Data security

Blogs

Organizational Preparedness will Help Protect Against Unorthodox Cyber Attack

Type of AI based attack vectors & organizational preparedness to Threat mitigation in 2026

AI based attacks is already there and what’s more, now organizations need to protect themselves against any unorthodox attack vector’s i.e AI based. Organizational readiness to thwart any unorthodox attack vectors like AI will determine organizational security from cyber threats are.

Any preparedness by organizations to protect and combat AI powered cyber Attacks will take lot of precession as AI based attack occur at scale and speed both. In backdrop of any cyber attack that is not common how do organization’s prepare and what does statistics from 2025 reveal.

Most of AI powered attacks are not conventional in nature and traditional cybersecurity tools often struggle to respond effectively to these threat.

AI-enabled attack that organizations need to prepare for in 2026

For organizations dealing with an attack vector which are unorthodox or AI in nature require man power or skilled cyber force and tools that are automated to detect and thwart the attack before they advance towards the institutions in advance.

AI’s has capacity to process and learn vast amounts of data and in cybersecurity this is termed as powerful and presents unique challenges as well as risks. Present attack scenario we have witnessed how AI take to automate and optimize malicious activity.

For defenders AI is boon and can detect, predict and mitigate threats in real time. However, the increasing sophistication of AI-powered threats is outpacing traditional defense mechanisms.

What are the types of AI powered Attack

Hacking which is Automated and AI algorithms based, can identify and exploit vulnerabilities faster than human capabilities.
Next in line is AI- Phishing and Cybercriminals use AI to create personal and convincing phishing emails. What AI does here is to analyze data from other sources to generate highly customized messages capable of influencing.
Deepfakes are growing in form of realistic fake videos or audio impersonating public figures in order to spread misinformation, manipulate public opinion, or conduct social engineering attacks. 
Corrupting AI Models via data fed into AI systems to manipulate outcomes and is particularly concerning in critical systems. This showcases the dangerous potential of AI-powered cyber attacks.

Key findings by Organizations – AI based cyber security findings.

The evolving nature of AI means that new attack vectors are constantly being developed, making detection difficult for organizations. These are below mentioned take aways from 2025 regarding AI driven cyber threats.

  • 51% of European IT and cybersecurity professionals feared AI-driven cyber threats and deepfakes will keep them up at night in 2026
  • Only 14% feel their organizations are ‘very prepared’ to manage the risks associated with generative AI
  • Other concerns for the year ahead include regulatory complexity, ransomware attacks, and the failure to detect and respond to a breach, causing irreparable harm to the business
  • Less than half of organizations plan to hire more talent to manage and mitigate these concerns
  • In the Cisco 2025 Cybersecurity Readiness Index: 86% of business leaders with cyber responsibilities reported at least one AI-related incident over the past 12 months.
  • IBM reports that 51% of enterprises now use security AI or automation, and those organizations experience $1.8 million lower average breach costs than those without it.
  • Trend Micro’s mid-2025 scans revealed over 200 unprotected Chroma servers and 3,000+ AI components publicly exposed online, allowing data theft or model poisoning.

What do cyber security leadership require most in 2026 is having clear actionable path regarding AI based attack and threat mitigation.

A mindset change is required by CEOs, CISO’s and CXOs where focus should be to start building resilience against intelligent AI attacks.

Cybersecurity has become integral part of lives and especially 2025 was the year of cybercrimes and data breaches across verticals. As the new year commences, starting the year on a positive note with cyber-security resolutions such as

–      Prioritize employee training on evolving AI based threats
–      Enhance endpoint protection
–      Secure data & ways to scarping
–      Securing PII data during data lifecycle
–      Fortify your incident response and business continuity plans
–      Extend more focus on third-party security assessments
–      Ensure robust cloud security is aligned with data privacy regulations
–      Embrace multi-factor authentication (MFA)
–      Safeguarding against AI-driven cybercrimes.
–      Engaging often with board and leadership

Sources: https://www.isaca.org/about-us/newsroom/press-releases/2025/ai-driven-cyber-threats-are-the-biggest-concern-for-professionals-finds-new-isaca-research

Blogs

Encryption: A Foundation for Organizational Security Against Threats

Encryption is often taken as last line of defense and organizations are using encryption to secure their data. Understanding and adopting the latest encryption technologies is crucial for keeping data secure. In current scenario when attackers are equally lazed with latest technologies, companies can strengthen their cybersecurity strategies and continue to adapt encryption as last line of their defense. When organizations enhance their encryption practices today, they can protect their digital assets for the future.

