until November 2024. Experts couldn’t assess whether the two extra clusters linked with Azerbaijan are still active.

Mode of operation

Mercenary spyware such as DevilsTongue is infamous worldwide, known for use in serious crimes and counterterrorism operations. However, it also poses various legal, privacy, and safety risks to targets, their companies, and even the reporter, according to Recorded Future.

Windows itself has termed the spyware Devil's Tongue. There is not much reporting on its deployment techniques, but the leaked materials suggest it can be delivered via malicious links, man-in-the-middle attacks, physical access to a Windows device, and weaponized files. DevilsTongue has been installed via both threat actor-controlled URLs that are found in spearphishing emails and via strategic website attacks known as ‘watering hole,’ which exploit bugs in the web browser.

Insikt Group has also found a new agent inside Candiru’s network that is suspected to have been released during the time when Candiru’s assets were acquired by Integrity Partners, a US-based investment fund. Experts believe that a different company might have been involved in the acquisition.

How to stay safe?

In the short term, experts from Recorded Future advise defenders to “implement security best practices, including regular software updates, hunting for known indicators, pre-travel security briefings, and strict separation of personal and corporate devices.” In the long term, organizations are advised to invest in robust risk assessments to create effective policies.

Read more »
Multifactor
AI vulnerabilities CISO Cyber Security CyberThreat Google IT Departments market trends MFA Microsoft Multifactor

Market Trends Reveal Urgent Emerging Cybersecurity Requirements

 


During an era of unprecedented digital acceleration and hyperconnectivity, cybersecurity is no longer the sole responsibility of IT departments — it has now become a crucial strategic pillar for businesses of all sizes in an age of hyperconnectivity. 

Recent market trends are signalling an urgent need for a recalibration of cybersecurity priorities, as sophisticated cyber threats are on the rise, regulations are being tightened, and cloud-native technologies are on the rise. Increasingly, businesses and governments are realising that security is no longer merely a technical protection, but rather a foundational component of trust, resilience, and long-term growth. 

There is a growing need in the cybersecurity market for proactive, adaptable, and intelligence-driven defences as a result of the evolving threat landscape and expanding attack surfaces. There is no doubt that the market is speaking louder through investment shifts, vendor realignment, and customer demand, which is why modern cybersecurity must move in lockstep with innovation — otherwise it may turn out to be a costly vulnerability. 

Increasingly, organisations are finding that they are having trouble coping with the speed at which technological innovation and business transformation are taking place. Throughout the year 2025, chief information security officers (CISOs) will be faced with a critical situation where they must defend their organisations not only from evolving threats but also demonstrate that their security programs can be of tangible business value. 

Based on emerging insights, cybersecurity leaders are increasingly focused on ensuring that resilience is embedded at all levels — organisational, team-based, and individual — as a means of maintaining performance and operational continuity when adversity occurs. Based on recent industry trends, nine core capabilities seem to be the most important ones to address this mandate, ranging from how organisations can foster cross-functional collaborations and prevent analyst burnout, as well as how they should ensure teams are educated, aligned, and flexible. 

Keeping a balance between enabling digital transformation and maintaining cyber resilience has become one of the most important challenges of the modern security mandate. If organisations succeed in this endeavour, resilience must be built into their cybersecurity strategy from the beginning, not just as an afterthought. 

Threat actors have evolved from ideology-driven disruptions to monetisation-focused attacks in the age of cybercrime, which has grown into a multi-trillion-dollar industry. They have moved from spam and botnets to crypto mining and now ransomware-as-a-service. In light of the rapid increase in threat sophistication, organisations are being forced to rethink traditional cybersecurity paradigms in an attempt to stay competitive. 

A Chief Information Security Officer (CISO), an IT security leader, or a Managed Service Provider (MSP) who is starting a new role needs to be clear about the objective within the first 100 days of taking on a new role. In order to prevent as many attacks as possible, create friction for cybercriminals, and maintain internal alignment without disrupting IT operations, the most effective method has been to start with prevention. 

One of the most significant characteristics of modern attacks is that up to 90% of them take advantage of macros in Office to deliver remote access tools or malicious payloads. Disabling these macros, often with minimal disruption to business, can reduce exposure to these threats immediately. It is also becoming more common for organisations to adopt applications allowlisting to only allow explicitly approved applications, to block not only malware but also abused legitimate tools, such as TeamViewer and GoToAssist, automatically. 

