Japan stocks hit record highs as easing Middle East tensions boost sentiment

Japan stocks hit record highs as easing Middle East tensions boost sentiment


Japanese markets rallied on Thursday, with both the Nikkei 225 and Topix indexes closing at fresh record highs after news that US President Donald Trump signed an interim agreement to end the conflict with Iran and reopen the Strait of Hormuz.

The Nikkei 225 Index rose 1.65% to close at 71,053, while the broader Topix Index gained 1.37% to finish at 4,068.

The agreement helped ease concerns about Japans economy, which relies heavily on energy imports from the Middle East. Investors largely ignored the overnight decline on Wall Street, where markets reacted to signals from the US Federal Reserve that support for a rate hike this year is increasing.

 

Financial stocks led the gains, with Mitsubishi UFJ Financial Group rising 3.1%, Sumitomo Mitsui Financial Group advancing 4.3%, and Mizuho Financial Group adding 3%.

Technology stocks also performed strongly. Lasertec surged 7.1%, Tokyo Electron gained 4.7%, and SoftBank Group climbed 4.5%.

Overall, improved global sentiment and easing geopolitical concerns supported broad-based buying in Japanese equities.

Powered by Capital Market – Live News



Source link

Japan stocks hit record highs as easing Middle East tensions boost sentiment

China markets end mixed as technology stocks gain on policy support


Chinese markets closed mixed on Thursday, with technology stocks leading gains after regulators pledged stronger support for innovation at the Lujiazui Forum.

The Shanghai Composite fell 0.43% to close at 4,090, while the Shenzhen Component rose 0.94% to a one-month high of 16,030.

Investor sentiment in the technology sector improved after Beijing announced measures to direct more funding toward emerging technologies amid growing competition with the US. Authorities said they would support stock market listings for startups in future industries such as quantum technology, nuclear fusion, and brain-computer interfaces.

Among the top gainers were Zhongji Innolight, up 7.19%, Eoptolink Technology, which rose 4.23%, and NAURA Technology, which gained 2.39%.

 

However, weakness in major banking stocks weighed on the Shanghai Composite. Industrial and Commercial Bank of China fell 2.72%, Agricultural Bank of China declined 2.45%, and China Construction Bank lost 2.07%, leading to a divergence between the two benchmark indexes.

Chinese markets will remain closed on June 19 for the Dragon Boat Festival holiday.

Powered by Capital Market – Live News



Source link

PetroChina, Indian Oil fail to secure tankers to load Iraqi crude, sources say

PetroChina, Indian Oil fail to secure tankers to load Iraqi crude, sources say


PetroChina
and Indian Oil Corp failed to secure very
large crude carriers to lift Iraqi Basrah ​crude in late June,
company and shipping sources said on Thursday, while ‌another
Chinese major Sinochem is on the hunt for ​a tanker.

The enquiries from the Chinese state energy ⁠firms this week
follow an interim deal between the United States and Iran to end
their war and reopen the Strait of Hormuz, a ‌vital waterway for
Middle East energy supplies.

PetroChina had sought a VLCC to load from Iraq’s Basrah Oil
terminal ‌between June 25 and 30, two shipping sources said. ‌Each
VLCC ⁠can carry 2 million barrels of oil.

The Chinese ⁠major received at least six offers at worldscale
points of 650 to 750, they said, representing rates nearly
triple those charged before the US and ​Israel launched the war
in late ‌February. The worldscale measure is used by the shipping
industry to calculate freight rates.

“There are tankers available, but the problem is it’s too
expensive and there is no guarantee ‌you can exit the strait,” a
PetroChina official said.

One of ​the shipping sources told Reuters that securing
supplies from the Gulf would likely remain complicated despite
the peace ⁠deal.

“It’ll be still difficult to fix a vessel due to the rate,
and I assume that both parties need to ‌agree to some special
clause (in the contract for transiting the strait),” the source
said.

On Thursday, Sinochem sought a VLCC to load oil in the Gulf
between June 20 and 30 for Asia, the shipping sources said. It
was not immediately clear if the company would succeed in
finding a vessel.

