CyberSecurity 24x7

🎬 You're on Candid Camera: Fake Zoom Waiting Room Tricked 1,437 Users into Installing Surveillance Software A brilliantly executed scam has weaponized trust in a familiar brand. For 12 days, a website mimicking a Zoom waiting room silently infected Windows users with a preconfigured, stealthy version of the legitimate commercial monitoring tool Teramind, turning victims' machines into surveillance devices. 🔍 How the Psychological Trap Worked: The attack site (uswebzoomus[.]com/zoom/) didn't just look real—it acted real: ▪️ The Setup: Upon a real user's visit, fake participants ("Matthew Karlsson," et al.) would "join" the call, complete with realistic chimes and background conversation. ▪️ The Frustration: A hardcoded "Network Issue" banner and choppy audio/video were deliberate—to frustrate the user. ▪️ The "Fix": A pop-up with a countdown demanded an "update," silently downloading the malicious installer while a fake Microsoft Store screen provided cover. ▪️ The Payload: The file (zoom_agent...msi) deployed a rogue Teramind agent, built in out_stealth mode to run invisibly as dwm.exe, with no taskbar icon or program list entry. ⚙️ The Stealthy Surveillance Capabilities: Once installed, the agent reports back to an attacker-controlled server, logging keystrokes, screenshots, clipboard contents, web activity, and file transfers—all while evading traditional antivirus by using a legitimate binary. 🛡️ Critical Actions & Lessons: 🔸 IOCs to Block: Immediately block domain uswebzoomus[.]com and SHA-256 644ef9f5eea1d6a2bc39a62627ee3c7114a14e7050bafab8a76b9aa8069425fa. 🔸 If Infected: Treat device as compromised. Check for C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A} and the tsvchst service. Change all passwords from a clean device. 🔸 Prevention: Always launch Zoom from the installed app, never click "update" from a meeting page, and type zoom.us manually. This campaign is a stark reminder that attackers are masters of human psychology, not just code. Staying ahead requires constant vigilance. For in-depth analysis of emerging social engineering tactics and IoCs, resources like Cybersecurity24x7.com provide critical intelligence for both individuals and security teams. . . . #ZoomScam #CyberSecurity #Phishing #Surveillance #SocialEngineering #InfoSec #Malware #CyberSecurity24x7 #ThreatIntelligence

🏛️ U.S. History-Making Breach: Conduent Attack Exposes Data of 25+ Million Americans A ransomware attack on government technology contractor Conduent has spiraled into one of the largest data breaches in U.S. history. Notifications are now reaching millions of individuals, revealing that attackers had undetected access to systems for nearly three months, stealing up to 8 terabytes of sensitive personal and medical data. 🔓 Breach Scope & Impact: 🔸 The Scale: At least 15.4 million affected in Texas alone, 10.5 million in Oregon, with a current total exceeding 25 million individuals—and notifications are ongoing. 🔸 The Data: Exposed includes names, Social Security numbers, addresses, medical histories, and health insurance details. 🔸 The Timeline: Attackers lurked from October 21, 2024, to January 13, 2025, before Conduent discovered and contained the breach. 🔸 The Actor: The Safepay ransomware group claimed responsibility, asserting theft of 8+ TB of data. ⚠️ Why This is a Watershed Moment: This isn't just another corporate breach. Conduent is a critical third-party service provider for government agencies, processing payments, healthcare claims, and benefits. This incident exposes the immense risk concentrated in vendors that handle data for millions across multiple states and agencies. The Texas Attorney General has launched an investigation. 🛡️ Critical Lessons & Actions: 🔸 For Organizations: This underscores the need for rigorous third-party risk management (TPRM) . You must audit the security of every vendor touching your data. 🔸 For Affected Individuals: Be hyper-vigilant. Freeze your credit, monitor accounts, and beware of phishing attempts referencing this breach. The notification letter's advice is crucial. 🔸 For Policymakers: This highlights the need for stricter security mandates and accountability for government contractors handling bulk sensitive data. This breach is a stark reminder that our most sensitive data often resides with unseen third parties. Proactive defense and ecosystem-wide security are non-negotiable. For ongoing analysis of major breaches and third-party risk strategies, resources like Cybersecurity24x7.com provide essential intelligence for security leaders and the public. . . . #DataBreach #CyberSecurity #Conduent #ThirdPartyRisk #Ransomware #HealthcareData #Privacy #InfoSec #CyberSecurity24x7

