Blogs

Blogs

ESMA Prioritize Cyber Risk, & Cyber Resilience to Secure Financial Sector

ESMA Focuses on Cyber Risk, Digital Resilience & Cyber Resilience for Financial Sector ensuring DORA requirements are followed. This also marks how Digital resilience and ESG compliance are strategic imperatives for EU financial institutions.

The financial sector faces a growing range of multi-vector threats, ranging from ransomware and phishing to IoT exposures and many more cyber threat. Being uniquely exposed the financial sector is prone to cyber risk. Financial firms have huge sensitive data and transactions they handle are targets of cyber criminal activity round the world.

Keeping this in focus the European Securities and Markets Authority (ESMA), announced updates that reinforces EU’s commitment to digital operational resilience and ESG.

Cyber risk and digital resilience will remain central to its Union Strategic Supervisory Priorities (USSPs) for 2026 and further the European Commission’s plan to expand the authority of ESMA over cryptocurrency and capital markets but critics have other view on this.

Now that EU’s Digital Operational Resilience Act (Dora) is in force and this mandates financial institutions they must ensure robust ICT risk management and align with supervisory expectations. ESMA urges continued collaboration between NCAs to strengthen cyber resilience across the EU.

According to ESMA, this alignment allows European supervisors to better coordinate efforts to reinforce information and communications technology (ICT) risk management while improving the overall digital resilience of securities markets across the EU.

ESMA and national regulators have shown what the authority described as strong commitment to overseeing financial entities’ compliance with DORA through proactive monitoring and capacity building.

Strategic Importance ESMA aligning with Cyber Resilience & ESG

From above alignment it is clear that ESG disclosures remain a top priority, with 2026 efforts targeting high-risk areas.

  • Cyber Resilience Front and Center: ESMA confirmed that cyber risk and digital resilience will remain top priorities in its 2026 Union Strategic Supervisory Priorities (USSPs), extending the focus introduced under DORA in 2025.
  • Supervisory Coordination Deepens: National competent authorities (NCAs) are being urged to continue proactive supervision and strengthen coordination across the EU to ensure consistent application of DORA requirements.
  • Digital Risk as Systemic Risk: The renewed emphasis reflects a shift in EU financial regulation, treating technology and cyber resilience as critical to overall market stability.
  • ESG Oversight Continues: ESG disclosures will remain a key supervisory theme, with regulators targeting high-risk areas and consolidating progress made since the initiative began in 2022.
  • New Priorities: ESMA plans to assess additional supervisory topics in 2026 that may require heightened EU-wide oversight in the coming years.

With ESMA setting in renewed focus underscores a broader shift within European financial regulation, and digital resilience is fundamental part of systemic stability. Added focus for 2026, it will assess potential new topics in other areas that may require intensified supervisory work across the EU in future years.

What does this mean for Financial organizations across EU

For financial firms, this means supervisors are likely to dig deeper into how technology risks are identified, managed, and tested, from cloud dependencies to incident response. ESMA said it may introduce new areas of supervisory attention in 2026 and beyond as it refines its Union-wide agenda

(Sources: ESMA urges stronger cyber risk oversight across the EU)

Blogs

Regulations for Start-Ups & SME’s Helps address Cyber Risk & Business Strategy

This decade has witnessed huge technological, digital and cyber security uprise and challenges which shaped the way of doing business and business strategy. Now every company is powered by software and technology and cybersecurity a top priority for organizations everywhere. Regulations are of high importance for business strategy and cyber risks. Startups under the Startup India initiative can self-certify their compliance with labor and environmental laws, reducing the risk of inspections and penalties.

For every start up owners placing their business for long term success is ultimate goal and positioning the business requires set of regulations that can bring both opportunities and challenges. Compliance brings in additional challenge but integrating compliance brings in transparency and subsequent valued positioning for clients who value transparency.

That’s putting a lot of pressure on cybersecurity leaders to level up their governance, risk, and compliance programs. India’s push towards digitization has transformed how businesses interact with regulators and the government has rolled out a range of tax incentives to bolster the growth of startups and SMEs. Further the government has been recognizing the role of innovation in the startup ecosystem and to further this strengthened IP protections.

Sector specific regulations

The government has also taken a proactive approach to sector-specific regulations and this has been for most important sectors from fintech to ecommerce, healthcare etc. Regulatory sandboxes by RBI and SEBI allow fintech startups to test new products in a controlled environment. New draft e-commerce rules aim to ensure transparency, fair competition, and consumer protection.

For emerging vibrant business it is important that business leaders stay abreast to staying abreast new regulatory changes that will help leverage the full potential of upcoming India’s vibrant business landscape.

Prioritizing Cyber security for Business Continuity with Regulations

Recently Akshay Joshi, head of World Economic Forum’s Centre for Cybersecurity highlighted that significant challenges lies in prioritizing cybersecurity and addressing these requires a combination of strong incentives and regulatory support,.

“There needs to be incentives that are brought into the mix for appropriate investments into cybersecurity,” Joshi said, emphasizing that regulation plays a crucial role.

