2025-12-29 AI创业新闻

New MongoDB Flaw Lets Unauthenticated Attackers Read Uninitialized Memory

A high-severity security flaw has been disclosed in MongoDB that could allow unauthenticated users to read uninitialized heap memory. The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), has been described as a case of improper handling of length parameter inconsistency , which arises when a program fails to appropriately tackle scenarios where a length field is inconsistent with the actual length of the associated data. “Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client,” according to a description of the flaw in CVE.org. The flaw impacts the following versions of the database - MongoDB 8.2.0 through 8.2.3 MongoDB 8.0.0 through 8.0.16 MongoDB 7.0.0 through 7.0.26 MongoDB 6.0.0 through 6.0.26 MongoDB 5.0.0 through 5.0.31 MongoDB 4.4.0 through 4.4.29 All MongoDB Server v4.2 versions All MongoDB Server v4.0 versions All MongoDB Server v3.6 versions The issue has been addressed in MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.

“An client-side exploit of the Server’s zlib implementation can return uninitialized heap memory without authenticating to the server,” MongoDB said . “We strongly recommend upgrading to a fixed version as soon as possible.” If immediate update is not an option, it’s recommended to disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib. The other compressor options supported by MongoDB are snappy and zstd. “CVE-2025-14847 allows a remote, unauthenticated attacker to trigger a condition in which the MongoDB server may return uninitialized memory from its heap,” OP Innovate said .

“This could result in the disclosure of sensitive in-memory data, including internal state information, pointers, or other data that may assist an attacker in further exploitation.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Trust Wallet Chrome Extension Breach Caused $7 Million Crypto Loss via Malicious Code

Trust Wallet is urging users to update its Google Chrome extension to the latest version following what it described as a “security incident” that led to the loss of approximately $7 million. The issue, the multi‑chain, non‑custodial cryptocurrency wallet service said, impacts version 2.68. The extension has about one million users, according to the Chrome Web Store listing. Users are advised to update to version 2.69 as soon as possible.

“We’ve confirmed that approximately $7M has been impacted and we will ensure all affected users are refunded,” Trust Wallet said in a post on X. “Supporting affected users is our top priority, and we are actively finalizing the process to refund the impacted users.” Trust Wallet is also urging users to refrain from interacting with any messages that do not come from its official channels. Mobile-only users and all other browser extension versions are not affected. According to details shared by SlowMist, version 2.68 introduced malicious code that’s designed to iterate through all wallets stored in the extension and trigger a mnemonic phrase request for each wallet.

“The encrypted mnemonic is then decrypted using the password or passkeyPassword entered during wallet unlock,” the blockchain security firm said . “Once decrypted, the mnemonic phrase is sent to the attacker’s server api.metrics-trustwallet[.]com.” The domain “metrics-trustwallet[.]com” was registered on December 8, 2025, with the first request to “api.metrics-trustwallet[.]com” commencing on December 21, 2025. Further analysis has revealed that the attacker has leveraged an open‑source full‑chain analytics library named posthog-js to harvest wallet user information. The digital assets drained so far include about $3 million in Bitcoin, $431 in Solana, and more than $3 million in Ethereum.

The stolen funds have been moved through centralized exchanges and cross-chain bridges for laundering and swapping. According to an update shared by blockchain investigator ZachXBT, the incident has claimed hundreds of victims. “While ~$2.8 million of the stolen funds remain in the hacker’s wallets (Bitcoin/ EVM/ Solana), the bulk – >$4M in cryptos – has been sent to CEXs [centralized exchanges]: ~$3.3 million to ChangeNOW, ~$340,000 to FixedFloat, and ~$447,000 to KuCoin,” PeckShield said . “This backdoor incident originated from malicious source code modification within the internal Trust Wallet extension codebase (analytics logic), rather than an injected compromised third‑party dependency (e.g., malicious npm package),” SlowMist said.

“The attacker directly tampered with the application’s own code, then leveraged the legitimate PostHog analytics library as the data‑exfiltration channel, redirecting analytic traffic to an attacker‑controlled server.” The company said there is a possibility that it’s the work of a nation-state actor, adding the attackers may have gained control of Trust Wallet‑related developer devices or obtained deployment permissions prior to December 8, 2025. Changpeng Zhao, a co-founder of crypto exchange Binance, which owns the utility, hinted that the exploit was “most likely” carried out by an insider, although no further evidence was provided to support the theory. Update Trust Wallet, in a follow-up update, has urged affected users to complete a form on their support desk at “trustwallet-support.freshdesk[.]com” to start the compensation process. Victims have been asked to provide their contact email address, country of residence, compromised wallet address(es), the address to which the funds were drained to, and the corresponding transaction hashes.

“We are seeing scams via Telegram ads, fake ‘compensation’ forms, impersonated support accounts, and DMs,” the company cautioned. “Always verify links, never share your recovery phrase, and use official Trust Wallet channels only.” Eowyn Chen, Trust Wallet’s CEO, said an investigation into the incident is underway, reiterating that the issue impacts only Chrome browser extension version 2.68 users who logged in and before December 26, 2025, 11 a.m. UTC. “The malicious extension v2.68 was NOT released through our internal manual process,” Chen said.

“Our current findings suggest it was most likely published externally through the Chrome Web Store API key, bypassing our standard release checks.” “The hacker used a leaked Chrome Web Store API key to submit the malicious extension version v2.68. This successfully passed the Chrome Web Store’s review and was released on December 24, 2025, at 12:32 p.m. UTC.” Following the discovery of the breach, Chen said the company has taken the step of suspending the malicious domain, expiring all release APIs, and processing reimbursement for affected victims. (The story was updated after publication to reflect the latest developments.) Found this article interesting?

China-Linked Evasive Panda Ran DNS Poisoning Campaign to Deliver MgBot Malware

A China-linked advanced persistent threat (APT) group has been attributed to a highly-targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India. The activity, Kaspersky said, was observed between November 2022 and November 2024. It has been linked to a hacking group called Evasive Panda , which is tracked as Bronze Highland, Daggerfly, and StormBamboo. It’s assessed to be active since at least 2012.

“The group mainly performed adversary-in-the-middle (AitM) attacks on specific victims,” Kaspersky researcher Fatih Şensoy said in a deep-dive analysis. “These included techniques such as dropping loaders into specific locations and storing encrypted parts of the malware on attacker-controlled servers, which were resolved as a response to specific website DNS requests.” This is not the first time Evasive Panda’s DNS poisoning capabilities have come to the fore. As far back as April 2023, ESET noted that the threat actor may have either carried out a supply chain compromise or an AitM attack to serve trojanized versions of legitimate applications like Tencent QQ in an attack targeting an international non-governmental organization (NGO) in Mainland China. In August 2024, a report from Volexity revealed how the threat actor compromised an unnamed internet service provider (ISP) by means of a DNS poisoning attack to push malicious software updates to targets of interest.