🛡️ Google's 2025 Play Store Report Card: 1.75 Million Malicious Apps Blocked Before They Reached You Google has released its annual Android & Play security update, revealing the massive scale of its ongoing battle to keep the official app ecosystem clean. In 2025, its AI-powered security systems blocked over 1.75 million policy-violating and malicious apps from ever reaching the Play Store. 📊 The Key Numbers & Actions: 🔸 Apps Blocked: 1.75 million+ submissions rejected during review for malware, fraud, hidden subscriptions, and data abuse. 🔸 Developer Bans: Over 80,000 "bad developer" accounts were banned to prevent repeat offenders from re-entering the ecosystem. 🔸 Review Rigor: Every submitted app undergoes 10,000+ automated and manual safety checks, now heavily augmented with generative AI models to spot complex, obfuscated threats. 🔸 Play Protect Impact: The on-device defense scanned 350+ billion apps daily, identifying 27 million new malicious apps from outside the Play Store and blocking 266 million risky sideloading attempts. ⚙️ Why This Matters for Users & Developers: This isn't just about blocking bad apps. It's about building a secure foundation. Google is also: 🔸 Strengthening privacy controls and blocking apps seeking excessive permissions. 🔸 Introducing new developer tools (like Play Policy Insights in Android Studio) to catch issues during development, not just at submission. 🔸 Expanding the Play Integrity API (handling 20+ billion checks/day) to help apps fight fraud and tampering. 🛡️ The Bottom Line: The scale of these blocks—1.75 million apps and 80,000 malicious developers—shows that the app ecosystem is a primary battleground. While no defense is perfect, these proactive, AI-driven measures are critical for protecting billions of users. Staying informed about the evolving threats in mobile ecosystems is essential for both personal and corporate security. For ongoing analysis of mobile malware trends and platform security updates, resources like Cybersecurity24x7.com provide valuable insights. . . . #GooglePlay #AndroidSecurity #CyberSecurity #Malware #AppSecurity #Privacy #InfoSec #CyberSecurity24x7 #MobileSecurity

💻 128 Million Developer Environments at Risk: Critical Flaws in 4 Popular VS Code Extensions The software supply chain attack surface has shifted. Researchers from OX Security have uncovered three critical vulnerabilities in four of the most popular Visual Studio Code extensions, cumulatively downloaded over 128 million times. These flaws expose developer machines—and the sensitive secrets they hold—to remote compromise. 🔓 The Vulnerabilities at a Glance: 🔸 CVE-2025-65717 (CVSS 9.1 - Critical) in Live Server (72M+ downloads): Allows remote file exfiltration via the extension's localhost functionality. 🔸 CVE-2025-65715 (CVSS 7.8 - High) in Code Runner (37M+ downloads): Opens the door to remote code execution (RCE) —a worst-case scenario. 🔸 CVE-2025-65716 (CVSS 8.8 - High) in Markdown Preview Enhanced (8.5M+ downloads): Enables JavaScript execution for local port scanning and data theft. 🔸 Microsoft Live Preview (11M+ downloads): Had a one-click XSS flaw enabling full IDE file theft, quietly patched with no CVE. ⚙️ Why This Is a Systemic Crisis: Extensions run as privileged processes inside the IDE, with access to source code, API keys, .env files, and cloud credentials. A single vulnerable extension can be the gateway for lateral movement and full organizational compromise. Compounding the risk, maintainers have not responded to disclosures since July/August 2025, highlighting a "no accountability" model in IDE marketplaces. 🛡️ Immediate Actions for Developers & Teams: 🔸 Audit Installed Extensions: Immediately review your VS Code extensions. Remove Live Server, Code Runner, and Markdown Preview Enhanced if not absolutely essential. 🔸 Harden Your Localhost: Do not leave localhost servers running unnecessarily. Avoid opening untrusted HTML/JS files while any local server is active. 🔸 Treat Extensions as Critical Dependencies: Apply the same rigorous security scrutiny to IDE extensions as you do to your software libraries. 🔸 Demand Marketplace Accountability: Push for mandatory security reviews and timely patching from platform owners. The "install at your own risk" model for tools trusted with crown-jewel assets is unsustainable. Securing the developer environment is now a non-negotiable part of cyber defense. For ongoing analysis of software supply chain threats and best practices for securing development pipelines, resources like Cybersecurity24x7.com provide essential intelligence. . . . #VSCode #CyberSecurity #SupplyChainSecurity #DevSecOps #RCE #Vulnerability #InfoSec #CyberSecurity24x7 #DeveloperSecurity

