Blog

Organizational Preparedness will Help Protect Against Unorthodox Cyber Attack

Type of AI based attack vectors & organizational preparedness to Threat mitigation in 2026

AI based attacks is already there and what’s more, now organizations need to protect themselves against any unorthodox attack vector’s i.e AI based. Organizational readiness to thwart any unorthodox attack vectors like AI will determine organizational security from cyber threats are.

Any preparedness by organizations to protect and combat AI powered cyber Attacks will take lot of precession as AI based attack occur at scale and speed both. In backdrop of any cyber attack that is not common how do organization’s prepare and what does statistics from 2025 reveal.

Most of AI powered attacks are not conventional in nature and traditional cybersecurity tools often struggle to respond effectively to these threat.

AI-enabled attack that organizations need to prepare for in 2026

For organizations dealing with an attack vector which are unorthodox or AI in nature require man power or skilled cyber force and tools that are automated to detect and thwart the attack before they advance towards the institutions in advance.

AI’s has capacity to process and learn vast amounts of data and in cybersecurity this is termed as powerful and presents unique challenges as well as risks. Present attack scenario we have witnessed how AI take to automate and optimize malicious activity.

For defenders AI is boon and can detect, predict and mitigate threats in real time. However, the increasing sophistication of AI-powered threats is outpacing traditional defense mechanisms.

What are the types of AI powered Attack

Hacking which is Automated and AI algorithms based, can identify and exploit vulnerabilities faster than human capabilities.
Next in line is AI- Phishing and Cybercriminals use AI to create personal and convincing phishing emails. What AI does here is to analyze data from other sources to generate highly customized messages capable of influencing.
Deepfakes are growing in form of realistic fake videos or audio impersonating public figures in order to spread misinformation, manipulate public opinion, or conduct social engineering attacks.
Corrupting AI Models via data fed into AI systems to manipulate outcomes and is particularly concerning in critical systems. This showcases the dangerous potential of AI-powered cyber attacks.

Key findings by Organizations – AI based cyber security findings.

The evolving nature of AI means that new attack vectors are constantly being developed, making detection difficult for organizations. These are below mentioned take aways from 2025 regarding AI driven cyber threats.

51% of European IT and cybersecurity professionals feared AI-driven cyber threats and deepfakes will keep them up at night in 2026
Only 14% feel their organizations are ‘very prepared’ to manage the risks associated with generative AI
Other concerns for the year ahead include regulatory complexity, ransomware attacks, and the failure to detect and respond to a breach, causing irreparable harm to the business
Less than half of organizations plan to hire more talent to manage and mitigate these concerns
In the Cisco 2025 Cybersecurity Readiness Index: 86% of business leaders with cyber responsibilities reported at least one AI-related incident over the past 12 months.
IBM reports that 51% of enterprises now use security AI or automation, and those organizations experience $1.8 million lower average breach costs than those without it.
Trend Micro’s mid-2025 scans revealed over 200 unprotected Chroma servers and 3,000+ AI components publicly exposed online, allowing data theft or model poisoning.

What do cyber security leadership require most in 2026 is having clear actionable path regarding AI based attack and threat mitigation.

A mindset change is required by CEOs, CISO’s and CXOs where focus should be to start building resilience against intelligent AI attacks.

Cybersecurity has become integral part of lives and especially 2025 was the year of cybercrimes and data breaches across verticals. As the new year commences, starting the year on a positive note with cyber-security resolutions such as

–      Prioritize employee training on evolving AI based threats
–      Enhance endpoint protection
–      Secure data & ways to scarping
–      Securing PII data during data lifecycle
–      Fortify your incident response and business continuity plans
–      Extend more focus on third-party security assessments
–      Ensure robust cloud security is aligned with data privacy regulations
–      Embrace multi-factor authentication (MFA)
–      Safeguarding against AI-driven cybercrimes.
–      Engaging often with board and leadership

Sources: https://www.isaca.org/about-us/newsroom/press-releases/2025/ai-driven-cyber-threats-are-the-biggest-concern-for-professionals-finds-new-isaca-research

AI Cyber-Attack is Lethal, Crafted to Empower Hackers; Calls for Cyber Readiness as Enterprise Security Strategy

Japanese Brewing Giant Asahi, Exposed to Cyber-Attack; CAI Cyber-Attack is Lethal, Crafted to Empower Hackers Calls for Cyber Readiness

Encryption: A Foundation for Organizational Security Against Threats

Encryption is often taken as last line of defense and organizations are using encryption to secure their data. Understanding and adopting the latest encryption technologies is crucial for keeping data secure. In current scenario when attackers are equally lazed with latest technologies, companies can strengthen their cybersecurity strategies and continue to adapt encryption as last line of their defense. When organizations enhance their encryption practices today, they can protect their digital assets for the future.

