Experts summarized the effects of the deficit as follows:

• Attackers can obtain SIP credentials and local device account data.

• It can reconfigure the device's SIP settings and route calls through a malicious SIP proxy.

• The phone continues to ring normally, users do not notice any abnormalities, but all conversations pass through the attacker-controlled infrastructure.

The target audience of the vulnerability includes small and medium-sized businesses, law firms, sales teams and finance departments.

Grandstream responsibly reported the vulnerability in January.

Kaynak: Beykozun Sesi

“Internal Identity Information Could Be Exposed”
Araştırmacı, YouTube üzerindeki belirli işlemler sırasında Internal identifiers known as "Gaia ID" belonging to Google accounts can be obtained. belirtti. Raporda, bu kimliklerin tek başına doğrudan hassas veri içermediği ancak farklı servislerle birleştirildiğinde risk oluşturabileceği vurgulandı.

Chain Effect Between Different Services
Çalışmada, Google’ın farklı ürünleri arasında yer alan veri paylaşım mekanizmalarının, belirli senaryolarda Can lead to unexpected data matches ifade edildi. Araştırmacı, “Farklı sistemlerin birlikte değerlendirilmesi, tek başına kritik görünmeyen açıkların birleşerek daha büyük bir riske dönüşmesine neden olabilir.” değerlendirmesinde bulundu.

Responsible Notification Process Operated
Araştırmanın 2024 yılı Eylül ayında Google’a iletildiği, şirketin kısa sürede durumu incelemeye aldığı aktarıldı. Güvenlik paneli tarafından yapılan değerlendirmede açığın Highly effective but requires a certain technical complexity ifade edildi.

Google yetkililerinin, bildirimin ardından ilgili sistemlerde güncellemeler yaptığı ve The identified vulnerabilities were closed bildirildi. Sürecin tamamlanmasının ardından rapor, 2025 yılı Şubat ayında kamuoyuyla paylaşıldı.

Award and Evaluation Process
Güvenlik açığını bildiren araştırmacıya, Google’ın hata ödül programı kapsamında toplamda Prizes worth more than 10 thousand dollars were given açıklandı. Panel değerlendirmesinde, açığın “yüksek etki” kategorisinde olduğu ancak belirli bir saldırı zinciri gerektirdiği için derecelendirmede bir kademe düşürüldüğü kaydedildi.

Warning from Experts
Siber güvenlik uzmanları, bu tür olayların Even on major technology platforms, interactions between systems must be carefully audited. ortaya koyduğunu belirtti. Uzmanlar, kullanıcıların da hesap güvenliği için iki faktörlü doğrulama gibi önlemleri aktif kullanmasının önemine dikkat çekti.

Kaynak: Beykozun Sesi

The relevant provision of the law states: "In case the processed personal data is obtained by others through illegal means, the data controller shall notify the relevant person and the Board of this situation as soon as possible."

Local SQL Database Encrypted

In the notification submitted to the Board by the company, it was stated that the violation started on 22.01.2026 and was detected on 23.01.2026.

In the statement, "The local SQL database, which contains the data controller's payroll software and information systems where online food orders are managed, has been encrypted and access prevented by an external intervention."

Employees and Customers Affected

The group of contacts affected by the breach was reported to be employees and customers.

It was stated that the identity, contact and personnel data of the employees were also within the scope of the violation.

It was shared that a total of 163 thousand people, including 13 thousand employees and 150 thousand customers of the company, were affected by the breach.

Announcement Decision on the Website from the Board

It was announced that with the Decision of the Personal Data Protection Board dated 27.01.2026 and numbered 2026/141, it was decided to announce the data breach notification on the Authority's website.

Kaynak: Beykozun Sesi

The relevant provision of the law states: "In case the processed personal data is obtained by others through illegal means, the data controller shall notify the relevant person and the Board of this situation as soon as possible."

Firebase Authorization Vulnerability

In the notification sent to the Board by Codeway, it was stated that the violation occurred between 15.01.2026 and 20.01.2026 and was detected on 20.01.2026.

In the statement, "Due to the weakness in the authorization configuration on Google Firebase services used as the database (Firestore) and file storage (Storage) infrastructure of the mobile application called 'Chat & Ask AI', the attacker or attackers gained access to user data and file pool."

It was reported that the technical weakness was resolved and internal control and audit efforts regarding the data breach are continuing.

Email and Post Contents Affected

Personal data affected by the breach;

It was stated that approximately 3,700 people were evaluated to have been affected by the violation, and studies are continuing to determine the exact number.

Announcement Decision on the Website from the Board

It was announced that with the Decision of the Personal Data Protection Board dated 27.01.2026 and numbered 2026/139, it was decided to announce the data breach notification on the Authority's website.

Kaynak: Beykozun Sesi

The relevant provision of the law states: "In case the processed personal data is obtained by others through illegal means, the data controller shall notify the relevant person and the Board of this situation as soon as possible."

Firebase Authorization Vulnerability

In the notification sent to the Board by Codeway, it was stated that the violation occurred between 15.01.2026 and 20.01.2026 and was detected on 20.01.2026.

In the statement, "Due to the weakness in the authorization configuration on Google Firebase services used as the database (Firestore) and file storage (Storage) infrastructure of the mobile application called 'Chat & Ask AI', the attacker or attackers gained access to user data and file pool."

It was reported that the technical weakness was resolved and internal control and audit efforts regarding the data breach are continuing.

Email and Post Contents Affected

Personal data affected by the breach;

It was stated that approximately 3,700 people were evaluated to have been affected by the violation, and studies are continuing to determine the exact number.

Announcement Decision on the Website from the Board

It was announced that with the Decision of the Personal Data Protection Board dated 27.01.2026 and numbered 2026/139, it was decided to announce the data breach notification on the Authority's website.

Kaynak: Beykozun Sesi

The relevant provision of the law states: "In case the processed personal data is obtained by others through illegal means, the data controller shall notify the relevant person and the Board of this situation as soon as possible."

Cyber ​​Attack Started on December 26

In the notification sent to the Board, it was stated that Eurail B.V., established and operating in the Netherlands, uses an agency distribution model for the sale of travel tickets around the world.

It was reported that the violation started on 26.12.2025 and was detected on 05.01.2026.

Passport and Travel Information Affected

Personal data affected by the breach;

Within the scope of contact data, address and place of residence, e-mail address and telephone number;

It was stated that 8 thousand 823 people residing in Turkey were affected by the violation, and the relevant group of people were customers who purchased train tickets.

Şirketin, ihlale ilişkin teknik inceleme ve ek araştırmalarının devam ettiği kaydedildi. İlgili kişilerin privacyhelp@eurrail.com e-posta adresi üzerinden bilgi alabilecekleri duyuruldu.

Announcement Decision on the Website from the Board

It was announced that with the Decision of the Personal Data Protection Board dated 27.01.2026 and numbered 2026/103, it was decided to announce the data breach notification on the Authority's website.

Kaynak: Beykozun Sesi

The relevant provision of the law states: "In case the processed personal data is obtained by others through illegal means, the data controller shall notify the relevant person and the Board of this situation as soon as possible."

Dataset Detected on Dark Web

In the notification sent to the Board by Uludağ Elektrik, it was stated that the violation occurred on 05.08.2025 and was detected on 18.08.2025.

In the statement, "A data set containing information about data controller subscribers has been detected on a platform used by threat actors for file sharing on the dark web."

It was reported that the data set in question contained a total of 57 data categories, including mostly technical data about a subscriber, such as subscriber number, name-surname, partial address, consumption information and meter information, but also personal data, and it was determined that the data overlapped with the records kept in the company system.

Illegal Login to SMS Verified System

Regarding the root cause of the breach, it was stated that it was evaluated that the system, which can only be accessed with the username, password and SMS verification code that must be received at each login, was illegally entered by malicious threat actors.

It was stated that the exact number of people affected by the violation could not be determined, but the number of queries made was 899 thousand 890.

Şirket, ilgili kişilerin veri ihlali hakkında bilgi almak için dpo@uedas.com.tr e-posta adresi üzerinden iletişime geçebileceğini duyurdu.

Announcement Decision from the Board

It was announced that with the Decision of the Personal Data Protection Board dated 25.12.2025 and numbered 2025/2443, it was decided to announce the data breach notification on the Authority's website.

Kaynak: Beykozun Sesi

Güvenlik açığının, uygulamada kullanılan insecure object serialization processes ile birlikte due to lack of effective sandbox isolation kaynaklandığı belirtildi. Bu durumun, saldırganların tek bir bağlantı üzerinden hedef sistemde keyfi komutlar çalıştırabilmesine olanak tanıdığı aktarıldı.

Without Downloading Anything, Without Any Warnings
Uzmanlar, açığın istismarı için no file download required, A multi-stage exploit chain is not used ve kullanıcıya No security warnings are displayed vurguladı. Bağlantıya tıklanmasının ardından kodun doğrudan çalıştırıldığı kaydedildi.

Artificial Intelligence Detected It in Two Hours
Zafiyetin dikkat çeken yönlerinden biri de keşif süreci oldu. Açığın, an autonomous artificial intelligence agent tarafından uçtan uca analiz edilerek doğrulandığı, sürecin iki saatten kısa sürdüğü ifade edildi. Bu gelişmenin, yapay zekânın siber güvenlik alanındaki etkinliğine dair yeni bir dönemi işaret ettiği değerlendirildi.

Authorities stated that institutions and individuals using systems connected to Moltbot/Clawdbot should examine network traffic, isolate relevant components and investigate possible traces of attack.

Kaynak: Beykozun Sesi

Suspicious Link Details Revealed
Sahte e-postada yer alan “Ödemeyi Tamamla” butonuna tıklayan kullanıcıların, i6ome8hbb.cc.rs6.net uzantılı, PTT ile hiçbir bağlantısı bulunmayan bir adrese yönlendirildiği tespit edildi. Bağlantının, Constant Contact altyapısı üzerinden gizlenmiş şekilde sunulduğu ve kullanıcıyı sahte ödeme sayfasına yönlendirmeyi amaçladığı ifade ediliyor.

Addresses Originating from Abroad Are Alarming
In the sender address of the e-mail:info-santedicola.com@shared1.ccsend.com” ibaresinin yer aldığı, mesajın alt bölümünde ise ABD’ye ait açık adres bilgilerinin bulunduğu görüldü. Siber güvenlik uzmanları, bu tür Addresses originating from abroad and looking corporateemphasizes that it is frequently used in phishing attacks.

Purpose Credit Card and Personal Data
According to experts, credit card information, identity data and bank information are targeted on pages opened via fake links.

Does Not Match PTT's Practices
PTT’nin resmî uygulamalarında gümrük vergisi bildirimlerinin e-posta yoluyla ve üçüncü taraf bağlantılar üzerinden yapılmadığı belirtiliyor. Kurumun, ödemelerin yalnızca official website, e-Government and PTT branches aracılığıyla gerçekleştirildiğini daha önce kamuoyuna duyurduğu hatırlatılıyor.

Warning from Authorities to Citizens
Cyber ​​security experts emphasize that such emails should never be opened, links should not be clicked, and payment information should not be entered.

Kaynak: Beykozun Sesi

The researcher found that this form, which runs even when JavaScript is turned off, verifies whether a phone number matches a specific name-surname through specific HTTP requests.

Two-Step Verification Mechanism
In the first stage, a session key was generated with the phone number entered in the account recovery form.

Başlangıçta IP bazlı hız sınırlaması ve captcha engeliyle karşılaşan araştırmacı, BotGuard verification tokenHe stated that these obstacles were overcome by taking the form with JavaScript and integrating it into the form without JavaScript.

IPv6 and Large-Scale Trials
In the research, it was noted that by taking advantage of the width offered by IPv6 address spaces, a different IP was used for each request, thus speed limitations were neutralized.

Country Code and Name Information Could Also Be Detected
Telefon numarasının ülke kodu, Google’ın “şifremi unuttum” akışında gösterdiği maskeli numara formatları üzerinden belirlenebildi. Araştırmacı, bu formatların Google’ın kullandığı açık kaynaklı libphonenumber kütüphanesiyle birebir örtüştüğünü belirtti.

Kullanıcının ad ve soyad bilgisine ise Google Looker Studio üzerinden ulaşıldı. Araştırmacı, oluşturulan bir belgenin hedef kullanıcıya devredilmesiyle, the user's name is displayed on the home page without any interaction kaydetti.

“Possibility of Abuse Was Said Low, Reward Increased”
Açık, 14 Nisan 2025’te Google’a bildirildi. Google, ilk değerlendirmede istismar olasılığını düşük bularak sınırlı bir ödül verdi. Araştırmacının itirazı sonrası yapılan yeniden değerlendirmede ise etkinin yüksek olduğu kabul edilerek ödül toplam 5 thousand dollars seviyesine çıkarıldı.

Google, 22 Mayıs 2025 itibarıyla geçici önlemlerin devreye alındığını, 6 Haziran 2025’te ise Username recovery form without JavaScript is completely disabled doğruladı. Açık, 9 Haziran 2025’te kamuoyuna açıklandı.

