#DataExfiltration

WebRTC Skimmer Bypasses CSP Defenses
Read More: buff.ly/bomNg9P

#WebRTCSkimmer #PaymentSkimmer #Magecart #WebSecurity #CSPbypass #EcommerceSecurity #DataExfiltration #ThreatResearch

WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites Cybersecurity researchers have discovered a new payment skimmer that uses WebRTC data channels as a means to receive payloads and exfiltrate data, effectively bypassing security controls. "Instead of the usual HTTP requests or image beacons, this malware uses WebRTC data channels to load its payload and exfiltrate stolen payment data," Sansec said in a report published this week. The attack,

iT4iNT SERVER WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites VDS VPS Cloud #WebRTC #Cybersecurity #PaymentSecurity #DataExfiltration #Malware


Lapsus$ Claims AstraZeneca Hack
Read More: buff.ly/r6cDNQP

#Lapsus #AstraZeneca #DataExfiltration #SourceCodeLeak #CyberCrime #BreachClaims #CredentialExposure #InfosecNews


Speagle Malware Hijacks Cobra Docguard
Read More: buff.ly/tgZGHZk

#Speagle #SupplyChainAttack #SoftwareUpdateAbuse #CobraDocGuard #MalwareCampaign #ThreatIntel #DataExfiltration #InfosecAlert


Hackers Claim China Supercomputing Breach
Read More: buff.ly/JmvkRST

#ChinaCyber #Supercomputing #DataExfiltration #Monero #CyberEspionage #ThreatActors #HackerForums #InfosecNews

Huntress Introduces ITDR Incident Timeline

~Huntress~
Huntress launched a new Incident Report Timeline for Managed ITDR to provide clear visibility into fast-moving, identity-driven data exfiltration attacks.
-
IOCs: (None identified)
-
#DataExfiltration #ITDR #ThreatIntel


Less than half of SOC alerts are investigated each day.

Alert volume is rising. Capacity isn’t. Attackers hide in the noise.

Prevention matters. At BlackFog, we stop data exfiltration at the source.

www.forbes.com/sites/tonybr...

#CyberSecurity #SOC #DataExfiltration

Warlock Ransomware Group Augments Post-Exploitation Activities In a recent attack, the group showcased stealthier cross-network activity, thanks to its use of a new BYOVD technique and other tools.

We’ve been saying it for years: ransomware isn’t about encryption. It’s about data.

Warlock is just the latest example. Attackers focus on exfiltration long before encryption begins.

www.darkreading.com/threat-intel...

#CyberSecurity #Ransomware #DataExfiltration

Royal Bahrain Hospital Faces Alleged Breach by Payload Ransomware

Several ransomware outfits have recently surfaced, claiming responsibility for significant breaches at Royal Bahrain Hospital, raising fresh concerns about healthcare cybersecurity. The group claims that it has penetrated the hospital's digital infrastructure and exfiltrated a considerable amount of sensitive data using the name Payload. Assertions of this nature, if verified, illustrate how vulnerable healthcare institutions are, since critical operations and highly confidential patient information are intertwined. As threat actors increasingly leverage reputational pressure by threatening the public disclosure of stolen information, they are not only seeking financial gain, but also seeking reputational gain.

The incident is a reflection of an emerging trend in which ransomware groups are rapidly adopting sophisticated tactics in order to target essential service providers, posing considerable threats to operations continuity and data privacy. As a result of cyber threat intelligence and monitoring channels, the alleged intrusion has been discovered, further emphasizing ransomware operators' continued focus on healthcare infrastructure worldwide.

The Royal Bahrain Hospital was established in 2011, and is a private medical facility with a capacity of 70 patients. It offers a variety of inpatient and outpatient services, including maternity care, surgery, and advanced diagnostics. In addition to serving a domestic patient base, the facility also serves patients from Oman, Qatar, Saudi Arabia, and the United Arab Emirates, positioning it within a system of cross-border medical care that continues to expand.