A behavioural-level control like RingfencingTM also adds a layer of protection to this, preventing allowed applications from executing unauthorised actions and mitigating exploit-based threats such as Follina through the use of behaviour-level controls such as RingfencingTM. Collectively, these proactive controls reflect an important shift towards threat prevention and operational resilience as well. 

In the face of the emergence of generative AI that is deeply embedded within enterprise workflows, a new frontier of cybersecurity has emerged — one that extends well beyond conventional systems into the interaction between employees and artificial intelligence models. What was once considered speculative risks is now becoming a matter of urgency for organisations. 

In recent years, organisations have begun to recognise how important it is to secure how employees interact with artificial intelligence services from both external and internal sources, and have implemented a growing number of solutions designed to monitor and prompt activity, assess data sensitivity, and enforce usage policies. 

In order to maintain regulatory compliance in increasingly AI-aided environments, these controls are crucial for protecting proprietary information as well as for maintaining regulatory compliance. It is also crucial to secure the AI systems that organisations build, including the training datasets they use, the model outputs they use, and the decision logic they use, as well as the systems that they build. Emerging threats, such as prompt injection attacks and model manipulation, emphasise the need for visibility and control tailored specifically to artificial intelligence. 

Due to the impact of AI applications on security, a new class of AI application security tools has been developed, which leads to the establishment of AI system protection as a core discipline of cybersecurity, and raises it to the same level as the security of traditional infrastructures. Increasingly, organisations are adapting to an increasingly perimeterless digital environment, making the need to strengthen basic security controls non-negotiable. 

The multi-factor authentication (MFA) approach is at the forefront of remote access defence as it offers the ability to secure accounts spanning Microsoft 365, Google Workspace, domain registrars, and remote administration tools. MFA offers these accounts a crucial level of security. The use of multi-factor authentication reduces the likelihood that unauthorised access could occur even if credentials have been compromised. It is also vital that least-privilege principles be enforced. 

Despite the fact that attackers can easily install ransomware without administrative privileges, stripping local admin privileges prevents them from disabling security controls and escalating privileges. It has been recommended that users should be given elevated access to specific applications through dedicated tools rather than being given it to an entire group of users. 

In regard to data security, the use of full-disk encryption, such as BitLocker, is essential for preventing unauthorised access to virtual hard disks and tampering. As well as reducing exposure further, the use of granular permissions to access data is also crucial, ensuring that only information pertinent to their function is accessed by users and applications. 

As an example, it is important to limit tools like SSH clients to log files and restrict sensitive financial data to financial roles that do not have access to it. In addition, USB devices should be blocked by default, with a narrowly defined exception for encrypted, sanctioned drives, since they are a common vector for malware and data theft. 

The ability to monitor file activity in real time across endpoints, cloud platforms like OneDrive, and removable media has become increasingly important to the success of any comprehensive security program. This visibility can assist in proactive monitoring and enhance incident response by providing a detailed understanding of data interactions, as well as improving incident response. 

There is a strong possibility that the cybersecurity landscape will become even more complex in the future as digital ecosystems expand, adversaries refine their tactics, and companies pursue accelerated innovation, thereby increasing the complexity of the landscape. As a response, security leaders need to go beyond conventional defensive approaches and create a culture of vigilance, accountability, and adaptability that extends across entire organisations. 

Organisations will need to invest in specialised talent, cross-functional collaboration, and continuous security validation in order to deal with the convergence of IT, AI, cloud, and operational technologies. As well, with a growing number of regulatory scrutiny and stakeholder expectations, cybersecurity is now measured not just by its capability to block threats, but also by how it enables secure growth, safeguards the reputation of its users, and ensures that digital trust is maintained.

A cybersecurity strategy that integrates security seamlessly into business objectives rather than as a barrier will provide organizations with the best chance of navigating the next wave of risk and resilience in an increasingly volatile threat environment by integrating it seamlessly into business objectives. In 2025 and beyond, cybersecurity leadership will be defined by staying proactive, intelligent, and resilient as market forces continue to change the landscape of risk.
Read more »
Windows
Banking Credential Theft Coyote Cybeattacks CyberCrime malware Microsoft RAT Trojon UIA UL Elements Windows

Emerging Threat Uses Windows Tools to Facilitate Banking Credential Theft


An alarming development that underscores how financial cybercrime is evolving is a Windows-based banking trojan dubbed Coyote. It has been observed for the first time that a malware strain leveraging the Microsoft UI Automation (UIA) framework for stealthy extraction of sensitive user data has emerged. It was developed in 2024 by Kaspersky, and it is specifically targeted at Brazilian users. Through its advanced capabilities, Coyote can log keystrokes, record screenshots, and use deceptive overlays on banking login pages that are designed to fool users into providing their information to the malware. 


