Jump to content

abbalolucky

Members

  • Joined

  • Last visited

View Profile Find content

Blog Entries posted by abbalolucky

  1. New Chrome Vulnerability Could Let Hackers Escape Browser Security – What You Need to Know
    A newly discovered security flaw in Google Chrome is drawing serious attention from cybersecurity experts around the world, and Nigerians using Chrome browsers are advised to take immediate action by updating their browsers.
    The issue, discovered in the browser's graphics handling system, has already been exploited by attackers online—making it a real threat to users. The flaw is associated with Chrome's rendering engine and its interaction with GPU hardware, which can allow malicious actors to bypass built-in browser protections and execute code outside the browser sandbox.
    This type of vulnerability is especially dangerous because attackers can trigger it just by tricking users into visiting a malicious website. No downloads or clicks are required—the compromise happens in the background, silently and instantly.
    What’s the Risk?
    This specific flaw lies in Chrome’s ANGLE (Almost Native Graphics Layer Engine), a component that translates browser rendering tasks into commands that the underlying graphics hardware can understand. If this process is not properly secured, attackers can exploit the low-level GPU instructions to escape the browser sandbox. The sandbox is designed to isolate code execution from the rest of the system, preventing malware from accessing sensitive files or system resources.
    When a sandbox escape occurs, the attacker may gain privileges beyond the browser itself—opening the door to spying, data theft, or installation of malware. This vulnerability allows remote attackers to craft a special HTML page that exploits this weakness, turning the browser into a launchpad for further attacks.
    Who Found It?
    The issue was identified by researchers from Google’s Threat Analysis Group (TAG), who specialize in investigating government-backed hacking and advanced persistent threats (APT). The fact that the flaw was discovered by this particular team suggests it may have been used in highly targeted attacks, possibly involving nation-state actors.
    Although Google hasn’t released full technical details, the company confirmed that the vulnerability is being actively used in real-world attacks. This marks yet another instance in a growing trend of high-severity Chrome zero-day vulnerabilities being discovered and patched mid-year.
    Similar Issues in the Past
    This incident follows another zero-day vulnerability fixed just weeks prior. Google has already patched at least five high-impact flaws in Chrome this year alone, many of which were considered critical. These types of vulnerabilities are often linked to bugs in graphics rendering, memory management, and privilege boundary violations—key areas of concern for browser developers and security teams alike.
    While Chrome is the main focus, it's important to understand that other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, also share much of the same codebase. This means they are potentially vulnerable to similar attacks until they release their own patches.
    What Should Users Do?
    Nigerian users, especially those handling sensitive data such as in banking, government, education, and tech, should prioritize updating their Chrome browser immediately. The patched versions—138.0.7204.157 and above—are now available for Windows, macOS, and Linux platforms.
    To update:
    Open Chrome.
    Click the three-dot menu in the top-right corner.
    Go to Help > About Google Chrome.
    Chrome will automatically check for updates and install the latest version.
    Click Relaunch to complete the update.
    If you're using other browsers like Edge or Brave, ensure you're using the most recent version or check for security updates from the official sources.
    Stay Secure
    Cyber threats are evolving fast, and browser exploits like this demonstrate how even everyday activities like browsing the web can become risky. Keeping your browser updated, avoiding suspicious links, and using a reputable antivirus solution are essential steps for staying protected.
    For cybersecurity professionals, this case is another reminder that GPU and rendering-related vulnerabilities are gaining traction among attackers and should be monitored closely in future research and assessments.
  2. 🚨Major Security Risk: Attackers Exploit Cisco Software Used in Company Networks
    A new warning has been issued for businesses and organizations using Cisco's Identity Services Engine (ISE). Security experts have discovered that hackers are actively attacking weak spots in this software, and if your system is not updated, attackers could gain full control.
    What is Cisco ISE?
    Cisco ISE is a security tool that helps businesses manage who is allowed into their internal computer systems. It checks the identity of users and devices before allowing them access. Many Nigerian businesses and institutions use Cisco products for network control, making this issue especially important to understand.
    What's the Problem?
    Researchers found serious weaknesses in Cisco ISE and its related software. These weaknesses are called vulnerabilities. Hackers have started taking advantage of them to break into systems without needing any password or login information. Once inside, they can control the whole system like an administrator.
    What Can Hackers Do With This?
    If your Cisco ISE is affected and not updated, hackers can:
    Run harmful commands on your server.
    Install malicious files that give them ongoing control.
    Gain full access as a “root” user, which is the highest level of access.
    Avoid detection by using the same tools the system uses for trusted users.
    How Are These Attacks Happening?
    There are three main problems (security experts call them CVEs):
    Improper Input Checking
    Some APIs (the parts of the software that talk to other software) are not checking input correctly. Hackers can send specially crafted commands and run programs as if they were administrators.
    File Upload Trick
    In some versions, an attacker can upload a file and place it in a sensitive part of the system. Once the file is there, they can run it to gain full access.
    Lack of Validation
    The software fails to block dangerous files from being uploaded, allowing an attacker to bypass security protections.
    Who Is at Risk?
    Any organization using Cisco ISE or ISE-PIC and hasn’t updated their software is at risk. This includes:
    Banks and financial institutions
    Government agencies
    Universities and private schools
    Hospitals and medical centers
    Internet service providers and large businesses
    What Should You Do?
    If you are managing a system using Cisco ISE:
    Update your software immediately. Cisco has released new versions that fix the problem.
