#FactCheck- AI-Generated Image of Narendra Modi Goes Viral Ahead of Kerala Elections
Executive Summary
As Kerala gears up for its upcoming Assembly elections, political activity has intensified across the state. Amid this charged atmosphere, a purported image of Narendra Modi has gone viral on social media. The image shows the Prime Minister holding coconuts, with several photographers around him. It is being claimed that the photo was taken during his recent visit for the 2026 Kerala Assembly election campaign.
However, research by CyberPeace has debunked the claim, confirming that the image is fake and was generated using artificial intelligence.
Claim
A Facebook user named “Javed Ahmad” shared the viral image on April 6, 2026, with a sarcastic caption suggesting that the Prime Minister was posing for reels during his Kerala visit.
- https://www.facebook.com/Ahmadspeaks4u/posts/pfbid0aRnhwXBjnfSXF9S48vaH1gTQrGQmxnRmhpJCRxMWazqLJhYs6zxM9rot51qtBgRLl
- https://perma.cc/N3AM-Q2YC

Fact Check
To verify the claim, we conducted keyword searches on Google but found no credible news reports supporting it. A reverse image search also did not yield any reliable sources. Additionally, a thorough review of the Prime Minister’s official social media accounts showed no trace of such an image or event. Given these inconsistencies, suspicion arose about the image’s authenticity.
The viral image was then analyzed using AI detection tools. Results from HIVE Moderation indicated a 99% probability that the image is AI-generated.

Another tool, Wasit AI, also confirmed that the image is artificially created.

Conclusion
The claim is false. The viral image of Prime Minister Narendra Modi is not real and has been generated using AI tools, likely similar to Google AI.
Related Blogs

Executive Summary:
A new trend in today's threat landscape: threat actors used to take an average of one hour and seven minutes to leverage Proof-of-Concept (PoC) exploits after they went public, but that time is now at a record low of 22 minutes. Such fast exploitation leaves organizations' IT departments very little time to address these issues and close the gaps before they are exploited. Cloudflare's Application Security report shows that attacks often arrive faster than people can create and deploy security countermeasures such as WAF rules and software patches. In one case, Cloudflare observed an attacker using a PoC-based attack a mere 22 minutes after the PoC was released, leaving almost no window for remediation.
Despite the constant growth of vulnerabilities in various applications and systems, the share of exploited vulnerabilities that are accompanied by some level of public exploit or PoC code has remained relatively stable over the past several years, fluctuating around 50%. Of the vulnerabilities with publicly known exploit code, 41% were initially attacked in zero-day mode, while of those with no known code, 84% were first attacked in the same mode.
Modus Operandi:
The modus operandi of the attack involving the rapid weaponization of proof-of-concept (PoC) exploits is characterized by the following steps:
- Vulnerability Identification: Threat actors identify a vulnerability in the software or hardware of a system; this may be a code error, a design failure, or a configuration error. This is normally achieved using vulnerability scanners and manual test procedures.
- Vulnerability Analysis: After the vulnerability is identified, the attackers study how it operates to determine when and how it can be triggered and what the consequences will be. This means analyzing the details of the PoC code or the system to find the sequence of steps that leads to exploitation.
- Exploit Code Development: Knowing the weakness, the attackers develop a small program or script, the PoC, that targets only the identified vulnerability and exercises it in a controlled manner. This code is meant to demonstrate a particular impact, such as unauthorized access or alteration of data.
- Public Disclosure and Weaponization: The PoC exploit is released, frequently shortly after the vulnerability has been announced to the public. This makes it easier for attackers to exploit the flaw while the software developer is still preparing a patch. To illustrate, Cloudflare has spotted an attacker using a PoC-based exploit only 22 minutes after its publication.
- Attack Execution: The attackers then use the weaponized PoC exploit against systems known to be vulnerable to it. Actions attempted in this context include remote code execution, unauthorized access, and so on. This often happens much faster than humans can put proper defenses in place, such as WAF rules or software fixes.
- Targeted Operations: Sometimes the exploitation is part of a planned operation in which the attackers are selective about the system or organization they attack. For example, CVE-2022-47966 in ManageEngine software was exploited during an espionage operation, in which the attackers used the vulnerability to install espionage-related tools and malware.
Precautions: Mitigation
Following are the mitigating measures against the PoC Exploits:
1. Fast Patching and New Vulnerability Handling
- Introduce proper patching procedures so that released security updates and disclosed vulnerabilities are addressed quickly.
- Prioritize patching vulnerabilities that have available PoC exploits, since these risk being exploited almost immediately.
- Frequently check for new vulnerability disclosures and PoC releases, and have an incident response plan prepared for this purpose.
2. Leverage AI-Powered Security Tools
- Employ intelligent security applications that can quickly generate the required protection rules and signatures as attackers ramp up the weaponization of PoC exploits.
- Step up the use of artificial intelligence (AI)-powered endpoint detection and response (EDR) applications to quickly detect and mitigate exploitation attempts.
- Integrate AI-based SIEM tools to detect and analyze indicators of compromise and enable a faster reaction.
3. Network Segmentation and Hardening
- Use strong network segmentation to prevent attackers from moving across the network and to limit the effects of successful attacks.
- Secure anything that is accessible from the internet, as well as services and protocols such as RDP, CIFS, or Active Directory.
- Limit the usage of native scripting applications as much as possible because cyber attackers may exploit them.
4. Vulnerability Disclosure and PoC Management
- Inform vendors of bugs and PoC exploits, and make sure there is a common understanding of when they are reported, to ensure fast response and mitigation.
- Incorporate mechanisms such as digital signing and encryption for managing and distributing PoC exploits, to prevent them from being accessed by unauthorized persons.
- PoC exploits should be simple and self-contained, with clear and meaningful variable and function names, to help reduce the time spent on triage and remediation.
5. Risk Assessment and Response to Incidents
- Maintain constant monitoring of the environment to identify signs of compromise as well as attempts at exploitation.
- Support frequent detection, analysis, and countering of threats that use PoC exploits against the system and its components.
- Regularly communicate with security researchers and vendors to understand the existing threats and how to prevent them.
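The monitoring and fast-response measures above can be checked after each PoC release by measuring how long attackers took and what arrived before the mitigation was in place. The following is an added example, not code from the original article or from Cloudflare; the log format, request signature, timestamps, and IP addresses are all constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed events: when the PoC became public and when a blocking rule went live.
POC_PUBLISHED = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
RULE_DEPLOYED = datetime(2024, 1, 10, 13, 30, tzinfo=timezone.utc)
# Hypothetical request signature for the disclosed flaw (placeholder path).
SIGNATURE = re.compile(r"/api/v1/placeholder-vulnerable-endpoint")

# Constructed access-log lines: ISO timestamp, client IP, method, path, status.
LOG = """\
2024-01-10T11:50:02+00:00 198.51.100.7 GET /index.html 200
2024-01-10T12:22:41+00:00 203.0.113.9 POST /api/v1/placeholder-vulnerable-endpoint 200
2024-01-10T12:40:10+00:00 198.51.100.23 POST /api/v1/placeholder-vulnerable-endpoint 500
2024-01-10T13:05:33+00:00 203.0.113.9 POST /api/v1/placeholder-vulnerable-endpoint 200
2024-01-10T13:45:00+00:00 192.0.2.44 POST /api/v1/placeholder-vulnerable-endpoint 403
truncated-line-without-fields
"""


def exposure_report(log_text, signature, published, mitigated):
    """Summarise exploitation attempts seen after a PoC was published."""
    attempts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not signature.search(parts[3]):
            continue  # skip malformed lines and unrelated requests
        ts = datetime.fromisoformat(parts[0])
        if ts >= published:
            attempts.append((ts, parts[1], int(parts[4])))
    attempts.sort()
    if not attempts:
        return {"first_attempt_minutes": None, "before_mitigation": 0, "needs_review": []}
    before = [a for a in attempts if a[0] < mitigated]
    return {
        # Whole minutes between PoC publication and the first matching request.
        "first_attempt_minutes": int((attempts[0][0] - published).total_seconds() // 60),
        "before_mitigation": len(before),
        # Requests that were not rejected before the rule existed may have succeeded.
        "needs_review": sorted({ip for _, ip, status in before if status < 400}),
    }


if __name__ == "__main__":
    print(exposure_report(LOG, SIGNATURE, POC_PUBLISHED, RULE_DEPLOYED))
```

Sources listed under `needs_review` reached the endpoint without being rejected before the rule existed, so they are the ones to hand to incident response first.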
Conclusion:
The rapid process of monetization of Proof of Concept (PoC) exploits is one of the most innovative and constantly expanding global threats to cybersecurity at the present moment. Cyber security experts must react quickly when applying patches, incorporate AI into their security tools, segment their networks efficiently, and always heed vulnerability announcements. A stronger incident response plan would aid in handling these kinds of threats. By applying the measures mentioned above, organizations will be able to counter the accelerating weaponization of PoC exploits and reduce the likelihood of being affected by cyber attacks.
Reference:
https://www.mayrhofer.eu.org/post/vulnerability-disclosure-is-positive/
https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware
https://www.balbix.com/insights/attack-vectors-and-breach-methods/
https://blog.cloudflare.com/application-security-report-2024-update
Introduction
India's digital governance system is experiencing a significant transformation. The Department of Telecommunications (DoT) has extended the deadline for implementing SIM binding requirements for messaging platforms to December 31, 2026, while also stepping back from earlier proposals such as mandatory periodic web logouts.
The government extended the current proposal but decided to cancel its previous requirement, which mandated messaging platforms to implement mandatory logout periods.
The authorities are said to have implemented this action to control the increasing occurrence of digital impersonation, financial fraud, online scams and identity theft, which occur through messaging applications.
What Has Changed
The SIM binding mandate, which the Telecommunication Cyber Security framework introduced in late 2025, requires messaging platforms to keep user accounts connected to active SIM cards that match their registered mobile numbers.
Platforms received a brief period for compliance with the original rules. Industry stakeholders, which included messaging services and device manufacturers, reported that they faced major technical and operational problems when trying to constantly verify SIM status on different devices and operating systems.
The government postponed the compliance date to December 2026 to give organisations extra time for the gradual implementation of requirements. The policy now permits platforms to use risk-based or adaptive logout mechanisms, which let them manage security on their web messaging applications without enforcing a uniform logout procedure.
Why the Extension Was Necessary
The extension recognises both technical feasibility constraints and the ecosystem's complex nature. Messaging platforms currently run across multiple devices, including smartphones, desktops, and web interfaces, with real-time synchronisation. Maintaining active SIM verification across all of these environments requires integration with operating systems and hardware components, and stakeholders estimated that this would take time to achieve properly.
Operating system providers and smartphone manufacturers expressed their worries about system limitations, including testing procedures and compatibility problems.
Through its deadline extension, the government recognised that security requirements need to be technically feasible and scalable so that they can function properly without causing service interruptions or requiring immediate implementation.
Security Rationale Behind SIM Binding
The main purpose of the SIM binding system is to enhance accountability while protecting digital communication systems from unauthorised use. Authorities have identified that messaging accounts can remain active even after the associated SIM card is removed, deactivated, or moved across regions. This creates paths for criminals to commit fraud, impersonation, and cybercrime across international borders, because they can use digital identities that are hard to trace.
The SIM binding system exists to solve this problem by:
- Requiring active, Virtual KYC-verified SIMs to authenticate messaging accounts.
- Preventing users from accessing the system until they connect their active SIM.
- Maintaining the capacity to track and authenticate digital identities.
The measure aims to eliminate a security gap in digital communication systems that is currently used for fraudulent activities and identity theft.
Shift Toward Risk-Based Regulation
The current development marks a major change because it moves away from fixed rules that dictate what organisations must do and toward risk assessment methods. The previous plan, which required users to log out of web sessions every six hours, has been replaced by an approach in which platforms log users out based on their own risk assessment. The shift demonstrates that cybersecurity measures need to be context-specific and matched to the existing environment. Standard rules are hard to apply because users exhibit varied behaviours while using different devices on multiple platforms.
The risk-based model enables platforms to detect suspicious activity through dynamic monitoring, applying strict security measures in high-risk situations while preserving access during periods of low risk.
Implications for the Digital Ecosystem
The extension, together with its related policy alterations, has significant effects for organisations. The extra time allows the industry to build systems that work across different ecosystems, test their implementations, and meet the required operational standards.
The shift shows policymakers that regulations should be developed through a process that combines multiple rounds of assessment with stakeholder input.
For users, the upcoming changes will be largely invisible, but they will shape future methods of digital identity verification and the security functions of communication platforms.
Conclusion
The extension of the SIM binding deadline represents a new approach to regulation rather than a regulatory rollback. Creating secure digital environments requires both dedicated effort and actual implementation.
India needs to establish secure, scalable, and user-friendly systems while advancing its digital infrastructure development. The current developments show progress toward a solution that meets cybersecurity needs while considering technological realities and user experience. In modern interdependent systems, organisations face two main obstacles: protecting their systems while maintaining user trust, and sustaining their ability to operate over extended periods.
References
- https://www.thehindu.com/sci-tech/technology/government-shelves-periodic-web-logout-for-chat-apps-extends-sim-binding-to-december-31/article70811929.ece
- https://www.gadgets360.com/telecom/news/dot-sim-binding-mandate-extension-2026-report-11301917

Starting in mid-December 2024, a series of attacks has targeted Chrome browser extensions. Cyberhaven, a data protection company based in California, fell victim to one of these attacks. Though identified in the U.S., the geographical extent and potential of the attack are yet to be determined. Assessing these cases can help us be better prepared for such incidents if they occur in the near future.
The Attack
Browser extensions are small software applications that add functionality or a feature to a web browser. They are written in CSS, HTML, or JavaScript and, like other software, can be coded to deliver malware. Also known as plug-ins, they have access to their own set of Application Programming Interfaces (APIs). They can also be used to remove unwanted elements, such as pop-up advertisements and auto-play videos, when one lands on a website. Some examples of browser extensions include ad-blockers (for blocking ads and content filtering) and StayFocusd (which limits the time users spend on a particular website).
In the aforementioned attack, the publisher of the browser extension at Cyberhaven received a phishing mail from an attacker posing as Google Chrome Web Store Developer Support. It claimed that the extension did not comply with store policies and encouraged the user to click on the “Go to Policy” action item, which led the user to a page that granted permissions to a malicious OAuth application called Privacy Policy Extension (Open Authorisation is an adopted standard that is used to authorise secure access through temporary tokens). Once the permission was granted, the attacker was able to inject malicious code into the target’s Chrome browser extension and steal user access tokens and session cookies. Further investigation revealed that logins of certain AI and social media platforms were targeted.
CyberPeace Recommendations
As attacks of this kind continue to occur, companies and developers are encouraged to take active measures that make their browser extensions less susceptible to them. Google also has a few guidelines on how developers can safeguard their extensions from their end. These include:
- Minimal Permissions For Extensions- Extensions should request only minimal permissions, limited to the APIs and websites they depend on, since limiting extension privileges limits the surface area an attacker can exploit.
- Prioritising Protection Of Developer Accounts- A security breach on this end could compromise all users' data, as it would allow attackers to tamper with extensions using malicious code. Two-factor authentication (2FA) with a security key is endorsed.
- HTTPS over HTTP- HTTPS should be preferred over HTTP as it requires a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificate from an independent certificate authority (CA). This creates an encrypted connection between the server and the web browser.
Lastly, as was done in the case of the attack at Cyberhaven, it is encouraged to promote the practice of transparency when such incidents take place to better deal with them.
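The minimal-permissions and HTTPS recommendations above can be enforced as a pre-publication check on the extension's `manifest.json`. The following is an added example, not code from Google, Cyberhaven, or the original article; the list of sensitive API permissions, the severity labels, and both sample manifests are assumptions constructed for illustration.

```python
import json

# Chrome match patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions treated as sensitive in this example (an assumed, non-exhaustive list).
SENSITIVE_APIS = {"cookies", "webRequest", "tabs", "history", "debugger"}


def is_host_pattern(p):
    return p == "<all_urls>" or "://" in p


def audit_manifest(manifest_text):
    """Return (severity, message) findings for a Chrome extension manifest."""
    m = json.loads(manifest_text)
    declared = m.get("permissions", [])
    # Manifest V2 lists host patterns inside "permissions"; V3 uses "host_permissions".
    hosts = [p for p in declared if is_host_pattern(p)] + m.get("host_permissions", [])
    apis = [p for p in declared if not is_host_pattern(p)]
    for script in m.get("content_scripts", []):
        hosts += script.get("matches", [])

    findings = []
    broad = sorted({h for h in hosts if h in BROAD_HOSTS})
    for h in broad:
        findings.append(("HIGH", f"host pattern {h} grants access to every site"))
    for h in sorted({h for h in hosts if h.startswith("http://") and h not in BROAD_HOSTS}):
        findings.append(("LOW", f"host pattern {h} allows plain HTTP"))
    for api in sorted(set(apis) & SENSITIVE_APIS):
        # A sensitive API is far more dangerous when the host scope is unrestricted.
        sev = "HIGH" if broad else "MEDIUM"
        findings.append((sev, f"sensitive API permission: {api}"))
    return findings


# Constructed sample manifests (not taken from any real extension).
OVERBROAD = json.dumps({
    "manifest_version": 3,
    "name": "example-overbroad",
    "permissions": ["cookies", "storage", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["http://intranet.example/*"], "js": ["cs.js"]}],
})
SCOPED = json.dumps({
    "manifest_version": 3,
    "name": "example-scoped",
    "permissions": ["storage"],
    "host_permissions": ["https://app.example.com/*"],
})

if __name__ == "__main__":
    for name, text in (("overbroad", OVERBROAD), ("scoped", SCOPED)):
        print(name, audit_manifest(text))
```

Run in a release pipeline, a check like this makes any permission increase visible in review, which matters when a hijacked developer account is used to push an update.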
References
- https://indianexpress.com/article/technology/tech-news-technology/hackers-hijack-companies-chrome-extensions-cyberhaven-9748454/
- https://indianexpress.com/article/technology/tech-news-technology/google-chrome-extensions-hack-safety-tips-9751656/
- https://www.techtarget.com/whatis/definition/browser-extension
- https://www.forbes.com/sites/daveywinder/2024/12/31/google-chrome-2fa-bypass-attack-confirmed-what-you-need-to-know/
- https://www.cloudflare.com/learning/ssl/why-use-https/