A security researcher at Akamai has reported that in the latest variant, the legitimate Microsoft UIA component, which is designed to provide accessibility to desktop UI elements for those with disabilities, is exploited to retrieve credentials from websites linked to 75 financial institutions and cryptocurrency platforms via a phishing attack. A novel abuse of an accessibility tool demonstrates that threat actors are becoming increasingly sophisticated in their attempts to circumvent traditional security measures and compromise digital financial ecosystems. 

The Coyote virus first appeared in Latin American cybersecurity in February 2024 and has since been a persistent and damaging threat across the region. Coyote, a banking trojan, was originally used to steal financial information from unsuspecting users by using traditional methods, such as keylogging and phishing overlays. 

Despite being classified as a banking trojan, its distribution mechanism is based on the popular Squirrel installer, a feature which is also the inspiration for its name, a reference to the coyote-squirrel relationship, which is a predator-prey relationship. It was not long ago that Coyote began targeting Brazilian businesses, with the intent of deploying an information-stealing Remote Access Trojan (RAT) in their networks in an effort to steal information. 

After the malware was discovered, cybersecurity researchers began to discover critical insight into its behaviour as soon as it became apparent. The Fortinet company released a comprehensive technical report in January 2025 that detailed Coyote's attack chain, including the methods used to propagate the attack and the techniques used to infiltrate the system. In the evolution of Coyote from conventional credential theft to sophisticated abuse of legitimate accessibility frameworks, one can see a common theme in modern malware development—a trend in which native system utilities are retooled to facilitate covert surveillance and data theft. 

Through innovation and stealth, Coyote is proving to be an excellent example of how regionally focused threats can rapidly escalate into globally significant risks through the use of innovation and stealth. The Coyote malware has evolved significantly in its attack methodology since its previous appearance in 2015, which has prompted cybersecurity professionals to have new concerns. 

Since December 2024, Akamai researchers have been following Coyote closely, and they have found out that earlier versions of the malware have mainly relied on keylogging and phishing overlays to steal login credentials from users of 75 targeted banking and cryptocurrency websites. However, users had to access financial applications outside of traditional web browsers in order for these methods to work, meaning that browser-based sessions largely remained safe. 

In contrast, Coyote's newest version, which was released earlier this year, demonstrates a markedly higher level of sophistication. Using Microsoft's UI Automation framework (UIA), Coyote can now detect and analyse banking and crypto exchange websites that are open directly within browsers by utilising its Microsoft UI Automation framework. As a result of this enhancement, malware is now able to identify financial activity more accurately and extract sensitive information even from less vulnerable sessions, significantly increasing the scope and impact of the malware. 

With stealth and precision, the Coyote malware activates on a victim's computer as soon as the program they are infected with—typically through the widely used Squirrel installer—is executed on their system. As soon as the malware has been installed, it runs silently in the background, gathering fundamental system details as well as continuously monitoring all active programs and windows. One of the primary objectives of this malware is to detect interactions with cryptocurrency platforms or banking services.

If Coyote detects such activity, it utilises the UI Automation framework (UIA) to programmatically read the content displayed on the screen, bypassing traditional input-based detection mechanisms. Furthermore, the malware is capable of extracting web addresses directly from browser tabs or the address bar, cross-referenced to a predefined list of financial institutions and crypto exchanges that are targeted. This further elevates the malware's threat profile. 

Upon finding a match, the tool initiates a credential harvesting operation that is aimed at capturing credentials such as login information and wallet information. As of right now, Coyote appears to have a geographic focus on Brazilian users, targeting companies like Banco do Brasil, Santander, as well as global platforms like Binance, as well. 

Although it is unlikely that this regional concentration will remain static for long, threat actors often launch malware campaigns in limited geographies for the purpose of testing them out before attempting to spread their campaign to a broader audience. Among the latest versions of Coyote malware, there is an impressive combination of technical refinement and operational stealth that sets it apart from typical financial Trojans in terms of performance.

