Cyber security aggregate rss news

Cyber security aggregator - feeds history

Russian GRU Is Hacki ...

Espionage

In a joint cybersecurity advisory issued today, U.S. and allied intelligence agencies confirmed what many threat analysts have long suspected: the Russian GRU military intelligence agency is systematically targeting the digital backbone of logistics and transportation providers across Europe and North America. The campaign, detailed in a 25-page report from the NSA, FBI, CISA, and partners from 10 countries, including the U.K., Australia, and Germany, spotlights a coordinated cyber espionage effort by GRU’s Unit 26165—more widely recognized in the threat intel world as APT28, Fancy Bear, or Forest Blizzard. Targets at the center of the campaign were freight operators, rail networks, air traffic systems, and cloud tech vendors—anyone with a role in getting military and humanitarian aid to Ukraine. Targets have included organizations in 14 countries, including IP cameras in Hungary, a Russian ally.

Russian GRU Campaign Not Just Malware — Surveillance Too

What stands out in the report is the scale and creativity of the GRU’s tactics. The hackers aren’t just hijacking email servers or pushing trojans. They’re hacking into IP cameras, too—10,000 of them, to be exact—mostly around Ukrainian borders, using weak credentials and exposed RTSP services to turn physical surveillance into digital eyes on the ground.

[Image: List of countries where IP cameras were targeted. (Source: defense.gov)]

In parallel, GRU operators launched targeted intrusions on shipping and logistics companies, exploiting familiar weaknesses like unpatched Exchange servers, WinRAR bugs (CVE-2023-38831), and Outlook NTLM leaks (CVE-2023-23397). The aim was stealing shipment manifests, routing info, and sensitive business data that could tip off troop or equipment movement. The combination of shipping data theft and compromised video feeds likely gives attackers real-time visibility into what’s moving, where, and when. It’s tactical intelligence collection at enterprise scale.

The GRU Malware Stack

The HEADLACE backdoor, first reported by IBM X-Force during the Israel-Hamas conflict, was found embedded in malicious shortcut files. Once activated, it initiated headless browser sessions to exfiltrate stolen data, clear logs, and maintain access. MASEPIE, a Python-based backdoor, offered remote shell access, file transfers, and command execution capabilities, often disguised as routine background processes. Another tool, STEELHOOK, enabled credential harvesting from browsers like Chrome and Edge by decrypting stored passwords using PowerShell-based techniques. The actors also employed LOLBins—legitimate system tools like ntdsutil, wevtutil, and ADExplorer—to evade detection and live off the land.

In one case, GRU hackers gained control of an ICS vendor’s email platform, then pivoted to compromise customers in the railway sector. In another, they used stolen credentials and MFA fatigue techniques to access VPN infrastructure at a shipping company.

What the Russian GRU Wants

This isn’t a smash-and-grab ransomware operation. It’s long-term surveillance: the kind of campaign that’s designed to persist, quietly gather intelligence, and interfere only when necessary. And while the report doesn't explicitly name any targets by company, the industries hit hardest—logistics, transportation, and defense-adjacent vendors—are the same ones that move military hardware, humanitarian supplies, and critical infrastructure parts into conflict zones. The big concern? These compromised networks could give Russia a battlefield edge—intercepting aid, sabotaging supply lines, or simply watching to see how the West moves.

How Companies Should Respond

The advisory includes a laundry list of technical mitigations, including:

- Blocking known C2 infrastructure
- Hardening VPN and email access
- Reconfiguring exposed IP cameras
- Patching known exploited vulnerabilities (especially in Outlook, Exchange, and WinRAR)
- Monitoring PowerShell use and system tool abuse

But there’s also a broader message: if you’re in the logistics or defense supply chain, and especially if you support Ukraine—even indirectly—you’re already a target. Organizations in these sectors should assume compromise and act accordingly, the advisory suggests.

The Big Picture

Russia’s digital playbook in Ukraine is evolving. While early campaigns relied on headline-grabbing wipers and power grid attacks, the new frontier is far more strategic—and far more subtle. What we’re seeing now is cyberwar as surveillance: fewer fireworks, more cameras. The GRU isn’t just breaking things—it’s watching, learning, and waiting. And for companies moving cargo or manufacturing gear with ties to conflict zones, that means cybersecurity is no longer just a compliance issue. It’s operational security. It’s national security.

Millions of Node.js ...

Firewall Daily

Two high-severity security flaws have been identified in Multer, a popular middleware used in Node.js applications for handling file uploads. The Multer vulnerabilities, tracked as CVE-2025-47944 and CVE-2025-47935, affect all versions from 1.4.4-lts.1 up to but not including 2.0.0. According to the GitHub post, the two vulnerabilities “allow an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process”.

Details of the High-Risk Multer Vulnerabilities

The first vulnerability, associated with CVE-2025-47944, allows attackers to crash a Node.js application by sending a maliciously crafted multipart/form-data request. This malformed request causes an unhandled exception during parsing, leading to an immediate termination of the server process. According to GitHub advisory GHSA-4pg4-qvpc-4q3h, this flaw scores a 7.5 on the CVSS v3.1 scale, categorizing it as a high-severity issue.

