Dashcams have become essential devices for drivers worldwide, serving as reliable witnesses in case of accidents or roadside disputes.

However, a team of Singaporean cybersecurity researchers has uncovered a disturbing reality: these seemingly harmless devices can be hijacked within seconds and turned into powerful surveillance tools.

The findings, presented at the Security Analyst Summit 2025, reveal how attackers can bypass authentication mechanisms to access high-resolution video footage, audio recordings, and precise GPS data stored on these devices.

The research examined two dozen dashcam models from approximately 15 different brands, starting with the popular Thinkware dashcam.

Most dashcams, even those without cellular connectivity, feature built-in Wi-Fi that allows smartphone pairing through mobile apps.

This connectivity creates a significant attack surface that malicious actors can exploit to download stored data remotely.

Kaspersky security researchers identified that many dashcam models use hardcoded default passwords and similar hardware architectures, making them vulnerable to mass exploitation.

Once connected, attackers gain access to an ARM processor running a lightweight Linux build, opening doors to various proven exploitation techniques commonly seen in IoT device attacks.

Authentication Bypass Techniques

The researchers discovered several methods attackers use to bypass manufacturer authentication. Direct file access allows hackers to request video downloads without password verification, as the web server only checks credentials at the main entry point.

MAC address spoofing enables attackers to intercept and replicate the owner’s smartphone identifier, while replay attacks involve recording legitimate Wi-Fi exchanges for later exploitation.

Perhaps most concerning is the worm-like propagation capability the researchers developed.

They wrote code that operates directly on infected dashcams, allowing compromised devices to automatically attack nearby dashcams while vehicles travel at similar speeds in traffic.

A single malicious payload designed to attempt multiple passwords and attack methods could successfully compromise roughly a quarter of all dashcams in an urban environment.

The harvested data enables complete movement tracking, conversation monitoring, and passenger identification.

Using GPS metadata extraction, text recognition from road signs, and OpenAI models for audio transcription, attackers can generate detailed trip summaries, effectively de-anonymizing victims through analyzed behavioral patterns.

Drivers should disable Wi-Fi when not in use, change default passwords, and regularly update firmware to mitigate these risks.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers can Hijack Your Dash Cams in Seconds and Weaponize it for Future Attacks appeared first on Cyber Security News.

Insider threats remain one of the most challenging security problems that organizations face today. These threats typically do not show obvious warning signs at first.

Instead, they reveal themselves through small, unusual activities that often blend into normal daily operations.

Many companies struggle to identify these early indicators because they occur within legitimate user accounts and approved systems.

Without proper monitoring and analysis, these warning signs go unnoticed until serious damage has already occurred, including data loss, brand damage, or system disruption.

The core challenge in detecting insider threats stems from a fundamental attribution problem. When an employee accesses company systems or moves data between authorized locations, their actions appear completely normal.

Traditional security tools focus on blocking obvious threats but frequently miss the subtle behavioral patterns that suggest malicious intent.

This gap becomes even larger when organizations fail to connect what happens inside their network with activities occurring outside, such as employees communicating on dark web forums or selling company secrets to competitors.

Nisos security analysts noted that meaningful insider threat indicators often emerge weeks or even months before any actual data theft or system compromise occurs.

These indicators become clearer when organizations examine multiple data sources together, combining internal activity logs with external intelligence gathered from public sources.

Warning signs

The research identifies six critical warning signs that security teams must understand and monitor carefully.

Here they are mentioned below:-

• Unusual Authentication and Access Behavior
• Data Movement Outside Established Norms
• Shifts in Digital Behavior That Indicate Interest in Sensitive Assets
• Indicators That Suggest Data Exfiltration Planning
• External Activity That Aligns With Internal Anomalies
• Attempts to Conceal Activity

The most revealing early indicator appears in unusual authentication and access behavior. Nisos researchers identified that employees planning to steal data frequently attempt to access company systems from unexpected locations, log in rapidly across multiple platforms, or change their normal access timing patterns.

One user might suddenly log in from three different countries within a few hours, or access files at unusual times outside their typical work schedule.

While a single strange login might reflect normal business travel, repeated patterns of this behavior signal that deeper investigation is necessary.

These actions often precede larger data collection activities because insiders need to test whether they can move through systems without triggering automatic alerts.

Understanding these authentication anomalies requires context and correlation with other activities. Organizations that focus exclusively on these individual incidents often miss the broader pattern.

When companies combine unusual access patterns with information about employees discussing their company online or appearing in breach databases, a much clearer picture emerges.

This integrated approach transforms isolated events into meaningful threat indicators that security teams can act upon before damage occurs.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Nisos Details Earlier Signs of Insider Detection via Authentication and Access Controls appeared first on Cyber Security News.

Ukraine-linked hackers are stepping up cyberattacks against Russian aerospace and wider defence-related companies, using new custom malware to steal designs, schedules, and internal emails.

The campaign targets both prime contractors and smaller suppliers, aiming to map production chains and expose weak points in Russia’s war industry. The tools used in this campaign are simple, but they are used with care and good planning.

The malware first appeared in late 2024 in spear-phishing waves sent to engineers and project managers working on avionics, guidance systems, and satellite links.

Lures used fake job offers, conference invites, and contract updates, with attached documents that exploited outdated office software on Windows hosts. Once opened, the file quietly dropped a small loader that set the stage for the main payload.

Intrinsec security analysts identified the malware after seeing repeated outbound traffic from a defence integrator’s remote office to rare command servers hosted on bulletproof infrastructure.

Their complete technical breakdown shows that the attackers carefully tuned each payload to the victim’s role, adding custom modules for email scraping, document theft, and credential capture.