Kaynak: Beykozun Sesi

Araştırma, üç bölüm halinde yayımlandı. İlk bölümde çipin Characterization against EMFI attacks, ikinci bölümde Getting random reads and writes in Secure Monitor, üçüncü bölümde ise Persistent code execution at EL3 level ayrıntıları paylaşıldı. Araştırmacılar, “Amaç, donanım tabanlı güvenlik mekanizmalarının gerçek dünyada ne kadar dayanıklı olduğunu ölçmekti.” ifadelerini kullandı.

How Electromagnetic Fault Injection Works
The EMFI method is based on applying very short-term and high-energy electromagnetic pulses to the processor.

Secure Monitor Checks Bypassed
Çalışmanın ikinci aşamasında, Secure Monitor tarafından uygulanan adres doğrulama mekanizmalarının hedef alındığı aktarıldı. Normal şartlarda yalnızca izin verilen bellek alanlarına erişim sağlayan is_allowed_address benzeri kontrollerin, doğru zamanlamayla yapılan EMFI saldırıları sonucunda devre dışı bırakılabildiği kaydedildi. Bu sayede, Random 32 bit read and write in EL3 context yapılabildiği vurgulandı.

XPU Configuration Changed
Araştırmanın en kritik aşamasında, TrustZone adres alanlarını koruyan XPU configuration yeniden programlanabildiği belirtildi. Araştırmacılar, “Tek bir başarılı glitch, Secure Monitor içinde keyfi uzunlukta kod yürütmek için yeterli.” ifadesini kullandı. Bu durumun, cihazın en korumalı yazılım katmanının tamamen kontrol altına alınması anlamına geldiği aktarıldı.

Attack is Difficult but Possible
Araştırmacılar, saldırının pratikte yüksek beceri, hassas ekipman ve uzun deneme süreleri gerektirdiğini belirtti. Ortalama başarı süresinin 30 to 40 minutes arasında değiştiği, çok sayıda yeniden başlatma ve zamanlama denemesi gerektiği kaydedildi. Buna rağmen, elde edilen sonucun teorik değil, pratik olarak uygulanabilir olduğu vurgulandı.

Hardware Security Discussion
The study revealed that software measures alone may not be sufficient in embedded network devices.

Kaynak: Beykozun Sesi

Exploitation via VoiceOver Framework
Güvenlik araştırmacıları, açığın VoiceOver framework ve com.apple.scrod adlı sistem servisi üzerinden tetiklendiğini belirtti. Bu yöntemle saldırganların, Apple tarafından imzalanmış süreçlere kod enjekte edebildiği ve bu süreçler aracılığıyla Can run AppleScript ifade edildi.

Full TCC Overrun with TOCTOU Race Condition
İstismarın temelinde, Time-of-Check-Time-of-Use (TOCTOU) türü bir yarış koşulunun yer aldığı kaydedildi. Kod enjeksiyonu ile bu yarış koşulunun birlikte kullanılması sonucunda, saldırganların It can interact with the Finder, read files, access the microphone, and run arbitrary AppleScript commands. aktarıldı. Tüm bu işlemlerin kullanıcıya herhangi bir bildirim gönderilmeden gerçekleştiği vurgulandı.

Apple: Open Closed with macOS 26.2
Apple, güvenlik açığının macOS 26.2 sürümünde giderildiğini duyurdu. Şirket, com.apple.private.accessibility.scrod yetkisinin artık transaction audit token üzerinden doğrulandığını ve bu sayede hem kod enjeksiyonu açığının hem de TOCTOU penceresinin ortadan kaldırıldığını açıkladı.

Update Call to Users
Apple, kullanıcıların sistemlerini en kısa sürede güncellemelerini önerdi. Güncellemenin, macOS → System Settings → Software Update adımları izlenerek yapılabileceği hatırlatıldı. Güvenlik uzmanları, açığın kapsamı nedeniyle güncellemenin geciktirilmemesi gerektiğini belirtti.

Kaynak: Beykozun Sesi

Supply Chain Crisis in the UK Retail Industry
Nisan 2025’te Marks & Spencer, Co-op ve Harrods’a yönelik düzenlenen fidye yazılımı saldırıları, yılın en çok ses getiren olayları arasında yer aldı. Scattered Spider bağlantılı saldırganların üçüncü taraf bir hizmet sağlayıcısını hedef aldığına dikkat çeken Yılmaz, “Tek bir tedarikçi zafiyeti, tüm sektörü domino etkisiyle felç edebiliyor.” dedi. Marks & Spencer’ın vergi öncesi kârının altı ayda From £391.9 million to £3.4 million düştüğü hatırlatıldı.

Production at Jaguar Land Rover Stopped for Five Weeks
It was stated that the attack on Jaguar Land Rover in August 2025 was recorded as the costliest cyber incident in British history.

The Cost of Digital Dependency in Aviation
An attack on Collins Aerospace's vMUSE systems in March 2025 caused serious disruptions at more than 20 airports across Europe.

Municipal Systems Collapsed in the USA
In July 2025, St.

The First Autonomous Cyber ​​Attack Supported by Artificial Intelligence
Referring to the report published by Anthropic in November 2025, Yılmaz said, "The first large-scale cyber attack carried out by artificial intelligence with its own decisions, without human intervention, has been documented."

Yılmaz summarized the common message of the attacks in 2025 with the following words: "Third party risks, cloud integrations, operational technology security and identity management are now at the center of cyber defense."

Kaynak: Beykozun Sesi

Supply Chain Crisis in the UK Retail Industry
Nisan 2025’te Marks & Spencer, Co-op ve Harrods’a yönelik düzenlenen fidye yazılımı saldırıları, yılın en çok ses getiren olayları arasında yer aldı. Scattered Spider bağlantılı saldırganların üçüncü taraf bir hizmet sağlayıcısını hedef aldığına dikkat çeken Yılmaz, “Tek bir tedarikçi zafiyeti, tüm sektörü domino etkisiyle felç edebiliyor.” dedi. Marks & Spencer’ın vergi öncesi kârının altı ayda From £391.9 million to £3.4 million düştüğü hatırlatıldı.

Production at Jaguar Land Rover Stopped for Five Weeks
It was stated that the attack on Jaguar Land Rover in August 2025 was recorded as the costliest cyber incident in British history.

The Cost of Digital Dependency in Aviation
An attack on Collins Aerospace's vMUSE systems in March 2025 caused serious disruptions at more than 20 airports across Europe.

Municipal Systems Collapsed in the USA
In July 2025, St.

The First Autonomous Cyber ​​Attack Supported by Artificial Intelligence
Referring to the report published by Anthropic in November 2025, Yılmaz said, "The first large-scale cyber attack carried out by artificial intelligence with its own decisions, without human intervention, has been documented."

Yılmaz summarized the common message of the attacks in 2025 with the following words: "Third party risks, cloud integrations, operational technology security and identity management are now at the center of cyber defense."

Kaynak: Beykozun Sesi

Shared on Dark Web Forum
Dark Web Informer tarafından aktarılan bilgilere göre, sızdırıldığı iddia edilen veriler bir dark web forumunda satışa veya paylaşıma açıldı. Tehdit aktörü, ele geçirilen bilgilerin NordVPN's Salesforce database contents olduğunu savundu.

Claimed Access via Brute Force
Paylaşımda, saldırganın brute-forced a misconfigured NordVPN development server ileri sürüldü. Bu sunucuda Salesforce ve Jira sistemlerine ait bilgilerin birlikte tutulduğu iddia edildi.

Allegedly Leaked Data
Dark Web Informer reported that the following information was obtained through the samples the threat actor claimed to have shared:
10+ database source codes, Salesforce API keys, Jira access tokens, and additional sensitive technical information.

SQL Dumps Shared
Forumda yayınlanan örnek SQL dökümlerinde, “salesforce_api_step_details” ve “api_keys” tablolarına ait yapılar ile ayrıntılı veritabanı şema bilgilerinin yer aldığı öne sürüldü. Bu örneklerin, iddiaların gerçekliğini desteklemek amacıyla paylaşıldığı ifade edildi.

Official Statement from NordVPN is Expected
Sızıntı iddialarına ilişkin olarak NordVPN tarafından şu ana kadar kamuoyuna yansımış resmî bir açıklama bulunmuyor. Uzmanlar, iddiaların doğrulanması hâlinde bunun It may have important consequences in terms of trust in VPN services. belirtiyor.

Kaynak: Beykozun Sesi

Cargo Tracking Systems Reopened
Şirket, kargo takip ekranlarının As of 1 December 2025 at 17.30 kullanılabilir hâle geldiğini bildirdi. Açıklamada, “Bu kapsamda kargo takip ekranlarımızdaki veriler en kısa sürede güncellenecektir.” ifadeleri yer aldı.

Temporary Slowdowns and Outages Warning
Aras Kargo, iyileştirme sürecinin devam ettiği dönemde anlık sistem yavaşlamaları ve erişim kesintilerinin görülebileceğini belirterek, ekiplerin 24/7 operation yürüttüğünü aktardı. Yapılan açıklamada, “Tüm hizmetlerimizi en hızlı ve güvenli şekilde eski hâline getirebilmek için ekiplerimiz aralıksız çalışmaktadır.” denildi.

Distribution and Branch Operations Restarted
Announcing that distribution operations have been reactivated, the company stated that temporary interruptions in data flow may affect delivery times.

Work Continues for Full Normalization
Aras Kargo stated that its technical teams continue their improvement efforts to ensure that all systems operate at full capacity.

Kaynak: Beykozun Sesi

Human Contribution Decreased to 10 Percent
According to the report, the model automatically coordinated 80 to 90 percent of tactical processes in operations against a wide range of targets, from large technology companies to financial institutions and chemical production facilities.

Konya Bilişim Derneği Siber Güvenlik Birim Başkanı Mustafa Yilmaz, in its assessment, “The first autonomous, artificial intelligence, cyber attack in history has officially occurred.”

Bypassed Ethics Protocols with Social Engineering
One of the notable findings of the report was that attackers bypassed the security restrictions of artificial intelligence not through technical vulnerabilities but through social engineering methods.

Anthropic experts stated that the model carries out critical steps in the target systems on its own, adopting this role as a real task.

Attackers' Power Isn't in New Code, It's in AI Coordination
The report stated that attackers preferred open source and widespread penetration testing tools instead of producing new malware.

This approach demonstrated that state-level cyber capabilities are now accessible to small groups.

Artificial Intelligence Necessity in Defense
Anthropic security team announced that they again used the Claude model in the analysis of the attack.

Kaynak: Beykozun Sesi

Technical Details of the Vulnerability
Google tarafından yayımlanan özet rapora göre, açığın kök nedeni hatalı input-parsing sürecinde oluşan memory corruption (heap/stack corruption) olarak değerlendiriliyor. Bu durum, kötü niyetli verilerin sistem servisleri veya arka plan işlemleri aracılığıyla işlenmesi sırasında tetiklenebiliyor.

Attack Vectors and Domain
Saldırganların özel hazırlanmış paketler veya sideloaded malicious APKs kullanarak cihazlarda uzaktan kod çalıştırma yetkisi elde edebildiği bildirildi. Açığın, IPC/Binder çağrıları, medya ve ağ parser’ları gibi arka plan bileşenleri üzerinden tetiklenebilmesi dikkat çekiyor.

Other Related Vulnerability: CVE-2025-48581
Google ayrıca Android 16 sürümünde tespit edilen yüksek riskli bir escalation of privilege (EoP) zafiyetini CVE-2025-48581 (A-428945391) koduyla duyurdu. Bu zafiyetin RCE açığıyla birlikte zincirleme olarak kullanılabileceği değerlendiriliyor.

Warning and Safety Recommendations for Users
Uzmanlar, bu tür “0-click” saldırıların kullanıcıdan herhangi bir etkileşim gerektirmediği için özellikle tehlikeli olduğunu belirtiyor. Google, kullanıcıların install official security updates without waiting, ayrıca Do not install applications from unknown sources önerdi.

Kaynak: Beykozun Sesi

1,200 SIM-Boxes and 40,000 Active Cards Seized
Authorities announced that the network makes international calls appear local by using tens of thousands of SIM cards placed in SIM-box devices in different countries, and that it plays an active role in identity concealment, fake investment and phishing scams.

Fake Account Network in More than 80 Countries
Europol açıklamasına göre, ağ 80’den fazla ülkenin telefon numaralarıyla yaklaşık 49 to 50 million fake online accounts oluşturmayı mümkün kıldı. Bu hesapların kimlik hırsızlığı, dolandırıcılık ve yasa dışı finansman faaliyetlerinde kullanıldığı değerlendiriliyor. Sadece Avusturya ve Letonya’da 3.200’den fazla vaka tespit edilirken, zararın toplamda 5 milyon euroya yaklaştığı bildirildi.

Sites Seized
Yetkililer, suçta kullanılan gogetsms.com ve apisim.com alan adlarına el koydu. Bu platformların, ağ üyelerine sahte numara üretimi ve SMS kimlik doğrulama hizmetleri sunduğu tespit edildi.

