Blogs

CTI & SOC Team’s Compliment Holistic Threat Hunting

SOC & CTI Compliment each other in threat Hunting

AI Reshaping Roadmap for Cyber security

Can Gen AI Transform Organizations Cyber Posture

Users of WhatsApp Exposed to Sophisticated Spyware Attack

The recent Spyware attack on WhatsApp users is linked to Israeli surveillance firm Paragon Solutions that targets journalists, activists, and civil society members using sophisticated “zero-click” hacking methods that require no user interaction.

Attack Confirmed By Meta

Meta, the parent company of WhatsApp, has officially acknowledged the attack, stating that the messaging platform was compromised by hackers deploying spyware. Following multiple reports of breaches, Meta informed Italy’s National Cybersecurity Agency, confirming that about 90 users across 24 countries were targeted.

The spyware attack came to light when Luca Casarini, a migrant rescue activist and co-founder of Mediterranea Saving Humans, and investigative journalist Francesco Cancellato, received an alert from WhatsApp, notifying their device had been infiltrated by spyware.

What is Spyware and what makes Spyware attack special?

Spyware is one of the most commonly used cyberattack methods used by hackers and makes it difficult to trace and identify by users and does some serious harm to networks. These data are used to track, steal, and sell user data, such as internet usage, credit card, and bank account details, or steal user credentials to spoof their identities.

As per Fortinet, Spyware is malicious software that enters a user’s computer, gathers data from the device and user, and sends it to third parties without their consent. A commonly accepted spyware definition is a strand of malware designed to access and damage a device without the user’s consent.

How Zero-Click Hacking affect our Online Digital device

The Zero click hacking techniques was stunning for users which is not traceable

Unlike any other phishing attacks that require users to click on malicious links. In this method attackers infect a device without any action from the user. Such advanced tactics enable surveillance on a large scale, posing severe risks to privacy and security worldwide.

The revelation has reignited global concerns over digital espionage and unauthorized surveillance. Cybersecurity experts warn that the attack on WhatsApp underscores the vulnerabilities present in even the most widely used communication platforms. As investigations continue, users are urged to update their software regularly and remain vigilant against potential cyber threats.

Mobile spyware typically attacks mobile devices through three methods:

Flaws in operating systems: Attackers can exploit flaws in mobile operating systems that are typically opened up by holes in updates.
Malicious applications: These typically lurk within legitimate applications that users download from websites rather than app stores.
Unsecured free Wi-Fi networks: Wi-Fi networks in public places like airports and cafes are often free and simple to sign in to, which makes them a serious security risk. Attackers can use these networks to spy on what connected users are doing.

Significant Cyber threat of Spyware

The Spyware attack left users fall prey to online digital attack and question on govt. surveillance which was taken seriously by Italy.Over the years Spyware infected millions of devices, stealing sensitive information.

Some of the most devastating spyware cases helps us understand how serious this threat can be.

Pegasus — Spyware Behind Global Surveillance Scandals

Pegasus — developed by Israeli tech firm NSO Group — is the most high-profile spyware ever created. While it was originally marketed as a tool for governments to combat terrorism and criminal activities, it has become infamous for its misuse.

Reports have revealed that Pegasus has been used to monitor journalists, activists, and political figures, raising serious concerns about privacy and human rights violations. Its ability to infect devices without any user interaction makes it especially dangerous and difficult to detect.

FinSpy (FinFisher) — Government Tool for Full Device Control

FinSpy, also known as FinFisher, is a spyware tool developed by Gamma Group, a company based in Germany. Initially marketed to governments and law enforcement agencies as a way to combat crime and terrorism, FinSpy has been linked to unauthorized surveillance and there is concern about its use by oppressive regimes. The spyware is capable of targeting multiple platforms, including Windows, macOS, and Linux, making it versatile and difficult to escape.

GravityRAT — Cross-Border Espionage Targeting India

GravityRAT spyware was initially designed to target individuals in India. It’s believed to be linked to cyber espionage efforts originating from Pakistan. Its primary goal is to steal sensitive information, including files, contact lists, and user data.

GravityRAT typically spreads through phishing emails that trick users into downloading malicious attachments. Once the victim opens the file, the spyware silently installs itself, granting attackers control over the infected device.

DarkHotel — Targeting Business Travelers Through Hotel Wi-Fi

DarkHotel is a sophisticated spyware campaign that’s been active for over a decade, primarily targeting business travelers staying in luxury hotels. Discovered in 2007, this Advanced Persistent Threat (APT) has affected high-profile executives, government officials, and corporate leaders. The attackers aim to steal sensitive business information, like trade secrets and confidential documents, while victims are connected to hotel Wi-Fi networks.