Evasive Panda is also one of the many China-aligned threat activity clusters that have relied on AitM poisoning for malware distribution. In an analysis last month, ESET said it’s tracking 10 active groups from China that have leveraged the technique for initial access or lateral movement, including LuoYu, BlackTech, TheWizards APT, Blackwood, PlushDaemon, and FontGoblin. In the attacks documented by Kaspersky, the threat actor has been found to make use of lures that masquerade as updates for third-party software, such as SohuVA, a video streaming service from the Chinese internet company Sohu. The malicious update is delivered from the domain “p2p.hd.sohu.com[.]cn,” likely indicating a DNS poisoning attack.

“There is a possibility that the attackers used a DNS poisoning attack to alter the DNS response of p2p.hd.sohu.com[.]cn to an attacker-controlled server’s IP address, while the genuine update module of the SohuVA application tries to update its binaries located in appdata\roaming\shapp\7.0.18.0\package,” Şensoy explained. The Russian cybersecurity vendor said it also identified other campaigns in which Evasive Panda utilized a fake updater for Baidu’s iQIYI Video, as well as IObit Smart Defrag and Tencent QQ. The attack paves the way for the deployment of an initial loader that’s responsible for launching shellcode that, in turn, fetches an encrypted second-stage shellcode in the form of a PNG image file, again by means of DNS poisoning from the legitimate website dictionary[.]com. Evasive Panda is said to have manipulated the IP address associated with dictionary[.]com, causing victim systems to resolve the website to an attacker-controlled IP address based on their geographical location and internet service provider.

It’s currently not known how the threat actor is poisoning DNS responses. But two possible scenarios are suspected: either the ISPs used by the victims were selectively targeted and compromised to install some kind of a network implant on edge devices, or a router or firewall used by the victims was hacked for this purpose. The HTTP request to obtain the second-stage shellcode also contains the current Windows version number. This is likely an attempt on the part of the attackers to target specific operating system versions and adapt their strategy based on the operating system used.

It’s worth noting that Evasive Panda has previously leveraged watering hole attacks to distribute an Apple macOS malware codenamed MACMA . The exact nature of the second-stage payload is unclear, but Kaspersky’s analysis shows that the first-stage shellcode decrypts and runs the retrieved payload. It’s assessed that the attackers generate a unique encrypted second shellcode file for each victim as a way to bypass detection. A crucial aspect of the operations is the use of a secondary loader (“libpython2.4.dll”) that relies on a renamed, older version of “python.exe” to be sideloaded.

Once launched, it downloads and decrypts the next-stage malware by reading the contents of a file named “C:\ProgramData\Microsoft\eHome\perf.dat.” This file contains the decrypted payload downloaded from the previous step. “It appears that the attacker used a complex process to obtain this stage from a resource, where it was initially XOR-encrypted,” Kaspersky said. “The attacker then decrypted this stage with XOR and subsequently encrypted and saved it to perf.dat using a custom hybrid of Microsoft’s Data Protection Application Programming Interface (DPAPI) and the RC5 algorithm.” The use of a custom encryption algorithm is seen as an attempt to complicate analysis by ensuring that the encrypted data can only be decoded on the specific system where the encryption was initially performed and block any efforts to intercept and analyze the malicious payload. The decrypted code is an MgBot variant that’s injected by the secondary loader into a legitimate “svchost.exe” process.

A modular implant, MgBot, is capable of harvesting files, logging keystrokes, gathering clipboard data, recording audio streams, and stealing credentials from web browsers. This enables the malware to maintain a stealthy presence in compromised systems for long periods of time. “The Evasive Panda threat actor has once again showcased its advanced capabilities, evading security measures with new techniques and tools while maintaining long-term persistence in targeted systems,” Kaspersky said. Found this article interesting?

Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection

A critical security flaw has been disclosed in LangChain Core that could be exploited by an attacker to steal sensitive secrets and even influence large language model (LLM) responses through prompt injection. LangChain Core (i.e., langchain-core ) is a core Python package that’s part of the LangChain ecosystem, providing the core interfaces and model-agnostic abstractions for building applications powered by LLMs. The vulnerability, tracked as CVE-2025-68664, carries a CVSS score of 9.3 out of 10.0. Security researcher Yarden Porat has been credited with reporting the vulnerability on December 4, 2025.

It has been codenamed LangGrinch . “A serialization injection vulnerability exists in LangChain’s dumps() and dumpd() functions,” the project maintainers said in an advisory. “The functions do not escape dictionaries with ‘lc’ keys when serializing free-form dictionaries.” “The ‘lc’ key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data.” According to Cyata researcher Porat, the crux of the problem has to do with the two functions failing to escape user-controlled dictionaries containing “lc” keys.

The “lc” marker represents LangChain objects in the framework’s internal serialization format. “So once an attacker is able to make a LangChain orchestration loop serialize and later deserialize content including an ‘lc’ key, they would instantiate an unsafe arbitrary object, potentially triggering many attacker-friendly paths,” Porat said . This could have various outcomes, including secret extraction from environment variables when deserialization is performed with “secrets_from_env=True” (previously set by default), instantiating classes within pre-approved trusted namespaces, such as langchain_core, langchain, and langchain_community, and potentially even leading to arbitrary code execution via Jinja2 templates. What’s more, the escaping bug enables the injection of LangChain object structures through user-controlled fields like metadata, additional_kwargs, or response_metadata via prompt injection.

The patch released by LangChain introduces new restrictive defaults in load() and loads() by means of an allowlist parameter “allowed_objects” that allows users to specify which classes can be serialized/deserialized. In addition, Jinja2 templates are blocked by default, and the “secrets_from_env” option is now set to “False” to disable automatic secret loading from the environment. The following versions of langchain-core are affected by CVE-2025-68664 -

= 1.0.0, < 1.2.5 (Fixed in 1.2.5) < 0.3.81 (Fixed in 0.3.81) It’s worth noting that there exists a similar serialization injection flaw in LangChain.js that also stems from not properly escaping objects with “lc” keys, thereby enabling secret extraction and prompt injection. This vulnerability has been assigned the CVE identifier CVE-2025-68665 (CVSS score: 8.6).

It impacts the following npm packages - @langchain/core >= 1.0.0, < 1.1.8 (Fixed in 1.1.8) @langchain/core < 0.3.80 (Fixed in 0.3.80) langchain >= 1.0.0, < 1.2.3 (Fixed in 1.2.3) langchain < 0.3.37 (Fixed in 0.3.37) In light of the criticality of the vulnerability, users are advised to update to a patched version as soon as possible for optimal protection. “The most common attack vector is through LLM response fields like additional_kwargs or response_metadata, which can be controlled via prompt injection and then serialized/deserialized in streaming operations,” Porat said. “This is exactly the kind of ‘AI meets classic security’ intersection where organizations get caught off guard. LLM output is an untrusted input.” Found this article interesting?

ThreatsDay Bulletin: Stealth Loaders, AI Chatbot Flaws AI Exploits, Docker Hack, and 15 More Stories

It’s getting harder to tell where normal tech ends and malicious intent begins. Attackers are no longer just breaking in — they’re blending in, hijacking everyday tools, trusted apps, and even AI assistants. What used to feel like clear-cut “hacker stories” now looks more like a mirror of the systems we all use. This week’s findings show a pattern: precision, patience, and persuasion.

