With this approach, users will no longer have to depend on shared cloud storage limits. Instead, WhatsApp aims to provide its own storage environment specifically built for messaging data. This is especially important as chat backups today include large files like high-resolution images, videos, and voice notes, which quickly consume available space.

All data stored in this system will be protected with end-to-end encryption by default. This means that messages remain private, and even WhatsApp itself cannot access the content. By keeping backups encrypted at all times, the platform is aiming to reduce the risk of unauthorized access or data exposure.

Enhanced Security with Passkeys

To strengthen protection further, WhatsApp is planning to introduce passkey-based authentication for backup access. Instead of using traditional passwords or long encryption keys, users will be able to unlock their backups using biometric methods such as fingerprint or facial recognition.

This makes the process both simpler and more secure. The authentication is tied directly to the user’s device, which reduces the risk of attacks like phishing, credential theft, or brute-force attempts. The passkey is securely stored and can sync across trusted devices, allowing users to restore backups without needing to remember complex credentials.

At the same time, WhatsApp is expected to keep alternative options available. Users who prefer using passwords or encryption keys will still have that choice, ensuring flexibility for different security preferences.

Storage Options and Rollout Plans

The upcoming system is also expected to introduce dedicated storage plans for backups. Early expectations suggest a small free storage tier for basic use, along with larger paid options for users who need more capacity. This would allow users to manage their backup storage without affecting their personal cloud accounts.

Despite this shift, WhatsApp is likely to continue supporting third-party backups for users who prefer their current setup. This ensures a smoother transition without forcing immediate changes.

The feature is still in development and has not yet been released publicly. It is expected to go through multiple testing phases to ensure stability, security, and compatibility with existing systems before a wider rollout begins.

This move reflects a broader industry trend toward building self-contained ecosystems that prioritize privacy, security, and better control over user data, rather than relying entirely on external platforms.

The post WhatsApp Tests Safer Cloud Backup for Messages appeared first on First Hackers News.

How the Attacks Unfolded -Zestix Infostealer

Researchers link the activity to a threat actor known as Zestix, also operating under the alias Sentap. The actor accessed cloud storage platforms such as ShareFile, Nextcloud, and OwnCloud, affecting around 50 organizations.

The impacted companies span sectors including aviation, healthcare, finance, defense, and government services. In several cases, attackers were able to access and extract large volumes of sensitive data.

The attacks typically start when employees unknowingly download malicious files that install infostealer malware such as RedLine, Lumma, or Vidar. These programs silently collect saved credentials and browser data from infected systems.

The stolen information is later aggregated into underground databases. The attacker then searches these datasets for corporate cloud credentials and uses them to gain unauthorized access to enterprise environments.

Researchers found that the main weakness was not an advanced exploit, but the lack of multi-factor authentication. Without MFA in place, attackers were able to access systems using only stolen usernames and passwords, some of which had been exposed in infostealer logs for years.

The impact of the breaches is significant. An engineering firm supporting U.S. utilities lost sensitive infrastructure data, while a robotics company exposed defense-related design files.

An airline also saw internal maintenance and safety documents leaked. In another case, health records and personal data tied to Brazilian military personnel were exposed, totaling several terabytes of sensitive information.

How Credentials Are Stolen and Abused

The attacks follow a simple but effective flow that makes them hard to stop if basic controls are missing.

• An employee downloads what looks like a normal file or software update from email or the web.
• An infostealer runs quietly in the background, often blending into legitimate system activity.
• The malware collects saved passwords and session data from browsers, password managers, and apps like email or collaboration tools.
• The stolen data is encrypted and sent to attacker-controlled servers.
• Attackers search through large credential dumps to find logins tied to corporate systems such as cloud storage and business platforms.

This method is dangerous because it is cheap, scalable, and easy to repeat. Access to corporate accounts is then sold on underground forums, allowing multiple attackers to reuse the same stolen credentials.

Many organizations were compromised not due to a lack of training, but because multi-factor authentication was not enforced across critical systems.

The fix is simple but urgent: enable MFA everywhere it matters and actively monitor for exposed credentials before they are used by attackers.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Infostealers Lead to Cloud Account Compromises appeared first on First Hackers News.

The outage began at 11:20 UTC and was caused by an internal configuration mistake—not a cyberattack—showing that even strong cloud systems can fail.

This event follows similar outages at Azure and AWS, raising concerns about how dependent the world has become on large cloud providers.

Cloudflare’s issue started with a routine permissions update in its ClickHouse database cluster. At 11:05 UTC, the change exposed table metadata in the ‘r0’ database. A Bot Management query didn’t handle this correctly, pulling duplicate columns and creating a feature file twice the normal size.

This file, updated every five minutes to support machine-learning bot detection, exceeded the software’s 200-feature limit. That caused failures in Cloudflare’s core proxy system, FL.

At first, engineers suspected a massive DDoS attack, especially since Cloudflare’s status page was also down. The problem was harder to trace because good and bad files appeared in an alternating pattern during the rollout.

When the Bot Management module failed, request scoring stopped completely. In Cloudflare’s newer FL2 proxy, this resulted in 5xx HTTP errors. Older FL versions defaulted bot scores to zero, which could block real users on sites using strict bot rules.