As cyber attacks are evolving so as encryption advances. Now numerous key developments will shape the future of cybersecurity. Once inside the network, cyber criminals can easily view and steal sensitive data. If that data is encrypted, they have no way of accessing it without a decryption key, saving the data from being compromised.

For example, the continuous evolution of quantum computing presents challenges and opportunities for encryption. Quantum-resistant algorithms must increase in speed to enhance security against quantum attacks.

The FinWise Data Breach a Stark Example

On May 31, 2024, the ex-employee accessed FinWise Bank’s systems after leaving the company and leaked sensitive personal information belonging to 689,000 customers of American First Finance (AFF). Even more alarming, this unauthorized access went undetected for more than a year before being discovered by the bank on June 18, 2025.

The FinWise Data breach revealed lapses like time gap between the initial breach and its discovery. The Bank came to understand about the incident and notified affected customers in June 2025 which was over a year after the breach occurred. This was a huge time gap and lawsuits allege that the stolen data may not have been adequately encrypted and secured, causing public criticism and concern.

Security experts emphasize that a well-designed information protection framework must not only encrypt critical financial data but also proactively detect and prevent abnormal access attempts.

Quantum computing & Encryption

Organizations who relies on encryption to keep its critical business communications and data safe are secure now. But as per RAND, experts expect quantum computers capable of breaking today’s encryption standards to arrive by the 2030sOpens a new window .

In the latest updates The Federal Trade Commission (FTC) has sent letters to major tech companies in the United States, urging them to resist foreign governments’ demands to weaken encryption. 

The letters were sent by FTC Chairman Andrew Ferguson to Akamai, Alphabet (Google), Amazon, Apple, Cloudflare, Discord, GoDaddy, Meta, Microsoft, Signal, Snap, Slack, and X.

Traditional encryption relies on math problems that would take classical computers centuries to solve. RSA encryption, which protects much of today’s internet traffic, works because factoring massive numbers is impossibly hard for regular computers. But tomorrow’s computers will make quick work of it. According to the MIT Technology Review, researchers have shown that a quantum computer with 20 million noisy qubits could crack RSA-2048 in just 8 hoursOpens a new window .

The question is Encryption alone is sufficient to protect data

As per researchers Encryption alone is no longer sufficient to protect privacy in LLM interactions, as metadata patterns can be exploited to infer sensitive subjects and corporate intent. Researchers at Microsoft have revealed a new side channel attack named Whisper Leak that can reveal the topic of encrypted conversations between users and language models, even without access to the underlying text.

The discovery highlights a growing blind spot in AI security where encryption alone no longer guarantees privacy in model interactions.

What we must know about Whisper Leak the side channel attack

Whisper Leak exploits often exploits a side channel in network communication rather than a flaw in encryption itself. LLM services generate responses step by step, by producing one token at a time instead of the entire response at once. Also, the communications with AI-powered chatbots are often encrypted with HPPS over TLS (HTTPS), ensuring the authenticity of the server and security through encryption.

A side channel attack breaks cryptography by using information leaked by cryptography, such as monitoring the electromagnetic field (EMF) radiation emitted by a computer screen to view information before it’s encrypted in a van Eck phreaking attack, aka Transient Electromagnetic Pulse Emanation STandard (TEMPEST). 

Encryption the last line in defense & Helps Orgs Embrace GDPR

If sensitive information is no longer required, the best way to protect it is to delete it. However, when files are deleted from a hard drive they leave traces that can be reconstructed by thieves and hackers. By encrypting the files before deletion, the remnants that remain on the drive will remain encrypted and remain inaccessible should they be reconstructed. In this way, encryption protects your privacy, even when the files are gone.

Companies should, therefore, ensure that all devices leaving the workplace are encrypted. Most phones have a native encryption option that can be easily activated, while laptops can have either their hard drives or sensitive data encrypted depending on the tools an organization wants to use.

Nowadays data protection is no longer an option. Companies can’t ignore the problem and hope they won’t be targeted by malicious threat actors.

GDPR itself recommends encryption as an effective tool for data protection as do data protection standards such as the CIS Controls which advocate a data security strategy based on a combination of encryption, integrity protection and data loss prevention techniques.

At the end Encryption ensures that, whether these devices are lost, stolen or forgotten, the data on them is useless to anyone who tries to access it without a decryption key.