International Cooperation and the Course of the Investigation
Europol provided operational support, while Eurojust carried out judicial coordination.

A Blow to the Cybercrime Economy
Experts state that the operation is an important step in dismantling "cybercrime-as-a-service" structures.

Kaynak: Beykozun Sesi

The user who clicks on the short link in the SMS is first directed to the fake page opened in the mobile browser.

Cyber ​​security researcher and journalist Ebubekir Bastama stated that during the examination, he found that the site was only opened on mobile devices and that a phone number was requested at the first stage.

This Fake SMS was detected by a citizen who was trained by Bastama. 

An example of the SMS text is as follows:
"Dear Vehicle Owner, According to the system records, the highway toll for your vehicle has not been paid because your HGS balance is insufficient. To avoid being penalized, please complete your payment by October 14, 2025. Unpaid Amount: 795.00 TL Payment Link: https:[//]kgminfo[.]cc/gv?qr=3urgOi"
In the mobile browser that clicks on the link, the phone number is requested at the first stage;

Messages that come with the names of official institutions but cannot be verified should not be relied upon.

• Never click on the incoming link and delete the message.

• Blocking the sending number and reporting it to the mobile operator.

• If the phone number and card information are entered, immediately contact the bank and have the card blocked.

Official institutions generally do not request payment directly through short links within SMS.

Kaynak: Beykozun Sesi

The fire that occurred on the evening of September 26, 2025, at the government data center of the National Information Resources Service (NIRS) in Daejeon, South Korea, caused serious disruptions in the country's digital infrastructure.

First findings of the fire

According to initial findings, the incident started as a result of a malfunction in the lithium-ion batteries in the energy storage area.

709 public services affected

709 online public services were temporarily stopped after the fire.

Lack of backup increased the scale of the crisis

Most of the losses were due to the G-Drive system not having an external backup infrastructure.

Investigation focused on battery-induced scenario

Police and technical teams are continuing their investigation to confirm that the fire was caused by lithium-ion batteries.

Official reactions and measures taken

President Lee Jae-myung visited the data center after the incident and ordered to strengthen redundancy standards.

Expert opinions

Experts emphasized that "cloud systems are not immune from physical risks."

timeline

• September 26, 2025: Yangın 20.15 civarında başladı, hızla yayıldı.

• September 27, 2025: Yangın kontrol altına alındı.

• October 1, 2025: G-Drive verilerinin kurtarılamadığı kesinleşti.

• October 10, 2025: Kurtarma oranı %30,6’ya ulaştı.

Kaynak: Beykozun Sesi

According to experts, the vulnerability is caused by the malfunction of the function called “service_finder_switch_back()”.

Cyber ​​security researchers state that the vulnerability in question allows malicious people to change content, update passwords, add malicious code or use the site in phishing and malware campaigns.

Domain and Risks
The vulnerability affects all versions of the “Service Finder” theme up to version 6.0.

According to security reports, requests from IP addresses 5.189.221.98, 185.109.21.157, 192.121.16.196, 194.68.32.71 and 178.125.204.198 were detected in the attack attempts.

Precautions to be Taken
Experts recommend switching to version 6.0 or later of the theme, reviewing all user accounts and permissions, and activating plugins such as firewall (WAF) or Wordfence.

If the system is planned to be restored from backup, it is necessary to ensure that the backups used are taken from a clean and reliable source.

Kaynak: Beykozun Sesi

The US Secret Service carried out a critical operation for the security of the United Nations (UN) General Assembly in New York.

Threat capacity
Authorities, the seized system is able to send 30 million SMS per minute.

Concentration around the UN General Assembly
Most of the devices identified in the operation were found around the region where the UN General Assembly was held.

Nation-State and Criminal Organizations Connection
US officials announced that the judicial investigation continued and the first findings pointed to the connection between nation-state-backed threat actors and organized crime groups.

The perpetrator remains uncertainty
Although Russia, China and Israel were mentioned in some circles after the operation, US officials did not officially point out any country.

Multi -layer measures of the USA
In addition to the Secret Service, the FBI, the Ministry of Internal Security (DHS) and the New York police reportedly participated in the operation.

Forensic Investigation Continues
Investigations on the seized devices will reveal which country or organizations are connected to the system and the dimension of the planned attacks.

Kaynak: Beykozun Sesi

Appcloud draws attention with the cooperation of Ironsource with Samsung in the Mena market within the scope of the “Aura” ecosystem (Israel -based company unity in 2022).

Samsung's response is uncertain
Although Samsung's general privacy policies are open to the public, there is no direct and technical explanation for SMEX's claims.

Critical Open on Galaxy Devices
While the discussions continued, Samsung announced that it has closed the zero-day deficit with CV-2025-21043 coded with the September 2025 security update.

The NSO Group decision increases public sensitivity
In the US case in May 2025, NSO Group was sentenced to 168 million dollars compensation for activities targeting WhatsApp users.

Recommendations for users
Experts suggest Samsung users to upgrade their devices to the most up-to-date software and control front-high applications such as Appcloud.

Kaynak: Beykozun Sesi

According to the prosecution certificates, Tymoshchuk, between July 2019 and June 2020 more than 250 US companies and many victims around the world infiltrated the network of Lockergoga and Megacortex attacks.

It is claimed that Tymoshchuk, who was said to have managed the ransom software operation from July 2020 to October 2021, provided access to his partners and received 20 %of the ransom income.

In November 2023, the Cyber ​​Security Company Group-CIP reported Tymoshchuk with other ransom software groups such as JSworm, Karma, Nokoyawa and Nemty and showed that it played a role in the supply of elements in Russian forums.

“Tymoshchuk is a series of ransom software criminals targeting major American companies, health institutions and international industrial organizations, T

In September 2022, free password solvents were released for Lockergoga and Megacortex with international cooperation, and the victims were allowed to save their data without paying ransom.

Tymoshchuk; bilgisayar dolandırıcılığı için iki komplo, korunan bilgisayarlara zarar vermek için üç suçlama, yetkisiz erişim ve gizli bilgileri ifşa etme tehdidiyle yargılanacak. ABD Dışişleri Bakanlığı, Tymoshchuk veya suç ortaklarının yakalanmasına yönelik bilgi sağlayanlara Rewards up to 11 million dollars teklif ediyor.

Kaynak: Beykozun Sesi

According to Sansec, a cyber security company, Adobe informed its selected customers about the security vulnerability on September 4 and announced that it would publish a patch on 9 September.

Adobe announced that there is no finding on the security bulletin so far.

Researchers stressed that the deficit is especially effective in store installations where the session data is stored in the file system.

Update advice now
Adobe released the patch directly as a downloadable package and advised the managers to test and disperse without wasting time.

Sansec, SessionReaper açığının yakın geçmişteki Cosmicssting, Trojanorder, Ambionics Sqli ve Shoplift vakalarıyla aynı ciddiyet seviyesinde olduğunu ve otomasyon yoluyla kitlesel istismara uygun olduğunu belirtiyor.

Researchers did not share the technical details of the deficit, but the attack was watching a similar model with last year's Cosmicssting.

Kaynak: Beykozun Sesi

Due to the error, users could not access the confirmed connections to be safe, while some e-mails have been quarantined.

According to Microsoft's statement, more than 6,000 URL has been affected.

Partial solution was applied
Microsoft engineers have released a correction that allows synchronizing no longer quarantine.

The company reported that the problem has been eliminated to a great extent, but that the work continues to eliminate the remaining effects until the root cause analysis was completed.

Similar problems have happened before
In 2025, Microsoft has faced similar errors in Exchange online service.

Kaynak: Beykozun Sesi

Bu zafiyet, Insecure Deserialization (güvensiz serileştirme) sorunundan kaynaklanıyor. Kimliği doğrulanmamış bir saldırgan, RMI-P4 protokolü üzerinden kötü amaçlı Java nesneleri göndererek hedef sistemde keyfi komut çalıştırabiliyor. RMI-P4, NetWeaver AS Java bileşenlerinde SAP içi iletişim ve yönetim için kullanılıyor. Yanlış yapılandırmalar nedeniyle bu portun internetten erişilebilir durumda olması, riski artırıyor.

Other critical explanations:

• CV-2025-42922 (CVSS 9.9): NetWeaver AS Java (Deploy Web Service) bileşeninde hatalı dosya işlemleri. Kimliği doğrulanmış düşük yetkili saldırgan, zararlı dosyalar yükleyerek tam sistem ele geçirme riski oluşturabiliyor.

• CV-2025-42958 (CVSS 9.1): Kimlik doğrulama eksikliğinden kaynaklanan açık, yetkisiz yüksek ayrıcalıklı kullanıcıların hassas verileri okumasına, değiştirmesine veya silmesine imkân tanıyor.

SAP would also eliminate the following deficits that were highly evaluated:

• CV-2025-42933 (SAP Business One Sld): Hassas verilerin güvensiz depolanması.

• CV-2025-42929 (SLT Replication Server): Eksik girdi doğrulama nedeniyle replike edilen verilerin manipüle edilmesi.

• CV-2025-42916 (S/4hana): Temel bileşenlerde eksik girdi doğrulama ile yetkisiz veri manipülasyonu riski.

SAP ürünleri, kritik iş süreçlerinde kullanıldıkları ve yüksek değerli veriler barındırdıkları için siber tehdit aktörlerinin sıkça hedefinde bulunuyor. Nitekim bu ayın başında, S/4Hana, Business One and Netweaver ürünlerini etkileyen CV-2025-42957 kod enjeksiyonu açığının aktif şekilde istismar edildiği ortaya çıkmıştı.

To system managers, CV-2025-42944, CV-2025-42922 and CV-2025-42958 are recommended to apply the patches as soon as possible.

Kaynak: Beykozun Sesi

Veri ihlali bildirimine göre saldırganlar, e-mail addresses, user names, authentication information and hashtily passwords erişti. Plex, parolaların en iyi güvenlik uygulamalarına uygun şekilde hashlenmiş olduğunu ve üçüncü taraflarca doğrudan okunamayacağını belirtti. Ancak kullanılan algoritma paylaşılmadığı için saldırganların bu hashleri kırmayı deneyebileceği ihtimali gündeme geldi.

Kullanıcılara, plex.tv/reset adresinden parolalarını sıfırlamaları ve “Parola değişikliğinden sonra bağlı cihazlardan çıkış yap” seçeneğini işaretlemeleri önerildi. Bu adım, mevcut oturumları kapatarak hesapların kötüye kullanılmasını önleyecek. SSO kullananların ise plex.tv/security üzerinden tüm cihazlardan çıkış yapmaları gerektiği bildirildi.

Plex ayrıca kullanıcılara ek güvenlik için Authority with two factors (2FA) etkinleştirmelerini hatırlattı ve hiçbir zaman e-posta yoluyla parola veya kredi kartı bilgisi talep etmediğini vurguladı.

While the company did not share technical details about how the attack took place, the method that caused a violation was removed.

This is not the first time Plex users had to reset their passwords.

Kaynak: Beykozun Sesi

The attack was carried out through IoT devices and microtic routers seized from more than 11 thousand different networks worldwide.

While the name of the targeted customer was not announced, it was stated that the institution in question was a “DDOS Scrubing” provider using methods such as package control, speed limitation, captcha and anomaly detection to filter DDOS traffic.

The incident took place after Cloudflare announced that it had stopped the world's largest DDOS attack at 11.5 TBPS bandwidth and 5.1 billion packets/seconds.

Fastnetmon Founder Pavel Odintsov stressed that the remarkable aspect of the attack is the abuse of daily network devices in large -scale attacks.

Kaynak: Beykozun Sesi

Sonicwall released an update in August 2024 for the security vulnerability and announced that weakness was actively exploited.

Australian Cyber ​​Security Center (ACSC), the warning issued on September 10, announced that the institutions in the country were targeted by Akira.

The attacks were found to be connected to VPN via Sonicwall devices via “Default Users Group ve and the assumed general access permits for the“ Virtual Office Portal ”.

In the Cyber ​​Security Community, allegations that the attacks were due to a new “zero day” deficit had come up.

The company reported that it examined about 40 incidents in connection with this security vulnerability last month.

• Gen 5: SOHO cihazları (5.9.2.14-12o ve öncesi)

• Gen 6: TZ, NSA ve SM modelleri (6.5.4.14-109n ve öncesi)

• Gen 7: TZ ve NSA modelleri (7.0.1-5035 ve öncesi)

System managers are advised to follow the recommended steps in Sonicwall's security bulletin.

Kaynak: Beykozun Sesi

Mac kullanıcılarını hedef alan yeni bir bilgi hırsızı zararlı yazılım ortaya çıktı. Shamos adı verilen zararlı, sahte hata düzeltme kılavuzları ve yazılım yüklemeleri üzerinden dağıtılıyor.

Spread with Clickfix attacks

The attackers direct users to run certain commands at the Terminal through fake Github warehouses and harmful ads.

The commands dissolve a connection with Base64 and download BASH betting from a remote server.