It is particularly noteworthy that it utilises Microsoft's UI Automation framework to look directly at application window content to be able to steal sensitive information without having to rely on visible URLs or browser titles. There are no longer any traditional techniques for this variant that rely on keylogging or phishing overlays, but rather rely on UI-level reconnaissance that allows it to identify and engage with targeted Brazilian cryptocurrency and banking platforms with remarkable subtlety. Further increasing its evasiveness is its ability to operate offline. 

By doing so, it can gather and scan data without requiring a connection to the command-and-control (C2) server. In order to initiate an attack sequence, the malware first profiles the infected system, obtaining information such as the name of the device, the operating system version, and the credentials of the user. As a result, Coyote scans the titles of active windows in an attempt to find financial platforms that are well-known. 

If no direct match is found, Coyote escalates its efforts by parsing the visual user interface elements via the UIA interface, resulting in critical data such as URLs and tab labels that are crucial for the application. As soon as the application detects a target, it uses an array of credential harvesting techniques, which include token interception and direct access to usernames and passwords.

Although the current campaign remains focused in Brazil, the fact that Coyote can operate undetected at the user interface layer and that it uses native Windows APIs poses a serious and scalable threat to businesses across the globe. Considering its offline functionality, small network footprint, and ability to evade standard security solutions, it is a potent reminder that legitimate system tools can be repurposed to quietly undermine digital defences complex cybersecurity landscape that is getting ever more complex. 

Cybersecurity is rapidly evolving, and it is becoming increasingly apparent to us that the dynamic between threat actors and defenders has become more of a high-stakes game, where innovation can change the balance quite rapidly between the two sides. A case study such as the Coyote malware underscores the fact that even system components which appear harmless, such as Microsoft's UI Automation (UIA) framework, can be exploited to achieve malicious objectives. 

Although UIA was created to enhance accessibility and usability, the abuse of the tool by advanced malware proves the inherent risks associated with native tools that are trusted. The objective of security researchers is to give defenders a better understanding of the inner workings and methods employed by Coyote, so they can detect, mitigate, and respond more effectively to such stealthy intrusions. 

It is important to note that the exploitation of UIA as an attack vector is not simply a tactic that is used for a single attack-it signals a shift in adversarial strategy that emphasises invisibility and manipulation of systems. Organisations must strengthen their security posture by observing how legitimate technologies may be repurposed as a means to commit cybercrime, as well as staying vigilant against threats that blur the line between utility and vulnerability. 

There is no question that the advent of Coyote malware marked a turning point in the evolution of cyber threats. It underscores the growing abuse of legitimate system tools for malicious purposes as well. Using Microsoft's UI Automation framework (UIA), an accessibility feature which was created to support users with disabilities, Coyote illustrates to us that trusted functionality could be repurposed to steal information from systems by silently infiltrating them. 

The malware operations of this company, which are currently focused on Brazilian financial institutions and crypto exchanges, represent the emerging trend toward stealth-driven malware campaigns that target specific regions of the globe. A call to action has been issued to defenders by this evolution, as traditional security tools that are based on network-based detection or signature matching may not be up to the task of combating threats that operate entirely within the user interface layer and do not require the use of command-and-control communications. 

Consequently, organisations have to develop more nuanced strategies to keep their data secure, such as behavioural monitoring, heuristic analysis, and visibility of native API usage. As a further precaution, maintaining strict controls over software distribution methods, such as Squirrel installers, is also a great way to prevent the spread of early-stage infections. By adopting a silent, system-native approach, Coyote reflects a change in the cyber threat landscape, shifting away from overt, disruptive attacks to covert, credential-stealing surveillance. 

Coyote utilizes low-noise approaches to achieve maximum data exfiltration, often as part of long-term campaigns, in order to evade detection, resulting in maximum data exfiltration. This demonstrates the sophistication of modern malware and the urgent need for adaptive cybersecurity frameworks to cope with these threats. In addition to exploiting UIA, it is also likely that it will result in more widespread abuse of accessibility features that have traditionally been overlooked in security planning, and which may eventually become a major security concern.