(Source: https://www.bleepingcomputer.com/news/security/finwise-data-breach-shows-why-encryption-is-your-last-defense/)

Sources: https://www.csoonline.com/

Blogs

Regulations for Start-Ups & SME’s Helps address Cyber Risk & Business Strategy

This decade has witnessed huge technological, digital and cyber security uprise and challenges which shaped the way of doing business and business strategy. Now every company is powered by software and technology and cybersecurity a top priority for organizations everywhere. Regulations are of high importance for business strategy and cyber risks. Startups under the Startup India initiative can self-certify their compliance with labor and environmental laws, reducing the risk of inspections and penalties.

For every start up owners placing their business for long term success is ultimate goal and positioning the business requires set of regulations that can bring both opportunities and challenges. Compliance brings in additional challenge but integrating compliance brings in transparency and subsequent valued positioning for clients who value transparency.

That’s putting a lot of pressure on cybersecurity leaders to level up their governance, risk, and compliance programs. India’s push towards digitization has transformed how businesses interact with regulators and the government has rolled out a range of tax incentives to bolster the growth of startups and SMEs. Further the government has been recognizing the role of innovation in the startup ecosystem and to further this strengthened IP protections.

Sector specific regulations

The government has also taken a proactive approach to sector-specific regulations and this has been for most important sectors from fintech to ecommerce, healthcare etc. Regulatory sandboxes by RBI and SEBI allow fintech startups to test new products in a controlled environment. New draft e-commerce rules aim to ensure transparency, fair competition, and consumer protection.

For emerging vibrant business it is important that business leaders stay abreast to staying abreast new regulatory changes that will help leverage the full potential of upcoming India’s vibrant business landscape.

Prioritizing Cyber security for Business Continuity with Regulations

Recently Akshay Joshi, head of World Economic Forum’s Centre for Cybersecurity highlighted that significant challenges lies in prioritizing cybersecurity and addressing these requires a combination of strong incentives and regulatory support,.

“There needs to be incentives that are brought into the mix for appropriate investments into cybersecurity,” Joshi said, emphasizing that regulation plays a crucial role.

As per WEF’s annual Global Cybersecurity Outlook Report, which found that roughly 70% of respondents agree that regulations are “really effective in terms of ensuring a baseline of cybersecurity.”

(Source: Startups and SMEs need incentives and regulations to prioritise cybersecurity: WEF official | Company Business News)

As startups and SME’s navigate through business challenges and every day there is a fresh rules emerging across industries, understanding their impact on business for CEO’S is crucial for staying ahead. By understanding the different types of regulations, startups can better navigate the landscape for your business.

For every start up owners placing their business for long term success is ultimate goal and positioning the business requires set of regulations that can bring both opportunities and challenges.

Without regulations in place innovation will be stalled and so the fair set up within the ecosystem. In the beginning embracing regulations may be daunting task but regulations play important role for startups specifically cyber security based start ups who are constantly battling warfare’s that is equivalent to cripple critical infrastructure and damage organizations affecting economies at a scale that is equivalent to any physical attack.

For Cyber security Startups any regulatory updates often focus on data privacy, financial practices and data security. For instance, recent data protection laws require companies to enhance their data security measures to safeguard customer data and information, This is done so to foster trust and loyalty among users and increase brand value.

There are Compliance that are driven by regulations and can pose challenges for start ups as this increases operational costs. These changes may demand additional investments in legal counsel or technology to ensure adherence.

If any Startup is handling customer data and if they invest in data protection solutions which is essential to bring in confidence for their customers. With GDPR and CCPA regulations, organizations might face fines for non-compliance and loose trust from investors that may restrict further funding.

Startups that proactively integrate compliance into their core strategy can position themselves as industry leaders, appealing to customers who value transparency.

Conclusion:

Cyber security is every where and is crucial from point of network and cloud security to AI, privacy, governance, forensics, and risk management, each domain plays a crucial role in keeping organizations resilient. For customers it means that their data is in safe hands.

Having a discipline structure and frameworks in place increases brand value.  However, cybercriminals are increasingly focused on targets that have weaker defenses and start ups are prime in their targets.

Any organization who implement regulations, audits certification and follow compliance enhances their defenses.
They might be handling sensitive data, but staying compliant with regulations like GDPR and HIPAA is essential. Regular security audits and employee training can significantly reliability and confidence among investors.

For business to thrive and grow regulations are step ahead towards creativity, innovation and growth,. This helps business to stay ahead of competitors and establish a reputation for innovation, also for avoiding penalties, legal consequences and reputational damage.

