Connect with us

Infosecurity

On the 11th Day of Christmas, the Industry Predicted…Better Security Collaboration

Published

on

The holiday season is almost here, but before we dive into turkey and presents, there’s one more crucial prediction to unwrap: better security collaboration. For years, the cybersecurity industry has struggled with a lack of cooperation. However, 2017 might finally be the year when organisations start working together more effectively to combat cyber threats.

According to Juniper Networks‘ Scott Miles, senior director of cloud, enterprise and security portfolio marketing, the industry is slowly moving toward collaboration, but it remains in its infancy. “Beyond sharing basic data, we still lack the interoperability necessary to address the next generation of threats,” he explained. Yet, there is growing optimism that this is about to change.

Why Better Security Collaboration Is Finally on the Horizon

Raj Samani, CTO EMEA at Intel Security, predicts that threat intelligence sharing organisations will form among cloud service providers in 2017. These groups will improve the identification of and reaction time to attacks. “While some businesses and cloud service providers do not perceive the benefits of threat intelligence sharing today, this will shift within the next few years,” Samani said. He added that whether driven by legislation or the aggressiveness of attacks, we will see much more threat intelligence sharing among businesses and cloud providers, and the benefits will quickly become clear.

Although sharing information about failed and successful attacks can be embarrassing, Samani believes the advantages will outweigh the downsides. “Crowdsourced threat intelligence and collaborative analytics help form a more comprehensive picture of what is happening in the attack landscape,” he noted. This sentiment is echoed by David Mount, director of security solutions consulting EMEA at Micro Focus. Mount argues that businesses should collaborate more around early indicators of compromise to understand the known mitigation path.

Industrialised Attacks Demand Collaborative Defence

Cybercriminal gangs are industrialising their processes, searching for systems where they can replicate specific attacks. “This means the same tactics can be repeated hundreds of times,” Mount explained. As a result, the information security industry must work together and collaborate with law enforcement agencies to target these criminals. Samani added that further collaboration, particularly cyber threat intelligence sharing, will be necessary as the threat landscape evolves.

To gain the upper hand in cybersecurity, businesses must reject conventional defence paradigms in favour of radical new thinking. One key step is to be collaborative instead of hoarding information and to learn to prioritise cyber defence. On a large scale, this makes life harder for cybercriminals and ensures data remains more secure.

Real-World Examples of Successful Security Collaboration

Brian Honan, owner and CEO of BH Consulting, pointed to two powerful examples of how working together has already paid off. The arrests of the two suspects behind the DD4BC DDoS extortion group and the sharing of ransomware encryption keys through the No More Ransom initiative show what can be achieved when victims, industry, and law enforcement cooperate.

Honan quoted the Simon and Garfunkel song ‘I am a Rock’ to illustrate his point: “The line ‘I am a Rock, I am an Island’ is not feasible in today’s interconnected business environments.” He warned that companies that behave like islands will become isolated and easy prey for criminals. In the past, attacks have been more successful than they should have been simply because companies did not admit they were victims or share details of the attack. Thankfully, this trait is slowly changing, and Honan hopes it will accelerate in the future.

As we look ahead to 2017, the message is clear: better security collaboration is not just a nice idea—it is a necessity. For more insights on how to strengthen your cybersecurity posture, check out our guide on cybersecurity best practices and learn about threat intelligence sharing platforms.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Infosecurity

Iran-Linked Hacking Group Cavern Manticore Is Targeting Israel’s Government and IT Sector

Published

on

Iran-nexus hacking group

A New Threat Actor Emerges

Since early 2026, a previously unknown cyber group has been systematically targeting Israeli government agencies and IT firms. The group, which Check Point researchers track as Cavern Manticore, appears to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).

The findings come from a threat intelligence report published July 6. Check Point says the group shares technical fingerprints with two established Iranian-aligned adversaries: MuddyWater and Lyceum.

“The adversary’s ability to gain access to organizations in the defense and government sectors during the US military campaign ‘Operation Epic Fury’ demonstrates both a high operational tempo and a disciplined approach to target selection,” the researchers wrote.

How Cavern Manticore Breaches Networks

The group’s preferred entry point is surprisingly mundane: legitimate remote monitoring and management (RMM) software. By abusing these tools, Cavern Manticore moves laterally across a victim’s environment, then delivers malware disguised as routine software updates.

Another vector? Browser-based remote desktop tools. When clipboard copy-paste or file uploads are blocked, the attackers use remote printing features to siphon data out.

Once inside, the group weaponizes a SysAid software update mechanism to drop malicious payloads onto the target network.

The Modular C2 Framework at the Core

Cavern Manticore’s most distinctive asset is its custom modular command-and-control (C2) framework. Check Point describes it as “a mature and adaptable toolset built around a shared .NET foundation.”

The framework splits into two main components:

  • Cavern agent — a persistent backdoor that handles all communication with attacker-controlled servers. It comes in multiple .NET compilation formats (.NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT) to evade detection and complicate reverse engineering.
  • Cavern modules — specialized post-exploitation tools for reconnaissance, data theft, tunneling, and lateral movement. Each module is compiled separately, allowing the attackers to tailor the toolset per victim.