The newest campaigns don’t shout for attention — they whisper through familiar interfaces, fake updates, and polished code. The danger isn’t just in what’s being exploited, but in how ordinary it all looks. ThreatsDay pulls these threads together — from corporate networks to consumer tech — revealing how quiet manipulation and automation are reshaping the threat landscape. It’s a reminder that the future of cybersecurity won’t hinge on bigger walls, but on sharper awareness.

Open-source tool exploited Abuse of Nezha for Post-Exploitation Bad actors are leveraging an open-source monitoring tool named Nezha to gain remote access to compromised hosts. Its ability to allow administrators to view system health, execute commands, transfer files, and open interactive terminal sessions also makes it an attractive choice for threat actors. In one incident investigated by Ontinue, the tool was deployed as a post-exploitation remote access tool by means of a bash script, while pointing to a remote dashboard hosted on Alibaba Cloud infrastructure located in Japan. “The weaponization of Nezha reflects an emerging modern attack strategy where threat actors systematically abuse legitimate software to achieve persistence and lateral movement while evading signature-based defenses,” said Mayuresh Dani, security research manager at Qualys.

The abuse of Nezha is part of broader efforts where attackers leverage legitimate tools to evade signature detection, blend with normal activity, and reduce development effort. Facial scans for SIMs South Korea to Require Face Scans to Buy a SIM South Korea will begin requiring people to submit to facial recognition when signing up for a new mobile phone number in a bid to tackle scams and identity theft, according to the Ministry of Science and ICT. “By comparing the photo on an identification card with the holder’s actual face on a real-time basis, we can fully prevent the activation of phones registered under a false name using stolen or fabricated IDs,” the ministry said . The new policy, which applies to SK Telecom, Korea Telecom, and LG Uplus, and other mobile virtual network operators, takes effect on March 23 after a pilot following a trial that began this week .

The science ministry has emphasized that no data will be stored as part of the new policy. “We are well aware that the public is concerned due to a series of hacking incidents at local mobile carriers,” the ministry said. “Contrary to concerns raised by some, no personal information is stored or saved, and it is immediately erased once identification is verified.” Android NFC threat spike NFC-Abusing Android Malware Surges in H2 2025 Data from ESET has revealed that detections of NFC-abusing Android malware grew by 87% between H1 and H2 2025. This increase has been coupled with the growing sophistication of NFC-based malware, such as the harvesting of victims’ contacts, disabling of biometric verification, and bringing together NFC attacks with remote access trojan (RAT) features and Automated Transfer System (ATS) capabilities.

In these campaigns, malicious apps distributing malware such as PhantomCard prompt victims to hold their payment card near the phone and enter their PIN for authentication. In the process, the captured information is relayed to the attackers. “Recent innovations in the NFC sphere demonstrate that threat actors no longer rely solely on relay attacks: they are blending NFC exploitation with advanced capabilities such as remote access and automated transfers,” ESET said . “The efficiency of the scams is further fueled by advanced social engineering and technologies that can bypass biometric verification.” Fake PoCs spread malware Fake PoCs Lead to WebRAT Threat actors are now targeting inexperienced professionals and students in the information security field with fake proof-of-concept (PoC) exploits for security flaws such as CVE-2025-59295, CVE-2025-10294, and CVE-2025-59230 to trick them into installing WebRAT using a ZIP archive hosted in the repositories.

“To build trust, they carefully prepared the repositories, incorporating detailed vulnerability information into the descriptions,” Kaspersky said . The repositories include detailed sections with overviews of the vulnerability, system impact, install guides, usage steps, and even mitigation advice. The consistency of the format of a professional PoC write-up suggests the descriptions are machine-generated to avoid detection. Present within the ZIP file is an executable named “rasmanesc.exe,” that’s capable of escalating privileges, disabling Microsoft Defender, and fetching WebRAT from an external server.

Webrat is a backdoor that allows attackers to control the infected system, as well as steal data from cryptocurrency wallets, Telegram, Discord, and Steam accounts. It can also perform spyware functions such as screen recording, surveillance via a webcam and microphone, and keylogging. WebRAT is sold by NyashTeam , which also advertises DCRat. GuLoader surge observed GuLoader Campaigns Spiked in Late 2025 Campaigns distributing GuLoader (aka CloudEyE) scaled a new high between September and November 2025, according to ESET , with the highest detection peak recorded in Poland on September 18.

“CloudEyE is multistage malware; the downloader is the initial stage and spreads via PowerShell scripts, JavaScript files, and NSIS executables,” the company said. “These then download the next stage, which contains the crypter component with the intended final payload packed within. All CloudEyE stages are heavily obfuscated, meaning that they are deliberately difficult to detect and analyze, with their contents being compressed, encrypted, encoded, or otherwise obscured.” Chatbot flaws exposed Flaws in Eurostar AI Chatbot Multiple vulnerabilities have been disclosed in Eurostar’s public artificial intelligence (AI) chatbot that could allow guardrail bypass by taking advantage of the fact that the frontend relays the entire chat history to the API while running checks only on the latest message to ensure it’s safe. This opens the door to a scenario where an attacker could tamper with earlier messages, which, when fed into the model’s API, causes it to return unintended responses via a prompt injection.

Other identified issues included the ability to modify message IDs to potentially lead to cross-user compromise and inject HTML code stemming from the lack of input validation. “An attacker could exfiltrate prompts, steer answers, and run scripts in the chat window,” Pen Test Partners said. “The core lesson is that old web and API weaknesses still apply even when an LLM is in the loop.” Some of these vulnerabilities have since been fixed, but not before a confusing disclosure process that saw the penetrating testing firm somehow being accused of blackmail by Eurostar’s head of security on LinkedIn after asking, “Maybe a simple acknowledgement of the original email report would have helped?” Critical flaws uncovered Several Flaws in Databases Discovered A hacking competition conducted by Wiz, zeroday.cloud, led to the discovery of 11 critical zero-day exploits affecting foundational open-source components used in critical cloud infrastructure, including container runtimes, AI infrastructure such as vLLM and Ollama, and databases like Redis, PostgreSQL, and MariaDB. The most severe of the flaws has been uncovered in Linux.

“The vulnerability allows for a Container Escape, often enabling attackers to break out of an isolated cloud service, dedicated to one specific user, and spread to the underlying infrastructure that manages all users,” Wiz said . “This breaks the core promise of cloud computing: the guarantee that different customers running on the same hardware remain separate and inaccessible to one another. This further reinforces that containers shouldn’t be the sole security barrier in multi-tenant environments.” Loader targets industries New Campaign Targets Manufacturing and Government Orgs Manufacturing and government organizations in Italy, Finland, and Saudi Arabia are the target of a new phishing campaign that uses a commodity loader to deliver a wide range of malware, such as PureLogs, XWorm, Katz Stealer , DCRat, and Remcos RAT. “This campaign utilizes advanced tradecraft, employing a diverse array of infection vectors including weaponized Office documents (exploiting CVE-2017-11882 ), malicious SVG files, and ZIP archives containing LNK shortcuts,” Cyble said .