    Check your system logs. Look for strange activity, like unknown users, unexpected file uploads, or abnormal API requests.
    Limit external access. Don’t expose the system to the internet unless absolutely necessary.
    Talk to your security team. Make sure everyone is aware of the risk and the steps taken to reduce it.
    Staying updated and informed is key to protecting your network, especially with these types of high-risk flaws.
  3. How Hackers Are Exploiting Online Shops and Servers to Earn Illegal Money
    Cybercriminals are now turning to online store platforms like Magento and server tools such as Docker to secretly make money. These attackers are not just randomly picking their targets — they are skilled, organized, and always searching for new ways to break into websites and systems that are not properly protected.
    One known group of attackers, who have previously targeted websites built with a system called Craft CMS, has now moved on to bigger platforms like Magento (an e-commerce system) and Docker (used for running apps on servers). Their main goal is to make money by hijacking the power of other people's computers and internet connections.
    How the Attack Works
    These hackers find weak spots in the software used by businesses and developers. One method involves using a bug in a Magento plugin to run dangerous commands through a feature called PHP-FPM. This gives them access to the server.
    Once inside, they install a special tool called GSocket. It hides in the system like a normal background process, making it difficult to notice. GSocket allows the attackers to connect to the hacked machine anytime they want, even after reboots.
    What’s more troubling is their use of in-memory techniques. Instead of saving files that security tools can detect, they run their malware directly from memory using advanced Linux functions like memfd_create(). This allows them to load additional tools like:
    XMRig – a program used to mine cryptocurrency using the victim’s CPU power.
    IPRoyal Proxyware – software that sells the victim’s internet connection to other people without permission.
    To stay hidden, the hackers even modify critical system files like /etc/ld.so.preload to inject rootkits that make their tools invisible. This means even if the crypto miner is found and removed, the proxyware might still be running quietly in the background.
    Expanding to Docker and Brute Force Attacks
    Besides Magento, the hackers also look for public Docker servers that don’t have security settings in place. They launch new containers inside these servers, downloading and running harmful software.
    This malware is written in Go (a powerful programming language), and it does many things:
    Stays active on the system
    Reads and writes files
    Runs hidden programs
    Installs other hacking tools like GSocket and IPRoyal
    Tries to hack more systems by guessing weak SSH passwords
    This shows the group’s goal is not just to break into one site but to build a network of infected systems for ongoing income.
    What This Means
    Businesses running online stores or hosting apps must pay attention. Leaving server settings open or using outdated software is like inviting hackers in. Even platforms widely used by Nigerian tech startups, e-commerce shops, and developers are at risk if they don’t keep their software updated and use strong security measures.
    By turning hacked computers into mining machines and internet resellers, these attackers are quietly making money off innocent users — often without anyone knowing for weeks or months.
    To stay safe:
    Always update your CMS, plugins, and server tools
    Close unused ports and services
    Monitor for unknown processes or changes to system files
    Use tools that can detect in-memory threats and hidden malware
    As attackers continue to grow in skill and boldness, it’s more important than ever to build strong digital defenses — especially if your platform is part of Nigeria’s growing tech and business ecosystem.
  4. 🛡️ New Malware Tricks Windows Features to Steal Bank Login Details
    A dangerous computer virus is now using a clever trick on Windows computers to steal people's bank login details. This malware, which researchers are calling Coyote, is specifically targeting users in Brazil but could be a warning for other countries too, including Nigeria.
    This virus uses a special part of Windows called UI Automation. Normally, this tool helps people with disabilities by allowing screen readers and other programs to access buttons and text in apps. But hackers have now found a way to use this same tool to spy on what you do on your screen — especially when you’re trying to log into your bank or crypto account.
    What Does the Coyote Malware Do?
    Once the malware is inside your computer, it starts watching which apps and websites you’re using. It checks if you’re visiting a bank or cryptocurrency site — there are at least 75 banks and exchanges on its target list. If it detects one, it can read the screen and steal your login information.
    It does this by:
    Reading what window is active on your screen
    Looking through the small pieces (called UI elements) inside that window — like buttons, tabs, or address bars
    Comparing what it finds with a list of targeted financial websites
    Stealing your login credentials if there’s a match
    This method is similar to what many Android banking viruses do. They also use “accessibility” features to read and control the screen in the background.
    Why This Matters
    This malware shows that even safe and helpful features in Windows can be misused by attackers. UI Automation was not made for hacking, but it can still be turned into a spying tool if the attacker knows what they’re doing.
    Unlike older types of malware that might need internet access to function, Coyote can work offline or online, making it harder to stop.
    What You Can Do to Stay Safe
    Don’t download unknown software or files
    Use strong antivirus and keep it updated
    Monitor your bank and crypto accounts regularly
    Keep Windows and other programs updated
    Be careful of suspicious links or attachments, even if they come from someone you know
    Cybersecurity experts are warning that tricks like this could spread beyond Brazil. As internet banking grows in Nigeria, threats like Coyote could show up locally too.
    Stay informed. Stay secure.



  5. Google Introduces New Tool to Make Open-Source Software More Secure
    Google has started a new project that will help protect open-source software from hackers who try to sneak harmful code into popular packages used by developers. The project is called OSS Rebuild, and it's meant to stop software supply chain attacks before they reach millions of users.
    Open-source software (OSS) is used everywhere—from mobile apps to websites, to government platforms. Developers often rely on public package libraries like npm (for JavaScript), PyPI (for Python), and Crates.io (for Rust). These libraries host thousands of free tools that programmers can easily add to their projects.
