Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label cyber attack. Show all posts
Polymorphic Attack
cyber attack Google malware Online Scams Phishing Attack Polymorphic Attack

New Polymorphic Attack Enables Malicious Chrome Extensions to Impersonate Password Managers and Banking Apps

Researchers at SquareX Labs have uncovered a sophisticated “polymorphic” attack targeting Google Chrome extensions, allowing malicious extensions to seamlessly morph into trusted ones, such as password managers, cryptocurrency wallets, and banking apps. The attack exploits Chrome’s ‘chrome.management’ API to gain insights into the user’s installed extensions and then impersonates them to steal sensitive information. 

The attack begins when an unsuspecting user installs a seemingly legitimate extension—such as an AI-powered marketing tool—through the Chrome Web Store. Once installed, the extension gains access to the list of other installed extensions using the ‘chrome.management’ API. If this permission is not granted, attackers can use a stealthier approach, injecting malicious code into web pages to detect installed extensions based on unique resource requests. 

This information is then sent to an attacker-controlled server, which determines whether a targeted extension is present. If a high-value target, such as a password manager, is detected, the malicious extension initiates the impersonation process. SquareX demonstrated how attackers could disable a legitimate extension, like 1Password, using the ‘chrome.management’ API or by manipulating the user interface to hide it. Simultaneously, the malicious extension changes its name, icon, and behavior to mimic the real one. 
To lure victims into entering their credentials, attackers deploy deceptive tactics, such as displaying fake session expiration messages that prompt users to log back in via a phishing form.

The stolen credentials are then sent to the attackers, after which the malicious extension reverts to its original state and re-enables the genuine extension, making detection nearly impossible. 

SquareX Labs has responsibly disclosed the vulnerability to Google, warning that it remains exploitable even in the latest Chrome version. The researchers recommend that Google strengthen security measures by restricting abrupt extension modifications, such as icon or HTML changes, or at the very least, issuing user alerts when such modifications occur. They also criticize Google’s classification of the ‘chrome.management’ API as a “medium risk,” given its extensive use in widely trusted extensions, including ad blockers and password managers. 

As of now, Google has not implemented any direct countermeasures against this attack. BleepingComputer has reached out to the company for a statement and will update its report accordingly. Meanwhile, users are advised to exercise caution when installing Chrome extensions and to be wary of unusual login prompts that could be phishing attempts.
Read more »
Ransomware attack
cyber attack Cybersecurity Breach Data Breach data security Lee Enterprises newspaper hack Ransomware attack

Lee Enterprises Confirms Ransomware Attack Impacting 75+ Publications

 

Lee Enterprises, a major newspaper publisher and the parent company of The Press of Atlantic City, has confirmed a ransomware attack that disrupted operations across at least 75 publications. The cybersecurity breach caused widespread outages, impacting the distribution of printed newspapers, subscription services, and internal business operations.

The attack, first disclosed to the Securities and Exchange Commission (SEC) on February 3, led to significant technology failures, affecting essential business functions. In an official update to the SEC, Lee Enterprises reported that hackers gained access to its network, encrypted key applications, and extracted files—common tactics associated with ransomware incidents.

As a result of the attack, the company's ability to deliver newspapers, process billing and collections, and manage vendor payments was severely affected. “The incident impacted the Company’s operations, including distribution of products, billing, collections, and vendor payments,” Lee Enterprises stated in its SEC filing.

With a vast portfolio of 350 weekly and specialty publications spanning 25 states, Lee Enterprises is now conducting a forensic investigation to assess the extent of the data breach. The company aims to determine whether hackers accessed personal or sensitive information belonging to subscribers, employees, or business partners.

By February 12, the company had successfully restored distribution for its core publications. However, weekly and ancillary publications are still facing disruptions, accounting for approximately five percent of the company's total operating revenue. While recovery efforts are underway, full restoration of all affected services is expected to take several weeks.

Cybersecurity experts have warned that ransomware attacks targeting media organizations can have severe consequences, including financial losses, reputational damage, and compromised data security. The increasing frequency of such incidents highlights the urgent need for media companies to strengthen their cybersecurity defenses against evolving cyber threats.

Growing Cybersecurity Threats in the Media Industry


The publishing industry has become an attractive target for cybercriminals due to its reliance on digital infrastructure for content distribution, subscription management, and advertising revenue. Recent high-profile cyberattacks on media organizations have demonstrated the vulnerability of traditional and digital publishing operations.

While Lee Enterprises has not yet disclosed whether a ransom demand was made, ransomware attacks typically involve hackers encrypting critical data and demanding payment for its release. Cybersecurity experts caution against paying ransoms, as it does not guarantee full data recovery and may encourage further attacks.

As Lee Enterprises continues its recovery process, the company is expected to implement stronger cybersecurity measures to prevent future breaches. The incident serves as a reminder for organizations across the media sector to enhance their security protocols, conduct regular system audits, and invest in advanced threat detection technologies.
Read more »
Password Manager
Credentials cyber attack Cybersecurity Digital Security Hacking Infostealer malware MFA Password Manager

Cybercriminals Intensify Attacks on Password Managers

 

Cybercriminals are increasingly setting their sights on password managers as a way to infiltrate critical digital accounts.

According to Picus Security’s Red Report 2025, which analyzed over a million malware samples from the past year, a quarter (25%) of all malware now targets credentials stored in password managers. Researchers noted that this marks a threefold surge compared to the previous year.

“For the first time ever, stealing credentials from password stores is in the top 10 techniques listed in the MITRE ATT&CK Framework,” they said. “The report reveals that these top 10 techniques accounted for 9Beyond the growing frequency of attacks, hackers are also deploying more advanced techniques. 3% of all malicious actions in 2024.”

Advanced Hacking Techniques

Dr. Suleyman Ozarslan, co-founder and VP of Picus Labs, revealed that cybercriminals use sophisticated methods like memory scraping, registry harvesting, and breaching both local and cloud-based password stores to extract credentials.

To counter this rising threat, Ozarslan emphasized the importance of using password managers alongside multi-factor authentication (MFA). He also warned against password reuse, particularly for password.