“Despite the variety of delivery methods, all vectors leverage a unified commodity loader.” The use of the loader to distribute a variety of malware indicates that the loader is likely shared or sold across different threat actor groups. A notable aspect of the campaign is the use of steganographic techniques to host image files on legitimate delivery platforms, thereby allowing the malicious code to slip past file-based detection systems by masquerading as benign traffic. The commodity loader is assessed to be Caminho based on similar campaigns detailed by Nextron Systems and Zscaler . Teams gets safer defaults Microsoft Bolsters Teams Security Microsoft has announced that Teams will automatically enable messaging safety features by default, including weaponizable file type protection, malicious URL protection, and reporting incorrect detections.

The change will roll out starting January 12, 2026, to tenants that have not previously modified messaging safety settings and are still using the default configuration. “We’re improving messaging security in Microsoft Teams by enabling key safety protections by default,” Microsoft said in a Microsoft 365 message center update. “This update helps safeguard users from malicious content and provides options to report incorrect detections.” In addition, the Windows maker said security administrators will be able to block external users in Microsoft Teams via the Tenant Allow/Block List in the Microsoft Defender portal. The feature is expected to roll out in early January 2026 and be completed by mid-January.

“This centralized approach enhances security and compliance by enabling organizations to control external user access across Microsoft 365 services,” the company said . AI assistant hijack risk Docker Patches Prompt Injection in Ask Gordon Docker has patched a vulnerability in Ask Gordon , its AI assistant embedded in Docker Desktop and the Docker CLI. The flaw, discovered by Pillar Security in the beta version, is a case of prompt injection that enables attackers to hijack the assistant and exfiltrate sensitive data by poisoning Docker Hub repository metadata with malicious instructions. An attacker could have created a malicious Docker Hub repository that contained crafted instructions for the AI to exfiltrate sensitive data when unsuspecting developers ask the chatbot to describe the repository.

“By exploiting Gordon’s inherent trust in Docker Hub content, threat actors can embed instructions that trigger automatic tool execution – fetching additional payloads from attacker-controlled servers, all without user consent or awareness,” security researcher Eilon Cohen said . The issue was addressed in version 4.50.0 released on November 6, 2025. Firewall bypass threat IoT Devices Facing Silent Takeover Researchers have demonstrated how to breach Internet of Things (IoT) devices through firewalls, without the need for any kind of software vulnerability. “We present a new attack technique that allows attackers anywhere in the world to impersonate target intranet devices, hijack cloud communication channels, spoof the cloud, and bypass companion app authentication, and ultimately achieve Remote Code Execution (RCE) with root privileges,” researchers Jincheng Wang and Nik Xe said .

“Our research exposes flaws in existing cloud-device authentication mechanisms, and a widespread absence of proper channel verification mechanisms.” Faster BitLocker encryption Microsoft Announces Hardware-Accelerated BitLocker in Windows 11 Microsoft said it’s rolling out hardware-accelerated BitLocker in Windows 11 to balance robust security with minimal performance impact. “Starting with the September 2025 Windows update for Windows 11 24H2 and the release of Windows 11 25H2, in addition to existing support for UFS (Universal Flash Storage) Inline Crypto Engine technology, BitLocker will take advantage of upcoming system on chip (SoC) and central processing unit (CPU) capabilities to achieve better performance and security for current and future NVMe drives,” the company said . As part of this effort, BitLocker will hardware wrap BitLocker bulk encryption keys and offload bulk cryptographic operations from the main CPU to a dedicated crypto engine. “When enabling BitLocker, supported devices with NVMe drives, along with one of the new crypto offload capable SoCs, will use hardware-accelerated BitLocker with the XTS-AES-256 algorithm by default,” the tech giant added.

Israel-targeted phishing Israeli Entities Targeted by UNG0801 Information Technology (IT), Managed Service Providers (MSPs), human resources, and software development companies in Israel have become the target of a threat cluster likely originating from Western Asia that has used phishing lures written in Hebrew and designed to resemble routine internal communications to infect their systems with a Python- and Rust-based implants tracked as PYTRIC and RUSTRIC. The activity has been tracked by Seqrite Labs under the monikers UNG0801 and Operation IconCat. “A recurring pattern across the observed campaigns is the actor’s heavy reliance on antivirus icon spoofing,” the company said . “Branding from well-known security vendors, most notably SentinelOne and Check Point, is abused to create a false sense of legitimacy.” The PDF attachment in the email messages instructs recipients to download a security scanner by clicking on a Dropbox link that delivers the malware.

PYTRIC is equipped to scan the file system and perform a system-wide wipe. Attack chains distribute RUSTRIC leverage Microsoft Word documents with a malicious macro, which then extracts and launches the malware. Besides enumerating the antivirus programs installed on the infected host, it gathers basic system information and contacts an external server. EDR killer tool sold NtKiller Advertised on Cybercrime Forums A threat actor known as AlphaGhoul is promoting a tool called NtKiller that they claim can stealthily terminate antivirus and security solutions, such as Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro.

The core functionality, per Outpost24 , is available for $500, with a rootkit add-on and a UAC Bypass add-on costing $300 each. The disclosure comes weeks after a security researcher, who goes by the name Zero Salarium, demonstrated how Endpoint Detection and Response (EDR) programs can be undermined on Windows by exploiting the Bind Filter driver (“bindflt.sys”). In recent months, the security community has also identified ways to bypass web application firewalls (WAFs) by abusing ASP.NET’s parameter pollution, subvert EDRs using an in-memory Portable Executable (PE) loader, and even manipulate Microsoft Defender Antivirus to sideload DLLs and delete executable files to prevent the service from running by exploiting its update mechanism to hijack its execution folder. AI exploits blockchain AI Agents Find $4.6M in Blockchain Smart Contract Exploits AI company Anthropic said Claude Opus 4.5, Claude Sonnet 4.5, and GPT-5 developed exploits in blockchain smart contracts that would have allowed the theft of $4.6 million worth of digital assets.

“Both agents uncovered two novel zero-day vulnerabilities and produced exploits worth $3,694, with GPT-5 doing so at an API cost of $3,476,” Anthropic’s Frontier Red Team said . “This demonstrates as a proof-of-concept that profitable, real-world autonomous exploitation is technically feasible, a finding that underscores the need for proactive adoption of AI for defense.” North Korea’s new lure ScarCruft Behind New Operation Artemis Campaign The North Korean threat actor known as ScarCruft has been linked to a new campaign dubbed Artemis that involves the adversary posing as a writer for Korean TV programs to reach out to targets for casting or interview arrangements. “A short self-introduction and legitimate-looking instructions are used to build trust,” Genians said . “The attacker distributes a malicious HWP file disguised as a pre-interview questionnaire or event guide document.” The end goal of these attacks is to trigger the sideloading of a rogue DLL that ultimately delivers RokRAT, which uses Yandex Cloud for command-and-control (C2).

The campaign gets its name from the fact that one of the identified HWP documents has its Last Saved By field set to the value “Artemis.” AI-fueled disinfo surge CopyCop Scales AI-Driven Influence Ops The Russian influence operation CopyCop (aka Storm-1516) is using AI tools to scale its efforts to a global reach, quietly deploying more than 300 inauthentic websites disguised as local news outlets, political parties, and even fact-checking organizations targeting audiences across North America, Europe, and other regions, including Armenia, Moldova, and parts of Africa. The primary objective is to further Russia’s geopolitical goals and erode Western support for Ukraine. “What sets CopyCop apart from earlier influence operations is its large-scale use of artificial intelligence,” Recorded Future said . “The network relies on self-hosted LLMs, specifically uncensored versions of a popular open-source model, to generate and rewrite content at scale.