In a separate but equally critical finding, CVE-2025-47935 reveals a memory leak vulnerability in versions prior to 2.0.0. The issue arises when HTTP request streams emit errors, and Multer fails to close the internal busboy stream properly. Over time, this results in unclosed streams accumulating, consuming valuable system resources like memory and file descriptors. The outcome: a potential DoS scenario that could cripple a server under sustained or repeated failure conditions.

Both flaws were initially reported and analyzed by security researcher @ctcpip, with contributions from @max-mathieu, @wesleytodd, @UlisesGascon, and @marco-ippolito. Their collective findings emphasize the severity and ease of exploitation, given that no privileges or user interaction are required to trigger the issues.

Why These Vulnerabilities Matter

What makes these flaws particularly dangerous is the middleware’s core function—it handles user-uploaded content. This inherently places it on the front lines of attack surfaces, especially in public-facing applications. As such, even a single malicious request can exploit this weakness, potentially leading to complete service outages.

Multer is deeply embedded in the Node.js ecosystem. With millions of weekly downloads via npm, it powers file uploads for applications ranging from personal websites to enterprise-grade platforms.

According to the official advisories and discussions around issues #1176 and #1120, there are no workarounds available for either vulnerability. The only effective mitigation is upgrading to version 2.0.0, which includes the necessary patches to close these security gaps. For organizations unable to deploy the update immediately, increased monitoring of crash logs and system resources is recommended as a temporary protection method, though this is by no means a replacement for a proper fix.

Conclusion

The flaws—CVE-2025-47944 and CVE-2025-47935—highlight a broader lesson for the Node.js community: even widely adopted and trusted packages can introduce critical security risks. To mitigate the risk associated with CVE-2025-47944 and CVE-2025-47935, organizations should apply proactive security practices, including regular dependency audits, automated vulnerability scanning, and adherence to Node.js stream safety guidelines, especially when handling untrusted input like file uploads. Additionally, all developers and organizations using Multer should immediately upgrade to version 2.0.0, as no workarounds exist.

Kettering Health Hit ...

Cyber News

Kettering Health, a major healthcare provider in Ohio, is currently facing a widespread technology outage due to a cybersecurity incident involving unauthorized access to its network. The Kettering Health cyberattack has impacted operations across its network of more than a dozen medical centers, prompting the cancellation of elective medical procedures and the suspension of certain communication systems.

In a public statement released Tuesday morning, Kettering Health confirmed the cyberattack, describing it as a “cybersecurity incident resulting from unauthorized access” to its network systems. The organization stated that immediate steps were taken to contain and mitigate the breach, and that an investigation is actively underway. Kettering Health has also implemented monitoring protocols to prevent further unauthorized access.

“We are currently experiencing a cybersecurity incident resulting from unauthorized access to our network. We have taken steps to contain and mitigate this activity and are actively investigating and monitoring the situation,” the statement read.

Kettering Health Cyberattack Causes Operational Impact

The cyberattack on Kettering Health has triggered a system-wide technology outage, affecting several critical patient care systems throughout Kettering Health’s network. As a result, elective inpatient and outpatient procedures scheduled for Tuesday, May 20, have been canceled. These procedures will be rescheduled at a later date, with more details to be shared as the situation evolves. The organization emphasized that its emergency rooms and clinics remain open and are continuing to see patients.

Kettering Health reassured the public that despite the technical issues, it has contingency plans in place to ensure that patients currently receiving care in its facilities continue to receive safe and high-quality medical services. “We have procedures and plans in place for these types of situations and will continue to provide safe, high-quality care for patients currently in our facilities,” the statement noted.

However, the hospital network's call center is also affected by the outage, potentially making it difficult for patients and the general public to contact the health system for updates or support. No timeline has been provided yet for full system restoration, but leadership teams are reportedly working closely with technical experts to restore services swiftly and securely.

Scam Calls Alert Issued

Kettering Health has issued a warning to the public about scam phone calls from individuals posing as Kettering Health employees. These callers are reportedly asking for credit card payments to cover medical expenses. The health system confirmed that while it is standard practice to discuss payment options with patients over the phone, it has temporarily suspended all such calls “out of an abundance of caution.”

“We have confirmed reports that scam calls have occurred from persons claiming to be Kettering Health team members requesting credit card payments for medical expenses,” the organization shared in its advisory.

Kettering Health has urged individuals who receive suspicious calls requesting payment to refrain from sharing any personal or financial information and to report such incidents to local law enforcement immediately. It remains unclear at this stage whether these scam calls are directly related to the Kettering Health cyberattack and network outage.

“While it is customary for Kettering Health to contact patients by phone to discuss payment options for medical bills, we will not be making calls to ask for or receive payment over the phone until further notice,” the advisory added.

No Confirmed Link Between Scam Calls and Cyberattack

At this point, hospital officials have not confirmed whether the scam calls are connected to the cybersecurity breach or the system-wide outage. The Kettering Health cyberattack is being actively investigated by internal teams, and Kettering Health has promised to keep the public informed with updates as more details become available.

Despite the operational setbacks due to the Kettering Health cyberattack, the leadership team has emphasized its commitment to ensuring patient safety and data security. The organization is working with cybersecurity professionals and law enforcement agencies to investigate the incident and secure its IT infrastructure.