Blogs

Report says ChatGpt Atlas is Vulnerable for Users: Understanding Open-AI Agent Mode

Atlas’s autofill and form interaction capabilities present potential attack points

As per reports ChatGpt Atlas browser is vulnerable to attacks and is laced with inherent weakness in comparison to other browser like Google Chrome. As per ‘LayerX ‘who discovered the weakness in ChatGpt Atlas, described threat actors have the ability to inject malicious instructions into ChatGPT’s ‘memory’ and execute remote code and this works by way of cross-site request forgery requests.

These exploit can allow attackers to infect systems with malicious code, grant themselves access privileges or deploy malware. “Understanding “Agent Mode” is most important and core of Atlas which is not same for any traditional browsers. In traditional browser where users manually move from site to site, agent mode allows ChatGPT to semi-autonomously operate your browser.

For e.g. any user wanting to use ChatGPT for work related purposes, the malicious code planted earlier mostly tainted will be invoked automatically to execute remote code, allowing attackers to gain control of the user account .This may include their browser, code they are writing or systems they have access to.

Rate of Vulnerability is 90% A Warning for Users

The rate of vulnerability is 90% then other browsers as when an attacker wish they can push or inject  malicious instructions into ChatGPT’s Atlas ‘memory’ and later execute via remote code.

There is a more basic warning as well. “Atlas does not include meaningful anti-phishing protections, meaning that users of this browser are “up to 90% more vulnerable to phishing attacks than users of traditional browsers,” LayerX says.

Key pointers from research

ChatGPT’s Atlas is not resilient to Phishing attacks

Out of 103 in-the-wild attacks that LayerX tested 97 to go through, a whopping 94.2% failure rate

Compared to Edge (which stopped 53% of attacks in LayerX’s test) and Chrome (which stopped 47% of attacks),

ChatGPT Atlas was able to successfully stop only 5.8% of malicious web pages

Unlike traditional web browsers where you manually navigate the internet, agent mode allows ChatGPT to operate your browser semi-autonomously.

The technology works by giving ChatGPT access to your browsing context. It can see every open tab, interact with forms, click buttons and navigate between pages just as you would.

Importance of Security by Design for web browsing & How AI is intricately involved

The sandboxing approach which is security by design is to keep websites isolated from attacks and prevent malicious code from accessing data from other tabs is crucial to modern web architecture. This is the basis of modern web that depends on separation. But if its not implemented what can be the impact.

But in Atlas, the AI agent isn’t malicious code – it’s a trusted user with permission to see and act across all sites. In this browser isolation is not required. Here AI is not directly connected to the threat but what AI does is AI following a hostile command hidden in the environment. This opens doors to security and privacy risks many users are ill-equipped to handle.

Let me put an example : If you search for air tickets and visit a site , the Atlas ChatGpt will prompt and try to book a ticket or you search for movies in near by theater ,it attempts to book a ticket ”, it will explore options and try to book reservation. Atlas autofill’s and form interaction capabilities present potential attack points, especially when AI is making rapid decisions about information entry and submission.

This is possible when access is granted to ChatGPT for any browsing requirement or context that allows it to view and open tabs, interact with forms and navigate between pages like humans do.

Is User’s security getting compromised

The above example gives users warning that any AI powered browser may be convenient but not without security risks and those who are ChatGpt Atlas, should give extreme cautious before choices are made . Do not share browsing history with any AI mode, instead adopt incognito mode. Any malicious code can  influence the AI’s behavior if browsing and this can happen across multiple tabs.

In case of Atlas, the condition is more vulnerable as Atlas provides inputs like humans doing and AI in disguise executing harmful commands within the environment.

Will AI Agent or Open AI make browsing safe for users or what it means to have safe browsing.

(Source: https://www.bbc.com/news/articles/c20pdy1exxvo)

Blogs

Tenable & More Cyber Vendor’s Impacted by Third Party Salesforce Breach

Proofpoint, Tenable, CyberArk are other Third-Party vendors impacted by Salesforce Breach.

In an advisory released Tenable disclosed that it “was among the many organizations impacted” in the Salesloft Drift attacks, during which “an unauthorized user had access to a portion of some of our customers’ information stored in our Salesforce instance.”

Impacted data includes “subject lines and initial descriptions provided by our customers when opening a Tenable support case” as well as standard contact information such as name, business email address, phone number and location reference.

