BeatBanker and BTMOB trojans: infection techniques and how to stay safe | Kaspersky official blog

/in

To achieve their malign aims, Android malware developers have to address several challenges in a row: trick users to get inside their smartphones, dodge security software, talk victims into granting various system permissions, keep away from built-in battery optimizers that kill resource hogs, and, after all that, make sure their malware actually turns a profit. The creators of the BeatBanker — an Android‑based malware campaign recently discovered by our experts — have come up with something new for each one of these steps. The attack is (for now) aimed at Brazilian users, but the developers’ ambitions will almost certainly push them toward international expansion, so it’s worth staying on guard and studying the threat actor’s tricks. You can find a full technical analysis of the malware on Securelist.

How BeatBanker infiltrates a smartphone

The malware is distributed through specially crafted phishing pages that mimic the Google Play Store. A page that’s easily mistaken for the official app marketplace invites users to download a seemingly useful app. In one campaign, the trojan disguised itself as the Brazilian government services app, INSS Reembolso; in another, it posed as the Starlink app.

The malicious site cupomgratisfood{.}shop does an excellent job imitating an app store. It's just unclear why the fake INSS Reembolso appears all of three times. To be extra sure, perhaps?!

The malicious site cupomgratisfood{.}shop does an excellent job imitating an app store. It’s just unclear why the fake INSS Reembolso appears all of three times. To be extra sure, perhaps?!

The installation takes place in several stages to avoid requesting too many permissions at once and to further lull the victim’s vigilance. After the first app is downloaded and launched, it displays an interface that also resembles Google Play and simulates an update for the decoy app — requesting the user’s permission to install apps, which doesn’t look out-of-the-ordinary in context. If you grant this permission, the malware downloads additional malicious modules to your smartphone.

After installation, the trojan simulates a decoy app update via Google Play by requesting permission to install applications while downloading additional malicious modules in the process

After installation, the trojan simulates a decoy app update via Google Play by requesting permission to install applications while downloading additional malicious modules in the process

All components of the trojan are encrypted. Before decrypting and proceeding to the next stages of infection, it checks to ensure it’s on a real smartphone and in the target country. BeatBanker immediately terminates its own process if it finds any discrepancies or detects that it’s running in emulated or analysis environments. This complicates dynamic analysis of the malware. Incidentally, the fake update downloader injects modules directly into RAM to avoid creating files on the smartphone that would be visible to security software.

All these tricks are nothing new and frequently used in complex malware for desktop computers. However, for smartphones, such sophistication is still a rarity, and not every security tool will spot it. Users of Kaspersky products are protected from this threat.

Playing audio as a shield

Once established on the smartphone, BeatBanker downloads a module for mining Monero cryptocurrency. The authors were very concerned that the smartphone’s aggressive battery optimization systems might shut down the miner, so they came up with a trick: playing an all-but-inaudible sound at all times. Power consumption control systems typically spare apps that are playing audio or video to avoid cutting off background music or podcast players. In this way, the malware can run continuously. Additionally, it displays a persistent notification in the status bar, asking the user to keep the phone on for a system update.

Example of a persistent system update notification from another malicious app masquerading as the Starlink app

Example of a persistent system update notification from another malicious app masquerading as the Starlink app

Control via Google

To manage the trojan, the authors leverage Google’s legitimate Firebase Cloud Messaging (FCM) — a system for receiving notifications and sending data from a smartphone. This feature is available to all apps and it’s the most popular method for sending and receiving data. Thanks to FCM, attackers can monitor the device’s status and change its settings as needed.

Nothing bad happens for a while after the malware is installed: the attackers wait it out. Then they trigger the miner, but they’re careful to throttle it back if the phone overheats, the battery starts dipping, or the owner happens to be using the device. All of this is handled via FCM.

Theft and espionage

In addition to the crypto miner, BeatBanker installs extra modules to spy on the user and rob them at the right moment. The spyware module requests Accessibility Services permission, and if this is granted, begins monitoring everything that’s happening on the smartphone.

If the owner opens the Binance or Trust Wallet app to send USDT, the malware overlays a fake screen on top of the wallet interface, effectively swapping the recipient’s address for its own. All transfers go to the attackers.

The trojan features an advanced remote control system and is capable of executing many other commands:

  • Intercepting one-time codes from Google Authenticator
  • Recording audio from the microphone
  • Streaming the screen in real-time
  • Monitoring the clipboard and intercept keystrokes
  • Sending SMS messages
  • Simulating taps on specific areas of the screen and text input according to a script sent by the attacker, and much more

All of this makes it possible to rob the victim when they use any other banking or payment services — not just crypto payments.

Sometimes victims are infected with a different module for espionage and remote smartphone control — the BTMOB remote access trojan. Its malicious capabilities are even broader, including:

  • Automatic acquisition of certain permissions on Android 13–15
  • Continuous geolocation tracking
  • Access to the front and rear cameras
  • Obtaining PIN codes and passwords for screen unlocking
  • Capturing keyboard input

How to protect yourself from BeatBanker

Cybercriminals are constantly refining their attacks and coming up with new ways to profit from their victims. Despite this, you can protect yourself by following a few simple precautions:

  • Download apps from official sources only, such as Google Play or the app store preinstalled by the vendor. If you find an app while searching the internet, don’t open it via a link from your browser; instead, head to the Google Play app or another branded store on your smartphone to search for it there. While you’re at it, check the number of downloads, the app’s age, and look at the ratings and reviews. Avoid new apps, apps with low ratings, and those with a small number of downloads.
  • Check any permissions you grant. Don’t grant permissions if you’re not sure what they do or why that specific app requires them. Be extra careful with permissions like Install unknown apps, Accessibility, Superuser, and Display over other apps. We’ve written about these in detail in a separate article.
  • Equip your device with a comprehensive anti-malware solution. We, naturally, recommend Kaspersky for Android. Users of Kaspersky products are protected from BeatBanker — detected with the verdicts HEUR:Trojan-Dropper.AndroidOS.BeatBanker and HEUR:Trojan-Dropper.AndroidOS.Banker.*.
  • Regularly update both your operating system and security software. For Kaspersky for Android, which is currently unavailable on Google Play, please review our detailed instructions on installing and updating the app.

Threats to Android users have been going through the roof lately. Check out our other posts on the most relevant and widespread Android attacks and tips for keeping you and your loved ones safe:

Kaspersky official blog – ​Read More

Agentic AI security: Why you need to know about autonomous agents now

/in

Agentic AI security: Why you need to know about autonomous agents now

Agentic AI is making headlines worldwide for its potential force-multiplying capabilities, and organizations are understandably intrigued by how it can improve throughput and capabilities. However, as with any technological revolution, unforeseen issues are inevitable, and agentic AI is no exception. In organizations, these issues often arise from deploying personal assistants like OpenClaw or AI agents designed to optimize business and IT processes. Additionally, when personal assistants interact with “social networks” such as Moltbook, they introduce many hidden threats for organizations. These specific risks fall beyond the scope of this article, and will be addressed in a future blog.

This article will concentrate on agentic AI’s use within organizations and explore how these systems could potentially be used against them. There are two perspectives that must be taken into consideration when thinking about agentic AI: 

  • The perspective of organizations deploying agentic AI technologies to streamline their business and organizational processes 
  • The perspective focused on potential impacts of malicious agentic AI in the future

Both perspectives will be addressed, but let’s start with the first, which encompasses cybersecurity defense processes already in place, as well as the ways agentic AI can enhance those defenses.

What is agentic AI, how can it benefit organizations, and what are the dangers?