As per WEF’s annual Global Cybersecurity Outlook Report, which found that roughly 70% of respondents agree that regulations are “really effective in terms of ensuring a baseline of cybersecurity.”

(Source: Startups and SMEs need incentives and regulations to prioritise cybersecurity: WEF official | Company Business News)

As startups and SME’s navigate through business challenges and every day there is a fresh rules emerging across industries, understanding their impact on business for CEO’S is crucial for staying ahead. By understanding the different types of regulations, startups can better navigate the landscape for your business.

For every start up owners placing their business for long term success is ultimate goal and positioning the business requires set of regulations that can bring both opportunities and challenges.

Without regulations in place innovation will be stalled and so the fair set up within the ecosystem. In the beginning embracing regulations may be daunting task but regulations play important role for startups specifically cyber security based start ups who are constantly battling warfare’s that is equivalent to cripple critical infrastructure and damage organizations affecting economies at a scale that is equivalent to any physical attack.

For Cyber security Startups any regulatory updates often focus on data privacy, financial practices and data security. For instance, recent data protection laws require companies to enhance their data security measures to safeguard customer data and information, This is done so to foster trust and loyalty among users and increase brand value.

There are Compliance that are driven by regulations and can pose challenges for start ups as this increases operational costs. These changes may demand additional investments in legal counsel or technology to ensure adherence.

If any Startup is handling customer data and if they invest in data protection solutions which is essential to bring in confidence for their customers. With GDPR and CCPA regulations, organizations might face fines for non-compliance and loose trust from investors that may restrict further funding.

Startups that proactively integrate compliance into their core strategy can position themselves as industry leaders, appealing to customers who value transparency.

Conclusion:

Cyber security is every where and is crucial from point of network and cloud security to AI, privacy, governance, forensics, and risk management, each domain plays a crucial role in keeping organizations resilient. For customers it means that their data is in safe hands.

Having a discipline structure and frameworks in place increases brand value.  However, cybercriminals are increasingly focused on targets that have weaker defenses and start ups are prime in their targets.

Any organization who implement regulations, audits certification and follow compliance enhances their defenses.
They might be handling sensitive data, but staying compliant with regulations like GDPR and HIPAA is essential. Regular security audits and employee training can significantly reliability and confidence among investors.

For business to thrive and grow regulations are step ahead towards creativity, innovation and growth,. This helps business to stay ahead of competitors and establish a reputation for innovation, also for avoiding penalties, legal consequences and reputational damage.

Blogs Security Advisory

Critical Brash Vulnerability: Blink Engine Flaw Breaks Chromium Browsers 

Overview : Brash Vulnerability works on Google Chrome and all web browsers that run on Chromium.

A newly disclosed vulnerability, Brash, exposed a critical architectural flaw in Chromium’s Blink rendering engine. Blink is Chromium’s open-source rendering engine responsible for parsing HTML, CSS, and JavaScript, building the DOM and render trees, and executing script-driven updates to the browser interface.

It underpins the user experience of all Chromium-based browsers and is a core component of their performance and stability.

The issue allows a malicious web page to crash Chromium-based browsers within seconds, including Chrome, Microsoft Edge, Brave, Opera etc. The attack works by overloading Blink’s main UI thread using a flood of unthrottled DOM operations. A public proof-of-concept (PoC) exploit is available and can be tested on machines, that escalating the urgency for patching across all Chromium-based platforms.  

Technical Details  

Blink lacks any rate limiting or coalescing on rapid document. title updates, allowing an attacker to flood the browser with millions of DOM mutations per second.  

This saturates the browser’s main UI thread, causing extreme CPU usage and blocking event processing, which leads to the browser tab freezing or crashing within 15 to 60 seconds. The exploit can also be use to trigger after a delay or at a precise scheduled time, turning it into a highly controllable logic bomb.  

The exploit requires no special permissions beyond navigating to a malicious page, presenting a severe and immediate operational risk until patches are deployed. 

Attack Flow 

Recommendations 

You can follow the recommendations below 

  • Avoid clicking on suspicious or untrusted links, especially those prompting unexpected redirects or downloads. 
  • Keep all Chromium-based browsers (Chrome, Edge, Brave etc.) updated with the latest security patches as vendors release fixes. 
  • Enforce automatic browser updates within organizations to ensure all users receive critical patches promptly. 
  • Monitor computer endpoints for unusual CPU spikes related to browser processes, which can indicate ongoing exploitation attempts. 
  • Educate users and employees about the risk of drive-by attacks through malicious websites and the importance of security awareness. 

Conclusion: 
The Brash vulnerability reveals how a simple architectural oversight. It lets attackers crash browsers by flooding them with too many title updates too fast, causing the browser to freeze or crash. This attack can be scheduled to happen later, making it harder to detect.

Mozilla Firefox and Apple Safari are immune to the attack, as are all third-party browsers on iOS, given that they are all based on WebKit.

The best defense is to keep browsers updated, avoid suspicious links and stay alert for unusual computer slowdowns.  