Agent Tesla — Password and Keystroke Thief for Hire

Agent Tesla is technically classified as a Remote Access Trojan (RAT) and keylogger, though it has spyware-like functionalities. First discovered in 2014, Agent Tesla has gained notoriety for its ability to steal sensitive information, such as login credentials, keystrokes, and clipboard data. It can also take screenshots and extract information from email clients, web browsers, and other applications, making it a powerful tool for cybercriminals.

The Baltic Sea Ship Accident & not Sabotage; Highlights Ship Downtime Issues

Recently the undersea Fibre optic cable between Latvia and Sweden was damaged and reports said it was result of external influence which prompted NATO to deploy patrol ships to the area and triggering a sabotage investigation by Swedish authorities. Also the cargo ship Vezhen was seized as part of the probe by Sweden’s Security Service.

The incident took place on Jan. 26 and was one of several in recent months, triggered a hunt for vessels suspected of involvement.

The prosecutor said the Vezhen’s anchor severed the cable but that the incident was related to a combination of bad weather, equipment deficiencies and poor seamanship. Images shared by Swedish media showed that the ship appeared to have a damaged anchor.

The cable belongs to Latvia’s state broadcaster, LVRTC, which said in a statement there had been “disruptions in data transmission services”, but that end users would be mostly unaffected.

A second vessel, the Silver Dania, a Norwegian cargo ship with an all-Russian crew, was seized in Norway at the request of Latvian authorities but was cleared of wrongdoing and released. Baltic Sea region is on high alert after a string of power cable, telecom link, and gas pipeline outages since Russia invaded Ukraine in 2022.

We cannot deny the scope of Hybrid attack in the Baltic region that targeted critical undersea infrastructure (CUI), particularly fiber-optic cables, in the Baltic and Arctic regions since 2021. Mostly the prime suspect was Russia, but in this case the Vezhen ship was suspected to have incurred an accident and not sabotage, a Swedish prosecutor said on Monday, adding that the Maltese-flagged vessel had been released.

Ship downtime a major issue the marine industry faces

What is ship downtime and how does it affect?

Any breakdown in service during operation or runtime amounts to downtime in maritime industry.

Sometimes downtimes are unpredictable and unplanned which makes it harder as it incurs expenses to deal with. Repairs, emergency parts, and dry-docking fees can add up fast.

Importance of Data analytics:

This is where predictive maintenance and data analytics come into picture making it possible to provide an overview on what is pending task regarding maintenance of ship or other issues that needs immediate inspection. This can also be cyber security related issue or hybrid attacks targeting critical undersea infrastructure (CUI), particularly fiber-optic cables, have surged in the Baltic and Arctic regions.

The Baltic sea ship broke down due to combination of bad weather and and deficiencies in equipment and seamanship contributed to the cable break,” as per reports by investigators

Whether it’s an engine breakdown, a port delay, or a sudden maintenance issue, every hour of downtime costs money. And there are times when this hurts the most because you don’t see it coming and affecting profitability, delivery and supply chain disruptions.

Crew Issues – Fatigue-related mistakes or medical emergencies that delay voyages.

Mechanical Failures – Think engine breakdowns, generator issues, and propulsion failures.

Electrical Problems – A failed control system or communication outage.

Other problems falls under planned downtime

Routine Maintenance – Regular engine inspections, oil changes, and system checks.
Mandatory Surveys – Required ship inspections and certifications from regulatory authorities (like IMO).
Retrofits & Upgrades – Adding fuel-saving devices, ballast water treatment systems, or new tech.

Rise of Hybrid Attack on undersea cables in Baltic Sea and artic region

Since 2021 Russian hybrid attacks targeting critical undersea infrastructure (CUI), particularly fiber-optic cables, have surged in the Baltic and Arctic regions since 2021 causing disruptions threatening essential communication channels, exposing vulnerabilities of Northern Europe’s infrastructure.

More incidents were noticed in 2023 and 2024 involving Chinese vessels damaging Baltic subsea cables raise concerns over possible Russian-Chinese hybrid warfare collaboration despite no direct evidence confirming this, complicating Western deterrence efforts. (https://jamestown.org/program/hybrid-attacks-rise-on-undersea-cables-in-baltic-and-arctic-regions/)

Financial Implications

Any disruption of events that causes downtime in shipping such as piracy, bad weather and accidents blocking major shipping lanes causes major financial losses on global economy. Attacks such as cyber-attacks are growing with each passing day and quite predominant on risk landscape like the maritime industry, forcing organizations account of in its operations and work on legacy technologies replacing them with advanced technology systems to counter any attacks or sabotage or foul play.