At its core, agentic AI is an autonomous system tasked with an objective, equipped with specific tools and resources. This system is typically powered by large language models (LLMs) with advanced reasoning capabilities. These capabilities allow the agent to plan how to achieve its objective, implement that plan, and, most importantly, verify results and try different approaches if errors occur. 

There are four questions an organization must ask when delegating a task to an AI agent:

  • Traceability: Can I track all agent actions, regardless of whether the outcomes are global or intermediate? 
  • Auditability: Is the task subject to regulatory oversight? Who is accountable for the outcomes produced by the agent? 
  • Business risk management: Have I conducted a business risk assessment on the AI agent’s possible actions? 
  • Cybersecurity threat management: Does the agent have guardrails to prevent malicious or disruptive actions during execution, regardless of its intent? 

AI agents can be incredibly powerful and task-oriented, so their actions must be scrutinized independently of intent. An agent may inadvertently destroy or expose data, while still successfully completing its task.  

An AI agent needs to adhere to basic cybersecurity and risk management principles. Just as you wouldn’t hand a new employee keys to all the data in your enterprise, AI agent access should be tailored for its specific role. Following good practices like threat modeling and risk management provides a solid foundation for successfully deploying AI agents. The optimal approach is to apply existing organizational roles to AI agents and adjust the data access accordingly.  The goal should be to ensure that the exposure from a compromised AI agent is no greater than from a compromised user; this is achievable only through strong access control. 

AI agents are not immune to external interference or direct attacks. Agents can search the internet to determine the best actions to achieve their goals. These actions could be manipulated, leading the agent to run a tool with an undesired consequence. At the same time, the act of making queries to the internet can result in information leaks.

When addressing these kinds of issues, it’s important to recognize that LLMs are not deterministic in nature, meaning that the execution of an agent to solve a task may vary each time, even if the task is consistently completed. This means that the traditional allow/deny approach may not be enough to provide the necessary safety and security boundaries. It is crucial to evaluate the potential outcomes of an action before execution — not from the perspective of the task at hand, but from a safety and security standpoint, free from goal-related bias. 

This oversight can be performed by a human operator, who authorizes critical steps in task resolution. It can also be provided by a separate model/agent tasked with evaluating the consequences of actions without regard to the overall objective. These evaluations can even be scored, triggering human review if a certain threshold is met. There may also be compliance requirements to track and log the actions agent actions, similar to those required for a user. 

Just as no system is 100% secure, no agent is 100% safe, especially given their non-deterministic and try-error reasoning features. However, this is not a new challenge. This is a threat modeling and risk management problem, which organizations have been facing for several years now.  

Organizations with mature cybersecurity practices model threat scenarios and prepare for incident response. They conduct business, information security, and cybersecurity risk evaluations for these scenarios and determine how each risk is managed. Using agentic AI should follow the same process: First, model threats based on agent privileges and capabilities, then evaluate the risks, and finally determine how to mitigate them.

Ultimately, we need to apply what we already know to this new context, drawing the appropriate parallels.

Near and not-so-far impacts of malicious agentic AI 

Agentic AI is already being used by malicious actors, as seen in cases like VoidLink. Nevertheless, this is just the tip of the iceberg, and defenders should be prepared for much more.

Agentic AI integration with attack frameworks is inevitable, and likely already underway; we just haven’t seen it yet. It may provide malicious operators with capabilities that could outpace defenders unless defenders also leverage agentic AI. 

Our tracking of attack frameworks and their evolution provides clues on what the next steps may look like.

The next stage for these attack frameworks could easily be an agent that runs on the backend, awaiting operator requests. These requests might include searching for, compiling, and locally testing exploits for software the operator found on the target system.

But this is just the beginning. The list below illustrates other developments likely to be adopted by malicious operators:

  • To accelerate operations, an agent may analyze the operator’s console and suggest actions based on console inputs. This would both allow the agent to infer the operator’s preferences and retain memories of the target environment — details the operator could otherwise miss.
  • More efficient use of an agent would involve the delegation of routine tasks, like environment exploration, system role recognition, and data exfiltration.
  • Eventually, an agent could be deployed directly in the victim environment to handle specific tasks, contacting the backend for inference. In this scenario, the operator simply assigns the agent a task and waits for a result, with the agent using covert channels, that don’t need to be synchronous.
  • The ultimate threat is a fully autonomous agent deployed and assigned a specific objective, using local inference and only contacting the backend upon task completion. Local inference reduces the risk of detection, as backend communications are kept to a minimum. Additionally, in long-term operations, the agent can perform tasks slowly, adapt its tactics from system to system, and even be instructed to use only living-off-the-land binaries (LOLBins).

These scenarios can be adapted by defenders to automate threat hunting and response, but all strategies must account for the risks and guardrails discussed earlier.

Cisco Talos Blog – ​Read More

Spinning complex ideas into clear docs with Kri Dontje

/in

Spinning complex ideas into clear docs with Kri Dontje

Welcome back! This week, we’re shining a spotlight on Kri Dontje, a technical writer who’s become an essential voice in making Cisco Talos’ work understandable for a wide audience. With a background in technical communications and a career that began at a small startup, Kri discusses the importance of consistency, accuracy, and accessibility in documentation, as well as how to get the most out of a subject matter expert-technical writer relationship.

Now transitioning into a new role, Kri continues to bridge the gap between deep technical expertise and clear communication. When she’s not decoding cyber jargon, she’s hand-spinning yarn for stunning knit pieces, showing that creativity and tech go hand in hand. Keep an eye out for more content featuring Kri in the future.

Amy Ciminnisi: Can you tell us a little bit about what you do here in Talos?

Kri Dontje: Absolutely. I have a technical writing degree — technical communications — which means I translate very technical topics into something that other people can understand if they’re not necessarily experts in that field. I’ve had a very nontraditional career. My first position was at a very small company, 14 people at its largest. I did documentation, design and demonstration videos, and rebuilt their health system from the ground up. It was interesting and terrifying because I was learning it completely alone.

I’m also a huge nerd and a learning junkie, which helps with this kind of job. I enjoy being around people who are into really complex things and talking to them about it. I spent a lot of time around a local miniatures wargaming shop and became friends with a bunch of nerds, some of whom have migrated into Talos.

I transitioned over to the strategic communications team as a research engineer. I’m going to focus more on communicating about Talos at a slightly more technical level than our communications have been to the public for a while, while still creating content that makes Talos accessible for people as much as possible.

AC: What do you think are the most important qualities or skills that make someone a really good technical writer, especially in a fast-changing landscape like cybersecurity?

KD: That’s a big contradiction. One of the most important things for tech writing is consistency and accessibility. It’s not a career that encourages adjectives. You want to use the same word to mean the same thing every time because if you use a fun synonym, the reader might think it’s an entirely different concept.

Versioning is a big problem. People won’t trust documentation if they find bad information in it. They’ll never think it’s a reasonable place to go again. So keeping things accurate is really important.

Being snoopy and not being afraid to feel real stupid in front of extremely smart people is also key. Usually, you can find common ground. It’s important to recognize you’re not talking down to the audience or making the information for stupid people. Even within Talos and the cyber community, everyone has broad-ranging specialties. Most people don’t know what others do or can’t figure it out without spending a lot of time and energy they don’t need to. So the important thing is to bring the information to a level where other very intelligent people can cross-reference it and make it applicable to what they’re doing.

Want to see more? Watch the full interview, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos.

Cisco Talos Blog – ​Read More

Microsoft Patch Tuesday for March 2026 — Snort rules and prominent vulnerabilities

/in

Microsoft Patch Tuesday for March 2026 — Snort rules and prominent vulnerabilities

Microsoft has released its monthly security update for March 2026 which includes 79 vulnerabilities, including three that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.” Microsoft assessed that exploitation of the three “critical” vulnerabilities is “less likely.”  