The framework also uses per-module AppDomain isolation. That means even if defenders discover one component on a compromised host, they cannot easily recover the full toolkit. The design keeps the group’s footprint small and its persistence high.

Check Point noted that most Cavern Manticore samples score zero or very low detection rates on VirusTotal. That’s a clear sign the group has invested heavily in evasion techniques.

Technical Overlaps with MuddyWater and Lyceum

During analysis, Check Point found a communication module (CAV3RN_Http_Module) that uses a webshell-style ASP.NET handler named cac.aspx. It runs on a separate IIS server at one of two attacker-controlled domains.

“The use of victim-side infrastructure to proxy C2 traffic, combined with XOR-based obfuscation, Base64 encoding, and a fixed verb set per backdoor, is consistent with techniques we have previously observed in operations attributed to OilRig subgroup named Lyceum,” the researchers wrote.

The targeting of SysAid servers also aligns with tactics used by MuddyWater, another MOIS-aligned group. WHOIS records for the root domain hospitalinstallation[.]com — used in the campaign — showed it was registered through Fars Data, an Iranian hosting provider.

What This Means for Israeli Defenders

“By decoupling its core infrastructure from mission-specific modules, Cavern Manticore’s operators gain both operational agility and durability under defensive pressure,” Check Point concluded. “This modularity allows them to adjust capabilities per campaign while preserving the underlying framework.”

For Israeli government and IT security teams, the message is clear: this Iran-nexus hacking group is sophisticated, well-resourced, and actively targeting critical infrastructure. Defenders should scrutinize RMM tools, restrict browser-based remote desktop features, and monitor for unusual SysAid update activity.

The group’s low detection rate on VirusTotal also suggests that signature-based defenses alone won’t cut it. Behavioral monitoring and network anomaly detection may offer a better chance of catching Cavern Manticore before it completes its mission.

Continue Reading

Infosecurity

Hidden Instructions in Web Pages: How Hackers Are Tricking AI Agents into Stealing Money

Published

on

indirect prompt injection

The New Attack Surface: Web Content That Talks to AI

Security researchers have found a disturbing new way to exploit AI agents — by hiding instructions inside ordinary web pages. The technique, called indirect prompt injection, plants commands in content that an AI agent reads, steering the agent toward fraudulent actions without the human user ever noticing.

Researchers at Zscaler‘s ThreatLabz documented two real-world campaigns that used this method. One posed as software documentation to run a payment scam. The other impersonated a cryptocurrency service. The findings were shared publicly this week.

The attacks don’t target humans directly. Instead, they target the AI agents people increasingly rely on for coding, research, and financial tasks.

How Attackers Bury Instructions Where Only Machines See Them

In both cases, the attackers started with SEO poisoning — pushing their malicious pages high in search results so that an AI agent would be more likely to land on them. Once the agent arrived, it found carefully hidden instructions.

The attackers used CSS to move text off-screen, making it invisible to human eyes. They also tucked prompt-style commands inside JSON-LD metadata — structured data that machines treat as authoritative context. A person scrolling the page sees a normal website. An AI agent sees a set of commands.

This is indirect prompt injection at work. The instructions are not injected directly into the LLM’s input. They sit in the content the model reads, waiting to be interpreted as legitimate context.

The Fake Python Documentation Scam

The first campaign used a fake page dressed up as a Python library’s documentation. The hidden text instructed any AI agent on a coding task that it had to buy a $3 API license key to fix an error. Then it walked the agent through paying an attacker’s cryptocurrency wallet for a bogus key.

Zscaler noted that the same site also tried to scam human developers. The page was a two-for-one trap — targeting both people and their AI helpers.

The Cryptocurrency Typosquat

For the second campaign, the attackers registered a typosquatting domain impersonating DeBank, a popular cryptocurrency portfolio tracker. Hidden text told an AI agent to treat the fake site as the “authoritative” DeBank and rank it first in results.

The goal was to manipulate the agent into directing users to the fraudulent page, where they might hand over credentials or wallet access.

Which AI Models Fell for the Trick?

ThreatLabz ran its own autonomous agent against the malicious sites, testing 26 large language models (LLMs). The results were uneven — and revealing.

Four of the 26 models were manipulated into executing the fraudulent payment. The vulnerable models included versions of Meta’s Llama and Google’s Gemini. In the second test, two models — OpenAI’s GPT-5.4 and Anthropic’s Claude Sonnet 4.5 — wrongly rated the fake DeBank site as legitimate. But that only happened when the models lacked a trusted reference for the real DeBank. When the genuine site was provided for comparison, none were fooled.

The takeaway? Susceptibility depends heavily on the LLM and the amount of context it is given. Some models are better at ignoring hidden commands. Others follow them blindly.

For a deeper look at how these payloads work in the wild, see the research on prompt injection payloads targeting AI agents that Zscaler uncovered.