“Our leadership is working with multiple teams to restore services quickly and securely. We will continue to update the community as new information emerges. We appreciate your patience and support,” the statement concluded.

What Patients Should Do After the Kettering Health Cyberattack

For patients affected by the cancellation of elective procedures, Kettering Health has assured that rescheduling will be prioritized as systems are restored. Patients are encouraged to monitor Kettering Health’s official website and social media channels for the latest updates. Anyone who receives a phone call asking for payment or sensitive information should:

- Not provide any personal or financial details.
- Hang up immediately and verify the call through official channels.
- Report the incident to local law enforcement.

Conclusion

As Kettering Health works to restore normal operations, the cyberattack on Kettering Health serves as a reminder of how essential cybersecurity has become in healthcare. While emergency services remain operational, the impact on elective care and communications reflects the far-reaching effects a single breach can have on both systems and patients. The public is advised to stay informed through credible sources and to practice vigilance when dealing with unfamiliar or unsolicited communications.

India Launches e-Zer ...

Firewall Daily

The Indian Ministry of Home Affairs (MHA) has introduced the e-Zero FIR system, a digital-forward solution to ensure justice for victims of financial cybercrimes. Announced by India's Union Home Minister and Minister of Cooperation Amit Shah on May 19, 2025, this initiative is part of the government’s Cyber Secure Bharat initiative.

Under the supervision of the Indian Cybercrime Coordination Centre (I4C), the e-Zero FIR initiative has been rolled out as a pilot project in Delhi. Its core functionality is to automatically convert cybercrime complaints reported on the National Cybercrime Reporting Portal (NCRP) or the national helpline 1930 into Zero FIRs when the monetary loss exceeds ₹10 lakh (11,671 USD). This conversion will be processed through the Delhi Police’s e-FIR system and further integrated into the Crime and Criminal Tracking Network & Systems (CCTNS) managed by the National Crime Records Bureau (NCRB).

e-Zero FIR: Speed and Accessibility in Cybercrime Response

According to Amit Shah, this innovation will "enable unprecedented speed in nabbing cybercriminals" and dramatically improve the conversion rate of NCRP/1930 complaints into formal FIRs.

[Image: Union Home Minister on e-Zero FIR (Source: X)]

The foundation for the e-Zero FIR and e-FIR systems lies in the newly enacted Bharatiya Nagarik Suraksha Sanhita (BNSS), 2023, which replaces the outdated Criminal Procedure Code of 1973. Alongside BNSS, the government has also introduced Bharatiya Nyaya Sanhita (BNS) in place of the Indian Penal Code, 1860, and Bharatiya Sakshya Adhiniyam (BSA) replacing the Indian Evidence Act of 1872. These legal reforms, effective from July 1, 2024, aim to streamline criminal procedures and make law enforcement more victim-centric and technologically equipped.

The Standard Operating Procedures (SOPs) under BNSS provide a structured framework for Zero FIR and e-FIR processing. These SOPs emphasize accessibility, uniformity, and efficiency. They allow for:

- Registration of FIRs irrespective of territorial jurisdiction (Zero FIR)
- Filing of complaints online without visiting a police station (e-FIR)
- Mandatory video recording and interpreter support for vulnerable victims
- Specific provisions for cases involving offences against women and persons with disabilities

Key Features of e-Zero FIR

The e-Zero FIR mechanism works by routing complaints involving financial losses over ₹10 lakh (11,671 USD) directly to Delhi’s e-Crime Police Station, where they are initially registered as Zero FIRs. Complainants are then required to validate the FIR within three days at their local cybercrime police station, which subsequently converts it into a regular FIR for further investigation.

Importantly, Section 173(1) and (1)(ii) of BNSS legally underpin this mechanism. This framework effectively removes jurisdictional bottlenecks and enables immediate initiation of investigations, which is crucial in cases of digital money trails. Additionally, complaints can now be digitally verified and acted upon, with investigating officers authorized to take quick action if the circumstances warrant urgent police intervention.

Expanding Nationwide After Pilot Success

Though currently operational in India's capital, Delhi, the e-Zero FIR project is designed for nationwide implementation. As per Home Minister Amit Shah’s directives, the system will soon be rolled out across all states and Union Territories. This expansion aligns with the Modi government's broader strategy to strengthen the national cybersecurity grid, further realizing the vision of a Cyber Secure Bharat. The initiative also directly responds to public grievances regarding the delays in recovering lost funds due to cyber fraud, which have plagued India's legal system.

Integration with Digital Platforms: NCRP and Sankalan App

The National Cybercrime Reporting Portal (NCRP) and helpline 1930 serve as entry points for public complaints. With the launch of e-Zero FIR, these platforms are no longer passive gateways but dynamic tools in the crime-fighting arsenal.

To support the understanding of the new criminal laws, the NCRB has launched the “NCRB Sankalan of Criminal Laws” mobile app, which compiles and explains the new laws in an accessible, user-friendly format. This initiative empowers citizens, law enforcement, and legal professionals alike with real-time information and tools.

