Telstra, one of Australia's leading telecommunications providers, has denied claims of a data breach attributed to the Scattered Spider group. Responding to claims that 19 million personally identifiable information (PII) records had been compromised by the hacker group, the company denied any compromise of its internal systems. In a statement shared on X (formerly Twitter), Telstra rejected the group's claims, stating: "We've investigated it, and the data has been scraped from public sources, not Telstra systems. No passwords, banking details, or personal identification data like driver's licence or Medicare numbers are included."

[Image: Telstra responds to data breach claims (Source: X)]

The Telstra Data Breach and Claims of 100GB of Compromised Data

The threat actor, posting on a dark web leak site under the banner Scattered Lapsus$ Hunters, listed Telstra as one of its latest victims in a post dated October 3. The post claimed that over 100GB of personally identifiable information (PII) had been compromised, including data such as full names and physical addresses.

[Image: Telstra data breach claims (Source: X)]

A particularly alarming portion of the post stated: "We highly recommend a decision-maker to get involved as we are presenting a clear and mutually beneficial opportunity to resolve this matter."

According to the group's listing, the data compromise allegedly occurred in July 2023, and the group set a ransom deadline of October 13, 2025. The attackers claim to have obtained 16,983,437 records in a file named telstra.sql, allegedly part of a larger trove of over 19 million PII records.

Salesforce Also Targeted, Refuses to Negotiate

Interestingly, the ransom demands appear to be linked not just to Telstra but also to the global cloud computing firm Salesforce. The attackers have demanded that negotiations begin with Salesforce, though the connection between Telstra's data and Salesforce remains unclear.

On October 8, 2025, Salesforce released a firm statement refusing to negotiate or pay any ransom: "Salesforce will not engage, negotiate with, or pay any extortion demand." This position is consistent with the recommendations of cybersecurity authorities worldwide, which advise against paying ransoms to cybercriminals.

A Pattern of Alleged Breaches

The claimed breach at Telstra appears to be part of a broader campaign by Scattered Lapsus$ Hunters. The group's leak site now lists over 40 international companies, including Qantas, Google AdSense, IKEA, and more.

Cybersecurity researchers and platforms such as Cyble Vision have noted multiple past claims of Telstra data breaches. In one instance from 2024, a separate threat actor known as UnicornLover67 advertised a dataset allegedly containing 47,300 Telstra employee records. This data reportedly included names, email addresses, hashed passwords, timestamps, and employment status, with the most recent entries dated November 2024.

[Image: UnicornLover67 claims Telstra data breach (Source: Cyble Vision)]

In another incident, in 2022, Telstra acknowledged a third-party data breach that affected approximately 132,000 customers. While that earlier breach was not linked to Scattered Spider, it shows a recurring pattern of security incidents involving the telecom giant.

Is This a Fresh Breach or Recycled Data?

While Telstra continues to deny any recent breach, some cybersecurity experts remain skeptical. Some analysts suggest that the data now being used in this extortion attempt may originate from previous incidents, repackaged to appear as a fresh breach. Others warn that even if the data was scraped from public sources or old leaks, an accurate list of names and addresses tied to a telecom's customers is still useful for phishing and account-takeover attempts, so its reuse in a ransom campaign poses a real threat to the individuals in it.

Adding to the confusion, a Telstra spokesperson acknowledged in November 2024 that a file containing internal company data had been listed for sale online. At the time, the company maintained that the leak involved non-sensitive internal data and was unrelated to any active breach, as reported by the Australian Financial Review.

Ongoing Investigation

The claimed Telstra data breach remains under investigation. While the company stands by its denial of any system compromise, the threats made by the group cannot be dismissed outright. With the ransom deadline looming on October 13, 2025, the situation continues to evolve.

The Cyber Express has reached out to the organization to learn more about this incident; at the time of writing, no further information or statement had been received. This is an ongoing story, and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on the Telstra data breach or any official communication from the company.
In a world where passwords are stolen, phished, or guessed every second, multifactor authentication (MFA) has quietly become one of the most effective shields against cyberattacks. Whether you call it two-step verification, 2FA, or two-factor authentication, the idea is simple: prove it's really you with more than just a password. This extra step can protect your personal accounts, business systems, and even your identity from being hijacked. Yet many people still skip it, thinking it's inconvenient or unnecessary. The truth is that enabling multifactor authentication is one of the easiest, most human ways to strengthen cybersecurity.

And this couldn't be more relevant than now. Cybersecurity Awareness Month 2025 has arrived with a powerful message: building our cyber safe culture starts with each of us. The campaign, led by the Cybersecurity and Infrastructure Security Agency (CISA), is rallying individuals, businesses, and governments to take cybersecurity into their own hands. This year, the focus is on securing the systems that keep our world running, from clean water and healthcare to financial transactions and communication networks.

As Homeland Security Secretary Kristi Noem put it: "Cybersecurity is a critical theater in defending our homeland. Every day, bad actors are trying to steal information, sabotage critical infrastructure, and use cyberspace to exploit American citizens. Taking down these threats requires a strong private-public partnership, and the reforms we've implemented at CISA have empowered them to work with all of our partners to take down these threats and make America cyber secure again. This Cybersecurity Awareness Month is the time for us to continue our efforts to build a cyber strong America."

While technology continues to evolve, one truth remains constant: people are at the heart of cybersecurity. It's our decisions, habits, and awareness that often decide whether a cyberattack succeeds or fails. Among those small yet powerful habits, turning on MFA stands as one of the simplest ways to protect ourselves and the digital world we all share.

MFA Is More Than Just Passwords

Think of your online accounts like your home. Your password is the front door key. But if someone steals or copies that key, what's stopping them from walking right in? Now imagine having a security guard who only lets you in after checking your face or your phone; that's exactly what multifactor authentication is.

In layman's terms, multifactor authentication adds another layer of protection by requiring two or more pieces of evidence to prove it's really you. As CISA explains, "MFA uses a combination of something you have and something you know or something you are to confirm you are who you say you are online." When you log in, you might be asked for:

Something you know: a password or PIN.
Something you have: your smartphone or an authentication app.
Something you are: a fingerprint, voice, or face scan.

It's helpful to think of multifactor authentication as having layers; some methods provide more protection than others. The graphic below from CISA's guidance gives a hierarchy of multifactor authentication from least secure to most secure:

[Image: MFA hierarchy, least secure to most secure (Source: CISA)]

At the bottom, SMS-based or voice-based MFA still helps, but that form of MFA can be intercepted (for example through SIM swapping) and spoofed. The next layer is app-based MFA such as authenticator apps or push notifications to your mobile device. At the top are phishing-resistant MFA methods like FIDO keys or Public Key Infrastructure (PKI) authentication, the gold standard of identity authentication.

Why You Need MFA Right Now

Today, we shop, bank, work, and socialize online. With so much at stake, relying on just a password is like locking your house but leaving the windows open. Enabling MFA protects:

Your business: prevents unauthorized access to sensitive systems.
Your online purchases: blocks fraudsters from hijacking your accounts.
Your bank accounts: keeps your finances safe even if your credentials are leaked.
Your identity: stops cybercriminals from impersonating you.

Users who enable two-step verification are far less likely to get hacked; widely cited industry figures put the reduction at around 99% for automated, password-only attacks such as credential stuffing. That's because it adds a barrier that most attackers can't easily cross. One caveat: a code that you type into a website can still be phished. An adversary-in-the-middle phishing page that relays the one-time code to the real site within its validity window defeats both SMS and authenticator-app codes, which is why the phishing-resistant methods at the top of the hierarchy are the right choice for high-value accounts.

Here's a simple example: imagine your social media password gets exposed in a data breach. Without two-step verification, anyone with that password can log in, post on your behalf, or steal personal messages. But with MFA turned on, they'd need the code sent to your phone, which they don't have. You just stopped a potential breach before it began.

But Cybersecurity Starts with You

The real defense begins with human behavior. Cybercriminals often exploit human emotions (curiosity, fear, urgency) to trick people into clicking malicious links or sharing credentials. That's why awareness and small habits make the biggest difference.

Acting CISA Director Madhu Gottumukkala emphasized this point, saying, "Critical infrastructure – whether in the hands of state and local entities, private businesses, or supply chain partners – is the backbone of our daily lives. Whenever it's disrupted, the effects ripple through communities across America. That's why this year CISA is prioritizing the security and resilience of small and medium businesses, and state, local, tribal, and territorial government (SLTT) that facilitate the systems and services that sustain us every day. This includes things like clean water, secure transportation, quality healthcare, secure financial transactions, rapid communications, and more. Together, we must make resilience routine so America stays safe, strong, and secure."

Cybersecurity isn't just about tools; it's about culture. When each individual takes responsibility, the collective impact is immense. Enabling two-step verification, spotting phishing emails, or updating software are all small acts that, together, strengthen our national cyber shield.

Building a Cyber Safe Culture

This Cybersecurity Awareness Month 2025, CISA encourages everyone, from individuals to organizations, to make security a shared mission. Here are a few easy actions you can take right now to protect yourself and your community:

Recognize and report phishing: don't click on suspicious links or attachments.
Require strong passwords: use long, unique, and random combinations.
Turn on multifactor authentication (MFA): add that vital layer of defense.
Update software: patch vulnerabilities before attackers exploit them.
Back up data: recover quickly if an incident occurs.
Encrypt sensitive information: keep stolen data useless by locking it down.

These steps might sound simple, but they represent the foundation of a cyber safe culture. They turn awareness into action.

Final Thought

Creating a cyber secure culture is not rooted in high tech or costly tools; it's about choice, and about being mindful that the strongest firewall remains the human firewall. So this October, take a few minutes to check your accounts. Turn on two-step verification wherever possible: email, banking, social media, cloud storage, whatever offers it. Get your friends, coworkers, and family to do the same. Because when you secure yourself, you secure others. This Cybersecurity Awareness Month, let's make resilience habitual, stay alert, and, most importantly, turn on that second factor. Your future self will be happy you did.
A recent cyberattack on a third-party vendor has led to a data breach at Discord, potentially compromising the sensitive personal information of approximately 70,000 users. The breach, which the company disclosed in an official statement updated on October 8, 2025, did not involve a direct compromise of Discord's own systems; instead, the attacker targeted a service provider responsible for handling customer support and age verification.

Discord Data Breach Originated from Third-Party Vendor

The cyberattack on Discord's third-party customer support provider allowed unauthorized access to customer data exchanged with Discord's Trust & Safety and Customer Support teams. The breach involved government-issued ID photos submitted by users to verify their age, along with limited billing information and communications between users and support agents.

Discord, which serves more than 200 million users globally, emphasized that the breach was isolated to the third-party vendor and not the Discord platform itself. Nevertheless, the implications are serious, particularly for users who submitted personal identification during age-related appeals. In its official statement, the San Francisco-based company confirmed that the affected vendor was cut off from its internal ticketing system as soon as the breach was discovered.

Details of the Discord Cyberattack

According to Discord, the attack was financially motivated, with the threat actor attempting to extort a ransom in exchange for the stolen data. The compromised information includes:

Names, Discord usernames, and email addresses (if shared during support interactions)
IP addresses
Limited billing details (such as payment type and last four digits of credit cards)
Messages exchanged with Discord's support teams
A small number of government-ID images
Internal corporate content, including training documents and presentations

Notably, the breach did not expose full credit card numbers, CVV codes, user passwords, or activity on the Discord platform beyond the support communications.

Company Response and Ongoing Investigation

As soon as Discord became aware of the attack on its third-party provider, it launched a full-scale investigation, partnering with a leading computer forensics firm and notifying the relevant law enforcement agencies. The company is also working with data protection authorities and has started contacting affected users via email. "To be clear, this was not a breach of Discord itself," the company reiterated. "This was a third-party service provider we used to support our customer service operations."

Users whose government-issued IDs were potentially compromised will be explicitly informed via email from Discord's official address, noreply@discord.com. Discord has noted that it will not reach out by phone under any circumstances regarding this incident. Because a sender address on its own is easy to forge, treat any such notification as a prompt to check Discord's own site or app rather than to follow links or hand over further information.
Two 17-year-old boys have been arrested in connection with a cyberattack on Kido, a London-based nursery chain. The incident involved the theft and online exposure of sensitive data on approximately 8,000 children, prompting widespread concern and a swift response from the Metropolitan Police.

The arrests were made on the morning of Tuesday, October 7, during coordinated police raids at residential properties in Bishop's Stortford, Hertfordshire. According to the Metropolitan Police, both teenagers are being held on suspicion of computer misuse and blackmail. They remain in custody as investigations continue.

The cyberattack on Kido nurseries, first reported to Action Fraud on September 25, has been described as one of the most disturbing examples of digital extortion involving children's data. Will Lyne, head of economic and cybercrime at the Metropolitan Police, acknowledged the gravity of the situation. "We understand reports of this nature can cause considerable concern, especially to those parents and carers who may be worried about the impact on them and their families. These arrests are a significant step forward in our investigation, but our work continues," he said.

Cyberattack on Kido Nurseries and Radiant's Ransom Demands

The hacking group responsible for the breach identified itself as Radiant, a name that has become central in discussions of the Kido nursery cyberattack. Radiant initially demanded a ransom of £600,000 in Bitcoin in exchange for deleting the stolen data. When Kido refused to comply, the group escalated by publishing personal profiles and photographs of 10 children on a darknet site. The number of profiles was later increased to 20.

In an unusual and controversial move, the hackers also contacted some of the parents directly in an attempt to intensify pressure on Kido to pay the ransom. The tactics were condemned by cybersecurity experts, many of whom called it a "new low" in the history of cybercrime because of the exploitation of minors.

The cyberattack on Kido nurseries drew wider attention on September 22, when the hackers reached out to the BBC, seemingly to gain publicity. However, the BBC withheld coverage until images of the children were publicly posted on September 25. In a surprising turn of events, Radiant later blurred the images on its darknet site, citing reputational concerns within the hacking community. On October 2, the group claimed to have deleted all the stolen data, stating: "No more remains, and this can comfort parents."

Kido and Famly Respond Amid Growing Public Concern

The hacking group gained access to a database hosted on the nursery management platform Famly, which Kido used to store children's photos, names and addresses, along with contact information for parents and carers. Although the data came from this platform, Famly CEO Anders Laustsen clarified that Famly's systems were not compromised. "We have conducted a thorough investigation and can confirm there has been no breach of Famly's infrastructure. No other customers were affected," Laustsen stated.

Kido operates 18 nurseries across London and has faced intense scrutiny since the breach. In response to the arrests, a Kido spokesperson said, "We welcome this swift action from the Met Police and recognize this is an important milestone in the process of bringing those responsible to justice. We have cooperated throughout this process with law enforcement and the relevant authorities. We remain committed to supporting police and, importantly, families, colleagues, and the wider Kido community."

The Metropolitan Police have not confirmed whether the arrested teenagers are members of Radiant or were acting on behalf of another group. The investigation into the cyberattack on Kido nurseries remains active, with authorities urging continued vigilance among affected families.
With over 86% of Indian households now connected to the internet, India has made impressive strides under the Digital India initiative. However, the same connectivity that drives innovation and access has also opened the floodgates to a rising number of cybersecurity incidents in India. According to a new press release by the Indian government, cybersecurity incidents in India surged from 10.29 lakh in 2022 to 22.68 lakh in 2024, reflecting not only the growing threat landscape but also improved detection and reporting mechanisms. By February 2025, cyber frauds totaling ₹36.45 lakh had been reported on the National Cyber Crime Reporting Portal (NCRP).

Recognizing Patterns in Cyber Frauds

Cyber fraud in India is becoming more advanced, leveraging new technologies and exploiting user behavior. From spoofing attacks, where fraudsters impersonate trusted entities, to AI-generated deepfakes and phishing scams, criminals continue to refine their tactics. The exploitation of the Unified Payments Interface (UPI) through compromised mobile numbers prompted the Department of Telecommunications (DoT) to roll out the Financial Fraud Risk Indicator (FRI), which flags high-risk numbers based on suspicious activity.

Another growing concern is the rise of illegal online betting apps, which have reportedly generated over ₹400 crore through deceptive gaming schemes. In response, the government enacted the Promotion and Regulation of Online Gaming Act, 2025, banning all forms of online money gaming while promoting e-sports and social gaming.

Institutional Frameworks and Legislative Tools

India's fight against cybercrime is grounded in a legal framework. The Information Technology Act, 2000, remains the cornerstone of cyber law in India, addressing a broad range of offences including identity theft and digital impersonation. Supplementing it is the Digital Personal Data Protection Act, 2023, which mandates lawful processing of personal data with user consent, enhancing data privacy and reducing misuse. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, further hold online platforms accountable for the content they host, especially in an era where AI misuse and disinformation are rising concerns.

Government-Led Cybersecurity Initiatives

Recognizing the severity of the threat, the Union Budget 2025–26 earmarked ₹782 crore for cybersecurity projects. This financial push is aimed at enhancing the resilience of digital infrastructure and response mechanisms. The government has blocked over 9.42 lakh SIM cards and 2,63,348 IMEIs associated with fraudulent activity. Law enforcement has also been strengthened, with over 1,05,796 police officers trained on the CyTrain portal and more than 82,704 certifications issued in cybercrime investigation and digital forensics.

The Indian Cybercrime Coordination Centre (I4C) has taken proactive steps by blocking 3,962 Skype IDs and 83,668 WhatsApp accounts linked to cyber fraud. Furthermore, its Samanvaya platform has led to the arrest of 12,987 individuals, mapping over 1.5 lakh criminal linkages through its analytical tools.

National Agencies in Action

At the national level, the Indian Computer Emergency Response Team (CERT-In) plays a pivotal role in threat monitoring and response. By March 2025, CERT-In had conducted 109 cybersecurity drills involving 1,438 organizations to assess readiness. Meanwhile, the National Critical Information Infrastructure Protection Centre (NCIIPC) protects vital sectors like banking, telecom, and transport from potential cyberattacks. To boost preparedness, the Cyber Crisis Management Plan (CCMP) has been implemented across government bodies, with 205 workshops conducted to build coordinated responses to cyber incidents.

Citizen-Centric Measures and Public Awareness

Public engagement is vital in combating cyber fraud in India. The National Cyber Crime Reporting Portal (www.cybercrime.gov.in) enables users to report cybercrimes, while the dedicated helpline 1930 provides real-time support, especially for financial fraud.

Through initiatives like Cyber Crime Prevention Against Women and Children (CCPWC), backed by ₹132.93 crore, specialized labs have been set up in 33 States and UTs, training over 24,600 personnel to tackle cyber threats targeted at vulnerable groups. The Sahyog Portal ensures quick takedown of harmful digital content, and Samanvaya facilitates interstate collaboration among agencies to dismantle cybercrime networks.

National Collaboration and Global Outlook

India's commitment to cybersecurity was on full display at India Mobile Congress (IMC) 2025, inaugurated on October 8, 2025, by Prime Minister Narendra Modi. With over 1.5 lakh visitors and 7,000 international delegates, the event spotlighted India's growing role in global digital innovation and cybersecurity strategy. India is also advancing through the National Mission on Interdisciplinary Cyber-Physical Systems (NM-ICPS), fostering academic-industry-government collaboration in emerging technologies, including AI and cybersecurity.

To promote cyber awareness, the government has initiated outreach through radio, newspapers, metro announcements, and social media campaigns. Tools like the National Cyber Coordination Centre (NCCC) and publications such as the Cyber Safety Handbook for Adolescents reflect efforts to educate the public and prevent cyber fraud at the grassroots.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert concerning an actively exploited zero-day vulnerability in the Zimbra Collaboration Suite (ZCS). The flaw, identified as CVE-2025-27915, is a cross-site scripting (XSS) vulnerability that affects the ZCS Classic Web Client. It has already been weaponized in the wild, prompting CISA to add it to its Known Exploited Vulnerabilities (KEV) catalog and to recommend immediate action from administrators.

Technical Details of CVE-2025-27915

The vulnerability arises from insufficient sanitization of HTML content in iCalendar (ICS) invitation files when they are rendered by the Classic Web Client. Specifically, the attacker places JavaScript in an HTML ontoggle event-handler attribute carried inside the ICS file. Because ontoggle fires whenever a <details> element's open state changes, including when the element is parsed with the open attribute already set, the payload runs as soon as the invite is displayed: once the user opens the malicious calendar invite, the script executes within that user's session context, with no further interaction required.

This gives the attacker the same level of access as the victim, effectively compromising the account. Post-exploitation activities can include modifying email filters, redirecting messages to attacker-controlled addresses, exfiltrating sensitive data, and performing other unauthorized actions as the user. The Common Vulnerability Scoring System (CVSS) score reported for CVE-2025-27915 is 7.5, categorizing it as a high-severity issue.

Scope of Impact

All supported versions of Zimbra Collaboration Suite that use the Classic Web Client are affected. Because exploitation requires nothing more than viewing a crafted email or calendar invite, it lends itself to phishing-style attacks. This low barrier increases the risk, especially in organizations that rely heavily on Zimbra for internal communication. Although no ransomware group has been publicly tied to exploitation of CVE-2025-27915 so far, its characteristics make it a strong candidate for targeted campaigns, particularly those relying on email vectors.

CISA's Response and Recommendations

CISA has set a compliance deadline of October 28, 2025, for federal agencies to address this vulnerability. Its recommendations for mitigating risk include:

Review and apply vendor patches or temporary workarounds as soon as possible.
For cloud-hosted ZCS deployments, follow the applicable guidance under Binding Operational Directive (BOD) 22-01, which references the Cloud Security Technical Reference Architecture.
If mitigations are not available, disable the ZCS Classic Web Client or suspend use of affected Zimbra servers altogether until an official fix is in place.

CISA also advises organizations to monitor logs for unusual activity, particularly changes to email filters or signs of ICS file abuse. Any indication of compromise should be treated as a high-priority incident. Because the payload acts inside the victim's own session, the mail filter and forwarding rules of any exposed account should be reviewed explicitly: a forwarding rule planted by the script keeps working after a password reset.

Vendor and Industry Response

Zimbra, developed by Synacor, had not released a public statement naming a specific patch at the time of CISA's alert, though organizations are urged to keep up with vendor advisories. The lack of an immediate fix makes the mitigation guidance even more critical in the short term.

This vulnerability falls under CWE-79, improper neutralization of input during web page generation (cross-site scripting). It is one of the most commonly exploited flaw classes in web applications, particularly when used to hijack user sessions or perform unauthorized actions.
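CISA's advice to watch for "signs of ICS file abuse" is easy to act on at the mail gateway or in a retro-hunt over the message store, because an .ics invite is plain text and a legitimate one never carries HTML event handlers. The block below is an added example, not Zimbra's, Synacor's or CISA's code: it unfolds an ICS file per RFC 5545, splits each property at the first colon outside quotes (parameters such as ALTREP may themselves contain colons), and flags properties containing an ontoggle-on-details construct, any other on*= handler, a script tag or a javascript: URI. The two invites are constructed samples, and the flagged one carries an inert alert(1) placeholder rather than a real payload.

```python
"""Flag calendar invites (.ics) that carry HTML event-handler attributes.

Added example, not Zimbra's or CISA's code. It implements the generic
detection the advisory calls for (signs of ICS file abuse) with a regex
scan over unfolded ICS properties. The sample invites are constructed and
the flagged payload is an inert placeholder, not an exploit.
"""
import re

# RFC 5545 line folding: a continuation line starts with a single space or tab.
def unfold_ics(text: str) -> str:
    return re.sub(r"\r?\n[ \t]", "", text)

def split_property(line: str):
    """Split 'NAME;PARAM="a:b":value' at the first colon outside double quotes.
    Parameter values may be quoted and may contain ':' (e.g. ALTREP URIs)."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i], line[i + 1:]
    return None, None

# <details ... ontoggle=...>: fires on render when 'open' is present.
DETAILS_TOGGLE = re.compile(r"<\s*details\b[^>]*\bontoggle\s*=", re.IGNORECASE | re.DOTALL)
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)   # onload=, onerror=, ...
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
JS_URI = re.compile(r"javascript\s*:", re.IGNORECASE)

def scan_ics(text: str) -> list:
    """Return one finding per suspicious property (SUMMARY, DESCRIPTION, ...)."""
    findings = []
    for line in unfold_ics(text).splitlines():
        prop, value = split_property(line)
        if prop is None:
            continue
        name = prop.split(";", 1)[0].upper()   # drop parameters from the name
        reasons = []
        if DETAILS_TOGGLE.search(value):
            reasons.append("details/ontoggle handler (fires on render)")
        elif EVENT_HANDLER.search(value):
            reasons.append("HTML event-handler attribute")
        if SCRIPT_TAG.search(value):
            reasons.append("script tag")
        if JS_URI.search(value):
            reasons.append("javascript: URI")
        if reasons:
            findings.append({"property": name, "reasons": reasons, "snippet": value[:80]})
    return findings

# Constructed samples. The second one is folded across two lines, as a
# mailer would emit it, to show that unfolding happens before matching.
BENIGN_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Quarterly review\r\n"
    "DESCRIPTION:Agenda attached.\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)
MALICIOUS_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Invoice reminder\r\n"
    'DESCRIPTION;ALTREP="data:text/html":<details open ontoggle="alert(1)\r\n'
    ' ">payload</details>\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n'
)

if __name__ == "__main__":
    for label, ics in (("benign", BENIGN_ICS), ("malicious", MALICIOUS_ICS)):
        print(label, scan_ics(ics))
```

The event-handler pattern is deliberately broad (it will also match an innocent word such as "ontology=" in a description), so treat hits as triage input rather than a verdict. For the second half of CISA's advice, the filter rules of a Zimbra account live in the zimbraMailSieveScript attribute; dumping it for each mailbox (for example with zmprov ga, assuming the usual Zimbra CLI, so check the syntax against your version) and diffing against a known-good copy is the quickest way to spot a planted forwarding rule.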
It’s been ten years since two researchers — Charlie Miller and Chris Valasek — terrified a Wired journalist (and then the whole world) with their remote hack of a Jeep Cherokee speeding down the highway. It played out like something straight out of a Stephen King novel — a possessed car gone rogue. The wipers show more ...
started moving on their own, buttons stopped responding, the radio blasted uncontrollably, and the brake pedal went dead. We’ve covered that case in detail plenty before: here, here, and here. Since then, cars have continued to evolve rapidly to integrate an ever-wider array of features. Digital electronics now control almost everything — from the engine and fuel systems to autopilot, passenger safety, and infotainment. That also means every interface or component can become a hacker’s entry point: MOST, LIN, and CAN buses, OBD ports, Ethernet, GPS, NFC, Wi-Fi, Bluetooth, LTE… But hey — on the bright side, the latest CarPlay lets you change your dashboard wallpaper! Jokes aside, the most serious attacks no longer target individual vehicles, but rather their manufacturers’ servers. In 2024, for example, Toyota lost 240GB of data, including customer information and internal network details. A single compromised server can expose millions of vehicles at once. Even the United Nations has taken note, and for once didn’t stop at “expressing concern”. Together with automakers, the UN has developed two key regulations — UN R155 and UN R156 — setting high-level cybersecurity and software update requirements for vehicle manufacturers. Also relevant is the ISO/SAE 21434:2021 standard, introduced in 2021, which details methods to mitigate cyber-risks throughout vehicle production. Though the above, technically, are recommendations, automakers have a strong incentive to comply: mass recalls can cost tens or even hundreds of millions of dollars. Case in point: following the incident mentioned earlier, Jeep had to recall 1.4 million vehicles in the U.S. alone — and faced a whopping $440 million in lawsuits. Surprisingly, the UN’s efforts have had real impact. In the last two years, the strict new rules have already led to the discontinuation of several older models, simply because they were designed before the regulations came into force. 
The discontinued models in 2024 include the Porsche 718 Boxster and Cayman (July), Porsche Macan ICE (April), Audi R8 and TT (June), VW Up! and Transporter 6.1 (June), and Mercedes-Benz Smart EQ Fortwo (April). What exactly can hackers do? There are plenty of ways cybercriminals can cause trouble for drivers: Creating dangerous situations. Disabling brakes, blasting loud music, or triggering other distractions (as in the Jeep case) can serve as psychological pressure or direct physical threats to anyone inside the vehicle. Stealing telematics data. This can be used to launch a targeted attack on specific individuals. In 2024, millions of Kia vehicles were found vulnerable to remote tracking via a dealer portal. With just a license plate number, attackers could locate the car in real time, lock or unlock the doors, start or stop the engine, and even honk the horn. Similar issues have affected BMW, Mercedes, Ferrari, and other manufacturers. Researchers also discovered that by compromising smart alarm systems they could listen to what’s going on in the interior of the car, access vehicle history, and steal owners’ personal data. Stealing the car itself. For example, by using devices such as CAN injectors, which connect to the vehicle’s CAN bus (through the headlight circuit, for example) and send commands that mimic signals from the real key. Stealing payment data. You might wonder why a car would hold the owner’s credit card info? Well, one was needed to pay for BMW’s heated seat subscription, for example. But while that particular scheme was scrapped after a public backlash, the “everything-as-a-service” trend continues. For example, in 2023, Mercedes-Benz offered electric car drivers the option to pay extra for faster acceleration. The feature would shave 0.9 seconds off the 0–100km/h time for an annual fee of US$600–900! How real is the threat to your car? First, let’s determine which category your vehicle falls into. 
Kaspersky ICS-CERT experts roughly divide all cars into three groups:

Obsolete vehicles — no risk

Vehicles in this group have no interaction with external information systems via digital channels. Their control units are minimal, and the only interface (if any) is the diagnostic OBD port. They can’t be hacked remotely, and there are no known cases of cyberattacks against them — the only real threat is traditional theft. Even if you install a modern multimedia head unit or an emergency response system, those modules remain isolated from the car’s internal components, preventing any attack on critical systems.

Legacy vehicles — highest risk

These models sit between older cars with nothing to hack (“when cars were cars”, etc.) and today’s “computers on wheels” packed with sensors and interfaces. Most of their systems and controls are digital. They typically include a telematics unit for wireless connectivity, a powerful infotainment system, and intelligent driver-assistance features. Together, these modules form a poorly protected information network where the ability to remotely adjust vehicle settings or control certain systems creates plenty of potential attack vectors. Owners often replace the outdated factory head units with new ones from third-party manufacturers — which rarely prioritize cybersecurity. Such models are the most vulnerable to serious cyberattacks — including those that can endanger the driver’s or passengers’ lives. But no one is planning serious security updates for them anymore. That ill-fated Jeep mentioned earlier falls squarely into this category.

Modern vehicles — medium risk

The latest models take into account lessons learned from past mistakes, as well as newly developed standards and regulations. Manufacturers now use segmented network architectures with a central gateway that filters traffic to isolate critical systems from the components most exposed to attack — the infotainment and telecom modules.
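As an added illustration of the gateway-and-security-domains design just described (and of why the CAN-injection scenario mentioned earlier depends on a flat network), and not code from Kaspersky or any automaker, here is a toy gateway policy in Python: a frame is forwarded only if its (source bus, CAN ID) pair is on an allow-list, and repeated violations from one bus raise an alert. All bus names, CAN IDs and the threshold are hypothetical.

```python
"""Toy model of a central gateway enforcing CAN security-domain separation.

Constructed illustration, not Kaspersky's or any automaker's code. Bus names,
CAN arbitration IDs and the policy table are hypothetical; real vehicles use
manufacturer-specific IDs and pair filtering with message authentication.
"""
from collections import Counter
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Frame:
    source_bus: str  # bus the gateway received the frame on
    can_id: int      # 11-bit arbitration ID
    data: bytes

# Forwarding policy: (source bus, CAN ID) -> buses the frame may be routed to.
# Anything not listed is dropped. The unlock/immobiliser-release ID (0x2A0) is
# accepted only from the dedicated keyless-entry domain, so a device spliced
# into the body wiring (e.g. the headlight circuit) cannot originate it.
POLICY = {
    ("keyless", 0x2A0): {"body", "powertrain"},       # unlock / immobiliser release
    ("body", 0x200): {"infotainment"},                # door and light status
    ("powertrain", 0x100): {"body", "infotainment"},  # vehicle speed for displays
    ("infotainment", 0x3F0): {"body"},                # ambient-light request
}
ALERT_THRESHOLD = 3  # dropped frames from one bus before raising an alert

@dataclass
class Gateway:
    dropped: Counter = field(default_factory=Counter)  # drops per source bus
    alerts: list = field(default_factory=list)

    def route(self, frame: Frame) -> set:
        """Return the buses a frame is forwarded to; an empty set means dropped."""
        dests = POLICY.get((frame.source_bus, frame.can_id))
        if dests:
            return set(dests)
        self.dropped[frame.source_bus] += 1
        if self.dropped[frame.source_bus] == ALERT_THRESHOLD:
            self.alerts.append(f"repeated policy violations on {frame.source_bus} bus")
        return set()

if __name__ == "__main__":
    gw = Gateway()
    print("legit unlock ->", gw.route(Frame("keyless", 0x2A0, b"\x01")))
    for _ in range(3):  # constructed: same ID arriving on the body bus
        print("body-bus unlock ->", gw.route(Frame("body", 0x2A0, b"\x01")))
    print("alerts:", gw.alerts)
```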
Major automakers (General Motors was among the first, plus Tesla, Ford, Hyundai, BMW, Mercedes, Volkswagen, Toyota, Honda, and component makers like Bosch and Continental) now have dedicated cybersecurity teams and conduct penetration testing. However, this doesn’t mean these cars are completely secure. Researchers regularly find new vulnerabilities even in the most advanced models, because their attack surface is far larger than that of older vehicles. By the way, Kaspersky has developed its own car cybersecurity solution, Kaspersky Automotive Secure Gateway, so our top-tier protection will soon be available for vehicles too.

What to look out for when buying a car?

When buying a new vehicle these days, consider not only the technical specs but also its cybersecurity. Start by checking online for reports of cyberattacks on specific models or their manufacturers — such incidents rarely go unnoticed. If possible, find information about the following:

The information network architecture of the car
The presence of a central security gateway
Separation of the car’s network into security domains
Support for CAN-message encryption

You should also ask the dealer the right questions:

What cybersecurity systems are built into the car?
How often are software updates released for this model, and how are they installed?
How can unused smart functions be disabled?

How do you set everything up correctly if you already have a car?

Start with the manufacturer’s mobile app (if one exists). Set a strong, unique password that doesn’t contain any personal information. For help with this, see Creating an unforgettable password. Strengthen your account security with two-factor authentication or passkeys, if available. Regularly check the activity log and the list of devices connected to your account. Disable any unused features in both the app and the car.

Next, tighten up the privacy settings in the car itself. Turn off telemetry collection where possible.
Limit access to microphones and cameras. Clear your travel history and saved contacts before selling the car.

And let’s not forget about managing connected devices. Regularly review paired Bluetooth devices. If possible, prohibit Bluetooth pairing without confirmation. Remove connections to the devices of previous owners or passengers. Disable automatic connection to unknown Wi-Fi networks.

A few final tips:

Keep your car’s software up to date: install firmware updates as soon as they’re released. Enable automatic notifications for available updates in the car settings.
Monitor telemetry access: regularly check what data your car collects and who it’s shared with. Many of the latest cars let you limit personal data collection.

What to do if you suspect your car is hacked?

First, ask yourself: “What’s the evidence?” and check for the following signs of compromise:

Vehicle features unexpectedly turning on and off
Rapid battery drain with no obvious cause
Strange notifications in the vehicle’s mobile app
Inability to control the car normally

If you suspect a hack, do the following:

Disconnect the car from the internet. Remove the SIM card if possible, or contact your mobile operator to block data transfer for the number linked to the vehicle.
Change passwords for the car’s mobile app. If possible, terminate all sessions tied to your account (often an option in the settings), or review all connections and remove any unknown devices.
Take photos of any alerts the car displays.
If you’ve entered payment card details in the car, block the card immediately.
Contact an authorized dealer for diagnostics.
Contact the vehicle manufacturer’s support.
If you suspect data theft, report it to the police.

Note that for private owners, the most likely threats are tracking and theft. However, for organizations that operate fleets (taxis, car-sharing, transportation or construction equipment companies), the risks are significantly higher.
For a deeper dive into current automotive cybersecurity trends, check out our report on the Kaspersky ICS CERT site.

Want to learn more about other threats to car owners? Browse our relevant posts:

How millions of Kia cars could be tracked
I know how you drove last summer
Spies on wheels: how carmakers collect and then resell information
Automotive apps: who gets your car keys?
Hacking smart car alarm systems
While GitHub has advanced protections for its built-in AI agent, a researcher came up with a creative proof-of-concept (PoC) attack for exfiltrating code and secrets via Copilot.
SonicWall said a breach it disclosed last month affected firewall configuration files for all customers who have used SonicWall’s cloud backup service — up from its previous 5% estimate.
A phishing campaign is gaining access to universities' third-party platforms and routing employee paychecks to accounts controlled by hackers, researchers said.
Companies that are still sharing threat information with the government despite the lapse of the law known as CISA 2015 should be protected retroactively when Congress revives that authority, Sen. Gary Peters says.
The social media platform Discord said about 70,000 users had their government IDs stolen by cybercriminals, as the company sought to dispel claims by the purported hackers of a larger breach.
Russian hackers' adoption of artificial intelligence (AI) in cyber attacks against Ukraine has reached a new level in the first half of 2025 (H1 2025), the country's State Service for Special Communications and Information Protection (SSSCIP) said. "Hackers now employ it not only to generate phishing messages, but some of the malware samples we have analyzed show clear signs of being generated
Threat actors are actively exploiting a critical security flaw impacting the Service Finder WordPress theme that makes it possible to gain unauthorized access to any account, including administrators, and take control of susceptible sites. The authentication bypass vulnerability, tracked as CVE-2025-5947 (CVSS score: 9.8), affects the Service Finder Bookings, a WordPress plugin bundled with the
SonicWall on Wednesday disclosed that an unauthorized party accessed firewall configuration backup files for all customers who have used the cloud backup service. "The files contain encrypted credentials and configuration data; while encryption remains in place, possession of these files could increase the risk of targeted attacks," the company said. It also noted that it's working to notify all
Cyber threats are evolving faster than ever. Attackers now combine social engineering, AI-driven manipulation, and cloud exploitation to breach targets once considered secure. From communication platforms to connected devices, every system that enhances convenience also expands the attack surface. This edition of ThreatsDay Bulletin explores these converging risks and the safeguards that help
Token theft is a leading cause of SaaS breaches. Discover why OAuth and API tokens are often overlooked and how security teams can strengthen token hygiene to prevent attacks. Most companies in 2025 rely on a whole range of software-as-a-service (SaaS) applications to run their operations. However, the security of these applications depends on small pieces of data called tokens. Tokens, like
A China-aligned threat actor codenamed UTA0388 has been attributed to a series of spear-phishing campaigns targeting North America, Asia, and Europe that are designed to deliver a Go-based implant known as GOVERSHELL. "The initially observed campaigns were tailored to the targets, and the messages purported to be sent by senior researchers and analysts from legitimate-sounding, completely
A rapidly evolving Android spyware campaign called ClayRat has targeted users in Russia using a mix of Telegram channels and lookalike phishing websites by impersonating popular apps like WhatsApp, Google Photos, TikTok, and YouTube as lures to install them. "Once active, the spyware can exfiltrate SMS messages, call logs, notifications, and device information; taking photos with the front
Your computer's mouse might not be as innocent as it looks - and one ransomware crew has a crisis of conscience that nobody saw coming. We talk about how something as ordinary as a web page could turn your mouse into a surprisingly nosey neighbour, and why ransomware gangs need to think carefully about their reputation. All this and more is discussed in episode 436 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and his special guest Geoff White.