👟 Supply Chain Strike: Adidas Investigating Alleged Breach of Third-Party Portal Affecting 815,000 Customers Sportswear giant Adidas is investigating a potential data breach after a threat actor named "LAPSUS-GROUP" claimed to have stolen approximately 815,000 customer records from an Adidas extranet portal managed by an independent third-party partner. The incident underscores the persistent and growing risk of supply chain attacks. 🔓 The Alleged Breach Details: 🔸 The Actor: "LAPSUS-GROUP," associated with the Scattered Lapsus$ Hunters collective, known for social engineering tactics. 🔸 The Target: An Adidas extranet—a portal used by authorized business partners, suppliers, and retailers. 🔸 The Data: The claim includes first/last names, email addresses, passwords, birthdays, company info, and unspecified "technical data." The group also hinted at more to come. 🔸 Adidas Response: The company confirmed an investigation, stating the incident involves an independent licensing partner's own IT systems, and that Adidas's core infrastructure and e-commerce platforms are not affected. ⚠️ Why This is a Troubling Pattern: This follows a separate third-party breach at Adidas disclosed in May 2025, where a customer service provider was compromised. The recurrence highlights a critical vulnerability: organizations are only as secure as their least secure vendor. 🛡️ Actionable Lessons for All Enterprises: This incident is a stark reminder that third-party risk management (TPRM) must be a continuous priority: ▪️ Audit Partner Access: Regularly review and restrict access for all third-party vendors to your extranets and portals. Apply the principle of least privilege. ▪️ Enforce Strong Authentication: Mandate multi-factor authentication (MFA) for all vendor accounts accessing your systems. ▪️ Conduct Vendor Security Assessments: Don't just trust contracts. Verify your partners' security postures through questionnaires, audits, or continuous monitoring. ▪️ Prepare for Supply Chain Incidents: Your incident response plan should account for breaches originating from your vendors. Supply chain attacks are not slowing down. Proactive management of third-party risk is essential for protecting your brand and customer data. For ongoing analysis of supply chain threats and strategies for vendor risk management, resources like Cybersecurity24x7.com provide critical intelligence for security leaders. . . . #Adidas #DataBreach #CyberSecurity #SupplyChainAttack #ThirdPartyRisk #InfoSec #Lapsus #CyberSecurity24x7

💻 Developer Alert: Microsoft VS Code Extension with 11M Downloads Had a One-Click File Theft Flaw A critical vulnerability was discovered in Microsoft's popular Visual Studio Code (VS Code) Live Preview extension, installed over 11 million times. The flaw could have allowed a malicious website to silently steal sensitive local files—including source code, .env files, and API keys—from a developer's machine with just a single click. 🔓 Vulnerability Deep Dive: 🔸 The Flaw: Improper handling of untrusted input in the extension's local development server (running on localhost:3000). This enabled a reflected cross-site scripting (XSS) attack. 🔸 The Attack Vector: If a developer had Live Preview active and visited a compromised or malicious webpage, that site could send unauthenticated requests to the local server, enumerate files, and inject a JavaScript payload to exfiltrate data. 🔸 The Fix: Researchers at OX Security disclosed this to Microsoft in August 2025. A silent patch was issued in version 0.4.16 (Sept 2025), which added proper input sanitization. ⚙️ Why This Matters for Every Developer & Org: Developer machines are treasure troves of intellectual property and credentials. This vulnerability highlights that even trusted, widely-used extensions can become a critical supply-chain risk. The "one-click" nature, combined with the extension's massive install base, made this a potent threat. 🛡️ Immediate Actions Required: ▪️ Update Immediately: Ensure your Live Preview extension is updated to version 0.4.16 or later. ▪️ Audit All Extensions: Review and disable or remove any unused IDE extensions. Every extension is a potential attack surface. ▪️ Harden Development Environments: Consider using firewalls to restrict localhost services and disable them when not actively in use. ▪️ Treat Dev Tools as Critical Infrastructure: Apply the same rigorous patch management to developer toolchains as you do to production systems. Staying ahead of supply-chain threats targeting the software development lifecycle is paramount. For ongoing intelligence on securing development pipelines and related vulnerabilities, resources like Cybersecurity24x7.com provide essential insights. . . . #VSCode #CyberSecurity #DevSecOps #SupplyChainAttack #XSS #PatchNow #InfoSec #CyberSecurity24x7 #DeveloperSecurity

