Cybercrime
,
Fraud Administration & Cybercrime
,
Incident & Breach Response
Additionally, False Negatives Causes Belief in AI Pentest to Drop
Each week, ISMG rounds up cybersecurity incidents and breaches around the globe. This week: a DeepSeek browser-only ransomware path, AI pen testing belief dropped, Mustang Panda focused India, Tata breach uncovered Apple iPhone 18 Professional information, CISA flagged BlueHammer in ransomware assaults, 950 Oracle EBS programs uncovered, Amazon to pay U.S. Federal Commerce Fee penalty over fraud information.
See Additionally: Know Thy Enemy: Threats to Cyber Resilience
DeepSeek Pattern Reveals Browser-Solely Ransomware Path
The DeepSeek massive language mannequin demonstrated a brand new browser-only ransomware method able to operating on Home windows, macOS, Linux and Android units with out putting in malware or exploiting browser flaws.
Researchers from Test Level say they analyzed a Python Flask utility uploaded to VirusTotal on Jan. 25, a file they are saying got here from prompting the Chinese language-made synthetic intelligence chatbot. The appliance, dubbed InfernoGrabber v9.0, masquerades as a pretend Discord avatar AI upscaler. VirusTotal described it as a “absolutely useful data stealer and ransomware toolkit.” Past credential theft and information harvesting, the code revealed an uncommon assault path that makes use of the browser’s File System Entry API to encrypt recordsdata and show a ransom word totally from throughout the browser.
Test Level mentioned the assault works by tricking a consumer into granting a malicious webpage entry to a neighborhood folder. As soon as permission is accepted, the web page can enumerate recordsdata, learn and exfiltrate their contents, encrypt and overwrite them, after which current an extortion message. The method requires no native payload, browser exploit or root entry.
Researchers mentioned the importance lies much less within the malware itself than in how the assault path was created. In keeping with Test Level, the DeepSeek-generated pattern linked an unrealistic “browser ransomware” idea with a respectable browser functionality, producing a sensible proof of idea for an assault that defenders had largely dismissed as infeasible due to browser sandboxing.
The corporate mentioned the method is restricted to browsers that help the picker-based File System Entry API, together with Google Chrome and different Chromium-based browsers on desktop platforms and Android.
AI Pen Testing Belief Drops on False Negatives
Organizations are pulling again from absolutely automated AI safety testing after repeated false negatives undermined belief within the instruments, discovered offensive safety agency Cobalt in an annual evaluation of pen testing.
The report, based mostly on surveys of about 450 cybersecurity professionals, discovered that the share of organizations relying totally on AI automation for vulnerability testing fell from 29% in 2025 to 9% in 2026. Almost half of respondents, 47%, now want a hybrid mannequin that mixes automated testing with human experience.
Greater than three-quarters of respondents mentioned absolutely automated scanning instruments had missed crucial vulnerabilities. On the identical time, the share of organizations utilizing automation solely in low-risk environments rose to 47%, indicating that many safety groups are narrowing the place they belief AI instruments to function independently.
Cobalt mentioned the shift displays the rising complexity of securing AI programs. Almost one in three findings from AI pen assessments had been rated excessive threat – 2.7 occasions the typical for standard software program – whereas simply 38% of recognized LLM vulnerabilities had been remediated on the time of study. Imply time to resolve AI and LLM flaws additionally rose from 19 days to 36 days.
Amongst organizations that skilled AI-related incidents, shadow AI was the commonest subject, adopted by information or mannequin poisoning and improper output dealing with. Regardless of the challenges, solely 42% of respondents mentioned they plan to extend human-led crimson staff operations.
Mustang Panda Targets Indian Authorities, Hydropower
Chinese language cyberespionage group Mustang Panda focused Indian authorities and hydropower organizations in two campaigns that used new malware and a respectable cloud service to cover command-and-control site visitors, discovered Acronis.
Acronis Risk Analysis Unit mentioned it discovered lively compromises inside Indian authorities networks, together with programs utilized by senior administrative workers, and labored with India’s CERT-In on notification and remediation. The attackers abused Zoho WorkDrive, a cloud storage platform broadly utilized in India’s authorities sector, to cross instructions and exfiltrate information, permitting malicious site visitors to mix in with routine cloud exercise.
The researchers recognized three instruments within the operation. Shardloader sideloads a malicious DLL via respectable signed binaries, together with Strong PDF Creator in a single marketing campaign and Citrix Receiver in one other. It then deploys one in every of two payloads: Minirecon, a reworked model of the Toneshell backdoor beforehand documented by IBM X-Drive, or Zohomurk, a newly recognized implant that makes use of hardcoded Zoho OAuth credentials to entry an attacker-controlled WorkDrive account as a useless drop for instructions and stolen information.