The BNSS also ensures accountability through legal remedies if officials fail to register Zero FIRs or e-FIRs. Section 173(4) BNSS allows victims to escalate their grievances to the Superintendent of Police, who must act upon a cognizable offence. In case of willful negligence or refusal, Section 199 of BNS mandates rigorous imprisonment of 6 months to 2 years and applicable fines for public servants who violate these protocols.

Dutch Espionage Law ...

Cyber News

Starting May 15, the Netherlands has introduced a new law that broadens the definition of espionage and introduces stricter penalties for cyber-related offenses. The Dutch Espionage law is aimed at protecting national security, critical infrastructure, and sensitive economic and technological information from foreign interference.

Previously, Dutch legislation only criminalized the leaking of state secrets. The updated law now makes it illegal to leak sensitive information, even if it isn’t officially classified, when doing so could harm Dutch interests. It also punishes individuals who secretly work for foreign governments or act in ways that undermine national security.

Dutch Espionage Law Redefined for a Digital Era

The landscape of espionage has changed significantly in recent years. It’s no longer limited to intelligence agents and secret files. Today, it includes cyberattacks, data theft, manipulation of diaspora communities, and even academic infiltration. The new law addresses these modern threats by updating the Criminal Code to include:

- Digital espionage: Hacking or data theft for the benefit of a foreign state
- Diaspora espionage: Monitoring or pressuring citizens or former nationals living in the Netherlands
- Economic and academic targeting: Stealing trade secrets or scientific research
- Political manipulation: Activities that interfere with Dutch policymaking or public opinion

With this legal update, more types of espionage are now punishable, even if the information involved is not officially classified as a state secret.

What Becomes Punishable Under Dutch Espionage Law 2025

Under the new rules, individuals can be prosecuted for:

- Leaking sensitive information to a foreign government, even if it is not officially classified
- Acting on behalf of a foreign state in ways that endanger Dutch interests
- Espionage activities aimed at allies or international organizations
- Espionage conducted from outside the Netherlands but targeting Dutch institutions or infrastructure
- Inciting others to engage in espionage

The law also makes it easier for authorities to take legal action in cases involving indirect or less visible forms of influence, such as psychological pressure, bribery, or hidden financial support.

Harsher Penalties

The penalties under the new law are more severe than before. Individuals found guilty of espionage-related crimes may face:

- Up to eight years in prison for standard offenses
- Up to twelve years in extreme cases, such as espionage that leads to death or major disruption

In addition to the main offenses, penalties have also been increased for related crimes such as:

- Computer hacking and other cyber offenses
- Bribery or financial incentives tied to foreign influence

These enhanced punishments reflect the growing concern about cyber threats and their potential to cause serious harm to national interests.

[Image: Source: https://www.nctv.nl/]

A Focus on Digital Threats

The rise of cyber espionage has been a major reason for this legal reform. Dutch authorities have seen increasing attempts by foreign actors to break into digital systems, extract information, and manipulate key sectors. Over the past year, Dutch intelligence agencies have warned about state-sponsored hacking attempts, including:

- Chinese cyber-espionage targeting Western research institutions
- Russian hacking efforts directed at Dutch critical infrastructure
- Attempts to infiltrate global institutions such as the International Criminal Court and the international chemical weapons watchdog—both based in The Hague

In response, the law boosts protection for industries considered vital to Dutch security, including:

- Telecommunications
- Biotechnology and pharmaceuticals
- Higher education and scientific research institutions

The government has also introduced a vetting system for foreign students and researchers accessing sensitive academic materials.

Protecting the Diaspora

A unique aspect of the new law is its focus on protecting members of diaspora communities living in the Netherlands. Foreign governments have been known to monitor and pressure their former citizens abroad, using tactics like:

- Collecting personal data without consent
- Threatening or blackmailing individuals into compliance
- Silencing critics or political opponents
- Recruiting diaspora members to spy on their own communities

These actions are now explicitly covered by the new legislation. Dutch authorities can now take legal action against individuals or groups who act on behalf of foreign powers to intimidate or manipulate diaspora residents.

Foreign Interest in Non-Classified Data

Foreign intelligence efforts aren’t just about accessing classified government files. There is also a growing interest in:

- Trade secrets from businesses
- Scientific research from universities
- Political insights that could shape public policy or international relations

This type of sensitive-but-unclassified information can be used to influence political processes, undermine economic sectors, or drive wedges between allied nations. The new law allows the Dutch government to respond to such threats more effectively, even when the stolen information isn’t officially labeled as a “state secret.”

Warning Signs of Foreign Influence

To help individuals and organizations stay alert, Dutch authorities have outlined several signs that may indicate foreign influence or espionage attempts:

- Receiving unusual gifts, travel offers, or invitations to exclusive events
- Meetings or communications that take place outside normal work channels
- An unusual interest in personal or private matters
- Requests to keep certain relationships or discussions secret
- Pressure to avoid public positions or opinions on sensitive issues

Employees in key sectors are being encouraged to report any such behavior to security officials.

Building a Resilient Legal Framework

The expanded law is part of a broader national strategy to build stronger defenses against modern threats. As espionage activities evolve, countries like the Netherlands are adapting their legal systems to match. By addressing not just classic espionage but also digital threats, foreign manipulation, and indirect influence, the Netherlands is taking a more comprehensive approach to security. The law aims to:

- Safeguard the privacy and rights of individuals
- Protect key sectors and research institutions
- Maintain the integrity of political and social systems
- Support international security and cooperation

This legislative update sends a strong signal that the Netherlands is prepared to respond to modern espionage with modern tools and serious consequences.

