#cloudsek
CloudSEK: Pioneering AI-Driven Cybersecurity Solutions
CloudSEK is a Bengaluru-based cybersecurity firm specializing in leveraging artificial intelligence (AI) to predict and prevent digital threats. Founded in 2015 by Rahul Sasi, the company has developed a suite of AI-powered tools designed to assist businesses in identifying, assessing, and mitigating cyber risks, including phishing attacks, data breaches, and supply chain vulnerabilities.
Innovative Products and Services
CloudSEK's flagship offerings include:
XVigil: An AI-driven threat intelligence platform that continuously monitors digital assets, providing real-time insights into potential threats and vulnerabilities.
BeVigil: A mobile application that alerts users about potential threats in their vicinity, enhancing personal security.
SVigil: A surveillance solution that uses AI to analyze video feeds, detecting anomalies and potential security breaches.
Recent Developments
In August 2024, CloudSEK reported a ransomware attack by the RansomEXX group, which disrupted India's banking system and affected approximately 300 small-sized lenders. The attack exploited a misconfigured Jenkins server, highlighting the critical need for robust cybersecurity measures in the financial sector.
Funding and Growth
CloudSEK has raised a total of $10 million over four funding rounds, with investors including QED Innovation Labs and Omidyar Network India. The company has expanded its workforce to approximately 183 employees as of 2024, reflecting its growth and commitment to enhancing cybersecurity across various industries.
Commitment to Cybersecurity
CloudSEK remains dedicated to advancing cybersecurity through AI-driven solutions, aiming to provide businesses with proactive tools to safeguard against evolving digital threats. Their focus on contextual AI enables organizations to monitor and manage their security posture in real-time, preventing costly breaches and losses.
Security Firms Say Evidence Seems to Confirm Oracle Cloud Hack
Source: https://www.securityweek.com/security-firms-say-evidence-seems-to-confirm-oracle-cloud-hack/
More info: https://www.cloudsek.com/blog/part-2-validating-the-breach-oracle-cloud-denied-cloudseks-follow-up-analysis
Exposing the Dark Web Scam: Fake Pegasus Spyware Code Sold for Millions

Cybercriminals are capitalizing on the infamous reputation of the Pegasus spyware, duping unsuspecting victims on the dark web. According to a recent investigation by the cybersecurity firm CloudSEK, threat actors are systematically leveraging the Pegasus name to perpetrate a widespread scam, offering randomly generated source codes falsely associated with the potent spyware for exorbitant prices, sometimes exceeding a million dollars.
Dissecting the Scam: Insights from Months of Research
CloudSEK's report sheds light on the intricate workings of this scam, which emerged shortly after Apple warned about a "mercenary spyware" attack targeting users across 92 countries. The cybersecurity firm's researchers delved deep into the dark web, analyzing approximately 25,000 posts on platforms like Telegram, many of which claimed to sell authentic Pegasus source code. Anuj Sharma, the lead investigator and security researcher at CloudSEK, underscored the detrimental impact of this scam, stating: "The misuse of Pegasus's name, logo, and identity by underground sources has led to significant misinformation about the tool, confusing both experts and the public about its true capabilities and origin. The deliberate misrepresentation complicates the attribution of cyberattacks, making it harder to determine the source and nature of the spyware being used."
Engaging with Potential Sellers: Uncovering Fake Samples and Inflated Prices
CloudSEK researchers went a step further, directly engaging with over 150 potential sellers claiming to offer Pegasus-related services. Through these interactions, they accessed purported Pegasus source code samples, live demonstrations, file structures, and snapshots. However, after analyzing 15 samples and over 30 indicators from various intelligence sources, the researchers concluded that nearly all samples were fraudulent and ineffective. The report also identified six instances of fake Pegasus HVNC (Hidden Virtual Network Computing) samples distributed on the dark web between May 2022 and January 2024. Moreover, the scam extended to code-sharing platforms on the surface web, where scammers disseminated their own randomly generated source codes, falsely associating them with the Pegasus spyware. In one particularly brazen case, a group named Deanon ClubV7 announced on April 5 that they had obtained legitimate access to Pegasus and were offering permanent access for a staggering fee of $1.5 million. The group claimed to be the first to secure access to Pegasus and boasted about selling four accesses within just two days, raking in a total of $6 million.
Combating the Scam: Employee Awareness and Strict Access Controls
To combat this widespread scam, CloudSEK emphasizes the importance of employee awareness and implementing strict access controls. Sharma recommends providing regular updates and alerts about the latest scam tactics involving Pegasus and similar high-profile names, as well as implementing network monitoring to identify unusual activity that might indicate employees accessing the dark web or IRC platforms. Strict access controls should be implemented to limit and monitor employees' ability to visit potentially dangerous sites or download unauthorized software, reducing the risk of falling victim to such scams.
An exploit that lets attackers keep accessing Google services even after the victim changes their password was published in October, and information-stealing malware that incorporates it is reportedly spreading rapidly (CloudSEK blog post, The Register article). The exploit works by tampering with a token to generate a persistent Google cookie, so access remains possible even after a password change. Malware families known to use the exploit include Lumma, Rhadamanthys, Stealc, Meduza, RisePro and WhiteSnake. According to CloudSEK's investigation, the exploit uses an undocumented Google OAuth endpoint called "MultiLogin". MultiLogin is an internal mechanism that synchronizes Google accounts across multiple Google services, and its purpose is described in the Chromium source code. A fundamental fix has to wait for a patch from Google, but CloudSEK describes provisional mitigations. If an account may have been compromised, or as a precaution, sign out of all browser profiles to invalidate the current session tokens, reset the password, and then sign in again to create new tokens. This step is said to be especially important if the tokens and GAIA ID are believed to have been stolen.
Exploit keeps compromising Google accounts even after a password change; malware implementing it is on the rise | スラド セキュリティ (Slashdot Japan Security)
Cybersecurity researchers are alerting to a new malware campaign that employs the ClickFix social engineering tactic to trick users into downloading an information stealer malware known as Atomic macOS Stealer (AMOS) on Apple macOS systems. The campaign, according to CloudSEK, has been found to leverage typosquat domains mimicking U.S.-based telecom provider Spectrum. "macOS users are served a malicious shell script designed to steal system passwords and download an AMOS variant for further exploitation," security researcher Koushik Pal said in a report published this week. "The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries." It's believed that the activity is the work of Russian-speaking cybercriminals owing to the presence of Russian language comments in the malware's source code. The starting point of the attack is a web page that impersonates Spectrum ("panel-spectrum[.]net" or "spectrum-ticket[.]net"). Visitors to the sites in question are served a message that instructs them to complete a hCaptcha verification check in order to "review the security" of their connection before proceeding further. However, when the user clicks the "I am human" checkbox for evaluation, they are displayed an error message stating "CAPTCHA verification failed," urging them to click a button to go ahead with an "Alternative Verification." Doing so causes a command to be copied to the users' clipboard and the victim is shown a set of instructions depending on their operating system. While they are guided to run a PowerShell command on Windows by opening the Windows Run dialog, it's substituted by a shell script that's executed by launching the Terminal app on macOS. The shell script, for its part, prompts users to enter their system password and downloads a next-stage payload, in this case, a known stealer called Atomic Stealer.
"Poorly implemented logic in the delivery sites, such as mismatched instructions across platforms, points to hastily assembled infrastructure," Pal said. "The delivery pages in question for this AMOS variant campaign contained inaccuracies in both its programming and front-end logic. For Linux user agents, a PowerShell command was copied. Furthermore, the instruction 'Press & hold the Windows Key + R' was displayed to both Windows and Mac users." The disclosure comes amid a surge in campaigns using the ClickFix tactic to deliver a wide range of malware families over the past year. "Actors carrying out these targeted attacks typically utilize similar techniques, tools, and procedures (TTPs) to gain initial access," Darktrace said. "These include spear phishing attacks, drive-by compromises, or exploiting trust in familiar online platforms, such as GitHub, to deliver malicious payloads." The links distributed using these vectors typically redirect the end user to a malicious URL that displays a fake CAPTCHA verification check in an attempt to deceive users into thinking that they are carrying out something innocuous, when, in reality, they are guided to execute malicious commands to fix a non-existent issue. The end result of this effective social engineering method is that users end up compromising their own systems, enabling threat actors to bypass security controls. The cybersecurity company said it identified multiple ClickFix attacks across customer environments in Europe, the Middle East, and Africa (EMEA), and in the United States. And these campaigns are gaining steam, adopting several variations but operating with the same end goal of delivering malicious payloads, ranging from trojans to stealers to ransomware. Earlier this week, Cofense outlined an email phishing campaign that spoofs Booking.com, targeting hotel chains and the food services sector with fake CAPTCHAs that lead to XWorm RAT, PureLogs Stealer, and DanaBot. 
The fact that ClickFix is flexible and easy to adapt makes it an attractive malware distribution mechanism. "While the exact email structure varies from sample to sample, these campaigns generally provide Booking[.]com-spoofing emails with embedded links to a ClickFix fake CAPTCHA site which is used to deliver a malicious script that runs RATs and/or information stealers," Cofense said. The email security firm said it has also observed ClickFix samples mimicking cookie consent banners, wherein clicking on the "Accept" button causes a malicious script file to be downloaded. The user is subsequently prompted to run the script to accept cookies. In one April 2025 incident analyzed by Darktrace, unknown threat actors were found to utilize ClickFix as an attack vector to download nondescript payloads to burrow deeper into the target environment, conduct lateral movement, send system-related information to an external server via an HTTP POST request, and ultimately exfiltrate data. "ClickFix baiting is a widely used tactic in which threat actors exploit human error to bypass security defenses," Darktrace said. "By tricking endpoint users into performing seemingly harmless, everyday actions, attackers gain initial access to systems where they can access and exfiltrate sensitive data." Other ClickFix attacks have employed phony versions of other popular CAPTCHA services like Google reCAPTCHA and Cloudflare Turnstile for malware delivery under the guise of routine security checks. These fake pages are "pixel-perfect copies" of their legitimate counterparts, sometimes even injected into real-but-hacked websites to trick unsuspecting users. Stealers such as Lumma and StealC, as well as full-fledged remote access trojans (RATs) like NetSupport RAT are some of the payloads distributed via bogus Turnstile pages. 
"Modern internet users are inundated with spam checks, CAPTCHAs, and security prompts on websites, and they've been conditioned to click through these as quickly as possible," SlashNext's Daniel Kelley said. "Attackers exploit this 'verification fatigue,' knowing that many users will comply with whatever steps are presented if it looks routine."
CloudSEK raises funds to scale its AI-powered predictive cybersecurity platform
CloudSEK raises funds to scale its AI-powered predictive cybersecurity platform https://learnmaart.com/cloudsek-recauda-fondos-para-escalar-la-plataforma-de-seguridad-cibernetica-predictiva-de-ia/
Dream Job or Scam? Key Red Flags to Watch
Dream jobs can quickly become nightmares—and not because of workplace stress. Increasingly, job seekers across India are falling prey to sophisticated scams masked as genuine employment opportunities. In this special edition of The Safe Side, we uncover how these cons work, the warning signs, and steps to protect yourself.
Victims Share Their Ordeals
For Manjunath S., a content manager from Bengaluru, a job offer through a reputed portal turned disastrous. After rounds of interviews, he resigned from his secure role to join a new company—only to find out on joining day that the job didn’t exist. Emails were ignored, calls went unanswered, and with no fallback, he was left unemployed.
In another case, a young businessman was promised easy money for basic online tasks. As trust grew, so did the financial demands. He transferred nearly ₹58 lakh before realizing it was a well-planned scam.
A Rising Threat
Job fraud cases rose sharply in 2023—by over 80% according to experts—targeting individuals through emails, messages, and social media with the lure of high-paying roles. Scammers are taking advantage of widespread unemployment and economic pressure to exploit job seekers.
Common Job Scams
Experts from the Future Crime Research Foundation, CloudSEK, and IDfy outline some of the most common job-related frauds today:
Fee-First Traps: Applicants are asked to pay for training, registration, or verification—then ghosted.
Overseas Job Scams: Fake firms promise jobs abroad in return for visa or documentation charges.
Ghost Job Listings: Ads posted only to gather personal data or test market interest.
Ponzi-Style Tasks: Victims are baited with microtasks before being duped into bigger payments.
Fake Employers: Scammers issue fake offer letters, contracts, or experience certificates for a price.
Work-from-Home Cons: Roles that ask for upfront money for tools or access.
Bogus Consultancies: Phony recruiters charge for interviews or devices.
Social Media Listings: Job offers that appear on Telegram, Instagram, or WhatsApp without verification.
Ghost Jobs: A Dangerous Illusion
“Ghost jobs don’t actually exist,” explained CloudSEK’s Vikas Kundu. “Some companies post them to collect resumes or gauge demand.” Future Crime’s Harshvardhan Singh added that scammers use these listings to extract personal data and small fees from hopeful candidates. “It’s emotionally draining and often leaves victims devastated,” he said.
Red Flags You Shouldn’t Ignore
Generic job offers via WhatsApp or Telegram.
Requests for money for training, paperwork, or equipment.
Poor grammar or strange email addresses.
Pressure to act quickly or accept without interviews.
High salaries with little to no role details.
No online footprint or unclear contact details.
Some scams are so polished that they include video interviews, cloned LinkedIn profiles, and fake websites. In one major case, scammers posed as Indigo Airlines recruiters, collecting ₹75,000 from each victim.
How to Stay Safe
LinkedIn India’s legal head Aditi Jha advises users to verify job posters and company pages. “Look for verification badges and check company credibility before applying,” she said.
Experts suggest:
Avoid paying for job opportunities.
Check official company websites for matching job listings.
Don’t share sensitive information unless you're sure of the recruiter.
Report suspicious activities to authorities.
What To Do If Scammed
Stop communicating with the scammer.
Save all relevant evidence (messages, receipts, emails).
File a complaint at cybercrime.gov.in or dial 1930.
Lodge an FIR at your nearest police station.
Inform your bank to freeze accounts or recover funds.
Spreading Awareness
Cybersecurity professionals urge educational institutions and public offices to conduct awareness drives. Being informed is your first line of defense.
Final Word
In a digital age where fraudsters are only getting smarter, every job seeker must stay alert. Whether you're hunting your first job or looking for a better one, approach every offer with a healthy dose of skepticism. A little caution can save you from a major loss.
Cybercrimes Could Cost India Rs. 20,000 Crore Due to Brand Abuse and Fake Domains in 2025: CloudSEK | Daily Reports Online
India could potentially suffer financial losses reaching roughly Rs. 20,000 crore due to cybercrimes in 2025, as per a recent report by a cybersecurity firm. The report predicted that brand abuse, phishing scams, and fake domains would be the leading methods to conduct cybercrimes in the ongoing year. Despite the rise of technologies such as artificial intelligence (AI), the report claims…
Vietnamese hackers fuelling WhatsApp e-challan scam in India: Report
A highly technical Android malware campaign by Vietnamese hackers is targeting Indian users through fake traffic e-challan messages on WhatsApp, according to a report on Wednesday. Researchers from CloudSEK, a cybersecurity firm, identified the malware as part of the Wromba family. It has infected more than 4,400 devices and led to fraudulent transactions exceeding Rs. 16 lakh by just one scam…
Oracle is caught up in a cybersecurity mess right now, with claims about a massive data breach affecting its cloud infrastructure. Last week, Hackread.com published an article based on the findings of cybersecurity firm CloudSEK revealing that a threat actor had stolen 6 million records from Oracle Cloud. The hacker, identified as "rose87168", claimed to have compromised a key Single Sign-On (SSO) endpoint, resulting in the exfiltration of sensitive data including SSO and LDAP credentials, OAuth2 keys, and customer tenant information. Oracle’s Firm Denial Shortly after the story broke, Oracle issued a categorical denial, making a strong statement that “There has been no breach of Oracle Cloud.” The company maintained that the credentials published by the threat actor were not associated with Oracle Cloud and emphasized that no Oracle Cloud customers were affected. This statement directly contradicted the findings of CloudSEK, which had alerted the public and Oracle via formal reports. CloudSEK’s Follow-Up Investigation However, CloudSEK has doubled down on Oracle’s claims with a new follow-up analysis, presenting what it calls “conclusive evidence” of the breach. In a blog post, which the company shared with Hackread.com ahead of its publishing over the weekend, CloudSEK outlined how their researchers detected the threat actor’s activities on March 21, 2025. According to the cybersecurity firm, they traced the attack to a compromised production SSO endpoint (login.us2.oraclecloud.com), which the hacker exploited to steal records from more than 140,000 tenants. CloudSEK also found evidence that the threat actor had actively used the compromised domain to authenticate API requests via OAuth2 tokens, as seen in an archived public GitHub repository under Oracle’s official "oracle-quickstart" account. The endpoint was proven to be in use for production purposes, contradicting Oracle’s assertion that the credentials were unrelated to their infrastructure.
New Evidence: Real Customer Data Confirmed One of the most noteworthy pieces of evidence involves real customer domain names that the hacker provided as samples. CloudSEK verified the domains against publicly available data and found that they were, in fact, valid Oracle Cloud customers. Some of the domain names identified include: These domains were present in GitHub repositories and Oracle partner documentation, and CloudSEK confirmed they were not mere dummy or canary accounts. Additionally, the compromised endpoint, login.us2.oraclecloud.com, was validated as an active production SSO setup, used in real-world configurations by OneLogin and Rainfocus. The screenshot shared by CloudSEK shows “login.us2.oraclecloud.com” was a production SSO setup The Impact and Concerns The impact of this breach, if proven, could be serious. The exposure of 6 million records, including encrypted SSO and LDAP passwords risks unauthorized access, espionage, and data breaches across affected systems. Additionally, the inclusion of JKS files and OAuth2 keys means attackers might gain long-term control over affected services. CloudSEK warns that the compromised credentials could potentially be cracked and reused in a way that poses further risks to enterprise environments. The hacker is also reportedly demanding ransom payments from affected firms to delete the stolen data, amplifying both financial and reputational threats. CloudSEK’s Stance: Evidence over Speculation In response to Oracle’s denial, Rahul Sasi, CEO of CloudSEK, stated that the company is focused on providing transparency and evidence rather than speculation. CloudSEK has been sharing its findings through public reports and free tools to help organizations assess whether they are affected. Additionally, Rahul recommends companies change their SSO and LDAP credentials right away and set up multi-factor authentication (MFA) to add extra protection. 
It’s also important to take a closer look at logs to spot any unusual activity related to the compromised endpoint. Keeping an eye on dark web forums for any signs of leaked data is a good move too. On top of that, it’s a good idea to get in touch with Oracle Security to figure out any weak spots and fix them. Questions Are Pouring In Already Cybersecurity experts are already questioning Oracle’s quick denial. Chad Cragle, CISO at Deepwatch, a San Francisco, Calif.-based AI+Human Cyber Resilience Platform, stressed that Oracle needs to address the questions raised by CloudSEK to maintain its credibility. “CloudSEK raises a critical point. If there was no breach, how did a threat actor allegedly upload a file to the Oracle Cloud subdomain?” argued Chad. “This indicates unauthorized access, even if it wasn’t a full-scale compromise.” “Dismissing the incident without addressing this key detail raises more questions than answers. If Oracle wants to maintain credibility, the company must clarify how the file ended up there, whether any security gaps were exploited, and why the subdomain was taken down,” he added. Heath Renfrow, CISO and Co-founder at Fenix24, a Chattanooga, Tennessee-based cyber disaster recovery firm, expressed concerns about Oracle’s stance on the breach and the threat actor’s ability to upload files within critical infrastructure. “Regardless of Oracle’s position, the presence of a threat actor-uploaded file in the webroot of what appears to be an Oracle Cloud Infrastructure (OCI) login subdomain is deeply concerning,” said Heath. “This detail, coupled with the public availability of sensitive data on forums, raises valid questions about the scope of compromise and whether customers with federated login configurations could be at risk.” Hackread.com has reached out to Oracle. Stay tuned for updates!
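The post above recommends reviewing logs for unusual activity involving the compromised SSO endpoint. The following is an added example of how a defender might triage outbound proxy logs for that; it is not code from the article, CloudSEK or Oracle. It assumes Apache/NGINX-style combined log lines with absolute URLs (as a forward proxy writes them). Only the hostname login.us2.oraclecloud.com comes from the article; the OAuth2 path names, the scripted user-agent list and the sample log lines are constructed placeholders for illustration.

```python
"""Triage proxy logs for activity touching a compromised SSO endpoint.

Added example, not CloudSEK's or Oracle's code. The hostname comes from the
article; everything else (paths, user agents, sample lines) is assumed or
constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Endpoint named in the article.
COMPROMISED_HOST = "login.us2.oraclecloud.com"
# Assumed OAuth2 paths (placeholder values, not verified against Oracle docs).
TOKEN_PATHS = ("/oauth2/v1/token", "/oauth2/v1/authorize")
# User agents that suggest scripted rather than interactive browser use.
SCRIPTED_AGENTS = ("curl/", "python-requests", "go-http-client", "wget/")

# Combined log format: ip ident user [ts] "METHOD URL PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [21/Mar/2025:03:14:07 +0000] "POST https://login.us2.oraclecloud.com/oauth2/v1/token HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
    '203.0.113.10 - - [21/Mar/2025:03:14:09 +0000] "POST https://login.us2.oraclecloud.com/oauth2/v1/token HTTP/1.1" 200 498 "-" "python-requests/2.31.0"',
    '203.0.113.10 - - [21/Mar/2025:03:14:12 +0000] "GET https://login.us2.oraclecloud.com/admin/v1/Users HTTP/1.1" 200 40960 "-" "python-requests/2.31.0"',
    '198.51.100.7 - - [21/Mar/2025:09:02:41 +0000] "GET https://login.us2.oraclecloud.com/ui/v1/signin HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"',
    '198.51.100.7 - - [21/Mar/2025:09:03:10 +0000] "GET https://www.example.com/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"',
    '192.0.2.44 - - [21/Mar/2025:11:45:00 +0000] "POST https://login.us2.oraclecloud.com/oauth2/v1/token HTTP/1.1" 401 128 "-" "curl/8.4.0"',
    'this line is not in combined log format',
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower()
    rec["path"] = parts.path
    rec["status"] = int(rec["status"])
    return rec


def triage(lines, threshold=3):
    """Flag requests to the compromised host that look like token abuse or scripting.

    Returns the individual findings, clients with at least `threshold` hits on
    the host, and the total number of requests that touched the host at all.
    """
    per_ip = defaultdict(list)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] != COMPROMISED_HOST:
            continue  # unparseable line or unrelated host
        per_ip[rec["ip"]].append(rec)
        reasons = []
        if rec["path"].startswith(TOKEN_PATHS) and rec["status"] == 200:
            reasons.append("successful token endpoint call")
        if rec["ua"].lower().startswith(SCRIPTED_AGENTS):
            reasons.append("scripted user agent")
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "path": rec["path"], "reasons": reasons})
    noisy = {ip: len(recs) for ip, recs in per_ip.items() if len(recs) >= threshold}
    touched = sum(len(recs) for recs in per_ip.values())
    return {"findings": findings, "noisy_clients": noisy, "touched_endpoint": touched}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['touched_endpoint']} requests touched {COMPROMISED_HOST}")
    for f in result["findings"]:
        print(f"{f['ts']} {f['ip']} {f['path']}: {', '.join(f['reasons'])}")
    print("high-volume clients:", result["noisy_clients"])
```

Every hit on the host is worth a look regardless of whether it is flagged, which is why the function also reports the total; the flags only prioritise successful token calls and non-browser clients, since those are the patterns the post associates with the stolen OAuth2 material. In a real environment the same logic would be run over the proxy, IdP and application logs covering the window the article gives (around 21 March 2025), and any flagged client would be correlated with the credential rotation and MFA enforcement the post already recommends.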
Cloudsek is providing Internship
Hey graduates, Cloudsek is providing Internship.
Go and apply!!!
Link in BIO
Comment "hire" if interested
According to an analysis by the well-known security firm CloudSEK, a dangerous piece of malware is exploiting third-party cookies to gain unauthorized access to people's private data, revealing a rather sophisticated method of getting around online defenses. The discovery of this exploit emerged in October 2023, when a hacker disclosed its details on a Telegram channel dedicated to cybersecurity discussions. The post revealed a vulnerability tied to cookies, the elements websites and browsers use to track and optimize the user experience. Particularly worrying is the fact that this malware manages to recover Google authentication cookies, allowing hackers to bypass even two-factor authentication. This means that, once an account has been compromised, attackers can maintain continuous access to Google services, even after the user has changed their password.
From the article "Ti possono rubare l'account Google senza sapere la password" ("They can steal your Google account without knowing the password") by Andrea Riviera