References

Blogs

Report says ChatGpt Atlas is Vulnerable for Users: Understanding Open-AI Agent Mode

Atlas’s autofill and form interaction capabilities present potential attack points

As per reports ChatGpt Atlas browser is vulnerable to attacks and is laced with inherent weakness in comparison to other browser like Google Chrome. As per ‘LayerX ‘who discovered the weakness in ChatGpt Atlas, described threat actors have the ability to inject malicious instructions into ChatGPT’s ‘memory’ and execute remote code and this works by way of cross-site request forgery requests.

These exploit can allow attackers to infect systems with malicious code, grant themselves access privileges or deploy malware. “Understanding “Agent Mode” is most important and core of Atlas which is not same for any traditional browsers. In traditional browser where users manually move from site to site, agent mode allows ChatGPT to semi-autonomously operate your browser.

For e.g. any user wanting to use ChatGPT for work related purposes, the malicious code planted earlier mostly tainted will be invoked automatically to execute remote code, allowing attackers to gain control of the user account .This may include their browser, code they are writing or systems they have access to.

Rate of Vulnerability is 90% A Warning for Users

The rate of vulnerability is 90% then other browsers as when an attacker wish they can push or inject  malicious instructions into ChatGPT’s Atlas ‘memory’ and later execute via remote code.

There is a more basic warning as well. “Atlas does not include meaningful anti-phishing protections, meaning that users of this browser are “up to 90% more vulnerable to phishing attacks than users of traditional browsers,” LayerX says.

Key pointers from research

ChatGPT’s Atlas is not resilient to Phishing attacks

Out of 103 in-the-wild attacks that LayerX tested 97 to go through, a whopping 94.2% failure rate

Compared to Edge (which stopped 53% of attacks in LayerX’s test) and Chrome (which stopped 47% of attacks),

ChatGPT Atlas was able to successfully stop only 5.8% of malicious web pages

Unlike traditional web browsers where you manually navigate the internet, agent mode allows ChatGPT to operate your browser semi-autonomously.

The technology works by giving ChatGPT access to your browsing context. It can see every open tab, interact with forms, click buttons and navigate between pages just as you would.

Importance of Security by Design for web browsing & How AI is intricately involved

The sandboxing approach which is security by design is to keep websites isolated from attacks and prevent malicious code from accessing data from other tabs is crucial to modern web architecture. This is the basis of modern web that depends on separation. But if its not implemented what can be the impact.

But in Atlas, the AI agent isn’t malicious code – it’s a trusted user with permission to see and act across all sites. In this browser isolation is not required. Here AI is not directly connected to the threat but what AI does is AI following a hostile command hidden in the environment. This opens doors to security and privacy risks many users are ill-equipped to handle.

Let me put an example : If you search for air tickets and visit a site , the Atlas ChatGpt will prompt and try to book a ticket or you search for movies in near by theater ,it attempts to book a ticket ”, it will explore options and try to book reservation. Atlas autofill’s and form interaction capabilities present potential attack points, especially when AI is making rapid decisions about information entry and submission.

This is possible when access is granted to ChatGPT for any browsing requirement or context that allows it to view and open tabs, interact with forms and navigate between pages like humans do.

Is User’s security getting compromised

The above example gives users warning that any AI powered browser may be convenient but not without security risks and those who are ChatGpt Atlas, should give extreme cautious before choices are made . Do not share browsing history with any AI mode, instead adopt incognito mode. Any malicious code can  influence the AI’s behavior if browsing and this can happen across multiple tabs.

In case of Atlas, the condition is more vulnerable as Atlas provides inputs like humans doing and AI in disguise executing harmful commands within the environment.

Will AI Agent or Open AI make browsing safe for users or what it means to have safe browsing.

(Source: https://www.bbc.com/news/articles/c20pdy1exxvo)

Blogs Security Advisory

Copilot Studio SupplyChain Attack Steals OAuth Tokens via CoPhishing

Summary 

The CoPhish attack is a sophisticated phishing technique exploiting Microsoft Copilot Studio to steal OAuth tokens by tricking users into granting attackers unauthorized access to their Microsoft Entra ID accounts.

By Copilot Studio’s customizable AI agents, attackers create chatbots hosted on legitimate Microsoft domains that wrap traditional OAuth consent attacks in an authentic-looking interface, increasing the likelihood of successful deception. 

Technical Details 

The attackers often use a trial license or compromised tenant to create the agent, backdooring the authentication workflow so that, post-consent, OAuth tokens are exfiltrated via HTTP to attacker infrastructure.

Few Demo links like copilotstudio.microsoft.com add credibility, closely mimicking official Microsoft Copilot services, and victims see familiar branding and login flows.

While Microsoft has implemented consent policy updates including blocking risky permissions by default for most users significant gaps remain: unprivileged users can still approve internal apps and privileged admins retain broad consent authority.