Beyond the growing frequency of attacks, hackers are also deploying more advanced techniques. Picus Security highlighted that modern cybercriminals are now favoring long-term, multi-stage attacks that leverage a new generation of malware. These advanced infostealers are designed for stealth, persistence, and automation.

Researchers compared this evolution in cyber threats to “the perfect heist,” noting that most malware samples execute over a dozen malicious actions to bypass security defenses, escalate privileges, and exfiltrate data.

A password manager is a cybersecurity tool that securely stores, generates, and auto-fills strong passwords across websites and apps. By eliminating the need to remember multiple passwords, it strengthens security and reduces the risk of breaches. Experts consider it an essential component of cybersecurity best practices.
Read more »
News
Chinese Hackers cyber attack Cyber-Espionage cyberattacks trending news cybersecurity news News

Chinese Hackers Exploit SSH Daemon to Maintain Persistent Access in Cyber-Espionage Operations

 

A sophisticated cyber-espionage campaign attributed to the Chinese hacking group Evasive Panda, also known as DaggerFly, has been uncovered, targeting network appliances through a newly identified attack suite. According to cybersecurity researchers at Fortinet’s FortiGuard Labs, the attackers are leveraging a malicious toolkit named ELF/Sshdinjector.A!tr, injecting malware into the SSH daemon (SSHD) to establish long-term access and execute covert operations. 

Active since at least mid-November 2024, this attack method enables unauthorized control over compromised systems. While the initial entry point remains unclear, once infiltrated, a dropper module determines whether the device is already infected and assesses its privilege level. If running under root permissions, the malware deploys multiple binaries, including libssdh.so, which serves as the primary backdoor responsible for command-and-control (C2) communication and data exfiltration. 

Additional components such as “mainpasteheader” and “selfrecoverheader” are used to maintain persistence. The injected SSH library covertly monitors and executes commands received from a remote C2 server, allowing the attackers to conduct system reconnaissance, steal credentials, manipulate files, and execute arbitrary commands. 

The malware supports fifteen different functions, ranging from collecting system details and listing active processes to reading sensitive user data and gaining remote shell access. It can also upload and download files, delete specific records, rename files, and notify the attacker when the malware is active. 

Despite previous detections of similar threats, FortiGuard’s research is the first to provide a detailed analysis of how ELF/Sshdinjector.A!tr operates. The group behind this attack, Evasive Panda, has been active since 2012 and has previously conducted cyber-espionage campaigns, including supply chain attacks via ISPs in Asia and targeted intelligence collection from U.S. organizations. 

The group was also recently linked to deploying a novel macOS backdoor. Notably, Fortinet researchers leveraged AI-assisted tools to aid in the malware’s reverse engineering process. While challenges such as hallucinations, extrapolation errors, and omissions were encountered, the experiment demonstrated AI’s growing potential in cybersecurity research. 

Fortinet assures that its customers are already protected against this threat through its FortiGuard AntiVirus service, which detects the malware as ELF/Sshdinjector.A!tr and Linux/Agent.ACQ!tr. The company has also provided hashes of identified samples on VirusTotal for further investigation by the security community.
Read more »
Security threats
cyber attack Cyber Attacks Globe Life News Security threats

Globe Life Data Breach Affects 850,000 Customers, Investigation Reveals

Insurance provider Globe Life has revealed that a data breach from June 2024 was far more extensive than initially believed. While early reports in October 2024 suggested that around 5,000 customers were impacted, the company’s latest investigation indicates that approximately 850,000 policyholders may have had their personal data compromised. 

The breach was initially detected in a subsidiary, American Income Life Insurance Company. At the time, Globe Life reported a limited impact but acknowledged the possibility of more affected individuals. 

Further findings now confirm that an unidentified cybercriminal gained access to databases maintained by independent agency owners, exposing a wide range of sensitive customer information. Stolen data includes full names, Social Security numbers, phone numbers, email addresses, home addresses, birth dates, health records, and insurance policy details. 

In response, Globe Life took immediate action to secure its systems, restricting external access to the compromised portal. According to its SEC filing, the company was targeted by an extortion attempt but chose not to meet the ransom demands. The insurer maintains that its primary IT infrastructure and data encryption systems remained intact despite the breach. 

As a precaution, Globe Life is offering credit monitoring services to potentially affected customers. However, cybersecurity experts recommend that policyholders take extra steps to protect themselves, including signing up for identity theft protection, keeping a close watch on financial statements, and being alert to phishing attempts. Cybercriminals frequently use stolen data to create deceptive emails and messages aimed at obtaining further personal or financial information. 

Customers are advised to be cautious when receiving unexpected communications via email, text, or social media. Any unsolicited messages containing links or attachments should be avoided. Installing reliable antivirus software on personal devices can also help protect against malware that may be embedded in phishing attempts. 

Despite the scale of the breach, Globe Life has stated that it does not expect any disruptions to its business operations. However, customers should update their passwords and remain vigilant against potential fraud in the coming months.
Read more »
Ransomware attack
Attack on NYBC cyber attack Cyber Attacks News NYBC Ransomware attack

Ransomware Attack Disrupts New York Blood Center Operations Amid Critical Shortage

 

The New York Blood Center (NYBC), a major provider of blood products and transfusion services in the U.S., suffered a ransomware attack on Sunday, leading to operational disruptions and the cancellation of some donor appointments. 

The cyberattack comes at a time when the center is already struggling with a significant drop in blood donations, further straining supply levels. 

NYBC, which collects approximately 4,000 units of blood daily and supports over 500 hospitals across multiple states, detected the security breach over the weekend of January 26. 
After noticing unusual activity within its IT systems, the organization swiftly enlisted cybersecurity experts to investigate. Their findings confirmed that ransomware was responsible for the disruption. 

In response, NYBC took immediate measures to contain the attack, including temporarily shutting down certain systems while working toward a secure restoration. Despite the ongoing challenges, the organization continues to accept blood donations but warned that some appointments may need to be rescheduled. 

