Blogs

FBI Issues Alarm as Hackers Group target Salesforce Data Paltform; Releases IOC

FBI issued fresh alert major Hackers group mainly associated with cybercriminal groups tracked as UNC6040 and UNC6395 for orchestrating a string of data theft and extortion attacks on Salesforce stealing data. FBI released indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395.

“The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions,” as per FBI’s advisory.

Federal Bureau of Investigation has issued a urgent alert detailing the activities of two sophisticated cybercriminal groups, UNC6040 and UNC6395, which have been aggressively targeting Salesforce platforms.

These actors, linked to data theft and extortion schemes, exploit vulnerabilities in OAuth tokens and employ social engineering tactics like vishing to breach high-value targets.

Data Exfiltration or Data extraction/Theft

Data exfiltration occurs in two ways, through outsider attacks and via insider threats. Both are major risks, and organizations must ensure their data is protected by detecting and preventing data exfiltration at all times.

An attack from outside the organization occurs when an individual infiltrates a network to steal corporate data and potentially user credentials. This typically is a result of a cyber criminal injecting malware onto a device, such as a computer or smartphone, that is connected to a corporate network.

Some strands of malware are designed to spread across an organization’s network and infiltrate other devices, searching for sensitive corporate data in an attempt to exfiltrate information. Many malware will lay dormant on a network to avoid detection by organizations’ security systems until data is exfiltrated subversively or information is gradually collected over a period of time.

Attacks can result from malicious insiders stealing their own organization’s data and sending documents to their personal email address or cloud storage services, potentially to sell to cyber criminals. They can also be caused by careless employee behavior that sees corporate data fall into the hands of bad actors.

Threat monitoring through Intrusion Detection System

Intrusion Detection system often network and searches for known threats and suspicious or malicious traffic. When it detects a possible threat, the IDS sends an alert to the organization’s IT and security teams. IDS applications can be either software, which runs on hardware or network security solutions, or cloud-based, which protects data and resources in cloud environments.

Vishing Attack Lashed by Cyber Criminal

Vishing attacks, where perpetrators impersonate trusted IT support personnel to trick employees into granting access or revealing credentials. Once inside, they manipulate connected third-party applications, such as Salesloft’s Drift AI chatbot, to siphon sensitive data.

This method has proven alarmingly effective, as evidenced by the compromise of Google’s corporate Salesforce instance earlier this year, which exposed contact data for small and medium-sized businesses

UNC6040 & UNC6395 attack methodology

UNC6040, often associated with the notorious ShinyHunters collective, has refined a supply-chain attack vector that leverages OAuth token abuse. By compromising tokens from integrated apps, attackers gain persistent access without triggering immediate alarms.

As per FBI UNC6040, threat actors have utilized phishing panels, directing victims to visit from their mobile phones or work computers during the social engineering calls.

On the other hand UNC6395, has been attributed a widespread data theft campaign targeting Salesforce instances in August 2025 by exploiting compromised OAuth tokens for the Salesloft Drift application. They target third party application.

In an update issued this week, Salesloft said the attack was made possible due to the breach of its GitHub account from March through June 2025.

Salesloft has taken has separated the Drift infrastructure and kept in isolation, also taken the artificial intelligence (AI) chatbot application offline.

Salesloft and Salesforce collaborated to revoke all active access and refresh tokens for the Drift application on August 20, 2025. This action successfully terminated the threat actors’ access to the compromised Salesforce platforms through this specific vector.250912.pdf

Cyber Experts reflect UNC6040’s operations extend beyond Salesforce, potentially linking to broader campaigns involving SaaS-to-SaaS connections.

Cybersecurity firms Proofpoint, SpyCloud, Tanium, and Tenable have confirmed that information in their Salesforce instances was compromised as part of the recent Salesforce–Salesloft Drift attack

Posts on X from cybersecurity accounts, including shares from The Cyber Security Hub, underscore the real-time buzz around these threats, with users warning of the rapid spread of similar tactics across cloud ecosystems as of September 13, 2025.

IOC released from FBI include extensive list of IOCs, including IP addresses, malicious URLs, and user-agent strings associated with both UNC6040 and UNC6395.