Tokens exfiltrated by CoPhish can be used for impersonation, data theft or sending further phishing emails, often going undetected as the traffic is routed through Microsoft infrastructure. 

malicious CopilotStudio page                                                                                                                         Source: securitylabs.datadoghq.com 

Attack Flow 

Step Description 
1. Build Malicious Copilot Agent Attackers create a customized Copilot Studio chatbot, usually on a trial license within their own or a compromised Microsoft tenant, configuring it to appear as a legitimate assistant. 
2. Backdoor Authentication Workflow The agent’s “Login” topic is modified to include an HTTP request that will exfiltrate any OAuth tokens granted by users during authentication. 
3. Share Demo Link Attackers generate and distribute demo website URL (like, copilotstudio.microsoft.com) pointing to the malicious chatbot, mimicking official Copilot Studio services and passing basic domain trust checks. 
4. Victim and Trigger Consent Victims access the link, interact with the familiar interface, and are prompted to login, beginning an OAuth consent flow that requests broad Microsoft Graph permissions. 
5. Token Exfiltration After the victim consents, the agent collects the issued OAuth token and sends it via HTTP to an attacker-controlled server, often relaying through Microsoft IP addresses to avoid detection in standard traffic logs. 
6. Abuse Granted Permissions Attackers use the stolen token to impersonate the victim, accessing emails, calendars, and files or conducting further malicious actions such as sending phishing emails or stealing sensitive data. 
7. Persist and Retarget Due to policy gaps, attackers can repeat the process targeting both internal and privileged users, tailoring requested app permissions and adapting to Microsoft’s evolving security measures. 

                             Source: securitylabs.datadoghq.com 

Why It’s Effective 

  • Leverages trusted Microsoft domains and branding with realistic AI chatbot flows, bypassing phishing detection and user suspicion. 
  • Bypasses multi-factor authentication by stealing fully privileged OAuth tokens that persist until revoked. 
  • Targets both regular users and privileged admins by adapting requested permissions, making it scalable and versatile. 

Recommendations 

Here are some recommendations below 

  • Enforce strict Microsoft Entra ID consent policies to limit user approval of app permissions, especially high-risk scopes. 
  • Restrict or disable user creation and publishing of Copilot Studio agents unless explicitly authorized by admins. 
  • Monitor Entra ID audit logs and Microsoft Purview for suspicious app consent, agent creation or modifications in Copilot workflows. 
  • Apply Azure AD Conditional Access requiring MFA and device compliance for accessing Copilot Studio and related AI services. 
  • Implement tenant-level Data Loss Prevention (DLP) and sensitivity labeling 
  • Educate users on phishing risks and regularly reviewing/revoking app permissions and tokens. 

Conclusion: 
CoPhish highlights how AI-powered low-code platforms like Microsoft Copilot Studio can be exploited for advanced phishing attacks targeting identity systems.

Despite Microsoft’s improvements to consent policies, significant risks remain, requiring organizations to enforce strict consent controls, limit app creation, and monitor Entra ID logs vigilantly. As AI-driven tools grow, proactive security measures are essential to defend against these evolving hybrid threats leveraging trusted cloud services. 

References

Hashtags 

#Infosec #CyberSecurity #Microsoft #Copilot #Vulnerabilitymanagement # Patch Management #ThreatIntel CISO #CXO #Intrucept  

Blogs Security Advisory

Samsung Galaxy S25 Zero-Day Exploit Exposes Camera & Location 

Summary 

At Pwn2Own Ireland 2025, researchers Ben R. and Georgi G. from Interrupt Labs successfully exploited a zero-day vulnerability in the Samsung Galaxy S25. The flaw allowed them to gain remote control of the device, activate the camera, and track the user’s real-time location without interaction.

This achievement, earning them $50,000 and 5 Master of Pwn points, highlighted ongoing security weaknesses even in flagship smartphones with extensive testing. The exploit’s discovery underlined broader concerns about the pace of Android feature development outstripping security hardening efforts across system and multimedia libraries. 

The Galaxy S25 zero-day exploit underscores the persistent threat of critical security flaws even in top-tier consumer devices. Although discovered in a controlled, ethical hacking event, such vulnerabilities pose substantial risks if leveraged by malicious actors.

Vulnerability Details 

The vulnerability originated from an improper input validation issue within the Galaxy S25’s software stack. Through carefully crafted malicious inputs, the researchers bypassed Samsung’s built-in security safeguards and executed arbitrary code remotely.

The exploit provided persistent access, enabling control over cameras, GPS, and potentially other sensitive device components, effectively transforming the smartphone into a covert surveillance tool. Because the issue existed at a deep system level, it required no user interaction, making it particularly severe. The vulnerability had not been previously disclosed, meaning Samsung and the public were both unaware until the competition’s revelation. 

Key characteristics: 

The key characteristics of the Samsung Galaxy S25 zero-day vulnerability are as follows: 

  • Type of Vulnerability: Improper input validation bug within the device’s software stack, allowing remote code execution without user interaction.​ 
  • Impact: Enables attackers to take full control of the device, activate the camera, and track real-time GPS location, effectively turning the device into a surveillance tool.​ 
  • Discovery and Exploit: Uncovered during Pwn2Own Ireland 2025 by researchers Ben R. and Georgi G., showcasing a sophisticated exploit chain that bypassed Samsung’s security measures.​ 
  • Persistence: Vulnerability allows persistent access, which can be exploited silently without user awareness or interaction.​ 
  • Disclosure and Remediation: The flaw was previously undisclosed, with responsible disclosure leading to Samsung preparing a security patch. No official statement has been issued yet, but a fix is anticipated.​ 
  • Severity and Potential Damage: The exploit can compromise sensitive personal data, private communications, and location, highlighting significant privacy and security risks. 