These institutions have become increasingly attractive targets for financially motivated threat actors, primarily due to the criticality of uninterrupted clinical operations and the sensitive nature of patient data, which can increase the urgency with which incidents must be contained and normalcy restored.

In the broader ransomware ecosystem, the emergence of new groups continues to reflect a highly competitive threat landscape that is continually evolving. It appears Payload, a relatively recent entrant to the market, employs a structured extortion model, which incorporates data exfiltration and system level encryption to maximize leverage. There has been a noticeable increase in the activity of the group across mid-sized to large-scale companies, particularly in sectors such as real estate and logistics, with an emphasis on organizations operating in high-growth markets or in developing countries.

Technically, its ransomware framework includes ChaCha20 for file encryption and Curve25519 for secure key exchange, in addition to further security controls that are being implemented to inhibit recovery attempts, including the removal of shadow copies and interference with security controls. Further indicators indicate that ransomware-as-a-service may also be employed, with a Tor-based leak portal being used in a staged manner to pressure non-compliant victims.

As per recent threat intelligence, the broader ransomware economy is also experiencing a period of transition. Although ransomware remains a persistent and disruptive threat, several indicators suggest that profitability across the ecosystem is gradually decreasing. There is a growing reluctance among victims to pay ransom demands as a result of strengthened organizational defenses and improved incident recovery capabilities. Furthermore, sustained law enforcement actions and internal fragmentation within cybercriminal networks have disrupted some previously dominant cybercriminal networks, contributing to the increase in competition and crowdedness among cybercriminals. Consequently, threat actors appear to be recalibrating their strategies, increasing their attention to smaller organizations and pivoting toward data exfiltration-based extortion without full-scale encryption in response. In spite of the increasing pressure on ransomware threat models, they continue to adapt in order to develop viable monetization strategies. In light of this background, the incident serves as a reminder that ransomware threats are no longer restricted to large corporations, and are now increasingly affecting midsized organizations across a wide range of industries.

Experts recommend layered and proactive defense strategies to reduce operational and data exposure. Dark web activity and information stealer logs can be continuously monitored to identify compromised credentials or leaked datasets before they have been weaponized in a timely manner. Additionally, organizations are advised to conduct comprehensive compromise assessments to trace intrusion vectors, determine whether data has been exfiltrated, and identify the presence of persistence mechanisms within their environments. Moreover, resilience is highly dependent on the integrity of backups, which must be regularly verified, encrypted in a secure manner, and, ideally, maintained in an offline or immutable configuration to avoid tampering. It is critical for organizations to increase their detection and response capabilities by integrating actionable threat intelligence into SIEMs and XDRs, but employee-focused measures are also necessary to prevent credential-based attacks, such as phishing awareness and strict enforcement of multifactor authentication. It is essential to coordinate engaging with specialized response teams, including forensic analysts and attorneys, prior to engaging with threat actors in the event of an incident.

The available threat intelligence indicates that Payload targets medium- to large-scale organizations across emerging markets, including those operating in commercially active sectors such as real estate, logistics, and other related industries. There is a widespread belief that the group operates under a ransomware-as-a-service model, wherein core developers maintain and update the malware framework while affiliate operators execute attacks, generating revenue by sharing the proceeds. As a result of this approach, the group appears to maintain a Tor-based leak portal that is used for staged disclosure of exfiltrated data to exert pressure on non-compliant victims. It is apparent that Royal Bahrain Hospital's inclusion on this platform, along with purported screenshots of compromised systems, is intended to strengthen its claims, while simultaneously amplifying the reputational risk.

Further, this incident reinforces existing concerns within the cybersecurity community concerning healthcare institutions' heightened vulnerability. Because hospitals rely on interconnected digital ecosystems for patient records, diagnostics, and operational workflows, they remain particularly vulnerable. These environments can be disrupted immediately and have immediate real-world implications, which threat actors often take advantage of in order to accelerate ransom negotiations. The group indicates that it holds a significant amount of allegedly stolen data in this case and has set a deadline for compliance of March 23 after which it threatens to disclose the data. To date, these claims have not been independently verified, and it is unclear to what extent they may have affected systems or data. As the situation develops, standard guidance emphasizes the need for detailed forensic investigations, evaluating the scope of the compromise, and reinforcing defensive controls.