Active Directory dMS ...

Cyber News

The delegated Managed Service Account (dMSA) feature was introduced in Windows Server 2025 as a secure replacement for legacy service accounts and to prevent credential attacks like Kerberoasting, but an Akamai researcher discovered a privilege escalation vulnerability in dMSA that could allow an attacker to compromise any user in Active Directory (AD).

In a blog post published today, Akamai researcher Yuval Gordon detailed a dMSA attack that works with default configurations, has low attack complexity, and could affect most organizations that use Active Directory (AD). “In 91% of the environments we examined, we found users outside the domain admins group that had the required permissions to perform this attack,” Gordon wrote.

“By abusing dMSAs, attackers can take over any principal in the domain,” the researcher said. “All an attacker needs to perform this attack is a benign permission on any organizational unit (OU) in the domain — a permission that often flies under the radar. And the best part: The attack works by default — your domain doesn’t need to use dMSAs at all. As long as the feature exists, which it does in any domain with at least one Windows Server 2025 domain controller (DC), it becomes available.”

Microsoft plans to fix the issue, but no patch is currently available.

Active Directory dMSA Attack Detailed

The blog post goes into great detail on the dMSA migration process, but a key point in the attack development came when the researcher was looking for a way around the limitation that account migration is restricted to Domain Admins, so he simulated a migration by setting two attributes on the dMSA object:

- Write the target account’s Distinguished Name (DN) to msDS-ManagedAccountPrecededByLink
- Set msDS-DelegatedMSAState to value 2 (migration completed)

The effect of those changes was to grant the researcher the full permissions of the superseded account. “One interesting fact about this ‘simulated migration’ technique, is that it doesn’t require any permissions over the superseded account,” Gordon said. “The only requirement is write permissions over the attributes of a dMSA. Any dMSA.”

Once a dMSA has been marked as preceded by a user, the Key Distribution Center (KDC) “automatically assumes a legitimate migration took place and happily grants our dMSA every single permission that the original user had, as though we are its rightful successor.”

That attack technique, which the researcher named “BadSuccessor,” works on any user, including high-privileged accounts like Domain Admins. “It allows any user who controls a dMSA object to control the entire domain. That’s all it takes. No actual migration. No verification. No oversight.”

One scenario more likely to be available to attackers is to create a new dMSA. When a user creates an object in AD, they have full permissions over all of its attributes, Gordon said: “Therefore, if an attacker can create a new dMSA, they can compromise the entire domain.” dMSAs are not restricted to the Managed Service Accounts container and can be created in any normal organizational unit (OU).

The researcher located an OU on which he had privileges – an OU called “temp” in the example environment – and gave the unprivileged user “weak” permissions to create child objects using the path argument in the accessible OU. The researcher then granted write access on the two attributes used in the attack, setting msDS-ManagedAccountPrecededByLink to any user or computer’s DN and msDS-DelegatedMSAState to “2” to simulate a completed migration.

Gordon said “this attack seems to work on all accounts in AD. We were unable to find any configuration that would prevent an account from being used as a superseded target.”

They were also able to access credentials with a new structure called KERB-DMSA-KEY-PACKAGE, which includes two fields: current-keys and previous-keys. When requesting a Ticket Granting Ticket (TGT) for a new dMSA, the researcher found the previous-keys field wasn’t empty. It contained the key corresponding to the password used for his target account during the demo.

“The msDS-ManagedAccountPrecededByLink doesn't just link the dMSA to the superseded account for permission purposes, it also lets the dMSA inherit its keys,” Gordon said. “This means that this attack can also be used to get the keys of any (or every) user and computer in the domain... Although we have not analyzed the entire implementation, our theory is that this behavior exists to ensure seamless continuity during account migration for the end user’s benefit.”

Microsoft’s Response

Akamai said Microsoft has acknowledged the issue and confirmed its validity, but rated it a Moderate severity vulnerability that doesn’t meet the threshold for immediate servicing.

“While we appreciate Microsoft’s response, we respectfully disagree with the severity assessment,” Gordon wrote. “This vulnerability introduces a previously unknown and high-impact abuse path that makes it possible for any user with CreateChild permissions on an OU to compromise any user in the domain and gain similar power to the Replicating Directory Changes privilege used to perform DCSync attacks.”

Until a patch is released by Microsoft, Akamai recommends limiting the ability to create dMSAs and tightening permissions wherever possible. Akamai created a PowerShell script to help with that. “This research highlights how even narrowly scoped permissions, often assumed to be low risk, can have far-reaching consequences in Active Directory environments,” Gordon concluded.

image for What is cyber-resili ...

 Business

Attacks on corporate IT infrastructure — especially using ransomware — and other cyber incidents are increasingly topping the lists of risks to business continuity. More importantly, they’ve caught the attention of management, who now ask not “Might we be attacked?” but “What will we do when we’re attacked?” As a result, many companies are striving to develop cyber-resilience.