Shamos' talents

• Determining whether it works in a virtual environment with anti-VM controls
• Collecting information about the device using applescript
• Calling and stealing browser data, keychain items, apple notes content and crypto wallet files
• Collect the data in the form of “out.zip” and send it to the attacker via curl
• Create a plist file under LaunchDaemons if it is employed by the administrator (Sudo) powers and becoming permanent
• Download additional loads such as fake versions of Ledger Live Crypto Wallet Application and botnet modules

WARNINGS TO USERS

Experts suggest that commands that are not understood from online sources should not be operated at the Terminal, especially sponsored search results.

Clickfix tactics are becoming widespread

Clickfix attacks threaten not only Mac users, but also many platforms in general.

Kaynak: Beykozun Sesi

Afrika’da siber suç örgütlerine karşı düzenlenen Operation Serengeti 2.0 isimli geniş çaplı operasyonda 1.200’den fazla kişi tutuklandı. Interpol liderliğinde yürütülen operasyon, Haziran ile Ağustos 2025 arasında gerçekleştirildi.

According to Interpol, during the operation:

• 1,209 suspects were detained
• 97.4 million dollars illegal income seized
• 11,432 malicious infrastructure was destroyed
• Attacks targeting 87,858 victims worldwide have been blocked

Scope of the operation

The fight against cyber crimes was carried out with the participation of 18 African countries and the United Kingdom law enforcement officers.

The action was carried out within the scope of African joint cyber crime operation financed by the United Kingdom Foreign Affairs, Nations Community and Development Office.

Connection with previous operations

• Operation Red Card (2024–2025): 306 şüpheli yakalandı, 5.000’den fazla mağdurun etkilendiği saldırılar açığa çıkarıldı.
• Operation Serengeti (2024): 1.006 şüpheli tutuklandı, fidye yazılımı ve çevrimiçi dolandırıcılık çeteleri çökertildi.
• Operation Africa Cyber ​​Surge II (2023): 25 ülkede 14 şüpheli yakalandı, 40 milyon doların üzerinde zarara yol açan saldırılar engellendi.

Interpol Genel Sekreteri Valdecy Urquiza, operasyonun ardından yaptığı açıklamada şunları söyledi: “Each operation increases cooperation based on the previous one, strengthens information sharing and improves the capacity of investigation. Our global network produces concrete results in protecting victims more powerful than ever.”

Kaynak: Beykozun Sesi

Davita, a US -based kidney dialysis company, confirmed that the sensitive data of approximately 2.7 million people were stolen with the ransom software attack.

Details of the attack

• The attackers infiltrated Davita's network on 24 March 2025.
• The company noticed the incident on 12 April and removed the attackers from their systems.
• During this time, the attackers reached the dialysis laboratory database.

Among the stolen data:

• Name, address, date of birth, social security number
• Health Insurance Data
• Disease, treatment information, laboratory test results
• Tax ID numbers and personal check images for some people

The US Department of Health's Civil Rights Office (OCR) announced that 2,689,826 people were affected by the incident.

The claim of the Interlock group

Davita does not explain the responsible of the attack, but the Interlock ransom software group undertook the attack at the end of April.

In June, Davita confirmed that some of the leaked files belonged to them.

Davita spokesman, "Unfortunately, we have found that the attacker provides unauthorized access to some patients' personal data. Therefore, we inform existing and old patients and offer free credit monitoring services against identity theft."

About Interlock

The interlocking ransom software group, which emerged in 2024, is especially targeting health institutions.

Kaynak: Beykozun Sesi

The US Department of Justice announced that Davis Lu, accused of harming the former employer's systems, was sentenced to four years in prison.

Background of the event

Lu, a 55 -year -old Chinese citizen, served in an Ohio -based company (referred to as Eaton Corporation) from 2007 to 2019.

Harmful codes and "Kill Switch"

• Java -based infinite cycles and established mechanisms that would cause the servers to collapse.
• He designed a Kill Switch, whom he calls “Isdlenabledinad”.
• On September 9, 2019, when the account was dismissed and the account was disabled, Kill Switch was activated and became unable to access thousands of employees.

Investigation findings

It was found that LU had deleted encrypted files on the laptop that should be returned and made searches on the methods of increasing authorization, process hiding and deleting files.

Matthew R. Galeotti, official of the Ministry of Justice, sabotaged the company's networks, caused great financial losses and violated the trust of the employer.

Details of the punishment

• Lu was found guilty of deliberately damaging protected computers.
• He was sentenced to 4 years in prison.
• After the evacuation, he will remain under probation for 3 years.
• It was announced that the damage of the company was hundreds of thousands of dollars.

Kaynak: Beykozun Sesi

Colt Technology Services, a UK -based telecommunications and network services provider, confirmed that customer certificates were stolen for the first time after the recent cyber attack.

COLT's updated security announcement, "A criminal group has accessed some files from our systems. These files may have information about our customers. Document headings have been published in the dark network."

Warlock's claim

The Warlock ransom Software Group (Storm-2603), which is considered to be China-linked, put up 1 million documents on the Cyber ​​Crime Forum on the RAM for $ 200,000.

According to BleepingComputer's verification, Tox ID, which is included in the forum announcement, matches the identities used in Warlock's previous ransom notes.

About the Warlock Group

• He appeared in March 2025 and initially demanded ransom using Lockbit leak notes.
• In June, he announced his own brand under the name “Warlock Group ve and established special dark network sites.
• Previously, Babuk VMware Esxi made attacks using passwords and Lockbit leaks.
• In July, Microsoft announced that the group used SharePoint vulnerability to infiltrate corporate networks.
• Warlock's ransom demands vary from $ 450,000 to several million dollars.

Risk for customers

Although the details of the alleged documents are not explained, the financial and institutional information of Colt customers has a risk of third parties.

Kaynak: Beykozun Sesi

As a result of the data violation, the registered files in the TTB system were accessed and these files were deleted.

Which data were affected
In a statement, identity, communication, location, legal transaction and transaction safety data were affected by the attack said.

KVKK decision
The Personal Data Protection Board (KVKK) decided to announce the data violation on the website of the institution with the decision of 2025/1514 dated 14 August 2025 and numbered 2025/1514.

Kaynak: CUMHA - CUMHUR HABER AJANSI

In the UK, 26-year-old Al-Tahery Al-Masshriky received 20 months' imprisonment, accepting the accusations that he attacked thousands of websites and stole information of millions of people.

The history of the investigation
Mashriky was arrested in 2022 in England in line with the information from the US law enforcement officers.

Targeted institutions
Adli incelemeler, Yemen Dışişleri Bakanlığı ve Yemen Güvenlik Medya Bakanlığı’nın sitelerine sızıldığını ve bu sitelerde kullanıcı adı tarama araçları yerleştirildiğini ortaya koydu. Ayrıca İsrail’deki Live News sitesinin yönetici sayfalarına erişildi ve tüm içerik indirildi. ABD ve Kanada’daki dini kuruluşlar ile Kaliforniya Su Kurulu da hedefler arasında bulundu.

Stolen Data
Mashriky'nin more than 4 million facebook users data, as well as netflix and Paypal stolen user information for services such as.

National Crime Agency statement
British National Crime Agency (NCA) Cyber Crime Unit President Paul Foster said that Mashriky's attacks have created a great deal of deduction, “These attacks were made only to spread political and ideological messages. In addition, millions of people have seized personal data that would allow them to defraud.”

Kaynak: CUMHA - CUMHUR HABER AJANSI

The two critical vulnerabilities discovered in the popular network management platform N-Eval N-Central put hundreds of servers around the world at risk.

The seriousness of the situation
N-Eval announced that the gaps were patched and closed with 2025.3.1 version.

N-Eval said in a statement that security violations were observed only in a limited number of internal environments and that the abuse was not detected in their own cloud environments.

Mandatory Instruction from CISA
The US Cyber Safety and Infrastructure Safety Agency (CISA) added to the list of ılmış known security deficits ”list.

Although CISA does not directly obliges the private sector organizations, all network executives called N-Erse to apply the patches published by N-Erse, otherwise the product to disable the product.

Kaynak: CUMHA - CUMHUR HABER AJANSI

Workday, headquartered in the US state of California, announced that a social engineering attack on a third -party customer relations management (CRM) platform has been experienced in a social engineering attack.

Details of the attack
According to Workday's announcement on August 16, the attackers provided access to the CRM platform with social engineering methods targeting company employees.

It was reported that the incident was identified on August 6 and that the attackers tried to collect information through messages and telephones by introducing themselves as HR or IT employees.

Shinyhunters connection
The incident is part of the wave of global attacks associated with the Shinyhunters group.

The stolen data are used to ask for ransom from victims via e-mail.

Kaynak: CUMHA - CUMHUR HABER AJANSI

A critical vulnerability in Fortinet's Fortweb product allows attackers to imitate any user, even managers.

Technical details of the deficit
Araştırmacı Aviv Y tarafından “FortMajeure” adı verilen açık, FortiWeb’in çerez ayrıştırmasındaki “out-of-bounds read” hatasından kaynaklanıyor. Saldırgan, Era parametresine beklenmedik bir değer atayarak sunucunun tüm sıfırlardan oluşan gizli anahtarı kullanmasına neden oluyor. Bu durum, sahte kimlik doğrulama çerezlerinin kolayca oluşturulmasını sağlıyor.

In order to exploit the vulnerability, the target user must have actively sign.

Affected versions and patches
Open affects Fortiweb's versions between 7.0 and 7.6.

• Fortiweb 7.6.4 and Over

• FORTİWEB 7.4.8 and above

• FORTİWEB 7.2.11 and above

• FORTİWEB 7.0.11 and above

Fortweb 8.0 versions are not affected by this open.

Researcher's decision
Aviv Y shared a POC showing the foundation of the deficit, but did not publish the entire chain of abuse except for the executive imitation over Rest Endpoint.

According to the researcher, even missing details do not allow even knowledgeable attackers to develop a complete abuse alone.

Kaynak: CUMHA - CUMHUR HABER AJANSI

Deduction in services
According to Colt's statement;

Warlock's claim
A threat actor called ‘CNKJASDFGD’ was attacking on behalf of the Warlock ransom Group.

Possible vulnerability
Cyber Security Researcher Kevin Beaumont said that attackers may have used the critical distance execution deficit in Microsoft Sharepoint and monitored as CV-2025-53770.

According to Beaumont, the attackers brought hundreds of gigabytes of customer data and internal document out of systems.

Colt's description
Company spokesman, BleepingComputer'a said in a statement, "Cyber incident, we are aware of the allegations, our investigations continue. Our technical team, third -party experts are focused on restoring the affected systems," he said.

Kaynak: CUMHA - CUMHUR HABER AJANSI

250 million dollars frozen with T3+ program
Founded in September 2024, T3 Financial Crime Unit has froze $ 250 million criminal revenue worldwide.

In one of the prominent cases, the $ 6 million crypto assets were frozen in the “Romance Scam” attacks in cooperation with Binance.

74 million dollars in cooperation with Canada-USA
The “Project Atlas” directed by Canada Ontario State Police and the “Operation Avalanche ği conducted by the British Cooperation Menkul Assets Commission was supported by Chainalysis analytics.

In the last six months, 74.3 million dollars of fraud income was reached and most of them were frozen.

Global effect
Project Atlas associated more than 2,000 crypto wallets in 14 countries with victims.

Method: intervention at blockchain level
In both initiatives, coordinated operations and direct interventions at the Blockchain level were prevented from transferring criminal revenues or converting them to cash.

Kaynak: CUMHA - CUMHUR HABER AJANSI

3.3 million dollars of damage
The defendant, 8.4 million dollars of counterfeit tax refund of approximately 2.5 million dollars by applying, also fake SBA loan applications $ 819 thousand dollars stolen.

Fake Investment Plan also carried out
According to the prosecutor's office, Gokhukwu deceived the victims with fake investment offers in the same period.

Returned from France
The purposeful was returned from France to the United States on August 4, 2025 and was brought before the judge in the Southern York Region the next day.

Facing serious penalties
There are accusations of attempted piability (5 years), twice wired fraud (20 years each), twice attempted wired fraud (20 years) and aggravated identity theft (compulsory 2 years additional penalty).

Kaynak: CUMHA - CUMHUR HABER AJANSI

145 thousand people were informed
Maine Chief Public Prosecutor's Office in a notification, 144,189 people were affected by the attack said.

Ransomhub undertook the attack
Ransomhub ransom Software Group announced the attack in January 2025.

Description from the company
The ManpowerGroup spokesman stressed that the incident only affected an independent franchise branch and the company's corporate network was not affected by the attack.

Ransomhub's history
Ransomhub has previously targeted institutions such as Halliburton, Rite Aid, Kawasaki, Christie's, Frontier Communications and Planned Parenthood.

Kaynak: CUMHA - CUMHUR HABER AJANSI

Which versions are affected
According to Cisco, the Open is open, in the 7.0.7 and 7.7.0 versions of FMC software, Radius authentication occurs when the authentication is active.

Updates Published
Cisco has released free software updates to relieve the vulnerability.