This will assist network defenders detect and block related activity. The agency strongly recommends that organizations take several steps to mitigate the risk of compromise. Initially believed to only impact organizations that used the Drift integration, the campaign was later found to have affected other Salesforce customers as well.

(Sources: https://cybersecuritynews.com/fbi-iocs-salesforce-instances/)

Jaguar Land Rover Data Hack reveal Significance of Security & Privacy by Design

Jaguar Land Rover announced suffering they hit by a cyberattack in August that severely disrupted its production and retail activities. Cyber criminals stole data, held by the carmaker, it has said, as its factories in the UK and abroad face prolonged closure. This massive data hack reveal that every stakeholder in the supply chain must be embed and lazed with security and privacy by design.

Principle of security by design

So the ever evolving automotive industry and modern vehicles are more of software, which means more coding which goes upto 100 million codes and this is growing in numbers and run more applications then ever before.

So the more coding and software, the more lucrative it is for attackers to target systems and codes and if security flaws exist then its a heaven for cyber criminal as it is now easy target for data privacy leaks etc.

Best practices for Securing by Design principles and software development are enough to address the emerging risk to automotive systems and other systems within the vehicle.

According to the BBC, three plants were affected: the ones in Solihull, Halewood and Wolverhampton. Also the cyberattack forced the company to disconnect some systems, which led to factories in China, Slovakia and India getting shut down and workers being instructed to stay at home.

As per the company suppliers and retailers for JLR are also affected, some operating without computer systems and databases normally used for sourcing spare parts for garages or registering vehicles.

Scattered Spider group behind the cyber attack

As per reports the notorious Scattered Spider the hackers group is credited for the attack on JLR. The threat actor was also linked to recent attacks against major UK retailers, as well as several other industries worldwide.

This is the second cyberattack that hit JLR this year. In March, the Hellcat ransomware group claimed to data theft which were in hundreds of gigabytes of data from the carmaker.

July we witnessed how Scattered spider group targeted the aviation and retail sector

https://intruceptlabs.com/2025/07/scattered-spider-group-target-aviation-sector-third-party-providers-to-vendors-are-at-risk-solutions-that-will-improve-security-posture/

Addressing cyber security challenges in Automotive security

Organization addressing such cyber incident in near future will require dedication that will extend to all levels. This includes data layer, connection layer, authentication layer and more.

If organizations are proactive enough in establishing comprehensive protective measures and ensuring reliable systems that wont fail and in place, ultimately will create safe environment for entire ecosystem more resilient against cyber disruptions.

Cybersecurity challenges in automotive innovation

The integration of advanced technology has brought the automotive industry face-to-face with complex cybersecurity challenges. Vehicle technology, now deeply intertwined with software, exposes both consumers and manufacturers to varied threats.

The challenge for manufacturers is finding the right balance between advancing connected features and securing those very connections against evolving threats.

Transformation in Automotive industry while navigating cautiously in the midst of cyber attack

The year 2025 is transformative for automotive industry as the industry witnessing many groundbreaking technological advancements that is lazed with challenges in cybersecurity and supply chain resilience.

Navigate cyber challenges

For automotive industry as a whole, opportunities are huge for the industry as a whole but will take concrete shape when fitted with with robust architecture, zero-trust security frameworks and being transparent. There is a need to have more collaborative mindset and approaches among manufacturers, suppliers and leaders in technology of which cyber security is now important part.

Intercept offers Mirage Cloak

Mirage Cloak the Deception Technology, offers various deception methods to detect and stop threats before they cause damage.

These methods include adding decoys to the network, deploying breadcrumbs on current enterprise assets, using baits as tripwires on endpoints, and setting up lures with intentionally misconfigured or vulnerable services or applications. The flexible framework also lets customers add new deception methods as needed.

Sources: https://www.theguardian.com/business/2025/sep/10/jaguar-land-rover-says-cyber-attack-has-affected-some-data

Tenable & More Cyber Vendor’s Impacted by Third Party Salesforce Breach

Proofpoint, Tenable, CyberArk are other Third-Party vendors impacted by Salesforce Breach.

In an advisory released Tenable disclosed that it “was among the many organizations impacted” in the Salesloft Drift attacks, during which “an unauthorized user had access to a portion of some of our customers’ information stored in our Salesforce instance.”