CVE-2026-26110 and CVE-2026-26113 are “critical” Microsoft Office Remote Code Execution Vulnerabilities that could allow an unauthorized attacker to execute code locally; the former is a type confusion issue caused by access to a resource using an incompatible type, and the latter is an untrusted pointer dereference. 

CVE-2026-26144 is a “critical” information disclosure vulnerability affecting Microsoft Excel. This vulnerability is due to improper neutralization of input in Microsoft Excel which could enable an unauthorized attacker to disclose information on affected systems. This vulnerability has not been previously publicly disclosed or exploited, and Microsoft has rated it as “exploitation unlikely.” 

CVE-2026-26109 is an “important” vulnerability in Microsoft Office Excel that allows an unauthorized attacker to execute code locally due to an out-of-bounds read. This issue could enable an attacker to compromise the affected system. vulnerability in Microsoft Office Excel that allows an unauthorized attacker to execute code locally due to an out-of-bounds read. This issue could enable an attacker to compromise the affected system. 

CVE-2026-26106 and CVE-2026-26114 are “important” remote code execution vulnerabilities affecting Microsoft SharePoint Server. CVE-2026-26106 is caused by improper input validation in Microsoft Office SharePoint, while CVE-2026-26114 results from deserialization of untrusted data. In both cases, an authenticated attacker with at least Site Member permissions (PR:L) can execute code remotely over a network on the SharePoint Server. 

CVE-2026-26115CVE-2026-26116, and CVE-2026-21262 are “important” elevation of privilege vulnerabilities in SQL Server, each with a CVSS v3.1 highest base score of 8.8. CVE-2026-26115 is caused by improper input validation in SQL Server, while CVE-2026-26116 is due to improper neutralization of special elements used in a SQL command (‘sqlinjection’). CVE-2026-21262 results from improper access control in SQL Server. In each case, an authorized attacker could exploit the vulnerability over a network to elevate privileges, potentially gaining administrator privileges. CVE-2026-21262 has also been publicly disclosed. 

CVE-2026-26118 is an elevation of privilege vulnerability in Azure MCP Server Tools with a CVSS v3.1 highest base score of 8.8. It has been rated “important” by Microsoft. This vulnerability is caused by server-side request forgery (SSRF) in Azure MCP Server, which allows an authorized attacker to elevate privileges over a network. An attacker could exploit this issue by sending specially crafted input to an Azure Model Context Protocol (MCP) Server tool that accepts user-provided parameters. If the attacker can interact with the MCP-backed agent, they may submit a malicious URL instead of a standard Azure resource identifier. The MCP Server then sends an outbound request to that URL, possibly includingits managed identity token. The attacker can capture this token without requiring administrative access. A successful attacker could obtain the permissions associated with the MCP Server’s managed identity, enabling access or actions on any resources authorized for that identity. However, the attacker does not gain broader tenant-level or administrator permissions—only those linked to the compromised managed identity.  

CVE-2026-26128 is an elevation of privilege vulnerability in Windows SMB Server that has been rated “important” by Microsoft. This vulnerability is caused by improper authentication in Windows SMB Server, allowing an authorized attacker to elevate privileges over a network. An attacker who successfully exploits this vulnerability could gain SYSTEM privileges. 

Cisco Talos would also like to highlight several vulnerabilities that are only rated as “important,” but Microsoft lists as “more likely” to be exploited:  

  • CVE-2026-23668 – Windows Graphics Component Elevation of Privilege Vulnerability 
  • CVE-2026-24289 – Windows Kernel Elevation of Privilege Vulnerability 
  • CVE-2026-24291 – Windows Accessibility Infrastructure (ATBroker.exe) Elevation of Privilege Vulnerability 
  • CVE-2026-24294 – Windows SMB Server Elevation of Privilege Vulnerability 
  • CVE-2026-25176 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability 
  • CVE-2026-25187 – Winlogon Elevation of Privilege Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additionalinformation. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are: 66089 – 66092, 66096, 66097, 66101 – 66104. 

The following Snort 3 rules are also available: 301442 – 301446. 

Cisco Talos Blog – ​Read More

Mental health apps are leaking your private thoughts. How do you protect yourself? | Kaspersky official blog

/in

In February 2026, the cybersecurity firm Oversecured published a report that makes you want to factory reset your phone and move into a remote cabin in the woods. Researchers audited 10 popular Android mental health apps — ranging from mood trackers and AI therapists to tools for managing depression and anxiety — and uncovered… 1575 vulnerabilities! Fifty-four of those flaws were classified as critical. Given the download stats on Google Play, as many as 15 million people could be affected. The real kicker? Six out of the ten apps tested explicitly promised users that their data was “fully encrypted and securely protected”.

We’re breaking down this scandalous “brain drain”: what exactly could leak, how it’s happening, and why “anonymity” in these services is usually just a marketing myth.

What was found in the apps

Oversecured is a mobile app security firm that uses a specialized scanner to analyze APK files for known vulnerability patterns across dozens of categories. In January 2026, researchers ran ten mental health monitoring apps from Google Play through the scanner — and the results were, shall we say, “spectacular”.

App Type Installs Security vulnerabilities
High-severity Medium-severity Low-severity Total
Mood & habit tracker 10M+ 1 147 189 337
AI therapy chatbot 1M+ 23 63 169 255
AI emotional health platform 1M+ 13 124 78 215
Health & symptom tracker 500k+ 7 31 173 211
Depression management tool 100k+ 0 66 91 157
CBT-based anxiety app 500k+ 3 45 62 110
Online therapy & support community 1M+ 7 20 71 98
Anxiety & phobia self-help 50k+ 0 15 54 69
Military stress management 50k+ 0 12 50 62
AI CBT chatbot 500k+ 0 15 46 61
Total 14.7М+ 54 538 983 1575

Vulnerabilities found in the 10 tested mental health apps. Source

The anatomy of the flaws

The discovered vulnerabilities are diverse, but they all boil down to one thing: giving attackers access to data that should be under lock and key.

For starters, one of the vulnerabilities allows an attacker to access any internal activity of the app — even that never intended for external eyes. This opens the door to hijacking authentication tokens and user session data. Once an attacker has those, they essentially could gain access to a user’s therapy records.

Another issue is insecure local data storage with read permissions granted to any other app on the device. In other words, that random flashlight app or calculator on your smartphone could potentially read your cognitive behavioral therapy (CBT) logs, personal notes, and mood assessments.

The researchers also found unencrypted configuration data baked right into the APK installation files. This included backend API endpoints and hardcoded URLs for Firebase databases.

Furthermore, several apps were caught using the cryptographically weak java.util.Random class to generate session tokens and encryption keys.

Finally, most of the tested apps lacked root/jailbreak detection. On a rooted device, any third-party app with root privileges could gain total access to every bit of locally stored medical data.

Shockingly, of the 10 apps analyzed, only four received updates in February 2026. The rest haven’t seen a patch since November 2025, and one hasn’t been touched since September 2024. Going 18 months without a security patch is a lifetime in this industry — especially for an app housing mood journals, therapy transcripts, and medication schedules.

Here’s a quick reminder of just how dangerous the misuse of this type of data gets. In 2024, the tech world was rocked by a sophisticated attack on XZ Utils, a critical component found in virtually every operating system based on the Linux kernel. The attacker successfully pressured the maintainer into handing over code commit permissions by exploiting the developer’s public admission of burnout and a lack of motivation to carry on with the project. Had the attack been completed, the damage would have been mind-boggling given that roughly 80% of the world’s servers run on Linux.

What could leak?