The World Economic Forum (WEF) defines cyber-resilience as an organization’s ability to minimize the impact of significant cyber incidents on its primary business goals and objectives. The U.S. National Institute of Standards and Technology (NIST) refines this: cyber-resilience is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, attacks, or compromises of cyber systems.

Everyone agrees today’s companies need cyber-resilience — but actually implementing a cyber-resilience strategy presents many challenges. According to a Cohesity survey of 3100 IT and cybersecurity leaders, 98% of surveyed companies aim to be able to recover from a cyberattack within 24 hours, while only 2% can actually meet that goal. In reality, 80% of businesses need between four days and… three weeks to recover.

The seven pillars of cyber-resilience

In its Cyber-Resilience Compass whitepaper, the WEF identifies the following key components of a strategy:

Leadership: embedding cyber-resilience into the company’s strategic goals; communicating clearly with teams about its importance; defining company-wide tolerance levels for major cyber-risks; empowering those responsible for designing and (if necessary) executing rapid response scenarios.

Governance, risk, and compliance: defining a risk profile; assigning clear responsibilities for specific risks; planning and implementing risk mitigation measures; ensuring regulatory compliance.

People and culture: developing cybersecurity skills; tailoring security awareness training to each employee’s role; hiring staff with the right cybersecurity skills; creating a safe environment where employees can report incidents and mistakes without fear.

Business processes: prioritizing IT services based on their importance to business continuity; preparing for worst-case scenarios and fostering adaptability. This includes planning in detail how critical processes will function in the event of large-scale IT failures.

Technical systems: developing and regularly updating system-specific protection measures. For example, secure configurations (hardening), redundancy, network micro-segmentation, multi-factor authentication (MFA), tamper-proof backups, log management. The level of protection and allocated resources must be proportionate to the system’s importance. For timely and effective threat response, it’s essential to implement systems that combine detailed infrastructure monitoring with semi-automated response: XDR, SIEM+SOAR, or similar tools.

Crisis management: building incident response teams; improving recovery plans; designating decision-makers in the event of a crisis; preparing backup communication channels (for example, if corporate email and instant messengers are unavailable); developing external communications strategies.

Ecosystem engagement: collaborating with supply-chain partners, regulators, and competitors to raise collective resilience.

Stages of cyber-resilience implementation

The same Cohesity survey reveals that most companies feel they are midway on the road to cyber-resilience, with many having implemented some of the necessary basic technical and organizational measures. Most commonly implemented:

Backup tools
Regular backup recovery drills
MFA (though rarely company-wide and across all services)
Role-based access control (RBAC, also usually only partially implemented)
Other cybersecurity hygiene measures
Formal response plans
Annual or quarterly tabletop exercises testing crisis response procedures with staff from various departments

Unfortunately, “commonly implemented” doesn’t mean widely adopted. Only 30–60% of the surveyed businesses have even partially implemented these. Moreover, in many organizations, IT and cybersecurity teams lack synergy, leading to poor collaboration in shared areas of responsibility.

According to the survey respondents, the most challenging elements to implement are:

Metrics and analytics. Measuring progress in cyber-resilience or security innovation is difficult. Few organizations know how to calculate MTTD/MTTR or quantify risks in financial terms. Typically, these are companies whose core activity involves measuring risks, such as banks.

Changing company culture. Engaging employees at all levels in cybersecurity processes is challenging. While basic awareness training is common (as a hygiene measure), few companies can adapt it to specific departments or maintain regular engagement and updates due to personnel shortages.

Embedding cyber-resilience into the supply chain. From avoiding dependence on a single supplier to actually controlling contractor security processes — these tasks are extremely difficult and, even with the combined efforts of cybersecurity and procurement, often prohibitively expensive to address for all counterparties.

Another key issue is rethinking the organization of cybersecurity itself and transitioning to zero trust systems. We’ve previously written about the challenges of this transition. Experts emphasize that cyber-resilience is not a project with a clear end point — it’s an iterative process with multiple phases, which eventually spans the entire organization.

Required resources

Implementing cyber-resilience begins with strong board-level support. Only then can collaboration between the CIO and CISO drive real changes and rapid progress in implementation. In most companies, up to 20% of the cybersecurity budget is allocated to technologies and projects tied to cyber-resilience — including incident response, identity management, and training programs.

The core cyber-resilience team should be a small cross-functional group with the authority and support required to mobilize IT and cybersecurity resources for each implementation phase, and bring in external experts when needed — for example, for training, tabletop exercises with management, and security assessments. Having the right skill set in this core group is critical. Implementing cyber-resilience is a largely organizational process, not just technical — so, in addition to a detailed asset inventory and security measures, serious work is required to prioritize risks and processes, define roles and responsibilities in key departments, document, test, and improve incident playbooks, and conduct extensive staff training.

 Feed

Merger and acquisition due diligence typically focuses on financials, legal risks, and operational efficiencies. Cybersecurity is often an afterthought — and that's a problem.

 Feed

Dark Reading Confidential Episode 6: Cyber researchers Ismael Valenzuela and Vitor Ventura share riveting stories about the creative tricks they used to track down advanced persistent threat groups, and the surprises they discovered along the way.