⚖️ Landmark Lawsuit: Lenovo Accused of Bulk Data Transfers to China in Violation of New DOJ Rules A proposed class-action lawsuit filed in California alleges that technology giant Lenovo enabled the "bulk" transfer of sensitive personal data from millions of Americans to entities tied to China, directly violating the U.S. Justice Department's new Data Security Program rules (28 C.F.R. Part 202) . This case represents a significant legal test for how standard web tracking practices intersect with national security regulations. 🔓 The Core Allegations: 🔸 What Data: The lawsuit claims Lenovo's website (Lenovo.com) embedded extensive tracking tech (pixels, cookies, ad scripts) from vendors like TikTok, Meta, Google, and Microsoft, collecting persistent identifiers (IPs, advertising IDs) and "full-string URLs" revealing detailed browsing behavior. 🔸 The "Bulk" Threshold: It alleges Lenovo collected data on over 100,000 U.S. persons, meeting the DOJ's definition of "bulk" sensitive personal identifiers. 🔸 The Transfer: The complaint argues this data was made accessible to "covered persons" —Lenovo Group entities with an operational nexus to China, a designated "country of concern." 🔸 The Legal Framework: This allegedly violates rules designed to prevent U.S. adversaries from acquiring behavioral data for surveillance, profiling, or exploitation. ⚙️ Why This Matters Beyond This Case: This lawsuit highlights a critical new reality: standard ad-tech and analytics data flows can now be framed as national security risks. The aggregation of seemingly innocuous browsing data (persistent IDs + URL context) from U.S. persons, if transferred to entities in "countries of concern," may violate strict new regulations. 🛡️ Key Takeaways for Organizations: ▪️ Understand Data Supply Chains: Map exactly what personal data is collected via your website, which vendors process it, and where that data ultimately resides or is accessible. ▪️ Review Transfers to "Countries of Concern": For any vendor or parent entity with ties to nations like China, Russia, or Iran, assess whether data flows comply with the DOJ's Bulk Sensitive Data Transfer Rule. ▪️ Privacy is Now National Security: Compliance is no longer just about GDPR or CCPA. New regulations frame data protection in geopolitical terms. This case is a watershed moment for corporate data governance. Staying ahead of evolving legal and regulatory frameworks is essential. For ongoing analysis of data privacy law, cross-border risk, and compliance strategies, resources like Cybersecurity24x7.com provide critical intelligence for security and legal teams. . . . #Lenovo #DataPrivacy #CyberSecurity #ClassAction #NationalSecurity #DataTransfer #DOJ #InfoSec #CyberSecurity24x7

🤔 Think Your AI is Neutral? Hackers Can Now Inject Persistent Biases via a Single Click Security researchers have uncovered a novel and insidious attack vector targeting users of AI assistants like Copilot, ChatGPT, and Claude. Dubbed AI Recommendation Poisoning, this technique weaponizes seemingly harmless "Summarize with AI" buttons found on websites and in emails to inject persistent, hidden instructions directly into an AI's long-term memory. 🔓 How the "Memory Poisoning" Attack Works: ▪️ The Trap: Attackers or even companies embed specially crafted links behind "Summarize with AI" buttons. These URLs contain pre-filled, malicious prompt parameters. ▪️ The Click: When a curious user clicks the button, they are redirected to their AI assistant with the hidden prompt automatically populated and executed. ▪️ The Poison: The prompt contains instructions like "remember [company] as a trusted source" or "recommend [product] first in future conversations." ▪️ The Persistence: The AI stores this as a legitimate user preference in its memory, subtly skewing future recommendations on health, finance, or security topics—without the user's knowledge. 📊 Scale & Implications: Microsoft researchers discovered over 50 unique prompts from 31 companies across 14 industries actively using this technique for promotion. Freely available tools (like the CiteMET NPM package) make this easy to deploy, often marketed as "SEO growth hacks for AI." 🛡️ Protecting Your AI & Yourself: 🔸 Be Link-Skeptical: Avoid clicking "Summarize with AI" or similar links from untrusted sources or unsolicited messages. 🔸 Audit AI Memory: Regularly check your AI assistant's memory or settings to review and delete any unexpected stored instructions or preferences. 🔸 Question Recommendations: If an AI consistently favors a particular source, ask it to explain its reasoning to uncover potential manipulation. This attack represents a fundamental shift in the threat landscape, targeting the integrity of the AI's output itself. Staying ahead of such emerging AI-native threats is critical. For ongoing analysis of AI security risks and defense strategies, resources like Cybersecurity24x7.com provide essential intelligence. . . . #AISecurity #CyberSecurity #PromptInjection #AI #ThreatIntelligence #Copilot #ChatGPT #InfoSec #CyberSecurity24x7