    But there's a big problem: some attackers try to upload fake or modified versions of these packages, hiding harmful code inside. If a developer unknowingly uses one of these bad packages, the entire app or website could be at risk.
    That’s where OSS Rebuild comes in.
    Google's new system checks the software packages and tries to rebuild them from scratch. If the rebuilt version doesn't match the original, something might be wrong—maybe someone added hidden code. This helps security teams know which packages they can trust and which ones need a closer look.
    The tool also helps with:
    Verifying where a software package comes from
    Making sure the code hasn't been changed by a hacker
    Helping companies respond faster when a new vulnerability is found
    Making software more transparent and trusted
    If a package can't be rebuilt automatically, Google provides a way to build it manually while still checking it for any suspicious changes.
    With tools like OSS Rebuild, Google hopes to make open-source software much safer for everyone—especially for developers and companies that depend on free tools to build their apps and services.
  6. How Hackers Are Exploiting SysAid Software Vulnerabilities to Break into IT Systems
    Security researchers have discovered that attackers are actively targeting weaknesses in a popular IT service management platform called SysAid. These weaknesses, known as XML External Entity (XXE) vulnerabilities, were found in key components of the software and could allow hackers to gain full control of affected systems.
    SysAid is used by many businesses and organizations to manage help desk tickets, monitor system health, and automate IT tasks. Because it is often integrated deeply into internal systems, any security flaws in this software can be extremely dangerous.
    The newly discovered vulnerabilities are related to how SysAid handles XML data. XML is a format used by many applications to send and receive information, and if not handled properly, it can be used to trick the system into giving away sensitive information or executing unauthorized commands. In this case, attackers can send specially crafted XML files that allow them to read private files on the system or even take full control of the application.
    What makes the situation worse is that these flaws do not require a valid username or password to exploit. That means an attacker can launch an attack remotely without needing to log in. If successful, they could gain administrative access and start moving through other parts of the company’s internal network.
    One of the most serious risks is that these vulnerabilities can be used together with older issues in the same platform. For example, a previously discovered command injection flaw in SysAid can be combined with the new vulnerabilities to run remote code on the server. In simpler terms, it means an attacker could take over the entire system just by sending some malicious data to the right place.
    Security researchers at watchTowr Labs first uncovered these flaws earlier this year and notified the company. SysAid responded by releasing a patched version of the software, but not all organizations have updated to the latest release. That has created an opportunity for hackers who scan the internet for unpatched systems.
    Government agencies and cybersecurity experts are urging companies to update their SysAid software immediately. The patched version not only fixes the new vulnerabilities but also addresses other known security issues. Organizations are also advised to monitor their servers for any suspicious behavior, such as strange XML requests or unexpected logins.
    Even though SysAid is just one platform, this incident highlights the bigger issue of how small configuration errors or overlooked updates can become major security risks. Hackers are constantly watching for any weakness they can use to get inside a network, and outdated software gives them an easy way in.
    This is a reminder that keeping software up to date is not just a recommendation — it's a critical part of defending against cyber threats. Organizations that rely on SysAid or similar tools should take a closer look at their current setup and make sure they are not leaving the door open for attackers.
  7. How Hackers Are Exploiting SysAid Software Vulnerabilities to Break into IT Systems
    Security researchers have discovered that attackers are actively targeting weaknesses in a popular IT service management platform called SysAid. These weaknesses, known as XML External Entity (XXE) vulnerabilities, were found in key components of the software and could allow hackers to gain full control of affected systems.
    SysAid is used by many businesses and organizations to manage help desk tickets, monitor system health, and automate IT tasks. Because it is often integrated deeply into internal systems, any security flaws in this software can be extremely dangerous.
    The newly discovered vulnerabilities are related to how SysAid handles XML data. XML is a format used by many applications to send and receive information, and if not handled properly, it can be used to trick the system into giving away sensitive information or executing unauthorized commands. In this case, attackers can send specially crafted XML files that allow them to read private files on the system or even take full control of the application.
    What makes the situation worse is that these flaws do not require a valid username or password to exploit. That means an attacker can launch an attack remotely without needing to log in. If successful, they could gain administrative access and start moving through other parts of the company’s internal network.
    One of the most serious risks is that these vulnerabilities can be used together with older issues in the same platform. For example, a previously discovered command injection flaw in SysAid can be combined with the new vulnerabilities to run remote code on the server. In simpler terms, it means an attacker could take over the entire system just by sending some malicious data to the right place.
    Security researchers at watchTowr Labs first uncovered these flaws earlier this year and notified the company. SysAid responded by releasing a patched version of the software, but not all organizations have updated to the latest release. That has created an opportunity for hackers who scan the internet for unpatched systems.
    Government agencies and cybersecurity experts are urging companies to update their SysAid software immediately. The patched version not only fixes the new vulnerabilities but also addresses other known security issues. Organizations are also advised to monitor their servers for any suspicious behavior, such as strange XML requests or unexpected logins.
    Even though SysAid is just one platform, this incident highlights the bigger issue of how small configuration errors or overlooked updates can become major security risks. Hackers are constantly watching for any weakness they can use to get inside a network, and outdated software gives them an easy way in.
    This is a reminder that keeping software up to date is not just a recommendation — it's a critical part of defending against cyber threats. Organizations that rely on SysAid or similar tools should take a closer look at their current setup and make sure they are not leaving the door open for attackers.



