#data_exfiltration - Public Fediverse posts
Live and recent posts from across the Fediverse tagged #data_exfiltration, aggregated by home.social.
-
Universitat de València Targeted by Nova Group: [data volume illegible in source] Data Exfiltration Claimed, Initial $500,000 Ransom Demand Revealed
News of the attack was initially reported by the online newspaper Escudo Digital in an article by journalist Alberto Payo, which included statements attributed to a member of the university's IT team. These details are now complemented by statements provided exclusively to SuspectFile.com directly by the Nova group, introducing additional information that had not previously emerged publicly, including an alleged initial ransom demand of $500,000.
#Data_Breach #Data_Exfiltration #Nova #Ransomoware #Universitat_de_València
-
AI
===================
Executive summary: Urban VPN Proxy, a Chrome extension with over 6 million users, was observed harvesting AI chat data across multiple platforms. The extension injects platform-specific executor scripts, overrides core browser network APIs, and forwards captured conversations to Urban VPN infrastructure.
Technical details:
• The extension deploys dedicated executor scripts (examples: chatgpt.js, claude.js, gemini.js) when targeted AI platform pages load.
• Injected code wraps and overrides fetch and XMLHttpRequest so all request and response payloads for the page flow through the extension first.
• Extracted fields include user prompts, model responses, conversation IDs, timestamps, session metadata, and the specific AI platform/model used.
• Inter-script messaging uses window.postMessage with an identifier PANELOS_MESSAGE to pass parsed data to the extension content script.
• The content script forwards packaged, compressed data to the background service worker, which transmits to endpoints such as analytics.urban-vpn.com and stats.urban-vpn.com.
Analysis:
• The approach is highly invasive: overriding fetch/XMLHttpRequest captures both outgoing prompts and incoming model outputs before rendering, exposing full conversation context.
• Harvesting is independent of VPN functionality and enabled by hardcoded flags with no user-visible opt-out, increasing exposure risk for users who installed the extension for privacy reasons.
Detection guidance:
• Monitor outbound connections to analytics.urban-vpn.com and stats.urban-vpn.com from browser processes.
• Inspect loaded extension scripts for executor filenames and for patterns overriding fetch/XMLHttpRequest and using window.postMessage with PANELOS_MESSAGE.
Limitations:
• Public reporting indicates the extension targeted ten AI platforms; specific historical timeline details were not fully enumerated in the source.
• No CVE identifiers or named threat actor attribution were provided in the disclosed findings.
References / Tags:
chatgpt.js, claude.js, PANELOS_MESSAGE, analytics.urban-vpn.com
ai #privacy #browser_extension #data_exfiltration
Source: https://www.koi.ai/blog/urban-vpn-browser-extension-ai-conversations-data-collection
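The detection guidance in the post above, as an added example that is not part of the original post and not code from the koi.ai report or from the Urban VPN extension: a Node.js script that applies the post's indicators (executor filenames, fetch/XMLHttpRequest overrides, window.postMessage traffic carrying PANELOS_MESSAGE) to extension script sources, plus a page-side check that fetch and XMLHttpRequest.prototype.open are still the browser's native implementations. The sample scripts, file paths and the page stand-ins are constructed fixtures; function names are assumptions.

```javascript
// Added example (defender tooling), not code from the koi.ai report or from
// the Urban VPN extension. Two checks built from the indicators the post names:
//  1. a static scan of extension script sources for fetch/XMLHttpRequest
//     overrides and window.postMessage calls mentioning PANELOS_MESSAGE;
//  2. a runtime check that a page's fetch and XMLHttpRequest are still native
//     (a wrapper written in JavaScript no longer stringifies to "[native code]").
// All fixtures below are constructed, not files from any real extension.

// Executor filenames reported in the post.
const EXECUTOR_NAMES = new Set(['chatgpt.js', 'claude.js', 'gemini.js']);

// Each indicator is a regex over script source text.
const INDICATORS = [
  // assignment to window.fetch / globalThis.fetch / self.fetch (not a comparison)
  { name: 'fetch-override', re: /\b(?:window|globalThis|self)\s*\.\s*fetch\s*=(?!=)/ },
  // assignment to XMLHttpRequest.prototype.open or .send
  { name: 'xhr-override', re: /XMLHttpRequest\.prototype\.(?:open|send)\s*=(?!=)/ },
  // postMessage call whose argument text carries the PANELOS_MESSAGE identifier
  { name: 'panelos-postmessage', re: /postMessage\s*\([^)]*PANELOS_MESSAGE/ },
];

// Scan [{ path, source }] records (for instance files read from an unpacked
// extension directory) and return one finding per script that matches.
function scanExtensionScripts(scripts) {
  const findings = [];
  for (const { path, source } of scripts) {
    const indicators = INDICATORS.filter((i) => i.re.test(source)).map((i) => i.name);
    if (EXECUTOR_NAMES.has(path.split('/').pop())) indicators.push('executor-filename');
    if (indicators.length > 0) findings.push({ path, indicators });
  }
  return findings;
}

// Heuristic: built-ins stringify to "[native code]"; wrappers defined in page
// or extension JavaScript expose their source text instead. Bound functions
// and Proxies also report native code, so treat a "true" as a weak signal.
// Meaningful in a browser; Node's own fetch is written in JavaScript, so do
// not run this against Node's globals.
function isNativeFunction(fn) {
  return typeof fn === 'function' && /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// Report whether a page's network APIs have been replaced. `win` is the page
// window, or any object with the same shape (as in the fixtures).
function checkPageNetworkApis(win) {
  const xhr = win.XMLHttpRequest;
  return {
    fetchNative: isNativeFunction(win.fetch),
    xhrOpenNative: typeof xhr === 'function' && isNativeFunction(xhr.prototype.open),
  };
}

// Constructed fixtures: one script carrying the indicators, one benign script.
const SAMPLE_SCRIPTS = [
  {
    path: 'unpacked-ext/executors/chatgpt.js',
    source: [
      'const orig = window.fetch;',
      'window.fetch = function (...args) { /* wrapper */ return orig.apply(this, args); };',
      "window.postMessage({ type: 'PANELOS_MESSAGE' }, '*');",
    ].join('\n'),
  },
  {
    path: 'unpacked-ext/popup.js',
    source: "document.querySelector('#connect').addEventListener('click', () => {});",
  },
];

console.log(JSON.stringify(scanExtensionScripts(SAMPLE_SCRIPTS), null, 2));
```

To use the static scan on a real unpacked extension, read each `.js` file under the extension directory into a `{ path, source }` record and pass the list to `scanExtensionScripts`; the runtime check is meant to be pasted into a page's devtools console with `checkPageNetworkApis(window)`.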
-
AI
Executive summary: New research from LayerX demonstrates a novel prompt-injection vector in Perplexity's Comet browser where a single crafted URL (no malicious page content required) can coerce the assistant to access stored user data (memory and connectors such as Gmail and Google Calendar), encode it, and exfiltrate it to an attacker-controlled endpoint.
Technical details: The vector leverages Comet's URL query parsing to supply an attacker prompt and parameters. A specially chosen collection value caused the assistant to consult memory instead of performing a web search. The prompt can instruct the assistant to summarize items it helped create, convert the summary to base64, and POST the result to an external URL. This bypasses prior page-text prompt-injection mitigations by elevating the input channel from page text to URL parameters and by using trivial encoding to evade content-exfiltration heuristics.
Impact analysis: Any data accessible via granted connectors (email bodies, calendar entries, contact metadata) can be harvested without credential theft or explicit user action beyond opening a link. This transforms a trusted AI browser feature into a high-risk attack surface for targeted information theft.
Detection guidance: Log and alert on outbound POST requests to uncommon domains originating from the browser process. Inspect URL query usage patterns for unusual collection parameters and monitor assistant invocation events that reference memory retrieval. Scan request bodies for high-entropy base64 payloads tied to user contexts.
Mitigations: Disable auto-execution of instructions derived from URL parameters; restrict or compartmentalize connector scopes (least privilege); add explicit user confirmation before memory reads or external network transmission; harden exfiltration detection by decoding and analyzing encoded payloads.
References: Research by LayerX; demonstration involves Gmail/Calendar connectors and base64+POST exfiltration.
Perplexity #Comet #promptinjection #data_exfiltration #AIBrowser
Source: https://layerxsecurity.com/blog/cometjacking-how-one-click-can-turn-perplexitys-comet-ai-browser-against-you/
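The detection guidance and the "decode and analyze encoded payloads" mitigation in the post above, as an added example that is not part of the original post and not code from LayerX or from Perplexity: a Node.js triage routine that examines outbound POST records to hosts outside an allowlist, extracts long base64 runs, and flags those that decode to readable text. The request records, the allowlist, the host names and the thresholds are constructed assumptions.

```javascript
// Added example (defender tooling), not code from the LayerX research or from
// Perplexity's Comet. Implements the detection step the post describes: find
// long base64 runs in outbound request bodies, decode them, and flag the ones
// that decode to readable text (an encoded summary of mail or calendar data)
// rather than to binary. Records, hosts and thresholds below are constructed.

// A base64 run of at least 40 characters with optional padding.
const BASE64_RUN = /[A-Za-z0-9+/]{40,}={0,2}/g;

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Fraction of decoded bytes that are printable ASCII or common whitespace.
function printableRatio(buf) {
  let printable = 0;
  for (const b of buf) {
    if ((b >= 0x20 && b <= 0x7e) || b === 0x0a || b === 0x0d || b === 0x09) printable++;
  }
  return buf.length === 0 ? 0 : printable / buf.length;
}

// Inspect one request body and return the suspicious encoded segments found.
// Low-entropy runs (repeated padding) and runs that decode to binary are skipped.
function findEncodedTextPayloads(body, { minEntropy = 4.0, minPrintable = 0.9 } = {}) {
  const hits = [];
  for (const m of body.match(BASE64_RUN) || []) {
    if (shannonEntropy(m) < minEntropy) continue;
    const decoded = Buffer.from(m, 'base64');
    if (printableRatio(decoded) < minPrintable) continue;
    hits.push({ encoded: m, decoded: decoded.toString('utf8') });
  }
  return hits;
}

// Apply to a list of outbound request records {method, url, body}. Only POSTs
// to hosts outside the allowlist are examined, matching the post's guidance
// to focus on uncommon destinations from the browser process.
function triageRequests(records, allowedHosts) {
  const alerts = [];
  for (const r of records) {
    if (r.method !== 'POST') continue;
    const host = new URL(r.url).hostname;
    if (allowedHosts.has(host)) continue;
    const payloads = findEncodedTextPayloads(r.body);
    if (payloads.length > 0) alerts.push({ url: r.url, payloads });
  }
  return alerts;
}

// Constructed sample: a benign POST to an allowlisted host, and a POST carrying
// a base64-encoded calendar/mail summary to an unknown host.
const SAMPLE_SUMMARY = 'Calendar: 2025-03-04 10:00 Board meeting with CFO; Gmail: 3 unread from legal@example.com';
const SAMPLE_RECORDS = [
  { method: 'POST', url: 'https://www.perplexity.ai/api/chat', body: '{"q":"what is the weather"}' },
  { method: 'POST', url: 'https://collector.invalid/upload', body: 'data=' + Buffer.from(SAMPLE_SUMMARY).toString('base64') },
];
const ALLOWED_HOSTS = new Set(['www.perplexity.ai']);

console.log(JSON.stringify(triageRequests(SAMPLE_RECORDS, ALLOWED_HOSTS), null, 2));
```

The entropy gate removes padding-like runs before decoding, and the printable-ratio gate separates encoded text from legitimately encoded binary (images, compressed blobs); both thresholds are starting points to tune against a proxy's real traffic, and the allowlist should be the browser's known first-party and connector hosts.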
-
Threat Intelligence
======================
Executive summary
This research describes how malicious Model Context Protocol (MCP) servers can be abused in supply-chain attacks to perform protocol-level tampering and data exfiltration. The article outlines a PoC for a malicious MCP server, server installation and host analysis, and discusses detection and mitigation approaches.
Technical details
• Target: MCP implementations and model-serving supply chains.
• Mechanism: interception or replacement of legitimate MCP endpoints with malicious servers that respond with manipulated model context or exfiltrate sensitive payloads.
• Reported artifacts: PoC server installation steps and a malicious engine running on host (no CVE identifiers were disclosed in the sources).
Analysis
Malicious MCP servers expand the attack surface at the protocol layer: attackers who can influence or replace MCP endpoints may inject crafted context, modify model prompts, or intercept model inputs/outputs to extract data. The risk is amplified in supply-chain scenarios where third-party model endpoints are accepted without strict validation.
Attack Chain Analysis
• Initial Access: Compromise or compromise-supply component that controls MCP endpoint registration or distribution (e.g., compromised package, CI/CD artifact, or DNS).
• Download/Delivery: Deployment of a malicious MCP server or reconfiguration of routing to point clients to attacker-controlled MCP.
• Execution: Malicious MCP server begins responding to model context requests, injecting or capturing payloads.
• Infection/Persistence: Optional host-side agent or service persists to continue intercepting MCP traffic.
• Exfiltration: Captured sensitive model inputs/outputs are transmitted to attacker-controlled exfiltration endpoints.
• Cleanup/Cover Tracks: Logs may be modified or rotated to hide traffic patterns.
Detection
• Monitor for outbound connections to unknown MCP endpoints and unusual TLS/SNI values.
• Inspect HTTP/2 or HTTP POST bodies used by MCP for anomalous fields or repetitive metadata that indicates exfiltration.
• Implement network IDS/IPS rules to flag persistent connections to newly seen MCP hosts and unusual request/response sizes.
• Correlate host process activity following MCP interactions (new services, unexpected file writes, child processes of model client processes).
Mitigation
• Enforce endpoint allowlisting and mutual TLS for MCP clients and servers.
• Validate and cryptographically sign MCP server metadata and distribute it through trusted channels.
• Harden CI/CD and supply-chain mechanisms that publish or register MCP endpoints.
• Apply egress filtering and DLP controls on model input/output flows.
References & notes
The article is a Securelist research post; it documents a PoC and analysis but does not list CVEs or named threat actors. The insights should be integrated into model-serving security reviews and supply-chain risk assessments.
MCP #supplychain #data_exfiltration #modelsecurity #MITRE_ATT&CK
Source: https://securelist.com/model-context-protocol-for-ai-integration-abused-in-supply-chain-attacks/117473/
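The endpoint allowlisting and TLS mitigations in the post above, as an added example that is not part of the original post and not code from Securelist or from any MCP client or server: a Node.js audit of an MCP client configuration that reports remote servers on non-allowlisted hosts or without TLS, and lists locally launched command servers for supply-chain review. The configuration shape (`mcpServers` entries with either `url` or `command`/`args`), the server names, hosts and allowlist are constructed assumptions, not a real client's schema.

```javascript
// Added example (defender tooling), not code from the Securelist post or from
// any MCP implementation. Audits an MCP client configuration against the
// post's mitigations: every remote server must use https and sit on an
// allowlisted host; servers launched as local commands are reported so the
// package they run can be reviewed as a supply-chain input. The configuration
// shape below is a constructed, hypothetical one, not a specific client's schema.

// Allowlist entries are exact hostnames or "*.suffix" wildcards. A wildcard
// matches subdomains only, never the bare suffix and never a longer name that
// merely contains the suffix.
function hostAllowed(hostname, allowlist) {
  return allowlist.some((entry) =>
    entry.startsWith('*.') ? hostname.endsWith(entry.slice(1)) : hostname === entry
  );
}

// Walk config.mcpServers and return findings: {name, severity, reason}.
function auditMcpConfig(config, allowlist) {
  const findings = [];
  for (const [name, server] of Object.entries(config.mcpServers || {})) {
    if (server.url) {
      let u;
      try {
        u = new URL(server.url);
      } catch {
        findings.push({ name, severity: 'high', reason: 'unparseable url' });
        continue;
      }
      if (u.protocol !== 'https:') {
        findings.push({ name, severity: 'high', reason: `non-TLS scheme ${u.protocol}` });
      }
      if (!hostAllowed(u.hostname, allowlist)) {
        findings.push({ name, severity: 'high', reason: `host ${u.hostname} not in allowlist` });
      }
    } else if (server.command) {
      // Local servers bypass network allowlisting entirely; surface them for review.
      const cmdline = [server.command, ...(server.args || [])].join(' ');
      findings.push({ name, severity: 'info', reason: `local command: ${cmdline}` });
    } else {
      findings.push({ name, severity: 'medium', reason: 'no url or command' });
    }
  }
  return findings;
}

// Constructed sample configuration (hypothetical shape) and allowlist.
const SAMPLE_CONFIG = {
  mcpServers: {
    docs: { url: 'https://mcp.example.com/sse' },
    analytics: { url: 'http://203.0.113.7:8080/mcp' },
    fs: { command: 'npx', args: ['-y', 'some-mcp-package'] },
  },
};
const ALLOWED_MCP_HOSTS = ['*.example.com'];

console.log(JSON.stringify(auditMcpConfig(SAMPLE_CONFIG, ALLOWED_MCP_HOSTS), null, 2));
```

In practice the audit runs over the parsed JSON of each developer's MCP client configuration as part of a periodic check, and the allowlist is the same list the egress filter enforces, so a server that passes the config audit is also the only kind the network will let through.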
-
Ransomware Attacks Focus on Data Exfiltration Over Encryption - https://www.redpacketsecurity.com/only-a-fifth-of-ransomware-attacks-now-encrypt-data/
-
Chemical Facilities Warned of Possible Data Exfiltration Following CISA Breach - https://www.redpacketsecurity.com/chemical-facilities-warned-of-possible-data-exfiltration-following-cisa-breach/
#threatintel #cybersecurity_breach #data_exfiltration #chemical_security
-
Russian Coldriver Hackers Deploy Malware to Target Western Officials - https://www.redpacketsecurity.com/russian-coldriver-hackers-deploy-malware-to-target-western-officials/
#threatintel #Coldriver_malware #Russian_threat_group #Data_exfiltration