In its entirety, the episode highlights the imperative for organizations to rethink cybersecurity as an integral component of operational governance rather than a peripheral safeguard. It is exceptionally difficult for healthcare institutions to avoid disruption, since digital dependency is deeply intertwined with patient outcomes. In response, resilience-centric security architectures have become increasingly important, which prioritize threat visibility early in the attack cycle, disciplined incident response, and alignment between technical controls and executive oversight. It is expected that adversaries will continue to refine extortion-driven tactics and exploit structural vulnerabilities, making an organization's ability to anticipate intrusion patterns, contain risk efficiently and effectively, and maintain trust in the face of advancing cyber threats increasingly the differentiator.

Royal Bahrain Hospital Faces Alleged Breach by Payload Ransomware #CybercrimeTrends #DataBreach #DataExfiltration


Chrome Extension Goes Rogue After Sale
Read More: buff.ly/UarSEmh

#ChromeExtension #QuickLens #ShotBird #MaliciousUpdate #BrowserSecurity #SupplyChainRisk #DataExfiltration #InfosecAlert


Cybercriminals are now exploiting Microsoft's AzCopy to stealthily exfiltrate data in ransomware attacks. Learn how to protect your organization from this emerging threat. #CyberSecurity #Ransomware #DataExfiltration Link: thedailytechfeed.com/ransomware-o...


ClawJacked Flaw Exposes OpenClaw Users
Read More: buff.ly/bTWMCMG

#ClawJacked #OpenClaw #AIAgentSecurity #LocalAgentRisk #DataExfiltration #VulnerabilityAlert #PatchNow #DevSecurity


Air Côte d'Ivoire Confirms Cyberattack
Read More: buff.ly/UqO4Kwl

#AirCoteDIvoire #INCRansomware #AviationCyber #DataExfiltration #RansomwareAttack #CriticalInfrastructure #IncidentResponse #GlobalCyber

APT28 Deploys Macro Malware in Browser-Based Exfiltration Operation Targeting Europe The APT28 threat group used webhook-based macro malware in Operation MacroMaze to exfiltrate data from European entities.

Full breakdown:
www.technadu.com/apt28-deploy...

Do you think organizations are adequately monitoring outbound traffic to legitimate cloud services? Comment your opinion below.
#CyberEspionage #APT28 #CyberSecurity #MacroMalware #ThreatIntelligence #DataExfiltration


Clawdbot, now OpenClaw, runs locally and can take real action on a user’s machine.

API keys, OAuth tokens, and chat histories stored in plaintext. Predictable file paths. Exposed control panels.

Read more:
www.blackfog.com/clawdbot-and...

#AI #DataExfiltration #PotatoSecurity

ClawdBot and OpenClaw: When Local AI Becomes A Data Exfiltration Goldmine | BlackFog ClawdBot stores API keys, chat histories, and user data in plaintext, and infostealers like RedLine, Lumma, and Vidar are already targeting it.

Clawdbot, now OpenClaw, runs locally and can take real action on a user’s machine.

API keys, OAuth tokens, and chat histories stored in plaintext. Predictable file paths. Exposed control panels.

Read more:
www.blackfog.com/clawdbot-and...