The attack comes just days after NYBC issued a blood emergency following a dramatic 30% decline in donations, resulting in 6,500 fewer units collected and severely impacting regional blood supplies. At this time, it remains unclear whether the attackers accessed or stole sensitive donor information. No ransomware group has claimed responsibility yet.

As NYBC works to restore its systems, it is urging donors to continue making appointments to help address the ongoing blood shortage and ensure hospitals receive the critical supplies they need.
Read more »
Zyxel
cyber attack Cyber Attacks News trending news Zero day vul Zyxel

Critical Zero-Day Vulnerability in Zyxel Devices Sparks Widespread Exploitation


Cybersecurity researchers at GreyNoise have uncovered widespread exploitation of a critical zero-day vulnerability in Zyxel CPE Series devices, months after it was initially reported to the manufacturer. The flaw, identified as CVE-2024-40891, allows attackers to execute arbitrary commands on affected devices, potentially leading to data breaches, network infiltration, and complete system compromise. GreyNoise has disclosed the issue to raise awareness among organizations and individuals at risk, as mass exploitation attempts have already been observed.

Details of the Vulnerability and Exploitation

The vulnerability, CVE-2024-40891, was first reported to Zyxel by researchers at VulnCheck in August 2024. However, Zyxel has yet to release a public advisory or an official CVE entry for the flaw, leaving users without a patch to mitigate the risk. GreyNoise collaborated with VulnCheck to disclose the issue, following standard security policies. A GreyNoise spokesperson stated, “Due to first-hand, confirmed mass exploitation attempts for this vulnerability, we chose to disclose this to raise awareness among those who may be impacted.”

Security analysts at Censys estimate that approximately 1,500 devices are online and potentially vulnerable, though definitive confirmation of affected versions is still pending. The National Vulnerability Database (NVD) has not yet provided additional details about the issue. To assess the extent of malicious activity, GreyNoise and VulnCheck conducted a joint investigation, revealing that attackers are actively targeting the flaw.

Researchers noted that CVE-2024-40891 shares similarities with another Zyxel vulnerability, CVE-2024-40890, which also involves authentication and command injection exploits. The key difference is that CVE-2024-40891 is exploited via telnet, while CVE-2024-40890 is HTTP-based. This latest vulnerability follows a recent warning from the Cybersecurity and Infrastructure Security Agency (CISA) and German authorities about another security flaw in Zyxel firewalls, CVE-2024-11667, which was exploited to deploy Helldown ransomware in early December.

Mitigation Strategies and Recommendations

With no official patch available, Zyxel users remain vulnerable to exploitation. Security experts urge organizations to implement temporary mitigation strategies to reduce the risk of compromise. Key recommendations include:

  1. Monitor Network Traffic: Closely monitor network traffic for unusual activity, particularly on devices running Zyxel CPE Series firmware.
  2. Restrict Access: Limit access to potentially affected devices by disabling unnecessary services, such as telnet, and implementing strict access controls.
  3. Apply Workarounds: If possible, apply any available workarounds or configuration changes recommended by cybersecurity experts until an official patch is released.
  4. Stay Informed: Keep track of updates from Zyxel and cybersecurity agencies like CISA for the latest information on vulnerability and mitigation measures.

A VulnCheck spokesperson confirmed that the firm is actively working with Zyxel on the disclosure process and expects to share further insights in the coming week. In the meantime, organizations are advised to remain vigilant and take proactive steps to protect their networks.

The widespread exploitation of CVE-2024-40891 highlights the critical importance of timely vulnerability disclosure and patch management. As attackers continue to target Zyxel devices, organizations must prioritize cybersecurity measures to safeguard their systems and data. While waiting for an official patch, implementing temporary mitigation strategies and staying informed about updates can help reduce the risk of exploitation. This incident serves as a reminder of the ongoing challenges in securing network devices and the need for collaboration between manufacturers, researchers, and users to address vulnerabilities effectively.

Read more »
RECOPE
Costa Rica cybercrime cyber attack Cyber Attacks Cyberattacks cyberattacks trending news News RECOPE

Costa Rica Faces Another Cyberattack, RECOPE Operations Shift to Manual Mode

 

Costa Rica’s state-owned oil company, RECOPE, suffered a ransomware attack on November 27, disrupting its digital operations and forcing a shift to manual procedures to maintain uninterrupted fuel distribution. 

This attack is the second major cyber incident targeting a government institution in the past month, following a similar assault on the General Directorate of Migration (DGME). 

Impact on Fuel Supply 


Despite the disruption, RECOPE assured citizens that the fuel supply remains unaffected, thanks to sufficient inventories. Manual operations, including extended working hours, have been implemented to meet demand, especially after a surge in fuel sales driven by public concerns. 

The ransomware temporarily disabled RECOPE’s digital payment systems, which are often compromised via phishing emails or malicious downloads. 

Efforts to Restore Systems 


RECOPE is working with Costa Rica’s Ministry of Science, Innovation, Technology, and Telecommunications (MICITT) and U.S. cybersecurity experts to restore the affected systems while ensuring safe operations. However, no timeline for full recovery has been provided. 

In comparison, the DGME attack earlier in November caused significant disruptions to online services, though essential operations like border control and passport issuance continued without interruption. 


Escalating Cyber Threats in Costa Rica 


These incidents highlight the increasing threat to Costa Rica’s public institutions and their digital infrastructure. 

  • 2022 Conti Gang Attack: A notorious attack by the Conti gang paralyzed several government services and prompted Costa Rica to declare a state of emergency. 
  • U.S. Aid: The U.S. provided USD 25 million to help strengthen Costa Rica’s cybersecurity. 

Despite these efforts, the recent breaches expose persistent vulnerabilities in the nation’s rapidly digitizing but under-secured systems.  

Global Implications 


Experts warn that attacks on Costa Rican institutions could serve as testing grounds for cybercriminals, helping refine tactics for larger assaults on critical infrastructure in nations like the United States. 

Ransomware has evolved from a nuisance to a sophisticated criminal enterprise, often leveraging zero-day exploits and ransomware-as-a-service platforms. 

