thecybershark, Author at The Cyber Shark

Mozilla Fixes a Serious Firefox Issue Like the New Zero-Day Vulnerability in Chrome

Mozilla has patched a critical sandbox escape vulnerability (CVE-2025-2857) in Firefox for Windows, with no evidence of active exploitation. Only a few days after Google patched a similar vulnerability in Chrome that was actively exploited as a zero-day, Mozilla has published fixes to fix a serious security weakness affecting its Firefox browser for Windows. According to descriptions, the security flaw CVE-2025-2857 is an instance of an improper handle that could result in a sandbox escape. “Following the recent Chrome , Mozilla sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC [inter-process communication] code,” an alert from Mozilla stated. “A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape.” In Firefox 136.0.4, Firefox ESR 115.21.1, and Firefox ESR 128.8.1, the flaw that impacts both Firefox and Firefox ESR has been fixed. CVE-2025-2857 has not been exploited in the wild, according to any evidence. To address CVE-2025-2783, which has been used in the wild as part of attacks on Russian government agencies, media outlets, and educational institutions, Google published Chrome version 134.0.6998.177/.178 for Windows. The infection happened when unidentified victims clicked on a specifically constructed link in phishing emails and used Chrome to access the attacker-controlled website, according to Kaspersky, which discovered the activity in mid-March 2025. According to reports, CVE-2025-2783 was linked to another unidentified browser exploit to bypass the sandbox’s restrictions and accomplish remote code execution. Nevertheless, fixing the flaw successfully stops the whole assault chain. Since then, the vulnerability has been added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) database, and federal agencies are required to implement the required mitigations by April 17, 2025. To protect themselves from potential threats, users are advised to update their browser instances to the most recent versions.

Over 13 Million Indian Banking Customers’ Data Allegedly Leaked and Sold on Dark Web

A threat actor claims to have stolen and is selling sensitive financial data of over 13 million Indian banking customers on the dark web. A threat actor has surfaced on a well-known dark web forum, claiming to have gained access to and exfiltrated sensitive financial data belonging to over 13 million Indian banking customers. This shocking revelation has raised serious concerns about the state of data security in India’s banking ecosystem. The purported data dump, which is allegedly the product of a significant breach, is currently being offered for $10,000 to one buyer alone. Scope of the Leak According to the dark web article, the compromised data include financial and personal details like: Full names of account holders Indian Banking Customers account numbers Indian Banking Customers IFSC codes Indian Banking Customers Registered mobile numbers Indian Banking Customers Email addresses The threat actor has allegedly supplied a sample of 6,000 data from the purported breach to bolster the veracity of the claim. The entire dataset, which is 11.2 GB in size, is reportedly formatted in CSV. By declaring that only one buyer would be considered and that escrow services would be accepted to complete the transaction, the threat actor further highlighted the gravity of the sale. This unusual approach demonstrates the actor’s faith in the veracity of the breach. Top Banks Allegedly Affected The forum post claims that the customer datasets of numerous well-known Indian financial institutions are impacted by the incident, including: State Bank of India (SBI) HDFC Bank ICICI Bank Kotak Mahindra Bank Several other private and public sector banks Cyber intelligence specialists are conjecturing about a potential vulnerability exploited through third-party banking APIs or KYC data aggregators, even though the exact manner of infiltration is still unknown. Potential Risks and Implications Experts in cybersecurity caution that if confirmed, such a vulnerability might have serious repercussions: Financial fraud: Access to account numbers and phone numbers could allow cybercriminals to launch targeted phishing or vishing attacks. Identity theft: The combination of email, phone numbers, and bank data could allow for large-scale impersonation and KYC fraud. Reputational damage: If major banks are indeed involved, the fallout could impact consumer trust and regulatory compliance in the fintech space. A senior analyst at a top cybersecurity company declared, “This is not just a leak; if verified, it’s a bombshell.” The scale and extent point to either extreme neglect or a profound penetration. By using escrow, the seller demonstrates their expertise in high-value cybercrime activities. Authorities and Institutions on Alert The Reserve Bank of India (RBI) and the Indian Computer Emergency Response Team (CERT-In) have not yet released a formal statement. Additionally, no confirmations or rejections have been made by representatives of the banks listed in the leak. Dark Web Marketplace Trends This hack is just one more illustration of how the dark web is developing into a marketplace for strategic and private information. Threat actors are increasingly acting like businesses by offering escrow, negotiating exclusive deals with buyers, and supplying samples. Because of the growth of fintech apps and digital banking, there is still a high demand for banking data in particular. Previous instances have demonstrated how these leaks support account takeovers, loan fraud, and social engineering.