PetroChina and Sinochem did ‌not immediately respond to
Reuters’ requests for comment.

IOC, meanwhile, did not receive ​any offers in a tender last
week seeking a VLCC to lift oil from Iraq on June 22 ⁠and 23 and
deliver to Paradip port on India’s east coast, ⁠a source familiar
with the matter said.

IOC, India’s largest refiner, subsequently issued a force
majeure on the cargo, the ‌source added.

IOC did not immediately respond to a request for comment.

Published on June 18, 2026



Source link

Silver futures tumble over 3% to ₹2.42 lakh/kg as Fed signals keep pressure on bullion

Silver futures tumble over 3% to ₹2.42 lakh/kg as Fed signals keep pressure on bullion


Silver futures plunged by ₹8,817 to ₹2.42 lakh per kg on Thursday, tracking weak global trends after the US Federal Reserve’s latest policy signals strengthened the dollar and dampened investors’ appetite for precious metals.

On the Multi Commodity Exchange, the white metal for July delivery declined by ₹8,817, or 3.5 per cent, to ₹2,42,990 per kilogram in a business turnover of 11,188 lots.

Analysts said the decline came after the US central bank kept interest rates unchanged, but indicated that the fight against inflation remains far from over, prompting traders to reassess expectations for future monetary policy easing.

Silver prices in the domestic markets saw a sharper decline of more than 3 per cent on Thursday, Gaurav Garg, Research Analyst at Lemonn Markets Desk, said.

“The downturn in precious metals can be attributed to a strengthening US dollar, as traders remain wary following a hawkish June Federal Reserve policy decision under new Chair Kevin Warsh,” he said.

In the international markets, Comex silver futures for the July contract declined $2.36, or 3.34 per cent, to $68.40 per ounce in New York.

The Federal Reserve on Wednesday unanimously voted to maintain its benchmark interest rate in the 3.5-3.75 per cent range. However, nine of 18 members of the Federal Open Markets Committee projected that they see a rate hike this year.

“Comex silver prices remained under pressure in the overseas trade on Thursday after the Federal Reserve kept interest rates unchanged, but signalled growing support for additional rate hikes, while maintaining its focus on bringing inflation back to target,” Pinky Yadav, Commodity Fundamental Analyst at Choice Broking, said.

According to analysts, prospects for higher-for-longer interest rates tend to weigh on precious metals by boosting bond yields and the US dollar.

“The division among policymakers, with half still anticipating at least one more rate hike this year, along with elevated inflation forecasts and slower GDP growth, reflects the Fed’s ongoing focus on controlling price pressures even if it moderates economic growth,” Rajesh Palviya, Head of Research, Axis Direct, said.

He added that higher yields and a firmer dollar could continue to exert pressure on bullion prices in the near term.

Published on June 18, 2026



Source link

Is multi-factor authentication enough? Kali365 breach fuels security debate

Is multi-factor authentication enough? Kali365 breach fuels security debate



For years, multi-factor authentication (MFA) has been one of the most widely recommended safeguards against account compromise. The logic was simple: even if attackers obtained a user’s password, they would still need access to a second verification factor to gain entry.

 


However, a phishing kit known as Kali365 is drawing attention because it targets something beyond passwords and authentication codes.

 

The US Federal Bureau of Investigation (FBI) has warned that Kali365, a phishing-as-a-service (PhaaS) platform, is being used to compromise Microsoft 365 accounts by capturing authentication tokens after users have already completed MFA verification. Rather than stealing credentials directly, the toolkit hijacks authenticated sessions, allowing attackers to access services such as Outlook, Teams and OneDrive as legitimate users.

 
 


The technique reflects a broader shift in cyberattacks, with threat actors increasingly targeting active sessions instead of login credentials.

 


The risks extend beyond a single account. Since Microsoft 365 often serves as a gateway to corporate email, files and business applications, a compromised session can provide access to sensitive data and internal communications.

 


Although the FBI first warned about Kali365 in May, the phishing kit has attracted renewed attention in recent weeks as researchers revealed more details about its operations and concerns grew around the increasing use of token-theft and session-hijacking techniques.


