#data-exfiltration · 8sync News

Akira, LimeWire, and the Sour Taste of Data Exfiltration

A Huntress SOC investigation uncovered an Akira ransomware affiliate using an unusual attack chain: the threat actor accessed a hypervisor, spun up a new virtual machine (bypassing installed security tooling), disabled Microsoft Defender, archived target data with WinRAR, and exfiltrated it via Easyupload.io — a file-sharing site now owned by the rebranded LimeWire platform. The VHDX image of the VM provided forensic analysts a clear timeline of attacker activity, including Active Directory enumeration, lateral movement to file servers, and rapid ransomware deployment. The incident highlights how RaaS affiliates adapt TTPs, including creating new VMs to evade endpoint security stacks, and underscores the need to monitor for new endpoint creation within environments.

DifyTap Bugs Let Attackers 'Wiretap' AI Chat Histories

Security researchers at Zafran discovered four vulnerabilities in Dify, a popular open source AI application platform, collectively dubbed 'DifyTap.' The flaws include a tracing hijack (CVE-2026-41947, CVSS 9.1) that lets attackers silently intercept AI chat histories by registering a rogue tracing backend, a Plugin Daemon path traversal (CVE-2026-41948, CVSS 9.4) exposing internal APIs to unauthenticated requests, and two UUID-based document access bugs (CVE-2026-41949 and CVE-2026-41950, both CVSS 6.5) enabling cross-tenant file exposure. Three of the four CVEs are patched in Dify 1.14.2; a fix for CVE-2026-41948 is available on GitHub. No real-world exploitation has been observed yet. Organizations are advised to patch promptly, apply WAF rules for CVE-2026-41948, and treat AI platforms as critical enterprise systems.