The outage hit key Cloudflare services. Many websites showed error pages, latency increased, and debugging became difficult. Turnstile CAPTCHA stopped working, blocking logins. Workers KV also had higher error rates, affecting dashboard access and Cloudflare Access authentication.

Email Security briefly lost some spam detection, and configuration updates slowed, though no customer data was compromised. Cloudflare restored full service by 17:06 UTC after stopping the bad files, rolling back to a stable version, and restarting proxies.

Cloudflare’s CEO, Matthew Prince, apologized and called this the company’s worst traffic outage since 2019.

This incident also reflects a broader pattern of configuration-related failures across major cloud providers.

On October 29, 2025, Azure went down globally due to a faulty change in its Front Door CDN, disrupting Microsoft 365, Teams, Xbox, and even airline systems.
AWS suffered a 15-hour outage on October 20 in US-East-1 caused by DNS issues in DynamoDB, which affected EC2, S3, Snapchat, and Roblox.
Another AWS issue on November 5 slowed Amazon.com checkouts during holiday preparation.

Experts warn these outages show how dangerous it is to rely heavily on centralized cloud services—one mistake can impact the entire internet.

To avoid future problems, Cloudflare is improving its file ingestion process, adding global kill switches, reducing excessive error logging, and reviewing proxy failure behavior.

Although this incident wasn’t caused by an attack, it highlights the need for stronger operational controls as cloud systems continue to grow.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Cloudflare Reveals Key Technical Causes of Massive Global Outage appeared first on First Hackers News.

According to a new analysis by Palo Alto Networks Unit 42 researchers Stav Setty and Shachar Roitman, the attackers use phishing and smishing campaigns to steal employee credentials from companies that issue or manage gift cards. Once inside, they escalate privileges and issue unauthorized cards for financial gain — often reselling them on gray markets.

Gift cards remain a preferred target for cybercriminals due to their ease of redemption, anonymity, and traceability challenges, making such fraud difficult to investigate.

A Seasonal Threat with Long-Term Persistence

The group’s name, Jingle Thief, stems from its pattern of ramping up fraud campaigns around holiday and festive seasons, when gift card transactions surge. Palo Alto Networks tracks the operation internally under the identifier CL-CRI-1032, with “CL” representing cluster and “CRI” indicating criminal motivation.

Researchers have linked Jingle Thief with moderate confidence to financially motivated actors Atlas Lion and Storm-0539, groups previously associated with operations traced back to Morocco. The threat cluster is believed to have been active since late 2021.

One of the most concerning traits of Jingle Thief is its long-term persistence within compromised environments — in some cases, maintaining access for over a year. During this period, attackers conduct extensive reconnaissance, map cloud infrastructures, move laterally, and implement methods to avoid detection.

Recent Global Campaigns

Unit 42 reported a surge in coordinated Jingle Thief campaigns between April and May 2025, targeting multiple global enterprises. In one notable incident, the attackers compromised 60 user accounts within a single organization and maintained access for approximately 10 months.

By exploiting stolen credentials, Jingle Thief operators impersonate legitimate users to infiltrate Microsoft 365 environments, steal sensitive data, and execute high-value gift card fraud at scale. They also modify log settings and forensic trails to conceal unauthorized issuance activities.

Phishing Tactics and Cloud Abuse

The group employs highly tailored phishing pages mimicking Microsoft 365 login portals, distributed via email or SMS, to harvest credentials. Once credentials are obtained, the attackers perform a second round of reconnaissance inside the organization, focusing on SharePoint, OneDrive, and internal documentation.

Targets include:

• Gift card issuance workflows
• VPN configuration guides
• Access credentials for Citrix or cloud systems
• Financial process documentation

Jingle Thief further leverages compromised accounts to send internal phishing emails, often disguised as IT service notifications or ticketing updates, exploiting the trust of corporate communication systems.

To maintain persistence, the group creates malicious inbox rules to forward emails, deletes sent messages, and even registers rogue authenticator apps to bypass multi-factor authentication (MFA). In some cases, attackers enroll their own devices in Entra ID, ensuring continued access even after password resets.

Unlike many threat actors that deploy custom malware, Jingle Thief relies heavily on identity misuse and cloud-native exploitation techniques. This stealthy approach allows them to blend in with legitimate activity and evade detection tools focused on endpoint-based threats.

The post “Jingle Thief” Cybercrime Group Targets Cloud Gift Card Systems in Retail Sector appeared first on First Hackers News.

Since late 2024, Silk Typhoon has been using stolen API keys and credentials from privilege access management (PAM), cloud app providers, and cloud data companies.

This lets them access customer environments of the compromised companies.

They’ve also gained access through password spray attacks and by finding leaked corporate passwords in public repositories.

Supply Chain Attacks and Credential Abuse

Silk Typhoon targets many industries worldwide, including IT services, healthcare, legal, education, defense, government, NGOs, and energy. Most of their attacks focus on the United States but also happen globally.

They are skilled at working with cloud environments, which helps them move between systems, stay hidden, and steal data quickly.