What do these apps collect and store? It’s the kind of stuff you’d likely only share with a trusted clinician: therapy session transcripts, mood logs, medication schedules, self-harm indicators, CBT notes, and various clinical assessment scales.

As far back as 2021, complete medical records were selling on the dark web for US$1000 each. For comparison, a stolen credit card number goes for anywhere between US$5 and US$30. Medical records contain a full identity package: name, address, insurance details, and diagnostic history. Unlike a credit card, you can’t exactly “reissue” your medical history. Furthermore, medical fraud is notoriously difficult to spot. While a bank might flag a suspicious transaction in hours, a fraudulent insurance claim for a phantom treatment can go unnoticed for years.

We’ve seen this movie before

The Oversecured study isn’t just an isolated horror story.

Back in 2020, Julius Kivimäki hacked the database of the Finnish psychotherapy clinic Vastaamo, making off with the records of 33 000 patients. When the clinic refused to cough up a €400 000 ransom, Kivimäki began sending direct threats to patients: “Pay €200 in Bitcoin within 24 hours, or else your records go public”. Ultimately, he leaked the entire database onto the dark web anyway. At least two people died by suicide, and the clinic was forced into bankruptcy. Kivimäki was eventually sentenced to six years and three months in prison, marking a record-breaking trial in Finland for the sheer number of victims involved.

In 2023, the U.S. Federal Trade Commission (FTC) slapped the online therapy giant BetterHelp with a US$7.8 million fine. Despite stating on their sign-up page that your data was strictly confidential, the company was caught funneling user info — including mental health questionnaire responses, emails, and IP addresses — to Facebook, Snapchat, Criteo, and Pinterest for targeted advertising. After the dust settled, 800 000 affected users received a grand total of… US$10 each in compensation.

By 2024, the FTC set its sights on the telehealth firm Cerebral, tagging them with a US$7 million fine. Through tracking pixels, Cerebral leaked the data of 3.2 million users to LinkedIn, Snapchat, and TikTok. The haul included names, medical histories, prescriptions, appointment dates, and insurance info. And the cherry on top? The company sent promotional postcards (sans envelopes) to 6000 patients, which effectively broadcasted that the recipients were undergoing psychiatric treatment.

In September 2024, security researcher Jeremiah Fowler stumbled upon an exposed database belonging to Confidant Health, a provider specializing in addiction recovery and mental health services. The database contained audio and video recordings of therapy sessions, transcripts, psychiatric notes, drug test results, and even copies of driver’s licenses. In total, 5.3 terabytes of data, 126 000 files, or 1.7 million records were sitting there without a password.

Why anonymity is an illusion

Developers love to drop the line: “We never share your personal data with anyone.” Technically, that might be true — instead, they share “anonymized profiles”. The catch? De-anonymizing that data isn’t exactly rocket science anymore. Recent research highlights that using LLMs to strip away anonymity has become a routine reality.

Even the “anonymization” process itself is often a mess. A study by Duke University revealed that data brokers are openly hawking the mental health data of Americans. Out of 37 brokers surveyed, 11 agreed to sell data linked to specific diagnoses (like depression, anxiety, and bipolar disorder), demographic parameters, and in some cases, even names and home addresses. Prices started as low as US$275 for 5000 aggregated records.

According to the Mozilla Foundation, by 2023, 59% of popular mental health apps failed to meet even the most basic privacy standards, and 40% had actually become less secure than the previous year. These apps allowed account creation via third-party services (like Google, Apple, and Facebook), featured suspiciously brief privacy policies that glossed over data collection details, and employed a clever little loophole: some privacy policies applied strictly to the company’s website, but not the app itself. In short, your clicks on the site were “protected”, but your actions within the app were fair game.

How to protect yourself

Cutting these apps out of your life entirely is, of course, the most foolproof option — but it’s not the most realistic one. Besides, there’s no guarantee you can actually nuke the data already collected — even if you delete your account. We previously covered the grueling process of scrubbing your info from data broker databases; it’s possible, but prepare for a headache. So, how can you stay safe?

  • Check permissions before you hit “Install”. In Google Play, navigate to App description → About this app → Permissions. A mood tracker has no business asking for access to your camera, microphone, contacts, or precise GPS location. If it does, it’s not looking out for your well-being — it’s harvesting data.
  • Actually read the privacy policy. We get it — nobody reads these multi-page manifestos. But when a service is vacuuming up your most intimate thoughts, it’s worth a skim. Look for the red flags: does the company share data with third parties? Can you manually delete your records? Does the policy explicitly cover the app itself, or just the website? You can always feed the policy text into an AI and ask it to flag any privacy deal-breakers.
  • Check the last updated date. An app that hasn’t seen an update in over six months is likely a playground for unpatched vulnerabilities. Remember: six out of the 10 apps Oversecured tested hadn’t been touched in months.
  • Disable everything non-essential in your phone’s privacy settings. Whenever prompted, always select “ask not to track”. When an app pleads with you to enable a specific type of tracking — claiming it’s for “internal optimization” — it’s almost always a marketing ploy rather than a functional necessity. After all, if the app truly won’t work without a certain permission, you can always go back and toggle it on later.
  • Don’t use “Sign in with…” services. Authenticating via Facebook, Apple, Google, or Microsoft creates additional identifiers and gives companies a golden opportunity to link your data across different platforms.
  • Treat everything you type like a public social media post. If you wouldn’t want a random stranger on the internet reading it, you probably shouldn’t be typing it into an app with over 150 vulnerabilities that hasn’t seen a patch since the year before last.

What else you should know about privacy settings and controlling your personal data online:

Kaspersky official blog – ​Read More

OAuth Device Code Phishing: A New Microsoft 365 Account Breach Vector

/in

ANY.RUN’s analysts are observing a sharp increase in phishing activity abusing Microsoft’s OAuth Device Code flow, with more than 180 phishing URLs detected in just one week.

This technique represents a shift from credential phishing to token-based account takeover, making detection significantly harder for many SOC teams. 

Key Takeaways 

  • OAuth Device Code phishing is rising rapidly. Campaigns abusing Microsoft’s Device Authorization Grant are increasing, with hundreds of phishing URLs appearing in short timeframes. 
  • Account takeover can occur without credential theft. Victims authenticate on legitimate Microsoft pages, yet attackers still receive OAuth tokens that grant account access. 
  • The attack abuses legitimate authentication flows. Threat actors initiate the device authorization process themselves and trick victims into approving it. 
  • Token abuse replaces password theft. Access tokens and refresh tokens allow attackers to operate within Microsoft 365 without needing stolen credentials. 
  • Encrypted HTTPS traffic hides attack signals. Because activity happens on legitimate domains and encrypted channels, detection using traditional indicators becomes harder. 
  • Automatic SSL decryption improves detection speed. ANY.RUN Sandbox extracts SSL keys from process memory to decrypt HTTPS traffic, revealing hidden scripts and network activity that enable faster investigations and reduced MTTD and MTTR. 

How the Attack Works 

In this campaign, attackers abuse Microsoft’s device login process, which is normally used to sign in on devices that cannot display a full login page. 

The attacker first initiates a login request with Microsoft. This generates two values: 

  • user_code — a short, human-readable code (e.g., EL4BGRHUZ) displayed on the fake page as a “verification code;” 
  • device_code — an internal session identifier held only by the attacker, never shown to the victim. This is the ‘claim ticket’ the attacker uses to poll Microsoft’s token endpoint. 

The victim is then shown the user_code on a phishing page, often disguised as a document verification step (for example, a fake DocuSign notification). The page instructs the user to copy the code and enter it at microsoft[.]com/devicelogin

From the user’s perspective, everything appears legitimate. They are redirected to a real Microsoft page, where they enter their credentials and complete MFA. 

