Screen reading malware found in iOS app stores for first time - and it might steal your cryptocurrency
How to combat exfiltration-based extortion attacks

The vast majority of cyberattacks are conducted solely to disrupt organizations, but one type of attack has more than an organization-wide effect; it also has a personal impact.
Conducted primarily by ransomware threat groups, data exfiltration-based extortion is becoming far more prominent - in fact, the notorious Russian ransomware group BianLian has lately appeared to shift its approach entirely towards this trend - and it's easy to see why. These attacks provide a more lucrative financial outcome for criminals because they prey on the victims' strongest fears: humiliation, harm to loved ones, and the worry that their personal information will remain available on the dark web for years to come, even if a payment has been made for its safe return.
Wes Hutcherson, Director for Product Marketing at Runzero.
Organizations have become accustomed to encryption-based attacks and realize that paying the required ransom doesn’t guarantee they’ll get their files back. As a result of this, the number of organizations that pay a ransom has reduced and criminals are now bypassing this, choosing to steal sensitive data and threatening to hit organizations where it hurts the most—their reputation and also that of their individual employees.
The steps that attackers take when conducting a data exfiltration-based ransomware attack are:
Gain access: The attacker gains access to the victim's network, typically via vulnerable assets on that network.
Locate assets: The attacker locates and secures access to high-value assets.
Exfiltrate data: The attacker copies the data out to storage under their own control.
Encrypt data: The attacker encrypts the data.
Demand ransom: The attacker demands a ransom to unlock the data.
Threaten to release data: If the ransom isn't paid, the attacker threatens to publicly release or sell the data.
Now that organizations have realized that they don't get their files back after paying, the number of organizations that pay has fallen, and criminals are responding by changing tactics: going for exfiltration and hitting the reputation of the firm or its employees.
By stealing sensitive data - like scandalous or private emails, photos, or embarrassing secrets - and threatening to make it public, attackers are no longer conducting attacks aimed specifically at the organization. They are now targeting the individual. And it should not come as a surprise that 80% of ransomware attacks now include data exfiltration.
Most employees will go to great lengths to protect themselves and their families from shame, whether in the C-suite or working at the managerial, executive, or junior levels. Picture a CEO desperate to keep a personal secret out of the headlines. It’s powerful leverage, and while an organization might hold firm and refuse to pay, an individual under intense pressure often will cave.
So, how do attackers manage to pull this off so frequently? The answer lies in the many unknown and unmanaged assets that lie within an organization. Previously, attackers would look to conduct any breach via the front door, but this is no longer the case. Increasingly, attackers are infiltrating enterprise defenses via the side door of unmanaged and unknown assets. These forgotten devices, rogue endpoints, or unpatched systems often fly under the radar of security teams and are increasingly acting as open doors that give attackers an easy way to enter, steal data, and turn their threats into big paydays.
It is paramount for organizations to lock down their environment by uncovering all hidden devices and unseen vulnerabilities.
Preventing the attack before it takes place.
This increase in data exfiltration-based extortion is happening in tandem with a changing cybersecurity landscape. Technological developments such as AI are supercharging attacks on IoT and OT systems simply because those systems tend to be the weakest link. With increasing system convergence, unmanaged and unknown devices serve as ideal jumping-off points to other parts of the network. Once there, attackers stay undetected, biding their time until the opportunity to steal sensitive data or demand a ransom payment presents itself.
Even with organizations stepping up their IT defenses, about 60% of assets remain hidden from security teams, creating massive blind spots. To compound matters, the speed at which attackers operate is only increasing. Studies indicate that 72% of attackers can locate and exploit an organization's vulnerability in a single day. Furthermore, last year, unmanaged, internet-facing assets were found to be the cause of 7 out of 10 breaches.
Organizations worldwide must focus on visibility now more than ever. They must have full visibility and understanding of their entire attack surface. This means identifying and cataloguing every IT, IoT and OT device, whether managed or unmanaged, regardless of its function. Only when the light has been shone on all devices and systems can organizations understand their attack surface and lock down weak points, especially those connected to sensitive data. In doing this, security teams can stay ahead of threat groups looking to infiltrate defenses.
Solid discovery of all devices and systems is critical in preventing the breaches that lead to data exfiltration-based extortion. This includes spotting all connected assets, uncovering vulnerabilities, and monitoring new assets or changes to the network environment. Beyond mapping and monitoring the environment, security teams must act precisely once they identify potential issues.
It can't be overstated how critical it is to take action once you've encountered a potential weakness in your defenses. Whether mapping how attackers might move laterally across the network or highlighting areas where the network needs strengthening, security teams must be proactive to protect against network vulnerabilities and, in turn, minimize the chances of a data exfiltration-based ransom taking place.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: [website].
Foh&Boh data leak leaves millions of CVs exposed - KFC, Taco Bell, Nordstrom applicants at risk