  8. Hackers Are Stealing Passwords and Taking Remote Control Using Free Tools — What’s Happening and How They’re Doing It
    In the past few months, cybersecurity experts have noticed a sharp increase in attacks where hackers steal usernames and passwords, and then take control of people’s or companies’ computers — all without needing fancy or expensive malware.
    Most of these attacks are happening in Mexico and other parts of Latin America, and they are being carried out by a group called Greedy Sponge. These hackers are after money, and they’re going after all kinds of businesses — from banks to shops to farms.
    Hackers Send Fake Files to Trick Victims
    The hackers usually start their attack by sending a fake ZIP file (a compressed folder), which may look like a regular update or document. This file often contains:
    A real-looking file (like a browser or software installer)
    A hidden virus that installs itself quietly in the background
    Once someone opens this ZIP file and clicks inside, the virus gets installed and starts its work without them knowing.
    What the Virus Does: AllaKore RAT
    The main tool hackers are using is called AllaKore RAT. RAT stands for Remote Access Trojan — basically, a tool that lets hackers take full control of your computer from far away.
    With AllaKore RAT, hackers can:
    Log your keystrokes (see what you type, including passwords)
    Take screenshots
    Upload or download files
    Use your computer like it’s their own
    In short, they can spy on you or steal sensitive information like bank logins and business documents.
    Smart Tricks to Hide Their Activity
    These hackers are not super advanced, but they’re smart. They’ve changed the way their tools work so that:
    Only people in Mexico (or certain locations) can download the full virus — this makes it harder for security teams outside the region to study it.
    The fake software they send looks exactly like real tools, so victims trust it.
    The virus can also install other harmful tools later, like:
    SystemBC – Turns your computer into a secret gateway for hackers
    Ghost Crypt – Helps viruses hide from antivirus programs like Microsoft Defender
    Hijack Loader – Used to sneak in even more dangerous malware like RedLine Stealer
    Some Hackers Even Call Victims to Speed Things Up
    In one recent attack, hackers pretended to be a new client, sent a fake PDF file, and even called the victim to rush them into opening the file and installing the virus. This method is called social engineering — using human tricks instead of code.
    New Tools Like Neptune RAT and PureRAT
    Other hackers are using new versions of tools like:
    Neptune RAT (used to take screenshots, log keystrokes, steal data)
    PureRAT (similar to AllaKore, also used for spying)
    XWorm (which Neptune is partly based on)
    These tools are easy to find and can be used by even low-skill hackers, making them popular for cybercrime.
    How Do These Tools Bypass Security?
    Hackers are using tools like:
    Ghost Crypt – A special service that hides viruses inside other files so they look safe
    Inno Setup Loaders – These are fake installers that sneak malware into your system when you think you're installing normal software
    For example, one type called Hijack Loader installs RedLine Stealer, which is made to steal saved passwords, browser data, and more.
    Why They’re Doing This: It’s All About the Money
    Most of these attacks are not meant to cause destruction — they’re meant to steal information that can be sold or used to access bank accounts, payment systems, or business platforms. Once hackers get in, they can:
    Sell your login info on hacker forums
    Access your bank account or online tools
    Use your PC to attack other people
    What You Can Do to Stay Safe
    Even if you’re not in Mexico or Latin America, these attacks can happen anywhere. Here’s how to protect yourself:
    Never open ZIP files from unknown senders
    Use antivirus software and keep it updated
    Use strong, unique passwords (and never reuse the same one)
    Enable two-factor authentication (2FA) wherever possible
    Be suspicious of urgent requests, especially if someone calls or emails you asking to open a file
    Hackers don’t need advanced tools anymore. With free remote-access tools and simple social engineering tricks, they’re stealing credentials and running attacks on real companies every day. Stay alert, be cautious with email attachments, and always question what you're downloading or clicking.
    If you work in a business — especially in finance, retail, or public services — share this with your team. Most attacks start with one person clicking the wrong thing.
  9. How Hackers Are Breaking Into Big Retail Brands Without Using Malware — And What You Can Learn From It
    In the past year, some of the world’s most well-known retail brands have fallen victim to cyber attacks. These include Adidas, The North Face, Cartier, Victoria’s Secret, Marks & Spencer, Co-op, and even Dior.
    What’s shocking is that these attacks didn’t involve high-end malware or advanced hacking tools. Instead, they were identity-based attacks — a growing method where hackers don’t break in. They log in using real usernames, passwords, and system access that wasn’t protected properly.
    These attacks happened because of poor identity management, over-trusted third parties, unused admin accounts, and weak access controls in cloud-based services. And because they relied on real credentials and legitimate sessions, they often went unnoticed for a long time.
    Let’s look deeper into what happened, how these attacks worked, and how any business — even smaller retailers — can learn from them to protect themselves.
    1. Adidas: Trusting the Wrong Third Party Can Open the Door
    Adidas didn’t get hacked directly. The breach happened through a third-party vendor they hired for customer service. That vendor got attacked, and as a result, customer data was exposed — including names, emails, and order information.
    The issue here wasn’t malware. It was too much access given to a third party, and that access wasn’t taken away after it was no longer needed. This kind of situation is often called a supply chain attack.
    Why this matters:
    Many companies allow vendors or partners to connect their tools and software using tokens or service accounts. These connections are rarely monitored, and they often don’t expire or require multi-factor authentication (MFA). That makes them easy targets for hackers looking for quiet, hidden ways into your system.
