Also, False Negatives Cause Trust in AI Pentesting to Drop

Each week, ISMG rounds up cybersecurity incidents and breaches around the globe. This week: a DeepSeek browser-only ransomware path, trust in AI pen testing dropped, Mustang Panda targeted India, a Tata breach exposed Apple iPhone 18 Pro data, CISA flagged BlueHammer in ransomware attacks, 950 Oracle EBS systems exposed, and Amazon to pay a U.S. Federal Trade Commission penalty over fraud records.
DeepSeek Sample Reveals Browser-Only Ransomware Path
The DeepSeek large language model demonstrated a new browser-only ransomware technique capable of running on Windows, macOS, Linux and Android devices without installing malware or exploiting browser flaws.
Researchers from Check Point say they analyzed a Python Flask application uploaded to VirusTotal on Jan. 25, a file they say came from prompting the Chinese-made artificial intelligence chatbot. The application, dubbed InfernoGrabber v9.0, masquerades as a fake Discord avatar AI upscaler. VirusTotal described it as a "fully functional info stealer and ransomware toolkit." Beyond credential theft and data harvesting, the code revealed an unusual attack path that uses the browser's File System Access API to encrypt files and display a ransom note entirely from within the browser.
Check Point said the attack works by tricking a user into granting a malicious webpage access to a local folder. Once permission is granted, the page can enumerate files, read and exfiltrate their contents, encrypt and overwrite them, and then present an extortion message. The technique requires no local payload, browser exploit or root access.
Researchers said the significance lies less in the malware itself than in how the attack path was created. According to Check Point, the DeepSeek-generated sample linked an unrealistic "browser ransomware" concept with a legitimate browser capability, producing a practical proof of concept for an attack that defenders had largely dismissed as infeasible because of browser sandboxing.
The company said the technique is limited to browsers that support the picker-based File System Access API, including Google Chrome and other Chromium-based browsers on desktop platforms and Android.
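Because the attack path depends entirely on a user granting a site read and write access through the picker-based API, the mitigation for a managed fleet is to stop untrusted origins from being able to ask in the first place. The following managed-policy file is an added example, not from the article or Check Point: it uses Chrome's documented enterprise policies to block File System Access read and write requests from every site by default and lets only an assumed internal origin (the placeholder `intranet.example`) prompt the user.

```json
{
  "DefaultFileSystemReadGuardSetting": 2,
  "DefaultFileSystemWriteGuardSetting": 2,
  "FileSystemReadAskForUrls": ["https://[*.]intranet.example"],
  "FileSystemWriteAskForUrls": ["https://[*.]intranet.example"]
}
```

A value of 2 means no site may request access, so a malicious page never reaches the folder picker; on Linux the file is dropped under /etc/opt/chrome/policies/managed/, and on Windows the same policy names are set through Group Policy.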
AI Pen Testing Trust Drops on False Negatives
Organizations are pulling back from fully automated AI security testing after repeated false negatives undermined trust in the tools, found offensive security firm Cobalt in an annual assessment of pen testing.
The report, based on surveys of about 450 cybersecurity professionals, found that the share of organizations relying fully on AI automation for vulnerability testing fell from 29% in 2025 to 9% in 2026. Nearly half of respondents, 47%, now prefer a hybrid model that combines automated testing with human expertise.
More than three-quarters of respondents said fully automated scanning tools had missed critical vulnerabilities. At the same time, the share of organizations using automation only in low-risk environments rose to 47%, indicating that many security teams are narrowing where they trust AI tools to operate independently.
Cobalt said the shift reflects the growing complexity of securing AI systems. Nearly one in three findings from AI pen tests were rated high risk, 2.7 times the average for conventional software, while just 38% of identified LLM vulnerabilities had been remediated at the time of analysis. Mean time to resolve AI and LLM flaws also rose from 19 days to 36 days.
Among organizations that experienced AI-related incidents, shadow AI was the most common issue, followed by data or model poisoning and improper output handling. Despite the challenges, only 42% of respondents said they plan to increase human-led red team operations.
Mustang Panda Targets Indian Government, Hydropower
Chinese cyberespionage group Mustang Panda targeted Indian government and hydropower organizations in two campaigns that used new malware and a legitimate cloud service to hide command-and-control traffic, found Acronis.
Acronis Threat Research Unit said it found active compromises within Indian government networks, including systems used by senior administrative staff, and worked with India's CERT-In on notification and remediation. The attackers abused Zoho WorkDrive, a cloud storage platform widely used in India's government sector, to pass commands and exfiltrate data, allowing malicious traffic to blend in with routine cloud activity.
The researchers identified three tools in the operation. Shardloader sideloads a malicious DLL via legitimate signed binaries, including Solid PDF Creator in one campaign and Citrix Receiver in another. It then deploys one of two payloads: Minirecon, a reworked version of the Toneshell backdoor previously documented by IBM X-Force, or Zohomurk, a newly identified implant that uses hardcoded Zoho OAuth credentials to access an attacker-controlled WorkDrive account as a dead drop for commands and stolen data.
The campaigns were delivered in zip archives, likely via spear-phishing, with lures tied to hydropower cooperation proposals and a memorandum of understanding between Indian and Taiwanese institutions. Acronis said the activity was aimed at gathering intelligence on India's hydropower plans and defense ties with Taiwan, and attributed it to Mustang Panda with high confidence.
Researchers linked the campaigns to the group through code overlap, reused infrastructure and a recurring typo carried across implants. Acronis said the activity was active between June 12 and June 22 and urged government and energy organizations to monitor for signed-binary sideloading and unusual cloud API activity from endpoint processes.
Tata Breach Exposes Apple iPhone 18 Pro Data
Sensitive supply-chain data tied to Apple's unreleased iPhone 18 Pro lineup surfaced on the dark web after the ransomware breach of Indian manufacturer Tata Electronics, reported Reuters.
Documents show at least six leaked files mapping specific iPhone 18 Pro components to individual suppliers, including processors on the main logic board, battery components and camera hardware. Reuters, citing a person familiar with the matter, said Apple considers such component-to-supplier data highly sensitive because it is not disclosed in the company's public supplier database and pertains to products that have not yet launched.
The leaked files reportedly provide an unusually detailed view into Apple's sourcing strategy, showing where the company relies on multiple vendors and where supply is concentrated among just a few. That could expose both Apple's bargaining leverage and potential supply-chain vulnerabilities.
The leaked material also includes early-2026 photos showing what appear to be iPhones undergoing durability tests at a Tata facility. Reuters said the images depict flat, gray handsets with three rear cameras, and a source identified them as iPhone 18 Pro models. Several files reportedly carried Apple "confidential" watermarks and internal project names associated with the iPhone 18 Pro generation.
The disclosure is part of a broader leak of more than 200,000 files stolen from Tata Electronics, which Reuters has previously reported included design documents for older iPhones as well as data linked to Tesla, Taiwan Semiconductor Manufacturing and Qualcomm.
CISA Flags BlueHammer in Ransomware Attacks
The U.S. Cybersecurity and Infrastructure Security Agency warned that a Microsoft Defender flaw tracked as BlueHammer, CVE-2026-33825, is being used in ransomware attacks.
The privilege escalation vulnerability was publicly disclosed on April 2 by researcher Chaotic Eclipse, who has released several Microsoft exploit details early in protest over the company's vulnerability handling (see: Microsoft Threatens Legal Action Over Zero-Day Leaks).
Microsoft published patches on April 14 and said an authenticated attacker could exploit the flaw, but has not confirmed active attacks in its advisory.
CISA added the bug to its Known Exploited Vulnerabilities catalog on April 22 and has now revised the entry to specify ransomware exploitation.
950 Oracle EBS Systems Exposed as Exploitation Begins
Threat actors are exploiting a critical Oracle E-Business Suite flaw as more than 900 internet-exposed instances remain visible online, according to security researchers.
The vulnerability, tracked as CVE-2026-46817, affects the file transmission component of Oracle Payments in E-Business Suite and could allow unauthenticated attackers with HTTP access to take over vulnerable systems. Oracle patched the flaw in May, but has not publicly confirmed active exploitation.
Threat intelligence firm Defused said Monday it observed attackers exploiting the bug over the weekend against Oracle E-Business honeypots, despite no known prior exploitation or public proof-of-concept code. Separately, Shadowserver said it is tracking about 950 Oracle EBS instances exposed online, although it is unclear how many have been patched.
Amazon to Pay US FTC Fine Over Fraud Records
Amazon will pay a $2.25 million civil penalty to settle U.S. Federal Trade Commission allegations that it failed to give identity theft victims access to records of fraudulent transactions made in their names.
The FTC found that Amazon violated the Fair Credit Reporting Act by not providing many consumers with records tied to fraudulent transactions. The agency said some Amazon customer service representatives denied requests on "privacy" or "security" grounds, while others told consumers the records could not be accessed. In other cases, Amazon provided the documents only after the law's 30-day deadline had passed.
The FTC also said Amazon refused to provide application and business transaction records to law enforcement agencies that submitted authorized requests on behalf of identity theft victims.
Under a proposed order, Amazon must pay the penalty and also provide lawfully requested records to identity theft victims and authorized law enforcement within 30 days. The company must also notify consumers who requested records since April 2024 but did not receive them that they may submit new requests.