A hiring enterprise has reportedly left millions of CVs in a publicly accessible AWS bucket.
Foh&Boh has partnerships with leading food and hospitality services.
The dataset is now closed, but people may still be at risk.
A dataset containing a staggering [website] million files has been discovered by researchers online, and is believed to be primarily CVs (resumes) from hiring giant Foh&Boh.
Researchers from CyberNews discovered the publicly accessible AWS bucket containing the exposed records, and after ‘multiple attempts to reach the firm’, the dataset was closed.
It’s not clear whether malicious actors have accessed the dataset, but cybercriminals often have automated tools to scan the internet for unprotected instances, and immediately download them, so victims still face very real risks - here’s what we know so far.
The hiring platform, Foh&Boh, aims to 'find and recruit talent for the hospitality industry', and partners with independent restaurants, franchises, hospitality groups, and 'some of the world's largest hotel chains'. The platform boasts partnerships with industry giants like Nobu, Taco Bell, and KFC.
The data was available online for a fairly significant period of time, with discovery on September 16, 2024, initial disclosure on October 22, 2024, and the leak closed on January 8, 2025.
This, like all data leaks, leaves those exposed in danger. Primarily, the concern is identity theft, especially since a CV hands a comprehensive set of personal details over to potential attackers.
“The leak significantly heightens the risk of identity theft, enabling cybercriminals to create synthetic identities or fraudulent accounts, leaving individuals exposed to a range of sophisticated cyberattacks,” the researchers noted.
This might sound familiar to some, as just two days ago, on February 4, 2025, a large dataset containing over a million CVs stored by Valley News Live was discovered, so it's a pretty lousy week for jobseekers.
Data breaches have unfortunately become a part of life for anyone on the web. In 2024, one single breach leaked the details of 100 million Americans (although the total is now reported at 190 million - so almost 75% of US adults) - which just displays that no-one is safe.
Breached data also creates a risk of social engineering attacks. These commonly come in the form of phishing campaigns, and are designed around the information hackers have obtained, often appearing to know the victim personally or preying on people in difficult financial situations by offering 'get rich quick' scams.
"Attackers could craft highly personalized emails referencing specific job details or interests from the resumes, making their phishing attempts ever more convincing," the researchers revealed. "This targeted approach could deceive candidates more easily, exposing them to further risks."
To protect yourself from the risk of identity theft, it’s crucial to keep a close eye on all of your accounts. Monitoring your cards, statements, and transactions for any suspicious activity means that you can quickly identify any issues.
If a service you use has suffered a data breach, make sure you change your password - and probably your passwords to any site that would hold sensitive information. If you’d like some tips on how to choose a secure password, we’ve listed some here.
In short, include capital and lowercase letters, numbers, and special characters - and never reuse a password, especially for sites that carry significant information like health or financial data.
If that all seems a little overwhelming, we’ve tested out all the best password managers and the best password generators to simplify the process.
We've made a comprehensive guide on how to spot a phishing email for anyone who wants to make sure they're wise to scammers' tricks.
Screen reading malware found in iOS app stores for first time - and it might steal your cryptocurrency

Apps delivering malware to individuals to steal crypto found on iOS app store.
Some of these apps have thousands of installs across iOS and Android.
The 'SparkCat' campaign has been active since March 2024.
Crypto-stealing malware dubbed ‘SparkCat’ has been discovered on iOS and Android app stores, and is embedded with a ‘malicious SDK/framework for stealing recovery phrases for crypto wallets’.
A study from Kaspersky has identified malicious apps, some with upwards of 10,000 downloads, that scan the victim's gallery for keywords - if relevant images are found, they are then sent to a C2 server.
This is the first time a stealer has been found in Apple's App Store, and this is significant because Apple reviews every entry to 'help provide a safe and trusted experience for customers' - so these malware-infected apps show that the review process is not as robust as it should be.
Although aimed at stealing cryptocurrency wallet recovery phrases, Kaspersky notes that the malware is 'flexible enough' to steal other sensitive data from victims' galleries - here's what we know.
The ‘SparkCat’ malware campaign was first discovered in late 2024, and is suspected to have been active since March 2024.
The first app Kaspersky identified was a Chinese food delivery app, ComeCome. The app had over 10,000 downloads and was based in Indonesia and the UAE. The app was embedded with malicious content, and contained OCR spyware which chose images from the infected devices to exfiltrate and send to the C2 server.
This wasn’t the only infected app though, and researchers found that infected apps available in Google Play had been downloaded a combined total of over 242,000 times. In 2024, over 2 million risky Android apps were blocked from the Play Store, including some which tried to push malware and spyware - so although Google is improving its protections, clearly some still make it through.
In the app store, some apps ‘appeared to be legitimate’, like the food delivery services, while others had apparently been built to ‘lure victims’. An example of this, researchers outlined, is a series of similar AI-featured ‘messaging apps’ by the same developer, including AnyGPT and WeTink.
It's not clear whether these infections are deliberate actions by developers or the result of supply chain attacks, but the study does note that the "permissions that it requests may look like they are needed for its core functionality or appear harmless at first glance."
"What makes this Trojan particularly dangerous is that there's no indication of a malicious implant hidden within the app," Kaspersky adds.
If you have one of the infected apps installed on your device, Kaspersky of course recommends removing it and steering clear until a fix is released - the list of infected apps can be found here.
There is software that can help protect your device, like antivirus software - and as a key part of this malware in particular is the exfiltration of sensitive data through screenshots, the best advice is to avoid storing passwords, confidential documents, or sensitive information in your gallery.
Instead, check out the best password managers to securely store your information, as these are a much safer and more convenient option than keeping your passwords in your photos. Make sure you don't reuse passwords on multiple sites, and change your passwords regularly to limit the impact of a breach.
There are some tricks to avoid malware apps, and considering that dangerous malware apps have been found to have been installed millions of times, it’s always best to be safe.
First of all, be wary of the warning signs. Go through the feedback and reviews - especially the negatives, as it's likely someone else will have already flagged a bug. Be very suspicious of an app which asks for your existing social media credentials - as this could be criminals looking to hijack your account.