#AI #DataExfiltration #CyberSecurity


Hackers Stole 2 Quadrillion Bytes
Read Now: buff.ly/yZVvjhE

#IsraelCyber #CyberWarfare #DataExfiltration #NationStateThreat #GlobalCyber #ThreatAssessment #CriticalInfrastructure #InfosecNews

Threat Report: Data Exfiltration Has Risen Sharply – «it business» – News from the ICT World

The Arctic Wolf Threat Report 2026 shows a clear shift: data exfiltration without encryption is increasing significantly. #ArcticWolf #ThreatReport #Cybersecurity #Ransomware #DataExfiltration #ITSecurity #ThreatIntelligence #Cyberresilienz

OpenAI Launches ChatGPT Lockdown Mode for High-Risk Users OpenAI has introduced ChatGPT Lockdown Mode, a security setting that restricts web browsing and disables advanced features to protect high-risk users.

winbuzzer.com/2026/02/18/o...

OpenAI Launches ChatGPT Lockdown Mode for High-Risk Users

#AI #ChatGPT #OpenAI #AISecurity #PromptInjection #DataExfiltration


Russian Ransomware Hackers Hit Tulsa Airport
Read More: buff.ly/glnBbUM

#QilinRansomware #AirportSecurity #CriticalInfrastructure #RansomwareAttack #DataExfiltration #AviationCyber #CyberIncident #ThreatIntel

Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms Mandiant reports ShinyHunters-linked vishing attacks abusing MFA and SSO to breach SaaS apps, steal data, and extort organizations.

ShinyHunters is abusing trusted cloud services to exfiltrate data — blending in to stay invisible. When legit platforms are weaponized, detection must focus on behavior. ☁️🕵️‍♂️ #ThreatActors #DataExfiltration

Why Exfiltration of Data is the Biggest Cyberthreat Facing Your Business | BlackFog What do firms need to know about exfiltration of data in order to keep their operations secure?

If your security focus is perimeter first, you’re missing the real threat. Data exfiltration has eclipsed other attack vectors and drives today’s biggest breaches.

www.blackfog.com/why-exfiltra...

#CyberSecurity #DataExfiltration #Ransomware #Infosec #DataProtection #RiskManagement


Gemini Prompt Flaw Exposed Calendar Data
Read More: buff.ly/42IasCs

#GoogleGemini #PromptInjection #AIsecurity #CalendarData #IndirectPrompting #DataExfiltration #CyberResearch #Infosec #AIThreats

How MCP Could Become a Covert Channel for Data Theft | BlackFog Find out how Model Context Protocol (MCP) could be abused as a covert channel for data theft: five real risks, examples, and mitigations.

Could the Model Context Protocol (MCP) become a covert channel for data theft? New analysis shows attackers could abuse MCP connections to siphon sensitive context and exfiltrate data outside traditional controls.

www.blackfog.com/mcp-could-be...

#AIsecurity #MCP #DataExfiltration #Cybersecurity

Security Flaw Resurfaces in Anthropic’s New Claude Cowork Tool Days After Launch - WinBuzzer Anthropic has launched Cowork with a known data exfiltration vulnerability that researchers reported in October 2025 but remained unpatched for the January 13 release.

winbuzzer.com/2026/01/17/s...

Security Flaw Resurfaces in Anthropic’s New Claude Cowork Tool Days After Launch

#AI #Anthropic #Claude #CyberSecurity #AISecurity #AIAgents #ClaudeCowork #PromptInjection #DataExfiltration #AIRisks #AITools #FilesAPI #AgenticAI #PromptArmor

Security Researchers Warn of ‘Reprompt’ Flaw That Turns AI Assistants Into Silent Data Leaks

Cybersecurity researchers have revealed a newly identified attack technique that shows how artificial intelligence chatbots can be manipulated to leak sensitive information with minimal user involvement. The method, known as Reprompt, demonstrates how attackers could extract data from AI assistants such as Microsoft Copilot through a single click on a legitimate-looking link, while bypassing standard enterprise security protections. According to researchers, the attack requires no malicious software, plugins, or continued interaction. Once a user clicks the link, the attacker can retain control of the chatbot session even if the chat window is closed, allowing information to be quietly transmitted without the user’s awareness. The issue was disclosed responsibly, and Microsoft has since addressed the vulnerability. The company confirmed that enterprise users of Microsoft 365 Copilot are not affected.