As cyber attacks are evolving so as encryption advances. Now numerous key developments will shape the future of cybersecurity. Once inside the network, cyber criminals can easily view and steal sensitive data. If that data is encrypted, they have no way of accessing it without a decryption key, saving the data from being compromised.

For example, the continuous evolution of quantum computing presents challenges and opportunities for encryption. Quantum-resistant algorithms must increase in speed to enhance security against quantum attacks.

The FinWise Data Breach a Stark Example

On May 31, 2024, the ex-employee accessed FinWise Bank’s systems after leaving the company and leaked sensitive personal information belonging to 689,000 customers of American First Finance (AFF). Even more alarming, this unauthorized access went undetected for more than a year before being discovered by the bank on June 18, 2025.

The FinWise Data breach revealed lapses like time gap between the initial breach and its discovery. The Bank came to understand about the incident and notified affected customers in June 2025 which was over a year after the breach occurred. This was a huge time gap and lawsuits allege that the stolen data may not have been adequately encrypted and secured, causing public criticism and concern.

Security experts emphasize that a well-designed information protection framework must not only encrypt critical financial data but also proactively detect and prevent abnormal access attempts.

Quantum computing & Encryption

Organizations who relies on encryption to keep its critical business communications and data safe are secure now. But as per RAND, experts expect quantum computers capable of breaking today’s encryption standards to arrive by the 2030sOpens a new window .

In the latest updates The Federal Trade Commission (FTC) has sent letters to major tech companies in the United States, urging them to resist foreign governments’ demands to weaken encryption.

The letters were sent by FTC Chairman Andrew Ferguson to Akamai, Alphabet (Google), Amazon, Apple, Cloudflare, Discord, GoDaddy, Meta, Microsoft, Signal, Snap, Slack, and X.

Traditional encryption relies on math problems that would take classical computers centuries to solve. RSA encryption, which protects much of today’s internet traffic, works because factoring massive numbers is impossibly hard for regular computers. But tomorrow’s computers will make quick work of it. According to the MIT Technology Review, researchers have shown that a quantum computer with 20 million noisy qubits could crack RSA-2048 in just 8 hoursOpens a new window .

The question is Encryption alone is sufficient to protect data

As per researchers Encryption alone is no longer sufficient to protect privacy in LLM interactions, as metadata patterns can be exploited to infer sensitive subjects and corporate intent. Researchers at Microsoft have revealed a new side channel attack named Whisper Leak that can reveal the topic of encrypted conversations between users and language models, even without access to the underlying text.

The discovery highlights a growing blind spot in AI security where encryption alone no longer guarantees privacy in model interactions.

What we must know about Whisper Leak the side channel attack

Whisper Leak exploits often exploits a side channel in network communication rather than a flaw in encryption itself. LLM services generate responses step by step, by producing one token at a time instead of the entire response at once. Also, the communications with AI-powered chatbots are often encrypted with HPPS over TLS (HTTPS), ensuring the authenticity of the server and security through encryption.

A side channel attack breaks cryptography by using information leaked by cryptography, such as monitoring the electromagnetic field (EMF) radiation emitted by a computer screen to view information before it’s encrypted in a van Eck phreaking attack, aka Transient Electromagnetic Pulse Emanation STandard (TEMPEST).

Encryption the last line in defense & Helps Orgs Embrace GDPR

If sensitive information is no longer required, the best way to protect it is to delete it. However, when files are deleted from a hard drive they leave traces that can be reconstructed by thieves and hackers. By encrypting the files before deletion, the remnants that remain on the drive will remain encrypted and remain inaccessible should they be reconstructed. In this way, encryption protects your privacy, even when the files are gone.

Companies should, therefore, ensure that all devices leaving the workplace are encrypted. Most phones have a native encryption option that can be easily activated, while laptops can have either their hard drives or sensitive data encrypted depending on the tools an organization wants to use.