Companies that have proven their ability to manage these risks and remain agile for recovery are more likely to secure favorable finance options.

Innovations in Maritime industry

Maritime transport is seen key player in global trade and the intricacies of networks of shipping
routes, ports, forced globalization to strengthened their operation strategies for the world economy to grow surpassing numerous challenges. Innovations is high on demand for safety systems form part of the ongoing development where digital based systems are part of ships in current scenario. E.g. the Intelligent awareness (IA) systems will be nex- gen of digital technologies to provide safety net for smooth operation of ships on transit that include utilizing sensors, high-resolution displays, and intelligent software.

Maritime chokepoints are critical points in shipping routes.as they facilitate substantial trade volumes and connect the world. Due to disruptions and very limited routes that are valid for ship passages there are negative impacts on supply chains, leading to systemic consequences, affecting food security, energy supply and whole of the global economy.

Sources: https://www.reuters.com/world/europe/baltic-undersea-cable-damaged-by-external-influence-sunday-latvian-broadcaster-2025-01-26/

www.shipuniverse.com

Complexities Compounding in Cyber Landscape; WEF Global Cybersecurity Outlook 2025 Analysis

WEF Global Cybersecurity Outlook 2025

New Regulations & Directives to Boost Cyber Defense; DORA & NIS2

DORA & NIS2
EU Regulations to Strengthen Cyber defense

Codefinger Ransomware attack encrypts Amazon S3 buckets

Ransomware crew dubbed Codefinger targets AWS S3 buckets
Sets data-destruct timer for 7 days
Threat actors demand for Ransom payment made for the symmetric AES-256 keys required to decrypt it

Amazon S3 buckets encrypted using AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) and somehow the threat actors knew details of the keys. And this made them demand ransoms to demand the decryption key.

The campaign was discovered by Halcyon , and according to them the threat actors after exploiting the compromised keys, they called the “x-amz-server-side-encryption-customer-algorithm” header and use a locally stored AES-256 encryption key they generate to lock up the victims’ files. There is great chance that more cyber criminal groups can adopt the tactic and use.

The threat actor looks for keys with permissions to write and read S3 objects (s3:GetObject and s3:PutObject requests), and then launches the encryption process by calling the SSE-C algorithm, utilizing a locally generated and stored AES-256 encryption key.

“It is important to note that this attack does not require the exploitation of any AWS vulnerability but instead relies on the threat actor first obtaining an AWS customer’s account credentials,” Halcyon notes.

According to Halcyon, because the attack relies on AWS’s infrastructure for encryption, it is impossible to recover the encrypted data without the symmetric AES-256 keys required to decrypt it. Halcyon reported its findings to Amazon, and the cloud services provider told them that they do their best to promptly notify customers who have had their keys exposed so they can take immediate action.

In recent month hackers and cyber criminal have gained traction In recent months and have begun targeting their product gateways and find ways to extort customers using it.

Unlike traditional ransomware that encrypts files locally, this attack operates directly within the AWS environment, exploiting the inherent security of SSE-C to render data irretrievable without the attacker’s decryption keys says Halcyon team.

Ransomware capabilities gain new tactics where the threat actor first obtains an AWS customer’s account credentials and there is no know method that data can be recovered without paying the ransom.

As per AWS they encourage customers to utilize their security tools, such as IAM roles, Identity Center and Secrets Manager, to minimize credential exposure and improve defense postures.

Sources:

https://www.theregister.com/2025/01/13/ransomware_crew_abuses_compromised_aws/

www.Bleeping computers.com

Cybersecurity Trends for 2025; Responsible AI to gain Importance

Cyber security trends as per research and data available shows that responsible AI will gain importance with more public scrutiny of risks growing along with remediation practices. Organizations will now require to balance taking risks with AI and having rapid remediation strategies available.

As per experts the areas that will get attention will be cloud security and data location. In 2025, new laws may require that sensitive data stay within national borders, affecting how companies manage and store data across regions. As businesses and critical services become increasingly dependent on cloud services, some countries may prioritize cloud availability in national emergency plans, recognizing that stable cloud access is mandatory for crisis management. This shift could lead towards the establishment of a new program like Cloud Service Priority (CSP), treating cloud infrastructure as important as utilities like electricity and telecoms.

How organization need to prepare themselves as big and small businesses and brands will see dramatically increased risks, as bad actors using AI will launch convincing impersonation attacks. This will make it easier with higher accuracy than ever to fool customers and clients.

Key Cyber Security Trends of 2025

As organization navigate through 2025 we will witness that threat actors will increasingly use AI for sophisticated phishing, vishing, and social engineering attacks.