Temporary solution option
The only temporary solution proposed in the environments that cannot be loaded with patch, the use of local user accounts, LDAP or SAML -based authentication methods instead of disabled Radius authentication.

Has not been abused yet
Open, Cisco security researcher Brandon Sakai was discovered in internal tests.

Additional security patches
Cisco has also closed 13 high -importance security vulnerabilities, such as Snort 3, ASA, FTD, IOS and IOS XE, such as service rejection (DOS) and HTML injection.

Beykoz News

Kaynak: CUMHA - CUMHUR HABER AJANSI

136 people caught in 257 incidents
According to the information contained in the newsletter, 257 events occurred in a week throughout the city.

More than 60 thousand people were checked
60 thousand 682 people and 25 thousand 162 vehicles were checked in public order applications.

Weapons, drugs and illegal products seized
7 pistols, 5 rifles, 9 cartridges, 2 cutting tools were seized.

23 thousand 40 macarons, 1 detectors, 5 excavation materials, 7 kilograms of illegal tea and 50 packs of bandrol cigarettes were seized.

78 people were injured in traffic accidents
34 traffic accidents occurred in a week throughout the province.

Kaynak: CUMHA - CUMHUR HABER AJANSI

Index crossing (Directory Traveorsal) This open, specially prepared RAR archives caused by their error allow them to issue files to a location defined by the attacker instead of the directory specified by the user. %Appdata%\ Microsoft \ Windows \ Start Menu \ Programs \ Startup veya %Programdata%\ Microsoft \ Windows \ Start Menu \ Programs \ Startup) can be placed.

ESET, saldırılarda hedefli oltalama e-postalarıyla gönderilen RAR dosyalarının bu açığı kullanarak Romcom arka kapı zararlı yazılımını yüklediğini belirledi. RomCom (Storm-0978, Tropical scorpius veya UNC2596 olarak da bilinir) Rusya bağlantılı bir tehdit grubu olup fidye yazılımı, veri hırsızlığı ve kimlik bilgisi toplama kampanyalarıyla tanınıyor. Grup daha önce Cuba ve Industrial Spy fidye yazılım operasyonlarıyla ilişkilendirilmişti.

WinRAR otomatik güncelleme özelliği sunmadığından, tüm kullanıcıların win-rar.com adresinden en son sürümü manuel olarak indirmesi öneriliyor. ESET, açığın istismarına dair detaylı bir raporu daha sonra yayımlayacağını açıkladı.

Kaynak: Cumha - Cumhur News Agency

According to the statement, some malevolent people demanded identity and bank information on the pretext of application for help, and tried to open an account through counterfeit forms.

Only your applications www.kayseri.bel.tr It was reminded that it can be done through the address.

The municipality said that citizens should not respect the directions made through telephone, text message or social media.

Kaynak: CUMHA - CUMHUR HABER AJANSI

Uluslararası iş birliğiyle yürütülen bir operasyon kapsamında, dünyanın en büyük Rusça konuşulan siber suç forumlarından biri olan Xss.is kapatıldı. Forumun yöneticisi, 22 July 2025 tarihinde Ukrayna'nın başkenti KyivHe was caught too.

4 -year investigation process

Paris Emniyet Müdürlüğü Siber Suç Birimi tarafından 2 July 2021 tarihinde başlatılan kapsamlı soruşturma sonucunda forumun faaliyetlerine dair çok sayıda veri toplandı. Fransız kolluk kuvvetleri, XSS forumuyla bağlantılı olan theSecure.biz adlı Jabber sunucusu üzerinden iletişimleri takip etti. Bu takip sonucunda yakalanan kişinin, çok sayıda yasa dışı siber suç ve fidye yazılımı operasyonuyla bağlantılı olduğu belirlendi.

The history and role of the forum

2013 yılında Damagelab adıyla kurulan ve 2018'de Xss.is ismini alan platform, siber suç dünyasında köklü bir geçmişe sahipti. 50 binden fazla kayıtlı kullanıcısıyla XSS.is, kötü amaçlı yazılım satışı, sistemlere izinsiz erişim, çalıntı veri ticareti ve fidye yazılım hizmetleri gibi faaliyetlerin merkezi konumundaydı. Ayrıca forum, şifreli Jabber sunucusu üzerinden siber suçlular arasında anonim iletişim imkânı da sunuyordu.

Financial dimension and legal process

Europol tarafından yapılan açıklamaya göre, gözaltına alınan şüphelinin forum üzerinden 7 million eurosIt was determined that it generates more income.

Şüpheli hakkında 9 November 2021 tarihinde “veri işleme sistemlerine yönelik saldırılara yardım ve yataklık”, “örgütlü gasp” ve “suç örgütü üyeliği” suçlamalarıyla yasal işlem başlatıldı. Bu operasyon, karanlık ağ üzerindeki benzer platformlara yönelik süren uluslararası baskının bir parçası olarak değerlendiriliyor.

The effect of closure

According to experts, the closure of built -in platforms such as XSS.IS with a wide audience may cause serious gaps in the cyber crime ecosystem.

Kaynak: CUMHA - CUMHUR HABER AJANSI

Identity Theft and Virtual Fraud is increasing
Identity authentication systems used in metavers are often insufficient.

The new world wants new security protocols
Cyber security experts, Metaverse platforms due to the decentralized structures of classical security protocols are not enough, he says.

Legal gaps attract attention
Metaverse platforms in Turkey have not yet been regulated by open legal frameworks.

Kaynak: CUMHA - CUMHUR HABER AJANSI

Systems are locked with ransom software
The attackers make it inaccessible by encrypting patient information, medical records and system management panels.

Patient safety and service continuity are at risk
Such attacks threaten not only data security, but also service continuity.

Health Information Infrastructure should be strengthened
According to experts, most of the health institutions in Turkey have inadequate protection for cyber security.

Kaynak: CUMHA - CUMHUR HABER AJANSI

Universities started to produce solutions
In order to close this gap, many universities open new cyber security departments, while cyber security -oriented lessons are added to the existing computer engineering departments.

Private sector cooperations are expanding
Cyber security companies and technology companies signed protocols with universities and started to organize internship, project and business guaranteed training programs.

The quality and diversity of education should be increased
Experts say that not only at the undergraduate level, but also vocational schools and certificate programs should be expanded.

Kaynak: CUMHA - CUMHUR HABER AJANSI

Cyber crimes and digital threats are growing
Nowadays, many activities carried out in the digital environment, many activities carried out in the digital environment, Yerlikaya, 'Cyber security has become a vital difficulty.

Combating figures against cyber crimes
Yerlikaya, who also shared the data of the Ministry of Interior within the scope of the fight against Cyber Crimes, said that the account bearing a criminal element of 237,753 criminals during the cabinet period was blocked and that the account of the 21.214 account was blocked and the access of the social media account was closed.

INFORMATION SAFETY IS directly related to public order
Referring to the importance of information safety in his speech, Yerlikaya stated that this area is not only a technical issue and that it is a strategic area in terms of public order, social peace and national security.

The work of the Communication Presidency is supported
Yerlikaya, emphasizing the importance of the activities carried out by the Presidency of Communication in the workshop, said that they support the communication activities carried out in order to strengthen the link between the state and the nation.

Kaynak: CUMHA - CUMHUR HABER AJANSI

International Accredited Training Programs
Founded in 2007, Abadnet Institute is an educational organization that has been interested in international accredited programs that serve more than 10,000 students annually.

The first academy was completely filled
The new cooperation started with the first academy of 200 students and all license quotas were completely filled.

Abadnet improves the quality of education with Ine content
Abadnet Institute Operations Director Ahmed Alkathiri pointed out the content quality of Ine Security:

Future -oriented Investment
This cooperation is considered as part of Ine Security's goal of strengthening the digital employment ecosystem in the region and raising high -quality cyber security experts.

Kaynak: CUMHA - CUMHUR HABER AJANSI

Malicious extensions get excessive permits
Malicious add -ons, manifest.json files give them extensive permissions.

They spread by imitating legitimate services
The distribution of extensions is carried out through fake websites that mimic known services such as Deepseek, Manus, Debank, Fortivpn and Site Stats.

Facebook tools may also be used
The DTI team thinks that attackers also use social media platforms to direct users to fake extensions.

Google took action, users are warned
The malicious extensions identified have been removed from the Chrome Web Store by Google.

The risk of manipulation continues
According to Domaintools' findings, some extensions direct users who give low scores to special feedback forms to manipulate user scoring, while directing high scorers directly to the Chrome Store.

Kaynak: CUMHA - CUMHUR HABER AJANSI

The critical security vulnerability called "Citrixbleed 2", which affects Citrix Netscaler products, was found to be targeted by cyber attackers before sharing public abuse codes.

Cyber Security Firm Greynoise announced on 23 June 2025 that HoneyPot systems perceived the attacks on which this deficit was targeted.

Greynoise reported that it was a special label to follow the gap on July 7, and thanks to this label, the attack attempts on past data have become visible.

Citrix remained silent
According to verification with the abuse codes provided by Greynoise, the attacks were directly targeted by the Citrixbled 2 deficit.

On July 15, Citrix released a new blog post on how to detect the symptoms of security in Netscaler systems.

Technical details of the deficit
The Citrixbleed 2 is defined as a memory excess deficit due to insufficient input verification during the login operations in Netscaler systems.

Kevin Beaumont, "/Douthentication.do" on the way to repeated post requests and "Content-Length: 5" requests that may be symptoms of abuse, he said.

Citrix's suggestions were insufficient
Citrix suggested that ICA and PCOIP sessions be terminated with Kill commands to terminate the abused sessions.

DETERMINATION AND SPRING STATUS
According to Beaumont, the deficit was used as of June 20 and became widespread in the following days.

On the other hand, according to the statement made by IMPERVA, the products detected over 11.5 million abuse attempts.

Citrix has released security patches for Netscaler ADC and Gateway and announced that users should urgently pass to supported versions.

Kaynak: CUMHA - CUMHUR HABER AJANSI

23 separate security vulnerabilities were detected
According to the study of cyber security firm Oligo, Apple has up to 23 in the AirPlay protocol.

Risk of Remote Access and Zero Click Attack
Oligo CTO Gal Elbaz, these deficits can be used by computer pirates to organize zero -click attacks, he said.

Safety Call from Apple to users
Apple, the most effective measures against these security deficits, AirPlay feature is disabled and the iPhone to the latest version of the iPhone announced.

Kaynak: CUMHA - CUMHUR HABER AJANSI

The Microsoft Teams Platform has recently been used in social engineering attacks for the recent distribution of malware called Matanbuchus.

Matanbuchus, ilk olarak 2021 yılında karanlık ağda tanıtılan bir Malware-A-A-Service (Maas) hizmeti olarak dikkat çekmişti. Windows sistemlerinde çalışan bu zararlı yazılım, yüklediği kötü amaçlı bileşenleri doğrudan bellekte çalıştırarak antivirüs yazılımlarının tespitinden kaçabiliyor. Yazılım, daha önce 2022 yılında büyük çaplı bir spam kampanyasında Cobalt Strike bileşenlerini dağıtmak için kullanılmıştı.

It infiltrates systems with fake IT calls
Morphisec adlı güvenlik firmasına göre, Matanbuchus'un yeni sürümü olan 3.0 versiyonunda Microsoft Teams üzerinden saldırılar daha yaygın hale geldi. Saldırganlar, hedef kullanıcıya harici bir Teams çağrısı başlatarak kendilerini BT destek personeli gibi tanıtıyor. Ardından, hedef kullanıcıdan Windows’un yerleşik uzaktan yardım aracı olan Quick AssistHe is asked to start.

Quick Assist üzerinden erişim sağlandıktan sonra kullanıcıdan bir PowerShell komutu çalıştırması isteniyor. Bu komut, üç dosya içeren bir ZIP arşivini indirip çıkararak, DLL Side-Loging yöntemiyle Matanbuchus zararlısının yüklenmesini sağlıyor.

Advanced hidden methods
Matanbuchus 3.0 sürümü, önceki versiyonlara kıyasla daha gelişmiş gizlenme ve tespit önleme özellikleri içeriyor. Komut ve kontrol iletişimi RC4 yerine Salsa20 algoritmasıyla sağlanıyor. Zararlı yazılım, yalnızca belirli bölge ve sistemlerde çalışmak üzere Anti-Sandbox kontrolleri uyguluyor.

Windows API çağrıları yerine doğrudan SYSCALL’lar aracılığıyla işlem yapan zararlı, güvenlik yazılımlarını atlatmayı hedefliyor. Bu işlemler, analizden kaçmak için Murmurhash3 adlı non-kriptografik özetleme algoritmasıyla gizleniyor.

The abilities of the malware after working in the system include the fact that PowerShell, CMD, EXE, DLL, MSI and Shellcode files, collect user information and identify security software and adjust the attack method accordingly.

Threat analysis and warnings
In the technical analysis by Morphisec, Matanbuchus has become a significant advanced threat.

In the past, it is known that the Darkgate pest has been distributed through Microsoft Teams in similar ways and that organizations with weak external access settings have been targeted.