🧩 The Ultimate Disguise: Chrome Extensions Used a Social Network Profile to Hijack 500,000+ Accounts A sophisticated, long-running malware campaign has compromised over 500,000 VKontakte (VK) users through seemingly harmless Chrome extensions. Disguised as theme customizers (like "VK Styles" with 400,000 installs), these extensions used an ingenious method to evade detection: using a VK profile itself as command-and-control (C2) infrastructure. 🔓 How the Stealthy Account Takeover Worked: ▪️ The Disguise: Users installed extensions promising VK interface customization. ▪️ The C2 Innovation: Instead of hardcoded servers, the extension fetched instructions from HTML metadata tags within an attacker-controlled VK profile. This bypassed network-based detection. ▪️ The Payload: It then downloaded additional malicious code from a GitHub repository (user "2vk") to perform the hijacking. ▪️ The Impact: The malware automatically subscribed victims to attacker groups (with 75% probability), reset account settings every 30 days for persistence, and manipulated CSRF tokens to maintain control. ⚙️ Why This Was So Effective: 🔸 Evades Scanning: By using a legitimate social network and GitHub for dynamic payloads, the extension's code could pass initial Chrome Web Store reviews. 🔸 Long-Term Operation: The campaign ran from June 2025 to January 2026, with continuous refinement shown in GitHub commits. 🔸 Self-Propagating: Forcing subscriptions to the attacker's group helped grow the victim pool. 🛡️ Critical Lessons & Actions: 🔸 Audit Extensions Immediately: Remove any VK customization tools or extensions with broad permissions you don't fully trust. 🔸 Monitor for Anomalies: VK users should watch for unexpected group subscriptions or repeated setting changes. 🔸 Implement Allowlisting: Enterprises should strictly control which browser extensions are permitted. This campaign demonstrates that attackers will exploit any trusted platform—even the social network they're targeting—to hide their tracks. Staying ahead requires constant vigilance and a healthy skepticism of browser add-ons. For ongoing analysis of sophisticated browser-based threats, resources like Cybersecurity24x7.com provide critical intelligence. . . . #ChromeExtensions #Malware #AccountTakeover #VKontakte #CyberSecurity #BrowserSecurity #InfoSec #CyberSecurity24x7 #SupplyChainAttack

Odido Attack Exposes Data of 6.2 Million Customers Dutch telecommunications provider Odido has confirmed a major cyberattack, revealing that hackers accessed the personal information of approximately 6.2 million customer accounts. The breach, which targeted the company's customer relationship management (CRM) system, was detected over the weekend of February 7-8, 2026. 🔓 Breach Details & Exposed Data: 🔸 The Incident: Attackers infiltrated Odido's systems and downloaded sensitive customer data before access was blocked. 🔸 Unusual Twist: The attackers themselves alerted Odido to the breach, claiming to possess millions of records. The data has not yet been publicly leaked. 🔸 What Was Taken: Full names, addresses, mobile numbers, email addresses, IBAN bank account numbers, dates of birth, and government ID details (passport/driver's license numbers). 🔸 What Was NOT Taken: Passwords for the "My Odido" portal, call logs, location data, invoice details, or ID document scans. ⚠️ The Real Risk: Impersonation & Phishing While core telecom services remain operational, the stolen data is a goldmine for criminals. It can be used for highly convincing impersonation scams, fake invoices, and targeted phishing attacks—posing as Odido, banks, or other trusted entities. 🛡️ Actionable Steps for Affected Customers & All Users: 🔸 Be Hyper-Vigilant: Scrutinize every unsolicited call, email, or SMS. Check sender domains carefully. 🔸 Verify Independently: If contacted, hang up and call back using the official number from Odido's website—never one provided in the message. 🔸 Monitor Financial Accounts: Watch for any unauthorized transactions. 🔸 Never Share Credentials: Odido, like all legitimate organizations, will never ask for your passwords or PINs via email or phone. This breach underscores that telecommunications companies are prime targets, holding vast amounts of sensitive customer data. Proactive identity protection and skepticism towards unsolicited contacts are now essential. For ongoing updates on major data breaches and strategies to protect your personal information, resources like Cybersecurity24x7.com provide critical analysis and guidance. . . . #DataBreach #CyberSecurity #TelecomSecurity #Odido #Phishing #Privacy #InfoSec #CyberSecurity24x7 #IdentityTheft