Thousands of fake news stories and ‘investigations’ are produced and published daily, blending factual fragments with deliberate falsehoods to create the illusion of credible journalism.” RomCom-themed phishing SHADOW-VOID-042 Behind Trend Micro-Themed Phishing Campaign A threat cluster dubbed SHADOW-VOID-042 has been linked to a November 2025 spear-phishing campaign featuring a Trend Micro-themed social engineering lure to trick victims in the defense, energy, chemical, cybersecurity (including Trend and a subsidiary), and ICT sectors with messages instructing them to install a fake update for alleged security issues in Trend Micro Apex One. The activity, Trend Micro said, shares overlaps with prior campaigns attributed to RomCom (aka Void Rabisu), a threat actor with both financial and espionage motivations that aligned with Russian interests. However, in the absence of a definitive connection, the latter attack waves are being tracked under a separate temporary intrusion set. What’s more, the November 2025 campaign shares tactical and infrastructure overlaps with another campaign in October 2025, which used alleged harassment complaints and research participation as social engineering lures.

“The campaign utilized a multi-stage approach, tailoring every stage to the specific target machine and delivering intermediate payloads to a select number of targets,” Trend Micro said . The URLs embedded in the emails redirect victims to a fake landing page impersonating Cloudflare, while, in the background, attempts are made to exploit a now-patched Google Chrome security flaw (CVE-2018-6065) using a JavaScript file. In the event exploitation fails, they are taken to a decoy site named TDMSec, impersonating Trend Micro. The JavaScript file also contains shellcode responsible for gathering system information and contacting an external server to fetch a second-stage payload, which acts as a loader for an encrypted component that then proceeds to contact a server to obtain an unspecified next-stage malware.

While Void Rabisu has exploited zero-days in the past, the new findings raise the possibility that it could be undergoing several changes. The stories this week aren’t just about new attacks — they’re a snapshot of how the digital world is maturing under pressure. Every exploit, fake lure, or AI twist is a sign of systems being tested in real time. The takeaway isn’t panic; it’s awareness.

The more we understand how these tactics evolve, the less power they hold. Cybersecurity now sits at the crossroads of trust and automation. As AI learns to defend, it’s also learning how to deceive. That tension will define the next chapter — and how ready we are to face it depends on what we choose to notice today.

Stay curious, stay skeptical, and read between the lines. The biggest threats often hide in what feels most routine — and that’s exactly where the next breakthrough in defense will begin. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

How AI and Zero Trust Work Together to Catch Attacks With No Files or Indicators

JavaScript must be enabled in order to register for webinar. Yes, I’d like to register for the webinar and agree to the handling of my information as explained in thePrivacy Policy. There’s one constant in cybersecurity: the threat landscape continues to rapidly evolve. To bolster their organizations’ resilience, defenders need proactive visibility and tooling across their endpoints, developer environments, and crypto stack to stay several steps ahead of attackers.In this webinar, join experts from the Zscaler Internet Access product team as they cover the next major security challenges and how enterprises can best respond to them:“Living off the Land” Attacks:Today’s attackers use a combination of malware and legitimate system tools like PowerShell, WMI, or RDP.

File-based detection alone misses threats that blend in with trusted processes. Learn how and why gaining endpoint visibility into file-based threats, apps, and process behaviors is essential.Fileless “Last Mile” Reassembly Attacks:Legacy security tools are ineffective against fileless attacks, including those using only obfuscated HTML and JavaScript. Learn how a cloud-native antimalware engine that emulates malicious scripting and reassembles an executable binary in isolation can stop malicious files from being delivered to an endpoint.Securing Developer Environments:Developers are building and deploying applications faster than ever before. But third-party repositories and other open-source CI/CD tools can contain malicious code and vulnerabilities that can compromise your organization’s security.

Inspecting encrypted traffic in developer environments can identify and defeat would-be threats. Learn how to secure development workflows with automated TLS/SSL inspection and code sandboxing.You’ll see howZscaler Internet Access’s capabilities, built on a foundation of zero trust and AI-powered protection, provide SOC and IT teams with the preventative tooling and visibility necessary to effectively defend against emerging threats so you can proactively fortify your security posture to protect your users, devices, and data. There’s one constant in cybersecurity: the threat landscape continues to rapidly evolve. To bolster their organizations’ resilience, defenders need proactive visibility and tooling across their endpoints, developer environments, and crypto stack to stay several steps ahead of attackers.

In this webinar, join experts from the Zscaler Internet Access product team as they cover the next major security challenges and how enterprises can best respond to them: You’ll see howZscaler Internet Access’s capabilities, built on a foundation of zero trust and AI-powered protection, provide SOC and IT teams with the preventative tooling and visibility necessary to effectively defend against emerging threats so you can proactively fortify your security posture to protect your users, devices, and data. By clicking “Register Now,” you agree to permit The Hacker News and its partners to process your contact details, which may include The Hacker News reaching out to you and sharing your contact information with its webinar partners.

LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds

The encrypted vault backups stolen from the 2022 LastPass data breach have enabled bad actors to take advantage of weak master passwords to crack them open and drain cryptocurrency assets as recently as late 2025, according to new findings from TRM Labs. The blockchain intelligence firm said evidence points to the involvement of Russian cybercriminal actors in the activity, with one of the Russian exchanges receiving LastPass-linked funds as recently as October. This assessment is “based on the totality of on-chain evidence – including repeated interaction with Russia-associated infrastructure, continuity of control across pre-and post-mix activity, and the consistent use of high-risk Russian exchanges as off-ramps ,” it added. LastPass suffered a major hack in 2022 that enabled attackers to access personal information belonging to its customers, including their encrypted password vaults containing credentials, such as cryptocurrency private keys and seed phrases.

Earlier this month, the password management service was fined $1.6 million by the U.K. Information Commissioner’s Office (ICO) for failing to implement sufficiently robust technical and security measures to prevent the incident. The breach also prompted the company to issue a warning at the time, stating bad actors may use brute-force techniques to guess the master passwords and decrypt the stolen vault data. The latest findings from TRM Labs show that the cybercriminals have done just that.

“Any vault protected by a weak master password could eventually be decrypted offline, turning a single 2022 intrusion into a multi-year window for attackers to quietly crack passwords and drain assets over time,” the company said. “As users failed to rotate passwords or improve vault security, attackers continued to crack weak master passwords years later – leading to wallet drains as recently as late 2025.” The Russian links to the stolen cryptocurrency from the 2022 LastPass breach stem from two primary factors: The use of exchanges commonly associated with the Russian cybercriminal ecosystem in the laundering pipeline and operational connections gleaned from wallets interacting with mixers both before and after the mixing and laundering process. More $35 million in siphoned digital assets have been traced, out of which $28 million was converted to Bitcoin and laundered via Wasabi Wallet between late 2024 and early 2025. Another $7 million has been linked to a subsequent wave detected in September 2025.