However, by entering the verification code, the user is unknowingly approving a login request that was initiated by the attacker. While the victim sees only the user_code, the attacker uses the associated device_code to collect authentication tokens from Microsoft once the approval is completed. 

Microsoft then issues access tokens to the attacker’s session, allowing them to access the victim’s Microsoft 365 account. Because the login happens through legitimate Microsoft infrastructure, no credentials are stolen on the phishing page and no fake login form is required.  

Why This Attack Poses a Critical Risk and Is Harder for SOC Teams to Detect 

OAuth Device Code phishing changes how account compromise happens. This campaign represents a structural shift:  

  • The victim interacts with legitimate Microsoft domains;  
  • Credentials and MFA are entered on authentic pages;  
  • The attack runs entirely over encrypted HTTPS;  
  • Traditional phishing indicators may not trigger.  

As a result, token abuse replaces password theft. Detection relies heavily on visibility into encrypted network traffic and behavioral artifacts rather than domain reputation alone.  

For SOC teams, this means:  

  • Delayed detection: Account compromise may only be noticed after suspicious activity appears. 
  • Longer investigations: Analysts must reconstruct token-based access rather than analyze credential theft. 
  • Higher incident impact: Attackers can operate inside Microsoft 365 immediately after token issuance. 

For organizations, this creates a critical risk: attackers can immediately access corporate email, internal documents, and shared resources, impersonate employees in business email compromise schemes, and potentially maintain persistent access through refresh tokens, turning a single phishing interaction into data exposure, financial fraud, or broader account compromise

OAuth Device Code Phishing Example: Full Attack Analysis 

View sample analysis in ANY.RUN Interactive Sandbox 

Attack chain exposed in the Sandbox

The attack often begins with a landing page impersonating DocuSign, prompting the user to “Review Document.” The victim is shown a verification code and instructed to copy it. 

Key red flag: this is not a real DocuSign signing workflow. It is a scripted sequence: 

  • Copy the verification code, 
  • Click “Continue to Microsoft”, 
  • Paste the code into Microsoft’s device login page. 

The address bar typically shows a *.workers.dev domain instead of a legitimate DocuSign domain. 

Fake DocuSign page with a verification code

A Microsoft window then opens at login.microsoftonline.com/…/deviceauth, showing the form “Enter code to allow access.” The user enters the same code they were shown on the fake page.

Reduce MTTD and MTTR for phishing attacks.
Employ ANY.RUN’s solutions for faster investigations and higher detection rate. 



Integrate in your SOC


This action takes place on a legitimate Microsoft domain, even displaying Microsoft’s own warning: “Do not enter codes from sources you don’t trust.” 

Fake verification granting access to external client 

The following screen states: “You’re signing in to Microsoft Office on another device…” From the victim’s perspective, the process still appears legitimate. In reality, they are approving access for an external client controlled by the attacker, not verifying the document they originally clicked. 

Fake authorization for passing the code

The key point is: the user never enters their password on a fake site. Instead, they are guided through legitimate Microsoft infrastructure and manually transfer a code. 

How Automatic SSL Decryption Ensures Instant Detection  

From an investigation standpoint, these phishing pages often rely on JavaScript loaders and encrypted HTTPS traffic to hide the real workflow from traditional scanners.  

This is where SSL decryption in the ANY.RUN Sandbox becomes critical. By extracting TLS encryption keys directly from process memory and decrypting HTTPS traffic during execution, the sandbox reveals the hidden scripts, API requests, and attacker infrastructure involved in the phishing flow. 

SSL decryption allows Suricata IDS rules to detect malicious encrypted traffic

In this case, SSL decryption exposed the malicious JavaScript responsible for orchestrating the device authorization process and revealed high-confidence network indicators used by the phishing kit. Among them were specific API requests such as /api/device/start and /api/device/status/, along with a distinctive X-Antibot-Token header used in communication with the backend. 

Traffic decrypted with SSL decryption 

When these artifacts appear in HTTP requests to non-legitimate hosts, they become high-signal network IOCs that analysts can use to detect related phishing infrastructure and pivot to other campaign assets during investigation. 

Protecting Business from Device Code Phishing Attacks 

Because OAuth Device Code phishing abuses legitimate authentication flows and trusted infrastructure, traditional phishing detection often fails. Preventing account takeover requires strengthening the SOC processes responsible for early detection, fast triage, and proactive hunting. 

Security leaders can reduce exposure by improving three key SOC processes. 

Expand Threat Coverage with Real-Time Intelligence 

Early visibility is critical for detecting phishing infrastructure before users interact with it. Without fresh threat signals, SOC teams often discover campaigns only after accounts are already compromised. 

ANY.RUN’s Threat Intelligence Feeds help organizations improve monitoring by delivering continuously updated indicators derived from live sandbox investigations performed by thousands of security teams worldwide. 

For SOC operations, this means: 

  • Earlier detection of emerging phishing infrastructure 
  • Faster identification of campaigns targeting similar industries 
  • Higher-quality detection signals entering SIEM, EDR, and network monitoring tools 

For the business, earlier signals reduce the likelihood of successful account takeover and lower the probability of incidents escalating into financial fraud or data exposure

Accelerate Triage to Drive Down MTTD 

When a suspicious link or domain appears in an alert, SOC teams must quickly determine whether it is part of a real attack campaign. Slow validation creates backlogs, analyst fatigue, and delayed response. 

ANY.RUN’s Interactive Sandbox helps analysts investigate suspicious URLs and files in a controlled environment where the full phishing workflow becomes visible.  

ANY.RUN’s Sandbox provides instant detection and a response-ready report 

With automatic SSL decryption, the sandbox extracts encryption keys directly from process memory and reveals the contents of HTTPS sessions without altering the traffic. 

For organizations, this translates into faster investigation cycles, quicker escalation decisions, and reduced dwell time, limiting the impact of compromised accounts. 

Integrate ANY.RUN’s solutions for faster response. 
Reduce investigation time and improve detection coverage. 



Contact ANY.RUN 


Improve Threat Hunting and Campaign Correlation 

Even after a phishing page is discovered, identifying related infrastructure across the campaign is essential for preventing further compromise. 

ANY.RUN’s Threat Intelligence Lookup allows analysts to quickly verify whether indicators are linked to known campaigns and explore related artifacts across previous investigations. 

This supports SOC teams by enabling them to: 

  • connect alerts to active phishing campaigns 
  • identify related domains, files, and infrastructure 
  • prioritize investigations based on real attack activity 

For security leaders, this improves operational efficiency and ensures that analyst time is focused on the threats most likely to impact the business. 

For example, indicators associated with this campaign can be queried directly in TI Lookup using the threat name: 

threatName:”oauth-ms-phish” 

Is your business at risk? Most targeted sectors and countries 

TI Lookup instantly shows the attack landscape.  

Recently, the industries most at risk include Technology, Education, Manufacturing, and Government & Administration; primarily in the United States and India, though other countries are also affected. 

There are also complete sandbox analyses of these attacks with detailed IOCs and TTPs that the SOC analysts can use to build strong detection rules and prevent similar attacks in the future. 

View OAuth phishing examples in live sandbox detonations 

This approach helps CISOs move beyond reactive security and establish a proactive defense strategy that aligns with business priorities: minimizing operational disruption, reducing incident response costs, and protecting sensitive corporate identities. 

Conclusion 

OAuth Device Code Phishing represents an evolution in account takeover tactics. It bypasses traditional credential harvesting and exploits trust in legitimate authentication flows. The compromise happens through approved token issuance rather than stolen passwords. 