International Response 


Globally, governments are intensifying efforts to combat ransomware. The U.S. has established an international counter-ransomware task force, and there is a growing push to classify ransomware attacks as national security threats. 

These measures aim to curb the escalating threat and protect critical infrastructure from increasingly sophisticated cyberattacks.
Read more »
Microsoft
cyber attack Cyber Attacks data information Data Theft Microsoft

Chinese Botnet Quad7 Targets Global Organizations in Espionage Campaign



Microsoft has unveiled a sweeping cyber threat posed by a sophisticated Chinese botnet, Quad7, targeting organizations worldwide through advanced password spray attacks. Operated by a group identified as Storm-0940, this campaign primarily aims at high-value entities, including think tanks, government organizations, NGOs, law firms, and the defense industry, with espionage as its primary objective. 

Microsoft researchers report that Storm-0940 employs stolen credentials to establish persistent access, facilitating deeper intrusions and more extensive cyber espionage. The botnet’s initial actions include harvesting credentials and deploying remote access trojans (RATs) and proxies to maintain long-term access, enhancing the group’s ability to conduct disruptive attacks. 

The infiltration tactics of Quad7 stand out for their precision and stealth. According to Microsoft, Storm-0940 relies on a separate covert network, CovertNetwork-1658, to submit a limited number of sign-in attempts across multiple accounts within targeted organizations. 

In most cases — around 80 percent — CovertNetwork-1658 limits attempts to just one per account per day, minimizing the likelihood of detection. Once a password is successfully guessed, Storm-0940 quickly moves to compromise the system further, sometimes completing the breach within the same day. Quad7’s operational scope has recently expanded beyond its initial focus on TP-Link routers, now encompassing ASUS routers, Zyxel VPN endpoints, Ruckus wireless routers, and Axentra media servers. 

Researchers first identified Quad7 in late September 2024, noting its targeted attacks on specific device ports, particularly port 7777. Cybersecurity experts, including those from Sekoia and a researcher known as Gi7w0rm, initially linked the botnet to TP-Link devices. However, it has since broadened its scope, targeting new clusters labeled based on device type, such as “rlogin” for Ruckus and “zylogin” for Zyxel. 

Each variant, including clusters named xlogin, alogin, axlogin, and others, showcases Quad7’s adaptability. Some of these clusters comprise thousands of compromised devices, while others involve as few as two infections, reflecting the botnet’s flexibility in scaling its operations. 

This escalating threat underlines the urgent need for enhanced cybersecurity vigilance across potentially vulnerable devices worldwide. As Quad7’s reach expands, securing routers and other entry points is essential in protecting against ongoing cyber espionage and disruption.
Read more »
money frauds
Bank fraud banking frauds cyber attack cyber attacks news digital money frauds money frauds

Rising Bank Fraud: Steps You Can Take to Safeguard Your Money

 

Bank fraud is becoming an increasingly serious issue, with cybercriminals devising new tactics to access people’s bank accounts. In 2023, global losses from bank fraud reached nearly $500 billion, according to the 2024 NASDAQ Global Financial Crimes Report. As digital banking grows in popularity, scammers are finding more opportunities to exploit vulnerabilities. 

Some of the most common schemes include phishing, credential stuffing, and social engineering. Phishing involves sending fake emails or text messages designed to trick individuals into sharing their banking details. Credential stuffing occurs when criminals use stolen login credentials to access multiple accounts, while social engineering involves impersonating bank officials to manipulate victims into giving away personal information. 

Other scams like wire transfer fraud and ATM skimming remain widespread. Skimming devices installed at ATMs can steal card information, while unauthorized wire transfers are difficult to stop once initiated. Security experts recommend three primary strategies to protect your account: staying informed, cautious behavior, and using available security tools. Being aware of emerging threats, pausing to verify suspicious communications before responding, and enabling features like two-factor authentication can all help protect your funds. 

If you suspect your account has been compromised, it’s crucial to act quickly. Immediately contact your bank to freeze transactions and change your account credentials. It’s also important to check your credit report to ensure the attack hasn’t spread to other areas. Although cybercriminals are leveraging advanced technologies, including artificial intelligence, to improve their scams, experts emphasize that the most effective defense remains human attentiveness. 

By being vigilant, identifying potential red flags, and implementing strong security practices, individuals can greatly lower their chances of becoming victims of bank fraud.
Read more »
latest news
cyber attack Cyber Attacks Cyber campaign Cyber Scams Fake Updates latest news

New FakeUpdate Cyber Campaign Spreads Updated WarmCookie Backdoor in France

A new wave of cyberattacks is targeting users in France, exploiting fake browser and software update prompts to spread an updated version of the WarmCookie backdoor. The campaign, dubbed “FakeUpdate,” has been linked to the SocGolish threat group, known for using compromised or fake websites to display deceptive update messages for popular applications like Google Chrome, Mozilla Firefox, Microsoft Edge, and Java. 

When users fall for these fake update alerts and click on them, malicious software is installed on their systems instead of a legitimate update. This payload includes tools like info-stealers, remote access trojans (RATs), cryptocurrency drainers, and ransomware. According to researchers from Gen Threat Labs, the WarmCookie backdoor being distributed in this campaign is more advanced than its previous versions. 

Initially discovered by cybersecurity firm eSentire in 2023, WarmCookie is designed to steal data, capture screenshots, run arbitrary commands, and drop additional malicious files. In this latest campaign, it has been updated with new features, such as the ability to run DLLs from a system’s temporary folder and execute PowerShell and EXE files. The infection chain begins when users click on fake update prompts that closely mimic legitimate update notifications. 

Once clicked, a JavaScript file triggers the download of the WarmCookie installer, which bypasses security checks and installs the backdoor. The malware can evade detection through anti-virtual machine (anti-VM) checks, ensuring it’s not being monitored by security analysts before sending system data to its command and control (C2) server. 

While the attackers are primarily using compromised websites to distribute these fake updates, researchers also identified malicious domains designed to look like official update sites, such as “edgeupdate[.]com” and “mozilaupgrade[.]com.” Experts warn that legitimate browsers, including Chrome, Edge, and Firefox, update automatically and do not require users to manually download update files. 