Impacted data includes “subject lines and initial descriptions provided by our customers when opening a Tenable support case” as well as standard contact information such as name, business email address, phone number and location reference.

Tenable products and data stored in the vendor’s products, were not affected, the company said. CRN has reached out to Tenable for further comment.

Tenable stated that standard business contact information, such as customer names, email addresses, phone numbers and location details, was also accessed. At this point, the company stated there is no evidence that this information has been misused.

The information accessed by the unauthorized party was limited to data within Tenable’s Salesforce environment. This included:

Commonly available business contact information, such as customer names, business email addresses, and phone numbers.
Regional and location references associated with customer accounts.
Subject lines and initial descriptions that customers provided when opening a support case.

Third party vendor’s prime target of cyber attack increase Enterprise Cyber Risk

Targeting vendors indicate how critical it is to maintain third-party risk and be cautious while managing security risks associated with these external partners, focal point of target and critical for any organization’s data security.

The Tenable and other vendors being targeted increase the responsibility of enterprise based Third-party cyber risk associated as vendors can be targets for cyberattacks.

If their security measures are weak, your company’s data could be compromised. Ensuring vendors have strong cybersecurity protocols is essential to protecting sensitive information.

Enterprise security posture indicate how third-party security is a set of practices that can identify these risks and protect your organization from security threats associated with any third-party entity.

Risks arising from third-party vendors, contractors and business partners who have access to your data and systems is more then critical.

Three more well-known cybersecurity vendors have joined the lengthy list of companies impacted in the recent breach of a third-party Salesforce application, with Proofpoint, Tenable and CyberArk disclosing they were affected in the widespread Salesloft Drift attacks.

CyberArk, a publicly traded identity security vendor that Palo Alto Networks has a deal to acquire for $25 billion.

In similar pattern an unauthorized actor accessed Proofpoint’s Salesforce tenant through the compromised Drift integration and viewed certain information stored in our Salesforce instance,” the company said.

Attack module

The attacks involved stolen authentication tokens for Salesloft-owned workflow automation app Drift, which threat actors have used to steal data from Salesforce CRM systems. It’s unclear how threat actors obtained the tokens.

As per researchers, breach at Tenable was not an isolated attack but is linked to a wider, sophisticated campaign that security experts have been tracking. This campaign specifically exploits a vulnerability in the integration between Salesforce and Salesloft Drift, a popular sales engagement platform.

Adversarial Prompt Engineering can bypass Robust Safety Mechanisms; GPT-5 Jailbreak reveal’s the bypass Security strategy

OpenAI’s Advance AI system revealed Critical Vulnerabilities as attack vectors like storytelling and echo chamber module being used by GPT-5.

The breakthrough demonstrates how adversarial prompt engineering can bypass even the most robust safety mechanisms, This raised serious concerns about enterprise deployment readiness and the effectiveness of current AI alignment strategies discovered in august.

What is to Jailbreak in GPT-5

GPT-5 Jailbroken, in two parts by researchers who bypassed safety protocol using echo chamber and storytelling attacks.

As Storytelling attacks are highly effective and traditional methods. This kind of attacks requires additional security before deployment.

When researchers of NeuralTrust reported, the echo chamber attack leverages GPT-5’s enhanced reasoning capabilities against itself by creating recursive validation loops that gradually remove all safety protocols.

So the researchers’ employed a technique called contextual anchoring, where malicious prompts are embedded within seemingly legitimate conversation threads that establish false consensus.

The interesting part is the latest attack aimed at GPT-5, researchers found that it’s possible to infect harmful procedural content by framing it in the context of a story by feeding as input to the AI system.

Using a set of keywords and creating sentences using those words and subsequently expanding on those themes.

The attack modelled in form of a “persuasion” loop within a conversational context, while slowly-but-steadily taking the model on a path that minimizes refusal triggers and allows the “story” to move forward without issuing explicit malicious prompts.

These jailbreaks can be executed with nearly identical prompts across platforms, allowing attackers to bypass built-in content moderation and security protocols. Result is generating illicit or dangerous content.

Enterprise environment exposed to risk

If a malicious user deliberately inputs a crafted prompt into a customer service chatbot that instructs the LLM to ignore safety rules, query confidential databases. This could trigger more actions like emailing internal content.