Defending against it requires deep visibility into encrypted sessions, behavioral pivoting, and rapid confirmation workflows. 

With automatic SSL decryption in ANY.RUN Sandbox, SOC teams gain the ability to see inside encrypted phishing infrastructure without disrupting traffic. What was previously hidden becomes actionable intelligence. 

About ANY.RUN   

ANY.RUN supports over 15,000 organizations across industries such as banking, manufacturing, telecommunications, healthcare, retail, and technology, helping them build stronger and more resilient cybersecurity operations.    
  
With our cloud-based Interactive Sandbox, security teams can safely analyze and understand threats targeting Windows, Linux, and Android environments in less than 40 seconds and without the need for complex on-premise systems. Combined with TI Lookup, YARA Search, and TI Feeds, we equip businesses to speed up investigations, reduce security risks, and improve teams’ efficiency. 

IOCs:  

  • singer-bodners-bau-at-s-account[.]workers[.]dev 
  • dibafef289[.]workers[.]dev 
  • ab-monvoisinproduction-com-s-account[.]workers[.]dev 
  • subzero908[.]workers[.]dev 
  • sandra-solorzano-duncanfamilyfarms-net-s-account[.]workers[.]dev 
  • tyler2miler-proton-me-s-account[.]workers[.]dev 
  • aarathe-ramraj-tipgroup-com-au-s-account[.]workers[.]dev 
  • andy-bardigans-com-s-account[.]workers[.]dev 
  • dennis-saltertrusss-com-s-account[.]workers[.]dev 
  • rockymountainhi[.]workers[.]dev 
  • workspace1717-outlook-com-s-account[.]workers[.]dev 
  • aiinnovationsfly[.]com 
  • astrolinktech[.]com 

FAQ

What is OAuth Device Code phishing?

It is a phishing technique that abuses the OAuth Device Authorization Grant. Instead of stealing credentials, attackers trick victims into approving a login request initiated by the attacker, which results in OAuth tokens being issued to them.

Why don’t victims notice the attack?

Victims authenticate on legitimate Microsoft pages and complete MFA normally. Since no fake login form is used, the process appears trustworthy.

What are the main signs of this phishing technique?

Typical indicators include verification codes shown on phishing pages, instructions to visit microsoft[.]com/devicelogin, and suspicious device authorization prompts such as “You’re signing in on another device.”

Which industries are most at risk?

Campaign analysis shows targeting of technology companies, educational institutions, financial organizations, and government agencies, although any Microsoft 365 user can be affected.

Why is this attack difficult for SOC teams to detect?

The attack leverages legitimate authentication infrastructure and encrypted HTTPS traffic. Without deep inspection of network activity, the malicious flow blends into normal login behavior.

How does SSL decryption help detect these attacks?

SSL decryption exposes hidden JavaScript and encrypted traffic within phishing pages, allowing analysts to observe real network requests, identify IoCs, and reconstruct the attack chain.

How can organizations reduce the risk?

Organizations should combine threat intelligence, strong identity controls, security awareness, and dynamic malware analysis tools such as ANY.RUN Sandbox to quickly detect phishing infrastructure and extract behavioral indicators.

The post OAuth Device Code Phishing: A New Microsoft 365 Account Breach Vector appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Australia, New Zealand, Tonga, Warn of Rising INC Ransom Attacks Targeting Pacific Networks

/in

INC Ransom

Cybersecurity agencies across the Pacific region are sharing concerns about the ransomware group INC Ransom’s expanding activities and the growing influence of its affiliate network.

A joint advisory issued by the Australian Cyber Security Centre (ACSC), National Computer Emergency Response Team Tonga (CERT Tonga), and the New Zealand National Cyber Security Centre (NCSC) highlights how the INC Ransom ecosystem has become an active threat to organizations in Australia, New Zealand, and Pacific Island states.

The advisory from the agencies down under is designed for both technical specialists and general network defenders. It outlines how INC Ransom operates, the techniques its affiliates use, and the steps organizations can take to reduce their exposure. Officials from the three agencies are urging both government ministries and private organizations to review the mitigation measures outlined in the guidance to strengthen defenses against INC Ransom activity.

What distinguishes this campaign is not only the ransomware itself, but the operational structure behind it. The INC Ransom ecosystem relies on a distributed affiliate model, enabling a broad range of cybercriminal operators to conduct attacks using shared tools and infrastructure.

The INC Ransom Affiliate Model and the RaaS Ecosystem

The operational structure of INC Ransom, which functions as a Ransomware-as-a-Service (RaaS) platform. The model allows external affiliates to deploy ransomware against victims while the core operators manage extortion negotiations and payment collection. 

INC Ransom first emerged in mid-2023 as a financially motivated cybercriminal group believed to be based in Russia. Since then, the group has built an affiliate network that distributes ransomware to attackers targeting organizations worldwide. Within this structure, affiliates perform the technical intrusion and deployment of the malware, while the core INC Ransom operators handle victim communication and ransom demands. 

The group is also known by other threat-intelligence labels, including Tarnished Scorpion and GOLD IONIC. 

According to the advisory from ACSC, NCSC, and CERT Tonga, INC Ransom operations are particularly focused on organizations that manage sensitive or high-value information. Health care providers have become a prominent target globally, likely due to the operational pressure these organizations face when systems become unavailable. 

Although earlier activity concentrated on victims in the United States and the United Kingdom, threat intelligence collected by ACSC, NCSC, and CERT Tonga indicates that the group has shifted attention toward the Pacific region since early 2025. 

INC Ransom Incidents in Australia

In Australia, ACSC has tracked a series of incidents linked to INC Ransom affiliates. 

Between 1 July 2024 and 31 December 2025, the ACSC responded to 11 incidents attributed to the ransomware operation. These incidents primarily affected organizations in professional services and the health care sector. 

Since January 2025, analysts at the ACSC have observed INC Ransom affiliates targeting Australian health care entities through compromised user accounts. Once access is obtained, attackers typically escalate privileges by creating new administrator-level accounts. They then move laterally through internal systems to expand control within the network. 

During these operations, INC Ransom affiliates have deployed malicious payloads using filenames such as “win.exe.” Investigations conducted by the ACSC have also identified cases in which attackers exfiltrated personally identifiable information and medical records before launching the encryption phase. 

Victims typically discover ransom notes containing instructions and links to the INC Ransom Tor-based data leak site (DLS) where negotiations occur. 

Health Infrastructure Disruption in Tonga 

One of the most disruptive incidents linked to INC Ransom occurred in the Kingdom of Tonga. 

On 15 June 2025, the ICT environment of the Tongan Ministry of Health was hit by a ransomware attack that disrupted the national health care network and rendered several core services inaccessible. Investigators from CERT Tonga, working with regional partners including ACSC and NCSC, discovered a ransom note associated with INC Ransom embedded within the ministry’s file systems. 

On 26 June 2025, the INC Ransom group publicly claimed responsibility for the incident on its dark-web data leak site. 

The advisory further identifies Roman Khubov, a cybercriminal also known as “blackod,” as the individual controlling the malicious infrastructure used to exfiltrate data during the Ministry of Health breach. 

Ransomware Incident in New Zealand 

Ransomware activity remains a persistent problem in New Zealand, where multiple sectors of the economy have experienced disruptions. 

In May 2025, the NCSC received a report from a health-sector organization that had suffered a major ransomware intrusion. According to the notification, attackers encrypted a large number of servers and endpoint devices while also stealing significant volumes of data. 

The NCSC investigation determined that INC Ransom was responsible for the incident. After the organization refused to meet the extortion demand, the attackers published the stolen dataset on the INC Ransom data leak site. 