The operation hits research labs, testing ranges, and logistics firms that support aircraft, drones, and missile systems. Stolen data can reveal parts shortages, delivery delays, and software bugs, giving Ukrainian planners a clearer view of Russian combat readiness.

Infection chain and command execution

The infection chain is simple but smart. The first loader, often a small DLL, runs in memory only and pulls a second-stage script from a hard-coded URL.

That script injects the final payload into a trusted process such as explorer.exe, which helps it blend with normal user activity.

Intrinsec researchers noted that the payload uses a compact command loop to stay flexible. A typical routine, as seen in memory dumps, looks like this:-

while (connected) {
  cmd = recv();
  if (cmd == "exfil") run_exfil();
  if (cmd == "shell") open_shell();
}

This simple logic lets the operator switch between silent data theft and hands-on keyboard control. Each stage is built to keep noise low on the host.

Despite its clear design, the malware avoids noisy persistence tricks, instead relying on scheduled tasks and hijacked update tools to return after reboots while staying hard to spot.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Ukraine Hackers Attacking Russian Aerospace Companies and Other Defence-Related Sectors appeared first on Cyber Security News.

Hackers are turning to Evilginx, a powerful adversary-in-the-middle tool, to get around multi-factor authentication and take over cloud accounts.

The framework acts as a reverse proxy between the victim and real single sign-on pages, so the login screen looks and behaves just like the real thing.

To the user, the fake site feels normal, with valid TLS and familiar branding. Attackers start with targeted phishing emails that push victims to carefully crafted fake SSO portals.

These pages copy the layout, scripts, and flows of common identity platforms, including enterprise SSO gateways. Once the user enters credentials and completes MFA, Evilginx quietly captures session cookies and tokens while still passing traffic to the real provider.

This shows the staged relay from the victim to the identity provider. Infoblox security analysts identified recent campaigns where Evilginx was used to mimic legitimate corporate SSO sites and steal tokens for email and collaboration platforms.

They noted that the stolen cookies allow attackers to replay sessions without ever needing passwords or MFA codes again. This shifts the risk from classic credential theft to full session hijack.

The impact is serious for both companies and users. With an active session token, attackers can read mail, reset passwords on linked apps, deploy new MFA methods, and plant backdoor access.

Attack analysis

This can lead to business email compromise, data theft, and long-term stealth access that is hard to trace back to the first phishing click. In contrast, the attack flow shows how stolen cookies unlock downstream services.

One key focus in the complete technical breakdown is how Evilginx evades detection during this process.

The framework forwards all content from the real SSO site, including scripts, styles, and dynamic prompts, which makes traditional visual checks almost useless.

It also uses real certificates on lookalike domains, so browser padlocks still appear green and reassuring.

Under the hood, Evilginx proxies and rewrites headers to keep the session alive while stripping out sensitive cookies for theft.

A simple, high-level phishlet can look like:-

server_name login.example.com;
proxy_pass https://login.real-sso.com;
proxy_set_header Host login.real-sso.com;

By logging cookies at the proxy layer, attackers grab session data before it is protected by the user’s device or corporate tools.

This shows how headers and cookies flow through the proxy, highlighting the points where tokens are intercepted.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Leverage Evilginx to Undermine MFA Security Mimicking Legitimate SSO Sites appeared first on Cyber Security News.

Cybercriminals targeting Brazilian users have aggressively escalated their tactics, launching a highly sophisticated campaign dubbed “Water Saci.”

This new wave of attacks weaponizes WhatsApp Web, a platform implicitly trusted by millions, to deliver banking trojans and steal sensitive financial data.

By compromising user accounts, the attackers send convincing messages to trusted contacts, creating a rapid, self-propagating infection loop that leverages social engineering to bypass traditional security defenses effectively, impacting countless unsuspecting individuals.

The infection chain typically begins when users receive messages containing malicious attachments, such as ZIP archives, PDF lures disguised as Adobe updates, or direct HTA files following specific naming patterns like A-{random}.hta.

Once a victim opens these files, they execute a complex multi-stage attack sequence involving Visual Basic scripts and MSI installers.

This process stealthily downloads a banking trojan while simultaneously deploying automation scripts designed to hijack the victim’s WhatsApp session for further propagation, ensuring maximum reach.

Trend Micro security analysts identified that this campaign marks a significant shift in malware development, utilizing artificial intelligence to accelerate its capabilities.

The attackers appear to have used Large Language Models (LLMs) to translate and optimize their propagation code, transitioning from PowerShell to a more robust Python-based infrastructure.

Strategic shift

This strategic shift significantly enhances their ability to spread malware across different browsers, including Chrome, Edge, and Firefox, making detection increasingly difficult for standard security protocols and leaving users vulnerable.

A critical component of this technical evolution is the whatsz.py script, which replaces earlier PowerShell variants.

Analysis reveals compelling evidence of AI-assisted coding, such as script headers explicitly stating “Versao Python Convertido de PowerShell”, and comments like “version optimized with errors handling.”

This script relies on component files like chromedriver.exe to automate the infection process, using Selenium to inject the WA-JS library, extract contact lists, and send malicious files in bulk to unsuspecting victims.

The Python code exhibits a sophisticated object-oriented structure with advanced error handling, features typically absent in quick manual ports.

For instance, the main automation class defines clear formatting for various statuses, ensuring reliable execution.

Additionally, the console output includes colorful emojis, a trait rarely seen in standard malware but common in AI-generated codebases.

This advanced automation allows the malware to operate autonomously, pausing and resuming tasks to blend in with normal network traffic while reporting progress to a command-and-control server, ultimately ensuring persistent access.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Water Saci Hackers Leveraging AI Tools to Attack WhatsApp Web Users appeared first on Cyber Security News.