The stolen funds have been found to be routed through Cryptomixer.io and off-ramped via Cryptex and Audia6, two Russian exchanges associated with illicit activity. It’s worth mentioning here that Cryptex was sanctioned by the U.S. Treasury Department in September 2024 for receiving over $51.2 million in illicit funds derived from ransomware attacks. TRM Labs said it was able to demix the activity despite the use of CoinJoin techniques to make it harder to trace the flow of funds to external observers, uncovering clustered withdrawals and peeling chains that funneled mixed Bitcoin into the two exchanges.

“This is a clear example of how a single breach can evolve into a multi-year theft campaign,” said Ari Redbord, global head of policy at TRM Labs. “Even when mixers are used, operational patterns, infrastructure reuse, and off-ramp behavior can still reveal who’s really behind the activity.” “Russian high-risk exchanges continue to serve as critical off-ramps for global cybercrime. This case shows why demixing and ecosystem-level analysis are now essential tools for attribution and enforcement.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Fortinet Warns of Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability

Fortinet on Wednesday said it observed “recent abuse” of a five-year-old security flaw in FortiOS SSL VPN in the wild under certain configurations. The vulnerability in question is CVE-2020-12812 (CVSS score: 5.2), an improper authentication vulnerability in SSL VPN in FortiOS that could allow a user to log in successfully without being prompted for the second factor of authentication if the case of the username was changed. “This happens when two-factor authentication is enabled in the ‘user local’ setting, and that user authentication type is set to a remote authentication method (eg, LDAP),” Fortinet noted in July 2020. “The issue exists because of inconsistent case-sensitive matching among the local and remote authentication.” The vulnerability has since come under active exploitation in the wild by multiple threat actors , with the U.S.

government also listing it as one of the many weaknesses that were weaponized in attacks targeting perimeter-type devices in 2021. In a fresh advisory issued December 24, 2025, Fortinet noted that successfully triggering CVE-2020-12812 requires the following configuration to be present - Local user entries on the FortiGate with 2FA, referencing back to LDAP The same users need to be members of a group on the LDAP server At least one LDAP group the two-factor users are a member of needs to be configured on FortiGate, and the group needs to be used in an authentication policy which could include for example administrative users, SSL, or IPSEC VPN If these prerequisites are satisfied, the vulnerability causes LDAP users with 2FA configured to bypass the security layer and instead authenticate against LDAP directly, which, in turn, is the result of FortiGate treating usernames as case-sensitive, whereas the LDAP Directory does not. “If the user logs in with ‘Jsmith’, or ‘jSmith’, or ‘JSmith’, or ‘jsmiTh’ or anything that is NOT an exact case match to ‘jsmith,’ the FortiGate will not match the login against the local user,” Fortinet explained. “This configuration causes FortiGate to consider other authentication options.

The FortiGate will check through other configured firewall authentication policies.” “After failing to match jsmith, FortiGate finds the secondary configured group ‘Auth-Group’, and from it the LDAP server, and provided the credentials are correct, authentication will be successful regardless of any settings within the local user policy (2FA and disabled accounts).” As a result, the vulnerability can authenticate admin or VPN users without 2FA. Fortinet released FortiOS 6.0.10, 6.2.4, and 6.4.1 to address the behavior in July 2020. Organizations that have not deployed these versions can run the below command for all local accounts to prevent the authentication bypass issue - set username-case-sensitivity disable Customers who are on FortiOS versions 6.0.13, 6.2.10, 6.4.7, 7.0.1, or later are advised to run the following command - set username-sensitivity disable “With username-sensitivity set to disabled, FortiGate will treat jsmith, JSmith, JSMITH, and all possible combinations as identical and therefore prevent failover to any other misconfigured LDAP group setting,” the company said. As additional mitigation, it’s worth considering removing the secondary LDAP Group if it’s not required, as this eliminates the entire line of attack since no authentication via LDAP group will be possible, and the user will fail authentication if the username is not a match to a local entry.

However, the newly issued guidance does not give any specifics on the nature of the attacks exploiting the flaw, nor whether any of those incidents were successful. Fortinet has also advised impacted customers to contact its support team and reset all credentials if they find evidence of admin or VPN users being authenticated without 2FA. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

CISA Flags Actively Exploited Digiever NVR Vulnerability Allowing Remote Code Execution

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2023-52163 (CVSS score: 8.8), relates to a case of command injection that allows post-authentication remote code execution. “Digiever DS-2105 Pro contains a missing authorization vulnerability which could allow for command injection via time_tzsetup.cgi,” CISA said.

The addition of CVE-2023-52163 to the KEV catalog comes in the multiple reports from Akamai and Fortinet about the exploitation of the flaw by threat actors to deliver botnets like Mirai and ShadowV2 . According to TXOne Research security researcher Ta-Lun Yen, the vulnerability, alongside an arbitrary file read bug (CVE-2023-52164, CVSS score: 5.1), remains unpatched due to the device reaching end-of-life (EoL) status. Successful exploitation requires an attacker to be logged into the device and perform a crafted request. In the absence of a patch, it’s advised that users avoid exposing the device to the internet and change the default username and password.

CISA is also recommending that Federal Civilian Executive Branch (FCEB) agencies apply the necessary mitigations or discontinue use of the product by January 12, 2025, to secure their network from active threats. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper

Cybersecurity researchers have discovered a new variant of a macOS information stealer called MacSync that’s delivered by means of a digitally signed, notarized Swift application masquerading as a messaging app installer to bypass Apple’s Gatekeeper checks. “Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix -style techniques, this sample adopts a more deceptive, hands-off approach,” Jamf researcher Thijs Xhaflaire said . The Apple device management firm and security company said the latest version is distributed as a code-signed and notarized Swift application within a disk image (DMG) file named “zk-call-messenger-installer-3.9.2-lts.dmg” that’s hosted on “zkcall[.]net/download.” The fact that it’s signed and notarized means it can be run without being blocked or flagged by built-in security controls like Gatekeeper or XProtect. Despite this, the installer has been found to display instructions prompting users to right-click and open the app – a common tactic used to sidestep such safeguards.

Apple has since revoked the code signing certificate. The Swift-based dropper then performs a series of checks before downloading and executing an encoded script through a helper component. This includes verifying internet connectivity, enforcing a minimum execution interval of around 3600 seconds to enforce a rate limit, and removing quarantine attributes and validating the file prior to execution. “Notably, the curl command used to retrieve the payload shows clear deviations from earlier variants,” Xhaflaire explained.

“Rather than using the commonly seen -fsSL combination, the flags have been split into -fL and -sS, and additional options like –noproxy have been introduced.” “These changes, along with the use of dynamically populated variables, point to a deliberate shift in how the payload is fetched and validated, likely aimed at improving reliability or evading detection.” Another evasion mechanism used in the campaign is the use of an unusually large DMG file, inflating its size to 25.5 MB by embedding unrelated PDF documents. The Base64-encoded payload, once parsed, corresponds to MacSync , a rebranded version of Mac.c that first emerged in April 2025. MacSync, per MacPaw’s Moonlock Lab, comes fitted with a fully-featured Go-based agent that goes beyond simple data theft and enables remote command and control capabilities. It’s worth noting that code-signed versions of malicious DMG files mimicking Google Meet have also been observed in attacks propagating other macOS stealers like Odyssey .