As threat actors continue to refine their approaches, companies need to be vigilant, rethink what constitutes potential attack surfaces, and take measures to detect threats as soon as possible. Coyote is an example of malware that requires a combination of stronger tools, as well as a deeper understanding of the way even helpful technology can be turned into a security liability quickly if it is misused.
Read more »
Windows
Coyote Data Theft malware Microsoft UIA Windows

New Coyote Malware Variant Exploits Windows Accessibility Tool for Data Theft

 




A recently observed version of the banking malware known as Coyote has begun using a lesser-known Windows feature, originally designed to help users with disabilities, to gather sensitive information from infected systems. This marks the first confirmed use of Microsoft’s UI Automation (UIA) framework by malware for this purpose in real-world attacks.

The UI Automation framework is part of Windows’ accessibility system. It allows assistive tools, such as screen readers, to interact with software by analyzing and controlling user interface (UI) elements, like buttons, text boxes, and navigation bars. Unfortunately, this same capability is now being turned into a tool for cybercrime.


What is the malware doing?

According to recent findings from cybersecurity researchers, this new Coyote variant targets online banking and cryptocurrency exchange platforms by monitoring user activity on the infected device. When a person accesses a banking or crypto website through a browser, the malware scans the visible elements of the application’s interface using UIA. It checks things like the tab names and address bar to figure out which website is open.

If the malware recognizes a target website based on a preset list of 75 financial services, it continues tracking activity. This list includes major banks and crypto platforms, with a focus on Brazilian users.

If the browser window title doesn’t give away the website, the malware digs deeper. It uses UIA to scan through nested elements in the browser, such as open tabs or address bars, to extract URLs. These URLs are then compared to its list of targets. While current evidence shows this technique is being used mainly for tracking, researchers have also demonstrated that it could be used to steal login credentials in the future.


Why is this alarming?

This form of cyberattack bypasses many traditional security tools like antivirus programs or endpoint detection systems, making it harder to detect. The concern grows when you consider that accessibility tools are supposed to help people with disabilities not become a pathway for cybercriminals.

The potential abuse of accessibility features is not limited to Windows. On Android, similar tactics have long been used by malicious apps, prompting developers to build stricter safeguards. Experts believe it may now be time for Microsoft to take similar steps to limit misuse of its accessibility systems.

While no official comment has been made regarding new protections, the discovery highlights how tools built for good can be misused if not properly secured. For now, the best defense remains being careful, both from users and from developers of operating systems and applications.



Read more »
Windows
Apple Google Internet Microsoft Passkeys Passwords Technology Windows

Ditch Passwords, Use Passkeys to Secure Your Account

Ditch Passwords, Use Passkeys to Secure Your Account

Ditch passwords, use passkeys

Microsoft and Google users, in particular, have been warned about ditching passwords for passkeys. Passwords are easy to steal and can unlock your digital life. Microsoft has been at the forefront, confirming it will delete passwords for more than a billion users. Google, too, has warned that most of its users will have to add passkeys to their accounts. 

What are passkeys?

Instead of a username and password, passkeys use our device security to log into our account. This means that there is no password to hack and no two-factor authentication codes to bypass, making it phishing-resistant.

At the same time, the Okta team warned that it found threat actors exploiting v0, an advanced GenAI tool made by Vercelopens, to create phishing websites that mimic real sign-in webpages

Okta warns users to not use passwords

A video shows how this works, raising concerns about users still using passwords to sign into their accounts, even when backed by multi-factor authentication, and “especially if that 2FA is nothing better than SMS, which is now little better than nothing at all,” according to Forbes. 

According to Okta, “This signals a new evolution in the weaponization of GenAI by threat actors who have demonstrated an ability to generate a functional phishing site from simple text prompts. The technology is being used to build replicas of the legitimate sign-in pages of multiple brands, including an Okta customer.”

Why are passwords not safe?

It is shocking how easy a login webpage can be mimicked. Users should not be surprised that today’s cyber criminals are exploiting and weaponizing GenAI features to advance and streamline their phishing attacks. AI in the wrong hands can have massive repercussions for the cybersecurity industry.

According to Forbes, “Gone are the days of clumsy imagery and texts and fake sign-in pages that can be detected in an instant. These latest attacks need a technical solution.”

Users are advised to add passkeys to their accounts if available and stop using passwords when signing in to their accounts. Users should also ensure that if they use passwords, they should be long and unique, and not backed up by SMS 2-factor authentication. 