    What to take away:
    Don’t just protect your employees. Review and manage what third-party systems and vendors have access to your data, and turn off those access points when they’re no longer needed.
    2. The North Face: When Password Reuse and No MFA Lead to Trouble
    The North Face suffered a credential stuffing attack — which is when attackers try usernames and passwords leaked from other websites to log into customer accounts.
    No malware. No phishing. Just weak password habits, reused credentials, and the absence of MFA. Once inside, attackers quietly accessed personal information.
    Why this matters:
    This was not the first time The North Face was hit by a credential attack. In fact, it was their fourth incident like this since 2020. Many SaaS platforms still don’t enforce MFA, and users often reuse the same password across multiple accounts.
    What to take away:
    Credential stuffing is still one of the easiest ways for attackers to get in. Every account — especially those connected to SaaS platforms — needs MFA, strong password policies, and protections against multiple failed login attempts.
    3. Marks & Spencer and Co-op: Social Engineering Beats Technology
    These UK retailers were targeted by a group called Scattered Spider. The attackers used SIM swapping and social engineering to impersonate employees. Then, they called the IT help desks and tricked staff into resetting passwords and MFA settings — giving attackers full access.
    No malware, no phishing emails. Just smart social manipulation.
    Why this matters:
    Attackers know that humans are the weakest link. Even strong security tools can’t stop an employee from being tricked. Once inside, attackers often go after admin-level accounts or service accounts that no one monitors.
    What to take away:
    Help desk staff need better training to spot social engineering attempts. Security policies should prevent help desk staff from resetting passwords or MFA unless strict verification steps are met. And access to sensitive SaaS tools should always be limited and logged.
    4. Victoria’s Secret: When SaaS Admin Accounts Go Unwatched
    Victoria’s Secret had to delay its earnings report due to a cyber incident that affected both their website and in-store systems. While technical details were not made public, signs point to the breach coming from within their SaaS platforms — likely from an overprivileged admin account that wasn’t protected properly.
    Why this matters:
    Many SaaS applications (like those used for managing inventory, processing orders, or handling analytics) rely on internal admin roles. If those roles are misconfigured, or if an attacker takes control of them, the damage can be massive. It doesn’t even require malware — just legitimate access.
    What to take away:
    Admin accounts should be closely monitored, and access permissions should be reviewed regularly. Just because someone is an admin today doesn’t mean they still need to be one next quarter.
    5. Cartier & Dior: Customer Support Platforms Can Be a Hidden Weakness
    Cartier and Dior were breached through the SaaS platforms they used for customer service and CRM (Customer Relationship Management). Attackers didn’t go through their internal systems — they targeted external platforms used to help customers.
    These platforms are often connected to internal systems using API keys or machine accounts that rarely rotate and are easy to forget about.
    Why this matters:
    Customer service tools may seem harmless, but they often hold sensitive customer information — and they’re frequently connected to back-end systems. If those non-human accounts aren’t protected, hackers can steal massive amounts of data.
    What to take away:
    Every SaaS platform connected to your business is part of your attack surface. You should track how customer data flows through these systems and make sure all integrations are secure, especially those using API tokens or service accounts.
    So, What’s the Bigger Picture Here?
    What all these incidents show is that you don’t need fancy malware or complex exploits to breach a major company. Hackers are getting in by using what's already available — usernames, forgotten tokens, weak passwords, and human mistakes.
    They’re exploiting:
    Third-party vendors who still have access
    Passwords reused across different platforms
    Help desk staff tricked into handing over access
    Overprivileged SaaS admin accounts
    Machine identities no one monitors
    These identity-based attacks leave no malware, no digital fingerprints, and very few alerts. That’s why they’re so dangerous — and why more and more attackers are using them.
    What Can You Do to Protect Your Business?
    Whether you’re running a global retail chain or a small e-commerce store, you can take real steps to stop these types of attacks. Here are some security tips every organization should follow:
    Use multi-factor authentication (MFA) everywhere — not just for users, but also for service accounts and integrations.
    Review third-party access regularly. If a vendor no longer works with you, revoke their access immediately.
    Rotate API keys and tokens periodically. Avoid leaving them active forever.
    Train your support and help desk staff to recognize social engineering attempts.
    Limit admin privileges to only those who absolutely need it — and only for as long as they need it.
    Monitor SaaS identity behavior — both human and machine accounts — and flag anything unusual.
    Cyber attackers are no longer kicking in the front door. They’re walking in through the side gate, wearing a uniform and holding a key you gave them two years ago.
    If you're not keeping track of who has access to what, when, and how — you're already at risk.
    Make identity a core part of your security strategy. Because in today’s world, your weakest point might not be a broken system — it might be a forgotten login.
  10. Cybersecurity experts have discovered a wave of cyber attacks targeting banks and financial institutions in different parts of Africa. These attacks have been happening since at least July 2023. What’s surprising is that the hackers are not using expensive or custom-made tools. Instead, they are using open-source tools — tools that anyone can download for free from the internet.
    These hackers are smart. They use tricks to hide what they’re doing and make it look like they’re running normal programs. They even copy the signatures and icons of trusted software like Microsoft Teams or Palo Alto Cortex, so it’s harder for security systems to catch them.
    A cybersecurity research group called Palo Alto Networks Unit 42 is keeping track of this cybercrime activity. They’ve named it CL-CRI-1014 — “CL” stands for “cluster” and “CRI” stands for “criminal.” They believe the hackers’ goal is to break into computer systems and then sell that access to other criminals on the dark web. These types of hackers are known as Initial Access Brokers (IABs).