Attack Flow 

Step Description 
1. Craft Malicious Input  Attackers develop specially crafted malicious inputs targeting the vulnerable components within the Samsung Galaxy S25’s software stack, particularly exploiting the improper input validation flaw. 
2. Deliver Payload The malicious payload is delivered via crafted multimedia or system input, such as manipulated images or software commands, that bypass Samsung’s existing safeguards. 
3. Bypass Security Measures The input validation flaw allows the malicious data to bypass security checks, executing remote code without requiring user interaction or consent, gaining initial access to the device’s system. 
4. Gain Persistent Control Once the malicious code executes, attackers establish persistent control over the device, enabling continuous access to core functionalities like camera activation and GPS tracking silently and covertly. 
5. Exploit Device Capabilities Attackers leverage control to activate the device’s camera and GPS in real-time, turning the device into a surveillance tool capable of capturing photos, videos, and tracking location discreetly. 
6. Maintain Stealth & Avoid Detection The exploit chain is designed to evade detection by Samsung’s defenses during the attack window, allowing attackers to operate covertly without triggering security alerts or user notifications. 
7. Exploit and Monetize The compromised device becomes a tool for espionage, data theft, or targeted surveillance, which can be exploited for malicious purposes or sold on criminal markets if attacker exploits are monetized. 

Proof-of-Concept 

The proof-of-concept for the Samsung Galaxy S25 zero-day vulnerability (CVE-2025-21043) demonstrates how specially crafted malicious images can exploit an out-of-bounds write flaw in Samsung’s closed-source image parsing library libimagecodec.quram.so. This flaw allows remote code execution with elevated privileges without requiring user interaction.

The exploit involves delivering a malicious payload embedded in an image file that, when processed by the vulnerable library, triggers memory corruption leading to arbitrary code execution and persistent control over the device.

This has been confirmed in cybersecurity forums and independent analyses, with active exploitation observed in the wild primarily via social engineering through messaging platforms like WhatsApp. The PoC confirms that attackers can bypass conventional security mechanisms and gain deep system control, enabling surveillance actions such as camera activation and location tracking. This underscores the critical need for applying the latest security patches released by Samsung.  

Source: https://x.com/thezdi/status/1981316237897396298 

Why It’s Effective 

  • Code Execution via Input Validation Flaw: Exploits improper input validation within the Galaxy S25’s software stack, allowing malicious payloads to bypass safeguards and execute remote code seamlessly alongside legitimate system processes. 
  • Zero-Click Capability: Operates without requiring any user interaction, enabling silent compromise through automated payloads that trigger upon data processing or system-level input handling. 
  • Persistent Access: Establishes continuous control after initial compromise, granting long-term ability to activate hardware components like camera and GPS without detection by standard security mechanisms. 
  • Stealth Operations: Exploit chain hides within multimedia and system library processes, avoiding visible alerts or performance anomalies that might indicate compromise to the user. 
  • Advanced Evasion: Utilizes legitimate system libraries and resource calls, reducing the likelihood of being flagged by mobile antivirus or Samsung Knox runtime protections. 
  • High Impact Vector: Enables complete device surveillance, capturing photos, videos, and location data covertly, illustrating real-world severity when attackers weaponize such system-level access. 

Remediation

  • Update Samsung Galaxy devices immediately with the latest September 2025 Security Maintenance Release (SMR) patch that fixes CVE-2025-21043. 
  • Manually check for software updates via Settings > Software Update > Download and Install to ensure the fix is applied promptly. 
  • Enable automatic security updates on Samsung devices for timely future patching without delay. 
  • For enterprises, enforce patch deployment policies through Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) tools to cover all mobile endpoints. 
  • Restrict app permissions, especially camera and location access, to minimize exposure in case of compromise. 
  • Avoid opening images from untrusted sources or suspicious messaging apps, as the vulnerability exploits image parsing. 
  • Implement continuous mobile threat detection to identify abnormal device behavior indicative of compromise. 
  • Educate users and IT teams about the critical nature of this vulnerability and the importance of timely patching. 

This ensures comprehensive mitigation of vulnerability while reducing risk and exposure to active exploits. 

Conclusion: 


This incident reinforces the value of responsible disclosure mechanisms like Pwn2Own, where manufacturers receive detailed technical reports to develop patches before public release. Samsung has yet to issue a formal statement but is expected to roll out a security update imminently.

In the meantime, users are advised to enable automatic updates, remain cautious with app permissions and untrusted networks, and monitor official channels for patches to mitigate potential exploitation risks. 

References

Blogs

AWS Recent Outage, Effects What we need to know

The recent disruption that sparked world wide impact and effect is the AWS outage. The AWS (Amazon web services) disruption happened on October 20, 2025, centered on its “US‑EAST‑1” cloud region . The disruption triggered a series of failures and disrupted normal working of number of consumer apps, finance, government portals and parts of Amazon’s own services.