Similarly in the context of GPT -5, what happened the attackers constructed elaborate fictional frameworks that gradually introduce prohibited elements while maintaining plausible deniability.

The outcome as per researchers is storytelling attacks can achieve 95% success rates against unprotected GPT-5 instances, compared to traditional jailbreaking methods that achieve only 30-40% effectiveness.

Once successfully exploited both echo chamber and storytelling attack vectors demonstrates that unless enterprises are ready with their baseline safety measures, deploying any kind of enterprise-grade applications is useless.

Enterprises who are ready to implement a comprehensive AI security strategy, that include prompt hardening, real-time monitoring and automated threat detection systems before production deployment will be better secured.

Sources: Researchers Uncover GPT-5 Jailbreak and Zero-Click AI Agent Attacks Exposing Cloud and IoT Systems

Azure AD configuration file for ASP.NET Core apps credentials leaked by Cybercriminals

A critical flaw in AzureD supported cyber criminals to get access to the digital keys in Azure cloud environment and discovered by Resecurity researchers .

The action enabled unauthorized token requests against Microsoft’s OAuth 2.0 endpoints and giving adversaries a direct path to Microsoft Graph and Microsoft 365 data.

A small critical cloud misconfiguration can give access to cyber attackers to infiltrate and this happened to Azure D when their Cloud native application configuration file for ASP.NET Core applications has been leaking credentials for Azure ActiveDirectory (AD).

Cloud application are not merely hosted in the cloud instead they are built to thrive in a cloud environment, providing unprecedented scalability, resilience and flexibility making them game changer.

Recently the publicly accessible configuration file for ASP.NET Core applications has been leaking credentials for Azure ActiveDirectory (AD). This potentially led attackers to authenticate directly via Microsoft’s OAuth 2.0 endpoints and infiltrate Azure cloud environments.

This issue cannot be overlooked by enterprise as the discovery by Resecurity’s HUNTER team exposed Azure AD credentials ClientId and ClientSecret — exposed in an Application Settings (appsettings.json) file on the public Internet.

Once the credentials lands up in hackers domain any malicious activates can be conducted and compromise an organization’s Azure-based cloud deployment simultaneously retrieve sensitive data from SharePoint or Exchange Online etc. Further abuse of Graph API for privilege escalation or persistence; and the deployment of malicious applications under the organization’s tenant.

Exploiting AzureD Flaw The attack flow

To exploit the flaw, an attacker can first use the leaked ClientId and ClientSecret to authenticate against Azure AD using the Client Credentials from OAuth2 flow to acquire an access token.

Once this is acquired, the attacker then can send a GET request to the Microsoft Graph API to enumerate users within the tenant.

This allows them to collect usernames and emails; build a list for password spraying or phishing; and/or identify naming conventions and internal accounts, according to the post.

Cyber attacker also can query the Microsoft Graph API to copy OAuth2 to take permission grants within the tenant, revealing which applications have been authorized for further permissions, they hold.

Once acquired token allows an attacker to use group information to identify privilege clusters and business-critical teams.

Protecting Enterprise from getting Azure secrets exposed.

Enterprise failing to practice regular scanning, penetration tests, or code reviews, exposed cloud files can remain unnoticed until attackers discover them and exploit them, according to the post.

Further for better security posture enterprise can restricting file access; removing secrets from code and configuration files; rotating exposed credentials immediately; enforcing least privilege principles and setting up monitoring and alerts on credential use, according to the post.

Importance of automation in cloud native application

Implement continuous integration and continuous deployment (CI/CD) pipelines to automate building, deploying, and testing cloud native applications. Manage and provision cloud infrastructure using code, allowing for version control and repeatability.

Several benefits of following best practices when developing cloud native apps, like increased scalability, fewer occurrences of critical failures, and high efficiency

Enterprises having product based focus will go for cloud-first approach and ask questions on how to go about cloud computing etc.

What could have happened or will happen if not looked into Azure Active Directory (Azure AD) flaw?

Azure Active Directory (Azure AD) termed as high impact in terms of vulnerability.