Kaynak: CUMHA - CUMHUR HABER AJANSI

VMware has released security updates for four zero -day deficit that affecting virtualization products and abused in the PWN2WN Berlin 2025 competition.

Three of these deficits are defined as high -importance weaknesses that allow the attackers to move from the virtual machine to the main system to run a command.

• CV-2025-41236: VMXNET3 sanal ağ adaptöründe bulunan tamsayı taşması açığı. Bu zafiyet, STARLabs SG’den Nguyen Hoang Thach tarafından kullanıldı.

• CV-2025-41237: VMCI (Virtual Machine Communication Interface) bileşeninde tamsayı alt taşması sonucu oluşan out-of-bounds yazma hatası. Açık, REverse Tactics’ten Corentin Bayet tarafından istismar edildi.

• CV-2025-41238: PVSCSI (Paravirtualized SCSI) kontrolcüsünde bulunan heap overflow zafiyeti. Bu açık, Synacktiv’ten Thomas Bouzerar ve Etienne Helluy-Lafont tarafından kullanıldı.

Each of these three vulnerabilities has 9.3 CVSS points.

Information leakage deficit was also closed
Dördüncü açık olan CV-2025-41239It was defined as a vulnerability that could lead to leakage of information and received 7.1 violence points.

There is no solution other than patch
VMware has announced that it does not offer any temporary solution for these security deficits.

All of the deficits were shown in the PWN2OW Berlin competition held in May 2025.

Kaynak: CUMHA - CUMHUR HABER AJANSI

Doğukan Çalışkan, who works in the fields of Cyber ​​Security and Open Source Intelligence, announced the newly developed geographical location system called Intelsonar.

According to Çalışkan's statement, Intelsonar provides a high accuracy ratio, especially in images that do not contain EXIF ​​data, blurred or reference points.

In the final tests, Intelsonar reached a accuracy rate of more than 92 %in challenging areas such as desert and urban border regions.

Intelsonar, which is still in a closed test phase, is planned to be announced in the coming period.

Kaynak: CUMHA - CUMHUR HABER AJANSI

Highly confidential engineering data and projects belonging to Disneyland Paris in France were leaked to the public as a result of a cyber attack. The data archive, which is 64 GB in total, contains numerous documents and media files regarding the construction process of the park. It was learned that the leak occurred as a result of unauthorized access to the digital systems of a subcontractor company working on various theme areas of Disneyland Paris.
 
Detailed plans leaked
The archive, which consists of 39,000 files in total, includes detailed architectural plans, engineering calculations, geological reports and safety standards for popular areas such as Frozen, Pirates of the Caribbean, Phantom Manor and Big Thunder Mountain. These documents contain critical information regarding the park's infrastructural security and trade secrets.
 
Secret images are also among the files
The leaked documents include more than 4,000 photos and videos. The images are believed to be behind-the-scenes footage taken by Disneyland employees in areas protected by confidentiality agreements. The videos and photos show the construction phases of the theme park.
 
Risk of industrial espionage
Experts say that such large-scale leaks pose not only a risk to brand security, but also a serious espionage opportunity for other companies operating in the amusement park sector. Disneyland Paris management has not yet made an official statement.
 
In the focus of cybersecurity experts
Details about the incident can be accessed via the Intelsonar platform. Developed by local software developers, this platform stands out as one of the most prominent current solutions in the field of cyber threat intelligence. IntelSonar has become an important tool for the early detection and analysis of such leaks.
 
Disneyland Paris Massive 64GB Data Leak: Secret Plans and Engineering Documents Revealed
 
Source: CUMHA - CUMHURS NEWS AGENCY

Play Group Targets 900 Institutions
According to the US Federal Bureau of Investigation (FBI), the Play ransomware group has targeted approximately 900 institutions to date. The group has not only increased the number of attacks, but also diversified its attack techniques. As of May 2025, it continues to carry out active attacks.
 
New Attack Method: SimpleHelp Vulnerability
The vulnerability, coded CVE-2024-57727, was announced to the public on January 16, 2025. The Play group and its threat actors quickly began to exploit this vulnerability. The group, which infiltrated systems via a remote desktop access tool called SimpleHelp, is calling on organizations using this software to update.
 
Ransomware Tailored to Each Victim
To avoid detection, the Play group recompiles its ransomware files for each attack, creating a unique virus for each victim. This method makes detection difficult for antivirus software, revealing the group's technical capabilities.
 
New Threat Type: Telephone Intimidation
The group not only threatens victims by e-mail, but now also by calling them directly. They reach out to numbers belonging to different units of the institutions and put pressure on them by saying, 'We will leak your data'. Specially created e-mail addresses with the extensions "@gmx.de" or "@web.de" are used for each victim.
 
VMware Systems Special Target
The Play group has developed a ransomware specifically designed for VMware ESXi hypervisor systems. It shuts down virtual machines and locks virtual machine files with AES-256 encryption. At the same time, they replace the welcome message in the system interface with a ransom note.
 
Their Own Spyware: GRIXBA
The information-stealing software, called GRIXBA, is a special spy tool developed by the group. This software scans network structures, detects antivirus software and tries to hide under the identity of Zabbix 2023.
 
What Should Institutions Do?
According to CISA's recommendations, the precautions to be taken are listed as follows:
 
    Apply the CVE-2024-57727 patch immediately.
 
    Enable multi-factor authentication, especially on VPN and email systems.
 
    Review your network segmentation.
 
    Check your offline backups.
 
    Update your incident response plan.
 
The Play group is no longer just a ransomware group, but an organized cybercrime network. They pose a serious threat with their rapid technical adaptation, rapid exploitation of new vulnerabilities, and psychological pressure methods.
 
 
 
Source: CUMHA - CUMHURS NEWS AGENCY

What is SS7 and why is it important?
SS7 (Signaling System No. 7) is a signaling protocol that handles critical operations such as call origination, SMS routing, and roaming information sharing among telephone operators worldwide. However, structural vulnerabilities in this system that have persisted for years have allowed attacks, particularly location tracking, call routing, and authentication bypassing.
 
Who is Dogukan Caliskan?
Cyber ​​threat intelligence analyst and exploit developer Doğukan Çalışkan discovered the vulnerability on the dark web. Çalışkan contacted the threat actor directly as the recipient and technically recorded the process.
 
SS7 exploit being sold on the Darkweb
In a post on dark web forums in June 2025, a threat actor offered the SS7 vulnerability for sale for $5,000. The post also included screenshots and nmap scans of a device on which the vulnerability was used. It was observed that the SIP (port 5060) service was open on the device in question and that there were services that processed the SS7 protocol.
 
Contact was established by pretending to be a buyer
Çalışkan contacted the threat actor via the TOX messaging app. Initially, no direct exploit was requested; instead, evidence was requested to determine if it was a scam. The actor shared data showing SS7-related traffic on a device and device scan results.
 
There was a striking phrase in the actor's messages: 'This should still be turned into a working RCE (remote code execution exploit)'. This means that the exploit being sold would need to be developed by a technical processor in its raw form.
 
What do the technical data shown reveal?
The actor stated that there was an Apache server running on devices with an open SIP port and a PHP-based web application was targeted. On these systems, vulnerabilities of services running on CentOS were scanned and it was claimed that there was a potential for RCE.
 
Among the data presented, the following stood out:
 
    Wappalyzer analysis screen
 
    Port scan results with Nmap
 
    SS7 traffic monitored with sngrep and ngrep
 
    Details of services running on the target device
 
The actor also said that credentials for the Asterisk PBX could be accessed, which could allow for control over processes such as call forwarding.
 
Sales method and use of escrow system
The seller stated that they would only work through escrow systems to prevent fraud. In such systems, money is held in an escrow account until the product is verified after payment is made. When Çalışkan requested proof before the transaction, the threat actor provided various technical screenshots.
 
Potential threats of SS7 vulnerabilities
Vulnerabilities in the SS7 infrastructure can be exploited by malicious individuals for the following purposes:
 
    Redirection of SMS messages
 
    Eavesdropping on calls or transferring them to another device
 
    Determining the current location of the target person
 
    Bypassing two-factor authentication
 
However, the most important element that draws attention here is that the actor did not directly make this vulnerability operational, but only provided the necessary technical infrastructure. This suggests that the final use of the vulnerability was left to more advanced groups.
 
Techniques and tools used
The tools and methods that stand out in the incident reported by Çalışkan are as follows:
 
    Targeting with search engines such as Shodan and Fofa
 
    Port scanning and service detection with nmap
 
    SIP and SS7 traffic monitoring with sngrep, ngrep
 
    Software version detection with Wappalyzer
 
    Web vulnerability analysis and potential RCE detection
 
On the radar of advanced groups
As the threat actor noted, these types of vulnerabilities are often the foundation of infrastructures built not for non-technical users but for ransomware groups, advanced persistent threat (APT) teams, and rogue intelligence networks.
 
Infrastructure vulnerabilities such as the SS7 vulnerability can target not only individual users but also corporate systems, public communications, and critical communications infrastructures.
 
 
 
Source: CUMHA - CUMHURS NEWS AGENCY

Cyber ​​Security Board and Presidency Authorized
With the Cyber ​​Security Law accepted by the Turkish Grand National Assembly, new regulations came into force to ensure Türkiye's digital security. While the powers of the Cyber ​​Security Presidency, established in January, were expanded, the Cyber ​​Security Board affiliated to the Presidency was established.
 
This board will have the authority to determine strategies, conduct audits and create security policies to protect Türkiye against cyber threats. In addition, local and national solutions will be encouraged to protect critical infrastructures.
 
New Obligations for Companies and Individuals
The new law covers public and private sector organizations and individuals operating in the digital environment. Accordingly:
 
    Companies will be responsible for identifying and reporting cybersecurity vulnerabilities.
    Only authorized cybersecurity products can be used for public and critical infrastructures.
    Institutions and companies will be required to submit the requested cybersecurity data to the Cybersecurity Presidency in a timely and complete manner.
 
Heavy Fines and Prison Penalties Are Coming
The law provides for severe penalties for companies and individuals that fail to fulfill their cybersecurity obligations:
 
    Companies that create security vulnerabilities will be fined up to 10 million TL.
    Those who spread false data leak news will be sentenced to 2 to 5 years in prison.
    Those who shared previously leaked data were sentenced to 3 to 5 years in prison.
    Those who attack Türkiye's cyber infrastructure will face 8 to 15 years in prison.
 
Cyber ​​Incident Response Team (SOME) to be Established
In order to combat cyber attacks more effectively, a Cyber ​​Incident Response Team (SOME) will be established. This team will detect cyber threats, intervene, and conduct international collaborations. In addition, cyber security drills will be organized for public institutions and critical infrastructures.
 
Cyber ​​Security Presidency Will Be Able to Access Company Data
According to the law, the Cyber ​​Security Presidency will be able to access the information systems of companies and individuals in order to prevent security risks and integrate the necessary software and hardware products into the systems. In addition, the obtained data will be stored for a maximum of two years and will be destroyed at the end of the specified period.
 
The new regulation aims to raise cyber security standards in Türkiye and create a stronger infrastructure against digital threats.
 
 
 
Source: CUMHA - CUMHURS NEWS AGENCY

Important security update from Microsoft
Microsoft has released a new update to close critical security vulnerabilities in Windows 10 and 11 operating systems. This update, which comes as part of the company's monthly "Patch Tuesday", fixes six vulnerabilities actively used in cyberattacks and a total of 57 security vulnerabilities.
 
Critical patches for system security
The update closes vulnerabilities that could allow attackers to remotely access computers and run malicious code. One of the most dangerous vulnerabilities, CVE-2025-24993, allows attackers to take over a system by opening a malicious virtual hard disk file. Microsoft has determined the vulnerability's risk rating as 7.8 and announced that users should update it without delay.
 
In addition, the vulnerability coded CVE-2025-24991 allows attackers to gain unauthorized access to data in the system, while the vulnerability coded CVE-2025-24984 can lead to unwanted data being added to certain log files.
 
Warning from cybersecurity experts
Microsoft also announced that it has closed three more vulnerabilities that are actively used in attacks. Cybersecurity experts consider it an extraordinary situation that so many vulnerabilities are being exploited at the same time. The security research group called Zero Day Initiative emphasizes that system administrators should install the update as soon as possible, stating that the vulnerability coded CVE-2025-26633 has affected more than 600 institutions.
 
This update released by Microsoft aims to make users' systems more secure against cyber threats. Users and system administrators are advised to install the updates without wasting time.
 
 
 
Source: CUMHA - CUMHURS NEWS AGENCY

It has been claimed that TurkNet, one of Türkiye's leading internet service providers, has been subject to a cyber attack. It has been claimed that the static IP addresses of many subscribers have been exposed following the incident, and users are concerned about data security.
 
What is a static IP?
 
A static IP (Internet Protocol) address is an IP address that is manually assigned to a specific device and does not change. It allows devices to be identified on an Internet connection or local network. Unlike dynamic IP addresses, static IP addresses do not change with each reboot.
 
What happens if a static IP is compromised?
 