The AWS outage a case of internet outage, impacted over disruptions at over 3,500 companies across more than 60 countries, placing this among the largest internet outages on record for Downdetector.

Now the crucial question that hovers the mind is how the disruption affected digital services and what does this means to organizations relying on third party cloud service providers, to developers and other who are in the ecosystem and rely on AWS service that run uptime.

AWS covers 30% of the global cloud infrastructure market and such a kind of disruption is hard for the world relying on AWS infra. Many global apps and websites rely heavily on AWS for cloud hosting and data processing, which means the disruption can rapidly become widespread and create a knock out effect to many services and businesses to return to normal may witness challenege.

Origin of the AWS incident:

The incident originated in the US-EAST-1 (Northern Virginia) region one of AWS’s oldest and most heavily utilized hubs — and impacted key services such as DynamoDB, EC2, Lambda, and SQS.

As services in all these started failing the spread was wide and impacted AWS’s internal infrastructure and external applications, affecting end-user experiences who were on Snapchat, Pinterest, Fortnite, Signal etc.
Earlier it happened in the same region US-East-1. If we go by history (2017, 2021 & 2023).

The outage echoes shed light on the most crucial point, i.e. over reliance on single point of cloud infrastructure. AWS pointed on DNS issues and admitted global services or features that rely on US-EAST-1 endpoints, such as IAM updates and DynamoDB Global tables, “may also be experiencing issues.”

DNS Issue resolved as per AWS:

After the disruption and AWS says the DNS issue has “been fully mitigated”, and most AWS Service operations are succeeding normally now. However, it added that some requests may be throttled “while we work toward full resolution.”

Technical Analysis AWS Disruption:

The investigation revealed how a control plane failure in the US-EAST-1 region, triggered by an unexpected behavior within AWS’s internal load balancing and routing layer. So a configuration change happened in the service responsible for metadata and service discovery propagated inconsistently.

This lead to authentication and routing failures for dependent instances and services which further expanded and caused choke and resource exhaustion across interdependent services like EC2, Lambda, and S3, all of which rely on low-latency internal communication.

The largest hit services

The heaviest‑hit services by report count included Snapchat (~3M), AWS itself (~2.5M), Roblox (~716k), Amazon retail (~698k), Reddit (~397k), Ring (~357k) and Instructure (~265k). The UK alone generated more than 1.5M reports, far exceeding a typical day’s ~1M global baseline across all markets, highlighting both the unique intensity and breadth of this event.

Country wise bifurcation on AWS outage & results

(Image sources: Revealing the Cascading Impacts of the AWS Outage | Ookla®)

What amplified the disruption of AWS

All apps we are using are mostly chain together managed services like storage, queues, and serverless functions. If DNS cannot reliably resolve a critical endpoint (for example, the DynamoDB API involved here), errors cascade through upstream APIs and cause visible failures in apps users do not associate with AWS. That is precisely what Downdetector recorded across Snapchat, Roblox, Signal, Ring, HMRC, and others.

Cloud infrastructure should be of national importance

The AWS outage/ disruption highlighted how cloud infrastructures are not risk free and over dependence eon single point. Any fault in the infrastructure stack on which everything else depends and from which failures can trigger and subsequent redundancy.

The need of the hour is to recognize that Cloud infrastructure should be of national importance and any failure on the entire stack can be overcome with systematic approach. This will require by pulling down or dismantling each part and diversify the route so that on event of outage , the rest of the part of can be recovered by not depending on single point of the platform.

Organizations relying solely on a single AWS region or without robust multi-region, multi-cloud, or hybrid failover mechanisms faced significant downtime and operational risk, a wake up call for governments.

Various government across Europe recognized the risk associated with cloud infrastructure introduced policy’s for e.g., EU’s flagship Digital Operational Resilience Act (DORA) introduces EU-level oversight of critical ICT third-party providers, while the UK’s Critical Third Parties act for finance. These tool kits will act as balancers when it comes to reporting, stress management, incident reporting and adhering to transparency that is required as mandate.

Why Network resilience is important ?

The AWS disruption highlighted importance of network resilience. The reason being network resilience prevents single points of failure with backup systems and alternative pathways. Further this helps to adapt to sudden increases in demand without degrading performance. At the same time efficiently reallocates resources and adapts to changing conditions.



Blogs

Vulnerability Tracked in Oracle is being Exploited; CISA

CISA, the cyber security agency from US has added a serious vulnerability in Oracle E-Business Suite.As per CISA the flaw tracked in an Oracle E-Business Suite flaw tracked as CVE-2025-61884 is being exploited in attacks, adding it to its Known Exploited Vulnerabilities catalog.

Vulnerability CVE-2025-61884

Oracle published CVE-2025-61884, a server-side request forgery (SSRF) vulnerability in the Oracle Configurator runtime component, on October 11.

The bug received a CVSS score of 7.5 and does not require authentication to exploit. According to the company, attackers can use this vulnerability to gain “unauthorized access to critical data or full access to all Oracle Configurator data.”