Since 2020, Silk Typhoon has used different web shells to run commands, stay in networks, and steal data.

Recently, Silk Typhoon used stolen API keys to access downstream customers, gather data, and run recon with admin accounts.

They also reset admin accounts, planted web shells, created new users, and cleared activity logs.

Microsoft notified affected customers to help secure their systems.

Recommended Actions:

• Review Entra Connect server logs for any suspicious activity.
• Check newly created applications to ensure they are legitimate.
• Monitor multi-tenant applications, especially for any unexpected changes.
• Investigate any Microsoft Graph or eDiscovery activity, especially involving SharePoint or email data access — these are common targets for Silk Typhoon.

Stronger Defenses:

• Make sure all public-facing devices are fully patched to prevent known exploits.
• Apply strict controls and monitoring on all important accounts, especially privileged accounts.
• Focus on credential hygiene, such as removing unused accounts, enforcing strong passwords, and applying least privilege access to limit damage if an account is compromised.
• Set up Conditional Access policies to enforce Zero Trust principles — requiring users to verify their identity before accessing critical systems.
• Enable risk-based sign-in protection, so suspicious logins (like from unusual locations or devices) trigger extra security checks.

The post Microsoft Warns Silk Typhoon Hackers Target IT Supply Chain via Cloud appeared first on First Hackers News.

Modern cloud environments and evolving security threats create major challenges for organizations. Security teams struggle to manage the high volume of events, making it harder to detect and respond to threats quickly.

The complexity is increased because many attacks unfold in multiple stages, making it critical for security solutions to identify these stages as part of a larger attack pattern. To address this, Amazon has upgraded GuardDuty with advanced AI and machine learning features.

These enhancements allow GuardDuty to detect not only known attack types but also new, previously unseen attack sequences. By recognizing related activities across time, security teams can quickly identify potential threats and prevent larger attacks before they can cause significant damage to systems and data.

GuardDuty’s enhanced threat detection uses advanced AI/ML models to identify complex attack sequences in AWS. These sequences may include actions like privilege discovery, API manipulation, and data exfiltration.

The update introduces a new high-severity finding level for more urgent threats and improves existing detections, making them easier to act on.

The system now offers composite detections that cover multiple data sources, timeframes, and resources in an account, giving a better view of complex cloud attacks and improving response efforts. GuardDuty’s enhanced capabilities work smoothly with existing security workflows.

Users can access these new AI/ML features through the Amazon GuardDuty console, where additional widgets appear on the Summary page.

The widgets show an overview of detected attack sequences and allow users to sort findings by severity for easier threat investigation.

Each finding includes a summary of the threat, linked to tactics from the MITRE ATT&CK® framework, and provides remediation recommendations based on AWS best practices. The enhanced detection is enabled by default, with no extra cost beyond the standard GuardDuty fees.

The new features integrate with Amazon GuardDuty workflows, including AWS Security Hub and third-party systems. It recommends activating S3 Protection to detect data risks with S3 buckets.

With AI/ML-driven detection, GuardDuty improves cloud security by providing deeper, actionable insights and automating the detection of complex threats, helping organizations strengthen their security.

The post Amazon GuardDuty Gains AI/ML Threat Detection for Cloud Security appeared first on First Hackers News.

It’s a modular set of tools that enables malicious actors to scan for poorly configured servers, potentially leading to the theft of cloud-based email service credentials and authentication secrets.

According to SentinelLabs research on AlienFox, this powerful toolkit aims to fix popular misconfigurations in widely used online hosting frameworks such as Drupal, Opencart, WordPress, Magento and Prestashop among many others. Targeted services also include Laravel and Joomla.

Here below, we have mentioned all the hosting frameworks that AlienFox targets:-

• Laravel
• Drupal
• Joomla
• Magento
• Opencart
• Prestashop
• WordPress

Identified versions of AlienFox

All the versions of AlienFox that the security analysts identify:-

• AlienFox V2
• AlienFox V3.x
• AlienFoxV4

AlienFox then uses data extraction scripts to explore misconfigured servers and locate sensitive configuration files, which are often used to store secrets such as API keys, account credentials, and authentication tokens.

Using security scanning platforms, malicious actors employ AlienFox to obtain inventories of poorly configured cloud endpoints from sources including:-

• LeakIX
• SecurityTrails

Secondly, AlienFox retrieves sensitive configuration files that generally store sensitive data from misconfigured servers using data-extraction scripts, including:-

• API keys
• Account credentials
• Authentication tokens

More specifically, the third version of the kit introduced better performance, now with initialization variables, Python classes with modular functions and process threading.

The latest version of AlienFox is v4, which has better code and script organization and extended targeting range.

Recommendation

• The administrators must ensure that the access control settings of their servers are set accordingly.
• Ensure that the file permissions on their server are set properly.
• Remove any unnecessary services that are running on your server.
• Make sure to enable multi-factor authentication.
• Ensure that any activity on your accounts that seems unusual or suspicious is closely monitored.

Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post New AlienFox toolkit steals credentials for 18 cloud services appeared first on First Hackers News.