Nowadays data protection is no longer an option. Companies can’t ignore the problem and hope they won’t be targeted by malicious threat actors.

GDPR itself recommends encryption as an effective tool for data protection as do data protection standards such as the CIS Controls which advocate a data security strategy based on a combination of encryption, integrity protection and data loss prevention techniques.

At the end Encryption ensures that, whether these devices are lost, stolen or forgotten, the data on them is useless to anyone who tries to access it without a decryption key.

(Source: https://www.bleepingcomputer.com/news/security/finwise-data-breach-shows-why-encryption-is-your-last-defense/)

Sources: https://www.csoonline.com/

Regulations for Start-Ups & SME’s Helps address Cyber Risk & Business Strategy

This decade has witnessed huge technological, digital and cyber security uprise and challenges which shaped the way of doing business and business strategy. Now every company is powered by software and technology and cybersecurity a top priority for organizations everywhere. Regulations are of high importance for business strategy and cyber risks. Startups under the Startup India initiative can self-certify their compliance with labor and environmental laws, reducing the risk of inspections and penalties.

For every start up owners placing their business for long term success is ultimate goal and positioning the business requires set of regulations that can bring both opportunities and challenges. Compliance brings in additional challenge but integrating compliance brings in transparency and subsequent valued positioning for clients who value transparency.

That’s putting a lot of pressure on cybersecurity leaders to level up their governance, risk, and compliance programs. India’s push towards digitization has transformed how businesses interact with regulators and the government has rolled out a range of tax incentives to bolster the growth of startups and SMEs. Further the government has been recognizing the role of innovation in the startup ecosystem and to further this strengthened IP protections.

Sector specific regulations

The government has also taken a proactive approach to sector-specific regulations and this has been for most important sectors from fintech to ecommerce, healthcare etc. Regulatory sandboxes by RBI and SEBI allow fintech startups to test new products in a controlled environment. New draft e-commerce rules aim to ensure transparency, fair competition, and consumer protection.

For emerging vibrant business it is important that business leaders stay abreast to staying abreast new regulatory changes that will help leverage the full potential of upcoming India’s vibrant business landscape.

Prioritizing Cyber security for Business Continuity with Regulations

Recently Akshay Joshi, head of World Economic Forum’s Centre for Cybersecurity highlighted that significant challenges lies in prioritizing cybersecurity and addressing these requires a combination of strong incentives and regulatory support,.

“There needs to be incentives that are brought into the mix for appropriate investments into cybersecurity,” Joshi said, emphasizing that regulation plays a crucial role.

As per WEF’s annual Global Cybersecurity Outlook Report, which found that roughly 70% of respondents agree that regulations are “really effective in terms of ensuring a baseline of cybersecurity.”

(Source: Startups and SMEs need incentives and regulations to prioritise cybersecurity: WEF official | Company Business News)

As startups and SME’s navigate through business challenges and every day there is a fresh rules emerging across industries, understanding their impact on business for CEO’S is crucial for staying ahead. By understanding the different types of regulations, startups can better navigate the landscape for your business.

For every start up owners placing their business for long term success is ultimate goal and positioning the business requires set of regulations that can bring both opportunities and challenges.

Without regulations in place innovation will be stalled and so the fair set up within the ecosystem. In the beginning embracing regulations may be daunting task but regulations play important role for startups specifically cyber security based start ups who are constantly battling warfare’s that is equivalent to cripple critical infrastructure and damage organizations affecting economies at a scale that is equivalent to any physical attack.

For Cyber security Startups any regulatory updates often focus on data privacy, financial practices and data security. For instance, recent data protection laws require companies to enhance their data security measures to safeguard customer data and information, This is done so to foster trust and loyalty among users and increase brand value.

There are Compliance that are driven by regulations and can pose challenges for start ups as this increases operational costs. These changes may demand additional investments in legal counsel or technology to ensure adherence.

If any Startup is handling customer data and if they invest in data protection solutions which is essential to bring in confidence for their customers. With GDPR and CCPA regulations, organizations might face fines for non-compliance and loose trust from investors that may restrict further funding.

Startups that proactively integrate compliance into their core strategy can position themselves as industry leaders, appealing to customers who value transparency.

Conclusion:

Cyber security is every where and is crucial from point of network and cloud security to AI, privacy, governance, forensics, and risk management, each domain plays a crucial role in keeping organizations resilient. For customers it means that their data is in safe hands.