Tenable products and data stored in the vendor’s products, were not affected, the company said. CRN has reached out to Tenable for further comment.

Tenable stated that standard business contact information, such as customer names, email addresses, phone numbers and location details, was also accessed. At this point, the company stated there is no evidence that this information has been misused.

The information accessed by the unauthorized party was limited to data within Tenable’s Salesforce environment. This included:

  • Commonly available business contact information, such as customer names, business email addresses, and phone numbers.
  • Regional and location references associated with customer accounts.
  • Subject lines and initial descriptions that customers provided when opening a support case.

Third party vendor’s prime target of cyber attack increase Enterprise Cyber Risk

Targeting vendors indicate how critical it is to maintain third-party risk and be cautious while managing security risks associated with these external partners, focal point of target and critical for any organization’s data security.

The Tenable and other vendors being targeted increase the responsibility of enterprise based Third-party cyber risk associated as vendors can be targets for cyberattacks.

If their security measures are weak, your company’s data could be compromised. Ensuring vendors have strong cybersecurity protocols is essential to protecting sensitive information.

Enterprise security posture indicate how third-party security is a set of practices that can identify these risks and protect your organization from security threats associated with any third-party entity.

Risks arising from third-party vendors, contractors and business partners who have access to your data and systems is more then critical.

Three more well-known cybersecurity vendors have joined the lengthy list of companies impacted in the recent breach of a third-party Salesforce application, with Proofpoint, Tenable and CyberArk disclosing they were affected in the widespread Salesloft Drift attacks.

CyberArk, a publicly traded identity security vendor that Palo Alto Networks has a deal to acquire for $25 billion.

In similar pattern an unauthorized actor accessed Proofpoint’s Salesforce tenant through the compromised Drift integration and viewed certain information stored in our Salesforce instance,” the company said.

Attack module

The attacks involved stolen authentication tokens for Salesloft-owned workflow automation app Drift, which threat actors have used to steal data from Salesforce CRM systems. It’s unclear how threat actors obtained the tokens.

As per researchers, breach at Tenable was not an isolated attack but is linked to a wider, sophisticated campaign that security experts have been tracking. This campaign specifically exploits a vulnerability in the integration between Salesforce and Salesloft Drift, a popular sales engagement platform.

Security Advisory

PostgreSQL High-Severity RCE Flaws in pg_dump Utilities Allow Remote Code Execution 

Summary : Security advisory: The PostgreSQL Global Development Group has issued a security update addressing 3 security vulnerabilities and over 55 bugs, including two high-severity remote code execution (RCE) flaws in core utilities. The update applies to PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22, as well as the third beta release of PostgreSQL 18.

Severity High 
CVSS Score 8.8 
CVEs CVE-2025-8715, CVE-2025-8714, CVE-2025-8713 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These issues affect all PostgreSQL versions 13 through 17. All the administrators & users are urged to update immediately to prevent potential exploitation. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Object Name Newline Injection  CVE-2025-8715 PostgreSQL version 13-17  High  17.6, 16.10, 15.14, 14.19, 13.22  
pg_dump Restore-Time Arbitrary Code Execution CVE-2025-8714 PostgreSQL version 13-17 High  17.6, 16.10, 15.14, 14.19, 13.22  
View Access Policy Bypass via Statistics Leak CVE-2025-8713 PostgreSQL version 13-17 Low  17.6, 16.10, 15.14, 14.19, 13.22  

Technical Summary 

The PostgreSQL security update addresses three critical vulnerabilities that primarily impact its core utilities, specifically pg_dump, pg_dumpall and pg_restore. The most severe flaws, CVE-2025-8714 and CVE-2025-8715, enable remote code execution during database restoration.

These arise from improper handling of untrusted data and newline characters in dump outputs, allowing a malicious superuser from the origin server to inject arbitrary code via crafted meta-commands or object names.

When such a dump file is restored, the injected code executes on the client system as the operating system user running psql, leading to potential full system compromise. In some cases, the attack can even lead to SQL injection on the target server. The third issue, CVE-2025-8713, is lower in severity but still notable, allowing unauthorized users to infer sensitive data from optimizer statistics due to insufficient enforcement of row-level security policies. This can lead to leakage of histogram data and most common value lists from views or partitioned tables. These vulnerabilities collectively threaten data confidentiality, system integrity and operational security, especially in environments where backups are frequently restored or shared. 