Read more »
Windows
AI Email Internet Microsoft Ransomware Technology Windows

Microsoft Defender for Office 365 Will Now Block Email Bombing Attacks



Microsoft Defender for Office 365 Will Now Block Email Bombing Attacks

Microsoft Defender for Office 365, a cloud-based email safety suite, will automatically detect and stop email-bombing attacks, the company said.  Previously known as Office 365 Advanced Threat Protection (Office 365 ATP), Defender for Office 365 safeguards businesses operating in high-risk sectors and dealing with advanced threat actors from harmful threats originating from emails, collaboration tools, and links. 

"We're introducing a new detection capability in Microsoft Defender for Office 365 to help protect your organization from a growing threat known as email bombing," Redmond said in a Microsoft 365 message center update. These attacks flood mailboxes with emails to hide important messages and crash systems. The latest ‘Mail Bombing’ identification will spot and block such attempts, increasing visibility for real threats. 

About the new feature

The latest feature was rolled out in June 2025, toggled as default, and would not require manual configuration. Mail Bombing will automatically send all suspicious texts to the Junk folder. It is now available for security analysts and admins in Threat Explorer, Advanced Hunting, the Email entity page, the Email summary panel, and the Email entity page. 

About email bombing attacks

In mail bombing campaigns, the attackers spam their victims’ emails with high volumes of messages. This is done by subscribing users to junk newsletters and using specific cybercrime services that can send thousands or tens of thousands of messages within minutes. The goal is to crash email security systems as a part of social engineering attacks, enabling ransomware attacks and malware to extract sensitive data from victims. These attacks have been spotted for over a year, and used by ransomware gangs. 

Mode of operation

BlackBast gang first used email bombing to spam their victims’ mailboxes. The attackers would later follow up and pretend to be IT support teams to lure victims into allowing remote access to their devices via AnyDesk or the default Windows Quick Assist tool. 

After gaining access, threat actors install malicious tools and malware that help them travel laterally through the corporate networks before installing ransomware payloads.

Read more »
Teams API
ATO Azure cloud storage Credential CyberCrime Cyberhackers Data Breach Microsfot Entra ID Microsoft Passwords Teams API

Microsoft Entra ID Faces Surge in Coordinated Credential-Based Attacks

An extensive account takeover (ATO) campaign targeting Microsoft Entra ID has been identified by cybersecurity experts, exploiting a powerful open-source penetration testing framework known as TeamFiltration. 

First detected in December 2024, the campaign has accelerated rapidly, compromising more than 80,000 user accounts across many cloud environments over the past several years. It is a sophisticated and stealthy attack operation aimed at breaching enterprise cloud infrastructure that has been identified by the threat intelligence firm Proofpoint with the codename UNK_SneakyStrike, a sophisticated and stealthy attack operation. 

UNK_SneakyStrike stands out due to its distinctive operational pattern, which tends to unfold in waves of activity throughout a single cloud environment often targeting a broad spectrum of users. The attacks usually follow a period of silent periods lasting between four and five days following these aggressive bursts of login attempts, a tactic that enables attackers to avoid triggering traditional detection mechanisms while maintaining sustained pressure on organizations' defence systems. 

Several technical indicators indicate that the attackers are using TeamFiltration—a sophisticated, open-source penetration testing framework first introduced at the Def Con security conference in 2022—a framework that is highly sophisticated and open source. As well as its original purpose of offering security testing and red teaming services in enterprises, TeamFiltration is now being used by malicious actors to automate large-scale user enumeration, password spraying, and stealthy data exfiltration, all of which are carried out on a massive scale by malicious actors. 

To simulate real-world account takeover scenarios in Microsoft cloud environments, this tool has been designed to compromise Microsoft Entra ID, also known as Azure Active Directory, in an attempt to compromise these accounts. It is important to know that TeamFiltration's most dangerous feature is its integration with the Microsoft Teams APIs, along with its use of Amazon Web Services (AWS) cloud infrastructure to rotate the source IP addresses dynamically. 

Not only will this strategy allow security teams to evade geofencing and rate-limiting defences, but also make attribution and traffic filtering a significant deal more challenging. Additionally, the framework features advanced functionalities that include the ability to backdoor OneDrive accounts so that attackers can gain prolonged, covert access to compromised systems without triggering immediate alarms, which is the main benefit of this framework. 