Having a discipline structure and frameworks in place increases brand value. However, cybercriminals are increasingly focused on targets that have weaker defenses and start ups are prime in their targets.

Any organization who implement regulations, audits certification and follow compliance enhances their defenses.
They might be handling sensitive data, but staying compliant with regulations like GDPR and HIPAA is essential. Regular security audits and employee training can significantly reliability and confidence among investors.

For business to thrive and grow regulations are step ahead towards creativity, innovation and growth,. This helps business to stay ahead of competitors and establish a reputation for innovation, also for avoiding penalties, legal consequences and reputational damage.

FBI Issues Alarm as Hackers Group target Salesforce Data Paltform; Releases IOC

FBI issued fresh alert major Hackers group mainly associated with cybercriminal groups tracked as UNC6040 and UNC6395 for orchestrating a string of data theft and extortion attacks on Salesforce stealing data. FBI released indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395.

“The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions,” as per FBI’s advisory.

Federal Bureau of Investigation has issued a urgent alert detailing the activities of two sophisticated cybercriminal groups, UNC6040 and UNC6395, which have been aggressively targeting Salesforce platforms.

These actors, linked to data theft and extortion schemes, exploit vulnerabilities in OAuth tokens and employ social engineering tactics like vishing to breach high-value targets.

Data Exfiltration or Data extraction/Theft

Data exfiltration occurs in two ways, through outsider attacks and via insider threats. Both are major risks, and organizations must ensure their data is protected by detecting and preventing data exfiltration at all times.

An attack from outside the organization occurs when an individual infiltrates a network to steal corporate data and potentially user credentials. This typically is a result of a cyber criminal injecting malware onto a device, such as a computer or smartphone, that is connected to a corporate network.

Some strands of malware are designed to spread across an organization’s network and infiltrate other devices, searching for sensitive corporate data in an attempt to exfiltrate information. Many malware will lay dormant on a network to avoid detection by organizations’ security systems until data is exfiltrated subversively or information is gradually collected over a period of time.

Attacks can result from malicious insiders stealing their own organization’s data and sending documents to their personal email address or cloud storage services, potentially to sell to cyber criminals. They can also be caused by careless employee behavior that sees corporate data fall into the hands of bad actors.

Threat monitoring through Intrusion Detection System

Intrusion Detection system often network and searches for known threats and suspicious or malicious traffic. When it detects a possible threat, the IDS sends an alert to the organization’s IT and security teams. IDS applications can be either software, which runs on hardware or network security solutions, or cloud-based, which protects data and resources in cloud environments.

Vishing Attack Lashed by Cyber Criminal

Vishing attacks, where perpetrators impersonate trusted IT support personnel to trick employees into granting access or revealing credentials. Once inside, they manipulate connected third-party applications, such as Salesloft’s Drift AI chatbot, to siphon sensitive data.

This method has proven alarmingly effective, as evidenced by the compromise of Google’s corporate Salesforce instance earlier this year, which exposed contact data for small and medium-sized businesses

UNC6040 & UNC6395 attack methodology

UNC6040, often associated with the notorious ShinyHunters collective, has refined a supply-chain attack vector that leverages OAuth token abuse. By compromising tokens from integrated apps, attackers gain persistent access without triggering immediate alarms.

As per FBI UNC6040, threat actors have utilized phishing panels, directing victims to visit from their mobile phones or work computers during the social engineering calls.

On the other hand UNC6395, has been attributed a widespread data theft campaign targeting Salesforce instances in August 2025 by exploiting compromised OAuth tokens for the Salesloft Drift application. They target third party application.

In an update issued this week, Salesloft said the attack was made possible due to the breach of its GitHub account from March through June 2025.

Salesloft has taken has separated the Drift infrastructure and kept in isolation, also taken the artificial intelligence (AI) chatbot application offline.

Salesloft and Salesforce collaborated to revoke all active access and refresh tokens for the Drift application on August 20, 2025. This action successfully terminated the threat actors’ access to the compromised Salesforce platforms through this specific vector.250912.pdf

Cyber Experts reflect UNC6040’s operations extend beyond Salesforce, potentially linking to broader campaigns involving SaaS-to-SaaS connections.