Gen-AI

Generative AI is driving an unprecedented surge in cyber fraud, with nearly 47% of organisations identifying adversarial AI-powered attacks as their primary concern, according to the World Economic Forum’s Global Cybersecurity Outlook 2025.

Due to technological advancements the Cyberspace is growing more complex due to technological advancements as they are interconnected to supply chains. Collaboration between public and private sectors is essential to secure the benefits of digitalization at all levels.

Digitalization

76% of cybersecurity leaders report difficulties navigating a patchwork of global policies and 66% of organizations expect AI to transform cybersecurity, only 37% have implemented safeguards to secure these tools before deployment.

IoT Devices Vulnerable

Hackers will grow attacks on IoT devices as per research by Analytics insights report 2025 as over 30 billion devices across the globe will be connected through the Internet of Things. IoT enhance productivity offering convenience but due to their low-security backgrounds hackers may utilize opportunity to obtain sensitive information, or form massive botnets to execute Distributed Denial-of-Service (DDoS) attacks. (Analytics insight)

Ransomware

Attackers have resorted to different methods of extortion, involving ransom demands along with DDoS attacks. Encryption and fileless ransomware are being developed in an attempt to evade detection. RaaS makes it increasingly easy for non-technical users to carry out advanced attacks and the trend is growing. Experts predict that, by 2025, ransomware attacks will occur globally every two seconds prime targets remain in the healthcare, education, and government sectors.

AI /ML

To survive in highly competitive environment hackers will continue using AI so as organization will continue with previous theme of 2024 application of artificial intelligence and this will expand along with machine learning (ML) as these tools are the game changer in in a cybersecurity strategy.

Quantum Computing

The year 2025 will witness the rise and development of Quantum Computing and computers.An exciting technological development; however, it also generates grave challenges for cybersecurity. Quantum computers solve complex problems much faster than classical computers, making traditional cryptography algorithms vulnerable to quantum attacks is equally necessary to be proactive, with an immediate focus on quantum-safe encryption that would last to provide safety to the digital security systems in the years to follow. McKinsey poll says, 72% of tech executives, investors and quantum computing academics believe that “a fully fault-tolerant quantum computer” will be here by 2035, while 28% think this won’t happen until at least 2040. With Quantum computing business can protect their data and stay ahead of quantum threats with the right tools and strategies in place.

Regulations

Regulatory changes and compliance will evolve in 2025 as government across the European countries are gearing up with regulation being prepared to protect against surge of ransomware attacks, introducing stringent measures to combat the growing menace of cyber extortion. The EU emerged as a frontrunner in cybersecurity regulation, with the Network and Information Security (NIS2) Directive coming into full force.

BISO Analytics: In 2025 we will witness rise of virtual CISO (vCISO) or CSO consultant roles over full-time in-house roles. Also Shifting CISO responsibilities have brought about an increasing role for BISOs. The cybersecurity team has a lot to handle as companies face more cyber threats, compliance requirements, growing remote workforces, and rapid adoption of new cloud-based technologies. With such a large scope of duty, the CISO is often over stretched and in this complex cybersecurity environment having a BISO will bring in support to entire cyber security strategy.
BISO ‘s may also be called upon to interact with marketing and corporate communications, bringing their research into potential attack vectors, typical points of vulnerability, and unique understanding of the hackers mindset and guide organizations that are increasingly battening cybersecurity strategy to deal with various attack vectors.

Intrucept offers BISO Analytics as a services. BISOs are crucial for strategies requiring technical cybersecurity and strategic business input.

Organizations need bespoke solutions to defend against attacks across email, social, and other channels as we witness evolving nature of attacks demands continuous weekly innovation to stay ahead. The use of Multifactor authentication reduces the danger in identity and access management EDR solutions with feeds of threat intelligence will gain prominence. Intrucept is dedicated in helping organizations to run fast and be secure. We will always find that being easy and slowing down is a tendency but we as organization try to enable our customers to maintain speed (and even accelerate).

References:

McKinsey Lock Down! Top Cybersecurity Threats We May Witness in 2025 Healthcare Trends Shaping 2025 And Insights For Industry Leaders Lock Down! Top Cybersecurity Threats We May Witness in 2025
Healthcare Trends Shaping 2025 And Insights For Industry Leaders
https://www.cisecurity.org/insights/blog/12-cis-experts-cybersecurity-predictions-2025

LogoFAIL Exploited to Deploy Bootkitty, the first UEFI bootkit for Linux

Researchers have uncovered the first UEFI bootkit designed specifically for Linux systems, named Bootkitty.

Tailored Security Solutions for Maritime Operations by Intrucept 

Tailored Security Solutions from Maritime Operations by Intrucept 