Crackdown on digital fraud by the Indian government: What to anticipate soon

India is ramping up digital security by blocking millions of fraudulent SIM cards and accounts while implementing AI-driven measures to combat cybercrime. With cyber fraud on the rise, the Indian government has been intensifying its efforts to safeguard digital security. Over the past few months, they have reportedly blocked more than 7.8 lakh SIM cards, 83,000+ WhatsApp accounts, and 3,000+ Skype IDs. The government has also taken a firm stand against online threats. But what does this mean for the future of India’s cybersecurity? Government’s crackdown on digital fraud Sanjay Kumar, Minister of State for Home Bundi of the Union, has recientemente revealed in the Lok Sabha que India has imposed stringent medidas against ciberdelincuentes. In addition to outlawing fake SIM cards, the government has deactivated 2,08,469 IMEI numbers, which is a crucial step in preventing misuse of devices that have been damaged or obtained illegally. Tighter regulations on messaging and video platforms Currently, authorities focus on messaging and video chatting apps, which are frequently used for fraudulent purposes. Already, the Indian Cyber Crime Coordination Centre (I4C) has detected and blocked: 3,962 Skype IDs 83,668 WhatsApp accounts This action suggests that stricter regulations may be implemented in digital fraud communication networks to reduce abuse. I4C and the Future of Cybercrime Prevention I4C, which was established in 2021, has played a crucial role in preventing financial fraud. It has already contribution a salvaguardar Rs 4,389 crore on possible presides de mas de 13.36 lakh reclamations. As cryptocurrency develops, more cryptocurrency monetization systems driven by artificial intelligence and time after quick responses to digital fraud crimes are anticipated. What’s Next? AI-powered cybersecurity measures It is anticipated that the government will use AI-powered monitoring technologies to quickly identify questionable activity. Future initiatives may include: Automated fraud detectors for telecommunications services financier’s Mas strictest medias KYC (Know Your Customer) para la emission de SIM cards Citizen-centric cybersecurity In initiatives To enable a person to report and monitor cases of cyber fraud, the government has implemented: 1930’s National Cyber Helpline for prompt fraud reporting Sanchar Saathi Portal and app that enables users to block stolen devices and report fake calls India is moving closer to a more secure digital fraud future by putting these measures into place, which will give its citizens more protection against cyberattacks.

Microsoft Unveils Six New Agentic AI Solutions to Boost Cybersecurity

Microsoft launched six new Agentic AI solutions to enhance cybersecurity, focusing on phishing, data security, and identity management. These AI agents aim to automate tasks and strengthen defences against complex cyber threats. Software major Microsoft announced on March 25 its six new Agentic Artificial intelligence (AI) agents designed to autonomously assist with critical areas such as phishing, data security, and identity management. This is important as the company now processes 84 trillion signals daily, including 7,000 password attacks per second. Scaling cyber defences through AI agents is now imperative to keep pace with this threat landscape. “We are expanding Security Copilot with six security agents built by Microsoft and five security agents built by our partners—available for preview in April 2025. The relentless pace and complexity of cyberattacks have surpassed human capacity and establishing AI agents is a necessity for modern security,” the company said in a release. Microsoft launched its earlier version of Security Copilot a year ago to empower defenders to detect, investigate, and respond to security incidents swiftly and accurately. Between January and December 2024, the company detected over 30 billion phishing emails targeting customers. The volume of these cyberattacks overwhelms security teams relying on manual processes and fragmented defences, making it difficult to both triage malicious messages promptly and leverage data-driven insights for broader cyber risk management. To solve this, the latest version unveiled can handle routine phishing alerts and cyberattacks, freeing up human defenders to focus on more complex cyber threats and proactive security measures. The six Copilot agents enable teams to autonomously handle high-volume security and IT tasks while seamlessly integrating with Microsoft Security solutions. Purpose-built for security, agents learn from feedback, adapt to workflows, and operate securely—aligned to Microsoft’s Zero Trust framework. With security teams fully in control, agents accelerate responses, prioritise risks, and drive efficiency to enable proactive protection and strengthen an organization’s security posture. Moreover, as organisations rapidly adopt generative AI, there is a growing urgency to secure and govern the creation, adoption, and use of AI in the workplace. According to Microsoft’s new report, 57 per cent of organizations report an increase in security incidents from AI usage. While most firms recognise the need for AI controls, 60 per cent have not yet started.