Any pop-up asking users to do so should be viewed with suspicion and avoided.
Read more »
trending news
cyber attack Cyber attacks on Industrial leaders cyberattack news digital scam Indian cyber crimes trending news

Indian Textile Tycoon Duped of ₹7 Crore in Elaborate ‘Digital Arrest’ Scam

 

In a shocking incident, SP Oswal, chairman of the Vardhman Group, India, fell victim to a scam that cost him over INR 7 crore. The 82-year-old businessman was tricked into believing he was under investigation for money laundering, with scammers posing as officials from the Central Bureau of Investigation (CBI) and even impersonating Chief Justice of India DY Chandrachud. Through fake court setups, police uniforms, and ID cards, the conmen convinced Oswal that his “digital arrest” was legitimate. 

This case is part of a growing trend where scammers create fear and panic in victims’ minds, leading them to comply with demands for money. Experts have highlighted that the fear psychosis these scammers create makes even well-informed individuals vulnerable to such tactics. 

Oswal is not the only Indian high-profile victim; a lawyer from Bengaluru, and a doctor in Noida were also similarly duped. The lawyer, in particular, was forced to undergo a fake “narcotics test,” strip on camera, and lost INR 14 lakh in the process. Cyber law expert Pawan Duggal explains that “digital arrest” refers to a scam where victims are made to believe they are under investigation for serious crimes. 

Scammers use fake props and legal threats to intimidate their targets into handing over large sums of money. Victims are often coerced into keeping their cameras and microphones on at all times, further intensifying the pressure. The Ministry of Home Affairs has issued warnings about these scams and urged citizens to report suspicious calls on the cybercrime helpline (1930) or via their website. 

Authorities are working with agencies like the Indian Cyber Crime Coordination Centre (I4C) to combat the growing threat of cyber scams. Experts also stress that there is no legal provision for “digital arrest” and advise people to verify suspicious calls through official channels.
Read more »
Sensitive data
cyber attack identity Microsoft Security Sensitive data

Microsoft Tightens Cloud Security After Major Breaches

 



In its efforts to better its cloud security, Microsoft has done much to remove any potential vulnerabilities and tightened the process of authenticating individuals. This comes after the tech giant saw several security breaches within the past year. Under the Secure Future Initiative launched in November 2023, Microsoft has so far purged 730,000 unused applications and deactivated 5.75 million inactive tenants in its cloud system. The initiative has been a direct response to cyber intrusions that had resulted in the revelation of sensitive data.

Reducing the Cyber Attack Surface

The firm has sought to minimise its attack surface by identifying dead or idle areas of its cloud infrastructure and is working to eliminate them. Removing hundreds of thousands of applications and millions of unused tenants works at making Microsoft shrink down the possible avenues the hackers may employ to penetrate it. Furthermore, Microsoft has sought to make the software production environment more secure by equipping the software teams with 15,000 locked-down devices. In its other security measure, the company conducted video-based identity verification for 95 percent of its production staff for further security in the identity authentication process. 

Better Identity and Authentication Security

Cybersecurity is one aspect where Microsoft has improved much. For instance, the identity management systems for its Entra ID and Microsoft Account (MSA) platforms have been remarkably enhanced.

These updates target better generation, storage, and rotation of access token signing keys as means to advance the protection of the public and government cloud environments. This is partly because of an incident in 2023, when hacking group Storm-0558 from China successfully accessed Exchange Online systems and penetrated the private email accounts of dozens of state officials. 

Secure Future Initiative Focus Areas

The SFI project is the most ambitious cybersecurity effort Microsoft has undertaken to date, providing 34,000 engineers dedicated to bulking up the company's defences. It focuses mainly on six critical areas: identity and access control, securing cloud tenants and production systems, strengthening engineering systems, improving network security, enhancing threat detection, and perfecting incident response. By doing all of these broad strokes, the likelihood of any future breach of this scale is reduced.

Mitigating Past Security Mistakes

Analysis by the US Department of Homeland Security's Cyber Safety Review Board had shown that a succession of security lapses at the company allowed these breaches. The inquiry, focused on the Storm-0558 intrusion, had asserted that it was time for Microsoft to strengthen its security posture, which primarily revolved around identity and authentication processes. Based on this, the company has moved very quickly to shore up weaknesses and prevent something similar from happening in the future.

Progress in Key Security Areas

Microsoft says it made strides in several areas in the latest report on SFI.

Unused applications and tenants removed reduce cloud attack surface. In network security, the firm now maintains a central inventory for more than 99% of physical assets, providing greater oversight.

Virtual networks with back-end connectivity are isolated from the corporate networks, which in turn is subjected to even more rigorous security audits. Centralised pipeline templates accounting for 85% of the production builds have been so far a part of the security. Personal access tokens now also have a much shorter life. Proof-of-presence checks are also instituted at the most sensitive points of the software development pipeline. 

Organisational Changes for Better Security

Beyond the technical, there have been organisations which are aimed at ensuring the executives are held responsible for security outcomes. There have been those who tied senior leadership compensation to specific security goals and that the company's threat intelligence team reports directly to the Chief Information Security Officer. This is in the way that it gives the assurance that security is top of the agenda across the organisation.

The Microsoft Secure Future Initiative is a reflection of its attempt to learn from previous failures in the area of security and succeed further in the cloud environment. The company intends to secure itself and, by extension, its customers from future cyber-attacks by enforcing identity verification, reducing attack surfaces, and having a strong network as well as engineering security. Hence, through continuous actions, Microsoft aims to ensure that such instances-where confidential and sensitive data are leaked-would not recur in the future.





Read more »
TfL
cyber attack Cyber Attacks London Ransomware Security TfL

TFL Hit by Cyberattack, Leaving Disabled Riders Stranded


 

Transport for London (TfL) recently confirmed that disabled passengers are the first group to feel the effects of a cyberattack that has hit their systems. This incident has severely impacted the Dial-a-Ride service, a specialised transport service designed for wheelchair users and individuals with long-term disabilities, leaving many unable to book their necessary door-to-door journeys.