Cybersecurity firms Proofpoint, SpyCloud, Tanium, and Tenable have confirmed that information in their Salesforce instances was compromised as part of the recent Salesforce–Salesloft Drift attack

Posts on X from cybersecurity accounts, including shares from The Cyber Security Hub, underscore the real-time buzz around these threats, with users warning of the rapid spread of similar tactics across cloud ecosystems as of September 13, 2025.

IOC released from FBI include extensive list of IOCs, including IP addresses, malicious URLs, and user-agent strings associated with both UNC6040 and UNC6395.

This will assist network defenders detect and block related activity. The agency strongly recommends that organizations take several steps to mitigate the risk of compromise. Initially believed to only impact organizations that used the Drift integration, the campaign was later found to have affected other Salesforce customers as well.

(Sources: https://cybersecuritynews.com/fbi-iocs-salesforce-instances/)

Firmware Vulnerabilities affecting Dell Laptops Could allow attackers to achieve persistent access

A set of vulnerabilities affecting millions of Dell laptops used by government agencies, cybersecurity professionals, and enterprises worldwide. The vulnerability known as “ReVault,” mainly target the Broadcom BCM5820X security chip embedded in Dell’s ControlVault3 firmware.

This subsequently create opportunities for attackers to steal passwords, biometric data, and maintain persistent access to compromised systems.

How does the vulnerability work

Most of the flaws reside in the firmware for ControlVault3 and ControlVault3+, which are hardware security components that store passwords, biometric templates, and security codes.

The lists includes:

Two out-of-bounds vulnerabilities (CVE-2025-24311, CVE-2025-25050)
An arbitrary free (CVE-2025-25215) flaw
A stack-overflow bug (CVE-2025-24922)
An unsafe-deserialization flaw (CVE-2025-24919)

According to the researchers, the vulnerabilities can be exploited in so-called ReVault attacks by:

Attackers who have achieved non-administrative access/privileges on a vulnerable target laptop. The vulnerabilities may allow them to interact with the ControlVault firmware and leak key material that would allow them to permanently modify the firmware (i.e., effectively creating a potential backdoor into the system)
Attackers that have physical access to the laptop. They could pry the device open, use a custom connector to access the Unified Security Hub board (which runs ControlVault) over USB, and exploit those vulnerabilities – all without having to log into the system beforehand or having knowledge of the full-disk encryption password.

“Another interesting consequence of this scenario is that if a system is configured to be unlocked with the user’s fingerprint, it is also possible to tamper with the CV firmware to accept any fingerprint,” as per researchers.

Technical details have not been publicly shared, but they have, of course, been privately reported to Dell and Broadcom.

These are 5 critical vulnerabilities of ReVault found by Cisco Talos researcher

ReVault Attack – Five Critical Vulnerabilities

ControlVault3 and ControlVault3+ systems:

CVE-2025-24311: An out-of-bounds read vulnerability that enables information leakage
CVE-2025-25050: An out-of-bounds write flaw allowing code execution
CVE-2025-25215: An arbitrary memory free vulnerability
CVE-2025-24922: A stack-based buffer overflow enabling arbitrary code execution
CVE-2025-24919: An unsafe deserialization flaw in ControlVault’s Windows APIs

Importance of device security posture/Endpoint security

The incident highlight how device posture check is designed to evaluate threat that a device poses to an organization and its systems.

The persistent nature of these attacks represents a significant escalation in firmware-based threats, as the malicious code resides below the operating system level.

Here traditional antivirus solutions cannot detect or remove it. Now sophistication of cyber threats means that organizations need to become more proactive in terms of defense.

The identification and mitigation of a threat early on, via an effective and clearly defined security posture, reduces costs, lessens downtime, and minimizes reputational damage.

Periodic security audits are essential to have a complete check on all the security features of the organization. Such audits identify vulnerabilities in the current security controls and allow for ensuring things align properly with industry standards.

Importance of Endpoint security

End point security detect and prevent security threats like file-based malware attacks among other malicious activities. It also provides investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.

Conclusion:

Protecting against endpoint attacks is challenging for organisation because endpoints exist where humans and machines intersect. With the increasing number of adversaries trying to breach organizations using sophisticated cyberattacks, quickly detecting potential threats will help speed the remediation process and keep data protected.