A combination of these features makes TeamFiltration a useful tool for long-term intrusion campaigns as it enhances an attacker's ability to keep persistence within targeted networks and to siphon sensitive data for extended periods of time. By analysing a series of distinctive digital fingerprints that were discovered during forensic analysis, Proofpoint was able to pinpoint both the TeamFiltration framework and the threat actor dubbed UNK_SneakyStrike as being responsible for this malicious activity. 

As a result, there were numerous issues with the tool, including a rarely observed user agent string, hardcoded client identifications for OAuth, and a snapshot of the Secureworks FOCI project embedded within its backend architecture that had been around for quite some time. As a result of these technical artefacts, researchers were able to trace the attack's origin and misuse of tools with a high degree of confidence, enabling them to trace the campaign's origin and tool misuse with greater certainty. 

An in-depth investigation of the attack revealed that the attackers were obfuscating and circumventing geo-based blocking mechanisms by using Amazon Web Services (AWS) infrastructure spanning multiple international regions in order to conceal their real location. A particularly stealthy manoeuvre was used by the threat actors when they interacted with the Microsoft Teams API using a "sacrificial" Microsoft Office 365 Business Basic account, which gave them the opportunity to conduct covert account enumeration activities. 

Through this tactic, they were able to verify existing Entra ID accounts without triggering security alerts, thereby silently creating a map of user credentials that were available. As a result of the analysis of network telemetry, the majority of malicious traffic originated in the United States (42%). Additional significant activity was traced to Ireland (11%) and the United Kingdom (8%) as well. As a consequence of the global distribution of attack sources, attribution became even more complex and time-consuming, compromising the ability to respond efficiently. 

A detailed advisory issued by Proofpoint, in response to the campaign, urged organisations, particularly those that rely on Microsoft Entra ID for cloud identity management and remote access-to initiate immediate mitigations or improvements to the system. As part of its recommendations, the TeamFiltration-specific user-agent strings should be flagged by detection rules, and multi-factor authentication (MFA) should be enforced uniformly across all user roles, based on all IP addresses that are listed in the published indicators of compromise (IOCs). 

It is also recommended that organisations comply with OAuth 2.0 security standards and implement granular conditional access policies within Entra ID environments to limit potential exposure to hackers. There has been no official security bulletin issued by Microsoft concerning this specific threat, but internal reports have revealed that multiple instances of unauthorised access involving enterprise accounts have been reported. This incident serves as a reminder of the risks associated with dual-use red-teaming tools such as TeamFiltration, which can pose a serious risk to organisations. 

There is no doubt in my mind that such frameworks are designed to provide legitimate security assessments, however, as they are made available to the general public, they continue to raise concerns as they make it more easy for threat actors to use them to gain an advantage, blurring the line between offensive research and actual attack vectors as threats evolve. 

The attackers during the incident exploited the infrastructure of Amazon Web Services (AWS), but Amazon Web Services (AWS) reiterated its strong commitment to promoting responsible and lawful use of its cloud platform. As stated by Amazon Web Services, in order to use its resources lawfully and legally, all customers are required to adhere to all applicable laws and to adhere to the platform's terms of service. 

A spokesperson for Amazon Web Services explained that the company maintains a clearly defined policy framework that prevents misappropriation of its infrastructure. As soon as a company receives credible reports that indicate a potential violation of these policies, it initiates an internal investigation and takes appropriate action, such as disabling access to content that is deemed to be violating the company's terms. As part of this commitment, Amazon Web Services actively supports and values the global community of security researchers. 

Using the UNK_SneakyStrike codename, the campaign has been classified as a highly orchestrated and large-scale operation that is based on the enumeration of users and password spraying. According to researchers at Proofpoint, these attempts to gain access to cloud computing services usually take place in bursts that are intense and short-lived, resulting in a flood of credentials-based login requests to cloud environments. Then, there is a period of quietness lasting between four and five days after these attacks, which is an intentional way to prevent continuous detection and prolong the life cycle of the campaign while enabling threat actors to remain evasive. 

A key concern with this operation is the precision with which it targets its targets, which makes it particularly concerning. In the opinion of Proofpoint, attackers are trying to gain access to nearly all user accounts within the small cloud tenants, while selectively targeting particular users within the larger enterprise environments. 