Once authenticated, attackers can:

Retrieve sensitive SharePoint, OneDrive, or Exchange Online data via Graph API calls.
Enumerate users, groups, and roles, mapping out the tenant’s privilege model.
Abuse permission grants to escalate privileges or install malicious service principals.
Deploy rogue applications under the compromised tenant, creating persistence and backdoors.

Enterprises must perform compliance checks to ensure that application designed meets industry standards and regulatory requirements. Once robust auditing and reporting mechanisms is on track that changes any access to sensitive data.

Source: JSON Config File Leaks Azure AD Credentials

Critical Flaw in Azure AD Lets Attackers Steal Credentials and Install Malicious Apps

Deep Dive into AI Ransomware ‘PromptLock’ Malware

AI Ransomware ‘PromptLock’ uses OpenAI gpt-oss-20b Model for Encryption has been identified by ESET research team, is believed to be the first-ever ransomware strain that leverages a local AI model to generate its malicious components. As we Deep dive into AI Ransomware we discover the intricacies and challenges organizations face dure to AI ransomware.

The malware uses OpenAI’s gpt-oss:20b model via the Ollama API to create custom, cross-platform Lua scripts for its attack.

PromptLock is written in Golang and has been identified in both Windows and Linux variants on the VirusTotal repository and uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts in real-time.

ESET researchers have discovered the first known AI-powered ransomware. The malware, which ESET has named PromptLock, has the ability to exfiltrate, encrypt and possibly even destroy data, though this last functionality appears not to have been implemented in the malware yet.

PromptLock was not spotted in actual attacks and is instead thought to be a proof-of-concept (PoC) or a work in progress, ESET’s discovery shows how malicious use of publicly-available AI tools could supercharge ransomware and other pervasive cyberthreats.

“The PromptLock malware uses the gpt-oss-20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes. PromptLock leverages Lua scripts generated from hard-coded prompts to enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption,” said ESET researchers.

New Era of AI Generated Ransomware

A tool can be used to automate various stages of ransomware attacks and the same can be said as AI-powered malware are able to adapt to the environment and change its tactics on the fly and warns of a new frontier in cyberattacks.

Its core functionality is different then traditional ransomware, which typically contains pre-compiled malicious logic. Instead, PromptLock carries hard-coded prompts that it feeds to a locally running gpt-oss:20b model.

As per researchers for its encryption payload, PromptLock utilizes the SPECK 128-bit block cipher, a lightweight algorithm suitable for this flexible attack model.

ESET researchers emphasize that multiple indicators suggest PromptLock is still in a developmental stage. For instance, a function intended for data destruction appears to be defined but not yet implemented.

Indicators of Compromise (IoCs)

Malware Family: Filecoder.PromptLock.A

SHA1 Hashes:

24BF7B72F54AA5B93C6681B4F69E579A47D7C102
AD223FE2BB4563446AEE5227357BBFDC8ADA3797
BB8FB75285BCD151132A3287F2786D4D91DA58B8
F3F4C40C344695388E10CBF29DDB18EF3B61F7EF
639DBC9B365096D6347142FCAE64725BD9F73270
161CDCDB46FB8A348AEC609A86FF5823752065D2

Given LLMs’ success, many companies and academic groups are currently creating all kinds of models and constantly developing variants and improvements to LLM. In the context of LLMs, a “prompt” is an input text given to the model to generate a response.

The success rate is high so threat actors are leveraging these models for illicit purposes, making it easier to create sophisticated attacks like ransomware and evade traditional defenses. sale of models Now

By automating the creation of phishing emails, ransomware scripts, and malware payloads, LLMs allow less skilled attackers to conduct sophisticated campaigns.

For AI-powered ransomware

AI-powered ransomware is a challenging threat to organizations far and above older attack tactics adopted by cyber criminals. If organization’s basic defensive methods such as ensuring critical vulnerabilities are patched as soon as possible, network traffic is monitored and implementing offline backups applied on time.

How Intrucept helps Defend Against AI-Powered Ransomware

Analyzing threat by behavior allows for early detection and response to malware threats and alert generation,. This reduces the risk of data exfiltration.

Intru360

Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst.

Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.

Here are some features we offer:

Over 400 third-party and cloud integrations.
More than 1,100 preconfigured correlation rules.
Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.
Prebuilt playbooks and automated response capabilities.