The event reinforced concerns among cybersecurity officials at NCSC, ACSC, and CERT Tonga that the group’s tactics are targeting organizations whose operations are highly sensitive to disruption. 

Technical Tactics Used by INC Ransom 

Technical analysis from ACSC, NCSC, and CERT Tonga shows that INC Ransom affiliates rely on several common intrusion techniques to gain initial access to victim networks. 

The most frequently observed entry points include: 

  • Spear-phishing campaigns targeting employees 

  • Exploitation of unpatched internet-facing systems 

  • Purchased credentials from initial access brokers 

Once inside the network, INC Ransom affiliates often rely on legitimate software tools rather than custom malware to perform key tasks. This tactic allows malicious activity to blend into normal administrative operations. 

For example: 

  • 7-Zip and WinRAR are used to compress data before theft. 

  • The file synchronization tool rclone is frequently used to transfer stolen data outside the network. 

After data exfiltration, attackers deploy the encryption component of INC Ransom. A ransom note is then left on affected systems with payment instructions and contact details. 

If the targeted organization refuses to pay, INC Ransom operators initiate double-extortion tactics by publishing both the victim’s name and stolen information on the group’s leak site. 

Security analysts note that the tactics, techniques, and procedures (TTPs) used by INC Ransom share similarities with other ransomware operations such as Lynx, Nemty, Nemty X, Karma, and Nokoyawa. 

Defensive Measures Recommended by ACSC, NCSC, and CERT Tonga 

The joint advisory from ACSC, NCSC, and CERT Tonga outlines several practical security measures designed to reduce the risk of INC Ransom compromise. 

Key defensive actions include: 

  • Maintain Reliable Backups: Organizations should maintain regular, tested backups of critical systems and store them securely to prevent unauthorized modification or deletion. 

  • Restrict Network Traffic: Network administrators should limit inbound and outbound traffic to only what is necessary for operations. Firewalls and filtering technologies can help reduce exposure to phishing campaigns and malicious attachments. 

  • Harden Remote Access: Virtual private networks (VPNs) and other remote access systems should be carefully configured to ensure only authorized users can reach sensitive resources. 

  • Implement Multi-Factor Authentication: The advisory from ACSC, NCSC, and CERT Tonga emphasizes implementing phishing-resistant multi-factor authentication (MFA) for internet-facing services and privileged accounts. 

  • Manage Privileged Access: Administrative privileges should be tightly controlled. Unique accounts for administrators improve accountability and reduce the impact of credential compromise. 

  • Maintain Strong Vulnerability Management: Regular vulnerability scanning and rapid patching of exposed systems remain critical, particularly for internet-facing services that ransomware actors commonly target. 

Growing Regional Collaboration Against the INC Ransom 

The joint advisory reflects cooperation among cybersecurity agencies across the Pacific. By sharing intelligence and incident data, organizations such as ACSC, NCSC, and CERT Tonga are building a more coordinated response to ransomware threats like INC Ransom. 

The rise of affiliate-driven ransomware operations has significantly lowered the barrier to entry for cybercriminal activity. In this environment, the INC Ransom ecosystem demonstrates how distributed attacker networks can rapidly shift focus across geographic regions. 

For organizations in Australia, New Zealand, and the Pacific islands, the advisory from the Australian Cyber Security Centre (ACSC), New Zealand National Cyber Security Centre (NCSC), and National Computer Emergency Response Team Tonga (CERT Tonga) highlights the need to strengthen access controls, monitor network activity, and maintain a tested incident response plan to limit the impact of ransomware attacks. 

Threat intelligence from Cyble helps organizations track ransomware activity, monitor dark web exposure, and identify indicators of compromise earlier. 

Schedule a demo with Cyble to see how its threat intelligence platform supports ransomware detection and response. 

References:

The post Australia, New Zealand, Tonga, Warn of Rising INC Ransom Attacks Targeting Pacific Networks appeared first on Cyble.

Cyble – ​Read More

Ransomware attacks on schools and colleges | Kaspersky official blog

/in

Back when ransomware was just a startup industry, the primary goal of the attackers was simple: encrypt data, then extort a ransom in exchange for decrypting it. Because of this, cybercriminals mostly targeted commercial enterprises — companies that valued their data enough to justify a hefty payout. Schools and colleges were generally left alone — hackers assumed educators didn’t have the kind of data worth paying a ransom for.

But times have changed, and so has the ransomware groups’ business model. The focus has shifted from payment for decryption, to extortion in exchange for non-disclosure of stolen data. Now, the “incentive” to pay isn’t just about restoring the company’s normal operations, but rather avoiding regulatory trouble, potential lawsuits, and reputational damage. And it’s this shift that’s put educational institutions in the crosshairs.

In this post, we discuss several cases of ransomware attacks on educational organizations, why they took place, and how to keep cybercriminals out of the classroom.

Attacks on educational institutions in 2025–2026

In February 2026, the Sapienza University of Rome, one of Europe’s oldest and largest higher education institutions, suffered a ransomware attack. Internal systems were down for three days. According to sources familiar with the incident, the cybercriminals sent the university’s administration a link leading to a ransom demand. Upon clicking the link, a countdown timer started on the site that opened — counting down from  72 hours: the time the attackers demands needed to be met. As of now, there’s still no word on whether the university administration paid up or not.

Unfortunately, this case isn’t an exception. At the very end of 2025, attackers targeted another Italian educational institution — a vocational training center in the small city of Treviso. Things aren’t looking much better in the UK, either: in the same year, Blacon High School was hit by ransomware. Its administration had to shut its doors for two days to restore its IT systems, assess the scale of the incident, and prevent the attack from spreading further through the network.

In fact, a UK government study suggests these incidents are just part of a broader trend. According to its 2025 data, cyberincidents hit 60% of secondary schools, 85% of colleges, and 91% of universities. Across the pond, American researchers also noted that in the first quarter of 2025, ransomware attacks in the global education sector surged by 69% year on year. Clearly, the trend is global.

Why schools and universities are becoming easy targets

The core of the problem is that modern educational organizations are rapidly incorporating digital services into their operations. A typical school or university infrastructure now manages a dizzying array of services:

  • Electronic gradebooks and registers
  • Distance learning platforms
  • Admission systems and databases for storing applicants’ personal data
  • Cloud storage for educational materials
  • Internal staff and student portals
  • Email for faculty, students, and the administration to communicate

While these systems make education more convenient and manageable, they also drastically expand the attack surface. Every new service and every additional user account is a potential doorway for a phishing campaign, access compromise, or a personal data leak.

According to a UK study, the primary vector for these attacks is basic phishing. But that’s not all that surprising: since the education sector was off the cybercriminals’ radar for so long, cybersecurity training for both staff and students was hardly a priority. As a result, even the most seasoned professors can find themselves falling for a fake email purportedly sent by the “dean” or the “school principal”.

But it’s not just the faculty. Students themselves often unwittingly act as mules for malware. In many institutions, students still frequently hand in assignments on USB flash drives. These drives travel across various home or public devices, picking up malicious digital hitchhikers along the way. All it takes is one infected USB drive plugged into a campus workstation to give an attacker a foothold in the internal network.

It’s worth noting that while USB drives aren’t as ubiquitous as they were a decade ago, they remain a staple in the educational environment. Dismissing the threats they carry isn’t a good idea.

How to ensure the cybersecurity of educational infrastructure

Let’s face it: training every literature and biology teacher to spot phishing emails is now easy, quick task. Similarly, the educational system isn’t going to cut down on USB usage overnight.

Fortunately, a robust security solution (such as Kaspersky Small Office Security) can do the heavy lifting for you. It’s ideal for schools and colleges that need set-it-and-forget-it protection without a steep learning curve. Plus, it’s affordable even for institutions operating on a tight budget, and doesn’t require constant management.