TfL, the organisation responsible for managing London’s public transport network, initially acknowledged a cyber incident on September 2. In their first public statement, TfL reassured customers that no personal data had been compromised, and transport services across the network were unaffected. However, in the days following, it became clear that the cyberattack has caused more disruption than initially reported, particularly for disabled passengers who rely heavily on the Dial-a-Ride service.

The Dial-a-Ride service, which offers free transport for disabled passengers, was forced to suspend new bookings due to the ongoing cybersecurity incident. A recent update from TfL confirmed that the system is unable to process any new journey requests, inconveniencing those who depend on this service for mobility. In addition to suspending bookings, TfL also reported that many staff members operating the service have limited access to critical systems, making it difficult for them to respond to user inquiries or manage ongoing services efficiently.

For many disabled residents, Dial-a-Ride is a crucial service for daily travel. Without it, those with limited mobility are left without a reliable option to get around the city, exacerbating the challenges they already face in navigating public transportation.

Ransomware Likely Cause of the Attack

Although the full details of the cyberattack have not yet been disclosed, cybersecurity experts believe it may be a ransomware attack, a type of cybercrime where systems are locked down by hackers who demand payment in exchange for restoring access. The limited system access reported by TfL employees suggests that hackers may have taken control of essential systems, preventing the organisation from operating key services like Dial-a-Ride.

Mark Robertson, an expert from Acumen Cyber, noted that the involvement of Dial-a-Ride indicates the attack may be more serious than originally thought. He emphasised that being locked out of key systems is a common effect of ransomware, further hinting at the nature of the incident. However, he commended TfL for its incident response efforts, which have helped to manage the crisis and minimise further damage.

Despite the disruption, there has been some good news for Dial-a-Ride users. Following internal recovery measures, TfL announced that essential booking requests are now being accepted once again. Though services remain limited, there is optimism that the situation will continue to improve as the day progresses. 

As TfL continues to address the issue, it serves as a reminder that cyberattacks can have far-reaching impacts, particularly on vulnerable populations such as disabled individuals who rely on services like Dial-a-Ride for their daily mobility needs. TfL’s handling of this situation will likely set an example for other organisations on how to manage similar incidents in the future. 

There is a pressing need for both strong cyber defences and detailed response plans to minimise the fallout from these types of attacks.


Read more »
RansomHub
cyber attack Data Halliburton organisations RansomHub

Halliburton Hit by Cyberattack, Data Stolen


 

Halliburton, one of the world’s largest energy companies, has confirmed that it was the victim of a cyberattack. Hackers infiltrated the company’s systems and stole sensitive information. The attack occurred last week, and Halliburton is still determining the extent of the data that was taken.

In a recent filing with government regulators, Halliburton acknowledged the breach but has yet to disclose the full details of what was stolen. The company is currently investigating the incident and deciding what legal notifications are required. In response to the attack, Halliburton took certain systems offline as a precaution and is working to restore normal operations, especially for its oil and fracking businesses. 

When approached for additional comments, company spokesperson Amina Rivera declined to elaborate further, stating that Halliburton would not provide more information beyond what was mentioned in its official filing.

Although Halliburton has not officially confirmed it, there are signs that the cyberattack may have been part of a ransomware campaign. TechCrunch obtained a ransom note related to the incident, which claims that hackers encrypted Halliburton’s files and stole sensitive data. A group known as RansomHub is believed to be behind the attack. This gang is notorious for carrying out similar cyberattacks, using stolen data as leverage to demand ransom payments. 

RansomHub typically publishes stolen files on its dark web platform when victims refuse to pay. So far, Halliburton has not been listed as one of RansomHub’s victims, but this could change if negotiations fail. RansomHub has been responsible for over 210 attacks since its rise to prominence earlier this year, and it has targeted other large organisations, including Change Healthcare.

Halliburton, with around 48,000 employees spread across various countries, is a major player in the global energy industry. In the past, the company gained notoriety due to its role in the Deepwater Horizon oil spill disaster in 2010, for which it paid over $1 billion in fines.

The recent cyberattack is expected to have financial repercussions for the company, though the exact costs are yet to be determined. In 2023, Halliburton reported $23 billion in revenue, with CEO Jeff Miller earning $19 million in total compensation. Halliburton has noted that it will continue to bear costs related to the cyberattack as they work on restoring systems and resolving the situation.

As the investigation unfolds, much of Halliburton’s online services remain down, and the company is assessing the full impact of the breach. Halliburton has been tight-lipped about its cybersecurity efforts, declining to provide information on who is currently overseeing their response.

This attack is a reminder of how large corporations remain vulnerable to cyber threats. Halliburton's situation underscores the importance of investing in strong cybersecurity measures to safeguard sensitive data and avoid disruptions in critical operations. The company will likely provide more updates as it works to recover from this breach.


Read more »
Security
cyber attack Cyber Attacks FBI IT Industry Passwords Ransomware Security

IT Manager Faces Charges for Locking Computers to Demand Money


 

A recent case has highlighted that ransomware threats can sometimes come from within an organisation. Daniel Rhyne, a 57-year-old IT administrator from Kansas City, Missouri, has been accused of holding his own company hostage by locking down their systems and demanding a ransom to restore access.

The incident occurred in November last year when Rhyne was employed at an industrial company based in Somerset County, New Jersey. According to the Federal Bureau of Investigation (FBI), Rhyne allegedly took control of the company’s network by resetting the passwords of network administrator accounts as well as those of hundreds of employees. He then proceeded to delete critical backups and locked out both servers and workstations, crippling the organisation’s operations.

An hour after initiating the attack, Rhyne allegedly sent an email to the company's employees informing them of the situation and demanding a ransom in exchange for unlocking the systems. The FBI claims this was an attempt at extortion, with Rhyne threatening further damage if his demands were not met.