At a technical level, Reprompt relies on a chain of design weaknesses. Attackers first embed instructions into a Copilot web link using a standard query parameter. These instructions are crafted to bypass safeguards that are designed to prevent direct data exposure by exploiting the fact that certain protections apply only to the initial request. From there, the attacker can trigger a continuous exchange between Copilot and an external server, enabling hidden and ongoing data extraction. In a realistic scenario, a target might receive an email containing what appears to be a legitimate Copilot link. Clicking it would cause Copilot to execute instructions embedded in the URL. The attacker could then repeatedly issue follow-up commands remotely, prompting the chatbot to summarize recently accessed files, infer personal details, or reveal contextual information. Because these later instructions are delivered dynamically, it becomes difficult to determine what data is being accessed by examining the original prompt alone. Researchers note that this effectively turns Copilot into an invisible channel for data exfiltration, without requiring user-entered prompts, extensions, or system connectors.

The underlying issue reflects a broader limitation in large language models: their inability to reliably distinguish between trusted user instructions and commands embedded in untrusted data, enabling indirect prompt injection attacks.

The Reprompt disclosure coincides with the identification of multiple other techniques targeting AI-powered tools. Some attacks exploit chatbot connections to third-party applications, enabling zero-interaction data leaks or long-term persistence by injecting instructions into AI memory. Others abuse confirmation prompts, turning human oversight mechanisms into attack vectors, particularly in development environments. Researchers have also shown how hidden instructions can be planted in shared documents, calendar invites, or emails to extract corporate data, and how AI browsers can be manipulated to bypass built-in prompt injection defenses. Beyond software, hardware-level risks have been identified, where attackers with server access may infer sensitive information by observing timing patterns in machine learning accelerators. Additional findings include abuses of trusted AI communication protocols to drain computing resources, trigger hidden tool actions, or inject persistent behavior, as well as spreadsheet-based attacks that generate unsafe formulas capable of exporting user data. In some cases, attackers could manipulate AI development platforms to alter spending controls or leak access credentials, enabling stealthy financial abuse.

Taken together, the research underlines that prompt injection remains a persistent and evolving risk. Experts recommend layered security defenses, limiting AI privileges, and restricting access to sensitive systems. Users are also advised to avoid clicking unsolicited AI-related links and to be cautious about sharing personal or confidential information in chatbot conversations. As AI systems gain broader access to corporate data and greater autonomy, researchers warn that the potential impact of a single vulnerability increases substantially, underscoring the need for careful deployment, continuous monitoring, and ongoing security research.

Security Researchers Warn of ‘Reprompt’ Flaw That Turns AI Assistants Into Silent Data Leaks #ArtificialIntelligence #CyberSecurity #DataExfiltration


Reprompt Attack Steals Microsoft Copilot Data
Read More: buff.ly/AHYG9Id

#MicrosoftCopilot #PromptInjection #LLMSecurity #AIAppSec #GenAISecurity #PromptHacking #DataExfiltration #CyberResearch #SecurityWeek #Varonis

Anthropic Claude Vulnerability Exposes Cowork AI to Data Exfiltration via Prompt Injection A critical Anthropic Claude vulnerability in Cowork AI allows data exfiltration via prompt injection, as the AI interprets malicious data as executable instructions.

Full Article: www.technadu.com/anthropic-cl...

Do you think current AI guardrails are enough? Comment your opinion.
#AIsecurity #PromptInjection #Anthropic #LLMs #CyberRisk #DataExfiltration #EnterpriseSecurity


A single click mounted a covert, multistage attack against Copilot https://arstechni.ca #dataexfiltration #promptinjections #Security #copilot #Biz&IT #LLMs #AI


Chrome Extensions Steal AI Chats
Read More: buff.ly/N6kVLLC

#MaliciousExtensions #ChromeSecurity #AIPrivacy #ChatGPTSecurity #DeepSeek #BrowserThreats #DataExfiltration #SupplyChainRisk