CVE ID CVSS Score System Affected  Vulnerability Details Impact 
CVE-2025-8715 8.8 PostgreSQL version 13-17 Due to improper neutralization of newline characters in object names. A user with access to the origin server can craft object names containing newlines that inject psql meta-commands into the dump output. Upon restoration, these commands are interpreted and executed, leading to arbitrary code execution or even SQL injection on the restore target server. This issue was previously addressed in CVE-2012-0868 but was inadvertently reintroduced in version 11.20. Arbitrary code execution 
CVE-2025-8714 8.8 PostgreSQL version 13-17 A malicious superuser on the origin server can inject arbitrary code into a plain-format database dump via meta-commands or object definitions. When this dump is restored, the malicious code is executed by the psql client under the privileges of the system account running the restore operation. This flaw occurs due to insufficient validation of input data included in dump files. Arbitrary code execution 
CVE-2025-8713 3.1 PostgreSQL version 13-17 This allows unauthorized users to infer sensitive data by exploiting PostgreSQL’s optimizer statistics. A user can craft a leaky operator or query that bypasses access control mechanisms within views or partitioned tables. This permits access to internal statistics, such as histograms or most-common-values lists, which can expose data that row security policies are meant to hide. Unauthorized access 

Recommendations: 

Here are some recommendations below 

  • Upgrade to PostgreSQL versions 17.6, 16.10, 15.14, 14.19, 13.22, or the latest. 
  • Ensure pg_dump/restore operations are performed only with trusted data sources. 
  • Limit superuser privileges on database systems. 
  • Sanitize and audit database objects used in dumps or restores. 
  • Check for unusual meta-commands or object names in restore logs. 

Conclusion: 
Two of the vulnerabilities (CVE-2025-8714 and CVE-2025-8715) allow for arbitrary code execution. It’s the threats to system integrity and confidentiality. While not publicly exploited at the time of release, the potential severity of these flaws makes immediate patching critical.

PostgreSQL administrators should update all affected systems and review internal restore processes to avoid compromise. 

References

Blogs

Malware Uses AWS Lambda to collect data; Govt Org’s Across S E Asia affected by HazyBeacon

Data Stolen from various government based organizations across South east-Asia via State-Backed HazyBeacon Malware that Uses AWS Lambda was discovered and tracked by researchers Palo Alto Networks Unit 42 under the moniker CL-STA-1020.

Here “CL” stands for “cluster” and “STA” refers to “state-backed motivation, data collected include information about recent tariffs and trade disputes. The initial access vector used to deliver the malware is currently not known, although evidence shows the use of DLL side-loading techniques to deploy it on compromised hosts. Specifically, it involves planting a malicious version of a DLL called “mscorsvc.dll” along with the legitimate Windows executable, “mscorsvw.exe.”

Campaign execution flow

As per researchers backdoor leverages AWS Lambda URLs as command and control (C2) infrastructure. AWS Lambda URLs are a feature of AWS Lambda that allows users to invoke serverless functions directly over HTTPS.

This technique uses legitimate cloud functionality to hide in plain sight, creating a reliable, scalable and difficult-to-detect communication channel.

Figure 1 shows the high-level execution flow of this attack.

(Source: Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication)

Key points:

The malware is using a newly discovered Windows backdoor dubbed HazyBeacon.

Secondly, it exploits a legitimate feature of the AWS Lambda serverless compute service called Lambda URLs, to hide its malicious activities

AWS Lambda URLs are a part of AWS Lambda that allow users to invoke serverless functions directly over HTTPS.

In this attack, the HazyBeacon backdoor uses the service to establish C2 communications, allowing the actor to engage in covert intelligence gathering.

Researchers at Trellix, revealed the attacker tactic of using Lambda to obscure C2 activity in late June, noting that such obscurity “makes network-based detection nearly impossible without decryption or deep behavioral analysis,” according to their report.

During backdoor deployment, attackers also establish persistence on the compromised Windows endpoint by creating a Windows service named msdnetsvc, which ensures that the HazyBeacon DLL would be loaded even after rebooting the system.

Unit 42 included a list of indicators of compromise (IoCs) in the post to help identify a potential attack. Defenders can set their machine-learning models and analysis techniques to be triggered by those IoCs, as well as use behavioral threat protection to detect and block the execution of processes with malicious behavior in their cloud environments.

How the malware reaches out to serverless AWS Lambda endpoints

  • These URLs are hosted on cloud infrastructure that’s globally trusted
  • Traffic looks like regular HTTPS communication
  • Detection becomes near-impossible for traditional firewalls or EDRs

This use of cloud-native tools for C2 is a growing trend in advanced persistent threats (APTs).