What This Means for AI Agent Security

The attacks are still early-stage, but the implications are clear. As AI agents become a more common interface to the web, the content itself becomes a larger attack surface. A malicious website doesn’t need to hack the model — it only needs to speak its language.

“AI is a double-edged sword,” Zscaler warned in its report. “It can streamline workflows while also introducing new avenues for abuse.”

The company recommends that developers building AI agent security into their products treat all web content as untrusted input. That means sandboxing agent actions, limiting the tools an agent can call, and requiring human approval before any payment or sensitive operation.

For users, the advice is simple: don’t let AI agents make financial decisions autonomously — especially when they visit unfamiliar websites.

The research adds to a growing body of evidence that prompt injection is not just a theoretical risk. It is happening now, in the wild, and it is targeting the AI tools people are starting to trust with real money.

Continue Reading

Infosecurity

Cutting the Phishing Line: Why User Authorization Is Your Best Defense

Published

on

Cutting the Phishing Line: Why User Authorization Is Your Best Defense

Identity theft remains a persistent threat in the digital age. From banking and e-commerce to online education, nearly every aspect of modern life relies on virtual identities. As we move further into 2025, the question isn’t whether you’ll face a phishing attempt — it’s whether your user authorization systems are strong enough to stop it.

Imagine two colleagues, X and Y, working in the same office. X has access to sensitive financial data; Y does not. Human nature being what it is, Y might try to gain the same privileges — possibly by tricking X into sharing login credentials. This “possession effect” drives many identity theft attempts. Fortunately, the AAA framework — authentication, authorization, and accounting — offers a proven defense.

Understanding the AAA Framework for User Authorization

Every time you log into a corporate system, you go through three critical steps: authentication verifies who you are, authorization determines what you can access, and accounting tracks your actions. This trio forms the backbone of network security and is central to user authorization strategies.

Authentication: The First Gate

Authentication confirms identity. When you enter a password, the system checks it against stored credentials. But passwords alone are vulnerable. Two-factor authentication (2FA) adds a second layer — like a one-time code from an app — making it harder for attackers to impersonate you.

Authorization: Defining Permissions

Once authenticated, authorization kicks in. It decides which files, apps, or networks you can use. For example, a junior employee might only access project documents, while a manager sees payroll data. Properly configured authorization limits the damage if credentials are stolen.

Accounting: Continuous Monitoring

Accounting isn’t a one-time event. It logs every action — who accessed what, when, and from where. If a breach occurs, these logs help trace the source. Without accounting, you’re flying blind.

These three steps are the core of the RADIUS protocol, which scales AAA across large networks. But even the best protocols fail if implementation is sloppy.

How Phishing Attacks Exploit Weak Authorization

Cyber-criminals know that humans are the weakest link. Phishing attacks are designed to steal login credentials — effectively bypassing user authorization by tricking users into handing over their keys. These attacks fall into three common streams:

  • Request Stream: The victim is asked to “confirm” a software update by entering their username and password.
  • Intimidation Stream: A fake warning threatens account closure unless credentials are provided immediately.
  • Information Stream: Users are shown fake terms of service that require login to “accept.”

All three aim for the same prize: your login and password. Once obtained, attackers assume your identity and all associated permissions. This is why user authorization must be granular — not everyone needs access to everything.

Phishing has become more sophisticated. Modern attacks use AI-generated emails that mimic trusted brands, realistic pop-up windows, and even voice deepfakes. The best defense is a combination of user education and robust technical controls.

Practical Steps to Strengthen User Authorization Against Phishing

So, how do you cut the phishing line? Start with these actionable measures:

1. Enforce Unique User Identifiers

Every user should have a unique account. Shared accounts make it impossible to trace who did what. If a breach happens, unique IDs help identify the compromised account quickly.

2. Implement Least-Privilege Access

Give users only the permissions they need to do their jobs. A customer support agent doesn’t need access to the CEO’s email. This limits the blast radius if an account is hijacked.

3. Use Multi-Factor Authentication (MFA)

MFA is no longer optional. It adds a second factor — like a biometric scan or a hardware token — that attackers can’t easily steal. Even if a password is phished, MFA can block the attacker.

4. Regularly Audit Access Logs

Review who accessed what and when. Look for anomalies — like a user logging in from an unusual location or at 3 AM. Automated tools can flag suspicious behavior in real time.

5. Train Employees to Spot Phishing

Technology alone isn’t enough. Conduct regular phishing simulations and teach users to verify requests before entering credentials. Encourage them to report suspicious emails.

For more on integrated security solutions, check out Comarch’s enterprise IT security tools. Also, explore zero-trust architecture and identity and access management best practices to further harden your defenses.

Conclusion: Authorization Is the Unsung Hero

Phishing attacks are evolving, but so are defenses. While authentication gets most of the attention, user authorization is just as critical. It ensures that even if credentials are stolen, the damage is contained. By combining strong AAA protocols with user awareness, organizations can cut the phishing line — before it’s too late.

Continue Reading

Trending