Blogs

AI Surge in CyberSecurity Redefining Threat & Defense; Reshaping Software Development & Security

Enterprise cyber security strategy built around AI has become a game changer, reshaping both threat and defense. Embracing GenAI for a robust defensive system empowers organizations to analyze vast amounts of data, a key requirement for enterprise security, where software development is central and 'security by design' must be embraced.

In 2024-2025 we have witnessed how mainstream enterprise deployment of AI has changed strategic cyber security requirements: creating stronger defense mechanisms around enterprise security, redefining the threat landscape and reshaping software development.

AI is changing the way we look at products, because it acts as a risk multiplier. How are organizations balancing innovation with protection?

AI can crack commonly used passwords within minutes. This is alarming, since it puts more power in the hands of attackers; on the other side, AI can also improve password security, which is a boon. The dark web is already selling FraudGPT and WormGPT.

In organizational cyber security strategy, AI is now being used to tackle threats and strengthen cyber defense. At the same time, AI has the capability to accelerate the speed of cyber attacks.

So what are leaders deciding when chasing AI-based products? They are looking for products that give a practical, actionable outlook and can be embedded in delivery workflows.

Strategically, this means evolving away from rigid, checkbox-based compliance toward dynamic, adaptive security models that reflect how modern teams really build software—especially in AI-accelerated environments.

As per statistics, 2025 witnessed the following AI-based cyber attacks: 16% of all breaches in 2025 involved attackers using AI (IBM); among those AI-driven attacks, 37% used phishing and 35% used deepfakes (IBM). 63% of breached organizations had no AI governance policy or were still developing one, highlighting the governance gap around AI adoption (IBM).

OpenText has released its survey, and the report notes that AI is rapidly changing the threat landscape for organizations. Organizations are navigating a high-stakes balancing act to enable innovation while managing risk.

Here are the key findings:

Top AI-related concerns among respondents include data leakage (29%), AI-enabled attacks (27%), and deepfakes (16%).

95% of respondents are confident in their ability to recover from a ransomware attack, but only 15% of those attacked fully recovered their data.

88% allow employees to use GenAI tools, yet less than half (48%) have a formal AI use policy.

Enterprises lead AI governance (52%) compared to SMBs (43%) by having a formal AI policy in place.

52% report increased phishing or ransomware due to AI; 44% have seen deepfake-style impersonation attempts.

Surge in AI Threats via sophisticated attacks

One of the reasons cited by threat researchers is that organizations are embracing GenAI and allowing employees to use generative AI tools, while fewer than 50% have a formal AI-use or data privacy policy in place, the report noted.

This is compounded by attackers' innovative use of AI to trick users and bypass traditional defense mechanisms.

AI tools are now being used to create convincing phishing emails, fake websites and even deepfake videos, and to inject malicious code, giving cyber criminals extra leverage.

In the last few months we witnessed how ransomware attacks around the world surged and grew more complex, with third-party service providers and software supply chains as prime targets. Examples include the Qantas airline breach and the M&S data breach that hit the UK's top retail brand.

While Qantas did not confirm to Information Age whether AI voice deepfakes were used in the breach, the cybercrime group that experts believe may be linked to the hack, dubbed 'Scattered Spider', has a track record of using voice-based phishing (or 'vishing') in its attacks. Incidents like this point to how AI-assisted social engineering is driving the surge in cyber attacks.

AI for Cyber Defense for Organizational Cyber Security Strategy

It is not only hackers who benefit; for organizations AI is a game changer too, as it is used to detect attacks faster, reducing mean time to detection.

The findings of this survey reinforce that protecting against ransomware now depends not just on internal defenses, but also on how effectively organizations, partners and technology providers collaborate to close security gaps before they are exploited.

Key pointers for making pragmatic and strategic choices; this approach starts with embracing security by design in the development life cycle:

  • Continuously embed security in developer workflows, automating scanning, policy enforcement and anomaly detection in the tools developers already use.
  • AI-based cybersecurity tools are better at identifying patterns and anomalies in large datasets, including vulnerabilities; teams still have to prioritize and contextualize the findings in terms of the product being developed.
  • An attack may occur that the security tools fail to detect, so continuous testing is mandatory.
  • Developers should favor simple solutions with pragmatic security patterns and transparency in architecture; this is how trust is built with clients.

A few important practices developers should keep in focus are to sponsor bug bounties, publish advisories using standards like the Common Security Advisory Framework (CSAF), and provide context on severity and exploitability.

Threat researchers suggest that organizations building products accept all vulnerability reports, investigate them and fix the issues. Any critically important advisory should feed root cause analysis to improve tools, training and threat models. Developers are also encouraged to give feedback on external tools that help them evolve, understanding that no software can ever be perfect.

Offerings from IntruceptLabs are exactly what you need to develop organizational cyber defense capabilities

Intru360

Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

Identify the latest threats without having to purchase, implement and oversee several solutions, or find, hire and manage a team of security analysts. Unify the latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.

Here are some features we offer:

  • Over 400 third-party and cloud integrations.
  • More than 1,100 preconfigured correlation rules.
  • Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.
  • Prebuilt playbooks and automated response capabilities.

(Source: https://www.mckinsey.com/about-us/new-at-mckinsey-blog/ai-is-the-greatest-threat-and-defense-in-cybersecurity-today)

(Source: https://investors.opentext.com/press-releases/press-releases-details/2025/OpenText-Cybersecurity-2025-Global-Ransomware-Survey-Rising-Confidence-Meets-a-Growing-AI-Threat/default.aspx)

Critical React Native CLI Vulnerability Enables OS Command Injection  

Summary: React Native is an open source framework maintained by Meta. A critical remote code execution vulnerability exists in the @react-native-community/cli package, a core toolset used by React Native developers. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on machines running the React Native Metro development server.

Severity  Critical 
CVSS Score  9.8 
CVEs  CVE-2025-11953 
POC Available  Yes 
Actively Exploited  No 
Advisory Version  1.0 

Overview 

A critical remote code execution vulnerability in the @react-native-community/cli package, a core toolset used by React Native developers. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on machines running the React Native Metro development server.

The vulnerability stems from unsafe handling of the url field at the /open-url endpoint, which is passed unsanitized to the open() function of the open npm package, exposing the development server to remote code execution. Immediate updates and mitigations are recommended for everyone using the affected package versions.

Vulnerability Name  OS Command Injection
CVE ID  CVE-2025-11953
Product Affected  @react-native-community/cli, @react-native-community/cli-server-api
Severity  Critical
Affected Version  @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2

Technical Summary 

The Metro development server's /open-url HTTP POST endpoint passes unsanitized user input (the url field) straight to the open() function from the open npm package, which leads to OS command injection.

On Windows, the vulnerability allows arbitrary shell command execution with full control over parameters via the cmd /c start invocation. On macOS/Linux, arbitrary executables can be launched with limited parameter control; further exploitation may lead to full RCE there, but this is not yet confirmed. The server binds to all interfaces by default (0.0.0.0), exposing the endpoint to unauthenticated network attackers.

CVE ID  CVE-2025-11953
Component Affected  Development server's /open-url endpoint
Vulnerability Details  The React Native CLI's Metro server binds to external interfaces by default and exposes a command injection flaw, letting remote attackers send POST requests to run arbitrary executables (or, on Windows, arbitrary shell commands).
Impact  Remote OS command injection

Recommendations 

  • Update to @react-native-community/cli-server-api version 20.0.0 or later immediately. 

If upgrading is not possible, 

  • Restrict the Metro server to localhost by adding the flag --host 127.0.0.1 when starting the server.
  • Integrate static and dynamic code analysis tools in development pipelines to detect injection risks early. 

How can this kind of security flaw cause damage?

This vulnerability poses a critical threat to React Native developers using the Metro development server because it allows unauthenticated RCE through network exposure. Any unauthenticated network attacker can weaponize the flaw by sending a specially crafted POST request to the server and then running arbitrary commands.

On Windows the exploitation is more severe: attackers can execute arbitrary shell commands with fully controlled arguments, while on Linux and macOS the flaw can be used to execute arbitrary binaries with limited parameter control.

The vulnerable /open-url endpoint belongs to the same family of developer-convenience handlers as /open-stack-frame, which is designed to help developers open a file in their editor at a specific line number when debugging errors and accepts POST requests with parameters such as file and lineNumber. Both exist to save a developer a click, and both are reachable by anyone who can talk to the server.

The incident highlights the need for more rigorous input validation and secure-by-default configurations in developer environments.

What should organizations look for when selecting a comprehensive tool that can thoroughly comb their IT environment, networks, applications and cloud infrastructure?

Detecting vulnerabilities and misconfigurations with GaarudNode from Intruceptlabs makes it a go-to scanner:

  • GaarudNode excels at detecting vulnerabilities, misconfigurations and compliance issues across a wide range of systems and applications.
  • It provides a comprehensive security framework that ensures your applications are built, tested and deployed with confidence.
  • Application security tools of this kind are designed to identify a wide range of vulnerabilities and other security issues across the different stages of the software development lifecycle.
  • GaarudNode can also be used for intrusion detection, making it a flexible tool for cybersecurity professionals on a budget.

Prompt patching and secure server binding are essential to mitigate this type of risk. There is no current evidence of active exploitation, but the ease of exploitation makes this a high-priority vulnerability to fix. Continuous, real-time monitoring of vulnerabilities is necessary to stay ahead of threats.


ESMA Prioritize Cyber Risk, & Cyber Resilience to Secure Financial Sector

ESMA focuses on cyber risk, digital resilience and cyber resilience for the financial sector, ensuring DORA requirements are followed. This also marks how digital resilience and ESG compliance are strategic imperatives for EU financial institutions.

The financial sector faces a growing range of multi-vector threats, from ransomware and phishing to IoT exposures and many more. Being uniquely exposed, the financial sector is especially prone to cyber risk: the huge volumes of sensitive data and transactions financial firms handle make them targets of cyber criminal activity around the world.

With this in focus, the European Securities and Markets Authority (ESMA) announced updates that reinforce the EU's commitment to digital operational resilience and ESG.

Cyber risk and digital resilience will remain central to its Union Strategic Supervisory Priorities (USSPs) for 2026. This also furthers the European Commission's plan to expand ESMA's authority over cryptocurrency and capital markets, although critics take a different view of that plan.

Now that the EU's Digital Operational Resilience Act (DORA) is in force, financial institutions must ensure robust ICT risk management and align with supervisory expectations. ESMA urges continued collaboration between national competent authorities (NCAs) to strengthen cyber resilience across the EU.

According to ESMA, this alignment allows European supervisors to better coordinate efforts to reinforce information and communications technology (ICT) risk management while improving the overall digital resilience of securities markets across the EU.

ESMA and national regulators have shown what the authority described as strong commitment to overseeing financial entities’ compliance with DORA through proactive monitoring and capacity building.

Strategic Importance: ESMA Aligning Cyber Resilience & ESG

From this alignment it is clear that ESG disclosures remain a top priority, with 2026 efforts targeting high-risk areas.

  • Cyber Resilience Front and Center: ESMA confirmed that cyber risk and digital resilience will remain top priorities in its 2026 Union Strategic Supervisory Priorities (USSPs), extending the focus introduced under DORA in 2025.
  • Supervisory Coordination Deepens: National competent authorities (NCAs) are being urged to continue proactive supervision and strengthen coordination across the EU to ensure consistent application of DORA requirements.
  • Digital Risk as Systemic Risk: The renewed emphasis reflects a shift in EU financial regulation, treating technology and cyber resilience as critical to overall market stability.
  • ESG Oversight Continues: ESG disclosures will remain a key supervisory theme, with regulators targeting high-risk areas and consolidating progress made since the initiative began in 2022.
  • New Priorities: ESMA plans to assess additional supervisory topics in 2026 that may require heightened EU-wide oversight in the coming years.

ESMA's renewed focus underscores a broader shift within European financial regulation, in which digital resilience is a fundamental part of systemic stability. For 2026 it will also assess potential new topics in other areas that may require intensified supervisory work across the EU in future years.

What does this mean for financial organizations across the EU?

For financial firms, this means supervisors are likely to dig deeper into how technology risks are identified, managed and tested, from cloud dependencies to incident response. ESMA said it may introduce new areas of supervisory attention in 2026 and beyond as it refines its Union-wide agenda.

(Source: ESMA urges stronger cyber risk oversight across the EU)

Regulations for Start-Ups & SMEs Help Address Cyber Risk & Business Strategy

This decade has witnessed a huge rise in technology, digitization and cyber security challenges, which has shaped the way of doing business and business strategy. Now every company is powered by software and technology, and cybersecurity is a top priority for organizations everywhere. Regulations are of high importance for both business strategy and cyber risk. Startups under the Startup India initiative can self-certify their compliance with labor and environmental laws, reducing the risk of inspections and penalties.

For every start-up owner, positioning the business for long-term success is the ultimate goal, and that positioning requires a set of regulations that bring both opportunities and challenges. Compliance adds a burden, but integrating it brings transparency and, in turn, a valued position with clients who prize transparency.

That is putting a lot of pressure on cybersecurity leaders to level up their governance, risk and compliance programs. India's push towards digitization has transformed how businesses interact with regulators, and the government has rolled out a range of tax incentives to bolster the growth of startups and SMEs. Recognizing the role of innovation in the startup ecosystem, it has also strengthened IP protections.

Sector specific regulations

The government has also taken a proactive approach to sector-specific regulations and this has been for most important sectors from fintech to ecommerce, healthcare etc. Regulatory sandboxes by RBI and SEBI allow fintech startups to test new products in a controlled environment. New draft e-commerce rules aim to ensure transparency, fair competition, and consumer protection.

For emerging businesses it is important that leaders stay abreast of new regulatory changes, which will help them leverage the full potential of India's vibrant business landscape.

Prioritizing Cyber security for Business Continuity with Regulations

Recently Akshay Joshi, head of the World Economic Forum's Centre for Cybersecurity, highlighted that significant challenges lie in prioritizing cybersecurity, and that addressing them requires a combination of strong incentives and regulatory support.

“There needs to be incentives that are brought into the mix for appropriate investments into cybersecurity,” Joshi said, emphasizing that regulation plays a crucial role.

As per WEF's annual Global Cybersecurity Outlook report, roughly 70% of respondents agree that regulations are "really effective in terms of ensuring a baseline of cybersecurity."

(Source: Startups and SMEs need incentives and regulations to prioritise cybersecurity: WEF official | Company Business News)

As startups and SMEs navigate business challenges, with fresh rules emerging across industries every day, understanding their impact on the business is crucial for CEOs to stay ahead. By understanding the different types of regulations, startups can better navigate the landscape.


Without regulations in place, innovation will stall, and so will fairness within the ecosystem. At first, embracing regulations may seem daunting, but they play an important role for startups, especially cyber security startups, which constantly battle attacks capable of crippling critical infrastructure and damaging organizations and economies on a scale equivalent to any physical attack.

For cyber security startups, regulatory updates often focus on data privacy, financial practices and data security. For instance, recent data protection laws require companies to enhance their data security measures to safeguard customer data; this fosters trust and loyalty among users and increases brand value.

Compliance driven by regulation can pose challenges for startups, as it increases operational costs. These changes may demand additional investment in legal counsel or technology to ensure adherence.

Any startup handling customer data should invest in data protection solutions, which is essential to build customer confidence. Under regulations such as GDPR and CCPA, organizations may face fines for non-compliance and lose the trust of investors, which may restrict further funding.

Startups that proactively integrate compliance into their core strategy can position themselves as industry leaders, appealing to customers who value transparency.

Conclusion:

Cyber security is everywhere and is crucial: from network and cloud security to AI, privacy, governance, forensics and risk management, each domain plays a role in keeping organizations resilient. For customers it means that their data is in safe hands.

Having disciplined structures and frameworks in place increases brand value. However, cybercriminals increasingly focus on targets with weaker defenses, and startups are prime among them.

Any organization that implements regulations, audits and certifications, and follows compliance, enhances its defenses. Startups may be handling sensitive data, so staying compliant with regulations like GDPR and HIPAA is essential. Regular security audits and employee training can significantly increase reliability and confidence among investors.

For a business to thrive and grow, regulations are a step towards creativity, innovation and growth. They help a business stay ahead of competitors and establish a reputation for innovation, while avoiding penalties, legal consequences and reputational damage.

Critical Brash Vulnerability: Blink Engine Flaw Breaks Chromium Browsers 

Overview: The Brash vulnerability affects Google Chrome and all web browsers built on Chromium.

A newly disclosed vulnerability, Brash, exposed a critical architectural flaw in Chromium’s Blink rendering engine. Blink is Chromium’s open-source rendering engine responsible for parsing HTML, CSS, and JavaScript, building the DOM and render trees, and executing script-driven updates to the browser interface.

It underpins the user experience of all Chromium-based browsers and is a core component of their performance and stability.

The issue allows a malicious web page to crash Chromium-based browsers within seconds, including Chrome, Microsoft Edge, Brave, Opera and others. The attack works by overloading Blink's main UI thread with a flood of unthrottled DOM operations. A public proof-of-concept (PoC) exploit is available and can be tested on real machines, which escalates the urgency of patching across all Chromium-based platforms.

Technical Details  

Blink lacks any rate limiting or coalescing on rapid document.title updates, allowing an attacker to flood the browser with millions of DOM mutations per second.

This saturates the browser's main UI thread, causing extreme CPU usage and blocking event processing, which leads to the browser tab freezing or crashing within 15 to 60 seconds. The exploit can also be set to trigger after a delay or at a precisely scheduled time, turning it into a highly controllable logic bomb.

The exploit requires no special permissions beyond navigating to a malicious page, presenting a severe and immediate operational risk until patches are deployed. 
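The missing safeguard described above, modelled as an added example written for this page (not Chromium's code or its fix): a coalescing rate limiter in which any number of title writes issued inside one frame collapse into a single applied update, so a tight loop costs the engine one update per frame rather than one per call. The scheduler is injected so the logic runs outside a browser; the flood simulation and the one-frame window are constructed for the example.

```javascript
'use strict';

// TitleCoalescer: last-write-wins buffering of document.title updates. apply() is the expensive
// operation (in a browser, the DOM/tab-strip update); schedule() runs a callback on the next
// window (requestAnimationFrame in a page). Many set() calls per window -> one apply() call.
class TitleCoalescer {
  constructor(apply, schedule) {
    this.apply = apply;
    this.schedule = schedule;
    this.pending = null;     // latest requested value, or null when nothing is queued
    this.requested = 0;      // how many writes callers asked for
    this.applied = 0;        // how many actually reached apply()
  }

  set(value) {
    this.requested += 1;
    const wasIdle = this.pending === null;
    this.pending = String(value);          // last write wins; earlier queued values are dropped
    if (wasIdle) this.schedule(() => this.flush());   // at most one flush scheduled at a time
  }

  flush() {
    if (this.pending === null) return;
    const value = this.pending;
    this.pending = null;
    this.applied += 1;
    this.apply(value);
  }
}

// Simulate the flood the advisory describes against a manual scheduler: the "frame" only
// advances when the queued callbacks are drained, which stands in for one animation frame.
function simulateFlood(writesPerWindow, windows) {
  const appliedTitles = [];
  const queue = [];
  const coalescer = new TitleCoalescer(
    (title) => appliedTitles.push(title),
    (cb) => queue.push(cb),
  );
  for (let w = 0; w < windows; w++) {
    for (let i = 0; i < writesPerWindow; i++) {
      coalescer.set(`flood-${w}-${i}`);   // what a malicious page does in a tight loop
    }
    while (queue.length) queue.shift()();  // one frame elapses
  }
  return {
    requested: coalescer.requested,
    applied: coalescer.applied,
    lastTitle: appliedTitles[appliedTitles.length - 1],
  };
}

// In a page this would be wired as:
//   const titles = new TitleCoalescer((t) => { document.title = t; }, requestAnimationFrame);
//   titles.set('new title');
```

The point of the model is the bound it gives: whatever the script does, the engine performs one real title update per frame, so CPU cost no longer scales with the attacker's loop. A web page cannot retrofit this into Blink itself, which is why the recommendation remains to take the vendor patch.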

Attack Flow 

Recommendations 

You can follow the recommendations below 

  • Avoid clicking on suspicious or untrusted links, especially those prompting unexpected redirects or downloads. 
  • Keep all Chromium-based browsers (Chrome, Edge, Brave etc.) updated with the latest security patches as vendors release fixes. 
  • Enforce automatic browser updates within organizations to ensure all users receive critical patches promptly. 
  • Monitor computer endpoints for unusual CPU spikes related to browser processes, which can indicate ongoing exploitation attempts. 
  • Educate users and employees about the risk of drive-by attacks through malicious websites and the importance of security awareness. 

Conclusion: 
The Brash vulnerability reveals how a simple architectural oversight can be abused. It lets attackers crash browsers by flooding them with too many title updates too fast, causing the browser to freeze or crash. The attack can be scheduled to fire later, making it harder to detect.

Mozilla Firefox and Apple Safari are immune to the attack, as are all third-party browsers on iOS, given that they are all based on WebKit.

The best defense is to keep browsers updated, avoid suspicious links and stay alert for unusual computer slowdowns.  


Report Says ChatGPT Atlas Is Vulnerable for Users: Understanding OpenAI Agent Mode

Atlas’s autofill and form interaction capabilities present potential attack points

As per reports, the ChatGPT Atlas browser is vulnerable to attacks and carries inherent weaknesses in comparison to other browsers like Google Chrome. LayerX, who discovered the weakness in ChatGPT Atlas, described how threat actors can inject malicious instructions into ChatGPT's 'memory' and execute remote code, by way of cross-site request forgery (CSRF) requests.

These exploits can allow attackers to infect systems with malicious code, grant themselves access privileges or deploy malware. Understanding 'Agent Mode' is most important, as it is the core of Atlas and has no equivalent in traditional browsers. Where in a traditional browser users manually move from site to site, agent mode allows ChatGPT to semi-autonomously operate your browser.

For example, when a user later uses ChatGPT for work-related purposes, the tainted instructions planted earlier are invoked automatically to execute remote code, allowing attackers to gain control of the user's account. This may extend to their browser, the code they are writing or the systems they have access to.

Vulnerability Rate Up to 90% Higher: A Warning for Users

LayerX puts the exposure at up to 90% higher than other browsers: whenever an attacker wishes, they can push or inject malicious instructions into ChatGPT Atlas's 'memory' and later trigger remote code execution.

There is a more basic warning as well. Atlas does not include meaningful anti-phishing protections, meaning that users of this browser are "up to 90% more vulnerable to phishing attacks than users of traditional browsers," LayerX says.

Key pointers from research

ChatGPT Atlas is not resilient to phishing attacks.

Out of 103 in-the-wild attacks that LayerX tested, 97 got through, a 94.2% failure rate.

Compared to Edge (which stopped 53% of attacks in LayerX's test) and Chrome (which stopped 47%), ChatGPT Atlas was able to stop only 5.8% of malicious web pages.

Unlike traditional web browsers where you manually navigate the internet, agent mode allows ChatGPT to operate your browser semi-autonomously.

The technology works by giving ChatGPT access to your browsing context. It can see every open tab, interact with forms, click buttons and navigate between pages just as you would.

Importance of Security by Design for web browsing & How AI is intricately involved

Sandboxing, the security-by-design approach that keeps websites isolated from each other and prevents malicious code from accessing data in other tabs, is crucial to modern web architecture; the modern web depends on this separation. But what is the impact when it does not apply?

In Atlas, however, the AI agent isn't malicious code; it is a trusted user with permission to see and act across all sites, so browser isolation does not constrain it. The AI is not directly the threat; the threat is the AI following a hostile command hidden in the environment. This opens the door to security and privacy risks that many users are ill-equipped to handle.

For example: if you search for air tickets and visit a site, ChatGPT Atlas will prompt and try to book a ticket; if you search for movies at a nearby theater, it will explore options and attempt to book a reservation. Atlas's autofill and form interaction capabilities present potential attack points, especially when the AI is making rapid decisions about information entry and submission.

This is possible because ChatGPT is granted access to your browsing context, allowing it to view open tabs, interact with forms and navigate between pages as humans do.

Is users' security getting compromised?

The above example warns users that an AI-powered browser may be convenient but is not without security risks, and those using ChatGPT Atlas should be extremely cautious before choices are made. Do not share browsing history with any AI mode; instead adopt incognito mode. Malicious content can influence the AI's behavior while browsing, and this can happen across multiple tabs.

In the case of Atlas the exposure is greater, as Atlas provides inputs as a human would, with the AI in effect executing harmful commands within the environment.

Will AI agents or OpenAI make browsing safe for users, and what does safe browsing now mean?

(Source: https://www.bbc.com/news/articles/c20pdy1exxvo)

Copilot Studio Supply Chain Attack Steals OAuth Tokens via CoPhishing

Summary 

The CoPhish attack is a sophisticated phishing technique exploiting Microsoft Copilot Studio to steal OAuth tokens by tricking users into granting attackers unauthorized access to their Microsoft Entra ID accounts.

Using Copilot Studio's customizable AI agents, attackers create chatbots hosted on legitimate Microsoft domains that wrap traditional OAuth consent attacks in an authentic-looking interface, increasing the likelihood of successful deception.

Technical Details 

Attackers typically use a trial license or a compromised tenant to create the agent, backdooring the authentication workflow so that, post-consent, OAuth tokens are exfiltrated via HTTP to attacker infrastructure.

Demo links hosted on copilotstudio.microsoft.com add credibility, closely mimicking official Microsoft Copilot services, so victims see familiar branding and login flows.

While Microsoft has implemented consent policy updates, including blocking risky permissions by default for most users, significant gaps remain: unprivileged users can still approve internal apps, and privileged admins retain broad consent authority.

Tokens exfiltrated by CoPhish can be used for impersonation, data theft or sending further phishing emails, often going undetected as the traffic is routed through Microsoft infrastructure. 

[Figure: malicious Copilot Studio page. Source: securitylabs.datadoghq.com]

Attack Flow 

Step 1. Build malicious Copilot agent: Attackers create a customized Copilot Studio chatbot, usually on a trial license within their own or a compromised Microsoft tenant, configuring it to appear as a legitimate assistant.
Step 2. Backdoor the authentication workflow: The agent's "Login" topic is modified to include an HTTP request that will exfiltrate any OAuth tokens granted by users during authentication.
Step 3. Share the demo link: Attackers generate and distribute a demo website URL (hosted on copilotstudio.microsoft.com) pointing to the malicious chatbot, mimicking official Copilot Studio services and passing basic domain trust checks.
Step 4. Lure the victim and trigger consent: Victims access the link, interact with the familiar interface and are prompted to log in, beginning an OAuth consent flow that requests broad Microsoft Graph permissions.
Step 5. Token exfiltration: After the victim consents, the agent collects the issued OAuth token and sends it via HTTP to an attacker-controlled server, often relaying through Microsoft IP addresses to avoid detection in standard traffic logs.
Step 6. Abuse granted permissions: Attackers use the stolen token to impersonate the victim, accessing emails, calendars and files, or conducting further malicious actions such as sending phishing emails or stealing sensitive data.
Step 7. Persist and retarget: Due to policy gaps, attackers can repeat the process against both internal and privileged users, tailoring the requested app permissions and adapting to Microsoft's evolving security measures.

                             Source: securitylabs.datadoghq.com 

Why It’s Effective 

  • Leverages trusted Microsoft domains and branding with realistic AI chatbot flows, bypassing phishing detection and user suspicion. 
  • Sidesteps multi-factor authentication: the victim completes MFA during a genuine Microsoft login, and the token issued afterwards is what gets stolen; it carries whatever Graph scopes the victim consented to and stays usable until it expires or is revoked. 
  • Targets both regular users and privileged admins by adapting requested permissions, making it scalable and versatile. 

Recommendations 

  • Enforce strict Microsoft Entra ID consent policies that limit which app permissions users can approve themselves, especially high-risk scopes such as mailbox and file access. 
  • Restrict or disable user creation and publishing of Copilot Studio agents unless explicitly authorized by admins. 
  • Monitor Entra ID audit logs and Microsoft Purview for suspicious app consent events, agent creation, or modifications to Copilot Studio workflows. 
  • Apply Entra Conditional Access requiring MFA and device compliance for Copilot Studio and related AI services. 
  • Implement tenant-level Data Loss Prevention (DLP) and sensitivity labeling. 
  • Educate users on consent phishing, and regularly review and revoke app permissions and tokens. 
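To make the audit-log recommendation concrete, here is an added Python example (not code from the Datadog write-up or from Microsoft) that triages exported Entra ID audit events for consent grants of the kind CoPhish produces: grants that include high-risk Graph scopes, or that were admin-consented and therefore apply tenant-wide. The record shape (activityDisplayName, initiatedBy, targetResources[].modifiedProperties carrying ConsentAction.Permissions and ConsentContext.IsAdminConsent) is an assumption about the directoryAudits schema, and every event embedded below is a constructed sample.

```python
"""Triage Entra ID audit events for risky OAuth consent grants.

Added example: the event records below are constructed samples whose shape
follows the Entra ID directoryAudits schema (activityDisplayName, initiatedBy,
targetResources[].modifiedProperties). Field names are assumptions about that
schema, not copied from a real tenant export.
"""
import re

# Delegated Microsoft Graph scopes that turn a stolen token into mailbox/file
# access or a long-lived refresh token; tune this set to the tenant's policy.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
    "Calendars.Read", "Contacts.Read", "Directory.AccessAsUser.All", "offline_access",
}


def _consent_event(user, app, scopes, admin_consent):
    """Build a constructed 'Consent to application' audit record (sample data)."""
    return {
        "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": user}},
        "targetResources": [{
            "displayName": app,
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent",
                 "newValue": "True" if admin_consent else "False"},
                {"displayName": "ConsentAction.Permissions",
                 "newValue": f"[] => [[ClientId: 00000000-0000-0000-0000-000000000001, "
                             f"ConsentType: Principal, Scope: {scopes}, "
                             f"ResourceId: 00000000-0000-0000-0000-000000000002]]"},
            ],
        }],
    }


# Constructed sample export: one CoPhish-style grant, one benign grant,
# one unrelated event, and one admin consent to the same suspicious app.
SAMPLE_EVENTS = [
    _consent_event("alice@contoso.example", "Copilot Demo Assistant",
                   "User.Read Mail.ReadWrite Files.Read.All offline_access", False),
    _consent_event("bob@contoso.example", "Contoso Expense Portal",
                   "openid profile User.Read", False),
    {"activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@contoso.example"}},
     "targetResources": []},
    _consent_event("it-admin@contoso.example", "Copilot Demo Assistant",
                   "User.Read Mail.Read", True),
]


def _modified_property(event, name):
    """Return the newValue of the named modifiedProperty, or None if absent."""
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == name:
                return prop.get("newValue") or ""
    return None


def scopes_from_event(event):
    """Extract the delegated scopes granted by a consent event as a set."""
    raw = _modified_property(event, "ConsentAction.Permissions") or ""
    scopes = set()
    # The permission record is a bracketed key/value list; 'Scope:' holds a
    # space-separated scope string terminated by a comma or closing bracket.
    for chunk in re.findall(r"Scope:\s*([^,\]]+)", raw):
        scopes.update(chunk.split())
    return scopes


def triage(events, high_risk=HIGH_RISK_SCOPES):
    """Return findings for consent grants that carry high-risk scopes or were
    admin-consented (an admin grant extends the app to every user in the tenant)."""
    findings = []
    for event in events:
        if event.get("activityDisplayName") != "Consent to application":
            continue
        scopes = scopes_from_event(event)
        risky = sorted(scopes & high_risk)
        flag = _modified_property(event, "ConsentContext.IsAdminConsent") or ""
        admin = flag.strip().lower() == "true"
        if not risky and not admin:
            continue
        targets = event.get("targetResources") or [{}]
        findings.append({
            "user": event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?"),
            "app": targets[0].get("displayName", "?"),
            "risky_scopes": risky,
            "admin_consent": admin,
            "all_scopes": sorted(scopes),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['user']} -> {f['app']}: risky={f['risky_scopes']} admin={f['admin_consent']}")
```

In practice the input would be the JSON exported from the Entra audit log (or pulled through the Graph directoryAudits endpoint) and the findings fed to a ticket or SIEM rule; the scope set is the part to tune, and offline_access deserves a place in it because a refresh token is what keeps a CoPhish-style grant alive after the access token expires.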

Conclusion: 
CoPhish highlights how AI-powered low-code platforms like Microsoft Copilot Studio can be exploited for advanced phishing attacks targeting identity systems.

Despite Microsoft’s improvements to consent policies, significant risks remain, requiring organizations to enforce strict consent controls, limit app creation, and monitor Entra ID logs vigilantly. As AI-driven tools grow, proactive security measures are essential to defend against these evolving hybrid threats leveraging trusted cloud services. 


Hashtags 

#Infosec #CyberSecurity #Microsoft #Copilot #VulnerabilityManagement #PatchManagement #ThreatIntel #CISO #CXO #Intrucept 

Samsung Galaxy S25 Zero-Day Exploit Exposes Camera & Location 

Summary 

At Pwn2Own Ireland 2025, researchers Ben R. and Georgi G. from Interrupt Labs successfully exploited a zero-day vulnerability in the Samsung Galaxy S25. The flaw allowed them to gain remote control of the device, activate the camera, and track the user’s real-time location without interaction.

This achievement, earning them $50,000 and 5 Master of Pwn points, highlighted that even flagship smartphones that undergo extensive testing still ship critical flaws. The discovery also underlined a broader concern: Android feature development is outpacing security hardening in system and multimedia libraries. 

The Galaxy S25 zero-day exploit underscores the persistent threat of critical security flaws even in top-tier consumer devices. Although discovered in a controlled, ethical hacking event, such vulnerabilities pose substantial risks if leveraged by malicious actors.

Vulnerability Details 

The vulnerability originated from an improper input validation issue within the Galaxy S25’s software stack. Through carefully crafted malicious inputs, the researchers bypassed Samsung’s built-in security safeguards and executed arbitrary code remotely.

The exploit provided persistent access, enabling control over cameras, GPS, and potentially other sensitive device components, effectively transforming the smartphone into a covert surveillance tool. Because the issue existed at a deep system level, it required no user interaction, making it particularly severe. The vulnerability had not been previously disclosed, meaning Samsung and the public were both unaware until the competition’s revelation. 

Key characteristics: 

  • Type of Vulnerability: Improper input validation bug within the device's software stack, allowing remote code execution without user interaction. 
  • Impact: Enables attackers to take full control of the device, activate the camera, and track real-time GPS location, effectively turning the device into a surveillance tool. 
  • Discovery and Exploit: Uncovered during Pwn2Own Ireland 2025 by researchers Ben R. and Georgi G. of Interrupt Labs, with an exploit chain that bypassed Samsung's security measures. 
  • Persistence: The exploit establishes persistent access that operates silently, without user awareness or interaction. 
  • Disclosure and Remediation: The flaw was previously undisclosed; coordinated disclosure through the event means Samsung is preparing a security patch. No official statement has been issued yet, but a fix is anticipated. 
  • Severity and Potential Damage: The exploit can compromise sensitive personal data, private communications, and location, highlighting significant privacy and security risks. 

Attack Flow 

Step 1. Craft Malicious Input: Attackers develop specially crafted input targeting the vulnerable component in the Samsung Galaxy S25's software stack, exploiting the improper input validation flaw. 
Step 2. Deliver Payload: The payload is delivered as crafted multimedia or system input, such as a manipulated image, that passes Samsung's existing safeguards. 
Step 3. Bypass Security Measures: The input validation flaw lets the malicious data through the parser's checks, executing code remotely without user interaction or consent and giving the attacker initial access to the device. 
Step 4. Gain Persistent Control: Once the code executes, attackers establish persistent control over the device, retaining silent access to core functions such as camera activation and GPS tracking. 
Step 5. Exploit Device Capabilities: Attackers use that control to activate the camera and GPS in real time, turning the device into a surveillance tool that can capture photos and video and track location discreetly. 
Step 6. Maintain Stealth and Avoid Detection: The exploit chain is designed to evade Samsung's defenses during the attack window, so it operates without triggering security alerts or user notifications. 
Step 7. Exploit and Monetize: The compromised device becomes a tool for espionage, data theft or targeted surveillance, and a working exploit of this class can itself be sold on criminal markets. 

Proof-of-Concept 

ZDI and Interrupt Labs did not publish the exploit for the Pwn2Own entry. Under Pwn2Own rules the bug and the working exploit go to Samsung through ZDI's coordinated disclosure process, and only the bug class (improper input validation) was announced at the event; no CVE identifier or technical write-up for it is cited here.

This entry should not be confused with CVE-2025-21043, a separate out-of-bounds write in Samsung's closed-source image parsing library libimagecodec.quram.so. That bug was reported to Samsung by the Meta and WhatsApp security teams, fixed in the September 2025 Security Maintenance Release, and described by Samsung as having an exploit in the wild, with delivery via crafted images sent over messaging apps. Because that fix shipped before Pwn2Own Ireland 2025 (October 2025) and contest targets run the current patch level, CVE-2025-21043 cannot be the bug exploited on stage.

The two do share a pattern worth noting: an image decoder that trusts attacker-controlled fields in a file, reached through a path (a message attachment) that needs no user action beyond receipt. Memory corruption in such a decoder yields code execution in the process that parses the file, and the Pwn2Own demonstration showed that this kind of access can be extended to the camera and location. That is why both the September 2025 SMR and the later Samsung update for the Pwn2Own bug matter here.  

Source: https://x.com/thezdi/status/1981316237897396298 

Why It’s Effective 

  • Code Execution via Input Validation Flaw: A parser in the Galaxy S25's software stack trusts attacker-controlled input, so a crafted payload passes the safeguards and executes code in the context of a legitimate system process. 
  • Zero-Click Capability: Operates without requiring any user interaction, enabling silent compromise through automated payloads that trigger upon data processing or system-level input handling. 
  • Persistent Access: Establishes continuous control after initial compromise, granting long-term ability to activate hardware components like camera and GPS without detection by standard security mechanisms. 
  • Stealth Operations: Exploit chain hides within multimedia and system library processes, avoiding visible alerts or performance anomalies that might indicate compromise to the user. 
  • Advanced Evasion: Utilizes legitimate system libraries and resource calls, reducing the likelihood of being flagged by mobile antivirus or Samsung Knox runtime protections. 
  • High Impact Vector: Enables complete device surveillance, capturing photos, videos, and location data covertly, illustrating real-world severity when attackers weaponize such system-level access. 

Remediation

  • Update Samsung Galaxy devices immediately: the September 2025 Security Maintenance Release (SMR) fixes CVE-2025-21043, and the fix for the Pwn2Own Ireland 2025 bug will arrive in a later SMR once Samsung ships it, so keep applying each monthly release. 
  • Manually check for software updates via Settings > Software Update > Download and Install to ensure the fix is applied promptly. 
  • Enable automatic security updates on Samsung devices for timely future patching without delay. 
  • For enterprises, enforce patch deployment policies through Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) tools to cover all mobile endpoints. 
  • Restrict app permissions, especially camera and location access, to minimize exposure in case of compromise. 
  • Avoid opening images from untrusted sources or suspicious messaging apps, as the vulnerability exploits image parsing. 
  • Implement continuous mobile threat detection to identify abnormal device behavior indicative of compromise. 
  • Educate users and IT teams about the critical nature of this vulnerability and the importance of timely patching. 

This ensures comprehensive mitigation of vulnerability while reducing risk and exposure to active exploits. 
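The MDM/EMM item above is only useful if the fleet is actually checked. Here is an added Python example (not Samsung's, ZDI's or any MDM vendor's code) that parses getprop output in the form `adb -s <serial> shell getprop` prints it and flags devices whose Android security patch level is below a required baseline. The baseline 2025-09-01 is the September 2025 SMR that fixes CVE-2025-21043; the assumption that the Pwn2Own bug lands in a later monthly level is noted in the code, and the device dumps, serials and models are constructed.

```python
"""Flag Samsung devices whose Android security patch level is below a baseline.

Added example. The getprop dumps below are constructed samples in the format
`adb shell getprop` prints ([key]: [value]); serials are invented.
"""
from datetime import date
import re

# The September 2025 SMR fixes CVE-2025-21043. Raise this once Samsung ships
# the SMR covering the Pwn2Own Ireland 2025 bug (assumption: a later level).
REQUIRED_PATCH_LEVEL = date(2025, 9, 1)

_GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<val>[^\]]*)\]$")


def parse_getprop(text):
    """Parse `getprop` output into a dict; lines that do not match are ignored."""
    props = {}
    for line in text.splitlines():
        m = _GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def parse_patch_level(value):
    """ro.build.version.security_patch is YYYY-MM-DD; return None if unparsable."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None


def assess_device(serial, getprop_text, required=REQUIRED_PATCH_LEVEL):
    """Return a compliance record. A missing or unreadable level counts as
    non-compliant so that an odd build cannot silently pass the check."""
    props = parse_getprop(getprop_text)
    level = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    return {
        "serial": serial,
        "model": props.get("ro.product.model", "unknown"),
        "patch_level": level.isoformat() if level else None,
        "compliant": level is not None and level >= required,
    }


def audit_fleet(fleet, required=REQUIRED_PATCH_LEVEL):
    """fleet maps serial -> getprop output; returns only the non-compliant records."""
    records = (assess_device(serial, text, required) for serial, text in fleet.items())
    return [rec for rec in records if not rec["compliant"]]


# Constructed sample fleet: patched S25, stale S25, S25 with the property
# missing, and an S25 Ultra on a later level.
SAMPLE_FLEET = {
    "R5CX0001A": "[ro.product.model]: [SM-S931B]\n[ro.build.version.release]: [15]\n"
                 "[ro.build.version.security_patch]: [2025-09-01]\n",
    "R5CX0002B": "[ro.product.model]: [SM-S931B]\n[ro.build.version.release]: [15]\n"
                 "[ro.build.version.security_patch]: [2025-08-01]\n",
    "R5CX0003C": "[ro.product.model]: [SM-S931B]\n[ro.build.version.release]: [15]\n",
    "R5CX0004D": "[ro.product.model]: [SM-S938B]\n[ro.build.version.release]: [15]\n"
                 "[ro.build.version.security_patch]: [2025-10-01]\n",
}


if __name__ == "__main__":
    for rec in audit_fleet(SAMPLE_FLEET):
        print(f"{rec['serial']} {rec['model']} patch={rec['patch_level']} NON-COMPLIANT")
```

The patch level is compared as a date rather than a string so that a malformed value fails closed instead of sorting somewhere arbitrary; an MDM export of the same property can be fed to audit_fleet in place of the constructed dumps.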

Conclusion: 

This incident reinforces the value of coordinated disclosure mechanisms like Pwn2Own, where manufacturers receive detailed technical reports and develop patches before details are made public. Samsung has yet to issue a formal statement but is expected to roll out a security update.

In the meantime, users are advised to enable automatic updates, remain cautious with app permissions and untrusted networks, and monitor official channels for patches to mitigate potential exploitation risks. 