Rhyne’s actions were investigated by the FBI, and he has been charged with multiple counts, including extortion, intentional damage to a protected computer, and wire fraud. Should he be convicted of all charges, he faces up to 35 years in prison and a $500,000 fine, as reported by The Register.

Several pieces of evidence were gathered by the FBI to support their case against Rhyne. For instance, he allegedly used a tool known as PsPasswd, a Windows Sysinternals utility, to reset user passwords. The new password set for the accounts was "TheFr0zenCrew!", a telling detail that investigators believe connects him directly to the attack. Rhyne also reportedly kept a hidden virtual machine (VM) on his company-issued laptop, allowing him to maintain remote access to the network's administrative controls.

Adding to the case, the FBI noted that Rhyne's digital activities prior to the attack were suspicious. He allegedly used his work laptop to search for ways to alter administrator passwords via command-line tools, which are often used by IT professionals to manage networks remotely. Investigators claim that on the day of the attack, Rhyne was seen logging into his work laptop, conducting these searches, and reviewing company password spreadsheets while also accessing the hidden VM.

The fact that he used his company-issued laptop to perform these actions leaves a strong digital trail linking him to the crime. The FBI’s detailed investigation paints a clear picture of how the attack was executed, utilising common IT tools to gain unauthorised control over the company’s systems.

If Rhyne is found guilty, his actions could serve as a warning to organisations about the potential for internal threats. It highlights the need for companies to have strong security protocols in place, not just to defend against external hackers but also to safeguard against malicious insiders who have privileged access to sensitive systems.

This case illustrates how cyberattacks are evolving and how attackers, even those within the organisation, can exploit their knowledge and access to launch devastating attacks. Organisations must remain vigilant and continually monitor for suspicious behaviour, no matter the source, to protect their critical digital infrastructure.


Read more »
Unicoin
communication cryptocurrency cyber attack Google Drive Hacking Unicoin

Unicoin's Four-Day Cyberattack: Disruption, Recovery, and Ongoing Investigation

 



Unicoin, a leading cryptocurrency company, experienced a cyberattack beginning on August 9, 2024, which severely disrupted its operations for nearly four days. The breach occurred when a hacker gained unauthorised access to the company’s Google G-Suite account, affecting all employees using the "@unicoin.com" domain. As a result, employees were locked out of critical Google services like Gmail and Google Drive, causing major disruptions in internal communication and file sharing.

In a regulatory filing with the U.S. Securities and Exchange Commission (SEC), Unicoin detailed the extent of the attack, noting that the hacker not only altered account passwords but also restricted access to essential tools. The company managed to restore access to its systems by August 13, 2024. However, ongoing investigations have revealed additional issues stemming from the breach.

Several senior management email accounts were compromised, and further investigations uncovered anomalies in the personal information of employees and contractors. The company’s accounting department discovered several discrepancies, including an instance of identity forgery involving a contractor, which led to their immediate termination. Investigators are still determining whether these incidents are isolated or part of a larger cyber threat, potentially involving North Korean hackers.

Financial Impact and Investigation

Despite the severity of the breach, Unicoin has assured its stakeholders that there is no evidence of stolen funds or compromised cryptocurrency assets. While the situation is serious, the company stated that the attack has not immensely impacted its financial condition or operational performance. However, the full extent of the breach is still under review, and Unicoin has not ruled out the possibility of long-term financial consequences.

In its SEC filing, Unicoin emphasised that no immediate financial losses had been identified. The company has committed to continuing its assessment of the situation and will report any significant impact in future filings if necessary.

Cybersecurity Concerns in the Cryptocurrency Sector

Unicoin's adherence to regulatory compliance stands out in the cryptocurrency industry, where oversight is often limited. The company consistently files reports with the SEC, demonstrating its commitment to transparency. With more than $500 million in Unicoins sold and a diverse portfolio that includes real estate and equity investments, the recent cyberattack is a telling event of how even the well regulated firms are not immune to combating such vulnerabilities. 

As investigations continue, the broader cryptocurrency industry will be closely monitoring Unicoin's response to this breach and the steps it takes to better amp up its cybersecurity defenses.

Read more »
Phishing Scams
cyber attack Cyber Fraud Email Housing Scams Locata Manchester Phishing Scams

Cyber Attack Disrupts Housing Services Across Greater Manchester


A scathing cyber attack has disrupted housing services in three Greater Manchester boroughs, leaving thousands of residents at risk of a phishing scam. The breach, which affected the software company Locata, has caused the temporary closure of housing websites for Manchester, Salford, and Bolton councils, and resulted in fraudulent emails being sent to users, urging them to provide sensitive personal information.

Widespread Disruption from Cyber Incidents

The cyber attack first emerged last week, targeting Locata’s software, which is widely used by local councils to manage housing applications and services. Over the weekend, the attack escalated, causing disruptions to the public-facing housing websites operated by Manchester, Salford, and Bolton councils. Users of these services were targeted with phishing emails that appeared legitimate, asking them to "activate your tenancy options" by clicking on a link and submitting their personal details. This scam has potentially compromised the security of many individuals.

Locata’s Response and Council Actions

Locata, the company responsible for providing housing software to several councils, acknowledged the security breach on July 29. In a public statement, the company expressed regret for the incident and assured the public that they were working urgently with cybersecurity experts to investigate and contain the breach. Locata informed the affected local authorities and emphasised their commitment to resolving the issue as quickly as possible.

In response, Manchester City Council confirmed that the breach led to scam emails being sent to some Manchester Move applicants. The council acted promptly by taking the affected website offline to prevent further breaches and initiated an investigation with the Information Commissioner’s Office. They advised residents to exercise caution, avoid interacting with suspicious emails, and refrain from clicking on unverified links.

Impact on Bolton and Salford Residents

Bolton Council also reported that the cyber attack had affected its housing service, Homes for Bolton, leading to a similar phishing scam. The council has urged residents to stay alert and provided guidance on steps to take if they had mistakenly interacted with the fraudulent emails, including following advice from the UK’s National Cyber Security Centre.