Source of above graphics : Courtesy: First AI Ransomware ‘PromptLock’ Uses OpenAI gpt-oss-20b Model for Encryption

'Lightweight cryptography' standard to protect small devices finalized

NIST Wrapped Up ‘Lightweight Cryptography’ Algorithm to protect small devices, as IoT & Embedded Devices being prime Target of cybercriminals

The National Institute of Standards and Technology (NIST) has finalized four lightweight cryptographic algorithms designed to safeguard data generated and transmitted by the Internet of Things (IoT) and other small-scale technologies.

The four lightweight cryptographic algorithms that NIST has finalized the standard after a multiyear public review process followed by extensive interaction with the design community.

In the wake of IoT and embedded devices increasingly targeted by cybercriminals, the lightweight cryptography standard ensures strong security without overburdening limited hardware, paving the way for safer adoption in critical sectors like healthcare, transportation, and smart infrastructure.

There are many connected device such as smart home systems, fitness tracker and other IoT applications that lack the processing power and memory to run conventional encryption methods.

NIST’s new lightweight cryptography standard addresses this challenge by offering algorithms that require significantly less computing power and time, while still providing strong protection against cyberattacks.

The new framework, Ascon-Based Lightweight Cryptography Standards for Constrained Devices (NIST SP 800-232), provides tools for authenticated encryption and hashing while minimizing energy, time, and memory usage.

Selected in 2023 after a global review, the Ascon algorithm family forms the core of the standard. Originally developed in 2014 by researchers at Graz University of Technology, Infineon Technologies, and Radboud University, Ascon has already proven its resilience through the CAESAR competition, where it was recognized as a leading lightweight encryption solution.

Key Features of the Standard

The standard is the result of a multiyear public review and extensive collaboration with the cryptographic design community. Its adoption will help ensure that even resource-constrained devices can securely protect sensitive information.

As NIST emphasizes, “it’s the little things that matter most.” With this new standard in place, even the smallest of networked electronics now have robust defenses against cyber threats.

Four related algorithms are now ready for use to protect data created and transmitted by the Internet of Things and other electronics.

Many networked devices do not possess the electronic resources that larger computers do, but they still need protection from cyberattacks. NIST’s lightweight cryptography standard will help.

The four algorithms in the standard require less computing power and time than more conventional cryptographic methods do, making them useful for securing data from resource-constrained devices such as those making up the Internet of Things.

In the standard are four variants from the Ascon family that give designers different options for different use cases. The variants focus on two of the main tasks of lightweight cryptography: authenticated encryption with associated data (AEAD) and hashing.

ASCON-128 AEAD – Enables secure data encryption and integrity checks while resisting side-channel attacks.

ASCON-Hash 256 – Provides lightweight integrity verification for firmware updates, passwords, and digital signatures.

ASCON-XOF 128 / ASCON-CXOF 128 – Flexible hash functions with customizable lengths for efficiency and collision resistance.

The CXOF variant also adds the ability to attach a customized “label” a few characters long to the hash. If many small devices perform the same encryption operation, there is a small but significant chance that two of them could output the same hash, which would offer attackers a clue about how to defeat the encryption. Adding customized labels would allow users to sidestep this potential problem.

McKay said the NIST team intends the standard not only to be of immediate use, but also to be expandable to meet future needs.

NIST researchers emphasize the standard’s immediate applicability across industries, from smart appliances to healthcare. Future updates may expand functionalities, including a dedicated message authentication code.

In India, regulatory bodies have issued frameworks such as TEC’s Code of Practice for Securing Consumer IoT Devices and the IoT System Certification Scheme to enforce baseline security.

These measures focus on secure boot, encrypted communications, and safe software updates for connected devices.

Sources: ‘Lightweight cryptography’ standard to protect small devices finalized

“gestation robot”, Humanoid Robot to be developed to Carry Foetus by China

Yes you heard that right, now a robot will be carrying a foetus for 9 months, a gestation robot that will deliver baby, to be developed by Kaiwa Technology, based in Guangzhou, China.

What does this mean for us, the people who are living in this fast-changing world?

The company led by Zhang Qifang , a scientist, announced the ambitious project at the 2025 World Robot Conference in Beijing, saying it aims to provide an alternative for those who wish to avoid human gestation.