 Cybercrime

The 19-year-old Assumption College student, Matthew Lane, also was charged Tuesday with hacking and demanding a ransom payment from an unnamed telecommunications company, according to Massachusetts federal prosecutors.

 Feed

Google has announced a new feature in its Chrome browser that lets its built-in Password Manager automatically change a user's password when it detects the credentials to be compromised. "When Chrome detects a compromised password during sign in, Google Password Manager prompts the user with an option to fix it automatically," Google's Ashima Arora, Chirag Desai, and Eiji Kitamura said. "On

 Feed

Russian organizations have become the target of a phishing campaign that distributes malware called PureRAT, according to new findings from Kaspersky. "The campaign aimed at Russian business began back in March 2023, but in the first third of 2025 the number of attacks quadrupled compared to the same period in 2024," the cybersecurity vendor said. The attack chains, which have not been

 Feed

Counterfeit Facebook pages and sponsored ads on the social media platform are being employed to direct users to fake websites masquerading as Kling AI with the goal of tricking victims into downloading malware. Kling AI is an artificial intelligence (AI)-powered platform to synthesize images and videos from text and image prompts. Launched in June 2024, it's developed by Kuaishou Technology,

 Feed

Continuous Integration and Continuous Delivery/Deployment (CI/CD) refers to practices that automate how code is developed and released to different environments. CI/CD pipelines are fundamental in modern software development, ensuring code is consistently tested, built, and deployed quickly and efficiently. While CI/CD automation accelerates software delivery, it can also introduce security

 Feed

It takes just one email to compromise an entire system. A single well-crafted message can bypass filters, trick employees, and give attackers the access they need. Left undetected, these threats can lead to credential theft, unauthorized access, and even full-scale breaches. As phishing techniques become more evasive, they can no longer be reliably caught by automated solutions alone. Let’s take

 Feed

Cybersecurity researchers have discovered a new campaign that employs malicious JavaScript injections to redirect site visitors on mobile devices to a Chinese adult-content Progressive Web App (PWA) scam. "While the payload itself is nothing new (yet another adult gambling scam), the delivery method stands out," c/side researcher Himanshu Anand said in a Tuesday analysis. "The malicious landing

 Feed

Russian cyber threat actors have been attributed to a state-sponsored campaign targeting Western logistics entities and technology companies since 2022. The activity has been assessed to be orchestrated by APT28 (aka BlueDelta, Fancy Bear, or Forest Blizzard), which is linked to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, Military Unit 26165.

 Blog

Source: socprime.com – Author: Veronika Telychko In today’s fast-evolving ransomware landscape, threat actors are accelerating their tactics to gain access and deploy payloads with alarming speed. Increasingly, attackers are leveraging known vulnerabilities as entry points, as seen in a recent attack where adversaries exploited CVE-2023-22527, a maximum-severity template injection flaw in Atlassian Confluence, to compromise […]

The post ELPACO-Team Ransomware Attack Detection: Hackers Exploit Atlassian Confluence Vulnerability (CVE-2023-22527) to Gain RDP Access and Enable RCE – Source: socprime.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.troyhunt.com – Author: Troy Hunt This has been a very long time coming, but finally, after a marathon effort, the brand new Have I Been Pwned website is now live! Feb last year is when I made the first commit to the public repo for the rebranded service, and we soft-launched the new brand […]

The post Have I Been Pwned 2.0 is Now Live! – Source: www.troyhunt.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

 A Little Sunshine

Source: krebsonsecurity.com – Author: BrianKrebs KrebsOnSecurity last week was hit by a near record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second (a terabit is one trillion bits of data). The brief attack appears to have been a test run for a massive new Internet of Things […]

The post KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS – Source: krebsonsecurity.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

 Breaking News

Source: securityaffairs.com – Author: Pierluigi Paganini South Korean mobile network operator SK Telecom revealed that the security breach disclosed in April began in 2022. SK Telecom is South Korea’s largest wireless telecom company, a major player in the country’s mobile and tech landscape. It holds about 48% of the market share for mobile services, meaning […]

The post SK Telecom revealed that malware breach began in 2022 – Source: securityaffairs.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

 Breaking News

Source: securityaffairs.com – Author: Pierluigi Paganini A flaw in O2 4G Calling (VoLTE) leaked user location data via network responses due to improper IMS standard implementation. A flaw in the 4G Calling (VoLTE) service of the UK telecom O2 exposed user location data through network responses due to flaws in the IMS standard implementation. 4G Calling, […]

The post 4G Calling (VoLTE) flaw allowed to locate any O2 customer with a phone call – Source: securityaffairs.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

 APT

Source: securityaffairs.com – Author: Pierluigi Paganini China-linked UnsolicitedBooker used a new backdoor, MarsSnake, to target an international organization in Saudi Arabia. ESET researchers revealed that a China-linked APT, tracked as UnsolicitedBooker, targeted an international organization in Saudi Arabia using a new backdoor called MarsSnake. The experts uncovered the attacks in March 2023 and again in […]

The post China-linked UnsolicitedBooker APT used new backdoor MarsSnake in recent attacks – Source: securityaffairs.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