Static IP addresses hijacked by cyber attackers can pose serious security risks. Attackers can use these addresses to gain unauthorized access to networks or servers. Malware can be spread and firewalls can be bypassed via a hijacked IP address.
 
Additionally, a stolen IP address may be blacklisted if used for illegal activities. This may result in email blocking or access to certain websites being blocked. Users should regularly check their IP addresses and increase security measures to minimize security risks.
 
 
 
Source: CUMHA - CUMHURS NEWS AGENCY

Cities across the U.S. have warned of a new mobile phishing attack targeting drivers. The fake messages pretend to be municipal parking enforcement agencies, notifying drivers that they have unpaid parking tickets. The message warns that if the tickets are not paid by the due date, a $35 daily fee will be added.

This scam method is seen intensively in big cities such as New York, Boston, Detroit, Houston, San Diego, San Francisco. The attacks, which have been ongoing since December, aim to trick users through fake links.

Information is being seized through fake sites
 
Scammers are using Google’s open redirect feature to trick users. Because the redirects are made via Google.com, a trusted domain, these links are not blocked by iMessage on iPhones and direct users to fake payment sites.
 
For example, a fake website for New York City appears to operate under the address "nycparkclient[.]com." When users enter their name and zip code, they are presented with the amount they allegedly owe and asked to click the "Make Payment" button.
 
But one of the most obvious signs of a scam is typos on the payment screen. While the dollar sign ($) is usually written before the number in the US, these fake sites use it attached to the end of the number.
 
Credit Card and Personal Information Are Stolen
 
When victims proceed to pay, scammers request their name, address, phone number, email, and credit card information. This data can be used for identity theft, financial fraud, and other cybercrimes.
 
Authorities stress that people should be careful about messages coming from an unexpected number, not click on suspicious links and report such messages to the authorities.
 
 
Source: CUMHA - CUMHURS NEWS AGENCY
 
 

New Threat: StilachiRAT Trojan
 
Microsoft has announced the discovery of a new malware targeting Google Chrome users. The trojan horse, StilachiRAT, specifically targets cryptocurrency wallets. Popular wallets such as MetaMask, TrustWallet, OKX, and OKX Wallet are among the main targets of this malware. Aiming to steal users’ passwords, keywords, and wallet information, this malware leaks wallet information in the Chrome browser, allowing attackers to obtain it.
 
Attack Method and Results
 
Once infiltrated, StilachiRAT searches for wallet information stored in the browser and sends it to an unknown central system. In this way, users' cryptocurrency accounts can be compromised and investors can experience serious financial losses.
 
Microsoft Warns: Store Crypto Wallets in Hardware
 
Microsoft warned users to protect themselves from this threat and recommended using a strong antivirus software. In addition, it was emphasized that it would be safer to store cryptocurrency wallets in hardware wallets rather than in the browser. This warning shows that users should be more careful about security, especially due to the recent increase in cryptocurrency theft and fraud.
 
Ways to Be Safe
 
One of the most effective ways to increase security for cryptocurrency users is to avoid suspicious links, use reliable security software, and store wallet information offline. These measures provide stronger protection against attacks.
 
 
 
Source: CUMHA - CUMHURS NEWS AGENCY

The month of Ramadan has come with new traps for scammers. Cyber ​​scammers reach out to citizens via social media, SMS and WhatsApp, aiming to access personal data and bank accounts through various methods.
 
Beware of fake aid campaigns
 
Scammers are exploiting the spiritual atmosphere of Ramadan and demanding money under the names of "zakat," "fitra" and "Ramadan package aid." People who present themselves as needy are using the goodwill of citizens by making calls for help through fake accounts. Experts state that aid campaigns shared on social media must be organized with the permission of the governor's office and that it is important to do good research before making a donation.
 
Aydın Ağaoğlu, the President of the Consumer Confederation (TÜKONFED), made a statement on the subject and said, “People who want to do good can become the target of scammers. These people not only demand money, but can also obtain personal data. The people and organizations that will be helped should definitely be investigated well. The most reliable method is to help through official institutions and foundations.”
 
Fake rewards and iftar reservation trap
 
Scammers are trying to deceive citizens not only with requests for help, but also with fake prizes. They are directed to malicious links through messages such as 'You have won a Ramadan package', 'You have won a gift card'. Citizens who click on these links can have malicious software loaded onto their phones, which can then access their bank accounts.
 
Consumers Union Chairman Mahmut Şahin warned against such fraudulent methods, saying, “Free cheese is in a mousetrap. No institution distributes gift certificates or aid packages to random people. Therefore, do not click on the links that come to your phone. In addition, aid should be delivered not only to those who request it, but also to those who really need it and do not request it.”
 
Another method used by scammers is the 'iftar reservation' trap. With messages that say 'your iftar reservation has been activated', citizens are directed to fake links and their account information is seized. Experts emphasize that citizens should be careful against these types of scams, which increase during Ramadan.
 
 
 
Source: CUMHA - CUMHURS NEWS AGENCY

Ramadan continues to be a period when scammers develop new tactics. Cyber ​​scammers collect money from citizens through fake messages spread through social media, SMS and WhatsApp, aiming to access personal data and bank accounts.
 
Fraud Methods Have Diversified
 
Cyber ​​scammers are trying to lure citizens into a trap by sending messages like, "You have won a Ramadan package" or "Your iftar reservation has been activated." People who ask for money under the names of "zakat", "fitra" and "Ramadan package aid" through fake accounts that present themselves as needy people are committing fraud by exploiting spiritual feelings.
 
Experts warn that clicking on malicious links in such messages, especially those sent to phones, could result in bank accounts being emptied and personal data being compromised. It is emphasized that aid campaigns should only be conducted through officially authorized organizations.
 
'The Person to be Helped Should Be Researched Well'
 
Aydın Ağaoğlu, President of the Consumer Confederation (TÜKONFED), stated that citizens who want to do good during Ramadan should be careful and said:
 
“Scammers who pose as needy people exploit the feelings of charitable people. They both extort money and seize personal data. Those who want to help should make their donations through official institutions, foundations and associations.”
 
'Free Cheese in a Mousetrap'
 
Consumers Union Chairman Mahmut Şahin drew attention to the fact that fraudulent methods are increasing and issued the following warning:
 
“Scammers are not only asking for help, they are also trying to trick people with messages like ‘you have won a gift certificate’. It should not be forgotten that free cheese is in a mousetrap. Citizens should not click on such messages and links. They should investigate whether the person is really in need when helping.”
 
Iftar Reservation Trap
 
One of the most common methods used by scammers during Ramadan is iftar reservation messages. Messages that say 'Your iftar reservation has been activated' aim to infiltrate phones and gain access to bank accounts through malicious links they contain.
 
Consumer associations state that fraudulent activities increase as the Ramadan holiday approaches, and emphasize that citizens should be cautious about all kinds of messages and calls.
 
 
 
Source: CUMHA - CUMHURS NEWS AGENCY

Artificial Intelligence-Powered Security Platform from Microsoft
Microsoft has announced its new AI-powered threat analysis platform, 'Sentinel AI+', for corporate networks. This system detects anomalies on the network in real time and analyzes threat intelligence to provide recommendations to security teams. Aiming to reduce the burden on SOC (Security Operations Center) teams, this solution strengthens the use of AI as a decision support tool.
 
New Move from the EU for Artificial Intelligence and Data Security
The European Union is working on a new bill to ensure the safe processing of personal data. Going beyond the GDPR, the draft aims to bring more transparency and accountability to how AI systems work. It is envisioned that companies will develop explainable AI systems and be open to auditing.
 
Alarming Increase in Ransomware Attacks in Türkiye
According to local cybersecurity reports, ransomware attacks increased by 37% in Türkiye in the first quarter of 2025. These attacks, which target SMEs in particular, are easily successful due to weak encryption systems and unupdated infrastructures. Experts state that emphasis should be placed on backup systems, EDR solutions and regular penetration tests.
 
Critical Vulnerability in OpenSSL
The buffer overflow vulnerability, coded CVE-2025-13456, detected in the OpenSSL library puts millions of servers worldwide at risk. It is stated that attackers can run arbitrary code through this vulnerability. Experts emphasize that system administrators should urgently switch to OpenSSL version 3.2.4.
 
Zero Trust Architecture is on the Agenda of Institutions
According to a new report by Gartner, 78% of organizations plan to invest in zero trust architecture by 2025. This architecture provides an effective security layer against both external and internal threats by continuously authenticating users and devices.
 
WhatsApp Security Vulnerability Quickly Fixed
Attackers were able to access private media via WhatsApp thanks to a vulnerability affecting Android users. Meta announced that this vulnerability, coded CVE-2025-09876, has been fixed and users should update the application.
 
Demand for Cybersecurity Training Explodes
Rising threats have also increased interest in cybersecurity training at individual and corporate levels. In particular, certification programs in areas such as SOC analysis, vulnerability analysis, and ethical hacking are in high demand.
 
 
 
Source: CUMHA - CUMHURS NEWS AGENCY

Simultaneous operation in 28 provinces

Kocaeli, Ankara, Kayseri, Adana, Zonguldak, Aksaray, Istanbul and Izmir -based operations in a total of 28 provinces, 103 suspects were detained.

Captured persons, social media platforms and phishing sites through bungalow and bodyal fraud, investment promise of high -earning offers by offering people defrauded people. In addition, it was determined that members of the criminal organization that provides financial management of illegal betting sites laundered their money through screens and crypto assets.

Millions of pounds of assets were confiscated

Within the scope of the operation, 13 vehicles worth 250 million TL, 3 villas, 3 companies, 2 hotels in Istanbul and Aydın, 7.5 million dollars worth of crypto assets and bank accounts were confiscated.

During the raids, unlicensed pistols, a large amount of foreign exchange and Turkish Lira with a large number of digital materials were seized.

Warning from Minister Yerlikaya

Interior Minister Ali Yerlikaya, calling for citizens to be careful against cyber crimes, 'Do not send money to people you do not know, do not believe in the promising offers. The most powerful shield against cyber crimes is awareness. Report suspicious situations to 112 Emergency Call Center 'he said.

Source: Cumha - Cumhur News Agency

Risks Posed by APT Attacks
According to Doğan, undetected APT attacks could have severe consequences, including the following risks:

• Disruption of operational processes
• Major financial losses
• Damage to corporate reputation
• Threats to national security

Why Malware Analysis is Crucial
In combating APT attacks, Doğan emphasized the importance of malware analysis. He noted that by utilizing sandbox and dynamic analysis methods, the techniques used by attackers can be decrypted, which in turn strengthens security measures. This allows organizations to detect and mitigate potential threats more effectively.

Threat Intelligence Provides Proactive Defense
Doğan also pointed out that malware intelligence plays a critical role in cybersecurity. He explained that such intelligence provides several key benefits:

• Potential threats can be detected early
• Security teams can take faster action against attacks
• Critical infrastructures can be proactively protected

Proactive Approach is Essential in Cybersecurity
Doğan concluded by stating that reactive solutions alone are insufficient to defend against APT attacks. He stressed that continuous malware analysis and up-to-date threat intelligence are indispensable for protecting critical infrastructures in the long run.

Exploitation of File Copy Mechanism
The vulnerability was discovered by security researcher Naor Hodorov and revolves around the file copying mechanism used by the AnyDesk service running on Windows systems. When a new session is initiated, AnyDesk copies the current desktop wallpaper to the C:\Windows\Temp folder. This process allows low-privileged users to read and potentially control certain files within this folder.

Unauthorized File Access and Privilege Escalation
A low-privileged user can manipulate the process by changing the desktop wallpaper and controlling which file gets copied to C:\Windows\Temp. However, the copied file is only accessible by system administrators and NT AUTHORITY\SYSTEM. To bypass this restriction, an attacker can place a file with the same name in the C:\Windows\Temp directory before the copy operation, allowing them to access the copied file.

Additionally, attackers can exploit the Windows-created HarddiskVolumeShadowCopy (Shadow Copies) mechanism to access system files. Following these steps, attackers can elevate their local privileges:

1. Place a file with the target name in C:\Windows\Temp beforehand.
2. Trigger the copy operation using an oplock (file lock).
3. Redirect the folder containing the wallpaper to the NT Object Manager Namespace.
4. Use shadow copies to access SAM, SYSTEM, and SECURITY files.
5. Gain administrator privileges by utilizing the obtained data.

Disclosure Timeline
The vulnerability was reported to AnyDesk developers on July 24, 2024. After being tracked through Trend Micro’s Zero Day Initiative (ZDI), the flaw was publicly disclosed on December 19, 2024. Details about the CVE and ZDI can be found through the provided link.

To prevent exploitation of this vulnerability, AnyDesk users are advised to follow updates and review their system security settings promptly.

The attacks accelerated after the release of a Proof-of-Concept (PoC) exploit code.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has classified this vulnerability as critical. It impacts SonicOS versions 7.1.x (up to version 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035, which are commonly used in Gen 6 and Gen 7 firewalls, as well as SOHO series devices.