Government organizations in the US must install patches before November 10. However, Oracle itself has not yet confirmed the exploitation.

In early October, Mandiant revealed that the Clop ransomware gang had begun sending extortion emails to companies, claiming that they had stolen data from Oracle E-Business Suite instances using zero-day flaws.

Oracle responded to this news by stating that the threat actors had exploited previously patched flaws disclosed in July.

As per Bleeping computers CVE-2025-61884 addresses the flaw by validating an attacker-supplied “return_url” using a regular expression. If the validation fails, the request is blocked.

To this day, it remains unclear why Oracle listed the ShinyHunters exploit as an IOC for CVE-2025-61882, when it is actually intended for CVE-2025-61884.
Oracle EBS under attack

 Orcale E-Business Suit is under targeted atatck by threat actors and investigations by various research teams from Mandiant and Crowdstrike revealed that Oracle EBS had been targeted in two different campaigns.

  • July campaign: Used an exploit that targeted an SSRF flaw in the “/configurator/UiServlet” endpoint, which is now confirmed as CVE-2025-61884.
  • August campaign: Used a different exploit against the “/OA_HTML/SyncServlet” endpoint, and was fixed under CVE-2025-61882 through mod_security rules to block the endpoint and by stubbing out the SYNCSERVLET class. This flaw is attributed to Clop.

Oracle disclosed CVE-2025-61884 on October 11 but did not confirm whether it had been exploited, despite having fixed the exploit used in the July attacks. Earlier when the vulnerability CVE-2025-61884 was discovered concerns an information disclosure flaw in the Runtime UI component.

Last week Oracle released an emergency patch this weekend for a critical vulnerability in E-Business Suite. This software flaw can be exploited by attackers without authentication to steal sensitive data.Oracle has assigned the vulnerability a CVSS score of 7.5, which underscores the severity of the problem.

CISA also confirmed that five new vulnerabilities are actually being used to attack systems in the real world. These 5 new CVE’s hit everything from business apps to CMS platforms to core Windows components.

These are

  • Oracle EBS bugs give attackers an unauthenticated RCE path and data access through SSRF.
  • The SMB flaw enables lateral movement inside networks.
  • The Kentico pair lets attackers take over CMS environments used for staging and publishing.
  • The Apple vulnerability shows the ongoing risk of legacy systems that missed critical patches.

Threat Mitigation by Oracle E Business Suit when hunting for Threat indicators

• Look for weird patterns in Oracle EBS requests – could be a SSRF issue

• See if there are any spikes in SMB share privileges & check Kentico logs for anything fishy

• Browser logs are the place to look for JavaScriptCore crashes or just weird execution

Oracle released critical patch for a wide range of products and this include

The Critical Patch Update provides security updates for a wide range of product families: Oracle Database Server, Oracle Application Express, Oracle Blockchain Platform, Oracle GoldenGate, Oracle NoSQL Database, Oracle REST Data Services, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Health Sciences Applications, Oracle HealthCare Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle Insurance Applications, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, Oracle Utilities Applications, and Oracle Virtualization.

Sources: CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw

October 2025 Critical Patch Update Released | security

Blogs

Unpatched Systems, Software’s Exposes Business to Cyber Threats

Remember when Qantas, Australia’s flagship airline confirmed a cyberattack exposing data from its frequent flyer program and customer accounts. The data was upto 6 million, which is staggering in number. This means any kind of exploits are malicious programs designed to take advantage of bugs or vulnerabilities in unpatched software or operating systems to gain unauthorised access. When left unpatched, these weak points act as open doors for cybercriminals.

Kaspersky research shows that the share of exploits targeting critical vulnerabilities in operating systems reached 64% in Q2 2025 (up from 48% in Q1 2025), with third-party apps (29%) and browsers (7%) following.

Unpatched Systems, Software’s exposes Business to Cyber Threats

The breach originated from a third-party customer service platform, proving that even indirect systems can expose millions of records we all knew. This was a clear case how unpatched software’s but Qantas denied any of its service platform was vulnerable and there was no sign the platform was compromised.

Similarly 1.5 billion records across 760 global companies record exposed to data breach when Salesforce was hit and the hacking group claimed to have breached Salesforce through compromised integrations with third-party tools like Drift and SalesLoft, stealing huge amounts of CRM data. And as recent Salesloft Drift cyberattack may have also compromised some Google Workspace accounts.

The above case are all about software vulnerabilities when left unpatched. Latest data from cybersecurity and privacy company Kaspersky revealed that existing vulnerabilities in business networks continue to leave Malaysian enterprises exposed to cyberattacks.

Globally, in Q2 2025, the most common exploits targeted vulnerable Microsoft Office products with unpatched security flaws, according to Kaspersky’s findings. Its solutions detected the most exploits on the Windows platform for the following vulnerabilities:

  • CVE-2018-0802: Remote code execution vulnerability in the Equation Editor component
  • CVE-2017-11882: Another remote code execution vulnerability in Equation Editor
  • CVE-2017-0199: Vulnerability in Microsoft Office and WordPad allowing attackers to gain control of the system

(Source: Kaspersky: Unpatched Systems Expose Malaysian Businesses To Exploits – TechTRP)

The report also revealed that the top 10 most exploited vulnerabilities included both new zero-day flaws and older unpatched issues that organisations continue to overlook. A zero-day vulnerability is a software flaw discovered by attackers before the vendor is aware of it. As no patch exists at the time, zero-day attacks often succeed.