    What Tools Are the Hackers Using?
    These cybercriminals are using a mix of free, open-source software tools, including:
    PoshC2 – a tool used for controlling infected computers remotely.
    Chisel – a tool that allows hackers to secretly send information in and out of a network.
    Classroom Spy – a remote access tool originally meant for teachers to monitor students, but now being misused.
    Once they get into a network, the attackers usually install these tools to take over systems, move to other devices in the same network, and avoid being detected.
    How Do They Break In?
    So far, experts don’t know the exact method the hackers are using to get inside these financial systems. But once they’re in, the attackers install other programs like:
    MeshCentral Agent – used to control the computer remotely.
    Classroom Spy – to watch everything users are doing.
    Chisel – to go around firewalls and security blocks.
    They also use PoshC2 and make it look like it's part of popular software so that no one suspects anything. To stay inside the system for a long time, they make PoshC2 run automatically using different methods like:
    Creating a new system service
    Placing a shortcut in the Windows startup folder
    Scheduling a fake system task called “Palo Alto Cortex Services”
    They may also steal usernames and passwords, and use those to create a proxy, which lets them stay hidden and keep communicating with their command-and-control server.
    Why Is This Important?
    If you work in the banking or finance sector in Africa — or even run a small business — this is very important. Hackers don’t always go after big companies. They often look for smaller targets that don’t have strong cybersecurity. If they break into your network, they could steal sensitive information or sell access to others who might install ransomware or steal money.
    This isn’t the first time tools like PoshC2 have been used in Africa. In 2022, a similar attack campaign called DangerousSavanna targeted banks in Ivory Coast, Cameroon, Senegal, Togo, and Morocco. That time, hackers used email phishing to trick people into downloading malware.
    What Else Is Happening in Cybersecurity?
    In addition to these attacks in Africa, another threat is growing worldwide. A new ransomware group called Dire Wolf has recently attacked at least 16 companies in the U.S., India, Australia, Canada, and other countries. Their favorite targets include:
    Technology companies
    Manufacturing companies
    Financial services
    The Dire Wolf ransomware is built using a language called Golang, and it can do serious damage. It can:
    Stop important system logs (making it harder to trace the attack)
    Shut down over 75 services and 59 programs
    Delete backup copies of data so victims can't recover
    While we don’t yet know how Dire Wolf gets into systems, companies are being advised to monitor their systems carefully and follow best practices like using strong passwords, keeping software updated, and training employees on phishing attacks.
    How Can You Protect Your Business?
    If you own a website, run a business, or manage a bank or fintech company in Africa, here are some important things you should do:
    Use strong and unique passwords for all systems
    Install antivirus software and keep it up to date
    Educate your employees about phishing emails and fake downloads
    Update your software and operating systems regularly
    Use a firewall and intrusion detection system
    Monitor your network for strange behavior
    Use two-factor authentication (2FA) whenever possible
    Also, avoid downloading unknown software and be cautious of attachments or links in emails, even if they look like they came from someone you trust.

    Cybercrime is growing quickly, and hackers are getting smarter every day. By learning how these attacks work and how to protect yourself, you can help keep your company and customers safe.
    Cybersecurity is not just for IT teams anymore. Everyone — from employees to small business owners — must take part in keeping systems secure.
  11. The UK’s National Crime Agency (NCA) has announced the arrest of four individuals in connection with large-scale cyber attacks that caused significant financial damage to some of the country's most recognized retail brands. The attacks, which reportedly targeted Marks & Spencer, Co-op, and Harrods, are estimated to have caused losses of up to £440 million.
    The individuals arrested include three young men aged 17, 19, and 19, along with a 20-year-old woman, all apprehended in coordinated operations across London and the West Midlands. Authorities confirmed that these arrests are part of an ongoing investigation into organized cybercrime, focusing on breaches that leveraged ransomware and social engineering to gain unauthorized access to corporate systems.
    The Scale and Nature of the Attacks
    According to the Cyber Monitoring Centre (CMC), the cyber operations were classified as a single, coordinated cyber event, rather than unrelated breaches. The total financial impact is believed to be between £270 million and £440 million, representing one of the most damaging cyber incidents targeting UK retailers in recent years.
    The nature of the attack suggests a high level of planning and coordination. Marks & Spencer, during a parliamentary hearing earlier this month, confirmed that their systems had been impacted by ransomware, specifically naming a group known as DragonForce. Investigators believe DragonForce did not act alone, but rather operated in collaboration with other loosely affiliated actors forming part of a broader cybercriminal ecosystem.
    Suspected Link to Scattered Spider
    While the NCA has not publicly confirmed the names of the groups behind the attacks, investigators and private sector experts believe that elements of the cyber campaign may be connected to a notorious hacking collective known as Scattered Spider. This decentralized cybercrime group has made a name for itself through its use of advanced social engineering techniques to breach organizations and deploy ransomware.
    Unlike traditional financially-motivated groups that rely heavily on malware alone, Scattered Spider has gained notoriety for leveraging human manipulation—voice phishing, impersonation of employees, and infiltration of help desk systems—to gain access to corporate networks. Security analysts have described the group as one of the most persistent and capable adversaries targeting Western organizations.