Salford City Council was among the first to experience the breach, which led to the temporary suspension of the Salford Home Search website. To protect residents, the council advised users to monitor their financial accounts closely, report any suspicious activity, change passwords, and contact Action Fraud if they experienced financial losses.

The investigation into the cyber attack is ongoing, with Locata working closely with affected local authorities to restore services securely. Authorities have urged the public to follow cybersecurity best practices, remain alert against phishing scams, and take necessary precautions to safeguard their personal information.

The growing risks associated with cyber threats and the importance of strong cybersecurity measures for both organisations and individuals cannot be overstated


Read more »
Ransomware
cyber attack Hospital Cyber Attacks OneBlood Ransomware

Ransomware Attack on OneBlood Disrupts Florida Blood Supply Chain, Urgent Call for Donations

 

A recent ransomware attack on OneBlood, a leading blood supplier in the southeastern United States, has severely impacted the blood supply chain in Florida. This cyberattack has prompted urgent health warnings and a call for donations from Florida health officials, particularly in Orlando, as the state faces a potential public health crisis due to disrupted blood supplies. 

OneBlood, a nonprofit organization responsible for supplying blood to over 350 hospitals across Florida, Georgia, Alabama, North Carolina, and South Carolina, was targeted in late July 2024 by a sophisticated ransomware attack. This cyber assault crippled the organization's IT systems, significantly disrupting its ability to collect, test, and distribute blood products. The attackers encrypted sensitive data and demanded a ransom for its release, leaving OneBlood struggling to restore normal operations. 

“The recent ransomware attack against OneBlood and the previous Russian-connected ransomware group attacks against blood suppliers Synnovis in U.K. and Octapharma in the U.S. have resulted in significant disruption to patient care, including canceled elective surgeries,” John Riggi, AHA national advisor for cybersecurity and risk noted. 

The attack has had a serious impact, forcing hospitals to save and prioritize their limited blood supplies. As a result, elective surgeries and non-urgent medical procedures have been postponed to ensure that blood is available for emergencies. 

This situation highlights how vulnerable healthcare systems are to cyberattacks, which can have dangerous, even life-threatening, effects. Despite these challenges, OneBlood has managed to stay operational, though at a reduced capacity, and is working to get its systems back to normal. The organization has been open about the steps it's taking to improve its cybersecurity and prevent future attacks. 
Meanwhile, the American Hospital Association (AHA) and other health groups have been working with federal agencies to support OneBlood and minimize the impact on patient care. This attack is part of a growing trend of ransomware attacks on critical healthcare infrastructure. Similar incidents involving Russian cybercriminals have disrupted blood supplies in the U.K. and the U.S., affecting patient care. 

The AHA is urging hospitals and health systems to strengthen their cybersecurity and develop plans to ensure they can continue operating even if another attack occurs. 

“This incident once again reminds us that any cyberattack against any entity that results in the delay and disruption to life-sustaining care is a threat to life crime. It also reminds us that our cyber adversaries are increasingly and intentionally targeting healthcare mission-critical and life-critical third-party service providers and supply chain to cause maximum disruption on a regional and field-wide basis. Due to this escalating threat, we continue to strongly recommend that hospitals and health systems identify all of their life-critical and mission-critical third-party service and supply chain providers, and develop business and clinical continuity procedures and supply chain resiliency to sustain a loss of access to those critical services and supplies for 30 days or longer,” Riggi further added. 

As OneBlood continues its recovery, the call for blood donations remains urgent to address the ongoing shortage and ensure the well-being of patients across the region.
Read more »
Scam
Android Users APK Files bank account cyber attack Financial Fraud KYC Scam

New APK Scam: Protect Your Bank Account from Fraudsters


 


Punjab and Sind Bank (PSB) recently issued a public notice alerting customers to a new scam involving fraudulent messages and malicious APK files. This scam threatens grave  financial losses if customers do not take proper precautions.

How the APK Scam Works

Step 1: Creating Panic with Fake Messages

Scammers initiate the fraud by sending text messages that mimic legitimate bank communications. These messages claim that recipients must update their Know Your Customer (KYC) information to avoid having their bank accounts blocked. The fraudulent messages create a sense of urgency, making recipients more likely to follow the instructions.

Kaushik Ray, Chief Operating Officer of Whizhack Technologies, explains that these messages exploit users' fears and desires, bypassing rational judgement. The goal is to trick recipients into downloading a malicious APK file, a common format for Android apps.

Step 2: Installing Malicious APK Files

Once recipients are convinced by the false narrative, they are instructed to download and install an APK file. These files often contain malware. Upon installation, the malware grants hackers access and control over the victim's mobile device.

Step 3: Executing Cyber Attacks

With control of the device, hackers can perform various malicious activities. These include installing a keylogger to capture sensitive information like banking credentials and passwords, launching ransomware attacks that lock the device until a ransom is paid, and accessing the clipboard to steal copied information such as account numbers.

How to Protect Yourself from APK Scams

To protect against these scams, PSB advises customers to take the following precautions:

1. Avoid Downloading Files from Unknown Sources: Only download apps from trusted sources like the Google Play Store.

2. Do Not Click on Suspicious Links: Be wary of links received in unsolicited messages, even if they appear to be from your bank.

3. Block and Report Suspicious Contacts: If you receive a suspicious message, block the sender and report it to your bank or relevant authorities.

4. Never Share Personal Information Online: Do not disclose personal or financial information to unverified sources.

Why APK Scams Target Android Users

Ray highlights that this scam primarily targets Android users because APK files are specific to Android devices. iOS devices, which use a different file format called IPA, generally have stricter controls against installing third-party apps, making them less vulnerable to this type of attack. However, iOS users should remain vigilant against phishing and other scams.

Real-Life Impacts of the APK Scam

Imagine receiving a message that your bank account will be frozen if you do not update your KYC information immediately. This could lead to panic about how you will pay for everyday expenses like groceries, school fees, or utility bills. Scammers exploit this fear to convince people to download the malicious APK file, giving them access to your device and your money.

Stay alert, verify the authenticity of messages, and protect your personal information to safeguard your financial assets.


Read more »
Subscribe to: Posts (Atom)