SonicWall issued security updates on January 7 to address the flaw and urged customers to update their systems immediately. For those unable to update, the company recommended restricting device access to trusted sources only and cutting off internet access entirely.

However, the publication of PoC exploit code by Bishop Fox security researchers on February 10 has shown attackers how to exploit the vulnerability. Following this release, Arctic Wolf, a cybersecurity firm, reported a sharp increase in attack attempts.

Over 4,500 Devices Vulnerable
Internet scans conducted by Bishop Fox researchers on February 7 revealed that more than 4,500 SonicWall SSL VPN servers remain unprotected against the vulnerability. The company warned that these devices are easy targets for attackers and urged administrators to apply security patches as soon as possible.

Previously, ransomware groups Akira and Fog were known to have targeted SonicWall firewalls. According to a report published by Arctic Wolf in October, at least 30 cyberattacks were traced back to compromised SonicWall VPN accounts.

Experts emphasize that SonicWall users must immediately update their devices to close the security hole. If updates are not possible, disabling the SSLVPN service is recommended.

On February 12, Palo Alto Networks issued a security bulletin urging system administrators to upgrade to the following versions immediately:

• 11.2.4-h4 or later
• 11.1.6-h1 or later
• 10.2.13-h3 or later
• 10.1.14-h9 or later

The PAN-OS 11.0 version is also impacted by the vulnerability, but since it has reached its end of life, no security updates will be provided. Therefore, users of this version are strongly advised to upgrade to a supported release.

Security Researchers’ Warning
The vulnerability, CVE-2025-0108, was discovered by cybersecurity firm Assetnote and reported to Palo Alto Networks. In a technical report published after the patch release, the researchers demonstrated that attackers could exploit this flaw to extract sensitive system data, view firewall configurations, or alter specific settings.

The attackers leverage a confusion between Nginx and Apache servers within PAN-OS to bypass authentication and gain system access.

Surge in Attack Attempts
Cyber threat monitoring platform GreyNoise has recorded an increasing number of attack attempts targeting unpatched PAN-OS systems. As of February 13, 17:00 UTC, attacks originating from multiple IP addresses and threat actors attempting to exploit this vulnerability have been observed.

Additionally, Yutaka Sejiyama, a security researcher at Macnica, revealed that over 4,400 PAN-OS devices worldwide still have their management interfaces exposed to the internet.

Defense Recommendations
Experts predict a rise in attack attempts due to the public disclosure of this vulnerability. To mitigate the risk, the following measures are recommended:

• Immediate application of security patches
• Restricting access to the firewall management interface
• Implementing additional security controls to prevent unauthorized network access

If exploited, this vulnerability could place systems in significant jeopardy, underscoring the need for prompt action from authorities and system administrators.

The government denied allegations that the spyware targeted Italian journalist Francesco Cancellato and activist Luca Casarini. Cancellato serves as the editor-in-chief of the news site Fanpage.it, while Casarini works for the civil society organization Mediterranea Saving Humans, which assists migrants.

Several European countries were targeted

The Italian National Cybersecurity Agency (ACN) stated that it had contacted WhatsApp and its legal firm, Advant, determining that at least seven individuals in Italy had been targeted by the spyware. However, WhatsApp declined to disclose their identities due to privacy concerns.

According to WhatsApp, similar targeting occurred in several European countries, including Austria, Belgium, Cyprus, Czechia, Denmark, Germany, Greece, Latvia, Lithuania, the Netherlands, Portugal, Spain, and Sweden.

While WhatsApp did not directly respond to the Italian government's claims, it previously stated that 90 individuals had been affected by the spyware, spanning more than two dozen countries worldwide.

Paragon Solutions denies the accusations

In a statement on Tuesday, Paragon Solutions claimed that it sells its spyware technology exclusively to the U.S. government and other "allied" nations. The company emphasized that its strict terms of use prohibit targeting journalists and civil society representatives and that it would terminate relationships with clients who violate these policies.

However, the company did not directly confirm whether the countries mentioned by the Italian government were indeed its customers.

The Italian National Cybersecurity Agency and the Prime Minister's Office declined to comment on the matter.

Rise in Ransomware Attacks
Ransomware attacks also soared to their highest levels in history, with over 5,600 incidents reported globally in 2024. Ransom payments broke records, with the notorious Dark Angels hacker group demanding $75 million in a single attack. Major security breaches hit financial institutions across China, Japan, South Korea, and India.

Crypto Exchanges Under Heavy Cyberattacks
Cryptocurrency exchanges became prime targets for hackers, with $2.2 billion worth of digital assets stolen throughout the year. North Korea-linked hacking groups alone were responsible for illicit transactions worth $800 million, primarily targeting Asia-based exchanges.

Crypto’s Role in Drug Trade and Sanctions Evasion
Cryptocurrencies continued to play a crucial role in drug trafficking and illicit fund transfers. Reports indicate that insurgent groups in Asia used blockchain networks for untraceable transactions. Stablecoins like USDT were increasingly utilized for illegal activities due to their ease of transfer and price stability.

As digital crimes escalate, cybersecurity experts warn that regulatory oversight and advanced fraud detection technologies are urgently needed to combat evolving threats in the crypto space.

Once the distraction is in place, attackers impersonate "Help Desk" or "IT Support" on Microsoft Teams, reaching out to targeted individuals. According to NVISO Labs, they attempt to manipulate victims into granting remote access using tools like Quick Assist or AnyConnect, allowing them to take full control of their systems.

Attack Execution Through Microsoft Teams
These social engineering attacks on Microsoft Teams can lead to severe security breaches. Attackers use their access to:

• Bypass security controls
• Extract sensitive data
• Deploy malicious software

How to Detect and Prevent These Attacks
NVISO Labs has shared several key indicators that can help organizations detect such cyber threats:

• Sudden Increase in Email Traffic: A spike in spam or phishing emails could indicate the start of an attack.
• Suspicious Usernames on Microsoft Teams: Be cautious of accounts with names like "Help Desk" or "Support."
• Unusual Use of Remote Access Tools: Unauthorized use of Quick Assist or AnyConnect may signal a breach attempt.
• Timing Between Email Flooding and Chat Messages: If a Microsoft Teams chat starts within three hours of an email bombing event, it should be investigated.

As social engineering attacks become more sophisticated, experts recommend organizations improve user awareness training and implement strict authentication policies to minimize risks.

Salt Typhoon's Espionage Tactics
Scott Caveza, a research engineer at Tenable, noted that Salt Typhoon uses specialized malware to remain undetected within victim networks for extended periods. Malware like GhostSpider, SnappyBee, and Masol are the primary tools used by this group for espionage operations. These persistent attackers utilize remote code execution to infiltrate and control targeted systems.

In addition to Salt Typhoon, other Chinese government-backed groups such as Volt Typhoon and Flax Typhoon have been using similar tactics but targeting different sectors. Volt Typhoon, for example, is focused on disrupting U.S. critical infrastructure with an eye on disabling key systems during potential conflicts. Meanwhile, Flax Typhoon targets IoT devices to create botnet networks for future cyber-attacks.

Congress Focuses on China's Cyber Threats
In a recent session of the U.S. House of Representatives Homeland Security Committee, China’s growing cyber threats were highlighted as one of the primary topics. Experts emphasized that China poses the most "capable and opportunistic" cyber threat to the U.S.

Former U.S. Navy Rear Admiral Mark Montgomery explained that Volt Typhoon’s operations are designed to disrupt the speed and efficiency of military operations by targeting logistics networks. He described these actions as "preparing the battlefield" in the context of potential warfare.

Urgent Action Needed
Caveza stressed the importance of organizations regularly patching their publicly accessible devices and swiftly addressing known vulnerabilities despite persistent attacks from these threat groups. "It’s vital for organizations to close these security gaps quickly to protect against further exploitation," he said.

How the Vulnerability Was Exploited
Security researchers revealed that the leaked data was accessed using a vulnerability in the ClickHouse HTTP interface. By exploiting this flaw, attackers could run arbitrary SQL queries directly through a web browser. This kind of vulnerability presents a significant opportunity for cybercriminals, according to experts.

DeepSeek’s Response and Measures Taken
DeepSeek confirmed the security flaw and stated that patches have been applied to address the issue. However, this incident brings the risks of data security in AI-related ventures back into focus. Experts highlight the growing importance of securing databases and access control in organizations, particularly those in the AI sector.

Leaked Data
The data leaked due to this security flaw includes:

• Over 1 million log records
• User chat histories
• Sensitive API keys and access credentials
• Backend system details and operational metadata

Expert Warnings and Risks
This breach underscores the need for companies to strengthen their data security measures. Experts specifically warn AI companies to tighten their database access controls and to be more vigilant about securing sensitive data to prevent similar incidents in the future.

Gaining Trust with the USOM Name
Scammers are using the name of Turkey’s National Cyber Incident Response Center (USOM) to claim they will help individuals who have fallen victim to cyberattacks. However, their real goal is to steal personal and financial information from the victims.

Instagram Information Collection Trap
The fraudsters ask victims to fill out a fake "Contact Form" on Instagram, requesting the following information:

• How much money have you lost? (A rough amount is asked.)
• When did this loss occur? (Month and year details are requested.)
• Share the details of the incident. (They ask for information about the fraud method, transaction details, and company name.)
• Contact information: Name, surname, email, and phone number.

How Scammers Bypass Filters on Social Media
Fraudsters use various techniques to bypass Instagram's fraud filters. Unlike standard scams, they collect data using an official-looking form and use video ads to gain the victim's trust.

Warning from Ebubekir Bastama
Ebubekir Bastama warns that no information should be entered into such fake ads or forms. He also advises that any suspicious content encountered on social media platforms should be reported to the relevant platform authorities.

Precautionary Measures to Protect Against Fraud
Bastama outlines how users can protect themselves from fraud:

• Verify the authenticity of announcements that claim to come from official institutions.
• Do not fill out unknown links or forms.
• Use the official support channels of Instagram and other social media platforms.
• Report suspicious ads to the relevant platforms to prevent their spread.
• Never provide personal or financial information in social media ads.

Limited Authorities of Cybersecurity Units

Osman Doğan pointed out that the cybersecurity units in many organizations have limited authority within their structure, making it difficult to implement risk-mitigating measures. He stated, "Cybersecurity teams are unable to take necessary actions to minimize risks because they are denied sufficient authority."

Insufficient Budgets and Human Resources Pose Major Problems

Doğan also mentioned that the budgets allocated to cybersecurity departments are inadequate, and this shortage, combined with a lack of qualified personnel, further exacerbates security vulnerabilities. "Companies are not allocating enough budget and expert staff despite the increasing cybersecurity threats," he said.

Penetration Testing is Inadequate

The cybersecurity expert emphasized that many organizations conduct penetration tests only once a year, which he argued is insufficient. "Digital assets are constantly evolving, but companies create significant risks by failing to perform regular security tests," Doğan added.

Serious Deficiencies in DevSecOps Processes

Doğan criticized the security processes in software development, saying, "There are serious deficiencies in automated and manual testing, preventing the early detection of security vulnerabilities." He highlighted that the lack of robust DevSecOps processes exposes organizations to greater risks.

Data Leaks and Insider Threats Go Undetected

According to Doğan, existing security vulnerabilities are not limited to external threats. Insider threats and data leaks also pose significant challenges. "Many institutions learn about data breaches through social media or third-party sources," he noted.

Malware and Security Solution Deficiencies

Doğan also discussed how malware hidden in documents sent to company employees often goes undetected due to flaws or misconfigurations in existing security solutions. "These errors make it easier for attackers to gain access to systems," he explained.

Configuration Mistakes in Cloud Systems Are Widespread

He stressed that misconfigurations in cloud-based systems, incorrect network segmentation, and insufficient access control mechanisms create major security risks. "Companies need to be more cautious about this issue," Doğan advised.

Cybersecurity Must Become a Culture

Finally, Doğan emphasized that cybersecurity should not solely be the responsibility of the relevant departments but must be ingrained across the entire organization. "Companies need to spread security awareness to all employees. Cybersecurity is not a luxury; it is the only way to survive in the digital world’s ongoing battle," he concluded.

Haberi Yapan: Ebubekir Bastama

Security Vulnerabilities Identified
Under the terms of the contract, HNFS was required to comply with cybersecurity controls outlined in 48 C.F.R. § 252.204-7012 and the National Institute of Standards and Technology (NIST) Special Publication 800-53. However, HNFS reportedly neglected several critical security measures, including:

• Failure to scan systems for security vulnerabilities and promptly address issues
• Ignoring risks outlined in audit reports and failing to take corrective actions
• Not implementing asset management, access control, firewall protections, and patch management
• Using outdated hardware and software
• Not enforcing strong password policies

The U.S. Department of Justice also revealed that HNFS submitted false compliance certifications on at least three occasions: November 17, 2015, February 26, 2016, and February 24, 2017.

Company Denies Allegations
While HNFS and Centene deny any data breaches or information leaks, they have agreed to pay the $11.25 million fine as part of a settlement. However, the agreement does not exempt the companies from potential future criminal or administrative penalties if new evidence arises.