South east Asia a focal point of target

The reason why Southeast Asia has increasingly becoming a focal point for cyber espionage mainly due various sensitive trade negotiations being done by countries, defense enhancement taken up by countries as a part of modernization and power alignment between U.S.–China.

Why threat actors chose this area via targeting government agencies as the data stolen carried various intelligence inputs that were based on foreign policy direction, infrastructure planning and various regulatory shifts that further influence the behavior of global markets.

HazyBeacon reflects a broader aspect and trend in cyber security related to advanced persistent threats using trusted platforms as covert channels.

This cloud-based malware cluster, similar techniques have been observed in threats using Google Workspace, Microsoft Teams, or Dropbox APIs to evade detection and facilitate persistent access.

Once the malware is on the system, it doesn’t want to leave. HazyBeacon registers itself as a Windows service, making sure it gets relaunched after every reboot.

Organizations who detect and mitigate this emerging threats also understand how attackers exploit cloud services for malicious purposes.

The misuse of AWS Lambda occurs when the malicious DLL, mscorsvc.dll, establishes a C2 channel through an AWS Lambda URL. AWS Lambda runs code in response to events without requiring server provisioning or management; the URLs feature, introduced in 2022, extends this functionality by providing customers with a way to configure dedicated HTTPS endpoints for Lambda functions.

Source: 🔍 Deep Dive: How State‑Backed HazyBeacon Malware is Weaponizing AWS Lambda & Steganography | by Abhay Haswani | Jul, 2025 | Medium

Blogs

Recent Health Care Data Breaches Highlight Importance of Proactive Leadership

Recent data breaches on healthcare organisation be it insurance provider to  big hospitals and healthcare organisation witnesses how hackers were able to compromise the protected health information of patients.

Healthcare organisations collect an enormous amount of data and these are not only personal details but includes health insurance details, payment structure and  medical records etc. These information’s are extremely important from financial point and a big lucrative market for hackers to track down and use them for gains.

In 2024 there were 1,160 healthcare related cyber breaches, exposing 305 million patients record out in dark web a marked increase of 26% in 2025.

As of March 19, 2025, 734 large data breaches have been reported to OCR, a percentage decrease of 1.74% from the 747 large healthcare data breaches reported in 2023.

While a reduction in healthcare data breaches is a step in the right direction, 2024 was the worst-ever year in terms of breached healthcare records, which jumped by 64.1% from last year’s record-breaking total to 276,775,457 breached records, or 81.38% of the 2024 population of the United States.

The Star Health Data Breach

Star Health and Allied Insurance is delaing a difficult situation where a potential exodus of top executives following a massive data breaches affecting over 30 million customers.

The breach has led to internal cybersecurity investigations, possible financial penalties up to ₹250 crore and heightened scrutiny over leadership accountability.

Employee attrition is reportedly rising with the organization, especially in tier-2 and tier-3 cities and top it all the reputational damage and operational challenges.

The hacker responsible for a major data breach at Star Health and Allied Insurance last year has reportedly claimed responsibility for sending death threats and bullet cartridges to the insurer’s top executives.

As per reports the hacker reportedly said the recent threats were triggered after being contacted by Star Health policyholders who claimed their legitimate insurance claims were denied.

Star Health, India’s biggest health insurer, has faced criticism from customers and data security experts as per Reuters. Since last September the hacker known by alias name ‘xenZen’ had leaked sensitive client data, including medical reports. At the time, xenZen told Reuters in an email they possessed 7.24 terabytes of data related to over 31 million Star Health customers and was speaking to potential buyers for the data.

This incident brings in light top leadership crisis within the organisation.

Crisis Management is broader perspective that encompasses leadership decisions, communication strategies, stakeholder engagement, business continuity, fiscal management, and long-term reputational considerations.

Healthcare specific Cyber security performance goal(CPGs)

With record numbers of healthcare records being compromised, it is clear that more needs to be done to improve healthcare cybersecurity.

Beginning of 2024, the HHS’ Office for Civil Rights published two sets of healthcare-specific cybersecurity performance goals (CPGs).

In December 2024, the HHS published a long-awaited proposed update to the HIPAA Security Rule that will, if enacted, force healthcare organizations to implement a range of measures to improve their security posture. The proposed update includes some of the recommended measures in the CPGs, such as multifactor authentication, encryption for data at rest and in transit, mitigating known vulnerabilities, network segmentation, maintaining an accurate asset inventory and cyber security testing.