At the same time, Kaspersky Small Office Security addresses all the threats we’ve discussed above: it blocks clicks on phishing links, automatically scans USB drives the moment they’re plugged in, and prevents suspicious files from executing on devices connected to the school’s network.

Kaspersky official blog – ​Read More

What cybersecurity actually does for your business

/in

The ability to continue operating safely in an unsafe environment where competitors cannot is a competitive advantage that is rarely measured or discussed

WeLiveSecurity – ​Read More

Patch, track, repeat: The 2025 CVE retrospective

/in

Patch, track, repeat: The 2025 CVE retrospective

Welcome to this week’s edition of the Threat Source newsletter.

It’s time to look back at a year that pushed the vulnerability landscape to new heights. I’ll admit this retrospective is arriving a bit later than planned. With 48,196 CVEs in 2025 (a stunning 132 vulnerabilities per day), the analysis takes time — especially when you’re operating one-handed after an encounter with black ice breaks your dominant arm. But better thorough than rushed, right?

Patch, track, repeat: The 2025 CVE retrospective

What concerns me more than the sheer volume is what’s inside these CVEs. XSS, SQL injection, and deserialization vulnerabilities continue to dominate, accounting for roughly 10,000 CVEs. Despite decades of awareness, these fundamental software security weaknesses persist. 

The Known Exploited Vulnerabilities (KEV) Catalog tells an even more sobering story. With 241 KEVs in 2025 compared to 186 in 2024, we saw a 30% increase in confirmed active exploitation.

Patch, track, repeat: The 2025 CVE retrospective

94 KEVs (39%) added in 2025 originated from CVE-2024 and earlier. We saw actively exploited vulnerabilities from as far back as 2007 — yes, vulnerabilities old enough to vote in some countries are still causing problems today. Patch management must address legacy systems. It starts with visibility: maintaining accurate asset inventories and understanding what’s actually running in your environment. For those systems that truly can’t be patched, whether due to operational constraints or vendor abandonment, compensating controls become essential. Microsegmentation, network isolation, and enhanced monitoring can reduce the radius of damage when (not if) something goes wrong.

Patch, track, repeat: The 2025 CVE retrospective

With 54 KEVs targeting firewalls, VPNs, and other network appliances, we saw network infrastructure take a disproportionate hit. And the vendor landscape in KEVs expanded to 99 vendors in 2025, up from 79 when I last checked in October. Connect that with supply chain complexity and the patch management visibility challenges I mentioned earlier, and you’ll quickly realize why security teams are spending more time — not less — on vulnerability management. Every additional vendor in your environment is another patch cycle to track, another advisory to monitor, another potential weak link in the chain.

This is the first time I’ve attempted to systematically track AI-related vulnerabilities in the CVE data, and the methodology is still evolving. Defining what constitutes an “AI vulnerability” isn’tstraightforward. For this initial pass, I searched for CVEs containing specific keywords across several categories:

Category 

Keywords 

AI Platforms 

AutoGPT, Open WebUI, Ollama, vLLM, llama.cpp, LLaMA-Factory, MaxKB, Dify, LangChain 

ML Frameworks 

PyTorch, TensorFlow, scikit-learn, XGBoost, Hugging Face, MLflow 

LLM Products 

ChatGPT, GPT-3, GPT-4, OpenAI, Anthropic, Claude Code 

AI Concepts 

prompt injection, large language model, Model Context Protocol 

Using this approach, AI-related CVEs nearly doubled year-over-year, jumping from 168 to 330. Notably, “Model Context Protocol (MCP)” and “Claude” didn’t appear in 2024 data at all. 

A word of caution: While CVE data provides valuable insight into disclosed vulnerabilities in AI tools and frameworks, it doesn’t capture emergent risks such as jailbreaking, hallucination-based misinformation, training data extraction, or model inversion attacks. See https://genai.owasp.org/llm-top-10/ and https://atlas.mitre.org/ if you want to learn more. 

Keep tracking, keep patching, and stay tuned for the 2025 Year in Review for more trend analysis.

The one big thing 

Cisco Talos continues to monitor the ongoing conflict in the Middle East. At this time we have not seen any significant cyber impacts, with some small incidents such as web defacements and small-scale distributed-denial-of-service (DDoS) attacks occurring. As with any highly fluid or dynamic situation, we are focused on providing our customers with highly accurate and timely intelligence and information. We will remain vigilant looking to identify any cyber related activity relevant to the region. 

Why do I care? 

Currently there does not appear to be any significant increase in cyber activity associated with state-sponsored or state-affiliated groups. However, cyber criminals are likely to take advantage of the war to try and increase their scope of infections through the use of lures and other social engineering avenues. 

So now what? 

Recommendations for organizations are currently focused on security hygiene, to include having multi-factor authentication (MFA) enabled, being diligent around any links or documents that are circulating, and ensuring you have proper monitoring in place to ensure you are prepared for any collateral impacts as they arise. Additional inspection or controls may be warranted to insulate potential larger impacts to the wider organization. Warn employees against clicking on unsolicited links related to the Middle East conflict, whether news or humanitarian. As always, ensure all software has been updated to the latest versions to minimize the attack surface and ensure you have a robust patching process.  

If and/or when more relevant information becomes available, we will update this blog accordingly.

Top security headlines of the week 

Hackers steal medical details of 15 million in France 
France’s health ministry has confirmed a data breach involving the exposure of administrative information for 15.8 million patients and sensitive doctors’ notes for approximately 165,000 individuals. (France 24) 

Google addresses actively exploited Qualcomm zero-day 
The memory-corruption vulnerability (CVE-2026-21385) which Google’s Androidsecurity team reported to Qualcomm Dec. 18, affects 234 chipsets, Qualcomm said in a security bulletin. (CyberScoop

Quantum decryption of RSA may be much closer than expected 
The Advanced Quantum Technologies Institute announced that the JVG algorithm requires thousand-fold less quantum computer resources, and “research extrapolations suggest it will require less than 5,000 qubits to break encryption methods used in RSA and ECC.” (SecurityWeek

Indian APT “Sloppy Lemming” targets defense, critical infrastructure 
The group has evolved from using off-the-shelf red teaming tools like Cobalt Strike and Havoc C2 to developing its own custom tooling written in Rust, while expanding its C2 infrastructure (DarkReading

Can’t get enough Talos? 

UAT-9244 targets South American telecommunication providers 
Since 2024, UAT-9244 has targeted critical telecommunications infrastructure, including Windows and Linux-based endpoints and edge devices in South America, proliferating access via three malware implants.

New Dohdoor malware campaign targets education and health care 
Dohdoor utilizes the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and has the ability to download and execute other payload binaries reflectively.

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe  
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
Example Filename: d4aa3e7010220ad1b458fac17039c274_64_Dll.dll  
Detection Name: Auto.90B145.282358.in02 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: https_2915b3f8b703eb744fc54c81f4a9c67f.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55  
MD5: 41444d7018601b599beac0c60ed1bf83  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55  
Example Filename: content.js  
Detection Name: W32.38D053135D-95.SBX.TG 

SHA256: 5bb86c1cd08fe5e1516cba35c85fc03e503bd1b5469113ffa1f1b9e10897f811  
MD5: f3e82419a43220a7a222fc01b7607adc  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=5bb86c1cd08fe5e1516cba35c85fc03e503bd1b5469113ffa1f1b9e10897f811  
Example Filename: Accounts Final-2024 .exe  
Detection Name: Win.Dropper.Suloc::1201 

Cisco Talos Blog – ​Read More