What is Kali365


In a recent public service announcement, the FBI’s Internet Crime Complaint Center (IC3) described Kali365 as an “emerging phishing-as-a-service (PhaaS) platform” that first appeared in April 2026.

 


According to the agency, the toolkit is distributed primarily through Telegram and is designed to help attackers access Microsoft 365 accounts by stealing authentication tokens, thereby bypassing MFA protections.

 


Phishing-as-a-service refers to a criminal business model in which developers provide ready-made phishing tools and infrastructure to other cybercriminals for a fee.

 


The FBI said Kali365 offers features such as AI-generated phishing lures, automated campaign templates, real-time tracking dashboards and OAuth token-capture capabilities. It effectively packages sophisticated phishing tools into a subscription-based service.

 


Cybersecurity publication BleepingComputer, citing research from Arctic Wolf, reported that Kali365 operates much like a business. The platform has developers who maintain the service, resellers who market it and affiliates who launch phishing campaigns.

 


Researchers said the toolkit supports multiple attack methods, including techniques capable of capturing session cookies and authentication tokens even after a user has completed MFA verification.

 


Authentication tokens are digital credentials issued after a user successfully signs in. They allow users to remain logged in without repeatedly entering passwords or completing MFA checks. If attackers obtain these tokens, they can access an account as though they were the legitimate user, even without knowing the password.

 


According to security researcher Graham Cluley, writing on Bitdefender’s Hot for Security blog, access to Kali365 is reportedly available through a subscription model priced at around $250 a month or $2,000 a year.

 


Researchers also reported that hundreds of attacks linked to the toolkit were observed across North America and Europe within weeks of its emergence.

 


How the scam works

 


What makes Kali365 different from conventional phishing campaigns is that it does not focus on stealing passwords. Instead, it tricks users into authorising access to their accounts and then captures the authentication tokens that Microsoft issues after a successful login.

 


According to the FBI, the attack generally follows four stages:

 


Lure: The attack begins with a phishing email designed to resemble a legitimate notification from Microsoft or another trusted cloud service. The email asks the user to complete a sign-in process and provides a unique device code. Unlike many phishing scams, victims are not directed to a fake website. Instead, they are instructed to visit a genuine Microsoft verification page, making the request appear legitimate.

 


Authorisation: Once on the Microsoft page, the user enters the device code and signs in with their account. If MFA is enabled, they may also complete the additional verification step. At this stage, the victim believes they are simply logging into a service, but they are actually granting the attacker’s device permission to access the account.

 


Token theft: After the login is approved, Microsoft issues authentication tokens that prove the user has successfully signed in. These tokens allow services such as Outlook, Teams and OneDrive to recognise the user without repeatedly requesting a password. Kali365 is designed to capture these tokens, giving attackers the same level of access as the legitimate user.

 


Persistence: With the stolen tokens, attackers can continue accessing Microsoft 365 services even though they never learned the user’s password. Because the tokens indicate that MFA has already been completed, attackers can often bypass additional authentication prompts and retain access until the tokens expire or are revoked.

 


How widespread is this technique and is Kali365 unique

 


Kali365 is more like a broader trend rather than a one-off threat. According to reporting that cited researchers from cybersecurity firm Proofpoint, multiple device-code phishing kits with nearly identical tactics were observed within a span of just 10 days. Researchers noted that many of these campaigns appeared highly automated and likely generated with the help of AI, suggesting that adoption of the technique is growing rapidly among cybercriminal groups.

 


The same report noted that device-code phishing attacks were already being used to compromise Microsoft 365 accounts before Kali365 emerged. In December, researchers documented cases involving both state-backed threat actors and financially motivated cybercriminals using similar methods to gain access to accounts.

 


Further evidence of the trend came from researchers at Huntress and Flare.io, who earlier this year linked a separate wave of attacks to another device-code phishing platform known as “Evil Tokens.” The findings suggest that Kali365 is not an isolated tool but part of a growing ecosystem of phishing services designed to steal authenticated sessions rather than passwords.