That said, threat actors have continued to rely on unsigned disk images to deliver DigitStealer as recently as last month. “This shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly attempt to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications,” Jamf said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

The fraudulent investment scheme known as Nomani has witnessed an increase by 62%, according to data from ESET, as campaigns distributing the threat have also expanded beyond Facebook to include other social media platforms, such as YouTube. The Slovak cybersecurity company said it blocked over 64,000 unique URLs associated with the threat this year. A majority of the detections originated from Czechia, Japan, Slovakia, Spain, and Poland. Nomani was first documented by ESET in December 2024 as leveraging social media malvertising, company-branded posts, and artificial intelligence (AI)-powered video testimonials to deceive users into investing their funds in non-existent investment products that falsely claim significant returns.

When victims request payout of the promised profits, they are asked to pay additional fees or provide additional personal information, such as ID and credit card information. As is typical of investment scams of this kind, the end goal is financial loss. It doesn’t end there, for the fraudsters attempt to scam them again by making use of Europol- and INTERPOL-related lures on social media that promise assistance with getting their stolen funds back – only to lose more money in the process. ESET said the scam has since received some notable upgrades, including making their AI-generated videos more realistic in an effort to make it harder for prospective targets to spot the deception.

“Deepfakes of popular personalities, used as initial hooks for phishing forms or websites, now use higher resolution, have significantly reduced unnatural movements and breathing, and have also improved their A/V sync,” the company noted. The fabricated content has been found to often leverage topical events or personalities who are more widely seen in the public discourse to lend more credibility to the scheme. In one case observed in Czechia, a bogus news article falsely claimed the government was investing through one of its scam cryptocurrency platforms and generating substantial returns. To ensure that their malicious ads are not caught by the platform’s systems, the threat actors make sure that the campaigns are run only for a few hours.

Another important change involves redirecting users to benign cloaking pages instead of external phishing forms in case they don’t meet the targeting criteria. “To further lower their footprint, attackers increasingly abuse legitimate tools offered by the social media ad framework, such as forms and surveys instead of external webpages, to harvest victims’ information,” ESET said. Improvements have also been observed in the templates used to generate phishing pages, with signs pointing to the use of AI tools to write the HTML code. This assessment is based on the presence of checkboxes in source code comments.

Furthermore, GitHub repositories hosting such templates for investment scams have come from Russian and/or Ukrainian users. Despite these changes, the number of detections for Nomani in the second half of 2025 dropped, an indication that the attackers are likely being forced to revamp their tactics in the face of increased law enforcement efforts to combat such scams. “On the bright side, although overall detections are up compared to 2024, there’s a hint of improvement, as H2 2025 detections have declined by 37% compared to H1 2025,” ESET said. The disclosure coincides with a new investigation from Reuters that found 19% of Meta’s $18 billion in ad sales in China last year came from ads for scams, illegal gambling, pornography, and other banned content that are run by the company’s ad agency partners in the country.

Some of these agencies allow businesses to run banned advertisements. Following the report, Meta is said to have put the program under review. The latest report comes on the heels of another Reuters report that revealed the company projected earning 10% of Meta’s global revenue for 2024 – or about $16 billion – from such ads, including those run by threat actors behind Nomani, quantifying the humongous scale of the problem. Found this article interesting?

Attacks are Evolving: 3 Ways to Protect Your Business in 2026

Every year, cybercriminals find new ways to steal money and data from businesses. Breaching a business network, extracting sensitive data, and selling it on the dark web has become a reliable payday. But in 2025, the data breaches that affected small and medium-sized businesses (SMBs) challenged our perceived wisdom about exactly which types of businesses cybercriminals are targeting. This article will outline the learnings from key data breaches in 2025 as well as the most effective ways for SMBs to protect themselves in the coming year.

Examining the 2025 data breaches Prior to 2025, large businesses were popular targets for hackers because of their large pools of resources. It was assumed that smaller businesses simply weren’t as vulnerable to cyberattacks because there was less value in attacking them. But new security research from the Data Breach Observatory shows that’s changing: Small- and medium-sized businesses (SMBs) are now more likely to become a target. This change in tactic has been caused by large businesses investing in their cybersecurity and also refusing to pay ransoms.

Cybercriminals are less likely to extract anything of value by attacking these businesses, so instead they’re turning to attacking smaller businesses. While the payday may be smaller when attacking SMBs, by increasing the volume of attacks, cybercriminals can make up the shortfall. Smaller businesses have fewer resources to protect their networks and thus have become more reliable targets. Four in five small businesses have suffered a recent data breach.

By examining some of these data breaches and the companies they affected, a pattern emerges, and failings can be identified. Here are three key SMB data breaches from 2025: Tracelo — More than 1.4 million records stolen from this American mobile geolocating business appeared on the dark web following an attack from a hacker known as Satanic. Customer names, addresses, phone numbers, email addresses, and passwords were all made available for sale. PhoneMondo — This German telecommunications company was infiltrated by hackers and had more than 10.5+ million records stolen and posted online.

Customer names, dates of birth, addresses, phone numbers, email addresses, usernames, passwords, and IBANs all made it onto the dark work. SkilloVilla — The 60-person team behind this Indian edtech platform wasn’t able to protect the extensive customer data collected by the platform, and more than 33 million records were leaked on the dark web. Customer names, addresses, phone numbers, and email addresses have all been spotted online. What can we learn?

Looking at these particular breaches and taking into account the wider data breach landscape, we can identify trends that shaped 2025: SMBs were the number one target for hackers in 2025, accounting for 70.5% of the data breaches identified in the Data Breach Observatory . This means that companies between 1 and 249 employees were the most vulnerable to cybersecurity breaches throughout the year. Retail, tech, and media/entertainment businesses were targeted most frequently. Names and contact information are the most common records to appear on the dark web, increasing the risk of phishing attacks targeting workers.

Names and emails appeared in 9 out of 10 data breaches. With these trends in mind, it’s likely that hackers will continue targeting SMBs in the new year. If your organization falls into this category, your risk of a data breach could be higher. It’s not inevitable, however.

By considering your business’s sensitive data, how it’s stored, and what you use to protect it, you can secure your organization. How to avoid data breaches in 2026 Avoiding a data breach doesn’t have to be costly or complicated, as long as your business takes the right approach and finds the right tools. Employ two-factor authentication If all it takes to gain access to one of your business tools is a username and a password, your network is significantly easier to breach. Two-factor authentication (2FA) makes it harder for unauthorized individuals to gain access.

By introducing a secondary authentication method, such as an OTP code, security key, or biometric login, authentication and authorization take less time for your system, as well as increasing the barrier to entry. Secure access control to your network The principle of least privilege is a method used to decide who has access to what business tools and data. It dictates that any given team member should have access to strictly the necessary information they need to perform their role and nothing else. This approach to access control protects your organization by reducing the number of entry points into your network.

When access has been granted to strictly necessary team members, that access needs to be secured with good password hygiene. This includes creating strong passwords, not reusing passwords for multiple accounts, and ensuring that your business is notified if any of your data appears on the dark web. Strong and enforceable password policies support good password hygiene, and you can ensure that the dark web is regularly scanned for business data with a tool or service such as a password manager. Store sensitive data securely Leaked passwords and email addresses contribute to the risk that your employees will be targeted by phishing attacks or have their accounts compromised.