Key findings from Kaspersky reports to secure your unpatched systems

  • Increased Exploitation: In the first half of 2025, more Windows and Linux users encountered vulnerability exploits compared to the previous year.
  • Targeted Vulnerabilities: Common exploits in Q2 2025 targeted Microsoft Office products with unpatched security flaws, such as those in the Equation Editor (CVE-2018-0802 and CVE-2017-11882).
  • End of Support: The end of free support for Windows 10 means millions of users will no longer receive critical security patches, leaving their systems vulnerable to new threats.
  • High volume of attacks: Kaspersky solutions blocked over 700,000 exploits targeting Indian organizations in the first half of 2025, averaging more than 4,000 per day

Attackers increasingly use methods to escalate privileges and exploit weaknesses in digital systems. As the number of vulnerabilities continues to grow, it is very important to constantly prioritize patching known vulnerabilities and use software that can mitigate post-exploitation actions. CISOs should counter the consequences of exploitation by searching for and neutralizing command and control implants that can be used by attackers on a compromised system,” says Alexander Kolesnikov, a security expert at Kaspersky.

What Businesses can do to remain Secure from Cyber threats when systems are unpatched?

For legacy systems and applications there is a lack ongoing vendor support, leaving remote code execution vulnerabilities open for exploitation. These attacks enable full system control with little user interaction.

How to Fix:

Apply host-based intrusion prevention and patch virtualization and replace or containerize legacy apps. It is important to isolate critical workloads in secure enclaves as being in legacy catagory they are prone to any kind of cyber threats and intrusion.

Follow more below recommendations

Conduct 24/7 monitoring of your infrastructure, focusing on perimeter defenses and using tools that can detect and block malicious software.

  • Utilize solutions for vulnerability assessment, patch management
  • Prioritize defense strategies & threat detection like phishing emails and web threats
  • Deploy comprehensive cybersecurity solutions that include incident response, employee training, and access to updated threat intelligence.
  • Implement a robust patch management process

Blogs Cybersecurity News

Cyber Threats in Maritime Domain; National Security in Focus at Delhi Seminar

Seminar Titled ‘Impact of Cyber Attacks on Maritime Sector and its Effects on National Security and International Relations’ 

The event in Delhi organized by Indian Navy and address cyber threat on the Maritime domain and how the threats are aligned to national security and their impact.

The event organized at a time when geo -politics is evolving and the seminar aims to deepen understanding of cyber threats in the maritime domain and foster collaboration amongst key stakeholders to enhance cybersecurity and strengthen the national cybersecurity posture.

Cyber threats evolving and looming above the maritime sector as the Maritime industry steps into the world of cyber risk. The cyber risk is vast and includes array of ransomware capable of shutting down port operations to GPS, halting steering vessels as hackers are get more creative.

Any cyberthreat on maritime sector also involves national security and is not isolated and target of cyber criminals. Maritime security involves trade, global logistics, oil and gas, defense which are major reasons to map maritime cyber threat to national security.

With an aim to deepen understanding of cyber threats in the maritime domain, the Indian Navy is organized the seminar.

The seminar, titled ‘Impact of Cyber Attacks on Maritime Sector and Its Effects on National Security and International Relations’, aims to foster collaboration among key stakeholders to enhance cybersecurity and strengthen the national cybersecurity posture.

Minister of State for IT Ministry, Jitin Prasada, deliver the keynote address during the inaugural session. The seminar will feature panel discussions each led by distinguished experts from the ministries and organizations.

The seminar aims to advance Hon’ble PM’s vision of MAHASAGAR (Mutual and Holistic Advancement for Security and Growth Across the Regions) by reinforcing a safe, secure cyberspace, and echoes the call for ‘Aatmanirbhar Bharat’ through indigenous, secure-by-design digital systems and robust public-private partnership.

Aligned with Maritime India Vision 2030 and the Amrit Kaal Vision 2047, the seminar positions cybersecurity as a core enabler of port-led growth, smart logistics, offshore energy security, and mission critical naval operations.

These include the Ministry of Ports, Shipping and Waterways, the Ministry of Petroleum and Natural Gas (MoPNG), the National Security Council Secretariat (NSCS), the Gas Authority of India Limited (GAIL), the Directorate General of Hydrocarbons (DGH), the Indian Computer Emergency Response Team (CERT-In), the National Critical Information Infrastructure Protection Centre (NCIIPC), and the National Maritime Foundation (NMF) as well as leaders from private organisations.

The topics for panel discussions are ‘Global Cyber Threats to Maritime Infrastructure,’ ‘Civil and Military Partnership,’ and ‘Maritime Sector as Critical Information Infrastructure’.

Scroll to top