 


Is MFA losing effectiveness

 


Multi-factor authentication (MFA) remains one of the most effective defences against account takeovers because it can stop attackers who have obtained a user’s password from gaining access. In that sense, MFA is still doing the job it was designed to do.

 


The challenge highlighted by Kali365 is different. Instead of trying to crack or bypass MFA, attackers wait for the legitimate user to complete the authentication process themselves. Once the user has successfully signed in and verified their identity, the attackers steal the authentication tokens generated during that session. Those tokens can then be used to access the account without needing the password or another MFA prompt.

 


Security experts therefore argue that the issue is not that MFA is broken, but that cybercriminals are increasingly targeting parts of the authentication process that occur after MFA has already been completed. This broader trend is reflected in industry research.

 


According to cybersecurity firm SentinelOne, which cited findings from the 2025 Verizon Data Breach Investigations Report (DBIR), MFA-fatigue attacks accounted for 14 per cent of analysed security incidents involving MFA bypass. In those attacks, users are bombarded with authentication requests until they eventually approve one.

 

Device-code phishing, the technique used by Kali365, works differently. Rather than overwhelming users with prompts, it abuses a legitimate Microsoft authentication workflow to obtain access that the user unknowingly authorises. 

 


The shift from passwords to 2-factor authentication to passkeys

 


The way people secure their online accounts has changed over time as cyberattacks have become more sophisticated. For years, passwords were the first line of defence. But passwords alone proved insufficient because they could be guessed, stolen in data breaches, reused across multiple websites or captured through phishing scams.

 


To strengthen account security, companies introduced two-factor authentication (2FA), also known as multi-factor authentication (MFA). This added an extra verification step, such as a one-time code, an authenticator app notification or a biometric check. Even if a password were compromised, attackers would still need a second factor to gain access.

 


However, cybercriminals have adapted. Instead of focusing solely on passwords, many now target the login process itself through phishing campaigns, MFA fatigue attacks and token theft. Tools such as Kali365 are part of this shift, allowing attackers to take advantage of authenticated sessions rather than stealing credentials directly.

 


As a result, technology companies are increasingly promoting passkeys as the next step in account security. Passkeys allow users to sign in using a fingerprint, face scan or device PIN, without relying on traditional passwords. Because they are linked to a specific device and website, they are considered more resistant to phishing attacks.

 

The growing attention around Kali365 highlights why this transition is underway. The challenge is no longer just preventing password theft but ensuring that attackers cannot misuse the trust established after a user has successfully logged in. 

 


What organisations can do now

 


The emergence of Kali365 is prompting organisations to look beyond traditional account-security measures. While multi-factor authentication remains an important safeguard, the attack demonstrates how cybercriminals are increasingly targeting authenticated sessions and access tokens rather than passwords themselves. As a result, security teams may need to strengthen protections around the entire login process, not just the initial sign-in.

 


In its advisory, the FBI outlined several measures to limit the attack techniques used by the phishing kit and reduce the chances of unauthorised access to Microsoft 365 accounts. These include:


  • Restrict device code authentication: According to the FBI, organisations should consider blocking or limiting device code authentication wherever possible. This is the login method that Kali365 exploits to trick users into granting access to their accounts.


  • Review existing usage before making changes: Before restricting device code authentication, companies should identify which applications, devices or workflows rely on it. This helps avoid disrupting legitimate services, such as conference-room systems and shared workplace devices.


  • Limit authentication-transfer features: The FBI also recommends restricting features that allow users to transfer authentication between devices. These workflows can create additional opportunities for attackers to exploit legitimate login processes.


  • Maintain emergency-access accounts: Organisations should ensure that emergency or break-glass accounts remain available and are excluded from broad restrictions. This can help administrators regain access if normal authentication systems become unavailable.


  • Strengthen phishing defences: The FBI further points organisations to guidance from the US Cybersecurity and Infrastructure Security Agency (CISA), which recommends employee awareness training, phishing detection measures and stronger identity-security controls.



Source link

YouTube
Instagram
WhatsApp