Uttarakhand Police Bust International Cybercrime Gang, Arrest Two

Uttarakhand Police arrested two cyber criminals involved in international fraud using fake business accounts and cryptocurrency transactions. The accused operated via Telegram, earning commissions by converting illicit funds into Indian currency. Dehradun: The Uttarakhand Police claimed to have busted a gang of international cybercriminals by arresting two of its members, including a trainer, who is a tenth pass out, officials said. The Special Task Force (STF) also found huge funds in the shape of cryptocurrency in the mobile phones of the accused. The accused Harjinder Singh and Sandeep Singh would provide fake business accounts to other cybercriminals to transact money and exchange funds with international gangs in cryptocurrencies. This comes weeks after the central government brought 540 Indians back from Myanmar, who were trafficked by a Chinese network of cyber criminals on the pretext of jobs in Thailand. At least 22 of the victims were from Uttarakhand Police, which prompted the state government police to form an STF under the supervision of Senior Superintendent of Police (SSP) Navneet Bhullar. Uttarakhand Police Following the joint probe with CBI and the Indian Cyber Crime Coordination Centre (I4C), two persons, Harjinder Singh and Sandeep Singh, were arrested near Zila Panchayat Chungi on Thanon Road ahead of Maharana Pratap Chowk under the Raipur Police Station area. The STF team recovered one laptop, seven mobile handsets, one passport, two chequebooks, three debit cards, two PAN cards, one passbook, one stamp seal and four SBI bank forms stamped in the name of some firm from the possession of the accused. According to officials, Sandeep and Harjinder, both friends, would use Telegram to connect with criminals and open fake bank accounts under various firm names for cybercriminals to use for illegal transactions globally. Later, they would receive payments in cryptocurrency (USDT), take a 1% fee per transaction and convert it into Indian currency. “Over the past year, the accused made about Rs 1.2 crore in profit, including Rs 25 lakh in March alone,” officials added.

Government Implements Stricter Rules to Curb Child Sexual Abuse and Cybercrime Online