Dr. Zhang, explained as per The Telegraph that the next step involves integrating the system into a robot’s abdomen, allowing interaction with a human to achieve pregnancy and support fetal development.

The company that will develop and manufacture gestation robot and plans to unveil the robot by 2026, with an expected price tag of under 100,000 yuan (approximately RM59,000).

The core technology involves a foetus developing in artificial amniotic fluid, receiving nutrients through a hose that mimics an umbilical cord. While the scientists have not yet shared details on how the egg and sperm will be fertilised, the technology is said to be in a “mature stage” of development.

Zhang claimed the artificial womb technology is already mature in laboratory settings, adding that it now only requires integration into a humanoid form. The concept of robotic surrogacy has triggered widespread public discussion, ranging from ethical concerns to hopeful possibilities for infertile couples.

Earlier similar research was done in 2017, where in researchers successfully nurtured a premature lamb in a transparent “biobag” for four weeks. The gestation robot takes this concept further, aiming to create a fully functional system capable of sustaining a human fetus for the entire gestation period.

Dr. Zhang’s team is reportedly collaborating with authorities in Guangdong Province to develop policies and regulations that ensure the technology is used responsibly.

The Ethical question on ‘Gestation robot’

Advanced robotics and artificial intelligence (AI), is no longer just a concept of science fiction or a distant vision of the future; it is already happening in industries across the globe and healthcare is not left behind. From manufacturing to healthcare, from autonomous vehicles to virtual assistants, robots are stepping into roles that were once reserved for humans.

Experts are raising question on the psychological and emotional impact on children born through this technology. This kind of pregnancy would witness the absence of fetal-maternal bonding, as well as uncertainties about how eggs and sperm will be sourced.

There are also questions about the long-term effects on a child’s identity and well-being when born via a robotic system.

Lets wait for the baby till then many questions will be puzzling our minds, like motherhood being outsourced if Kaiwa Technology succeeds. Humanity could soon witness the first baby born not from a woman’s womb, but from a robot. The world is on the cusp of a technological revolution that will reshape our future in profound ways.

Source: Robot That Can Carry & Deliver A Baby Is In The Works In China

Chinese Scientists Are Developing ‘Gestation Robots’ That Could Give Birth To Children Soon – Science

Fake ChatGPT Desktop App used to deliver PipeMagic Malware

Microsoft finds that a fake ChatGPT Desktop App Delivering PipeMagic Backdoor,a part of sophisticated malware framework. The PipeMagic campaign represents a dangerous evolution in the global cybercrime landscape. The malicious campaign, powered by a new backdoor called PipeMagic, targets multiple industries including IT, finance, and real estate. The PipeMagic attack is centered around CVE-2025-29824, a critical Windows Common Log File System (CLFS) vulnerability

The PipeMagic campaign a malware to technical threat exploiting trust globally

As per Microsoft cybercriminals are disguising malware as widely popular ChatGPT Desktop Application to launch ransomware attacks across the globe.

PipeMagic’s evolution from malware to technical threat exploiting trust globally

The malware allows hackers to escalate privileges once inside a system, by leveraging the immense popularity of ChatGPT, attackers have successfully weaponized user trust.

Microsoft has linked the operation to Storm-2460, a financially motivated cybercrime group known for deploying ransomware through stealthy backdoors.

PipeMagic is a malware first detected in December 2022 while investigating a malicious campaign involving RansomExx. The victims were industrial companies in Southeast Asia. To penetrate the infrastructure, the attackers exploited the CVE-2017-0144 vulnerability.

The backdoor’s loader was a trojanized version of Rufus, a utility for formatting USB drives. PipeMagic supported two modes of operation – as a full-fledged backdoor providing remote access, and as a network gateway – and enabled the execution of a wide range of commands.

Pipemagic’s technique of attack

PipeMagic also reflects a growing trend where attackers combine fileless malware techniques with modular frameworks.

By running directly in memory, it avoids detection from traditional signature-based tools. The modular design means it can expand its functionality much like commercial software — essentially transforming cybercrime into a scalable business model.