 Breaking News

Source: securityaffairs.com – Author: Pierluigi Paganini The UK’s Legal Aid Agency suffered a cyberattack in April and has now confirmed that sensitive data was stolen during the incident. The Legal Aid Agency (LAA) revealed that it had suffered a cyberattack on its systems on April 23. The Legal Aid Agency (LAA), part of the UK […]

The post UK’s Legal Aid Agency discloses a data breach following April cyber attack – Source: securityaffairs.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

 Breaking News

Source: securityaffairs.com – Author: Pierluigi Paganini The Cybersecurity Observatory of Unipegaso’s malware lab published a detailed analysis of the Sarcoma ransomware. It is with great pleasure and honor that I present the first report produced by the Malware Analysis Lab, led by Luigi Martire. The lab was established within the Cybersecurity Observatory of the Unipegaso […]

The post Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang – Source: securityaffairs.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: thehackernews.com – Author: Google has announced a new feature in its Chrome browser that lets its built-in Password Manager automatically change a user’s password when it detects the credentials to be compromised. “When Chrome detects a compromised password during sign in, Google Password Manager prompts the user with an option to fix it […]

The post Google Chrome Can Now Auto-Change Compromised Passwords Using Its Built-In Manager – Source: thehackernews.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

 CSOonline

Source: www.csoonline.com – Author: Threat intelligence platforms have evolved and become essential security defensive tools. Here is what you need to know before choosing a TIP. The bedrock of a solid enterprise security program begins with the choice of an appropriate threat intelligence platform (TIP) and how to use this to design the rest of […]

The post Threat intelligence platform buyer’s guide: Top vendors, selection advice – Source: www.csoonline.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

 CSOonline

Source: www.csoonline.com – Author: Infoblox says crooks are finding and taking over ‘dangling’ CNAME records for scams. Threat actors continue to find ways of hijacking domains thanks to poor DNS record-keeping and misconfigurations by administrators, a hole that CSOs have to plug or risk financial or reputational damage to their organizations. The latest example of […]

The post Poor DNS hygiene is leading to domain hijacking – Source: www.csoonline.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

 CSOonline

Source: www.csoonline.com – Author: CSO Australia is accepting nominations for the 2025 CSO30 Awards; entries close on 20 June. Nominations are officially open for the 2025 CSO30 Australia Awards, celebrating the country’s most effective and inspiring cybersecurity leaders. This year’s CSO30 Awards will once again be held alongside the CIO50 Awards, bringing together the nation’s […]

The post CSO30 Australia Awards 2025: Nominations now open – Source: www.csoonline.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

 CSOonline

Source: www.csoonline.com – Author: A study shows: almost two thirds of companies fail to examine the impact of GenAI tools on security. In their race for productivity gains through generative AI, most companies overlook the associated security risks. According to a study by the World Economic Forum, conducted in collaboration with Accenture […]

The post 8 AI security risks that companies overlook – Source: www.csoonline.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.proofpoint.com – Author: Proofpoint to acquire Hornetsecurity in move to expand Microsoft 365 threat protection Cybersecurity firm Proofpoint Inc. today announced it plans to acquire Hornetsecurity GmbH, a Germany-based pan-European provider of artificial intelligence-powered Microsoft 365 security, data protection, compliance and security awareness services. The price of the acquisition was not officially disclosed, but CNBC […]

The post Proofpoint to acquire Hornetsecurity in move to expand Microsoft 365 threat protection – Source: www.proofpoint.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.proofpoint.com – Author: Proofpoint has entered into an agreement to acquire […]

The post Proofpoint to acquire Hornetsecurity for over $1 billion – Source: www.proofpoint.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.proofpoint.com – Author: With the acquisition deal positioning Proofpoint for major growth with MSPs and SMBs in the U.S. market, ‘this is a big strategic leap forward for us,’ Proofpoint CEO Sumit Dhawan tells CRN. Proofpoint’s planned acquisition of Hornetsecurity positions the company for massive growth with MSPs and SMBs in the U.S. market, […]

The post Proofpoint CEO On ‘Monumental’ Hornetsecurity Deal, MSP Growth In US – Source: www.proofpoint.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.proofpoint.com – Author: Cybersecurity firm Proofpoint is acquiring European rival Hornetsecurity for north of $1 billion to strengthen its European presence as it explores a return to public markets. The deal marks the single largest acquisition in Proofpoint’s history. The cybersecurity industry has seen heightened consolidation in […]

The post Cybersecurity firm Proofpoint to buy European rival for over $1 billion as it eyes IPO – Source: www.proofpoint.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

 agentic

Source: www.proofpoint.com – Author: Cybersecurity leaders gather at RSAC 2025 to explore AI innovation, identity threats, and the future of digital defense in an increasingly borderless world. Now that RSAC 2025 has wrapped, it’s a good time to look at the top takeaways from the event—and what they mean for the future […]

The post RSAC 2025: Agentic AI, Identity And The New Rules Of Cyber Defense – Source: www.proofpoint.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

 Cyber Security News

Source: www.proofpoint.com – Author: In this new episode of Voice of the Vendor, recorded live at RSAC in San Francisco, we […]

The post Voice of the Vendor: RSAC 2025, Part 1 – Source: www.proofpoint.com appeared first on CISO2CISO.COM & CYBER SECURITY GROUP.

2025-05
Aggregator history
Wednesday, May 21