The Indian government is enhancing regulations to curb online child sexual abuse and cybercrime, with stricter rules for digital platforms. Measures include content removal, grievance redressal, and international collaboration. The Indian government is working harder to control internet content and stop the spreading of sexually graphic materials, especially when it comes to child sex abuse. Ashwini Vaishnaw, the Union Minister for Railways, Information & telecast, and Electronics & IT, told the Lok Sabha that some steps are being taken to guarantee a secure online environment under the Information Technology Act of 2000 and the IT Rules of 2021. The publication or transmission of pornographic material is already illegal under the Information Technology Act of 2000, with more severe penalties for content involving minors. Digital platforms, including social media intermediaries, must adhere to due diligence under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. They are no longer legally shielded from accountability for content hosted by third parties on their platforms if they don’t comply. Notably, major social media platforms that offer messaging services are now required to make it possible to identify the original creator of communications about offences like child sexual abuse , rape, or sexually explicit content. Intermediaries are also required to take down any content that shows someone having sex, exposing their private parts, or depicting nudity within 24 hours. The government has also established Grievance Appellate Committees to improve user grievance redressal, enabling users to challenge decisions made by social media companies on the removal the content of child sexual abuse. Controlling pornographic material on OTT platforms and in movies The Central Board of Film Certification (CBFC) still oversees public film screenings in the entertainment industry, making sure that adult material is categorized correctly following the Cinematograph Act of 1952 and its certification guidelines. The IT Rules, 2021, require OTT platforms to follow a code of ethics that includes limiting access to youngsters, classifying content according to age appropriateness, and implementing age verification for adult-rated content. The government’s multifaceted strategy to combat cybercrime The Indian government has taken several steps to fight cybercrime in addition to regulating content of child sexual abuse. National Cyber Crime Reporting Portal: The Ministry of Home Affairs has a website called www.cybercrime.gov.in where anyone can report any kind of cybercrime, with a concentration on crimes against minors. Indian Cyber Crime Coordination Centre (I4C): a specialized organization that plans actions to combat online crimes, such as child exploitation of child sexual abuse. Financial aid for cybercrime prevention: Under the Cyber Crime Prevention against Women and Children (CCPWC) program, the government has provided funding to states and Union Territories so they can set up cyber forensic labs and provide law enforcement training. Blocking CSAM websites: The Central Bureau of Investigation (CBI) and Interpol provide information that is used to periodically block websites that include child sexual abuse material (CSAM). ISPs are also required to dynamically block certain websites using lists provided by Project Arachnid (Canada) and the Internet Watch Foundation (UK). Parental control and awareness initiatives: Internet service providers have been asked to advertise parental control filters, and the government is running awareness campaigns on cybercrime through educational handbooks, radio broadcasts, and the @CyberDost Twitter handle. International collaboration: The National Center for Missing and Exploited Children (NCMEC), USA, has teamed with India’s National Crime Records Bureau (NCRB) to gather information on online child exploitation. These reports are subsequently forwarded to states and Union Territories for additional action.

Businessman from Hyderabad loses Rs 1.22 crores to online scammers.

Hyderabad businessman was scammed of Rs 1.22 crores through a fake online trading scheme. Police arrested Ankit Arora, while the main accused, Deepak Kumar, remains at large. Hyderabad: After being tricked into investing in an internet trading company that promised enormous earnings, a Hyderabad businessman lost Rs 1.22 crores to cyber criminals. The victim, a resident of Secunderabad, received a message on Telegram ID Doll6726@Navyaand from a stranger who lured him to invest in online trading over time. He assured me that the profits would be huge and asked him to download an application on his mobile phone. Initially, the person invested some amount for investment and in return received some profits on the investment. After businessman being mesmerized by the profits, the man sent Rs 1, 22, 87,120 to the account that the stranger, who claimed to be Deepak Kumar, had provided. After a few weeks, Deepak failed to withdraw the winnings from the victim’s wallet and asked him to transfer more money. He became suspicious and filed a report with the police. Based on the evidence they gathered, police were able to hold on to Ankit Arora, a 38-year-old native of Uttar Pradesh who had provided Deepak Kumar with his bank account credentials. Under the guise of internet trading, Deepak was able to defraud a Hyderabad man out of Rs 1, 22, 87,120 using the bank account details. Ankit Arora’s bank account received the money from the victim, and Deepak subsequently moved it to other accounts. Cybercrime police officials claimed that Deepak had given Ankit a commission. After learning that Deepak operates out of Thailand, the police will issue a Look Out Circular (LoC) for him.