(Source: https://www.helpnetsecurity.com/2025/08/05/dell-laptops-firmware-vulnerabilities-revault-attacks/)

Analyzing the newly discovered Vulnerability in Gemini CLI; Impact on Software coding

Google’s Gemini command line interface (CLI) AI agent

Its not been one month when Google’s Gemini CLI vulnerability discovered by Tracebit researchers and found attackers could use prompt injection attacks to steal sensitive data.

Google’s Gemini CLI, an open-source AI agent for coding could allow attackers exploit to hide malicious commands, using “a toxic combination of improper validation, prompt injection and misleading UX,” as Tracebit explains.

After reports of the vulnerability surfaced, Google classified the situation as Priority 1 and Severity 1 on July 23, releasing the improved version two days later.

Those planning to use Gemini CLI should immediately upgrade to its latest version (0.1.14). Additionally, users could use the tool’s sandboxing mode for additional security and protection.

Disclosure of the vulnerability

Researchers reported on vulnerability directly to Google through its Bug Hunters programme. According to a timeline provided by Tracebit, the vulnerability was initially reported to Google’s Vulnerability Disclosure Programme (VDP) on 27 June, just two days after Gemini CLI’s public release.

Impact of the vulnerability

A detailed analysis found that in the patched version of Gemini CLI, attempts at code injection display the malicious command to users. This require explicit approval for any additional binaries to be executed. This change is intended to prevent the silent execution that the original vulnerability enabled.

Tracebit’s researchers played an important role in discovering and reporting the issue which is symbol of independent security research, particularly as AI-powered tools become central to software development workflows.

LLM integral to software development but hackers are using it too

Gemini CLI integrates Google’s LLM with traditional command line tools such as PowerShell or Bash. This allows developers to use natural language prompts to speed up tasks such as analyzing and debugging code, generating documentation, and understanding new repositories (“repos”).

As developers worldwide are using LLMs to help them develop code faster, attackers worldwide are using LLMs to help them understand and attack applications faster.

Tracebit also discovered that malicious commands could easily be hidden in Gemini CLI This is possible by by packing the command line with blank characters, pushing the malicious commands out of the user’s sight.

More vigilance required when examining and running third-party or untrusted code, especially in tools leveraging AI to assist in software development.

Through the use of LLMs, AI excels at educating users, finding patterns and automate repetitive tasks.

Sam Cox, Tracebit’s founder, says he personally tested the exploit, which ultimately allowed him to execute any command — including destructive ones. “That’s exactly why I found this so concerning,” Cox told Ars Technica. “The same technique would work for deleting files, a fork bomb or even installing a remote shell giving the attacker remote control of the user’s machine.”

Source: https://in.mashable.com/tech/97813/if-youre-coding-with-gemini-cli-you-need-this-security-update

Malware Uses AWS Lambda to collect data; Govt Org’s Across S E Asia affected by HazyBeacon

Data Stolen from various government based organizations across South east-Asia via State-Backed HazyBeacon Malware that Uses AWS Lambda was discovered and tracked by researchers Palo Alto Networks Unit 42 under the moniker CL-STA-1020.

Here “CL” stands for “cluster” and “STA” refers to “state-backed motivation, data collected include information about recent tariffs and trade disputes. The initial access vector used to deliver the malware is currently not known, although evidence shows the use of DLL side-loading techniques to deploy it on compromised hosts. Specifically, it involves planting a malicious version of a DLL called “mscorsvc.dll” along with the legitimate Windows executable, “mscorsvw.exe.”

Campaign execution flow

As per researchers backdoor leverages AWS Lambda URLs as command and control (C2) infrastructure. AWS Lambda URLs are a feature of AWS Lambda that allows users to invoke serverless functions directly over HTTPS.

This technique uses legitimate cloud functionality to hide in plain sight, creating a reliable, scalable and difficult-to-detect communication channel.

Figure 1 shows the high-level execution flow of this attack.

(Source: Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication)

Key points:

The malware is using a newly discovered Windows backdoor dubbed HazyBeacon.

Secondly, it exploits a legitimate feature of the AWS Lambda serverless compute service called Lambda URLs, to hide its malicious activities

AWS Lambda URLs are a part of AWS Lambda that allow users to invoke serverless functions directly over HTTPS.

In this attack, the HazyBeacon backdoor uses the service to establish C2 communications, allowing the actor to engage in covert intelligence gathering.

Researchers at Trellix, revealed the attacker tactic of using Lambda to obscure C2 activity in late June, noting that such obscurity “makes network-based detection nearly impossible without decryption or deep behavioral analysis,” according to their report.

