Also, False Negatives Cause Trust in AI Pen Testing to Drop
Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week: DeepSeek produced a browser-only ransomware path, trust in AI pen testing dropped, Mustang Panda targeted India, a Tata breach exposed Apple iPhone 18 Pro data, CISA flagged BlueHammer in ransomware attacks, 950 Oracle EBS systems were exposed, and Amazon agreed to pay a U.S. Federal Trade Commission penalty over fraud records.
DeepSeek Sample Shows Browser-Only Ransomware Path
The DeepSeek large language model demonstrated a new browser-only ransomware technique capable of running on Windows, macOS, Linux and Android devices without installing malware or exploiting browser flaws.
Researchers from Check Point say they analyzed a Python Flask application uploaded to VirusTotal on Jan. 25, a file they say came from prompting the Chinese-made artificial intelligence chatbot. The application, dubbed InfernoGrabber v9.0, masquerades as a fake Discord avatar AI upscaler. VirusTotal described it as a “fully functional information stealer and ransomware toolkit.” Beyond credential theft and data harvesting, the code revealed an unusual attack path that uses the browser’s File System Access API to encrypt files and display a ransom note entirely from within the browser.
Check Point said the attack works by tricking a user into granting a malicious webpage access to a local folder. Once permission is approved, the page can enumerate files, read and exfiltrate their contents, encrypt and overwrite them, and then present an extortion message. The technique requires no native payload, browser exploit or root access.
Researchers said the significance lies less in the malware itself than in how the attack path was created. According to Check Point, the DeepSeek-generated sample linked an unrealistic “browser ransomware” concept with a legitimate browser capability, producing a practical proof of concept for an attack that defenders had largely dismissed as infeasible because of browser sandboxing.
The company said the technique is limited to browsers that support the picker-based File System Access API, including Google Chrome and other Chromium-based browsers on desktop platforms and Android.
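Because the technique depends on the user approving a browser permission prompt rather than on any exploit, the practical control on managed endpoints is to stop web pages from showing that prompt at all. The script below is an added example, not Check Point's or DeepSeek's code: it renders a Chrome/Chromium managed-policy fragment that blocks the picker-based File System Access API by default and audits an existing policy for the weak "sites may ask" state. The policy names and integer values are Chrome enterprise policies (2 blocks, 3 lets sites ask); the intranet URL pattern is an assumed placeholder.

```python
"""Audit and render Chrome managed policy for the File System Access API.
Added example (not from the article, Check Point or DeepSeek); the policy
keys are Chrome enterprise policies, the allowlist URL is an assumption."""
import json

# Integer values accepted by the two *GuardSetting policies.
BLOCK_SITES, ASK_USER = 2, 3
GUARD_KEYS = ("DefaultFileSystemReadGuardSetting",
              "DefaultFileSystemWriteGuardSetting")
ASK_LIST_KEYS = ("FileSystemReadAskForUrls", "FileSystemWriteAskForUrls")


def hardened_policy(allow_ask_urls=()):
    """Block every site by default; only listed URL patterns may show the picker."""
    policy = {key: BLOCK_SITES for key in GUARD_KEYS}
    if allow_ask_urls:
        for key in ASK_LIST_KEYS:
            policy[key] = list(allow_ask_urls)
    return policy


def audit_policy(policy):
    """Return a list of weaknesses; an empty list means the API is locked down."""
    findings = []
    for key in GUARD_KEYS:
        # An unset key behaves like the browser default: any page may prompt.
        value = policy.get(key, ASK_USER)
        if value != BLOCK_SITES:
            findings.append(f"{key}={value}: any web page may prompt for folder access")
    for key in ASK_LIST_KEYS:
        for pattern in policy.get(key, []):
            if pattern.strip() == "*":
                findings.append(f"{key} contains '*': the allowlist permits every site")
    return findings


def render(policy):
    """JSON in the form dropped into the managed-policy directory
    (on Linux that is /etc/opt/chrome/policies/managed/<name>.json)."""
    return json.dumps(policy, indent=2, sort_keys=True)


# Constructed: a stock, unmanaged browser profile sets none of these keys.
WEAK_POLICY = {}
# Constructed: hardened baseline with one assumed internal web app allowed to ask.
STRONG_POLICY = hardened_policy(["https://[*.]intranet.example"])

if __name__ == "__main__":
    print("weak profile:", audit_policy(WEAK_POLICY))
    print("hardened profile:", audit_policy(STRONG_POLICY))
    print(render(STRONG_POLICY))
```

Blocking both the read and the write guard matters: the read path is what lets the page enumerate and exfiltrate files, the write path is what lets it overwrite them with encrypted copies. Keep the ask-list short and review it, since any pattern on it reopens exactly the prompt the attack relies on.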
AI Pen Testing Trust Drops on False Negatives
Organizations are pulling back from fully automated AI security testing after repeated false negatives undermined trust in the tools, found offensive security firm Cobalt in an annual assessment of pen testing.
The report, based on surveys of about 450 cybersecurity professionals, found that the share of organizations relying entirely on AI automation for vulnerability testing fell from 29% in 2025 to 9% in 2026. Nearly half of respondents, 47%, now prefer a hybrid model that combines automated testing with human expertise.
More than three-quarters of respondents said fully automated scanning tools had missed critical vulnerabilities. At the same time, the share of organizations using automation only in low-risk environments rose to 47%, indicating that many security teams are narrowing where they trust AI tools to operate independently.
Cobalt said the shift reflects the growing complexity of securing AI systems. Nearly one in three findings from AI pen tests were rated high risk – 2.7 times the average for conventional software – while just 38% of identified LLM vulnerabilities had been remediated at the time of analysis. Mean time to resolve AI and LLM flaws also rose from 19 days to 36 days.
Among organizations that experienced AI-related incidents, shadow AI was the most common issue, followed by data or model poisoning and improper output handling. Despite the challenges, only 42% of respondents said they plan to increase human-led red team operations.
Mustang Panda Targets Indian Government, Hydropower
Chinese cyberespionage group Mustang Panda targeted Indian government and hydropower organizations in two campaigns that used new malware and a legitimate cloud service to hide command-and-control traffic, found Acronis.
Acronis Threat Research Unit said it found active compromises inside Indian government networks, including systems used by senior administrative staff, and worked with India’s CERT-In on notification and remediation. The attackers abused Zoho WorkDrive, a cloud storage platform widely used in India’s government sector, to pass commands and exfiltrate data, allowing malicious traffic to blend in with routine cloud activity.
The researchers identified three tools in the operation. Shardloader sideloads a malicious DLL through legitimate signed binaries, including Solid PDF Creator in one campaign and Citrix Receiver in another. It then deploys one of two payloads: Minirecon, a reworked version of the Toneshell backdoor previously documented by IBM X-Force, or Zohomurk, a newly identified implant that uses hardcoded Zoho OAuth credentials to access an attacker-controlled WorkDrive account as a dead drop for commands and stolen data.
The campaigns were delivered in zip archives, likely via spear-phishing, with lures tied to hydropower cooperation proposals and a memorandum of understanding between Indian and Taiwanese institutions. Acronis said the activity was aimed at gathering intelligence on India’s hydropower plans and defense ties with Taiwan, and attributed it to Mustang Panda with high confidence.
Researchers linked the campaigns to the group through code overlap, reused infrastructure and a recurring typo carried across implants. Acronis said the activity was active between June 12 and June 22 and urged government and energy organizations to watch for signed-binary sideloading and unusual cloud API activity from endpoint processes.
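The two behaviours Acronis asks defenders to watch for, a signed binary sideloading an unsigned DLL from a user-writable folder and an endpoint process talking to a cloud-storage API, both leave traces in ordinary endpoint telemetry. The hunt below is an added example, not Acronis' code or a published detection rule: it runs two heuristics over a handful of constructed Sysmon-style events (image-load and DNS-query records). The process and DLL names are made up for the sample, and the Zoho host suffixes are an assumption about where WorkDrive traffic goes; a real deployment would tune the browser and cloud-client allowlists to the environment.

```python
"""Hunt heuristics for signed-binary DLL sideloading and cloud-storage dead
drops.  Added example, not Acronis' tooling; events are constructed
Sysmon-style records (EID 7 = image load, EID 22 = DNS query)."""
import ntpath

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
CLOUD_STORAGE_SUFFIXES = (".zoho.com", ".zohoapis.com")   # assumed WorkDrive endpoints
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}    # processes expected to talk to cloud apps


def _dir(path):
    return ntpath.dirname(path).lower()


def detect_sideload(ev):
    """EID 7: a signed loader pulls an unsigned DLL from its own user-writable folder."""
    if ev.get("event_id") != 7:
        return None
    loader, dll = ev["image"], ev["image_loaded"]
    same_dir = _dir(loader) == _dir(dll)
    writable = any(marker in _dir(loader) for marker in USER_WRITABLE)
    if ev.get("loader_signed") and not ev.get("dll_signed") and same_dir and writable:
        return {"rule": "signed-binary-sideload", "process": loader, "dll": dll}
    return None


def detect_cloud_beacon(ev):
    """EID 22: a non-browser process resolves a cloud-storage API host."""
    if ev.get("event_id") != 22:
        return None
    proc = ntpath.basename(ev["image"]).lower()
    host = ev["query_name"].lower()
    if proc not in BROWSERS and host.endswith(CLOUD_STORAGE_SUFFIXES):
        return {"rule": "cloud-storage-dead-drop", "process": ev["image"], "host": host}
    return None


def hunt(events):
    """Apply every rule to every event and collect the hits."""
    findings = []
    for ev in events:
        for rule in (detect_sideload, detect_cloud_beacon):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry; file names are invented for illustration.
SAMPLE_EVENTS = [
    {"event_id": 7,
     "image": r"C:\Users\alice\AppData\Local\Temp\hydro_mou\pdfcreator.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\hydro_mou\plugin.dll",
     "loader_signed": True, "dll_signed": False},
    {"event_id": 7,
     "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\ntdll.dll",
     "loader_signed": True, "dll_signed": True},
    {"event_id": 22,
     "image": r"C:\Users\alice\AppData\Local\Temp\hydro_mou\pdfcreator.exe",
     "query_name": "workdrive.zoho.com"},
    {"event_id": 22,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "query_name": "workdrive.zoho.com"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The sideload rule deliberately requires all three conditions (signed loader, unsigned DLL, same user-writable directory) so that legitimate plugin loads from Program Files do not fire. The dead-drop rule will also flag a genuine Zoho desktop client, which is the point of the allowlist: in an environment where WorkDrive is sanctioned, add its client binary to the exclusion set rather than dropping the rule.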
Tata Breach Exposes Apple iPhone 18 Pro Data
Sensitive supply-chain data tied to Apple’s unreleased iPhone 18 Pro lineup surfaced on the dark web after the ransomware breach of Indian manufacturer Tata Electronics, reported Reuters.
Documents show at least six leaked files mapping specific iPhone 18 Pro components to individual suppliers, including processors on the main logic board, battery parts and camera hardware. Reuters, citing a person familiar with the matter, said Apple considers such component-to-supplier data highly sensitive because it is not disclosed in the company’s public supplier database and relates to products that have not yet launched.
The leaked records reportedly provide an unusually detailed view into Apple’s sourcing strategy, showing where the company relies on multiple vendors and where supply is concentrated among only a few. That could expose both Apple’s bargaining leverage and potential supply-chain vulnerabilities.
The leaked material also includes early-2026 photographs showing what appear to be iPhones undergoing durability tests at a Tata facility. Reuters said the images depict flat, grey handsets with three rear cameras and a source identified them as iPhone 18 Pro models. Several files reportedly carried Apple “confidential” watermarks and internal project names associated with the iPhone 18 Pro generation.
The disclosure is part of a broader leak of more than 200,000 files stolen from Tata Electronics, which Reuters has previously reported included design documents for older iPhones as well as records linked to Tesla, Taiwan Semiconductor Manufacturing and Qualcomm.
CISA Flags BlueHammer in Ransomware Attacks
The U.S. Cybersecurity and Infrastructure Security Agency warned that a Microsoft Defender flaw tracked as BlueHammer, CVE-2026-33825, is being used in ransomware attacks.
The privilege escalation vulnerability was publicly disclosed on April 2 by researcher Chaotic Eclipse, who has released several Microsoft exploit details early in protest over the company’s vulnerability handling (see: Microsoft Threatens Legal Action Over Zero-Day Leaks).
Microsoft published patches on April 14 and said an authenticated attacker could exploit the flaw, but has not confirmed active attacks in its advisory.
CISA added the bug to its Known Exploited Vulnerabilities catalog on April 22 and has now revised the entry to specify ransomware exploitation.
950 Oracle EBS Systems Exposed as Exploitation Begins
Threat actors are exploiting a critical Oracle E-Business Suite flaw as more than 900 internet-exposed instances remain visible online, according to security researchers.
The vulnerability, tracked as CVE-2026-46817, affects the file transmission component of Oracle Payments in E-Business Suite and could allow unauthenticated attackers with HTTP access to take over vulnerable systems. Oracle patched the flaw in May, but has not publicly confirmed active exploitation.
Threat intelligence firm Defused said Monday it observed attackers exploiting the bug over the weekend against Oracle E-Business honeypots, despite no known prior exploitation or public proof-of-concept code. Separately, Shadowserver said it is tracking about 950 Oracle EBS instances exposed online, although it is unclear how many have been patched.
Amazon to Pay US FTC Fine Over Fraud Records
Amazon will pay a $2.25 million civil penalty to settle U.S. Federal Trade Commission allegations that it failed to give identity theft victims access to records of fraudulent transactions made in their names.
The FTC found that Amazon violated the Fair Credit Reporting Act by not providing many consumers with records tied to fraudulent transactions. The agency said some Amazon customer service representatives denied requests on “privacy” or “security” grounds, while others told consumers the records could not be accessed. In other cases, Amazon provided the documents only after the law’s 30-day deadline had passed.
The FTC also said Amazon refused to provide application and business transaction records to law enforcement agencies that submitted authorized requests on behalf of identity theft victims.
Under a proposed order, Amazon must pay the penalty and also provide lawfully requested records to identity theft victims and authorized law enforcement within 30 days. The company must also notify consumers who requested records since April 2024 but did not receive them that they may submit new requests.