The campaigns had been delivered in zip archives, probably through spear-phishing, with lures tied to hydropower cooperation proposals and a memorandum of understanding between Indian and Taiwanese establishments. Acronis mentioned the exercise was geared toward gathering intelligence on India’s hydropower plans and protection ties with Taiwan, and attributed it to Mustang Panda with excessive confidence.
Researchers linked the campaigns to the group via code overlap, reused infrastructure and a recurring typo carried throughout implants. Acronis mentioned the exercise was lively between June 12 and June 22 and urged authorities and vitality organizations to look at for signed-binary sideloading and strange cloud API exercise from endpoint processes.
Tata Breach Exposes Apple iPhone 18 Professional Knowledge
Delicate supply-chain information tied to Apple’s unreleased iPhone 18 Professional lineup surfaced on the darkweb after the ransomware breach of Indian producer Tata Electronics, reported Reuters.
Paperwork present no less than six leaked recordsdata mapping particular iPhone 18 Professional elements to particular person suppliers, together with processors on the primary logic board, battery components and digicam {hardware}. Reuters, citing an individual acquainted with the matter, mentioned Apple considers such component-to-supplier information extremely delicate as a result of it’s not disclosed within the firm’s public provider database and pertains to merchandise that haven’t but launched.
The leaked information reportedly present an unusually detailed view into Apple’s sourcing technique, displaying the place the corporate depends on a number of distributors and the place provide is concentrated amongst just a few. That might expose each Apple’s bargaining leverage and potential supply-chain vulnerabilities.
The leaked materials additionally contains early-2026 pictures displaying what seem like iPhones present process sturdiness assessments at a Tata facility. Reuters mentioned the pictures depict flat, gray handsets with three rear cameras and a supply recognized them as iPhone 18 Professional fashions. A number of recordsdata reportedly carried Apple “confidential” watermarks and inner venture names related to the iPhone 18 Professional era.
The disclosure is a part of a broader leak of greater than 200,000 recordsdata stolen from Tata Electronics, which Reuters has beforehand reported included design paperwork for older iPhones in addition to information linked to Tesla, Taiwan Semiconductor Manufacturing and Qualcomm.
CISA Flags BlueHammer in Ransomware Assaults
The U.S. Cybersecurity and Infrastructure Safety Company warned {that a} Microsoft Defender flaw tracked as BlueHammer, CVE-2026-33825, is being utilized in ransomware assaults.
The privilege escalation vulnerability was publicly disclosed on April 2 by researcher Chaotic Eclipse, who has launched a number of Microsoft exploit particulars early in protest over the corporate’s vulnerability dealing with (see: Microsoft Threatens Authorized Motion Over Zero-Day Leaks).
Microsoft printed patches on April 14 and mentioned an authenticated attacker might exploit the flaw, however has not confirmed lively assaults in its advisory.
CISA added the bug to its Recognized Exploited Vulnerabilities catalog on April 22 and has now revised the entry to specify ransomware exploitation.
950 Oracle EBS Methods Uncovered as Exploitation Begins
Risk actors are exploiting a crucial Oracle E-Enterprise Suite flaw as greater than 900 internet-exposed cases stay seen on-line, in response to safety researchers.
The vulnerability, tracked as CVE-2026-46817, impacts the file transmission part of Oracle Funds in E-Enterprise Suite and will enable unauthenticated attackers with HTTP entry to take over susceptible programs. Oracle patched the flaw in Could, however has not publicly confirmed lively exploitation.
Risk intelligence agency Defused mentioned Monday it noticed attackers exploiting the bug over the weekend towards Oracle E-Enterprise honeypots, regardless of no recognized prior exploitation or public proof-of-concept code. Individually, Shadowserver mentioned it’s monitoring about 950 Oracle EBS cases uncovered on-line, though it’s unclear what number of have been patched.
Amazon to Pay US FTC Positive Over Fraud Information
Amazon pays a $2.25 million civil penalty to settle a U.S. Federal Commerce Fee allegations that it failed to provide id theft victims entry to information of fraudulent transactions made of their names.
The FTC discovered that Amazon violated the Truthful Credit score Reporting Act by not offering many shoppers with information tied to fraudulent transactions. The company mentioned some Amazon customer support representatives denied requests on “privateness” or “safety” grounds, whereas others advised shoppers the information couldn’t be accessed. In different instances, Amazon supplied the paperwork solely after the regulation’s 30-day deadline had handed.
The FTC additionally mentioned Amazon refused to supply utility and enterprise transaction information to regulation enforcement companies that submitted approved requests on behalf of id theft victims.
Beneath a proposed order, Amazon should pay the penalty and in addition present lawfully requested information to id theft victims and approved regulation enforcement inside 30 days. The corporate should additionally notify shoppers who requested information since April 2024 however didn’t obtain them that they might submit new requests.
Different Tales From This Week