Chennai Batman loses Rs 2 crore in email spoofing scam ; here’s how police recovered the entire amount from fraudsters

Chennai cybercrime police recovered Rs 2 crore lost to email spoofing scam by swiftly coordinating with global banks. Authorities advise caution with suspicious emails to prevent similar scams. The scammers who defrauded a businessman of Rs 2 crore by sending a counterfeit email to their company’s bank account to pay for their trading have been found by cybercrime police. Cybercriminals trick victims into making unauthorized payments by intercepting or mimicking official company communications. The entire amount was returned to the complainant’s bank account by the state cybercrime wing team as a result of the cybercrime officers’ prompt action. What exactly happened? According to the police, a bogus email from kunal1113@gmail.com was sent to the private company Agrigo Trading Private Limited in Chennai. Since the email was a part of a chain, the general manager of the company replied. The proforma invoice and banking information for the payment of US dollars 238,500 (Rs 2, 00,10,150) to be deposited at Regions Bank, USA, were included in the letter. On September 26, the manager made the NEFT payment via State Bank of India, Leather International Branch, Chennai, believing it to be authentic because it was connected to an earlier email exchange with the original supplier asking for a proforma invoice for payment of the amount for a business deal. It was found that the email was false and that the complainant had been defrauded when they followed up with the provider on September 27. Following Cr.No. 57/2024, u/s 318(4) of BNS 2023 & 66, 66C, 66D of IT Act 2000, the victim submitted a report through the National Cyber Crime Reporting Portal, and a case was opened at the State Cyber Crime Investigation Center. The State Bank of India, Chennai’s Leather International Branch, received requests to track down the misplaced sum. The money had been credited to Regions Bank’s account in the United States, according to confirmation from the State Bank of India. It was verified that the full amount was returned and credited to the complainant’s account as a result of the team’s sincere efforts to coordinate with the I4C, the Ministry of Home Affairs, and Regions Bank, USA. This instance emphasizes how crucial it is to confirm the legitimacy of emails, particularly when significant financial transactions are at stake. This kind of fraud takes advantage of people’s confidence and can cost companies a lot of money. You must respond right away if you believe you have been the victim of similar fraudulent activities or if you have discovered any questionable activity. Call the Cyber Crime Toll-free Helpline at “1930” to report the occurrence, or file a complaint online at “www.cybercrime.gov.in.” Advisory to citizens for cyber safety: Pay close attention to the sender’s address: Phishers frequently produce phoney email addresses that resemble real ones almost exactly, with a few minor variations. Check for unusual language: An email may be fake if it has strange wording, poor grammar, or spelling errors. Look out for demands that seem suspicious or urgent: If the email requests that you do something right away, such as transferring money, changing your password, or verifying your account, proceed with caution. Examine links before clicking: To view the URL, move your mouse pointer over any links in the email without clicking. Do not click if anything appears suspicious. Notify the impersonated organization: Report the scam to the security staff of the firm or entity that the fake email purports to originate from. Get rid of the email: Once the suspicious mail has been reported, remove it from both your inbox and trash folder.

14 years after rejecting it, Karnataka intends to implement sex education programs.