    Scattered Spider is believed to be an offshoot of a broader loose-knit collective known as The Com, which has been linked to a range of illegal activities beyond cybercrime, including sextortion, SIM swapping, swatting, and even violent crimes such as kidnapping and murder. This blending of traditional cybercrime with broader criminal behavior underscores the evolving threat landscape organizations now face.
    Arrests a Major Step Forward, but Investigation Continues
    Deputy Director Paul Foster, who leads the National Cyber Crime Unit at the NCA, called the arrests a major development in a complex, fast-moving investigation. According to Foster, “These arrests represent significant progress, but our work continues alongside international partners to identify all individuals involved and hold them accountable.”
    The four suspects were arrested at their residences, and authorities have seized electronic devices for forensic examination. Investigators are expected to analyze digital evidence for connections to known threat groups, stolen data, ransom negotiation records, and cryptocurrency transactions.
    Notably, independent cybersecurity researcher Brian Krebs later identified two of the suspects as Owen David Flowers and Thalha Jubair, both of whom are allegedly linked to earlier cybercriminal operations. Jubair, in particular, is suspected of having been a key member of the LAPSUS$ group and the former administrator of Doxbin, a pastebin platform used for publishing personal data.
    A Profile of the Modern Attacker
    What sets Scattered Spider apart from traditional cybercriminal groups is not only their tactics, but also their demographic makeup. Unlike many groups based in Eastern Europe or Asia, Scattered Spider is believed to consist largely of young, native English speakers. This gives them an edge in voice-based social engineering attacks, as they can convincingly impersonate employees during phone calls to IT help desks or customer support centers.
    Security experts warn that many of these individuals are teenagers, lured into cybercrime by promises of quick financial rewards, often without fully understanding the legal consequences. Some begin participating in phishing operations and vishing calls while still underage, a trend that law enforcement has started to clamp down on more aggressively.
    Threat researcher Zach Edwards noted that these young actors are being used as frontline operatives, making phishing calls and handling initial access operations. Their voices and digital footprints make them easier to track and prosecute, while higher-ranking members of the group remain in the shadows.
    Tactics and Techniques
    Reports from cybersecurity firms such as Mandiant and Halcyon provide additional insight into the tools and strategies used by these attackers. One common approach involves creating fake login portals that mimic legitimate corporate systems. Employees are tricked into entering their credentials, which are then captured and used to gain network access.
    Once inside, attackers often move laterally across the network, deploy ransomware, and extract sensitive data for extortion. In several cases, organizations have been forced into lengthy downtime and expensive recovery processes, not to mention regulatory scrutiny and reputational damage.
    Defending Against Social Engineering and Ransomware
    While the arrests are a positive sign of law enforcement effectiveness, security professionals caution that the threat has not been eliminated. The decentralized nature of these groups means others may quickly take their place. Organizations must use this window of opportunity to strengthen their defenses.
    Some key defensive recommendations include:
    Training help desk staff to enforce strong identity verification protocols
    Deploying phishing-resistant Multi-Factor Authentication (MFA) across all accounts
    Monitoring for suspicious domains and fake login pages mimicking corporate portals
    Keeping incident response plans up to date and tested regularly
    Collaborating with threat intelligence providers to stay informed on emerging attack techniques
    Charles Carmakal, CTO at Mandiant Consulting, described the arrests as “a significant win” but emphasized the importance of international collaboration and proactive defense. According to Carmakal, the effectiveness of groups like Scattered Spider is not due to novel techniques, but their persistence and skill in manipulating human trust.
    The Bigger Picture
    This case highlights the changing nature of cybercrime in 2025. Cybercriminals are becoming younger, more organized, and more audacious in their methods. As the lines between digital and physical crimes continue to blur, law enforcement agencies must adapt quickly—and businesses must take security more seriously than ever before.
    While arrests bring temporary disruption, the long-term solution lies in security awareness, technological preparedness, and cross-border law enforcement cooperation.
    Organizations, especially those in retail, finance, and healthcare, must not wait for a breach to take action. The tools and techniques used in these recent attacks are widely available, and many criminal groups now operate with professional structures, financial incentives, and even recruitment pipelines that target tech-savvy youth.
    Taking cybersecurity seriously is no longer optional—it is a business imperative.
  12. Chinese Cyber Espionage Groups Exploit SharePoint Vulnerabilities in Coordinated Attacks, Microsoft Warns
    Microsoft has issued a new warning about a series of active cyberattacks targeting vulnerable SharePoint Server systems. These attacks have been formally linked to multiple Chinese state-sponsored threat actors, highlighting an urgent security risk to organizations still running unpatched, internet-facing SharePoint deployments.
    The tech giant confirmed that three advanced persistent threat (APT) groups—Linen Typhoon, Violet Typhoon, and Storm-2603—have been exploiting previously identified vulnerabilities in SharePoint servers, using them as a stepping stone to gain unauthorized access to enterprise networks.
    According to Microsoft, the malicious activity has been ongoing at least since July 7, 2025, and appears to be increasing in scope and sophistication. The company’s latest intelligence also aligns with earlier reports from other cybersecurity firms, reinforcing the seriousness of the campaign.
    SharePoint Flaws Being Exploited
    At the core of the attacks are vulnerabilities in on-premises SharePoint Server environments, including:
    CVE-2025-49706 – a spoofing vulnerability
    CVE-2025-49704 – a remote code execution (RCE) flaw
    While Microsoft previously released patches for these issues, the threat actors have found workarounds that bypass the original fixes. These bypass methods have now been assigned new identifiers:
    CVE-2025-53771
    CVE-2025-53770
    In real-world exploitation observed by Microsoft, attackers are targeting the SharePoint ToolPane endpoint using crafted POST requests. This method allows them to bypass authentication mechanisms and execute code remotely on the server. From there, attackers typically deploy a web shell—usually named spinstall0.aspx, spinstall1.aspx, or similar—giving them persistent backdoor access to the compromised environment.