Another key point is the use of cloud infrastructure for command-and-control. By hosting their servers on Azure, the hackers blend into normal enterprise traffic, making malicious communications far less suspicious. This tactic underscores the need for behavioral monitoring instead of relying solely on blacklists.

Microsoft attributes PipeMagic to a financially motivated group known as Storm-2460. This is a warning sign for future attacks in the broader cybersecurity landscape.

PipeMagic’s modus operandi could be an inspiration for future malware families and its modular framework could fuel a wave of ransomware-as-a-service operations. That possibility raises the stakes not just for enterprises but also for small businesses and even government institutions.

The first stage of the PipeMagic infection execution begins with a malicious in-memory dropper disguised as the open-source for chat GPT application project. The threat actor uses a modified version of the GitHub project that includes malicious code to decrypt and launch an embedded payload in memory.

The embedded payload is the PipeMagic malware, a modular backdoor that communicates with its C2 server over TCP. Once active, PipeMagic receives payload modules through a named pipe and its C2 server.

The malware self-updates by storing these modules in memory using a series of doubly linked lists.

These lists serve distinct purposes for staging, execution, and communication, enabling the threat actor to interact and manage capabilities of backdoor throughout its lifecycle.

By offloading network communication and backdoor tasks to discrete modules, PipeMagic maintains a modular, stealthy, and highly extensible architecture, making detection and analysis significantly challenging.

Microsoft Threat Intelligence encountered PipeMagic as part of research on an attack chain involving the exploitation of CVE-2025-29824, an elevation of privilege vulnerability in Windows Common Log File System (CLFS).

Automotive Security under fire as Firmware Flipper Zero of Dark Web break Rolling Code security of Latest Vehicles

Security researchers discovered Firmware for device related to Flipper Zero and showcased by YouTube channel Talking Sasquatch.

A cyber threat that can bring in significant escalation in automotive cybersecurity that demands a single intercepted signal to compromise a vehicle’s entire key automotive functionality. Rolling code security systems basically protects millions of modern vehicles.

Automative vehicles may use encryption to avoid eavesdropping (i.e., capture and decoding of signals) or tampering attacks (i.e., “flipping” lock signals to unlocks). However, replaying signals, even if they are encrypted, is straightforward.

Rolling code security

That is where rolling code come in action and have been introduced wherein a particular code² (e.g., an “unlock” code) is considered disposable, i.e., it is only used once. In a nutshell, every button click on the key fob triggers a counter in the key fob and in the vehicle upon reception to roll, making it valid for subsequent use in the future. (https://dl.acm.org/doi/full/10.1145/3627827)

Single capture attack method: For this new attack to work, all that is needed is a single button-press capture from the keyfob, without any jamming. Just from that single capture, it is able to emulate all the keyfob’s functions, including lock, unlock, and unlock trunk. A consequence of this is that the original keyfob gets out of sync, and will no longer function.

According to the Talking Sasquatch, the attack works by simply reverse engineering the rolling code sequence, either through sequence leaks or prior brute forcing of the sequence from a large list of known codes.

Challenges in Automotive landscape

The automotive landscape has transformed into a convergence of software and mechanics, introducing exciting possibilities for vehicle performance and convenience. New concerns on vulnerabilities raises eyes about how malicious actors can exploit codes.

Regardless of the method, videos demonstrating the attack show that only a single capture is needed to emulate a keyfob completely.

Affected vehicles include Chrysler, Dodge, Fiat, Ford, Hyundai, Jeep, Kia, Mitsubishi and Subaru. As of yet, there appears to be no easy fix for this, other than mass vehicle recalls.

Secure coding

It is advised that regular code reviews is published that uses latest static analysis tools help detect vulnerabilities early in the development process.

Keep a secured update mechanisms enable swift responses to emerging threats that can address security vulnerabilites

Let’s understand the importance of of security and feel responsible for it and that requires best practices, cyber security culture and implementing early testing.

What can manufactures do to avoid cyber security lapses

For manufactures its advisable DevSecOps and automotive fuzzing tools that offer great solutions to prevent crashes further they improve efficiency and accuracy of their testing efforts and minimize costs.

GaarudNode from Intruceptlabs

GaarudNode is an all-in-one solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.

Sources: https://www.rtl-sdr.com/flipperzero-darkweb-firmware-bypasses-rolling-code-security/)