TeamFiltration's built-in filtering capabilities, which allow attackers to prioritise the highest value accounts while avoiding detection by excessive probing, are a calculated approach that mirrors the built-in filtering capabilities of TeamFiltration. This situation underscores one of the major challenges the cybersecurity community faces today: tools like TeamFiltration that were designed to help defenders simulate real-world attacks are increasingly being turned against organisations, instead of helping them fight back. 

By weaponizing these tools, threat actors can infiltrate cloud infrastructure, extract sensitive data, establish long-term access, and bypass conventional security controls, while infiltrating it, extracting sensitive data, and establishing long-term control. In this campaign, we are reminded that dual-purpose cybersecurity technologies, though essential for improving organization resilience, can also pose a persistent and evolving threat when misappropriated. 

As the UNK_SneakyStrike campaign demonstrates, the modern threat landscape continues to grow in size and sophistication, which is why it is imperative that cloud security be taken into account in a proactive, intelligence-driven way. Cloud-native organisations must take steps to enhance their threat detection capabilities and go beyond just reactive measures by investing in continuous threat monitoring, behavioural analytics, and threat hunting capabilities tailored to match their environments' needs. 

In the present day, security strategies must adapt to the dynamic nature of cloud infrastructure and the growing threat of identity-based attacks, which means relying on traditional perimeter defences or static access controls will no longer be sufficient. In order to maintain security, enterprise defenders need to routinely audit their identity and access management policies, verify that integrated third-party applications are secure, and review logs for anomalies indicative of low-and-slow intrusion patterns. 

In order to build a resilient ecosystem that can withstand emerging threats, cloud service providers, vendors, and enterprise security teams need to work together in order to create a collaborative ecosystem. As an added note, cybersecurity community members must engage in ongoing discussions about how dual-purpose security tools should be distributed and governed to ensure that innovation intended to strengthen defences is not merely a weapon that compromises them, but rather a means of strengthening those defences. 

The ability to deal with advanced threats requires agility, visibility, and collaboration in order for organisations to remain resilient. There is no doubt that organisations are more vulnerable to attacks than they were in the past, but they can minimise exposure, contain intrusions quickly, and ensure business continuity despite increasingly coordinated, deceptive attack campaigns if they are making use of holistic security hygiene and adopting a zero-trust architecture.

Read more »
Weather Forecast
AI Model Global Climate Microsoft Technology Weather Forecast

Microsoft's Latest AI Model Outperforms Current Weather Forecasting

 

Microsoft has created an artificial intelligence (AI) model that outperforms current forecasting methods in tracking air quality, weather patterns, and climate-affected tropical storms, according to studies published last week.

The new model, known as Aurora, provided 10-day weather forecasts and forecasted hurricane courses more precisely and quickly than traditional forecasting, and at a lower cost, according to researchers who published their findings in journal Nature. 

"For the first time, an AI system can outperform all operational centers for hurricane forecasting," noted senior author Paris Perdikaris, an associate professor of mechanical engineering at the University of Pennsylvania.

Aurora, trained just on historical data, was able to estimate all hurricanes in 2023 more precisely than operational forecasting centres such as the US National Hurricane Centre. Traditional weather prediction models are based on fundamental physics principles such as mass, momentum, and energy conservation, and therefore demand significant computing power. The study found that Aurora's computing expenses were several hundred times cheaper. 

The trial results come on the heels of the Pangu-meteorological AI model developed and unveiled by Chinese tech giant Huawei in 2023, and might mark a paradigm shift in how the world's leading meteorological agencies predict weather and possibly deadly extreme events caused by global warming. According to its creators, Aurora is the first AI model to regularly surpass seven forecasting centres in predicting the five-day path of deadly storms. 

Aurora's simulation, for example, correctly predicted four days in advance where and when Doksuri, the most expensive typhoon ever recorded in the Pacific, would reach the Philippines. Official forecasts at the time, in 2023, showed it moving north of Taiwan. 

Microsoft's AI model also surpassed the European Centre for Medium-Range Weather Forecasts (ECMWF) model in 92% of 10-day worldwide forecasts, on a scale of about 10 square kilometres (3.86 square miles). The ECMWF, which provides forecasts for 35 European countries, is regarded as the global standard for meteorological accuracy.

In December, Google announced that its GenCast model has exceeded the European center's accuracy in more than 97 percent of the 1,320 climate disasters observed in 2019. Weather authorities are closely monitoring these promising performances—all experimental and based on observed phenomena.
Read more »
Subscribe to: Posts (Atom)