During backdoor deployment, attackers also establish persistence on the compromised Windows endpoint by creating a Windows service named msdnetsvc, which ensures that the HazyBeacon DLL would be loaded even after rebooting the system.

Unit 42 included a list of indicators of compromise (IoCs) in the post to help identify a potential attack. Defenders can set their machine-learning models and analysis techniques to be triggered by those IoCs, as well as use behavioral threat protection to detect and block the execution of processes with malicious behavior in their cloud environments.

How the malware reaches out to serverless AWS Lambda endpoints

These URLs are hosted on cloud infrastructure that’s globally trusted
Traffic looks like regular HTTPS communication
Detection becomes near-impossible for traditional firewalls or EDRs

This use of cloud-native tools for C2 is a growing trend in advanced persistent threats (APTs).

South east Asia a focal point of target

The reason why Southeast Asia has increasingly becoming a focal point for cyber espionage mainly due various sensitive trade negotiations being done by countries, defense enhancement taken up by countries as a part of modernization and power alignment between U.S.–China.

Why threat actors chose this area via targeting government agencies as the data stolen carried various intelligence inputs that were based on foreign policy direction, infrastructure planning and various regulatory shifts that further influence the behavior of global markets.

HazyBeacon reflects a broader aspect and trend in cyber security related to advanced persistent threats using trusted platforms as covert channels.

This cloud-based malware cluster, similar techniques have been observed in threats using Google Workspace, Microsoft Teams, or Dropbox APIs to evade detection and facilitate persistent access.

Once the malware is on the system, it doesn’t want to leave. HazyBeacon registers itself as a Windows service, making sure it gets relaunched after every reboot.

Organizations who detect and mitigate this emerging threats also understand how attackers exploit cloud services for malicious purposes.

The misuse of AWS Lambda occurs when the malicious DLL, mscorsvc.dll, establishes a C2 channel through an AWS Lambda URL. AWS Lambda runs code in response to events without requiring server provisioning or management; the URLs feature, introduced in 2022, extends this functionality by providing customers with a way to configure dedicated HTTPS endpoints for Lambda functions.

Source: 🔍 Deep Dive: How State‑Backed HazyBeacon Malware is Weaponizing AWS Lambda & Steganography | by Abhay Haswani | Jul, 2025 | Medium

Zero Trust 2.0” Strategy by White House to Streamline Compliance; A Shift in Threat landscape

Zero trust isn’t just for security teams, but a strategy where organizations meet compliance standards, vendors behavior, govt policies. Overall zero trust is a shift in how an entire enterprise thinks how to access risk and more than a checklist.

The White House is developing a “Zero Trust 2.0” strategy to focus on targeted, high-impact cybersecurity initiatives and improve the efficiency of federal cyber investments.

Trump admin Officials aim to streamline compliance regimes and tailor software security requirements, especially differentiating critical from low-risk software.

The administration is also preparing new guidance on drone procurement and use, restricting purchases from certain foreign entities, and finalizing instructions for agencies to adopt post-quantum cryptography following recent NIST standards.

The zero-trust security architecture was introduced by Forrester Research in 2010. Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.

Nick Polk, branch director for federal cybersecurity at the Office of Management and Budget, said OMB is looking toward the next iteration of the federal zero trust strategy.

“We’re still coalescing around the exact strategy here, but it likely will be focused on specific initiatives we can undertake for the entire government,” Polk said a July 16 online meeting of the Information Security and Privacy Advisory Board.

AI & Zero Trust

AI tools help build a Zero Trust foundation for enterprises fixing different layers of security and focus on elevating security strategies . Now with the advent of AI-driven advancements, the path forward offers some intriguing prospects for AI and zero trust synergies.

AI and Zero Trust intersecting will unlock key opportunities for holistic cyber security maturity, further AI generates an informed narrative for granting or denying resource access. The security approach seamlessly aligns with a core tenet on principle of Zero Trust and least privilege.

Key Security Updates

Nick Polk also explained some of the key changes in President Donald Trump’s June cybersecurity executive order. Trump maintained many Biden-era initiatives, but canceled a plan to require federal software vendors to submit “artifacts” that demonstrate the security of their product.