Stable Leadership to deal with un-certainties  of cyber threats

Organisations under stable leadership must undertake a rigorous risk-assessment process that encompasses disaster mitigation. This will include cyber incident recovery and business continuity planning to support the resilience of critical health care functions and systems. 

With strong new leadership companies can adopt bold steps to regain trust by investing heavily in cyber security infrastructure. This is led by launching new products focused on identity protection.

Having a transparent approach in addressing vulnerabilities and commitment to innovation will help restore customer confidence and set a new industry standard for data protection. To turn cybersecurity threats into oppertunites, CEO and CISO’s must embrace a multifaceted leadership approach to deal with advance cyber tactics employed by hackers and cyber criminals.

To go beyond technical solutions and extends to cultural, strategic and operational changes.

Adopting a cyber-security first culture within the Organization

  • First and foremost it is important to foster a security-first culture within an organization is critical. This will involve embedding cyber security considerations into every level of business decision-making.
  • Organisations and top leadership taking decisions from development to customer engagement. Leadership must set the tone by prioritizing security as a fundamental business value .
  • Cyber security training a must within the organisation will help build a culture that requires continuous reinforcement through regular training, internal etc.
  • The next step would be ad frameworks that allow businesses to quickly pivot in response to emerging risks.
  • The next step would be adopting frameworks that will allow business to quickly scale and impose proper response during emergency or any cyber threat.
  • The growing cyber risk is also an opportunity for cyber security leadership to stay ahead of their adversaries by improving certain aspects like involving real time threat visibility, gathering actionable insights from industry partners etc.. This will enable proactive security measures  that is resilient in building a cyber-security strategy . To reduce the after affect of breaches, top leadership must adopt cross-functional collaboration and investing in ongoing education to create a more security-conscious workforce.
  • All in all a proactive cyber security strategy will help organizations and this is possible by embracing innovation and having a transparent and proactive leadership.

A strong leadership will help to mitigate risks and enhance organisations competitive standing in the market. This can be followed by Iidentifing not only technical vulnerabilities but also operational weaknesses, supply chain risks, and human factors or insider threat .

.

Security Advisory

Spoofing Vulnerability in WhatsApp Desktop for Windows

Summary 

Be careful when you open that file in whatapp, it might have that spoofing flaw allowing Arbitrary Code Execution (CVE-2025-30401) and affects all versions of WhatsApp Desktop for Windows prior to 2.2450.6, and stems from a bug .

Overview 

The vulnerability has been fixed in version 2.2450.6. WhatsApp has and will always be an attractive field for attackers and this particular bug does require user interaction – the victim has to manually open the malicious attachment for the payload to run.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
 Spoofing Vulnerability  CVE-2025-30401  WhatsApp Desktop for Windows  Medium  2.2450.6 

Technical Summary 

The vulnerability results from WhatsApp for Windows’s different handling of attachments. It opens files depending on their filename extension while displaying files based on their MIME type. This mismatch allows attackers to spoof file types and trick users into launching malicious executables. 

Example Scenario: 

An attacker sends a file named cat.jpg.exe with a MIME type of image/jpeg. WhatsApp displays the file as an image (because of the MIME type), misleading the user. If the user manually opens the attachment from within WhatsApp, Windows uses the .exe extension to execute the file — potentially launching malicious code. 

This form of UI spoofing can be especially effective in group chats, where malicious attachments may be distributed widely and appear harmless. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-30401   WhatsApp Desktop for Windows (<2.2450.6)  MIME type used for display, but file extension used for execution.

A mismatch between the two could allow a file to appear harmless (e.g., image), while actually being executable (e.g., .exe). 		 Remote Arbitrary code execution 

Remediation

  • Official Patch Available: The vulnerability has been resolved by Meta (formerly Facebook). Users should update WhatsApp for Windows to version 2.2450.6 or latest version. 

Conclusion: 

CVE-2025-30401 is a key example of how inconsistent file processing in the user interface can result in serious security threats. Attackers can create misleading payloads that can run arbitrary code by taking advantage of users’ faith in how apps display attachments.

Due to the possibility of remote exploitation, users should update to the latest WhatsApp version 2.2450.6 or later. Patching should be done right away to avoid any compromise. 

Be careful when you click attachments.

References: 

Blogs

Leadership role in Effective Vulnerability Management

Leadership role in Vulnerability Management

Continue Reading
Scroll to top