    This web shell provides access to sensitive server-side data, including MachineKey information, which can be used to facilitate lateral movement, further exploitation, or data theft.
    Groups Behind the Exploitation
    Linen Typhoon
    Also known as APT27, Bronze Union, Lucky Mouse, or Emissary Panda, this group has been active since at least 2012. Known for their use of tools like SysUpdate, HyperBro, and PlugX, Linen Typhoon has a long history of conducting cyber espionage campaigns targeting both private and government-sector networks.
    Violet Typhoon
    Active since around 2015, Violet Typhoon is also known as APT31 or Zirconium. The group has previously conducted campaigns against countries including the United States, Finland, and Czechia. They are known for targeting sensitive geopolitical and technology-related sectors.
    Storm-2603
    A newer China-based actor, Storm-2603 is believed to have ties to the deployment of both Warlock and LockBit ransomware. While not as well-documented as the other two groups, Microsoft’s report suggests that Storm-2603 has become increasingly active in exploiting unpatched SharePoint vulnerabilities as part of its initial access strategy.
    Deeper Technical Analysis Reveals Sophisticated Behavior
    Cybersecurity researcher Rakesh Krishnan contributed additional insights into the tactics being used during forensic analysis of these attacks. In at least one case, investigators found that the exploitation process involved three different invocations of Microsoft Edge, including:
    Network Utility Process
    Crashpad Handler
    GPU Process
    Each of these processes has a legitimate role in the Chromium browser architecture. However, the attackers are believed to have used them strategically to mimic typical system behavior and evade sandbox detection tools.
    Even more alarming, the malicious web shell used by the attackers was found to communicate using Google’s Client Update Protocol (CUP). By doing so, the attackers are able to disguise their traffic as routine browser update checks, making it far more difficult for defenders to detect or block the communication.
    Recommended Mitigations for Organizations
    In response to the threats, Microsoft has published a set of urgent mitigation recommendations. Organizations using SharePoint Server Subscription Edition, SharePoint Server 2019, or SharePoint Server 2016 should take the following actions without delay:
    Apply all recent SharePoint updates, including patches that address CVE-2025-53770 and CVE-2025-53771.
    Rotate ASP.NET machine keys used by the SharePoint instance to prevent reuse by attackers.
    Restart Internet Information Services (IIS) to ensure any exploited sessions are terminated.
    Deploy endpoint detection and response (EDR) tools, such as Microsoft Defender for Endpoint, or equivalent.
    Enable AMSI (Antimalware Scan Interface) and configure it to Full Mode for maximum threat visibility.
    Ensure that Microsoft Defender Antivirus or an equivalent security solution is installed and up to date across all systems.
    These steps are necessary to reduce exposure and eliminate persistence mechanisms that threat actors may have left behind on compromised servers.
    History of Chinese Threat Activity Targeting Microsoft Products
    This is not the first time Microsoft has publicly attributed large-scale cyber campaigns to Chinese state-sponsored groups. In March 2021, a group referred to as Silk Typhoon (formerly known as Hafnium) was linked to the mass exploitation of Microsoft Exchange Servers through a series of zero-day vulnerabilities. That attack, later dubbed ProxyLogon, impacted thousands of organizations globally and became one of the most significant cybersecurity incidents of that year.
    Adding further context to China's cyber activities, earlier in July 2025, a 33-year-old Chinese national named Xu Zewei was arrested in Italy. He was charged with conducting cyber attacks against U.S. organizations and government agencies, specifically using the same Exchange Server vulnerabilities exploited during the ProxyLogon incident.
    Outlook and Ongoing Threat
    Microsoft’s assessment of the current situation is blunt: attackers will likely continue to exploit these SharePoint vulnerabilities, especially against unpatched on-premises systems. Organizations that have not yet applied the latest updates or taken other necessary security steps are at significant risk of compromise.
    As SharePoint remains a widely used platform for internal collaboration, project management, and enterprise content hosting, it presents a highly attractive target for espionage-focused actors. The use of sophisticated tools and techniques—such as encrypted communication, process mimicry, and web shell obfuscation—demonstrates a high level of planning and technical skill.
    Security teams must treat this campaign as active and ongoing. The window for easy exploitation remains open for any organization lagging behind on updates or operating without modern security monitoring.
    Final Thoughts on Securing SharePoint Environments
    This recent campaign highlights a broader trend in cybersecurity: attackers are quick to adapt, reuse, and evolve their methods, especially when targeting widely deployed enterprise platforms like SharePoint. Once a vulnerability becomes public—especially one involving authentication bypass or remote code execution—threat actors begin incorporating it into their playbooks almost immediately.
    As always, staying protected is not about reacting to the breach after it happens, but about preventing it altogether. Keeping your infrastructure updated, actively monitoring systems, and deploying layered security controls can significantly reduce your exposure to these sophisticated threats.
    For organizations that rely on SharePoint for day-to-day operations, now is the time to act. Apply the latest patches, confirm your security configurations, and work with your IT and cybersecurity teams to close any remaining gaps.
    Cybersecurity is not a one-time fix—it’s a continuous process of awareness, assessment, and action.