“That was really a key instance of compliance over security, requiring an excessive amount of different artifacts from each software vendor, changing requirements midstream, when software providers were already working on getting the security software development form and agencies were already working on collecting it,” Polk said, pointing to a continued requirement for agencies to collect secure software attestation forms from contractors.

How Zero trust help organizations security posture

Organizations who place Zero Trust architecture will have access control policies and definitely use micro segmentation . Required to minimize the damage from ransomware attack can cause.

Attackers not only find it more difficult to breach the system in the first place, they’re limited in their ability to expand made possible by Zero trust when put in place.

Ransomware attack, typically involves an initial infection, lateral movement and data exfiltration with or without encryption. Zero Trust implementation bring organization to address each step as it happens or before it happens. Ransomware will attack a business, consumer, or device e

According to Gartner, at least 70% of new remote access deployments will be served mainly by ZTNA instead of VPN services by 2025 — up from less than 10% at the end of 2021.

Zero trust is based on the principle of least-privilege access, meaning it has to be assumed that no user or application should be inherently trusted. Zero Trust Network Access (ZTNA) takes a completely different approach than VPNs to securing access for remote workers.

Implementing zero trust will connect users to network and no risk is involved with network. Users are connected directly to only the applications and data they need, preventing the lateral movement of malicious users with overly permissive access to sensitive data and resources.

Behavioral Analytics and Anomaly Detection with AI its much easier to detect and entity actions

Automating Threat Response and Remediation is faster with AI as, AI takes the lead in automating response measures by swift device isolation.

AI involves real time risk assessments and determines when to give access resource.

In few years from now many organization will attain the optimal posture for Zero Trust as AI and zero trust emerge as strong significant partner for a better security maturity and posture.

(Source: https://www.computer.org/csdl/magazine/co/2022/02/09714079/1AZLiSNNvIk)

Source: https://www.govcon.community/c/news-summary/trump-admin-focuses-on-zero-trust-2-0-cybersecurity-efficiencies

Hackers Weaponizing AI Extension to steal Crypto Assets Through Malicious Packages

The amount of crypto malware has doubled in the first quarter of 2025 as per research.

Kaspersky GReAT (Global Research and Analysis Team) experts have discovered open-source packages that download the Quasar backdoor and a stealer designed to exfiltrate cryptocurrency. The malicious packages are intended for the Cursor AI development environment, which is based on Visual Studio Code — a tool used for AI-assisted coding.

The fake extension, published under the name “Solidity Language,” had accumulated 54,000 downloads before being detected and removed.

What makes this attack particularly insidious is its exploitation of search ranking algorithms to position the malicious extension above legitimate alternatives.

How the Threat actors deceive the developers

During an incident response, a blockchain developer from Russia reached out to Kaspersky after installing one of these fake extensions on his computer, which allowed attackers to steal approximately $500,000 worth of crypto assets.

The threat actor behind these packages managed to deceive the developer by making the malicious package rank higher than the legitimate one. The attacker achieved this by artificially inflating the malicious package’s downloads count to 54,000.

After the malicious extension downloaded by the developer was discovered and removed from the repository, the threat actor republished it and artificially inflated its installation count to a higher number – 2 million, compared to 61,000 for the legitimate package.

The extension was removed from the platform following a request from Kaspersky.

The attackers leveraged the Open VSX registry’s relevance-based ranking system, which considers factors including recency of updates, download counts, and ratings. The attack infrastructure reveals a well-organized operation extending beyond this single incident.

In 2025, threat actors are actively publishing clones of legitimate software packages that, once installed, execute harmful payloads ranging from cryptocurrency theft to full codebase deletion.

The discovery leads us to think how cyber criminals take advantage of the trust inherent in open-source environments by embedding harmful code. All third-party code should be treated as untrusted until proven.

After installation, the victim gained no actual functionality from the extension. Instead, malicious ScreenConnect software was installed on the computer, granting threat actors remote access to the infected device.

Using this access, they deployed the open-source Quasar backdoor along with a stealer that collects data from browsers, email clients, and crypto wallets. With these tools, the threat actors were able to obtain the developer’s wallet seed phrases and subsequently steal cryptocurrency from the accounts.

Mitigation Strategies from Intruceptlabs

GaarudNode is an all-in-one solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.

Source: https://www.kaspersky.com/about/press-releases/kaspersky-uncovers-500k-crypto-heist-through-malicious-packages-targeting-cursor-developers