Karnataka schools to introduce sex education for grades 8-12, focusing on reproductive health, cyber safety and moral values. The initiative marks a shift from previous opposition to such programs. In Karnataka’s schools, sex education has long been a controversial subject. Despite suggestions from Unicef and child rights organisations, the state government flatly rejected a plan to implement it as part of an anti-AIDS initiative in 2011. Officials at the time contended that students would not benefit from such instruction. Now, following years of discussion, Karnataka is adopting a new strategy. Along with moral instruction for younger kids, the government has announced intentions to provide sex education for grades 8 through 12. SEX EDUCATION, COUNSELLING, AND CYBER SAFETY The new proposal calls for local doctors to lead sex education seminars twice a week for students. Teens will learn about reproductive health, cleanliness, and making responsible decisions, as well as how their bodies, emotions, and hormones are changing. Additionally, twice a year, kids in Classes 1 through 10 will get health examinations. Primary Health Centre physicians and nurses will offer advice on disease prevention, proper cleanliness, and the dangers of substance addiction. To guarantee that kids, particularly those who are dealing with behavioural challenges, receive the appropriate help, schools will also set up counselling programs. By offering cyber hygiene courses, the government is also addressing online safety and digital addiction. Although there is no set schedule for implementation, these courses will instruct students on how to use the internet securely, stay safe from online threats, and develop good screen habits. In addition to digital safety and health, the project raises knowledge of the law. In order to ensure that kids are aware of their rights and are able to recognize dangerous circumstances, police officers will visit schools to teach them about the Protection of Children from Sexual Offences (POCSO) Act. MORAL EDUCATION TO SHAPE VALUES Up until Class 10, moral education will be required for younger pupils. These twice-weekly lectures, which will focus on characteristics like probity, patience, and respect, will emphasize the idea that character development is just as vital as academics. INDOA’S CONTENTIOUS HISTORY OF SEX EDUCATION In India, sex education has long been a contentious issue, and important attempts to implement it have been thwarted. To educate pupils about puberty, sexual health, HIV/AIDS prevention, and related subjects, the National Council of Educational Research and Teaching (NCERT) launched the Adolescence Education Programme (AEP) in 2007. However, parents, conservative organizations, and politicians strongly opposed the initiative. Many states, including Gujarat, Maharashtra, Madhya Pradesh, Karnataka, Rajasthan, Chhattisgarh, and Goa, outlawed sex education in schools as a result of the outcry. NCERT was forced to remove its sex education module from schools as a result of this opposition. The resistance was based on worries that the material was against cultural norms and unsuitable for school-age youngsters. Regarding the implementation of sex education, this dispute demonstrated the conflict between contemporary educational goals and conventional societal norms. Jharkhand launched ‘Udaan’ in 2009, a school-based program for adolescents in Classes 6–11 that emphasizes health education and life skills. Over a million children were impacted by this program in 2019, and it is still going strong today. Despite issues, initiatives to advance comprehensive sex education are still underway in several places, acknowledging its significance for the health and well-being of adolescents. Karnataka’s decision to implement sex education classes is a change from its previous position, although it is unclear if opposition would resurface. UNICEF blasted the government in 2011 for avoiding talking about adolescent health, claiming that keeping information secret endangered children. Although the new program is more in line with international best practices, its effectiveness will rely on how well it is executed and whether or not previous discussions come up again.

Has the open-source AI from DeepSeek turned into a tool for online fraudsters?

Researchers found that DeepSeek’s open-source AI model can be exploited to create malware with minimal tweaks. Experts warn of potential misuse despite basic safeguards. According to a recent study, malicious actors may utilize DeepSeek’s open-source, free AI models to create harmful malware while displaying shoddy security measures. Since the public was made aware of the current scope of generative AI, governments and regulators have been alerting people to the potential for LLMs like ChatGPT and Gemini to be used to write harmful code. A few LLMs have already been created expressly for illegal purposes, but although these models usually demand money to access and the major LLM providers have safeguards in place, scammers have an advantage with DeepSeek’s open-source, publicly available architecture. Research by Nick Miles of Tenable Research revealed that the DeepSeek R1 model, a reasoning large language model (LLM) created by the Chinese company, could produce the “basic structure for malware,” providing barriers that are “easy to work around” and “vulnerable to a variety of jailbreaking techniques.” Miles tried to use DeepSeek to develop a key logger for the test that could secretly record keystrokes from users of a device while evading the operating system’s defences. Telling the LLM that the exercise was for “educational purposes only” was enough to persuade it to continue after its initial refusal. After following DeepSeek’s directions, a functional key logger was eventually produced, even though the model’s code needed to be manually rewritten in a few places. Miles also tried to create a sample of simple ransomware, which is a kind of software that prevents users from accessing their files that are susceptible to ransomware. Miles was able to create a few functional ransomware samples after some back and forth, but they also needed human editing to work. Once more, the system’s restrictions cautioned against the practice. The researcher concluded that malicious actors may get over DeepSeek’s safeguards against malware production with a little tweaking. The results do not portend a total catastrophe because the model’s outputs depend on a significant amount of prior coding information. “However, DeepSeek offers a helpful collection of methods and search terms that can enable someone who has never written malicious code before to become quickly acquainted with the pertinent ideas,” Miles said. According to my investigation, I think DeepSeek will soon encourage thieves to create more dangerous AI-generated programs.

Author: thecybershark