Phishing

Organizational Preparedness Will Help Protect Against Unorthodox Cyber Attacks

Types of AI-based attack vectors and organizational preparedness for threat mitigation in 2026

AI-based attacks are already here, and organizations now need to protect themselves against unorthodox attack vectors, i.e. AI-driven ones. Organizational readiness to thwart such vectors will determine how well an organization is protected from cyber threats.

Preparing to protect against and combat AI-powered cyber attacks takes precision, because AI-based attacks operate at both scale and speed. Against an attack that is not of the common kind, how do organizations prepare, and what do the statistics from 2025 reveal?

Most AI-powered attacks are not conventional in nature, and traditional cybersecurity tools often struggle to respond effectively to these threats.

AI-enabled attacks that organizations need to prepare for in 2026

Organizations dealing with an unorthodox or AI-driven attack vector need a skilled cyber workforce and automated tooling that can detect and thwart the attack before it advances into the institution.

AI can process and learn from vast amounts of data. In cybersecurity that capability is powerful, but it also presents unique challenges and risks: in the present attack landscape we have already seen how AI is used to automate and optimize malicious activity.

For defenders AI is a boon: it can detect, predict and mitigate threats in real time. However, the increasing sophistication of AI-powered threats is outpacing traditional defense mechanisms.

What are the types of AI-powered attacks?

Automated hacking: AI algorithms can identify and exploit vulnerabilities faster than humans can.
AI phishing: cybercriminals use AI to create personal and convincing phishing emails. The AI analyzes data from other sources to generate highly customized messages capable of influencing the recipient.
Deepfakes: realistic fake videos or audio impersonating public figures are growing, used to spread misinformation, manipulate public opinion, or conduct social engineering attacks.
Corrupting AI models: poisoning the data fed into AI systems to manipulate their outcomes is particularly concerning in critical systems, and shows the dangerous potential of AI-powered cyber attacks.

Key findings from organizations: AI-based cyber security research

The evolving nature of AI means that new attack vectors are constantly being developed, which makes detection difficult for organizations. Below are the key takeaways from 2025 regarding AI-driven cyber threats.

  • 51% of European IT and cybersecurity professionals fear that AI-driven cyber threats and deepfakes will keep them up at night in 2026
  • Only 14% feel their organizations are ‘very prepared’ to manage the risks associated with generative AI
  • Other concerns for the year ahead include regulatory complexity, ransomware attacks, and the failure to detect and respond to a breach, causing irreparable harm to the business
  • Less than half of organizations plan to hire more talent to manage and mitigate these concerns
  • In the Cisco 2025 Cybersecurity Readiness Index: 86% of business leaders with cyber responsibilities reported at least one AI-related incident over the past 12 months.
  • IBM reports that 51% of enterprises now use security AI or automation, and those organizations experience $1.8 million lower average breach costs than those without it.
  • Trend Micro’s mid-2025 scans revealed over 200 unprotected Chroma servers and 3,000+ AI components publicly exposed online, allowing data theft or model poisoning.

What cyber security leadership needs most in 2026 is a clear, actionable path for mitigating AI-based attacks and threats.

A mindset change is required from CEOs, CISOs and CXOs: the focus should be on building resilience against intelligent AI attacks.

Cybersecurity has become an integral part of our lives, and 2025 in particular was a year of cybercrime and data breaches across verticals. As the new year commences, start it on a positive note with cyber-security resolutions such as:

–      Prioritize employee training on evolving AI-based threats
–      Enhance endpoint protection
–      Secure data and guard against data scraping
–      Secure PII across the whole data lifecycle
–      Fortify your incident response and business continuity plans
–      Put more focus on third-party security assessments
–      Ensure robust cloud security that is aligned with data privacy regulations
–      Embrace multi-factor authentication (MFA)
–      Safeguard against AI-driven cybercrime
–      Engage often with the board and leadership

Sources: https://www.isaca.org/about-us/newsroom/press-releases/2025/ai-driven-cyber-threats-are-the-biggest-concern-for-professionals-finds-new-isaca-research

Evolving Phishing Scams & Costs Incurred by Organizations in 2025

The purpose of any phishing scam is to trick unsuspecting victims or organizations into taking a specific action, which can range from clicking a malicious link to downloading a harmful file or sharing login credentials. The effectiveness of phishing attacks stems from their use of social engineering techniques that exploit human psychology and behavior. In 2025 we witnessed how evolving phishing scams affected organizations financially.

Phishing scams often create a sense of urgency or curiosity, prompting victims to act quickly without verifying the authenticity of the incoming request. As technology evolves, phishing tactics evolve with it, making these attacks increasingly sophisticated and hard to detect. In the coming years we will see AI power more phishing attacks, from text-based impersonation to deepfake communications, and these will become cheaper and more popular with threat actors.

A survey by Statista found that ransomware infections were caused by:

  • 54% Phishing
  • 27% Poor user practices / gullibility
  • 26% Lack of cybersecurity training
  • 14% Malicious websites

In this blog we highlight the latest phishing statistics that emerged in 2025, how they affected organizations, and how phishing scams are changing.

The APWG report measures unique phishing sites, which is the primary measure of reported phishing across the globe. It is determined from the unique phishing URLs found in phishing emails reported to APWG's repository.

In the first quarter of 2025, APWG observed 1,003,924 phishing attacks. This was the largest quarterly total since 1.07 million were observed in Q4 2023. The number has climbed steadily over the last year: from 877,536 in Q2 2024, to 932,923 in Q3, to 989,123 in Q4. One of the reasons cited is that advances in AI are making it easier for criminals to create convincing and personalized phishing lures.

Hoxhunt's findings on phishing-related attacks in 2025

Business email compromise (BEC): A staggering 64% of businesses report facing BEC attacks in 2024, with a typical financial loss averaging $150,000 per incident. These phishing attacks frequently target employees with access to financial systems, mimicking executives or trusted contacts.
Credential phishing: Around 80% of phishing campaigns aim to steal credentials, particularly targeting cloud-based services like Microsoft 365 and Google Workspace. With the growing reliance on cloud platforms, attackers use realistic fake login pages to deceive users.
HTTPS phishing: An increasing number of phishing sites use HTTPS to appear legitimate. In 2024, approximately 80% of phishing websites used HTTPS, which complicates detection for users (the padlock proves only that the connection is encrypted, not that the site is genuine).
Voice phishing (vishing): Vishing attacks are growing in prevalence, with 30% of organizations reporting instances where threat actors used fake calls to impersonate officials or executives.
Quishing (QR code phishing): QR code phishing attacks increased by 25% year-over-year, as attackers exploit physical spaces like posters or fake business cards to lure victims.
AI-driven attacks: AI is powering phishing attacks, with deepfake impersonations increasing by 15% in the last year. These attacks often target high-value individuals in finance and HR.
Multi-channel phishing: Attackers are increasingly exploiting platforms like Slack, Teams, and social media. Around 40% of phishing campaigns now extend beyond email, reflecting a shift to these channels.
Government agency impersonation: Phishing emails mimicking government bodies such as the IRS or international tax agencies have increased by 35%. These often involve claims about overdue taxes or fines.
Phishing kits: The availability of ready-to-use phishing kits on the dark web has risen by 50%, enabling less sophisticated attackers to deploy high-quality phishing schemes.
Brand impersonation: Attackers frequently impersonate well-known brands like Microsoft, Amazon, and Facebook, leveraging user trust. For example, over 44,750 phishing attacks specifically targeted Facebook over the past year by embedding its name in domains and subdomains.

Cost of Phishing attacks

According to the 2024 IBM / Ponemon Cost of a Data Breach study, the average cost of a data breach rose by nearly 10% from 2023 to 2024, from $4.45m to $4.88m. That's the biggest jump since the pandemic.

The IBM study reported the following costs:

  • Phishing breaches: $4.88M
  • Social engineering: $4.77M
  • BEC: $4.67M

The categories listed above are all people-targeted attacks; BEC, social engineering, and stolen credentials usually contain a phishing element.

Barracuda research found that email remains the most common attack vector for cyber threats and highlighted these key findings:

1 in 4 email messages are malicious or unwanted spam.

83% of malicious Microsoft 365 documents contain QR codes that lead to phishing websites.

20% of companies experience at least one account takeover (ATO) incident each month.

Nearly one-quarter of all HTML attachments are malicious and more than three-quarters of companies are not actively preventing spoofed emails.

Bitcoin sextortion scams, an emerging trend, account for 12% of malicious PDF attachments.

Nearly half of all companies have not configured a DMARC policy, putting them at risk of email spoofing, phishing attacks, and business email compromise.
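The last two Barracuda findings (spoofing not prevented, DMARC not configured) are things a defender can check for their own domain in minutes. The script below is an added example, not part of the Barracuda report: it evaluates SPF and DMARC TXT records as strings, so it runs offline, and the `WEAK` and `HARDENED` record pairs are constructed for illustration rather than taken from any real domain. A practitioner would feed it the output of `dig TXT example.com` and `dig TXT _dmarc.example.com`.

```python
"""Assess whether a domain's SPF + DMARC records actually stop spoofing.

Added example; record strings are constructed, not real DNS data.
"""
from typing import Optional

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: Optional[str]) -> list:
    """Findings for a DMARC record; an empty list means the policy is enforcing."""
    if record is None:
        return ["no DMARC record: spoofed mail is delivered without any policy"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a valid DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: monitoring only, spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    sub = tags.get("sp")
    if sub and sub not in ("quarantine", "reject"):
        findings.append(f"sp={sub}: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings

def assess_spf(record: Optional[str]) -> list:
    """Findings for an SPF record: weak 'all' qualifier or too many DNS lookups."""
    if record is None:
        return ["no SPF record"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not a valid SPF record (missing v=spf1)"]
    findings = []
    if "+all" in terms or "all" in terms:        # a bare 'all' means '+all'
        findings.append("+all: any host may send as this domain")
    elif "?all" in terms:
        findings.append("?all: neutral, SPF provides no protection")
    elif "~all" in terms:
        findings.append("~all: softfail only; advisory unless DMARC enforces")
    elif "-all" not in terms:
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
    # RFC 7208 caps DNS-lookup mechanisms at 10; beyond that SPF is a permerror.
    lookups = 0
    for t in terms[1:]:
        mech = t.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].lower()
        if mech in ("include", "a", "mx", "ptr", "exists") or t.lower().startswith("redirect="):
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: exceeds the 10-lookup limit (permerror)")
    return findings

def spoofable(config: dict) -> bool:
    """True unless DMARC is enforcing (p=quarantine/reject at pct=100)."""
    tags = parse_dmarc(config.get("dmarc") or "")
    enforcing = (tags.get("v") == "DMARC1"
                 and tags.get("p") in ("quarantine", "reject")
                 and int(tags.get("pct", "100")) == 100)
    return not enforcing

# Constructed sample configurations: the common weak setup beside a hardened one.
WEAK = {
    "spf": "v=spf1 include:_spf.example.net ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.example.net -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "spoofable" if spoofable(cfg) else "protected",
              assess_spf(cfg["spf"]) + assess_dmarc(cfg["dmarc"]))
```

Note that `p=none` with a `rua` address is the right first step (collect reports, find legitimate senders you forgot), but it is only a first step; the domain stays spoofable until the policy moves to `quarantine` or `reject`.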

The Barracuda research also found that one in four emails is either malicious or unwanted spam, and that malicious attachments are prevalent across file types.

An alarming 87% of binaries detected were malicious, highlighting the need for strict policies against executable files being sent via email, since they can directly install malware. Despite a relatively low total volume, HTML files have a high malicious rate of 23% and are often used for phishing and credential theft.

The research says small businesses are more vulnerable to email threats because they have limited cybersecurity resources and smaller IT teams and rely on basic email security solutions. They may not have the solutions required to handle sophisticated attacks such as business email compromise (BEC), phishing and ransomware.

How organizations can strengthen their defenses

As organizations set out to strengthen their defenses, it is crucial they do not overlook the human element and cybersecurity hygiene. That starts with building security in at every step, beginning by ensuring that every user, machine or system has only the access privileges it needs.

Cybersecurity is as much a cultural issue as a technical one. Since a single click can compromise an entire organization, behavior has to shift from compliance to accountability.

Researchers emphasize that a successful phishing attack works by exploiting human trust and familiarity with corporate communication formats. Security awareness remains the strongest defense, while the growing complexity of these campaigns indicates that phishing operations are increasingly automated, data-driven and adaptive.

Conclusion: As organizations adopt AI, attackers are continuously refining their tactics to evade traditional security measures. Organizations must mitigate the risk by adopting a multi-layered approach to email security, including AI-driven threat detection, real-time monitoring and user awareness training.

Phishing Detection & DeepPhish

Traditional rule-based phishing detection relies on blacklists and predefined rules. DeepPhish instead continuously learns from new phishing attempts, which makes it adaptive and effective against evolving threats.

DeepPhish employs a multi-layered AI approach to detect phishing threats: email and website analysis uses ML algorithms to learn from historical phishing attacks and identify new patterns, and NLP lets DeepPhish analyze email content, message tone, and the linguistic patterns that phishers use to trick users.
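To make concrete what "analyzing email content and linguistic patterns" means, here is an added example (not DeepPhish's code, and a hand-written heuristic rather than a trained model) that scores a raw RFC 822 message on the signals a learned classifier typically picks up: a display name that names a brand the sender domain does not belong to, urgency language, a Reply-To on a different domain, and a link whose visible text shows one host while its href goes to another. The two messages are constructed; the `.example` domains are reserved placeholders, and `TRUSTED_BRANDS` is a deliberately tiny stand-in for a real brand-to-domain list.

```python
"""Heuristic phishing triage on a raw email. Added example; messages are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|suspended|verify your account|action required|unusual sign-in)\b",
    re.I)
# Hypothetical brand -> registrable domain map; a real deployment would use a full list.
TRUSTED_BRANDS = {"microsoft": "microsoft.com", "google": "google.com", "paypal": "paypal.com"}

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); a real tool would consult the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def score_message(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    signals = []

    # 1. Display name claims a brand that the sending domain does not belong to.
    for brand, domain in TRUSTED_BRANDS.items():
        if brand in display.lower() and registrable(sender_domain) != domain:
            signals.append(f"display name '{display}' but sender domain {sender_domain}")
    # 2. Urgency / account-threat language in the body.
    if URGENCY.search(text):
        signals.append("urgency language")
    # 3. Anchor text shows one host, href points at another (classic credential lure).
    parser = LinkExtractor()
    parser.feed(text)
    for href, visible in parser.links:
        href_host = urlparse(href).hostname or ""
        visible_host = urlparse(visible if "://" in visible else "http://" + visible).hostname or ""
        if "." in visible_host and registrable(visible_host) != registrable(href_host):
            signals.append(f"link text {visible_host} -> {href_host}")
    # 4. Replies are steered to a domain other than the sender's.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_to and registrable(reply_to) != registrable(sender_domain):
        signals.append(f"reply-to domain {reply_to}")

    return {"score": len(signals), "signals": signals,
            "verdict": "suspicious" if len(signals) >= 2 else "ok"}

# Constructed samples: one credential lure, one ordinary message.
SAMPLE = """From: "Microsoft Account Team" <security@mail-alerts-365.example>
Reply-To: helpdesk@login-verify.example
To: victim@example.com
Subject: Unusual sign-in activity
Content-Type: text/html; charset=utf-8

<html><body><p>We detected an unusual sign-in. Your account will be suspended unless you
<a href="https://login-verify.example/m365">https://login.microsoftonline.com</a>
verify your account within 24 hours.</p></body></html>
"""
BENIGN = """From: "Alice" <alice@example.com>
To: bob@example.com
Subject: Lunch
Content-Type: text/plain; charset=utf-8

See you at noon.
"""

if __name__ == "__main__":
    print(score_message(SAMPLE))
    print(score_message(BENIGN))
```

The point of the example is not the four rules themselves but that each one is a feature a model can learn weights for; a rule-based filter has to be told about every new lure wording, whereas a trained classifier picks up the next variant from labelled samples.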

(Source: APWG.org)

(Source: https://www.barracuda.com/reports/2025-email-threats-report)

(Sources: hoxhunt.com)

Unpatched Systems and Software Expose Businesses to Cyber Threats

Remember when Qantas, Australia's flagship airline, confirmed a cyberattack exposing data from its frequent flyer program and customer accounts? The data of up to 6 million customers was affected, a staggering number. Exploits are malicious programs designed to take advantage of bugs or vulnerabilities in unpatched software or operating systems to gain unauthorised access. When left unpatched, these weak points act as open doors for cybercriminals.

Kaspersky research shows that the share of exploits targeting critical vulnerabilities in operating systems reached 64% in Q2 2025 (up from 48% in Q1 2025), with third-party apps (29%) and browsers (7%) following.

The breach originated from a third-party customer service platform, proving that even indirect systems can expose millions of records. It was presented as a case of unpatched software, but Qantas denied that its service platform was vulnerable and said there was no sign that the platform had been compromised.

Similarly, 1.5 billion records across 760 global companies were exposed when Salesforce customers were hit: the hacking group claimed to have breached Salesforce tenants through compromised integrations with third-party tools like Drift and SalesLoft, stealing huge amounts of CRM data. The Salesloft Drift cyberattack may also have compromised some Google Workspace accounts.

The above cases are all about software vulnerabilities left unpatched. The latest data from cybersecurity and privacy company Kaspersky reveals that existing vulnerabilities in business networks continue to leave Malaysian enterprises exposed to cyberattacks.

Globally, in Q2 2025, the most common exploits targeted vulnerable Microsoft Office products with unpatched security flaws, according to Kaspersky’s findings. Its solutions detected the most exploits on the Windows platform for the following vulnerabilities:

  • CVE-2018-0802: Remote code execution vulnerability in the Equation Editor component
  • CVE-2017-11882: Another remote code execution vulnerability in Equation Editor
  • CVE-2017-0199: Vulnerability in Microsoft Office and WordPad allowing attackers to gain control of the system

(Source: Kaspersky: Unpatched Systems Expose Malaysian Businesses To Exploits – TechTRP)

The report also revealed that the top 10 most exploited vulnerabilities included both new zero-day flaws and older unpatched issues that organisations continue to overlook. A zero-day vulnerability is a software flaw that attackers discover and exploit before the vendor has released a fix. Because no patch exists at the time, zero-day attacks often succeed.

Key findings from Kaspersky reports to secure your unpatched systems

  • Increased Exploitation: In the first half of 2025, more Windows and Linux users encountered vulnerability exploits compared to the previous year.
  • Targeted Vulnerabilities: Common exploits in Q2 2025 targeted Microsoft Office products with unpatched security flaws, such as those in the Equation Editor (CVE-2018-0802 and CVE-2017-11882).
  • End of Support: The end of free support for Windows 10 means millions of users will no longer receive critical security patches, leaving their systems vulnerable to new threats.
  • High volume of attacks: Kaspersky solutions blocked over 700,000 exploits targeting Indian organizations in the first half of 2025, averaging more than 4,000 per day

“Attackers increasingly use methods to escalate privileges and exploit weaknesses in digital systems. As the number of vulnerabilities continues to grow, it is very important to constantly prioritize patching known vulnerabilities and use software that can mitigate post-exploitation actions. CISOs should counter the consequences of exploitation by searching for and neutralizing command and control implants that can be used by attackers on a compromised system,” says Alexander Kolesnikov, a security expert at Kaspersky.

What can businesses do to remain secure from cyber threats when systems are unpatched?

Legacy systems and applications lack ongoing vendor support, leaving remote code execution vulnerabilities open to exploitation. These attacks enable full system control with little user interaction.

How to Fix:

Apply host-based intrusion prevention and virtual patching, and replace or containerize legacy apps. Isolate critical workloads in secure enclaves, since legacy systems are prone to every kind of cyber threat and intrusion.

Further recommendations:

Conduct 24/7 monitoring of your infrastructure, focusing on perimeter defenses and using tools that can detect and block malicious software.

  • Utilize solutions for vulnerability assessment, patch management
  • Prioritize defense strategies and threat detection for phishing emails and web threats
  • Deploy comprehensive cybersecurity solutions that include incident response, employee training, and access to updated threat intelligence.
  • Implement a robust patch management process

Shai-Hulud NPM Supply Chain Attack Expands to 470+ Packages 

Summary: A large-scale malicious campaign, nicknamed the Shai-Hulud attack, has impacted the npm ecosystem with over 500 trojanized packages, including packages maintained by CrowdStrike. The attack originated from a sophisticated phishing campaign that exploited the fundamental trust relationships within the npm ecosystem.

The JavaScript ecosystem is under massive threat following this major supply chain attack, and millions of crypto users and developers are now at risk. With more than a billion downloads of these packages already, thousands of blockchain wallets and applications could suffer various exploits.

  • Malicious npm updates spread malware that steals and replaces crypto addresses.
  • Developers are encouraged to cease on-chain operations and inspect HD wallets thoroughly.

The attackers injected malicious scripts that:

  • Run secret-scanning tools on developer systems, 
  • Steal GitHub, npm and cloud credentials, 
  • Insert persistent GitHub Actions workflows for long-term access, and 
  • Exfiltrate sensitive data to attacker-controlled endpoints. 

This attack is ongoing and all users of npm packages should take immediate steps to secure tokens, audit their environments and verify package integrity. 

Issue Details 

Initial discovery on September 14, 2025, when suspicious versions of @ctrl/tinycolor and ~40 other packages were flagged. By September 16, the attack had spread to include CrowdStrike-namespaced packages and dozens from @ctrl, @nativescript-community, rxnt, @operato, and others. 

Malware behavior 

  • Downloads and runs TruffleHog, a legitimate secret scanner. 
  • Harvests secrets from local machines and CI/CD agents (npm tokens, GitHub PATs, AWS/GCP cloud keys). 
  • Writes malicious workflows into .github/workflows (shai-hulud-workflow.yml). 
  • Continuously exfiltrates findings to a fixed webhook endpoint or pushes them into new GitHub repos under the victim’s account. 

Attack Flow 

Here are some popular packages with affected versions 

Package – Affected versions
@ctrl/ngx-codemirror – 7.0.1, 7.0.2
@ctrl/tinycolor – 4.1.1, 4.1.2
@crowdstrike/foundry-js – 0.19.1, 0.19.2
@crowdstrike/logscale-dashboard – 1.205.1, 1.205.2
@nativescript-community/sqlite – 3.5.2 to 3.5.5
@nativescript-community/text – 1.6.9 to 1.6.13
@nstudio/nativescript-checkbox – 2.0.6 to 2.0.9
@nstudio/angular – 20.0.4 to 20.0.6
eslint-config-crowdstrike – 11.0.2, 11.0.3
remark-preset-lint-crowdstrike – 4.0.1, 4.0.2

Attack Indicators 

Malicious Workflow Filenames 

  • .github/workflows/shai-hulud-workflow.yml 
  • .github/workflows/shai-hulud.yaml 

Exfiltration Endpoint 

  • hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 

Hashes of Malicious Payloads 

SHA-256 hash – Notes
46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09 – Large batch, Sept 15–16
b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777 – CrowdStrike-related packages burst (Sept 16)
de0e25a3e6c1e1e5998b306b7141b3dc4c0088da9d7bb47c1c00c91e6e4f85d6 – First observed compromise (Sept 14)
81d2a004a1bca6ef87a1caf7d0e0b355ad1764238e40ff6d1b1cb77ad4f595c3 – Sept 14 small burst
83a650ce44b2a9854802a7fb4c202877815274c129af49e6c2d1d5d5d55c501e – ~25 packages, Sept 14
4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db – Burst of ~17 packages, Sept 14–15
dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c – Multiple reuse across Sept 15–16

Recommendations

Organizations and developers using npm should take immediate actions: 

  1. Uninstall or downgrade 
    Pin dependencies to known-safe versions until patched releases are confirmed. 
  2. Rotate credentials 
    Immediately revoke and reissue: 
    • npm access tokens 
    • GitHub personal access tokens / org tokens 
    • Cloud credentials (AWS, GCP, Azure) 
  3. Audit systems 
    • Inspect developer machines and CI/CD build agents for signs of the malicious bundle.js. 
    • Check .github/workflows for unauthorized files named “shai-hulud-*”. 
    • Review repositories for suspicious commits or new repos labeled “Shai-Hulud Migration”. 
  4. Monitor and log 
    • Search event logs for unusual npm publish activity. 
    • Investigate GitHub Actions runs designed to exfiltrate secrets. 
  5. Harden pipelines 
    • Pin package versions and use integrity checks (e.g. lockfiles, checksums). 
    • Limit exposure of sensitive tokens in build environments. 
    • Rotate all build-related secrets regularly. 
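The audit steps above (check pinned versions, look for the dropped workflow file, look for the exfiltration endpoint) can be run against every checkout in a build farm with a short script. The one below is an added example, not CrowdStrike's or npm's tooling: it reads `package-lock.json` (lockfile v2/v3 `packages` map, falling back to the v1 `dependencies` tree), flags the affected versions from the table above, lists `shai-hulud*` files under `.github/workflows`, and greps the tree for the webhook.site indicator. The sample repository it builds in a temporary directory is constructed for the demonstration.

```python
"""Audit a checkout for Shai-Hulud indicators. Added example; sample repo is constructed."""
import json
import tempfile
from pathlib import Path

# Affected versions from the advisory table (package -> exact versions).
AFFECTED = {
    "@ctrl/ngx-codemirror": ["7.0.1", "7.0.2"],
    "@ctrl/tinycolor": ["4.1.1", "4.1.2"],
    "@crowdstrike/foundry-js": ["0.19.1", "0.19.2"],
    "@crowdstrike/logscale-dashboard": ["1.205.1", "1.205.2"],
    "@nativescript-community/sqlite": ["3.5.2", "3.5.3", "3.5.4", "3.5.5"],
    "@nativescript-community/text": ["1.6.9", "1.6.10", "1.6.11", "1.6.12", "1.6.13"],
    "@nstudio/nativescript-checkbox": ["2.0.6", "2.0.7", "2.0.8", "2.0.9"],
    "@nstudio/angular": ["20.0.4", "20.0.5", "20.0.6"],
    "eslint-config-crowdstrike": ["11.0.2", "11.0.3"],
    "remark-preset-lint-crowdstrike": ["4.0.1", "4.0.2"],
}
WEBHOOK_IOC = "webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7"

def lockfile_hits(lock: dict) -> list:
    """(package, version, where) for every affected pin; also flags pins with no integrity hash."""
    hits = []
    packages = lock.get("packages")
    if packages:                                   # lockfileVersion 2/3
        for path, meta in packages.items():
            if not path:                           # "" is the root project entry
                continue
            name = path.split("node_modules/")[-1]
            ver = meta.get("version")
            if ver in AFFECTED.get(name, []):
                hits.append((name, ver, path))
            elif "integrity" not in meta and not meta.get("link"):
                hits.append((name, ver, path + " [no integrity field]"))
        return hits
    def walk(deps, prefix):                        # lockfileVersion 1 tree
        for name, meta in deps.items():
            ver = meta.get("version")
            if ver in AFFECTED.get(name, []):
                hits.append((name, ver, prefix + name))
            walk(meta.get("dependencies", {}), prefix + name + ">")
    walk(lock.get("dependencies", {}), "")
    return hits

def workflow_hits(repo: Path) -> list:
    """Workflow files whose names match the shai-hulud-* pattern."""
    wf = repo / ".github" / "workflows"
    return sorted(p.name for p in wf.glob("shai-hulud*")) if wf.is_dir() else []

def ioc_hits(repo: Path) -> list:
    """Files (relative POSIX paths) that contain the exfiltration webhook URL."""
    found = []
    for p in repo.rglob("*"):
        if p.is_file() and p.stat().st_size < 5_000_000:
            try:
                if WEBHOOK_IOC in p.read_text(errors="ignore"):
                    found.append(p.relative_to(repo).as_posix())
            except OSError:
                pass
    return sorted(found)

def audit(repo: Path) -> dict:
    lock_path = repo / "package-lock.json"
    lock = json.loads(lock_path.read_text()) if lock_path.exists() else {}
    return {"packages": lockfile_hits(lock),
            "workflows": workflow_hits(repo),
            "ioc_files": ioc_hits(repo)}

def build_sample_repo() -> Path:
    """Constructed checkout: one compromised pin, one clean pin, one dropped workflow."""
    repo = Path(tempfile.mkdtemp(prefix="shai-hulud-demo-"))
    lock = {"name": "demo", "lockfileVersion": 3, "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/@ctrl/tinycolor": {"version": "4.1.2", "integrity": "sha512-demo"},
        "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-demo"},
    }}
    (repo / "package-lock.json").write_text(json.dumps(lock))
    wf = repo / ".github" / "workflows"
    wf.mkdir(parents=True)
    (wf / "ci.yml").write_text("name: ci\n")
    (wf / "shai-hulud-workflow.yml").write_text(
        "on: push\njobs:\n  x:\n    steps:\n      - run: curl https://" + WEBHOOK_IOC + "\n")
    return repo

if __name__ == "__main__":
    print(json.dumps(audit(build_sample_repo()), indent=2))
```

Any non-empty result should be treated as a compromised build environment, not just a bad dependency: rotate the npm, GitHub and cloud tokens that were reachable from that machine before rebuilding, since the payload harvests them before it propagates.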

 
Conclusion 
This incident is one of the most significant compromises of the npm ecosystem to date, impacting hundreds of widely used packages across various namespaces.

The attackers' tactics, such as credential theft, manipulation of GitHub workflows, and widespread package propagation, highlight the growing sophistication of modern supply chain attacks.

Developers and organizations are strongly advised to take immediate action by removing affected package versions, rotating any exposed secrets, auditing their build environments and strengthening CI/CD security. Continuous monitoring and rapid response are essential to reducing risk and maintaining trust in open-source software. 

The attack's operation at the browser API level revealed critical blind spots in enterprise security monitoring, particularly for organizations handling cryptocurrency transactions.

VoidProxy PhaaS Uses MFA Bypass, Hijacking Google & Microsoft Logins

Security Advisory

Security researchers from Okta have uncovered a stealthy and sophisticated Phishing-as-a-Service (PhaaS) framework known as VoidProxy.

It has been used to hijack Microsoft, Google and even integrated SSO accounts protected by providers like Okta. Unlike traditional phishing kits, VoidProxy employs Adversary-in-the-Middle (AiTM) tactics to capture credentials and MFA tokens in real time, bypassing several standard authentication protections.

VoidProxy's infrastructure leverages disposable domains, Cloudflare protections and dynamic DNS, all of which mimic legitimate enterprise setups and make it extremely difficult to detect and analyze. Attackers can run phishing campaigns with little technical effort, enabling wide-scale compromises that lead to email compromise, fraud and data breaches.

Its attack chain is built to evade modern email security, identity defenses, and analysis tools by leveraging the following:

  • CAPTCHA Filtering: Victims are first shown a CAPTCHA challenge before any phishing content loads. This helps block bots and automated security scanners.
  • Cloudflare Workers: Used to deliver customized phishing pages and smartly direct traffic to the attacker’s backend servers.
  • URL Redirection Chains: The phishing links in emails go through several redirects (often using shortened URLs) before landing on fake login pages. This helps bypass spam filters and security tools.
  • Dynamic DNS: These services let attackers quickly create domain names that point to specific IP addresses, making their infrastructure flexible and harder to track.    

Once a user enters their credentials and MFA tokens, the session is hijacked via a reverse proxy server, allowing the attacker to immediately access the legitimate account.

Attack Flow

Step – Description
1. Delivery – Phishing emails are sent from compromised accounts on email delivery services (such as Postmarkapp or Constant Contact), which lends them trust, and use URL-shortening services to bypass spam filters.
2. Redirecting & filtering – Clicking the phishing link redirects victims through several short URLs and presents a Cloudflare CAPTCHA to ensure human interaction.
3. Phishing – Victims land on a fake Microsoft or Google login page using realistic subdomain patterns like “login.<phishing_domain>.<com/io>”. Integrated SSO accounts are redirected to additional fake SSO pages mimicking the real login flows.
4. AiTM session hijack – The backend proxy captures credentials, MFA tokens and session cookies, giving attackers full account access.
5. Exfiltration – Session cookies and credentials are routed to the attacker's admin panel in real time. Integration with bots or webhooks gives the attackers instant alerts.

Why It’s Effective

AiTM infrastructure: unlike static phishing kits, VoidProxy runs a live proxy in the middle of the authentication flow, stealing session tokens and MFA tokens immediately after login.

CAPTCHA & Cloudflare Layers: These challenges ensure only real human victims reach the phishing payload, filtering out scanners and sandboxes.

Integrated SSO Targeting: Accounts using Okta or other SSO providers are redirected to accurate second-stage phishing pages, increasing the likelihood of a full compromise.

Recommendations:

  • Harden authentication by binding sessions to IP addresses (IP session binding) to block cookie replay attacks.
  • Block access from rarely used IP ranges or unmanaged devices.
  • Provide user awareness training to help recognize phishing links, suspicious email senders and fake login prompts.
  • Keep monitoring for any indications of suspicious activities.
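The first and last recommendations above go together: an AiTM proxy relays the victim's password and MFA code correctly, so the one thing that distinguishes it is that the session cookie issued to the victim's browser is then used from the attacker's infrastructure. If each session is bound to the client IP and autonomous system that completed authentication, that reuse is visible in the sign-in logs. The script below is an added example, not Okta's detection logic; the log events are constructed in a simplified JSON-lines form (the field names `event`, `session`, `ip`, `asn` are assumed, not any product's schema), and the ASN is used so that a client moving between addresses inside one carrier is rated lower than a jump to a different network.

```python
"""Detect AiTM-style session replay from sign-in logs. Added example; log lines are constructed."""
import json
from datetime import datetime, timedelta

LOG = """
{"ts": "2025-09-15T09:00:05Z", "event": "auth.success", "user": "alice", "session": "S1", "ip": "203.0.113.10", "asn": 64500, "mfa": true}
{"ts": "2025-09-15T09:00:30Z", "event": "session.use", "user": "alice", "session": "S1", "ip": "203.0.113.10", "asn": 64500}
{"ts": "2025-09-15T09:01:10Z", "event": "session.use", "user": "alice", "session": "S1", "ip": "198.51.100.77", "asn": 64511}
{"ts": "2025-09-15T09:05:00Z", "event": "auth.success", "user": "bob", "session": "S2", "ip": "192.0.2.20", "asn": 64496, "mfa": true}
{"ts": "2025-09-15T09:06:00Z", "event": "session.use", "user": "bob", "session": "S2", "ip": "192.0.2.21", "asn": 64496}
{"ts": "2025-09-15T09:40:00Z", "event": "session.use", "user": "alice", "session": "S1", "ip": "198.51.100.77", "asn": 64511}
"""

def parse_log(text: str) -> list:
    """Parse JSON lines into event dicts with datetime timestamps, oldest first."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def detect_replay(events: list, grace: timedelta = timedelta(minutes=5)) -> list:
    """Bind each session to the (ip, asn) that authenticated; alert on use from elsewhere."""
    bound = {}                                  # session -> (ip, asn, issued_at)
    alerts = []
    for e in events:
        if e["event"] == "auth.success":
            bound[e["session"]] = (e["ip"], e["asn"], e["ts"])
            continue
        if e["event"] != "session.use":
            continue
        base = {"session": e["session"], "user": e["user"], "ip": e["ip"], "ts": e["ts"]}
        if e["session"] not in bound:
            alerts.append({**base, "severity": "high", "seconds_after_auth": None,
                           "reason": "session used with no recorded authentication"})
            continue
        ip, asn, issued = bound[e["session"]]
        if e["ip"] == ip:
            continue                            # same client, nothing to see
        age = int((e["ts"] - issued).total_seconds())
        if e["asn"] != asn:
            # Cookie presented from another network: the AiTM signature, especially
            # when it happens within minutes of the MFA prompt being satisfied.
            reason = "session cookie reused from another network"
            if age <= grace.total_seconds():
                reason += " within minutes of MFA"
            alerts.append({**base, "severity": "high", "seconds_after_auth": age, "reason": reason})
        else:
            alerts.append({**base, "severity": "low", "seconds_after_auth": age,
                           "reason": "client IP changed within the same network (NAT/mobile?)"})
    return alerts

def enforce_binding(events: list) -> dict:
    """What an IP-session-binding policy would do: revoke a session on first cross-network use."""
    state = {e["session"]: "active" for e in events if e["event"] == "auth.success"}
    for a in detect_replay(events):
        if a["severity"] == "high":
            state[a["session"]] = "revoked"
    return state

if __name__ == "__main__":
    for a in detect_replay(parse_log(LOG)):
        print(a["severity"], a["user"], a["session"], a["ip"], a["seconds_after_auth"], a["reason"])
    print(enforce_binding(parse_log(LOG)))
```

Session S1 is the VoidProxy pattern: authenticated with MFA from one network, then presented 65 seconds later from a different ASN. Binding would revoke it at that point rather than letting the attacker keep the account for the cookie's lifetime. Session S2 only changes address inside its own ASN, the kind of drift a mobile client produces, which is why it is reported low rather than blocked.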

Conclusion
VoidProxy's layered architecture, real-time session hijacking and deep evasion mechanisms make it a potent threat even for environments with multi-factor authentication in place. Defending against it requires a shift from traditional phishing detection toward real-time risk-based access controls, strong phishing-resistant authenticators and persistent user education.

WhatsApp Privacy Advisory: Protect Your Conversations 

Overview Security Advisory:

WhatsApp provides end-to-end encryption by default, ensuring that only you and your intended recipient can read messages. However, encryption alone does not guarantee complete privacy. Misconfigured or disabled privacy settings may still expose user information, media or allow unauthorized access. 

This advisory highlights the most important privacy features that should be enabled, along with a checklist for additional protections. 

Critical Privacy Features to Enable 

  1. Advanced Chat Privacy 

This feature strengthens the security of your conversations by limiting how chats and media can be shared outside WhatsApp. 

Benefits: 

  • Prevents chat exports that could expose sensitive data. 
  • Restricts unauthorized forwarding or third-party use of your conversations. 
  • Protects against data mining and AI-driven scanning, ensuring personal and business chats remain confidential. 
  • Gives you greater control over how your messages are handled beyond WhatsApp. 
Enabling this feature is highly recommended, especially for users discussing sensitive financial, personal, or corporate information. 

  2. End-to-End Encrypted Backups 

While chats are end-to-end encrypted in transit, backups stored on Google Drive or iCloud are not end-to-end encrypted by default. Activating encrypted backups ensures: 

  • Only you can access backup data, using your chosen password or encryption key. 
  • Neither WhatsApp, Google, nor Apple can read your chat history. 
  • Added protection if your cloud account is compromised. 
  3. Disappearing Messages 

This feature allows messages to auto-delete after 24 hours, 7 days, or 90 days. 

Benefits: 

  • Reduces digital footprint and limits data exposure over time. 
  • Ensures sensitive conversations do not remain accessible indefinitely. 
  • Useful for both personal privacy and business confidentiality. 

Quick Setup Checklist 

Step Action 
1 Enable Advanced Chat Privacy in all important chats 
2 Turn on End-to-End Encrypted Backup 
3 Run Privacy Checkup: review visibility and group settings 
4 Activate Disappearing Messages where appropriate 
5 Enable App/Chat Locks (biometric/PIN) 
6 Set up Two-Factor Authentication 
7 Disable Media Auto-Saving 
8 Check Linked Devices and log out extras 
9 Restrict visibility of Last Seen, Profile Photo, About, and disable Read Receipts if desired 

Recommendations 

  • Enable Advanced Chat Privacy immediately to prevent misuse of conversations. 
  • Activate encrypted backups for long-term data security. 
  • Use disappearing messages for sensitive discussions. 
  • Regularly review privacy settings and update WhatsApp to the latest version. 

Conclusion: 
Strengthening WhatsApp privacy settings is critical for protecting both personal and professional communication. Enabling key features like Advanced Chat Privacy, Encrypted Backups, and Disappearing Messages provides stronger control over data security and reduces risks of unauthorized access or misuse. 

  

April Zero-Day Threats Addressed in Microsoft’s Patch Tuesday

Summary of Microsoft April Patch Tuesday

Microsoft's April 2025 Patch Tuesday release addressed 135 security vulnerabilities, including a zero-day (CVE-2025-29824) that was already being actively exploited.

  • 126 Microsoft CVEs addressed
  • 9 non-Microsoft CVEs included

Patch Tuesday releases arrive every month and should be handled on a priority basis so that organizations can address the vulnerabilities as advised by security analysts.

OEM: Microsoft
Severity: Critical
Date of announcement: 2025-04-08
No. of vulnerabilities patched: 135
Actively exploited: Yes
Exploited in wild: Yes
Advisory version: 1.0

Overview

Key updates focus on core Windows components like the CLFS driver and the Windows Kernel, plus multiple remote code execution (RCE) vulnerabilities across services including Remote Desktop Gateway, LDAP, and TCP/IP.

The update addresses both Microsoft and non-Microsoft vulnerabilities, with a significant emphasis on fixing issues that allow attackers to elevate privileges, execute remote code, or bypass security features.

On a similar note publication of 11 critical remote code execution (RCE) vulnerabilities. 13 browser vulnerabilities have already been published separately this month, and are not included in the total.

Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score
Microsoft Windows CLFS Driver Use-After-Free Vulnerability [zero-day] | CVE-2025-29824 | Windows | High | 7.8
Remote Desktop Gateway Service RCE Vulnerability | CVE-2025-27480, CVE-2025-27482 | Windows | High | 8.1
LDAP Service RCE Vulnerability | CVE-2025-26663 | Windows | High | 8.1
LDAP Client RCE Vulnerability | CVE-2025-26670 | Windows | High | 8.1

Technical Summary

The April 2025 update fixes several high-severity vulnerabilities in Microsoft products; details of the most important ones follow:

CVE ID | System Affected | Vulnerability Details | Impact
CVE-2025-29824 | Windows 10/11, Windows Server | Use-after-free in the Windows Common Log File System (CLFS) driver. A local, authenticated attacker can exploit it to gain SYSTEM privileges. | Elevation of Privilege
CVE-2025-27480, CVE-2025-27482 | Windows Remote Desktop Services (RD Gateway role) | Race condition in the Remote Desktop Gateway service that triggers a use-after-free; an attacker who connects to a system running the RD Gateway role could achieve code execution. | Remote Code Execution
CVE-2025-26663 | Windows LDAP (server) | Specially crafted LDAP requests trigger a use-after-free, leading to arbitrary code execution. | Remote Code Execution
CVE-2025-26670 | Windows LDAP client | Use-after-free in the LDAP client, triggered by specially crafted LDAP traffic, leading to arbitrary code execution. | Remote Code Execution

Source: Microsoft & NVD

Beyond the actively exploited CLFS flaw and the Critical RCEs above, other notable vulnerabilities addressed in this release include:

  • CVE-2025-27745, CVE-2025-27748, CVE-2025-27749 – Office Use-After-Free RCE Vulnerability

These vulnerabilities allow attackers to execute arbitrary code remotely by exploiting use-after-free conditions when opening malicious Office files, potentially leading to system compromise.

  • CVE-2025-27752 – Excel Heap Overflow RCE Vulnerability

A heap-based buffer overflow in Excel. An attacker who convinces a user to open a crafted workbook could execute arbitrary code in the context of that user.

  • CVE-2025-29791 – Excel Type Confusion RCE Vulnerability

A type confusion flaw in Excel. Opening a crafted workbook could allow an attacker to execute arbitrary code in the context of the current user.

  • CVE-2025-26686 – Windows TCP/IP RCE Vulnerability

Memory mismanagement during DHCPv6 handling could allow remote attackers to execute arbitrary code, requiring a complex exploit chain to be effective.

  • CVE-2025-27491 – Windows Hyper-V RCE Vulnerability

An authenticated user on a guest VM could, through social engineering and a high-complexity exploit, achieve code execution on the Hyper-V host.

Remediation:

  • Apply Patches Promptly: Install the April 2025 security updates immediately to mitigate risks.

General Recommendations:

  • Prioritize Zero-Day & Critical Vulnerabilities: Patch the actively exploited CLFS flaw first, then the Critical RCEs affecting Remote Desktop Gateway, LDAP, TCP/IP, Excel, and SharePoint-related CVEs.
  • Secure File System Access: Implement controls that prevent unauthorized access to NTFS and FAT file systems, particularly against USB-based attack vectors.
  • Educate Employees: Train users on phishing risks to reduce the chance that they open malicious Office documents, including Excel workbooks.
  • Monitor for Exploitation: Continuously monitor systems for signs of exploitation or suspicious activity, especially unexpected privilege escalation to SYSTEM on hosts not yet patched against CVE-2025-29824.

“Microsoft highly recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold,” the company said in a blog post.

Conclusion:

The April 2025 Patch Tuesday release underscores the critical need for timely patching of Microsoft systems to protect against actively exploited vulnerabilities, including a zero-day privilege escalation flaw.

Microsoft has addressed multiple high-severity vulnerabilities, many of which could result in remote code execution, unauthorized system access, or privilege escalation.

IT teams and users are urged to install the security updates promptly and implement the recommended controls. Because the CLFS zero-day is already being exploited in the wild, immediate action is essential to protect systems from compromise.

Critical Chrome Vulnerability (CVE-2025-2783) Exploited in Cyber-Espionage Campaign

OEM: Google Chrome
Severity: High
CVSS: 8.3
CVEs: CVE-2025-2783
Exploited in Wild: Yes
Patch/Remediation Available: Yes
Advisory Version: 1.0

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory about CVE-2025-2783, a zero-day vulnerability in Google Chrome and other Chromium-based browsers on Windows. The flaw is being actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog; CISA urges immediate patching to prevent breaches and unauthorized system access.

Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version
Google Chromium Mojo Sandbox Escape Vulnerability | CVE-2025-2783 | Google Chrome | High | 134.0.6998.117/.118

Technical Summary

This high-severity vulnerability lies in Mojo, the inter-process communication (IPC) framework of Chromium-based browsers, which include Google Chrome, Microsoft Edge, Opera, and Brave. It stems from a logic error that causes an incorrect handle to be provided under certain conditions. The flaw lets an attacker bypass Chrome's sandbox and potentially execute arbitrary code on the affected system.

Security researchers from Kaspersky discovered this zero-day vulnerability as part of an advanced cyber-espionage campaign dubbed “Operation ForumTroll.” The attack campaign targeted media outlets, educational institutions, and government organizations in Russia through highly personalized phishing emails.

The exploit chain is particularly dangerous because it requires minimal user interaction: the victim only has to click a malicious link in the phishing email, after which the exploit runs without any further action. Once triggered, it escapes Chrome's sandbox, leading to remote code execution and possible system compromise.

CVE ID | System Affected | Vulnerability Details | Impact
CVE-2025-2783 | Google Chrome (Windows) | Incorrect handle provided in Mojo, allowing sandbox escape | Remote code execution, system compromise

Remediation:

  • Google Chrome Patch Released: Google fixed this vulnerability in Chrome 134.0.6998.117/.118 (the versions listed in the table above). Users should update immediately, and other Chromium-based browsers should be updated to their vendors' corresponding releases.
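As an added check to go with this remediation step (example code written for this page, not Google's or CISA's tooling), the following Python triages an exported browser inventory against the fixed builds named in the advisory. The host names, versions and the inventory record layout are constructed sample data and assumptions, not real systems; the point it demonstrates is that build numbers must be compared numerically, since a string comparison ranks the unpatched build 134.0.6998.88 above the fixed 134.0.6998.117.

```python
"""Version triage for CVE-2025-2783 (Chromium Mojo sandbox escape).

Added example for this advisory, not Google's or CISA's tooling. It checks
reported Chrome build numbers against the fixed Windows builds named in the
advisory (134.0.6998.117 / .118). Host names and versions in SAMPLE_INVENTORY
are constructed sample data, not real systems.
"""
from __future__ import annotations

# Google shipped two fixed builds; the lower one is the minimum safe version.
FIXED_VERSION = "134.0.6998.117"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '134.0.6998.88' into (134, 0, 6998, 88) for numeric comparison.

    Comparing version strings lexically is a classic mistake: as strings,
    '134.0.6998.88' > '134.0.6998.117' because '8' > '1', so a naive check
    would report the older, unpatched build 88 as safe.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the build is the fixed build or anything newer (e.g. Chrome 135)."""
    return parse_version(version) >= parse_version(fixed)


# Constructed inventory records of the kind an endpoint agent would export.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "platform": "Windows", "chrome_version": "134.0.6998.88"},
    {"host": "ws-02", "platform": "Windows", "chrome_version": "134.0.6998.117"},
    {"host": "ws-03", "platform": "Windows", "chrome_version": "134.0.6998.118"},
    {"host": "ws-04", "platform": "Windows", "chrome_version": "135.0.7049.41"},
    {"host": "mac-01", "platform": "macOS", "chrome_version": "134.0.6998.89"},
    {"host": "ws-05", "platform": "Windows", "chrome_version": "n/a"},
]


def triage(inventory: list[dict]) -> list[dict]:
    """Return only the hosts that need attention, each with a status and reason.

    'urgent'  unpatched Chrome on Windows, the platform the in-the-wild exploit targets
    'update'  unpatched Chrome on another platform (still behind the fixed build)
    'review'  the agent reported a version string that cannot be parsed
    """
    findings = []
    for host in inventory:
        try:
            if is_patched(host["chrome_version"]):
                continue
        except ValueError:
            findings.append({**host, "status": "review",
                             "reason": "unparseable version string"})
            continue
        if host["platform"].lower().startswith("win"):
            status, reason = "urgent", "unpatched Windows Chrome; CVE-2025-2783 exploited in the wild"
        else:
            status, reason = "update", "behind the fixed build; advisory scopes the exploit to Windows"
        findings.append({**host, "status": status, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']:<7} {f['platform']:<8} {f['chrome_version']:<16} {f['status']:<7} {f['reason']}")
```

Feed it whatever your endpoint agent exports (host, platform, reported Chrome version) and patch the "urgent" hosts first; a host whose agent cannot report a parseable version is flagged for manual review rather than silently treated as safe.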

General Recommendations:

  • Enable Automatic Updates: Ensure automatic updates are enabled in Google Chrome and other Chromium-based browsers to receive future security patches promptly.
  • Phishing Awareness Training: Organizations should educate employees on identifying and avoiding phishing emails to prevent exploitation.
  • Endpoint Security Measures: Deploy endpoint detection and response (EDR) solutions to monitor and mitigate potential threats.
  • CISA Compliance for Federal Agencies: Federal agencies must adhere to CISA’s Binding Operational Directive (BOD) 22-01 to address known exploited vulnerabilities promptly.

Conclusion:

The exploitation of CVE-2025-2783 demonstrates the ongoing threat posed by sophisticated cyber-espionage activities.  Google has responded swiftly with a patch, and users are strongly advised to update their browsers immediately. Organizations should remain vigilant against phishing attempts and enhance their cybersecurity posture to mitigate similar threats in the future.