Even a single compromised account can lead to a data breach. Create a single, secure repository for every business credential by adopting a secure business password manager . With a password manager, every team member can safely generate strong passwords that meet your business’s password policy, autofill them on frequently visited websites and apps, and securely share credentials when needed. This secures all of these vital entry points into your business network.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

SEC Files Charges Over $14 Million Crypto Scam Using Fake AI-Themed Investment Tips

The U.S. Securities and Exchange Commission (SEC) has filed charges against multiple companies for their alleged involvement in an elaborate cryptocurrency scam that swindled more than $14 million from retail investors. The complaint charged crypto asset trading platforms Morocoin Tech Corp., Berge Blockchain Technology Co., Ltd., and Cirkor Inc., as well as investment clubs AI Wealth Inc., Lane Wealth Inc., AI Investment Education Foundation (AIIEF) Ltd., and Zenith Asset Tech Foundation, in connection with the operation. The SEC said the scam unfolded as a multi-step fraud that enticed unsuspecting users with ads on social media and built trust with them through group chats in which the scammers posed as financial professionals and promised returns from artificial intelligence (AI)-generated investment tips.

The fraudsters then convinced the victims to invest their funds into fake cryptocurrency asset trading platforms, only to defraud them later. According to the SEC, AI Wealth, Lane Wealth, AIIEF, and Zenith operated investment clubs on messaging apps like WhatsApp to which retail investors were lured into joining via ads on social media. While AI Wealth and Lane Wealth operated their WhatsApp groups from at least January 2024 to June 2024, AIIEF and Zenith ran from at least July 2024 to January 2025. The complaint alleges an unnamed individual based in Beijing, China, paid for the registrations of AI Wealth, Lane Wealth, and Zenith.

The details of the cryptocurrency platforms are as follows - Morocoin Tech Corp. - Established around December 2023 and accessible at h5.morocoin[.]top (Currently delinquent) Berge Blockchain Technology Co., Ltd. - Established around June 2022 and accessible at www.bergev[.]org (Currently delinquent) Cirkor Inc. - Established around May 2024 and accessible at www.cirkortrading[.]com (Administratively dissolved in October 2025) Each of these clubs included a “professor” who sent updates to investors via WhatsApp on macroeconomic conditions or commentary on stocks and an “assistant” who handled day-to-day interactions with participants.

These personas also send trade recommendations that they falsely claimed were based on AI-generated “signals.” “The clubs gained investors’ confidence with supposedly AI-generated investment tips before luring investors to open and fund accounts on purported crypto asset trading platforms Morocoin, Berge, and Cirkor, which falsely claimed to have government licenses, as alleged,” the SEC said. “The investment clubs and platforms then allegedly offered ‘Security Token Offerings’ that were purportedly issued by legitimate businesses. In reality, no trading took place on the trading platforms, which were fake, and the Security Token Offerings and their purported issuing companies did not exist.” The AI Wealth and Lane Wealth WhatsApp groups are said to have promoted an STO of a cryptocurrency asset called SCT, purportedly issued by the company SatCommTech. Likewise, the AIIEF and Zenith WhatsApp groups advertised an STO of another crypto asset called HMB that was issued by HumanBlock.

Both SatCommTech and HumanBlock have been identified as fictitious. To make matters worse, when investors attempted to withdraw their funds, the bogus platforms defrauded them a second time by demanding that they pay advance fees to gain access to money in their accounts. In the end, the platforms cut off investors’ access to their services. The ill-gotten proceeds, totaling at least $14 million, were moved overseas through a web of bank accounts and crypto asset wallets, in some cases through accounts held by Chinese or Burmese individuals located in Southeast Asia.

Of the total misappropriated funds, cryptocurrency assets account for at least $7.4 million, and fiat currency accounts for $6.6 million. In one case, a Morocoin investor made seven separate wires amounting to more than $1 million to accounts in China and Hong Kong. In another, a Cirkor investor wired over $1.4 million to a bank in Indonesia. There have also been multiple reports on Reddit about individuals losing their money to the scam , with the AIIEF flagged for using names like “Richard Dill” and “Daisy Akemi” for professors and assistants.

The defendants have been charged with violating the anti-fraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934. In addition, the SEC is seeking permanent injunctions and civil penalties, along with the repayment of the money with prejudgment interest. “This matter highlights an all-too-common form of investment scam that is being used to target U.S. retail investors with devastating consequences,” said Laura D’Allaird, Chief of the Cyber and Emerging Technologies Unit.

“Fraud is fraud, and we will vigorously pursue securities fraud that harms retail investors.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Italy Fines Apple €98.6 Million Over ATT Rules Limiting App Store Competition

Apple has been fined €98.6 million ($116 million) by Italy’s antitrust authority after finding that the company’s App Tracking Transparency (ATT) privacy framework restricted App Store competition. The Italian Competition Authority (Autorità Garante della Concorrenza e del Mercato, or AGCM) said the company’s “absolute dominant position” in app distribution allowed it to “unilaterally impose” the ATT rules on third-party app developers, without consulting with them beforehand. The investigation was launched in May 2023. The AGCM said it’s not calling into question Apple’s decision to adopt safeguards designed to enhance users’ privacy on iOS, but rather it’s taking issue with the consent requirements that are excessively burdensome for developers and “disproportionate” to the stated objectives of ATT.

Specifically, this requires developers to serve both ATT- and GDPR-related permission prompts in apps for iPhone and iPad users in the E.U. to seek user permission before processing their data for personalized ads. In contrast, Apple’s own apps and services can obtain this permission in a single tap. “In particular, third-party app developers are required to obtain specific consent for the collection and linking of data for advertising purposes through Apple’s ATT prompt,” AGCM said.

“However, such a prompt does not meet privacy legislation requirements, forcing developers to double the consent request for the same purpose.” The authority also said the double consent requirement that arises as a result of ATT harms third-party developers who rely on advertising, adding, “Apple should have ensured the same level of privacy protection for users by allowing developers to obtain consent to profiling in a single ‘Personalized Advertising’ prompt. In a statement shared with Reuters, Apple said it will appeal the regulator’s decision and reiterated its commitment “to defend strong privacy protections.” It also said the rules apply equally to all developers, including Apple. Apple introduced ATT in 2021 as a way for mobile apps to seek users’ explicit consent in order to access their device’s unique advertising identifier for tracking them across apps and websites for targeted advertising. This is not the first time the privacy framework has run at odds with competition authorities.

Back in March 2025, the company was also fined €150 million ($162 million) by France’s competition watchdog for using ATT to leverage its dominant market position in mobile app advertising. Apple is also facing similar probes in Poland and Romania . Earlier this month, Germany’s antitrust authority said it was testing Apple’s proposed changes to ATT, which included changes to the text and formatting of the consent prompt while maintaining “core user benefits.” The company is said to have agreed to introduce neutral consent prompts for both its own services and third-party apps, in addition to simplifying the consent process so that developers can obtain user permission in a manner that complies with data protection law. Found this article interesting?